945cbc1710a3ba9d9c8fdd96b58eb069b2972c0f
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-08-27  Jon Davis  <jond@apple.com>

        Include ES6 Generators and Proxy object status on the feature status page.
        https://bugs.webkit.org/show_bug.cgi?id=148095

        Reviewed by Timothy Hatcher.

        * features.json:

2015-08-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add a comment to describe something I learned about a confusingly-named function.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isCell):

2015-08-27  Basile Clement  <basile_clement@apple.com>

        REGRESSION(r184779): Possible read-after-free in JavaScriptCore/dfg/DFGClobberize.h
        https://bugs.webkit.org/show_bug.cgi?id=148411

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-08-27  Brian Burg  <bburg@apple.com>

        Web Inspector: FrontendChannel should know its own connection type
        https://bugs.webkit.org/show_bug.cgi?id=148482

        Reviewed by Joseph Pecoraro.

        * inspector/InspectorFrontendChannel.h: Add connectionType().
        * inspector/remote/RemoteInspectorDebuggableConnection.h:

2015-08-26  Filip Pizlo  <fpizlo@apple.com>

        Node::origin should always be set, and the dead zone due to SSA Phis can just use exitOK=false
        https://bugs.webkit.org/show_bug.cgi?id=148462

        Reviewed by Saam Barati.

        The need to label nodes that absolutely cannot exit was first observed when we introduced SSA form.
        We indicated this by not setting the CodeOrigin.

        But just recently (http://trac.webkit.org/changeset/188979), we added a more comprehensive "exitOK"
        bit in NodeOrigin. After that change, there were two ways of indicating that you cannot exit:
        !exitOK and an unset NodeOrigin. An unset NodeOrigin implied !exitOK.

        Now, this change is about removing the old way so that we only use !exitOK. From now on, all nodes
        must have their NodeOrigin set, and the IR validation will check this. This means that I could
        remove various pieces of cruft for dealing with unset NodeOrigins, but I did have to add some new
        cruft to ensure that all nodes we create have a NodeOrigin.

        This change simplifies our IR by having a simpler rule about when NodeOrigin is set: it's always
        set.

        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::isInBlock):
        (JSC::DFG::BasicBlock::removePredecessor):
        (JSC::DFG::BasicBlock::firstOriginNode): Deleted.
        (JSC::DFG::BasicBlock::firstOrigin): Deleted.
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::begin):
        (JSC::DFG::BasicBlock::end):
        (JSC::DFG::BasicBlock::numSuccessors):
        (JSC::DFG::BasicBlock::successor):
        * dfg/DFGCombinedLiveness.cpp:
        (JSC::DFG::liveNodesAtHead):
        * dfg/DFGConstantHoistingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGForAllKills.h:
        (JSC::DFG::forAllKilledOperands):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::validateSSA):

2015-08-26  Saam barati  <sbarati@apple.com>

        MarkedBlock::allocateBlock will have the wrong allocation size when (sizeof(MarkedBlock) + bytes) is divisible by WTF::pageSize()
        https://bugs.webkit.org/show_bug.cgi?id=148500

        Reviewed by Mark Lam.

        Consider the following scenario:
        - On OS X, WTF::pageSize() is 4*1024 bytes.
        - JSEnvironmentRecord::allocationSizeForScopeSize(6621) == 53000
        - sizeof(MarkedBlock) == 248
        - (248 + 53000) is a multiple of 4*1024.
        - (248 + 53000)/(4*1024) == 13

        We will allocate a chunk of memory of size 53248 bytes that looks like this:
        0            248       256                       53248       53256
        [Marked Block | 8 bytes |  payload     ......      ]  8 bytes  |
                                ^                                    ^
                           Our Environment record starts here.       ^
                                                                     ^
                                                                 Our last JSValue in the environment record will go from byte 53248 to 53256. But, we don't own this memory.

        We need to ensure that we round up sizeof(MarkedBlock) to an
        atomSize boundary. We need to do this because the first atom
        inside the MarkedBlock will start at the rounded up multiple
        of atomSize past MarkedBlock. If we end up with an allocation
        that is perfectly aligned to the page size, then we will be short
        8 bytes (in the current implementation where atomSize is 16 bytes,
        and MarkedBlock is 248 bytes).

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateBlock):
        * tests/stress/heap-allocator-allocates-incorrect-size-for-activation.js: Added.
        (use):
        (makeFunction):
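
        The allocation-size shortfall described in the entry above, as an added C++ model; this is not
        JavaScriptCore's code and the function names are made up for the example. The header size (248),
        atom size (16), page size (4096) and payload (53000) are the numbers from the entry; the model
        places the payload at the header rounded up to an atom boundary, compares the pre-fix formula
        (header + payload, rounded to a page) with the corrected one (header rounded to an atom first),
        and then scans payload sizes to show that the naive formula is short for every payload that
        brings header + payload within the 8 padding bytes below a page boundary, not only exactly onto it.

```cpp
#include <cstddef>
#include <cstdio>

// Numbers taken from the ChangeLog entry above (OS X, 64-bit build).
constexpr size_t kHeaderSize = 248;   // sizeof(MarkedBlock) in the entry
constexpr size_t kAtomSize   = 16;    // atomSize in the entry
constexpr size_t kPageSize   = 4096;  // WTF::pageSize() on OS X
constexpr size_t kPayload    = 53000; // allocationSizeForScopeSize(6621)

constexpr size_t roundUp(size_t value, size_t multiple)
{
    return (value + multiple - 1) / multiple * multiple;
}

// Where the first atom, and therefore the payload, really begins: the
// header is padded out to the next atom boundary (248 -> 256 here).
constexpr size_t firstAtomOffset(size_t headerSize, size_t atomSize)
{
    return roundUp(headerSize, atomSize);
}

// The pre-fix computation described in the entry: header + payload is
// rounded to a page without first rounding the header to an atom.
constexpr size_t naiveAllocationSize(size_t headerSize, size_t payloadBytes, size_t pageSize)
{
    return roundUp(headerSize + payloadBytes, pageSize);
}

// The corrected computation: round the header up to the atom size first.
constexpr size_t fixedAllocationSize(size_t headerSize, size_t atomSize, size_t payloadBytes, size_t pageSize)
{
    return roundUp(firstAtomOffset(headerSize, atomSize) + payloadBytes, pageSize);
}

// True if a payload placed at the first atom ends inside the allocation.
constexpr bool payloadFits(size_t headerSize, size_t atomSize, size_t payloadBytes, size_t allocationSize)
{
    return firstAtomOffset(headerSize, atomSize) + payloadBytes <= allocationSize;
}

// Count payload sizes in [1, limit] whose allocation is too small. With the
// naive formula, every payload that brings header + payload within the atom
// padding (8 bytes here) below a page boundary, or exactly onto it, is short.
size_t countShortfalls(size_t headerSize, size_t atomSize, size_t pageSize, size_t limit, bool useFixedFormula)
{
    size_t count = 0;
    for (size_t payload = 1; payload <= limit; ++payload) {
        size_t allocation = useFixedFormula
            ? fixedAllocationSize(headerSize, atomSize, payload, pageSize)
            : naiveAllocationSize(headerSize, payload, pageSize);
        if (!payloadFits(headerSize, atomSize, payload, allocation))
            ++count;
    }
    return count;
}

int main()
{
    size_t naive = naiveAllocationSize(kHeaderSize, kPayload, kPageSize);
    size_t fixed = fixedAllocationSize(kHeaderSize, kAtomSize, kPayload, kPageSize);
    std::printf("payload starts at byte %zu\n", firstAtomOffset(kHeaderSize, kAtomSize));
    std::printf("naive allocation %zu bytes, payload fits: %s\n", naive,
                payloadFits(kHeaderSize, kAtomSize, kPayload, naive) ? "yes" : "no");
    std::printf("fixed allocation %zu bytes, payload fits: %s\n", fixed,
                payloadFits(kHeaderSize, kAtomSize, kPayload, fixed) ? "yes" : "no");
    std::printf("naive shortfalls for payloads up to one page: %zu\n",
                countShortfalls(kHeaderSize, kAtomSize, kPageSize, kPageSize, false));
    return 0;
}
```

        For the entry's numbers the naive formula returns 53248 bytes while the payload ends at 53256; the
        corrected formula returns 57344. The scan shows 8 bad payload sizes per page with the naive formula
        and none with the corrected one, which is the general shape of this bug class: a header that is not
        a multiple of the alignment it promises its first element.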

2015-08-26  Mark Lam  <mark.lam@apple.com>

        watchdog m_didFire state erroneously retained.
        https://bugs.webkit.org/show_bug.cgi?id=131082

        Reviewed by Geoffrey Garen.

        The watchdog can fire for 2 reasons:
        1. an external controlling entity (i.e. another thread) has scheduled termination
           of the script thread via watchdog::terminateSoon().
        2. the allowed CPU time has expired.

        For case 1, we're doing away with the m_didFire flag.  Watchdog::terminateSoon()
        will set the timer deadlines and m_timeLimit to 0, and m_timerDidFire to true.
        This will get the script thread to check Watchdog::didFire() and terminate
        execution.

        Note: the watchdog only guarantees that script execution will terminate as soon
        as possible due to a time limit of 0.  Once we've exited the VM, the client of the
        VM is responsible for keeping a flag to prevent new script execution.

        In a race condition, if terminateSoon() is called just after execution has gotten
        past the client's reentry check and the client is in the process of re-entering,
        the worst that can happen is that we will schedule the watchdog timer to fire
        after a period of 0.  This will terminate script execution quickly, and thereafter
        the client's check should be able to prevent further entry into the VM.

        The correctness (i.e. has no race condition) of this type of termination relies
        on the termination state being sticky.  Once the script thread is terminated this
        way, the VM will continue to terminate scripts quickly until the client sets the
        time limit to a non-zero value (or clears it which sets the time limit to
        noTimeLimit).

        For case 2, the watchdog does not alter m_timeLimit.  If the CPU deadline has
        been reached, the script thread will terminate execution and exit the VM.

        If the client of the VM starts new script execution, the watchdog will allow
        execution for the specified m_timeLimit.  In this case, since m_timeLimit is not
        0, the script gets a fresh allowance of CPU time to execute.  Hence, terminations
        due to watchdog timeouts are no longer sticky.

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * API/tests/ExecutionTimeLimitTest.cpp:
        - Add test scenarios to verify that the watchdog is automatically reset by the VM
          upon throwing the TerminatedExecutionException.

        (testResetAfterTimeout):
        (testExecutionTimeLimit):
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::ensureWatchdog):
        * runtime/VM.h:
        * runtime/VMInlines.h: Added.
        (JSC::VM::shouldTriggerTermination):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Watchdog):
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::terminateSoon):
        (JSC::Watchdog::didFireSlow):
        (JSC::Watchdog::hasTimeLimit):
        (JSC::Watchdog::enteredVM):
        (JSC::Watchdog::exitedVM):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        (JSC::Watchdog::hasStartedTimer): Deleted.
        (JSC::Watchdog::fire): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::didFire):
        (JSC::Watchdog::timerDidFireAddress):

2015-08-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Implement tracking of active stylesheets in the frontend
        https://bugs.webkit.org/show_bug.cgi?id=105828

        Reviewed by Timothy Hatcher.

        * inspector/protocol/CSS.json:
        Add new events for when a StyleSheet is added or removed.

2015-08-26  Chris Dumez  <cdumez@apple.com>

        Distinguish Web IDL callback interfaces from Web IDL callback functions
        https://bugs.webkit.org/show_bug.cgi?id=148434

        Reviewed by Geoffrey Garen.

        Add isNull() convenience method on PropertyName.

        * runtime/PropertyName.h:
        (JSC::PropertyName::isNull):

2015-08-26  Filip Pizlo  <fpizlo@apple.com>

        Node::origin should be able to tell you if it's OK to exit
        https://bugs.webkit.org/show_bug.cgi?id=145204

        Reviewed by Geoffrey Garen.

        This is a major change to DFG IR, that makes it easier to reason about where nodes with
        speculations can be soundly hoisted.

        A program in DFG IR is a sequence of operations that compute the values of SSA variables,
        perform effects on the heap or stack, and perform updates to the OSR exit state. Because
        effects and OSR exit updates are interleaved, there are points in execution where exiting
        simply won't work. For example, we may have some bytecode operation:

            [  24] op_foo loc42 // does something, and puts a value in loc42.

        that gets compiled down to a sequence of DFG IR nodes like:

            a: Foo(W:Heap, R:World, bc#24) // writes heap, reads world - i.e. an observable effect.
            b: MovHint(@a, loc42, bc#24)
            c: SetLocal(Check:Int32:@a, loc42, bc#24, exit: bc#26)

        Note that we can OSR exit at @a because we haven't yet performed any effects for bc#24 yet and
        we have performed all effects for prior bytecode operations. That's what the origin.forExit
        being set to "bc#24" guarantees. So, an OSR exit at @a would transfer execution to bc#24 and
        this would not be observable. But at @b, if we try to exit to bc#24 as indicated by forExit, we
        would end up causing the side effect of bc#24 to execute a second time. This would be
        observable, so we cannot do it. And we cannot exit to the next instruction - bc#26 - either,
        because @b is responsible for updating the OSR state to indicate that the result of @a should
        be put into loc42. It's not until we get to @c that we can exit again.

        This is a confusing, but useful, property of DFG IR. It's useful because it allows us to use IR
        to spell out how we would have affected the bytecode state, and we use this to implement hard
        things like object allocation elimination, where we use IR instructions to indicate what object
        allocation and mutation operations we would have performed, and which bytecode variables would
        have pointed to those objects. So long as IR allows us to describe how OSR exit state is
        updated, there will be points in execution where that state is invalid - especially if the IR
        to update exit state is separate from the IR to perform actual effects.

        But this property is super confusing! It's difficult to explain that somehow magically, @b is a
        bad place to put OSR exits, and that magically we will only have OSR exits at @a. Of course, it
        all kind of makes sense - we insert OSR exit checks in phases that *know* where it's safe to
        exit - but it's just too opaque. This also gets in the way of more sophisticated
        transformations. For example, LICM barely works - it magically knows that loop pre-headers are
        good places to exit from, but it has no way of determining if that is actually true. It would
        be odd to introduce a restriction that anytime some block qualifies as a pre-header according
        to our loop calculator, it must end with a terminal at which it is OK to exit. So, our choices
        are to either leave LICM in a magical state and exercise extreme caution when introducing new
        optimizations that hoist checks, or to do something to make the "can I exit here" property more
        explicit in IR.

        We have already, in a separate change, added a NodeOrigin::exitOK property, though it didn't do
        anything yet. This change puts exitOK to work, and makes it an integral part of IR. The key
        intuition behind this change is that if we know which nodes clobber exit state - i.e. after the
        node, it's no longer possible to OSR exit until the exit state is fixed up - then we can figure
        out where it's fine to exit. This change mostly adopts the already implicit rule that it's
        always safe to exit right at the boundary of exit origins (in between two nodes where
        origin.forExit differs), and adds a new node, called ExitOK, which is a kind of declaration
        that exit state is good again. When making this change, I struggled with the question of
        whether to make origin.exitOK be explicit, or something that we can compute with an analysis.
        Of course if we are armed with a clobbersExitState(Node*) function, we can find the places
        where it's fine to exit. But this kind of computation could get quite sophisticated if the
        nodes belonging to an exit origin are lowered to a control-flow construct. It would also be
        harder to see what the original intent was, if we found an error: is the bug that we shouldn't
        be clobbering exit state, or that we shouldn't be exiting? This change opts to make exitOK be
        an explicit property of IR, so that DFG IR validation will reject any program where exitOK is
        true after a node that clobbersExitState(), or if exitOK is true after a node has exitOK set to
        false - unless the latter node has a different exit origin or is an ExitOK node. It will also
        reject any program where a node mayExit() with !exitOK.

        It turns out that this revealed a lot of sloppiness and what almost looked like an outright
        bug: the callee property of an inline closure call frame was being set up "as if" by the
        callee's op_enter. If we did hoist a check per the old rule - to the boundary of exit origins -
        then we would crash because the callee is unknown. It also revealed that LICM could *almost*
        get hosed by having a pre-header where there are effects before the jump. I wasn't able to
        construct a test case that would crash trunk, but I also couldn't quite prove why such a
        program couldn't be constructed. I did fix the issue in loop pre-header creation, and the
        validator does catch the issue because of its exitOK assertions.

        This doesn't yet add any other safeguards to LICM - that phase still expects that pre-headers
        are in place and that they were created in such a way that their terminal origins have exitOK.
        It also still keeps the old way of saying "not OK to exit" - having a clear NodeOrigin. In a
        later patch I'll remove that and use !exitOK everywhere. Note that I did consider using clear
        NodeOrigins to signify that it's not OK to exit, but that would make DFGForAllKills a lot more
        expensive - it would have to sometimes search to find nearby forExit origins if the current
        node doesn't have it set - and that's a critical phase for DFG compilation performance.
        Requiring that forExit is usually set to *something* and that properly shadows the original
        bytecode is cheap and easy, so it seemed like a good trade-off.

        This change has no performance effect. Its only effect is that it makes the compiler easier to
        understand by turning a previously magical concept into an explicit one.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::currentNodeOrigin):
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp: Added.
        (JSC::DFG::clobbersExitState):
        * dfg/DFGClobbersExitState.h: Added.
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::convertStringAddUse):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::useKindFor):
        (JSC::DFG::uncheckedUseKindFor):
        (JSC::DFG::typeFilterFor):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::printWhiteSpace):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        * dfg/DFGInsertionSet.cpp:
        (JSC::DFG::InsertionSet::insertSlow):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        (WTF::printInternal):
        * dfg/DFGMayExit.h:
        * dfg/DFGMovHintRemovalPhase.cpp:
        * dfg/DFGNodeOrigin.cpp: Added.
        (JSC::DFG::NodeOrigin::dump):
        * dfg/DFGNodeOrigin.h:
        (JSC::DFG::NodeOrigin::NodeOrigin):
        (JSC::DFG::NodeOrigin::isSet):
        (JSC::DFG::NodeOrigin::withSemantic):
        (JSC::DFG::NodeOrigin::withExitOK):
        (JSC::DFG::NodeOrigin::withInvalidExit):
        (JSC::DFG::NodeOrigin::takeValidExit):
        (JSC::DFG::NodeOrigin::forInsertingAfter):
        (JSC::DFG::NodeOrigin::operator==):
        (JSC::DFG::NodeOrigin::operator!=):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        * dfg/DFGOSRExitBase.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::validate):
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::Phase::vm):
        (JSC::DFG::Phase::codeBlock):
        (JSC::DFG::Phase::profiledBlock):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
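
        The exitOK validation rules stated in the entry above (and relied on by the later "Node::origin
        should always be set" entry near the top of this log), as an added C++ example. This is not the
        DFG's own validator: the node model, the op set (Foo, MovHint, SetLocal, ExitOK, Check), the
        decision of which ops clobber exit state or may exit, and the message strings are all assumptions
        made for the example. What it does implement is exactly the stated rule set: exitOK may not be
        true directly after a node that clobbers exit state or after a node with !exitOK, unless the
        current node starts a new exit origin or is an ExitOK node, and no node may be able to exit while
        !exitOK. The sample blocks are the @a/@b/@c sequence from the entry plus the hoisted-check
        mistake the rules are meant to catch.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Toy model of a DFG node: only the fields the exitOK rules need.
enum class Op { Foo, MovHint, SetLocal, ExitOK, Check };

struct Node {
    Op op;
    int forExit;   // origin.forExit, modelled as a bytecode index
    bool exitOK;   // origin.exitOK
    bool checked;  // node carries a speculation check of its own
};

// Assumed classification for the toy ops: an observable effect (Foo) or an
// OSR state update (MovHint) leaves exit state invalid until it is fixed up.
bool clobbersExitState(const Node& n)
{
    return n.op == Op::Foo || n.op == Op::MovHint;
}

// Assumed: a node may OSR exit if it is a Check or carries a check.
bool mayExit(const Node& n)
{
    return n.checked || n.op == Op::Check;
}

// Validate one straight-line block under the rules quoted in the entry.
// Returns an empty string on success, otherwise the first violation found.
std::string validateExitOK(const std::vector<Node>& block)
{
    for (size_t i = 0; i < block.size(); ++i) {
        const Node& cur = block[i];
        if (cur.exitOK && i > 0) {
            const Node& prev = block[i - 1];
            // A new exit origin or an explicit ExitOK node re-establishes exit state.
            bool boundary = cur.forExit != prev.forExit || cur.op == Op::ExitOK;
            if (!boundary && clobbersExitState(prev))
                return "node " + std::to_string(i) + ": exitOK after a node that clobbers exit state";
            if (!boundary && !prev.exitOK)
                return "node " + std::to_string(i) + ": exitOK after !exitOK within the same exit origin";
        }
        if (mayExit(cur) && !cur.exitOK)
            return "node " + std::to_string(i) + ": node may exit but !exitOK";
    }
    return "";
}

// The sequence from the entry: a: Foo (bc#24), b: MovHint (bc#24),
// c: SetLocal with Check:Int32 whose exit origin is bc#26.
std::vector<Node> wellFormedExample()
{
    return {
        { Op::Foo,      24, true,  false },  // @a: nothing of bc#24 has happened yet
        { Op::MovHint,  24, false, false },  // @b: effect done, OSR state not yet updated
        { Op::SetLocal, 26, true,  true  },  // @c: new exit origin, checking is fine
    };
}

// The same sequence with the check hoisted onto @b: exiting there would
// re-run bc#24's side effect, so the validator must reject it.
std::vector<Node> hoistedCheckExample()
{
    return {
        { Op::Foo,      24, true,  false },
        { Op::MovHint,  24, false, true  },
        { Op::SetLocal, 26, true,  false },
    };
}

// exitOK claimed right after the effect, with no new origin and no ExitOK node.
std::vector<Node> staleExitOKExample()
{
    return {
        { Op::Foo,   24, true, false },
        { Op::Check, 24, true, true  },
    };
}

// An explicit ExitOK node declares exit state good again within bc#24.
std::vector<Node> explicitExitOKExample()
{
    return {
        { Op::Foo,     24, true,  false },
        { Op::MovHint, 24, false, false },
        { Op::ExitOK,  24, true,  false },
        { Op::Check,   24, true,  true  },
    };
}

int main()
{
    std::printf("well-formed:    [%s]\n", validateExitOK(wellFormedExample()).c_str());
    std::printf("explicit ExitOK:[%s]\n", validateExitOK(explicitExitOKExample()).c_str());
    std::printf("hoisted check:  [%s]\n", validateExitOK(hoistedCheckExample()).c_str());
    std::printf("stale exitOK:   [%s]\n", validateExitOK(staleExitOKExample()).c_str());
    return 0;
}
```

        The check is deliberately local (each node is judged against its predecessor) because that is how
        the entry frames the rule; a real phase would also have to carry the state across block edges.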

2015-08-26  Andreas Kling  <akling@apple.com>

        [JSC] StructureTransitionTable should eagerly deallocate single-transition WeakImpls.
        <https://webkit.org/b/148478>

        Reviewed by Geoffrey Garen.

        Use a WeakHandleOwner to eagerly deallocate StructureTransitionTable's Weak pointers
        when it's using the single-transition optimization and the Structure it transitioned
        to has been GC'd.

        This prevents Structures from keeping WeakBlocks alive longer than necessary when
        they've been transitioned away from but are still in use themselves.

        * runtime/Structure.cpp:
        (JSC::singleSlotTransitionWeakOwner):
        (JSC::StructureTransitionTable::singleTransition):
        (JSC::StructureTransitionTable::setSingleTransition):
        (JSC::StructureTransitionTable::add):
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::singleTransition): Deleted.
        (JSC::StructureTransitionTable::setSingleTransition): Deleted.

2015-08-26  Brian Burg  <bburg@apple.com>

        Web Inspector: REGRESSION(r188965): BackendDispatcher loses request ids when called re-entrantly
        https://bugs.webkit.org/show_bug.cgi?id=148480

        Reviewed by Joseph Pecoraro.

        I added an assertion that m_currentRequestId is Nullopt when dispatch() is called, but this should
        not hold if dispatching a backend command while debugger is paused. I will remove the assertion
        and add proper scoping for all dispatch() branches.

        No new tests, this wrong assert caused inspector/dom-debugger/node-removed.html to crash reliably.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch): Cover each exit with an appropriate TemporaryChange scope.

2015-08-26  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Remove the unused *Executable::unlinkCalls() and CodeBlock::unlinkCalls()
        https://bugs.webkit.org/show_bug.cgi?id=148469

        Reviewed by Geoffrey Garen.

        We use CodeBlock::unlinkIncomingCalls() to unlink calls.
        (...)Executable::unlinkCalls() and CodeBlock::unlinkCalls() are no longer used.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls): Deleted.
        * bytecode/CodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::unlinkCalls): Deleted.
        (JSC::ProgramExecutable::unlinkCalls): Deleted.
        (JSC::FunctionExecutable::unlinkCalls): Deleted.
        * runtime/Executable.h:
        (JSC::ScriptExecutable::unlinkCalls): Deleted.

2015-08-25  Brian Burg  <bburg@apple.com>

        Web Inspector: no need to allocate protocolErrors array for every dispatched backend command
        https://bugs.webkit.org/show_bug.cgi?id=146466

        Reviewed by Joseph Pecoraro.

        Clean up some of the backend dispatcher code, with a focus on eliminating useless allocations
        of objects in the common case when no protocol errors happen. This is done by saving the
        current id of each request as it is being processed by the backend dispatcher, and tagging any
        subsequent errors with that id. This also means we don't have to thread the requestId except
        in the async command code path.

        This patch also lifts some common code shared between all generated backend command
        implementations into the per-domain dispatch method instead. This reduces generated code size.

        To be consistent, this patch standardizes on calling the id of a backend message its 'requestId'.
        Requests can be handled synchronously or asynchronously (triggered via the 'async' property).

        No new tests, covered by existing protocol tests.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::CallbackBase): Split the two code paths for reporting
        success and failure.

        (Inspector::BackendDispatcher::CallbackBase::sendFailure):
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess): Renamed from sendIfActive.
        (Inspector::BackendDispatcher::dispatch): Reset counters and current requestId before dispatching.
        No need to manually thread the requestId to all reportProtocolError calls.

        (Inspector::BackendDispatcher::hasProtocolErrors): Added.
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors): Send any saved protocol errors to the frontend.
        Always send a 'data' member with all of the errors, even if there's just one. We might want to add
        more information about errors later.

        (Inspector::BackendDispatcher::reportProtocolError): Enqueue a protocol error to be sent later.
        (Inspector::BackendDispatcher::getPropertyValue): Remove useless type parameters and nuke most of
        the type conversion methods. Use std::function types instead of function pointer types.

        (Inspector::castToInteger): Added.
        (Inspector::castToNumber): Added.
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        (Inspector::getPropertyValue): Deleted.
        (Inspector::AsMethodBridges::asInteger): Deleted.
        (Inspector::AsMethodBridges::asDouble): Deleted.
        (Inspector::AsMethodBridges::asString): Deleted.
        (Inspector::AsMethodBridges::asBoolean): Deleted.
        (Inspector::AsMethodBridges::asObject): Deleted.
        (Inspector::AsMethodBridges::asArray): Deleted.
        (Inspector::AsMethodBridges::asValue): Deleted.
        * inspector/InspectorBackendDispatcher.h:
        * inspector/scripts/codegen/cpp_generator_templates.py: Extract 'params' object in domain dispatch method.
        Omit requestIds where possible. Convert dispatch tables to use NeverDestroyed. Check the protocol error count
        to decide whether to abort the dispatch or not, rather than allocating our own errors array.

        * inspector/scripts/codegen/cpp_generator_templates.py:
        (void):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: Revert to passing RefPtr<InspectorObject>
        since parameters are now being passed rather than the message object. Some commands do not require parameters.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command):
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/objc_generator_templates.py:

        Rebaseline some protocol generator tests.
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

597 2015-08-25  Saam barati  <sbarati@apple.com>
598
599         Lets rename codeOriginIndex to callSiteIndex and get rid of CallFrame::Location.
600         https://bugs.webkit.org/show_bug.cgi?id=148213
601
602         Reviewed by Filip Pizlo.
603
604         This patch introduces a struct called CallSiteIndex which is
605         used as a wrapper for a 32-bit int to place things in the tag for ArgumentCount
606         in the call frame. On 32-bit we place Instruction* into this slot for LLInt and Baseline.
607         For 32-bit DFG we place an index into the code origin table in this slot.
608         On 64-bit we place a bytecode offset into this slot for LLInt and Baseline.
609         On 64-bit we place the index into the code origin table in this slot in the
610         DFG/FTL.
611
612         This patch also gets rid of the encoding scheme that describes if something is a
613         bytecode index or a code origin table index. This information can always
614         be determined based on the CodeBlock's JITType.
615
616         StructureStubInfo now also has a CallSiteIndex which it stores to
617         the call frame when making a call.
618
619         * bytecode/CodeBlock.h:
620         (JSC::CodeBlock::hasCodeOrigins):
621         (JSC::CodeBlock::canGetCodeOrigin):
622         (JSC::CodeBlock::codeOrigin):
623         (JSC::CodeBlock::addFrequentExitSite):
624         * bytecode/StructureStubInfo.h:
625         (JSC::StructureStubInfo::StructureStubInfo):
626         * dfg/DFGCommonData.cpp:
627         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
628         (JSC::DFG::CommonData::addCodeOrigin):
629         (JSC::DFG::CommonData::shrinkToFit):
630         * dfg/DFGCommonData.h:
631         (JSC::DFG::CommonData::CommonData):
632         * dfg/DFGJITCompiler.h:
633         (JSC::DFG::JITCompiler::setEndOfCode):
634         (JSC::DFG::JITCompiler::addCallSite):
635         (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
636         * dfg/DFGOSRExitCompilerCommon.cpp:
637         (JSC::DFG::reifyInlinedCallFrames):
638         * dfg/DFGSpeculativeJIT.cpp:
639         (JSC::DFG::SpeculativeJIT::compileIn):
640         * dfg/DFGSpeculativeJIT32_64.cpp:
641         (JSC::DFG::SpeculativeJIT::cachedGetById):
642         (JSC::DFG::SpeculativeJIT::cachedPutById):
643         * dfg/DFGSpeculativeJIT64.cpp:
644         (JSC::DFG::SpeculativeJIT::cachedGetById):
645         (JSC::DFG::SpeculativeJIT::cachedPutById):
646         * ftl/FTLCompile.cpp:
647         (JSC::FTL::mmAllocateDataSection):
648         * ftl/FTLInlineCacheDescriptor.h:
649         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
650         (JSC::FTL::InlineCacheDescriptor::stackmapID):
651         (JSC::FTL::InlineCacheDescriptor::callSiteIndex):
652         (JSC::FTL::InlineCacheDescriptor::uid):
653         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
654         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
655         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
656         (JSC::FTL::InlineCacheDescriptor::codeOrigin): Deleted.
657         * ftl/FTLLink.cpp:
658         (JSC::FTL::link):
659         * ftl/FTLLowerDFGToLLVM.cpp:
660         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
661         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
662         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
663         (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
664         * ftl/FTLSlowPathCall.cpp:
665         (JSC::FTL::storeCodeOrigin):
666         * interpreter/CallFrame.cpp:
667         (JSC::CallFrame::currentVPC):
668         (JSC::CallFrame::setCurrentVPC):
669         (JSC::CallFrame::callSiteBitsAsBytecodeOffset):
670         (JSC::CallFrame::bytecodeOffset):
671         (JSC::CallFrame::codeOrigin):
672         (JSC::CallFrame::topOfFrameInternal):
673         (JSC::CallFrame::locationAsBytecodeOffset): Deleted.
674         (JSC::CallFrame::setLocationAsBytecodeOffset): Deleted.
675         (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex): Deleted.
676         * interpreter/CallFrame.h:
677         (JSC::CallSiteIndex::CallSiteIndex):
678         (JSC::CallSiteIndex::bits):
679         (JSC::ExecState::returnPCOffset):
680         (JSC::ExecState::abstractReturnPC):
681         (JSC::ExecState::topOfFrame):
682         (JSC::ExecState::setCallerFrame):
683         (JSC::ExecState::setScope):
684         (JSC::ExecState::currentVPC): Deleted.
685         (JSC::ExecState::setCurrentVPC): Deleted.
686         * interpreter/CallFrameInlines.h:
687         (JSC::CallFrame::callSiteBitsAreBytecodeOffset):
688         (JSC::CallFrame::callSiteBitsAreCodeOriginIndex):
689         (JSC::CallFrame::callSiteAsRawBits):
690         (JSC::CallFrame::callSiteIndex):
691         (JSC::CallFrame::hasActivation):
692         (JSC::CallFrame::Location::encode): Deleted.
693         (JSC::CallFrame::Location::decode): Deleted.
694         (JSC::CallFrame::Location::encodeAsBytecodeOffset): Deleted.
695         (JSC::CallFrame::Location::encodeAsBytecodeInstruction): Deleted.
696         (JSC::CallFrame::Location::encodeAsCodeOriginIndex): Deleted.
697         (JSC::CallFrame::Location::isBytecodeLocation): Deleted.
698         (JSC::CallFrame::Location::isCodeOriginIndex): Deleted.
699         (JSC::CallFrame::hasLocationAsBytecodeOffset): Deleted.
700         (JSC::CallFrame::hasLocationAsCodeOriginIndex): Deleted.
701         (JSC::CallFrame::locationAsRawBits): Deleted.
702         (JSC::CallFrame::setLocationAsRawBits): Deleted.
703         (JSC::CallFrame::locationAsBytecodeOffset): Deleted.
704         (JSC::CallFrame::setLocationAsBytecodeOffset): Deleted.
705         (JSC::CallFrame::locationAsCodeOriginIndex): Deleted.
706         * interpreter/StackVisitor.cpp:
707         (JSC::StackVisitor::readFrame):
708         (JSC::StackVisitor::readNonInlinedFrame):
709         (JSC::StackVisitor::Frame::print):
710         * jit/JITCall.cpp:
711         (JSC::JIT::compileOpCall):
712         * jit/JITCall32_64.cpp:
713         (JSC::JIT::compileOpCall):
714         * jit/JITInlineCacheGenerator.cpp:
715         (JSC::garbageStubInfo):
716         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
717         (JSC::JITByIdGenerator::JITByIdGenerator):
718         (JSC::JITByIdGenerator::generateFastPathChecks):
719         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
720         (JSC::JITGetByIdGenerator::generateFastPath):
721         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
722         * jit/JITInlineCacheGenerator.h:
723         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
724         (JSC::JITInlineCacheGenerator::stubInfo):
725         (JSC::JITByIdGenerator::JITByIdGenerator):
726         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
727         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
728         * jit/JITInlines.h:
729         (JSC::JIT::updateTopCallFrame):
730         * jit/JITOperations.cpp:
731         (JSC::getByVal):
732         (JSC::tryGetByValOptimize):
733         * jit/JITPropertyAccess.cpp:
734         (JSC::JIT::emitGetByValWithCachedId):
735         (JSC::JIT::emitPutByValWithCachedId):
736         (JSC::JIT::emit_op_get_by_id):
737         (JSC::JIT::emit_op_put_by_id):
738         * jit/JITPropertyAccess32_64.cpp:
739         (JSC::JIT::emitGetByValWithCachedId):
740         (JSC::JIT::emitPutByValWithCachedId):
741         (JSC::JIT::emit_op_get_by_id):
742         (JSC::JIT::emit_op_put_by_id):
743         * jit/Repatch.cpp:
744         (JSC::generateByIdStub):
745
746 2015-08-25  Aleksandr Skachkov  <gskachkov@gmail.com>
747
748         Function.prototype.toString is incorrect for ArrowFunction
749         https://bugs.webkit.org/show_bug.cgi?id=148148
750
751         Reviewed by Saam Barati.
752
753         Added correct support for the toString() method for arrow functions.
754
755         * parser/ASTBuilder.h:
756         (JSC::ASTBuilder::createFunctionMetadata):
757         (JSC::ASTBuilder::createArrowFunctionExpr):
758         * parser/Nodes.cpp:
759         (JSC::FunctionMetadataNode::FunctionMetadataNode):
760         * parser/Nodes.h:
761         * parser/Parser.cpp:
762         (JSC::Parser<LexerType>::parseFunctionBody):
763         (JSC::Parser<LexerType>::parseFunctionInfo):
764         * parser/SyntaxChecker.h:
765         (JSC::SyntaxChecker::createFunctionMetadata):
766         * runtime/FunctionPrototype.cpp:
767         (JSC::functionProtoFuncToString):
768         * tests/stress/arrowfunction-tostring.js: Added.
769
770 2015-08-25  Saam barati  <sbarati@apple.com>
771
772         Callee can be incorrectly overridden when it's captured
773         https://bugs.webkit.org/show_bug.cgi?id=148400
774
775         Reviewed by Filip Pizlo.
776
777         We now resort to always creating the function name scope
778         when the function name is in scope. Because the bytecode
779         generator now has a notion of local lexical scoping,
780         this incurs no runtime penalty for function expression names
781         that aren't heap allocated. If they are heap allocated,
782         this means we may now have one more scope on the runtime
783         scope stack than before. This modification simplifies the
784         callee initialization code and uses the lexical scoping constructs
785         to implement this. This implementation also ensures
786         that everything Just Works for functions with default
787         parameter values. Before this patch, IIFE functions
788         with default parameter values and a captured function
789         name would crash JSC.
790
791         * bytecompiler/BytecodeGenerator.cpp:
792         (JSC::BytecodeGenerator::BytecodeGenerator):
793         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
794         (JSC::BytecodeGenerator::popLexicalScopeInternal):
795         (JSC::BytecodeGenerator::variable):
796         (JSC::BytecodeGenerator::resolveType):
797         (JSC::BytecodeGenerator::emitThrowTypeError):
798         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
799         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
800         * bytecompiler/BytecodeGenerator.h:
801         (JSC::Variable::isReadOnly):
802         (JSC::Variable::isSpecial):
803         (JSC::Variable::isConst):
804         (JSC::Variable::setIsReadOnly):
805         * bytecompiler/NodesCodegen.cpp:
806         (JSC::PostfixNode::emitResolve):
807         (JSC::PrefixNode::emitResolve):
808         (JSC::ReadModifyResolveNode::emitBytecode):
809         (JSC::AssignResolveNode::emitBytecode):
810         (JSC::BindingNode::bindValue):
811         * tests/stress/IIFE-es6-default-parameters.js: Added.
812         (assert):
813         (.):
814         * tests/stress/IIFE-function-name-captured.js: Added.
815         (assert):
816         (.):
817
818 2015-08-24  Brian Burg  <bburg@apple.com>
819
820         Web Inspector: add protocol test for existing error handling performed by the backend
821         https://bugs.webkit.org/show_bug.cgi?id=147097
822
823         Reviewed by Joseph Pecoraro.
824
825         A new test revealed that the protocol "method" parameter was being parsed in a naive way.
826         Rewrite it to use String::split and improve error checking to avoid failing later.
827
828         * inspector/InspectorBackendDispatcher.cpp:
829         (Inspector::BackendDispatcher::dispatch):
830
831 2015-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>
832
833         [ES6] Return JSInternalPromise as result of evaluateModule
834         https://bugs.webkit.org/show_bug.cgi?id=148173
835
836         Reviewed by Saam Barati.
837
838         Now evaluateModule returns JSInternalPromise* as its result value.
839         When an error occurs while loading or executing the modules,
840         this promise is rejected by that error. By leveraging this, we implemented
841         asynchronous error reporting when executing the modules in JSC shell.
842
843         And this patch also changes the evaluateModule signature to accept the entry
844         point by the moduleName. By using it, JSC shell can start executing the modules
845         with the entry point module name.
846
847         * builtins/ModuleLoaderObject.js:
848         (loadModule):
849         * jsc.cpp:
850         (dumpException):
851         (runWithScripts):
852         * runtime/Completion.cpp:
853         (JSC::evaluateModule):
854         * runtime/Completion.h:
855         * runtime/JSInternalPromise.cpp:
856         (JSC::JSInternalPromise::then):
857         * runtime/JSInternalPromise.h:
858         * runtime/ModuleLoaderObject.cpp:
859         (JSC::ModuleLoaderObject::requestInstantiateAll):
860         (JSC::ModuleLoaderObject::loadModule):
861         (JSC::ModuleLoaderObject::resolve):
862         (JSC::ModuleLoaderObject::fetch):
863         (JSC::ModuleLoaderObject::translate):
864         (JSC::ModuleLoaderObject::instantiate):
865         (JSC::moduleLoaderObjectParseModule):
866         * runtime/ModuleLoaderObject.h:
867
868 2015-08-24  Basile Clement  <basile_clement@apple.com>
869
870         REPTACH is not a word
871         https://bugs.webkit.org/show_bug.cgi?id=148401
872
873         Reviewed by Saam Barati.
874
875         * assembler/MacroAssemblerX86_64.h:
876         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
877         (JSC::MacroAssemblerX86_64::call):
878         (JSC::MacroAssemblerX86_64::tailRecursiveCall):
879         (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
880         (JSC::MacroAssemblerX86_64::readCallTarget):
881         (JSC::MacroAssemblerX86_64::linkCall):
882         (JSC::MacroAssemblerX86_64::repatchCall):
883
884 2015-08-24  Mark Lam  <mark.lam@apple.com>
885
886         Add support for setting JSC options from a file.
887         https://bugs.webkit.org/show_bug.cgi?id=148394
888
889         Reviewed by Saam Barati.
890
891         This is needed for environments where the JSC executable does not have access to
892         environmental variables.  This is only needed for debugging, and is currently
893         guarded under a #define USE_OPTIONS_FILE in Options.cpp, and is disabled by
894         default.
895
896         Also fixed Options::setOptions() to allow for whitespace that is not a single
897         ' '.  This makes setOptions() much more flexible and friendlier to use for loading
898         options in general.
899
900         For example, this current use case of loading options from a file may have '\n's
901         in the character stream, and this feature is easier to implement if setOptions()
902         just supports more than 1 whitespace char between options, and recognizes whitespace
903         characters other than ' '.
904
905         * runtime/Options.cpp:
906         (JSC::parse):
907         (JSC::Options::initialize):
908         (JSC::Options::setOptions):
909
910 2015-08-24  Filip Pizlo  <fpizlo@apple.com>
911
912         DFG::FixupPhase should use the lambda form of m_graph.doToChildren() rather than the old macro
913         https://bugs.webkit.org/show_bug.cgi?id=148397
914
915         Reviewed by Geoffrey Garen.
916
917         We used to iterate the edges of a node by using the DFG_NODE_DO_TO_CHILDREN macro. We
918         don't need to do that anymore since we have the lambda-based m_graph.doToChildren(). This
919         allows us to get rid of a bunch of helper methods in DFG::FixupPhase.
920
921         I also took the opportunity to give the injectTypeConversionsInBlock() method a more
922         generic name, since after https://bugs.webkit.org/show_bug.cgi?id=145204 it will be used
923         for fix-up of checks more broadly.
924
925         * dfg/DFGFixupPhase.cpp:
926         (JSC::DFG::FixupPhase::run):
927         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
928         (JSC::DFG::FixupPhase::fixupChecksInBlock):
929         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): Deleted.
930         (JSC::DFG::FixupPhase::tryToRelaxRepresentation): Deleted.
931         (JSC::DFG::FixupPhase::fixEdgeRepresentation): Deleted.
932         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Deleted.
933
934 2015-08-24  Geoffrey Garen  <ggaren@apple.com>
935
936         Some renaming to clarify CodeBlock and UnlinkedCodeBlock
937         https://bugs.webkit.org/show_bug.cgi?id=148391
938
939         Reviewed by Saam Barati.
940
941         * bytecode/UnlinkedFunctionExecutable.cpp:
942         (JSC::generateUnlinkedFunctionCodeBlock):
943         (JSC::UnlinkedFunctionExecutable::visitChildren):
944         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
945         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
946         (JSC::generateFunctionCodeBlock): Deleted.
947         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Deleted.
948         * bytecode/UnlinkedFunctionExecutable.h: Call our CodeBlocks "unlinked"
949         in the name for clarity, since we are unlinked. 
950
951         * heap/Heap.cpp:
952         (JSC::Heap::objectTypeCounts):
953         (JSC::Heap::deleteAllCodeBlocks):
954         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
955         (JSC::Heap::clearUnmarkedExecutables):
956         (JSC::Heap::deleteOldCode):
957         (JSC::Heap::FinalizerOwner::finalize):
958         (JSC::Heap::addExecutable):
959         (JSC::Heap::collectAllGarbageIfNotDoneRecently):
960         (JSC::Heap::deleteAllCompiledCode): Deleted.
961         (JSC::Heap::deleteAllUnlinkedFunctionCode): Deleted.
962         (JSC::Heap::addCompiledCode): Deleted.
963         * heap/Heap.h:
964         (JSC::Heap::notifyIsSafeToCollect):
965         (JSC::Heap::isSafeToCollect):
966         (JSC::Heap::sizeBeforeLastFullCollection):
967         (JSC::Heap::sizeAfterLastFullCollection):
968         (JSC::Heap::compiledCode): Deleted.
969
970             deleteAllCompiledCode => deleteAllCodeBlocks because "compiled"
971             is a broad phrase these days.
972
973             m_compiledCode => m_executables for the same reason.
974
975             addCompiledCode => addExecutable for the same reason.
976
977             deleteAllUnlinkedFunctionCode => deleteAllUnlinkedCodeBlocks
978             for consistency.
979
980         * jsc.cpp:
981         (functionDeleteAllCompiledCode):
982
983         * runtime/Executable.cpp:
984         (JSC::ScriptExecutable::newCodeBlockFor): codeBlockFor => unlinkedCodeBlockFor
985
986         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): Deleted.
987         It was strange to put this function on executable, since its name implied
988         that it only changed the executable, but it actually changed all cached
989         code. Now, a client that wants to change cached code must do so explicitly.
990
991         * runtime/Executable.h:
992         (JSC::ScriptExecutable::finishCreation):
993         * runtime/VM.cpp:
994         (JSC::VM::deleteAllCode):
995         * runtime/VMEntryScope.cpp:
996         (JSC::VMEntryScope::VMEntryScope): Updated for renames above.
997
998 2015-08-22  Filip Pizlo  <fpizlo@apple.com>
999
1000         DFG::InsertionSet should be tolerant of occasional out-of-order insertions
1001         https://bugs.webkit.org/show_bug.cgi?id=148367
1002
1003         Reviewed by Geoffrey Garen and Saam Barati.
1004
1005         Since forever, the DFG::InsertionSet has been the way we insert nodes into DFG IR, and it
1006         requires that you walk a block in order and perform insertions in order: you can't insert
1007         something at index J, then at index I where I < J, except if you do a second pass.
1008
1009         This restriction makes sense, because it enables a very fast algorithm. And it's very
1010         rare that a phase would need to insert things out of order.
1011
1012         But sometimes - rarely - we need to insert things slightly out-of-order. For example we
1013         may want to insert a node at index J, but to insert a check associated with that node, we
1014         may need to use index I where I < J. This will come up from the work on
1015         https://bugs.webkit.org/show_bug.cgi?id=145204. And it has already come up in the past.
1016         It seems like it would be best to just lift this restriction.
1017
1018         * CMakeLists.txt:
1019         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1020         * JavaScriptCore.xcodeproj/project.pbxproj:
1021         * dfg/DFGInsertionSet.cpp: Added.
1022         (JSC::DFG::InsertionSet::insertSlow):
1023         * dfg/DFGInsertionSet.h:
1024         (JSC::DFG::InsertionSet::InsertionSet):
1025         (JSC::DFG::InsertionSet::graph):
1026         (JSC::DFG::InsertionSet::insert):
1027         (JSC::DFG::InsertionSet::execute):
1028
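The in-order fast path and the out-of-order fallback described in the entry above, as an added example that is not JavaScriptCore's own DFG::InsertionSet code: a simplified C++ model in which nodes are strings, a basic block is a std::vector, and insert(), insertSlow(), execute(), demo() and demoSlowPathCount() are assumed names modelled on the entry's file list.

```cpp
#include <algorithm>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Added example (not JavaScriptCore's DFG::InsertionSet): a simplified model
// of an insertion set. Nodes are strings and a basic block is a vector of
// them. Pending insertions are kept sorted by target index so that execute()
// can splice them into the block in one pass. Inserting in non-decreasing
// index order is the O(1) fast path; an out-of-order insert (index I after a
// pending index J with I < J) takes the slow path, which finds the right slot
// and keeps the relative order of insertions that share an index.
struct Insertion {
    size_t index;     // insert before the original node at this position
    std::string node; // stand-in for a DFG node
};

class InsertionSet {
public:
    void insert(size_t index, std::string node) {
        // Fast path: most phases walk the block forward, so the new index is
        // at least as large as the last one recorded.
        if (m_insertions.empty() || m_insertions.back().index <= index) {
            m_insertions.push_back({index, std::move(node)});
            return;
        }
        insertSlow(index, std::move(node));
    }

    // Splices all pending insertions into block, then clears the set.
    // An insertion at index == block.size() lands after the last node.
    void execute(std::vector<std::string>& block) {
        if (!m_insertions.empty() && m_insertions.back().index > block.size())
            throw std::out_of_range("insertion index past end of block");
        std::vector<std::string> result;
        result.reserve(block.size() + m_insertions.size());
        size_t next = 0;
        for (size_t i = 0; i < block.size(); ++i) {
            while (next < m_insertions.size() && m_insertions[next].index == i)
                result.push_back(std::move(m_insertions[next++].node));
            result.push_back(std::move(block[i]));
        }
        while (next < m_insertions.size())
            result.push_back(std::move(m_insertions[next++].node));
        block.swap(result);
        m_insertions.clear();
    }

    size_t slowPathCount() const { return m_slowPathCount; }

private:
    void insertSlow(size_t index, std::string node) {
        ++m_slowPathCount;
        // upper_bound places the new entry after any pending insertion with
        // the same index, so same-index insertions keep their program order.
        auto pos = std::upper_bound(m_insertions.begin(), m_insertions.end(), index,
            [](size_t i, const Insertion& ins) { return i < ins.index; });
        m_insertions.insert(pos, Insertion{index, std::move(node)});
    }

    std::vector<Insertion> m_insertions;
    size_t m_slowPathCount = 0;
};

// Constructed scenario from the entry: a node is inserted at index J = 2,
// then a check belonging to it has to go at index I = 1 (I < J), without a
// second pass over the block.
std::vector<std::string> demo(size_t* slowPaths = nullptr) {
    std::vector<std::string> block = {"A", "B", "C"};
    InsertionSet set;
    set.insert(2, "node-before-C");   // in order
    set.insert(1, "check-before-B");  // out of order: slow path
    set.insert(2, "second-before-C"); // same index as the first, stays after it
    set.insert(3, "tail");            // index == size(): appended at the end
    set.execute(block);
    if (slowPaths)
        *slowPaths = set.slowPathCount();
    return block;
}

// Number of out-of-order inserts the demo above needed (expected: 1).
size_t demoSlowPathCount() {
    size_t slow = 0;
    demo(&slow);
    return slow;
}
```
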
1029 2015-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1030
1031         Create ById IC for ByVal operation only when the specific Id comes more than once
1032         https://bugs.webkit.org/show_bug.cgi?id=148288
1033
1034         Reviewed by Geoffrey Garen.
1035
1036         After introducing byId ICs into byVal ops, byVal ops create many more ICs than before.
1037         The failure fixed in r188767 reveals that these ICs are created even if this op is executed only once.
1038
1039         The situation is the following:
1040         In the current code, when byVal op is executed with the Id, we immediately set up the byId IC for that byVal op.
1041         But setting up JITGetByIdGenerator generates the fast path IC code and consumes executable memory.
1042         As a result, if we call eval("contains byVal ops") with the different strings repeatedly under no-llint environment, each eval call creates byId IC for byVal and consumes executable memory.
1043
1044         To solve it, we will add "seen" flag to ByValInfo.
1045         And we will create the IC on the second byVal op call with the same Id.
1046
1047         * bytecode/ByValInfo.h:
1048         (JSC::ByValInfo::ByValInfo):
1049         * jit/JITOperations.cpp:
1050         (JSC::tryGetByValOptimize):
1051         * jit/JITPropertyAccess.cpp:
1052         (JSC::JIT::privateCompileGetByValWithCachedId): Deleted.
1053         (JSC::JIT::privateCompilePutByValWithCachedId): Deleted.
1054
1055 2015-08-23  Benjamin Poulain  <bpoulain@apple.com>
1056
1057         [JSC] Get rid of NodePointerTraits
1058         https://bugs.webkit.org/show_bug.cgi?id=148340
1059
1060         Reviewed by Anders Carlsson.
1061
1062         NodePointerTraits does exactly the same thing as the default trait.
1063
1064         * dfg/DFGBasicBlock.h:
1065         * dfg/DFGCommon.h:
1066         (JSC::DFG::NodePointerTraits::defaultValue): Deleted.
1067         (JSC::DFG::NodePointerTraits::isEmptyForDump): Deleted.
1068
1069 2015-08-23  Benjamin Poulain  <bpoulain@apple.com>
1070
1071         [JSC] Reduce the memory usage of BytecodeLivenessAnalysis
1072         https://bugs.webkit.org/show_bug.cgi?id=148353
1073
1074         Reviewed by Darin Adler.
1075
1076         BytecodeLivenessAnalysis easily takes kilobytes of memory for
1077         non trivial blocks and that memory sticks around because
1078         it is stored on CodeBlock.
1079
1080         This patch reduces that memory use a bit.
1081
1082         Most of the memory is in the array of BytecodeBasicBlock.
1083         BytecodeBasicBlock is shrunk by:
1084         -Making it not ref-counted.
1085         -Removing m_predecessors, it was only used for debugging and
1086          is usually big.
1087         -Added a shrinkToFit() phase to shrink the vectors once we are
1088          done building the BytecodeBasicBlock.
1089
1090         There are more things we should do in the future:
1091         -Store all the BytecodeBasicBlock directly in the array.
1092          We know the size ahead of time, this would be a pure win.
1093          The only tricky part is changing m_successors to have the
1094          index of the successor instead of a pointer.
1095         -Stop putting duplicates in m_successors.
1096
1097         * bytecode/BytecodeBasicBlock.cpp:
1098         (JSC::computeBytecodeBasicBlocks):
1099         (JSC::BytecodeBasicBlock::shrinkToFit): Deleted.
1100         (JSC::linkBlocks): Deleted.
1101         * bytecode/BytecodeBasicBlock.h:
1102         (JSC::BytecodeBasicBlock::addSuccessor):
1103         (JSC::BytecodeBasicBlock::addPredecessor): Deleted.
1104         (JSC::BytecodeBasicBlock::predecessors): Deleted.
1105         * bytecode/BytecodeLivenessAnalysis.cpp:
1106         (JSC::getLeaderOffsetForBasicBlock):
1107         (JSC::findBasicBlockWithLeaderOffset):
1108         (JSC::findBasicBlockForBytecodeOffset):
1109         (JSC::stepOverInstruction):
1110         (JSC::computeLocalLivenessForBytecodeOffset):
1111         (JSC::computeLocalLivenessForBlock):
1112         (JSC::BytecodeLivenessAnalysis::dumpResults): Deleted.
1113         * bytecode/BytecodeLivenessAnalysis.h:
1114
1115 2015-08-23  Geoffrey Garen  <ggaren@apple.com>
1116
1117         Unreviewed, rolling back in r188792.
1118         https://bugs.webkit.org/show_bug.cgi?id=148347
1119
1120         Previously reverted changesets:
1121
1122         "Unify code paths for manually deleting all code"
1123         https://bugs.webkit.org/show_bug.cgi?id=148280
1124         http://trac.webkit.org/changeset/188792
1125
1126         The previous patch caused some inspector tests to hang because it
1127         introduced extra calls to sourceParsed, and sourceParsed is
1128         pathologically slow in WK1 debug builds. This patch restores pre-existing
1129         code to limit calls to sourceParsed, excluding code not being debugged
1130         (i.e., inspector code).
1131
1132 2015-08-23  Geoffrey Garen  <ggaren@apple.com>
1133
1134         Unreviewed, rolling back in r188803.
1135
1136         Previously reverted changesets:
1137
1138         "Debugger's VM should never be null"
1139         https://bugs.webkit.org/show_bug.cgi?id=148341
1140         http://trac.webkit.org/changeset/188803
1141
1142         * debugger/Debugger.cpp:
1143         (JSC::Debugger::Debugger):
1144         (JSC::Debugger::attach):
1145         (JSC::Debugger::detach):
1146         (JSC::Debugger::isAttached):
1147         (JSC::Debugger::setSteppingMode):
1148         (JSC::Debugger::registerCodeBlock):
1149         (JSC::Debugger::toggleBreakpoint):
1150         (JSC::Debugger::recompileAllJSFunctions):
1151         (JSC::Debugger::setBreakpoint):
1152         (JSC::Debugger::clearBreakpoints):
1153         (JSC::Debugger::clearDebuggerRequests):
1154         (JSC::Debugger::setBreakpointsActivated):
1155         (JSC::Debugger::breakProgram):
1156         (JSC::Debugger::stepOutOfFunction):
1157         (JSC::Debugger::returnEvent):
1158         (JSC::Debugger::didExecuteProgram):
1159         * debugger/Debugger.h:
1160         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1161         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
1162         (Inspector::JSGlobalObjectScriptDebugServer::removeListener):
1163         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
1164         (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions): Deleted.
1165         * inspector/JSGlobalObjectScriptDebugServer.h:
1166         * inspector/ScriptDebugServer.cpp:
1167         (Inspector::ScriptDebugServer::ScriptDebugServer):
1168         * inspector/ScriptDebugServer.h:
1169
1170 2015-08-22  Filip Pizlo  <fpizlo@apple.com>
1171
1172         DFG string concatenation shouldn't be playing fast and loose with effects and OSR exit
1173         https://bugs.webkit.org/show_bug.cgi?id=148338
1174
1175         Reviewed by Michael Saboff and Saam Barati.
1176
1177         Prior to this change, DFG string concatenation appeared to have various different ways of
1178         creating an OSR exit right after a side effect. That's bad, because the exit will cause
1179         us to reexecute the side effect. The code appears to have some hacks for avoiding this,
1180         but some cases are basically unavoidable, like the OOM case of string concatenation: in
1181         trunk that could cause two executions of the toString operation.
1182
1183         This changes the string concatenation code to either be speculative or effectful but
1184         never both. It's already the case that when this code needs to be effectful, it also
1185         needs to be slow (it does int->string conversions, calls JS functions, etc). So, this is
1186         a small price to pay for sanity.
1187
1188         The biggest part of this change is the introduction of StrCat, which is like MakeRope but
1189         does toString conversions on its own instead of relying on separate nodes. StrCat can
1190         take either 2 or 3 children. It's the effectful but not speculative version of MakeRope.
1191
1192         * dfg/DFGAbstractInterpreterInlines.h:
1193         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1194         * dfg/DFGBackwardsPropagationPhase.cpp:
1195         (JSC::DFG::BackwardsPropagationPhase::propagate):
1196         * dfg/DFGByteCodeParser.cpp:
1197         (JSC::DFG::ByteCodeParser::parseBlock):
1198         * dfg/DFGClobberize.h:
1199         (JSC::DFG::clobberize):
1200         * dfg/DFGDoesGC.cpp:
1201         (JSC::DFG::doesGC):
1202         * dfg/DFGFixupPhase.cpp:
1203         (JSC::DFG::FixupPhase::fixupNode):
1204         (JSC::DFG::FixupPhase::convertStringAddUse):
1205         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
1206         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1207         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1208         * dfg/DFGNodeType.h:
1209         * dfg/DFGOperations.cpp:
1210         * dfg/DFGOperations.h:
1211         * dfg/DFGPredictionPropagationPhase.cpp:
1212         (JSC::DFG::PredictionPropagationPhase::propagate):
1213         * dfg/DFGSafeToExecute.h:
1214         (JSC::DFG::safeToExecute):
1215         * dfg/DFGSpeculativeJIT.h:
1216         (JSC::DFG::SpeculativeJIT::callOperation):
1217         (JSC::DFG::JSValueOperand::JSValueOperand):
1218         (JSC::DFG::JSValueOperand::~JSValueOperand):
1219         * dfg/DFGSpeculativeJIT32_64.cpp:
1220         (JSC::DFG::SpeculativeJIT::compile):
1221         * dfg/DFGSpeculativeJIT64.cpp:
1222         (JSC::DFG::SpeculativeJIT::compile):
1223         * dfg/DFGValidate.cpp:
1224         (JSC::DFG::Validate::validate):
1225         * ftl/FTLCapabilities.cpp:
1226         (JSC::FTL::canCompile):
1227         * ftl/FTLIntrinsicRepository.h:
1228         * ftl/FTLLowerDFGToLLVM.cpp:
1229         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1230         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
1231         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
1232         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1233         * jit/JITOperations.h:
1234         * tests/stress/exception-effect-strcat.js: Added. This test previously failed.
1235         * tests/stress/exception-in-strcat-string-overflow.js: Added. An earlier version of this patch made this fail.
1236         * tests/stress/exception-in-strcat.js: Added.
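
        The following is an added example and is not part of this ChangeLog or of the
        JavaScriptCore tests listed above. It is plain JavaScript showing the
        observable behaviour a node like StrCat has to preserve once it performs the
        toString conversions itself: each operand's toString() is a JS call that can
        have side effects or throw, the conversions happen left to right, and a throw
        in the middle must leave the earlier effects visible and skip the later ones.
        The names effectful, concat3, runConcat and countOutcomesWhileWarm are this
        example's own.

```javascript
"use strict";

// Builds an operand whose toString() records `marker` in `log` and, when
// asked, throws instead of returning a string.
function effectful(marker, log, shouldThrow = false) {
  return {
    toString() {
      log.push(marker);
      if (shouldThrow) throw new RangeError("toString of " + marker + " failed");
      return marker;
    },
  };
}

// The concatenation under test: three operands, each converted by a JS call.
function concat3(a, b, c) {
  return a + b + c;
}

// Runs concat3 with the operand at index `throwAt` throwing (-1: none) and
// reports the conversion order, the result, and the error if there was one.
function runConcat(throwAt) {
  const log = [];
  const ops = ["a", "b", "c"].map((m, i) => effectful(m, log, i === throwAt));
  let result = null;
  let error = null;
  try {
    result = concat3(ops[0], ops[1], ops[2]);
  } catch (e) {
    error = e;
  }
  return { log, result, error };
}

// Runs the four cases many times so a tiering JIT compiles concat3, and
// returns the number of distinct observable outcomes. Optimized code has to
// produce exactly the four outcomes the interpreter produced.
function countOutcomesWhileWarm(iterations = 20000) {
  const outcomes = new Set();
  for (let i = 0; i < iterations; i++) {
    const r = runConcat(i % 4 === 3 ? -1 : i % 4);
    outcomes.add(JSON.stringify([r.log, r.result, r.error && r.error.message]));
  }
  return outcomes.size;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const throwAt of [-1, 0, 1, 2]) {
    const r = runConcat(throwAt);
    console.log(throwAt, r.log.join(","), r.result, r.error && r.error.message);
  }
  console.log("distinct outcomes:", countOutcomesWhileWarm());
}
```

        runConcat(1) leaves "a" and "b" in the log, no result, and a RangeError;
        runConcat(-1) yields "abc" with all three conversions logged. The warm loop
        always reports four distinct outcomes, one per throw position, which is the
        property an effectful concatenation node must keep across compiler tiers.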
1237
1238 2015-08-22  Andreas Kling  <akling@apple.com>
1239
1240         [JSC] Static hash tables should be 100% compile-time constant.
1241         <https://webkit.org/b/148359>
1242
1243         Reviewed by Michael Saboff.
1244
1245         We were dirtying the memory pages containing static hash tables the
1246         first time they were used, when a dynamically allocated index-to-key
1247         table was built and cached in the HashTable struct.
1248
1249         It turns out that this "optimization" was completely useless, since
1250         we've long since decoupled static hash tables from the JSC::VM and
1251         we can get the key for an index via HashTable::values[index].m_key!
1252
1253         We also get rid of VM::keywords which was a little wrapper around
1254         a VM-specific copy of JSC::mainTable. There was nothing VM-specific
1255         about it at all, so clients now use JSC::mainTable directly.
1256
1257         After this change all fooHashTable structs end up in __DATA __const
1258         and no runtime initialization/allocation takes place.
1259
1260         * create_hash_table:
1261         * jsc.cpp:
1262         * parser/Lexer.cpp:
1263         (JSC::isLexerKeyword):
1264         (JSC::Lexer<LChar>::parseIdentifier):
1265         (JSC::Lexer<UChar>::parseIdentifier):
1266         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
1267         (JSC::Keywords::Keywords): Deleted.
1268         * parser/Lexer.h:
1269         (JSC::Keywords::isKeyword): Deleted.
1270         (JSC::Keywords::getKeyword): Deleted.
1271         (JSC::Keywords::~Keywords): Deleted.
1272         * runtime/LiteralParser.cpp:
1273         (JSC::LiteralParser<CharType>::tryJSONPParse):
1274         * runtime/Lookup.cpp:
1275         (JSC::HashTable::createTable): Deleted.
1276         (JSC::HashTable::deleteTable): Deleted.
1277         * runtime/Lookup.h:
1278         (JSC::HashTable::entry):
1279         (JSC::HashTable::ConstIterator::key):
1280         (JSC::HashTable::ConstIterator::skipInvalidKeys):
1281         (JSC::HashTable::copy): Deleted.
1282         (JSC::HashTable::initializeIfNeeded): Deleted.
1283         (JSC::HashTable::begin): Deleted.
1284         (JSC::HashTable::end): Deleted.
1285         * runtime/VM.cpp:
1286         (JSC::VM::VM): Deleted.
1287         * runtime/VM.h:
1288         * testRegExp.cpp:
1289
1290 2015-08-21  Commit Queue  <commit-queue@webkit.org>
1291
1292         Unreviewed, rolling out r188792 and r188803.
1293         https://bugs.webkit.org/show_bug.cgi?id=148347
1294
1295         broke lots of tests, ggaren is going to investigate and reland
1296         (Requested by thorton on #webkit).
1297
1298         Reverted changesets:
1299
1300         "Unify code paths for manually deleting all code"
1301         https://bugs.webkit.org/show_bug.cgi?id=148280
1302         http://trac.webkit.org/changeset/188792
1303
1304         "Debugger's VM should never be null"
1305         https://bugs.webkit.org/show_bug.cgi?id=148341
1306         http://trac.webkit.org/changeset/188803
1307
1308 2015-08-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1309
1310         Parse control flow statements in WebAssembly
1311         https://bugs.webkit.org/show_bug.cgi?id=148333
1312
1313         Reviewed by Geoffrey Garen.
1314
1315         Parse control flow statements in WebAssembly files generated by pack-asmjs
1316         <https://github.com/WebAssembly/polyfill-prototype-1>.
1317
1318         * wasm/WASMConstants.h:
1319         * wasm/WASMFunctionParser.cpp:
1320         (JSC::WASMFunctionParser::parseStatement):
1321         (JSC::WASMFunctionParser::parseIfStatement):
1322         (JSC::WASMFunctionParser::parseIfElseStatement):
1323         (JSC::WASMFunctionParser::parseWhileStatement):
1324         (JSC::WASMFunctionParser::parseDoStatement):
1325         (JSC::WASMFunctionParser::parseLabelStatement):
1326         (JSC::WASMFunctionParser::parseBreakStatement):
1327         (JSC::WASMFunctionParser::parseBreakLabelStatement):
1328         (JSC::WASMFunctionParser::parseContinueStatement):
1329         (JSC::WASMFunctionParser::parseContinueLabelStatement):
1330         (JSC::WASMFunctionParser::parseSwitchStatement):
1331         * wasm/WASMFunctionParser.h:
1332         (JSC::WASMFunctionParser::WASMFunctionParser):
1333         * wasm/WASMReader.cpp:
1334         (JSC::WASMReader::readCompactInt32):
1335         (JSC::WASMReader::readSwitchCase):
1336         * wasm/WASMReader.h:
1337
1338 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1339
1340         Debugger's VM should never be null
1341         https://bugs.webkit.org/show_bug.cgi?id=148341
1342
1343         Reviewed by Joseph Pecoraro.
1344
1345         It doesn't make sense for a Debugger's VM to be null, and code related
1346         to maintaining that illusion just caused the Web Inspector to crash on
1347         launch (https://bugs.webkit.org/show_bug.cgi?id=148312). So, let's stop
1348         doing that.
1349
1350         Now, Debugger requires its subclass to provide a never-null VM&.
1351
1352         Also took the opportunity, based on review feedback, to remove some
1353         confusion in the virtual recompileAllJSFunctions hierarchy, by eliminating
1354         the pure virtual in ScriptDebugServer and the unnecessary override in
1355         JSGlobalObjectScriptDebugServer.
1356
1357         * debugger/Debugger.cpp:
1358         (JSC::Debugger::Debugger):
1359         (JSC::Debugger::attach):
1360         (JSC::Debugger::detach):
1361         (JSC::Debugger::isAttached):
1362         (JSC::Debugger::setSteppingMode):
1363         (JSC::Debugger::registerCodeBlock):
1364         (JSC::Debugger::toggleBreakpoint):
1365         (JSC::Debugger::recompileAllJSFunctions):
1366         (JSC::Debugger::setBreakpoint):
1367         (JSC::Debugger::clearBreakpoints):
1368         (JSC::Debugger::clearDebuggerRequests):
1369         (JSC::Debugger::setBreakpointsActivated):
1370         (JSC::Debugger::breakProgram):
1371         (JSC::Debugger::stepOutOfFunction):
1372         (JSC::Debugger::returnEvent):
1373         (JSC::Debugger::didExecuteProgram):
1374         * debugger/Debugger.h:
1375         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1376         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
1377         (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions):
1378         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
1379         * inspector/ScriptDebugServer.cpp:
1380         (Inspector::ScriptDebugServer::ScriptDebugServer):
1381         * inspector/ScriptDebugServer.h:
1382
1383 2015-08-21  Basile Clement  <basile_clement@apple.com>
1384
1385         Remove unused code relative to allocation sinking
1386         https://bugs.webkit.org/show_bug.cgi?id=148342
1387
1388         Reviewed by Mark Lam.
1389
1390         This removes two things:
1391
1392          - The DFGPromoteHeapAccess.h file which is a relic of the old sinking
1393            phase and is no longer used (it has been subsumed by
1394            ObjectAllocationSinking::promoteLocalHeap)
1395
1396          - Code in the allocation sinking phase for sinking
1397            MaterializeCreateActivation and MaterializeNewObject. Handling those
1398            is no longer necessary since the phase no longer runs in a fixpoint
1399            and thus will never see those nodes, since no other phase creates
1400            them.
1401
1402         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1403         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1404         * JavaScriptCore.xcodeproj/project.pbxproj:
1405         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1406         * dfg/DFGPromoteHeapAccess.h: Removed.
1407
1408 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1409
1410         Unify code paths for manually deleting all code
1411         https://bugs.webkit.org/show_bug.cgi?id=148280
1412
1413         Reviewed by Saam Barati.
1414
1415         We used to have three paths for manually deleting all code. Now we have
1416         one shared path.
1417
1418         * debugger/Debugger.cpp:
1419         (JSC::Debugger::attach): Notify the debugger of all previous code when
1420         it attaches. We used to do this when recompiling, which was only correct
1421         by accident.
1422
1423         (JSC::Debugger::recompileAllJSFunctions): Switch to the shared path.
1424
1425         * heap/Heap.h:
1426         (JSC::Heap::compiledCode):
1427
1428         * inspector/agents/InspectorRuntimeAgent.cpp:
1429         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1430         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
1431         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
1432         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1433         (Inspector::TypeRecompiler::visit): Deleted.
1434         (Inspector::TypeRecompiler::operator()): Deleted.
1435         (Inspector::recompileAllJSFunctionsForTypeProfiling): Deleted. Switch
1436         to the shared path.
1437
1438         * runtime/VM.cpp:
1439         (JSC::VM::afterVMExit): Added a helper for scheduling an activity after
1440         VM exit. We can't delete code while it's on the stack, and we can't
1441         delete auxiliary profiling data while profiling code is on the stack,
1442         so in those cases, we schedule the deletion for the next time we exit.
1443
1444         (JSC::VM::deleteAllCode): Use afterVMExit because we might have code
1445         on the stack when debugger, profiler, or watchdog state changes.
1446
1447         * runtime/VM.h:
1448
1449         * runtime/VMEntryScope.cpp:
1450         (JSC::VMEntryScope::VMEntryScope):
1451         (JSC::VMEntryScope::addDidPopListener):
1452         (JSC::VMEntryScope::~VMEntryScope):
1453         (JSC::VMEntryScope::setEntryScopeDidPopListener): Deleted.
1454         * runtime/VMEntryScope.h:
1455         (JSC::VMEntryScope::globalObject): Removed the uniquing feature from
1456         the scope pop listener list because we don't have a client that wants
1457         it, and it's not convenient to use correctly since you can't take
1458         the address of a member function, a lambda, or an std::function. We can
1459         add this feature back if we discover that we want it.
1460
1461 2015-08-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1462
1463         Implement WebAssembly function parser
1464         https://bugs.webkit.org/show_bug.cgi?id=147738
1465
1466         Reviewed by Filip Pizlo.
1467
1468         Implement WebAssembly function parser for WebAssembly files produced by pack-asmjs
1469         <https://github.com/WebAssembly/polyfill-prototype-1>. This patch parses only
1470         some instructions on statements and int32 expressions. Parsing of the rest
1471         will be implemented in subsequent patches. The instruction lists in WASMConstants.h
1472         are slightly modified from
1473         <https://github.com/WebAssembly/polyfill-prototype-1/blob/master/src/shared.h>.
1474
1475         * CMakeLists.txt:
1476         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1477         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1478         * JavaScriptCore.xcodeproj/project.pbxproj:
1479         * wasm/WASMConstants.h: Added.
1480         * wasm/WASMFormat.h:
1481         * wasm/WASMFunctionParser.cpp: Added.
1482         (JSC::WASMFunctionParser::checkSyntax):
1483         (JSC::WASMFunctionParser::parseFunction):
1484         (JSC::WASMFunctionParser::parseLocalVariables):
1485         (JSC::WASMFunctionParser::parseStatement):
1486         (JSC::WASMFunctionParser::parseSetLocalStatement):
1487         (JSC::WASMFunctionParser::parseReturnStatement):
1488         (JSC::WASMFunctionParser::parseBlockStatement):
1489         (JSC::WASMFunctionParser::parseExpression):
1490         (JSC::WASMFunctionParser::parseExpressionI32):
1491         (JSC::WASMFunctionParser::parseImmediateExpressionI32):
1492         * wasm/WASMFunctionParser.h: Added.
1493         (JSC::WASMFunctionParser::WASMFunctionParser):
1494         * wasm/WASMFunctionSyntaxChecker.h: Renamed from Source/JavaScriptCore/wasm/WASMMagicNumber.h.
1495         * wasm/WASMModuleParser.cpp:
1496         (JSC::WASMModuleParser::WASMModuleParser):
1497         (JSC::WASMModuleParser::parseFunctionDefinitionSection):
1498         (JSC::WASMModuleParser::parseFunctionDefinition):
1499         * wasm/WASMModuleParser.h:
1500         * wasm/WASMReader.cpp:
1501         (JSC::WASMReader::readType):
1502         (JSC::WASMReader::readExpressionType):
1503         (JSC::WASMReader::readExportFormat):
1504         (JSC::WASMReader::readOpStatement):
1505         (JSC::WASMReader::readOpExpressionI32):
1506         (JSC::WASMReader::readVariableTypes):
1507         (JSC::WASMReader::readOp):
1508         * wasm/WASMReader.h:
1509         (JSC::WASMReader::offset):
1510         (JSC::WASMReader::setOffset):
1511
1512 2015-08-21  Filip Pizlo  <fpizlo@apple.com>
1513
1514         DFG::PutStackSinkingPhase doesn't need to emit KillStack nodes
1515         https://bugs.webkit.org/show_bug.cgi?id=148331
1516
1517         Reviewed by Geoffrey Garen.
1518
1519         PutStackSinkingPhase previously emitted a KillStack node when it sank a PutStack. This
1520         isn't necessary because KillStack is only interesting for OSR exit, and PutStack nodes
1521         that are relevant to OSR will already be preceded by a KillStack/MovHint pair.
1522
1523         * dfg/DFGPutStackSinkingPhase.cpp:
1524
1525 2015-08-21  Filip Pizlo  <fpizlo@apple.com>
1526
1527         DFG::NodeOrigin should have a flag determining if exiting is OK right now
1528         https://bugs.webkit.org/show_bug.cgi?id=148323
1529
1530         Reviewed by Saam Barati.
1531
1532         * dfg/DFGByteCodeParser.cpp:
1533         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
1534         (JSC::DFG::ByteCodeParser::branchData):
1535         * dfg/DFGInsertionSet.h:
1536         (JSC::DFG::InsertionSet::insertConstant):
1537         (JSC::DFG::InsertionSet::insertConstantForUse):
1538         (JSC::DFG::InsertionSet::insertBottomConstantForUse):
1539         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1540         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1541         * dfg/DFGLICMPhase.cpp:
1542         (JSC::DFG::LICMPhase::attemptHoist):
1543         * dfg/DFGNodeOrigin.h:
1544         (JSC::DFG::NodeOrigin::NodeOrigin):
1545         (JSC::DFG::NodeOrigin::isSet):
1546         (JSC::DFG::NodeOrigin::withSemantic):
1547         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1548
1549 2015-08-21  Saam barati  <sbarati@apple.com>
1550
1551         DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks
1552         https://bugs.webkit.org/show_bug.cgi?id=147988
1553
1554         Reviewed by Geoffrey Garen.
1555
1556         This is in preparation for the DFG being able to handle exceptions. 
1557         To do this, we need more control over when we emit exception checks.
1558         Specifically, we want to be able to silentFill before emitting an exception check.
1559         This patch does that. This patch also allows us to easily see which
1560         operations do and do not emit exception checks. Finding this information
1561         out before was a pain.
1562
1563         * assembler/AbortReason.h:
1564         * dfg/DFGArrayifySlowPathGenerator.h:
1565         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1566         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1567         * dfg/DFGJITCompiler.h:
1568         (JSC::DFG::JITCompiler::appendCall):
1569         (JSC::DFG::JITCompiler::exceptionCheck):
1570         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1571         * dfg/DFGSlowPathGenerator.h:
1572         (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
1573         (JSC::DFG::CallSlowPathGenerator::tearDown):
1574         (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::CallResultAndNoArgumentsSlowPathGenerator):
1575         (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::CallResultAndOneArgumentSlowPathGenerator):
1576         (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::CallResultAndTwoArgumentsSlowPathGenerator):
1577         (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::CallResultAndThreeArgumentsSlowPathGenerator):
1578         (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::CallResultAndFourArgumentsSlowPathGenerator):
1579         (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::CallResultAndFiveArgumentsSlowPathGenerator):
1580         (JSC::DFG::slowPathCall):
1581         * dfg/DFGSpeculativeJIT.cpp:
1582         (JSC::DFG::SpeculativeJIT::compileIn):
1583         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1584         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1585         (JSC::DFG::SpeculativeJIT::compileArithRound):
1586         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1587         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1588         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1589         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1590         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
1591         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1592         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1593         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1594         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
1595         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1596         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1597         * dfg/DFGSpeculativeJIT.h:
1598         (JSC::DFG::SpeculativeJIT::callOperation):
1599         (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
1600         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
1601         (JSC::DFG::SpeculativeJIT::appendCall):
1602         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1603         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1604         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1605         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck): Deleted.
1606         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult): Deleted.
1607         * dfg/DFGSpeculativeJIT32_64.cpp:
1608         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1609         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
1610         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1611         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1612         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1613         (JSC::DFG::SpeculativeJIT::emitCall):
1614         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1615         (JSC::DFG::SpeculativeJIT::compile):
1616         * dfg/DFGSpeculativeJIT64.cpp:
1617         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1618         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
1619         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1620         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1621         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1622         (JSC::DFG::SpeculativeJIT::emitCall):
1623         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1624         (JSC::DFG::SpeculativeJIT::compile):
1625         * ftl/FTLIntrinsicRepository.h:
1626         * ftl/FTLLowerDFGToLLVM.cpp:
1627         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1628         * jit/AssemblyHelpers.cpp:
1629         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1630         (JSC::AssemblyHelpers::jitAssertNoException):
1631         (JSC::AssemblyHelpers::callExceptionFuzz):
1632         (JSC::AssemblyHelpers::emitExceptionCheck):
1633         * jit/AssemblyHelpers.h:
1634         (JSC::AssemblyHelpers::jitAssertIsInt32):
1635         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1636         (JSC::AssemblyHelpers::jitAssertIsNull):
1637         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1638         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1639         (JSC::AssemblyHelpers::jitAssertNoException):
1640         * jit/JITOperations.cpp:
1641         * jit/JITOperations.h:
1642         * runtime/VM.h:
1643         (JSC::VM::scratchBufferForSize):
1644         (JSC::VM::exceptionFuzzingBuffer):
1645
1646 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1647
1648         REGRESSION (r188714): RELEASE_ASSERT in JSC::Heap::incrementDeferralDepth() opening Web Inspector on daringfireball.net
1649         https://bugs.webkit.org/show_bug.cgi?id=148312
1650
1651         Reviewed by Mark Lam.
1652
1653         * debugger/Debugger.cpp:
1654         (JSC::Debugger::recompileAllJSFunctions): Use our vm argument instead of
1655         m_vm because sometimes they are different and m_vm is null. (This behavior
1656         is very strange, and we should probably eliminate it -- but we need a 
1657         fix for this serious regression right now.)
1658
1659 2015-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1660
1661         [ES6] prototyping module loader in JSC shell
1662         https://bugs.webkit.org/show_bug.cgi?id=147876
1663
1664         Reviewed by Saam Barati.
1665
1666         This patch implements ES6 Module Loader part. The implementation is based on
1667         the latest draft[1, 2]. The naive implementation poses several problems.
1668         This patch attempts to solve the spec issues and proposes the fix[3, 4, 5].
1669
1670         We construct the JSC internal module loader based on the ES6 Promises.
1671         The chain of the promises represents the dependency graph of the modules and
1672         it automatically enables asynchronous module fetching.
1673         To leverage the Promises internally, we use the InternalPromise landed in r188681.
1674
1675         The loader has several platform-dependent hooks. The platform can implement
1676         these hooks to provide the functionality missing in the module loaders, like
1677         "how to fetch the resources". The method table of the JSGlobalObject is extended
1678         to accept these hooks from the platform.
1679
        This patch focuses on the loading part. So we don't create the module environment
1681         and don't link the modules yet.
1682
1683         To test the current module progress easily, we add the `-m` option to the JSC shell.
        When this option is specified, we load the given script as a module. And to use
1685         the module loading inside the JSC shell, we added the simple loader hook for fetching.
1686         It fetches the module content from the file system.
1687
1688         And to use the ES6 Map in the Loader implementation, we added @get and @set methods to the Map.
1689         But it conflicts with the existing `getPrivateName` method. Rename it to `lookUpPrivateName`.
1690
1691         [1]: https://whatwg.github.io/loader/
1692         [2]: https://github.com/whatwg/loader/commit/214c7a6625b445bdf411c39984f36f01139a24be
1693         [3]: https://github.com/whatwg/loader/pull/66
1694         [4]: https://github.com/whatwg/loader/pull/67
1695         [5]: https://github.com/whatwg/loader/issues/68
1696         [6]: https://bugs.webkit.org/show_bug.cgi?id=148136
1697
1698         * CMakeLists.txt:
1699         * DerivedSources.make:
1700         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1701         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1702         * JavaScriptCore.xcodeproj/project.pbxproj:
1703         * builtins/BuiltinNames.h:
1704         (JSC::BuiltinNames::lookUpPrivateName):
1705         (JSC::BuiltinNames::lookUpPublicName):
1706         (JSC::BuiltinNames::getPrivateName): Deleted.
1707         (JSC::BuiltinNames::getPublicName): Deleted.
1708         * builtins/ModuleLoaderObject.js: Added.
1709         (setStateToMax):
1710         (newRegistryEntry):
1711         (forceFulfillPromise):
1712         (fulfillFetch):
1713         (fulfillTranslate):
1714         (fulfillInstantiate):
1715         (instantiation):
1716         (requestFetch):
1717         (requestTranslate):
1718         (requestInstantiate):
1719         (requestResolveDependencies.resolveDependenciesPromise.this.requestInstantiate.then.):
1720         (requestResolveDependencies.resolveDependenciesPromise.this.requestInstantiate.then):
1721         (requestResolveDependencies):
1722         (requestInstantiateAll):
1723         (provide):
1724         * jsc.cpp:
1725         (stringFromUTF):
1726         (jscSource):
1727         (GlobalObject::moduleLoaderFetch):
1728         (functionCheckModuleSyntax):
1729         (dumpException):
1730         (runWithScripts):
1731         (printUsageStatement):
1732         (CommandLine::parseArguments):
1733         (jscmain):
1734         (CommandLine::CommandLine): Deleted.
1735         * parser/Lexer.cpp:
1736         (JSC::Lexer<LChar>::parseIdentifier):
1737         (JSC::Lexer<UChar>::parseIdentifier):
1738         * parser/ModuleAnalyzer.cpp:
1739         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1740         (JSC::ModuleAnalyzer::exportVariable):
1741         (JSC::ModuleAnalyzer::analyze):
1742         * parser/ModuleAnalyzer.h:
1743         (JSC::ModuleAnalyzer::moduleRecord):
1744         * parser/ModuleRecord.cpp:
1745         (JSC::printableName): Deleted.
1746         (JSC::ModuleRecord::dump): Deleted.
1747         * parser/ModuleRecord.h:
1748         (JSC::ModuleRecord::ImportEntry::isNamespace): Deleted.
1749         (JSC::ModuleRecord::create): Deleted.
1750         (JSC::ModuleRecord::appendRequestedModule): Deleted.
1751         (JSC::ModuleRecord::addImportEntry): Deleted.
1752         (JSC::ModuleRecord::addExportEntry): Deleted.
1753         (JSC::ModuleRecord::addStarExportEntry): Deleted.
1754         * parser/Nodes.h:
1755         * parser/NodesAnalyzeModule.cpp:
1756         (JSC::ImportDeclarationNode::analyzeModule):
1757         (JSC::ExportAllDeclarationNode::analyzeModule):
1758         (JSC::ExportNamedDeclarationNode::analyzeModule):
1759         * runtime/CommonIdentifiers.cpp:
1760         (JSC::CommonIdentifiers::lookUpPrivateName):
1761         (JSC::CommonIdentifiers::lookUpPublicName):
1762         (JSC::CommonIdentifiers::getPrivateName): Deleted.
1763         (JSC::CommonIdentifiers::getPublicName): Deleted.
1764         * runtime/CommonIdentifiers.h:
1765         * runtime/Completion.cpp:
1766         (JSC::checkModuleSyntax):
1767         (JSC::evaluateModule):
1768         * runtime/Completion.h:
1769         * runtime/ExceptionHelpers.cpp:
1770         (JSC::createUndefinedVariableError):
1771         * runtime/Identifier.h:
1772         * runtime/JSGlobalObject.cpp:
1773         (JSC::JSGlobalObject::init):
1774         (JSC::JSGlobalObject::visitChildren):
1775         * runtime/JSGlobalObject.h:
1776         (JSC::JSGlobalObject::moduleLoader):
1777         (JSC::JSGlobalObject::moduleRecordStructure):
1778         * runtime/JSModuleRecord.cpp: Renamed from Source/JavaScriptCore/parser/ModuleRecord.cpp.
1779         (JSC::JSModuleRecord::destroy):
1780         (JSC::JSModuleRecord::finishCreation):
1781         (JSC::printableName):
1782         (JSC::JSModuleRecord::dump):
1783         * runtime/JSModuleRecord.h: Renamed from Source/JavaScriptCore/parser/ModuleRecord.h.
1784         (JSC::JSModuleRecord::ImportEntry::isNamespace):
1785         (JSC::JSModuleRecord::createStructure):
1786         (JSC::JSModuleRecord::create):
1787         (JSC::JSModuleRecord::requestedModules):
1788         (JSC::JSModuleRecord::JSModuleRecord):
1789         (JSC::JSModuleRecord::appendRequestedModule):
1790         (JSC::JSModuleRecord::addImportEntry):
1791         (JSC::JSModuleRecord::addExportEntry):
1792         (JSC::JSModuleRecord::addStarExportEntry):
1793         * runtime/MapPrototype.cpp:
1794         (JSC::MapPrototype::finishCreation):
1795         * runtime/ModuleLoaderObject.cpp: Added.
1796         (JSC::ModuleLoaderObject::ModuleLoaderObject):
1797         (JSC::ModuleLoaderObject::finishCreation):
1798         (JSC::ModuleLoaderObject::getOwnPropertySlot):
1799         (JSC::printableModuleKey):
1800         (JSC::ModuleLoaderObject::provide):
1801         (JSC::ModuleLoaderObject::requestInstantiateAll):
1802         (JSC::ModuleLoaderObject::resolve):
1803         (JSC::ModuleLoaderObject::fetch):
1804         (JSC::ModuleLoaderObject::translate):
1805         (JSC::ModuleLoaderObject::instantiate):
1806         (JSC::moduleLoaderObjectParseModule):
1807         (JSC::moduleLoaderObjectRequestedModules):
1808         (JSC::moduleLoaderObjectResolve):
1809         (JSC::moduleLoaderObjectFetch):
1810         (JSC::moduleLoaderObjectTranslate):
1811         (JSC::moduleLoaderObjectInstantiate):
1812         * runtime/ModuleLoaderObject.h: Added.
1813         (JSC::ModuleLoaderObject::create):
1814         (JSC::ModuleLoaderObject::createStructure):
1815         * runtime/Options.h:
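
        Added example, not JavaScriptCore's ModuleLoaderObject.js: a minimal loader in
        plain JavaScript with the shape described above. One registry entry per module
        key memoizes one promise per stage (fetch, instantiate, resolveDependencies),
        so the promise chains are the dependency graph, sibling fetches overlap, a
        module imported from several places is fetched once, and an import cycle
        cannot deadlock the loader. The hook names, the in-memory sources and the toy
        `import "specifier";` syntax are this example's own, standing in for the
        shell's file-system fetch hook.

```javascript
"use strict";

class ToyModuleLoader {
  constructor(hooks) {
    this.hooks = hooks;         // platform hooks: resolve, fetch, instantiate
    this.registry = new Map();  // module key -> registry entry
  }

  ensureRegistered(key) {
    if (!this.registry.has(key)) {
      this.registry.set(key, { key, fetch: null, instantiate: null,
                               resolveDependencies: null, module: null, dependencies: [] });
    }
    return this.registry.get(key);
  }

  // Stage 1: fetch the source. The promise is memoized on the entry, so a
  // module imported from several places is fetched once.
  requestFetch(key) {
    const entry = this.ensureRegistered(key);
    if (!entry.fetch) entry.fetch = Promise.resolve(key).then(k => this.hooks.fetch(k));
    return entry.fetch;
  }

  // Stage 2: parse the source into a module record listing requested modules.
  requestInstantiate(key) {
    const entry = this.ensureRegistered(key);
    if (!entry.instantiate) {
      entry.instantiate = this.requestFetch(key).then(source => {
        entry.module = this.hooks.instantiate(key, source);
        return entry;
      });
    }
    return entry.instantiate;
  }

  // Stage 3: resolve and instantiate the direct dependencies. Siblings are
  // requested together, so their fetches overlap instead of serializing.
  requestResolveDependencies(key) {
    const entry = this.ensureRegistered(key);
    if (!entry.resolveDependencies) {
      entry.resolveDependencies = this.requestInstantiate(key)
        .then(() => Promise.all(entry.module.requestedModules.map(spec =>
          this.requestInstantiate(this.hooks.resolve(spec, key))
            .then(dep => { entry.dependencies.push(dep); }))))
        .then(() => entry);
    }
    return entry.resolveDependencies;
  }

  // Walk the graph transitively. The visited set is what keeps an import
  // cycle (a -> b -> a) from waiting on its own promise forever.
  requestInstantiateAll(key, visited = new Set()) {
    if (visited.has(key)) return Promise.resolve(this.ensureRegistered(key));
    visited.add(key);
    return this.requestResolveDependencies(key).then(entry =>
      Promise.all(entry.dependencies.map(dep => this.requestInstantiateAll(dep.key, visited)))
        .then(() => entry));
  }
}

// Constructed in-memory sources standing in for the shell's file-system fetch
// hook; the toy module syntax is just `import "specifier";` lines.
const SOURCES = {
  "/main.js": 'import "./a.js";\nimport "./b.js";\nexport const main = 1;',
  "/a.js": 'import "./b.js";\nexport const a = 1;',
  "/b.js": 'import "./a.js";\nexport const b = 1;',  // a <-> b import cycle
};

function makeHooks(fetchLog) {
  return {
    resolve(spec, referrer) {  // "./a.js" relative to "/main.js" -> "/a.js"
      return referrer.slice(0, referrer.lastIndexOf("/") + 1) + spec.replace(/^\.\//, "");
    },
    fetch(key) {               // own-property check, so "toString" is not a module
      fetchLog.push(key);
      return Object.prototype.hasOwnProperty.call(SOURCES, key)
        ? Promise.resolve(SOURCES[key])
        : Promise.reject(new Error("no module " + key));
    },
    instantiate(key, source) { // toy parser: collect the import specifiers
      const requestedModules = [...source.matchAll(/^import\s+"([^"]+)";/gm)].map(m => m[1]);
      return { key, requestedModules };
    },
  };
}

// Loads the graph rooted at rootKey and reports what was fetched and the
// resolved dependencies of every registry entry.
function loadGraph(rootKey) {
  const fetchLog = [];
  const loader = new ToyModuleLoader(makeHooks(fetchLog));
  return loader.requestInstantiateAll(rootKey).then(() => ({
    fetchLog,
    dependencies: Object.fromEntries([...loader.registry.values()]
      .map(e => [e.key, e.dependencies.map(d => d.key).sort()])),
  }));
}
```

        loadGraph("/main.js") resolves to a fetch log containing each of the three
        keys exactly once and a map from every module to its sorted dependencies, with
        /a.js and /b.js pointing at each other; loadGraph("/missing.js") rejects with
        the fetch hook's error, which propagates through the promise chain to the
        caller instead of being swallowed.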
1816
1817 2015-08-20  Filip Pizlo  <fpizlo@apple.com>
1818
1819         DFG should have a KnownBooleanUse for cases where we are required to know that the child is a boolean and it's not OK to speculate
1820         https://bugs.webkit.org/show_bug.cgi?id=148286
1821
1822         Reviewed by Benjamin Poulain.
1823
1824         This enables us to ensure that the Branch or LogicalNot after an effectful CompareXYZ can
1825         be marked as !mayExit(). I need that for https://bugs.webkit.org/show_bug.cgi?id=145204.
1826
1827         * dfg/DFGFixupPhase.cpp:
1828         (JSC::DFG::FixupPhase::fixupNode):
1829         (JSC::DFG::FixupPhase::observeUseKindOnNode):
1830         * dfg/DFGSafeToExecute.h:
1831         (JSC::DFG::SafeToExecuteEdge::operator()):
1832         * dfg/DFGSpeculativeJIT.cpp:
1833         (JSC::DFG::SpeculativeJIT::speculate):
1834         * dfg/DFGSpeculativeJIT.h:
1835         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
1836         * dfg/DFGSpeculativeJIT32_64.cpp:
1837         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1838         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1839         (JSC::DFG::SpeculativeJIT::emitBranch):
1840         * dfg/DFGSpeculativeJIT64.cpp:
1841         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1842         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1843         (JSC::DFG::SpeculativeJIT::emitBranch):
1844         * dfg/DFGUseKind.cpp:
1845         (WTF::printInternal):
1846         * dfg/DFGUseKind.h:
1847         (JSC::DFG::typeFilterFor):
1848         (JSC::DFG::shouldNotHaveTypeCheck):
1849         * ftl/FTLCapabilities.cpp:
1850         (JSC::FTL::canCompile):
1851         * ftl/FTLLowerDFGToLLVM.cpp:
1852         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1853         (JSC::FTL::DFG::LowerDFGToLLVM::lowBoolean):
1854
1855 2015-08-20  Filip Pizlo  <fpizlo@apple.com>
1856
1857         Overflow check elimination fails for a simple test case
1858         https://bugs.webkit.org/show_bug.cgi?id=147387
1859
1860         Reviewed by Benjamin Poulain.
1861
1862         Overflow check elimination was having issues when things got constant-folded, because whereas an
1863         Add or LessThan operation teaches us about relationships between the things being added or
1864         compared, we don't do that when we see a JSConstant. We don't create a relationship between every
1865         JSConstant and every other JSConstant. So, if we constant-fold an Add, we forget the relationships
1866         that it would have had with its inputs.
1867
1868         One solution would be to have every JSConstant create a relationship with every other JSConstant.
1869         This is dangerous, since it would create O(n^2) explosion of relationships.
1870
1871         Instead, this patch teaches filtration and merging how to behave "as if" there were inter-constant
1872         relationships. Normally those operations only work on two relationships involving the same node
1873         pair. But now, if we have @x op @c and @x op @d, where @c and @d are different nodes but both are
1874         constants, we will do merging or filtering by grokking the constant values.
1875
1876         This speeds up lots of tests in JSRegress, because it enables overflow check elimination on things
1877         like:
1878
1879         for (var i = 0; i < 100; ++i)
1880
1881         Previously, the fact that this was all constants would throw off the analysis because the analysis
1882         wouldn't "know" that 0 < 100.
1883
1884         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1885
1886 2015-08-20  Geoffrey Garen  <ggaren@apple.com>
1887
1888         forEachCodeBlock should wait for all CodeBlocks automatically
1889         https://bugs.webkit.org/show_bug.cgi?id=148255
1890
1891         Add back a line of code I deleted by accident in my last patch due to
1892         incorrect merge.
1893
1894         Unreviewed.
1895
1896         * runtime/VM.cpp:
1897         (JSC::VM::deleteAllCode):
1898
1899 2015-08-20  Geoffrey Garen  <ggaren@apple.com>
1900
1901         forEachCodeBlock should wait for all CodeBlocks automatically
1902         https://bugs.webkit.org/show_bug.cgi?id=148255
1903
1904         Reviewed by Saam Barati.
1905
1906         Previously, all clients needed to wait manually before calling
1907         forEachCodeBlock. That's easy to get wrong, and at least one place
1908         got it wrong. Let's do this automatically instead.
1909
1910         * debugger/Debugger.cpp:
1911         (JSC::Debugger::Debugger):
1912         (JSC::Debugger::setSteppingMode):
1913         (JSC::Debugger::toggleBreakpoint): No need to wait manually;
1914         forEachCodeBlock will do it automatically now.
1915
1916         (JSC::Debugger::recompileAllJSFunctions): We still need to wait manually
1917         here because this is an iteration of the heap, which does not wait
1918         automatically. Use the new helper function for waiting.
1919
1920         (JSC::Debugger::clearBreakpoints):
1921         (JSC::Debugger::clearDebuggerRequests):
1922         (JSC::Debugger::setBreakpointsActivated):
1923         (JSC::Debugger::forEachCodeBlock): Deleted. No need to wait manually.
1924
1925         * debugger/Debugger.h:
1926
1927         * dfg/DFGWorklist.cpp:
1928         (JSC::DFG::completeAllPlansForVM):
1929         * dfg/DFGWorklist.h:
1930         (JSC::DFG::completeAllPlansForVM): Added a helper function that replaces
1931         vm.prepareToDeleteCode. This new function is clearer because we need
1932         to call it sometimes even if we are not going to delete code.
1933
1934         * heap/HeapInlines.h:
1935         (JSC::Heap::forEachCodeBlock): Moved.
1936
1937         * inspector/agents/InspectorRuntimeAgent.cpp:
1938         (Inspector::recompileAllJSFunctionsForTypeProfiling): Use the new helper
1939         function.
1940
1941         * runtime/JSCInlines.h:
1942         (JSC::Heap::forEachCodeBlock): Do the waiting automatically.
1943
1944         * runtime/VM.cpp:
1945         (JSC::VM::stopSampling):
1946         (JSC::VM::deleteAllCode):
1947         (JSC::VM::setEnabledProfiler):
1948         (JSC::VM::prepareToDeleteCode): Deleted.
1949         * runtime/VM.h: No need to wait manually.
1950
1951 2015-08-20  Commit Queue  <commit-queue@webkit.org>
1952
1953         Unreviewed, rolling out r188675.
1954         https://bugs.webkit.org/show_bug.cgi?id=148244
1955
1956         "caused a 17% Mac PLT regression" (Requested by ggaren on
1957         #webkit).
1958
1959         Reverted changeset:
1960
1961         "clearCode() should clear code"
1962         https://bugs.webkit.org/show_bug.cgi?id=148203
1963         http://trac.webkit.org/changeset/188675
1964
1965 2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1966
1967         Introduce put_by_id like IC into put_by_val when the given name is String or Symbol
1968         https://bugs.webkit.org/show_bug.cgi?id=147760
1969
1970         Reviewed by Filip Pizlo.
1971
1972         This patch adds put_by_id IC to put_by_val by caching the one candidate id;
1973         it is the same thing as the get_by_val IC extension.
1974         It will encourage the use of ES6 Symbols and ES6 computed properties in the object literals.
1975
1976         In this patch, we leverage the existing CheckIdent and PutById / PutByVal in DFG,
1977         so this patch does not change FTL because the above operations are already supported in FTL.
1978
1979         And this patch also includes refactoring to leverage byValInfo->slowPathCount in the cached Id path.
1980
1981         Performance results report there's no regression in the existing tests. And in the synthetic
1982         benchmarks created by modifying put-by-id to put-by-val, we can see significant performance
1983         improvements up to 13.9x.
1984
1985         * bytecode/PutByIdStatus.cpp:
1986         (JSC::PutByIdStatus::computeForStubInfo):
1987         * bytecode/PutByIdStatus.h:
1988         * dfg/DFGByteCodeParser.cpp:
1989         (JSC::DFG::ByteCodeParser::parseBlock):
1990         * jit/JIT.h:
1991         (JSC::JIT::compilePutByValWithCachedId):
1992         * jit/JITOperations.cpp:
1993         (JSC::getByVal):
1994         (JSC::tryGetByValOptimize):
1995         * jit/JITOperations.h:
1996         * jit/JITPropertyAccess.cpp:
1997         (JSC::JIT::emitGetByValWithCachedId):
1998         (JSC::JIT::emit_op_put_by_val):
1999         (JSC::JIT::emitPutByValWithCachedId):
2000         (JSC::JIT::emitSlow_op_put_by_val):
2001         (JSC::JIT::emitIdentifierCheck):
2002         (JSC::JIT::privateCompilePutByValWithCachedId):
2003         * jit/JITPropertyAccess32_64.cpp:
2004         (JSC::JIT::emitGetByValWithCachedId):
2005         (JSC::JIT::emit_op_put_by_val):
2006         (JSC::JIT::emitPutByValWithCachedId):
2007         (JSC::JIT::emitSlow_op_put_by_val):
2008         * tests/stress/put-by-val-with-string-break.js: Added.
2009         (shouldBe):
2010         (assign):
2011         * tests/stress/put-by-val-with-string-generated.js: Added.
2012         (shouldBe):
2013         (gen1):
2014         (gen2):
2015         (assign):
2016         * tests/stress/put-by-val-with-string-generic.js: Added.
2017         (shouldBe):
2018         (assign):
2019         * tests/stress/put-by-val-with-symbol-break.js: Added.
2020         (shouldBe):
2021         (assign):
2022         * tests/stress/put-by-val-with-symbol-generic.js: Added.
2023         (shouldBe):
2024         (assign):
2025
2026 2015-08-20  Alex Christensen  <achristensen@webkit.org>
2027
2028         Clean up CMake build after r188673
2029         https://bugs.webkit.org/show_bug.cgi?id=148234
2030
2031         Reviewed by Tim Horton.
2032
2033         * shell/PlatformWin.cmake:
2034         Define WIN_CAIRO so the WinCairo jsc.exe can find the correct dlls.
2035
2036 2015-08-20  Mark Lam  <mark.lam@apple.com>
2037
2038         A watchdog test is failing on Windows.
2039         https://bugs.webkit.org/show_bug.cgi?id=148228
2040
2041         Reviewed by Brent Fulgham.
2042
2043         The test just needed a little more time because Windows' timer resolution is low.
2044         After increasing the test deadlines, the test started passing.
2045
2046         * API/tests/ExecutionTimeLimitTest.cpp:
2047         (testExecutionTimeLimit):
2048
2049 2015-08-20  Mark Lam  <mark.lam@apple.com>
2050
2051         Fixed some warnings on Windows.
2052         https://bugs.webkit.org/show_bug.cgi?id=148224
2053
2054         Reviewed by Brent Fulgham.
2055
2056         The Windows build was complaining that function params were hiding a global variable.
2057         Since the function params were unused, I resolved this by removing the param names.
2058
2059         * API/tests/ExecutionTimeLimitTest.cpp:
2060         (currentCPUTimeAsJSFunctionCallback):
2061         (shouldTerminateCallback):
2062         (cancelTerminateCallback):
2063         (extendTerminateCallback):
2064
2065 2015-08-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2066
2067         Add InternalPromise to use Promises safely in the internals
2068         https://bugs.webkit.org/show_bug.cgi?id=148136
2069
2070         Reviewed by Saam Barati.
2071
2072         This patch implements InternalPromise.
2073         It is a completely different instance set (constructor, prototype, instance),
2074         but it has the same features as Promise.
2075
2076         In the Promise operations, when resolving the promise with the returned promise
2077         from the fulfill handler, we need to look up "then" method.
2078
2079         e.g.
2080             var p3 = p1.then(function handler(...) {
2081                 return p2;
2082             });
2083
2084         When handler is executed, we retrieve the returned `p2` promise. And to resolve
2085         the returned promise by "then" method (that is `p3`), we construct the chain by executing
2086         `p2.then(resolving function for p3)`. So if the user modifies Promise.prototype.then,
2087         we can observe the internal operations.
2088
2089         By using InternalPromise, we completely hide InternalPromise.prototype from the users.
2090         It allows JSC to use Promises internally; even if the user modifies / overrides
2091         the Promise.prototype.then function, it does not affect InternalPromise.
2092
2093         One limitation is that the implementation needs to take care not to leak the InternalPromise instance
2094         to the user space.
2095
2096         * CMakeLists.txt:
2097         * DerivedSources.make:
2098         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2099         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2100         * JavaScriptCore.xcodeproj/project.pbxproj:
2101         * builtins/InternalPromiseConstructor.js: Added.
2102         (internalAll.newResolveElement):
2103         (internalAll):
2104         * builtins/Operations.Promise.js:
2105         (newPromiseDeferred): Deleted.
2106         * builtins/PromiseConstructor.js:
2107         (privateAll.newResolveElement): Deleted.
2108         (privateAll): Deleted.
2109         * runtime/CommonIdentifiers.h:
2110         * runtime/JSGlobalObject.cpp:
2111         (JSC::JSGlobalObject::init):
2112         (JSC::JSGlobalObject::visitChildren):
2113         * runtime/JSGlobalObject.h:
2114         (JSC::JSGlobalObject::promiseConstructor):
2115         (JSC::JSGlobalObject::internalPromiseConstructor):
2116         (JSC::JSGlobalObject::newPromiseCapabilityFunction):
2117         (JSC::JSGlobalObject::newPromiseDeferredFunction): Deleted.
2118         * runtime/JSInternalPromise.cpp: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.h.
2119         (JSC::JSInternalPromise::create):
2120         (JSC::JSInternalPromise::createStructure):
2121         (JSC::JSInternalPromise::JSInternalPromise):
2122         * runtime/JSInternalPromise.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
2123         * runtime/JSInternalPromiseConstructor.cpp: Added.
2124         (JSC::JSInternalPromiseConstructor::create):
2125         (JSC::JSInternalPromiseConstructor::createStructure):
2126         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
2127         (JSC::constructPromise):
2128         (JSC::JSInternalPromiseConstructor::getConstructData):
2129         (JSC::JSInternalPromiseConstructor::getCallData):
2130         (JSC::JSInternalPromiseConstructor::getOwnPropertySlot):
2131         * runtime/JSInternalPromiseConstructor.h: Copied from Source/JavaScriptCore/runtime/JSPromiseConstructor.h.
2132         * runtime/JSInternalPromiseDeferred.cpp: Added.
2133         (JSC::JSInternalPromiseDeferred::create):
2134         (JSC::JSInternalPromiseDeferred::JSInternalPromiseDeferred):
2135         (JSC::JSInternalPromiseDeferred::promise):
2136         * runtime/JSInternalPromiseDeferred.h: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.h.
2137         * runtime/JSInternalPromisePrototype.cpp: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.cpp.
2138         (JSC::JSInternalPromisePrototype::create):
2139         (JSC::JSInternalPromisePrototype::createStructure):
2140         (JSC::JSInternalPromisePrototype::JSInternalPromisePrototype):
2141         * runtime/JSInternalPromisePrototype.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
2142         * runtime/JSPromise.cpp:
2143         (JSC::JSPromise::create):
2144         (JSC::JSPromise::JSPromise):
2145         (JSC::JSPromise::initialize):
2146         * runtime/JSPromise.h:
2147         * runtime/JSPromiseConstructor.cpp:
2148         (JSC::JSPromiseConstructor::JSPromiseConstructor):
2149         (JSC::constructPromise):
2150         (JSC::JSPromiseConstructor::getOwnPropertySlot):
2151         (JSC::JSPromiseConstructor::finishCreation): Deleted.
2152         * runtime/JSPromiseConstructor.h:
2153         * runtime/JSPromiseDeferred.cpp:
2154         (JSC::newPromiseCapability):
2155         (JSC::JSPromiseDeferred::create):
2156         (JSC::JSPromiseDeferred::JSPromiseDeferred):
2157         * runtime/JSPromiseDeferred.h:
2158         * runtime/JSPromisePrototype.cpp:
2159         (JSC::JSPromisePrototype::getOwnPropertySlot):
2160         * runtime/JSPromisePrototype.h:
2161         * runtime/VM.cpp:
2162         (JSC::VM::VM):
2163         * runtime/VM.h:
2164
2165 2015-08-19  Filip Pizlo  <fpizlo@apple.com>
2166
2167         Remove WTF::SpinLock
2168         https://bugs.webkit.org/show_bug.cgi?id=148208
2169
2170         Reviewed by Geoffrey Garen.
2171
2172         Remove the one remaining use of SpinLock.
2173
2174         * API/JSValue.mm:
2175         (handerForStructTag):
2176
2177 2015-08-19  Geoffrey Garen  <ggaren@apple.com>
2178
2179         clearCode() should clear code
2180         https://bugs.webkit.org/show_bug.cgi?id=148203
2181
2182         Reviewed by Saam Barati.
2183
2184         Clearing code used to require two steps: clearCode() and
2185         clearUnlinkedCodeForRecompilation(). Unsurprisingly, clients sometimes
2186         did one or the other or both without much rhyme or reason.
2187
2188         This patch simplifies things by merging both functions into clearCode().
2189
2190         * bytecode/UnlinkedFunctionExecutable.h:
2191         * debugger/Debugger.cpp:
2192         * heap/Heap.cpp:
2193         (JSC::Heap::deleteAllCompiledCode):
2194         (JSC::Heap::clearUnmarkedExecutables):
2195         (JSC::Heap::deleteAllUnlinkedFunctionCode): Deleted. No need for this
2196         function anymore since it was only used by clients who already called
2197         clearCode() (and it would be terribly wrong to use without doing both).
2198
2199         * heap/Heap.h:
2200         (JSC::Heap::sizeAfterLastFullCollection):
2201         * inspector/agents/InspectorRuntimeAgent.cpp:
2202         (Inspector::TypeRecompiler::visit):
2203         (Inspector::TypeRecompiler::operator()):
2204         * runtime/Executable.cpp:
2205         (JSC::FunctionExecutable::visitChildren):
2206         (JSC::FunctionExecutable::clearCode):
2207         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): Deleted.
2208         * runtime/Executable.h:
2209         * runtime/VM.cpp:
2210         (JSC::VM::deleteAllCode):
2211
2212 2015-08-19  Alex Christensen  <achristensen@webkit.org>
2213
2214         CMake Windows build should not include files directly from other Source directories
2215         https://bugs.webkit.org/show_bug.cgi?id=148198
2216
2217         Reviewed by Brent Fulgham.
2218
2219         * CMakeLists.txt:
2220         JavaScriptCore_FORWARDING_HEADERS_FILES is no longer necessary because all the headers
2221         that used to be in it are now in JavaScriptCore_FORWARDING_HEADERS_DIRECTORIES
2222         * PlatformEfl.cmake:
2223         * PlatformGTK.cmake:
2224         * PlatformMac.cmake:
2225         * PlatformWin.cmake:
2226
2227 2015-08-19  Eric Carlson  <eric.carlson@apple.com>
2228
2229         Remove ENABLE_WEBVTT_REGIONS
2230         https://bugs.webkit.org/show_bug.cgi?id=148184
2231
2232         Reviewed by Jer Noble.
2233
2234         * Configurations/FeatureDefines.xcconfig: Remove ENABLE_WEBVTT_REGIONS.
2235
2236 2015-08-19  Joseph Pecoraro  <pecoraro@apple.com>
2237
2238         Web Inspector: Unexpected node preview format for an element with newlines in className attribute
2239         https://bugs.webkit.org/show_bug.cgi?id=148192
2240
2241         Reviewed by Brian Burg.
2242
2243         * inspector/InjectedScriptSource.js:
2244         (InjectedScript.prototype._nodePreview):
2245         Replace whitespace blocks with single spaces to produce a simpler class string for previews.
2246
2247 2015-08-19  Mark Lam  <mark.lam@apple.com>
2248
2249         Add support for CheckWatchdogTimer as slow path in DFG and FTL.
2250         https://bugs.webkit.org/show_bug.cgi?id=147968
2251
2252         Reviewed by Michael Saboff.
2253
2254         Re-implement the DFG's CheckWatchdogTimer as a slow path instead of a speculation
2255         check.  Since the watchdog timer can fire spuriously, this allows the code to
2256         stay optimized if all we have are spurious fires.
2257
2258         Implement the equivalent slow path for CheckWatchdogTimer in the FTL. 
2259
2260         The watchdog tests in ExecutionTimeLimitTest.cpp have already been updated in
2261         https://bugs.webkit.org/show_bug.cgi?id=148125 to test for the FTL's watchdog
2262         implementation.
2263
2264         * dfg/DFGSpeculativeJIT32_64.cpp:
2265         (JSC::DFG::SpeculativeJIT::compile):
2266         * dfg/DFGSpeculativeJIT64.cpp:
2267         (JSC::DFG::SpeculativeJIT::compile):
2268         * ftl/FTLCapabilities.cpp:
2269         (JSC::FTL::canCompile):
2270         * ftl/FTLLowerDFGToLLVM.cpp:
2271         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2272         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
2273         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
2274         (JSC::FTL::DFG::LowerDFGToLLVM::isInlinableSize):
2275
2276         * jit/JIT.h:
2277         * jit/JITInlines.h:
2278         (JSC::JIT::callOperation):
2279         * jit/JITOperations.cpp:
2280         * jit/JITOperations.h:
2281         - Changed operationHandleWatchdogTimer() to return an unused nullptr.  This
2282           allows me to reuse the existing DFG slow path generator mechanism.  I didn't
2283           think that operationHandleWatchdogTimer() was worth introducing a whole new set
2284           of machinery just so we can have a slow path that returns void.
2285
2286 2015-08-19  Mark Lam  <mark.lam@apple.com>
2287
2288         Add ability to save and restore JSC options.
2289         https://bugs.webkit.org/show_bug.cgi?id=148125
2290
2291         Reviewed by Saam Barati.
2292
2293         * API/tests/ExecutionTimeLimitTest.cpp:
2294         (testExecutionTimeLimit):
2295         - Employ the new options getter/setter to run watchdog tests for each of the
2296           execution engine tiers.
2297         - Also altered the test scripts to be in a function instead of global code.
2298           This is one of 2 changes needed to give them an opportunity to be FTL compiled.
2299           The other is to add support for compiling CheckWatchdogTimer in the FTL (which
2300           will be addressed in a separate patch).
2301
2302         * jsc.cpp:
2303         (CommandLine::parseArguments):
2304         * runtime/Options.cpp:
2305         (JSC::parse):
2306         - Add the ability to clear a string option with a nullptr value.
2307           This is needed to restore a default string option value which may be null.
2308
2309         (JSC::OptionRange::init):
2310         - Add the ability to clear a range option with a null value.
2311           This is needed to restore a default range option value which may be null.
2312
2313         (JSC::Options::initialize):
2314         (JSC::Options::dumpOptionsIfNeeded):
2315         - Factor code to dump options out to dumpOptionsIfNeeded() since we will need
2316           that logic elsewhere.
2317
2318         (JSC::Options::setOptions):
2319         - Parse an options string and set each of the specified options.
2320
2321         (JSC::Options::dumpAllOptions):
2322         (JSC::Options::dumpAllOptionsInALine):
2323         (JSC::Options::dumpOption):
2324         (JSC::Option::dump):
2325         - Refactored so that the underlying dumper dumps to a StringBuilder instead of
2326           stderr.  This lets us reuse this code to serialize all the options into a
2327           single string for dumpAllOptionsInALine().
2328
2329         * runtime/Options.h:
2330         (JSC::OptionRange::rangeString):
2331
2332 2015-08-18  Filip Pizlo  <fpizlo@apple.com>
2333
2334         Replace all uses of std::mutex/std::condition_variable with WTF::Lock/WTF::Condition
2335         https://bugs.webkit.org/show_bug.cgi?id=148140
2336
2337         Reviewed by Geoffrey Garen.
2338
2339         * inspector/remote/RemoteInspector.h:
2340         * inspector/remote/RemoteInspector.mm:
2341         (Inspector::RemoteInspector::registerDebuggable):
2342         (Inspector::RemoteInspector::unregisterDebuggable):
2343         (Inspector::RemoteInspector::updateDebuggable):
2344         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
2345         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
2346         (Inspector::RemoteInspector::setupFailed):
2347         (Inspector::RemoteInspector::setupCompleted):
2348         (Inspector::RemoteInspector::start):
2349         (Inspector::RemoteInspector::stop):
2350         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2351         (Inspector::RemoteInspector::setParentProcessInformation):
2352         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2353         (Inspector::RemoteInspector::xpcConnectionFailed):
2354         (Inspector::RemoteInspector::pushListingSoon):
2355         (Inspector::RemoteInspector::receivedIndicateMessage):
2356         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2357         * inspector/remote/RemoteInspectorXPCConnection.h:
2358         * inspector/remote/RemoteInspectorXPCConnection.mm:
2359         (Inspector::RemoteInspectorXPCConnection::close):
2360         (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
2361         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
2362         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2363
2364 2015-08-18  Joseph Pecoraro  <pecoraro@apple.com>
2365
2366         Web Inspector: Links for rules in <style> are incorrect, do not account for <style> offset in the document
2367         https://bugs.webkit.org/show_bug.cgi?id=148141
2368
2369         Reviewed by Brian Burg.
2370
2371         * inspector/protocol/CSS.json:
2372         Extend StyleSheetHeader to include start offset information and a bit
2373         for whether or not this was an inline style tag created by the parser.
2374         These match additions to Blink's protocol.
2375
2376 2015-08-18  Benjamin Poulain  <bpoulain@apple.com>
2377
2378         [JSC] Optimize more cases of something-compared-to-null/undefined
2379         https://bugs.webkit.org/show_bug.cgi?id=148157
2380
2381         Reviewed by Geoffrey Garen and Filip Pizlo.
2382
2383         CompareEq is fairly trivial if you assert one of the operands is either
2384         null or undefined. Under those conditions, the only way to have "true"
2385         is to have the other operand be null/undefined or have an object
2386         that masquerades as undefined.
2387
2388         JSC already had a fast path in CompareEqConstant.
2389         With this patch, I generalize this fast path to more cases and try
2390         to eliminate the checks whenever possible.
2391
2392         CompareEq now does the job of CompareEqConstant. If any operand can
2393         be proved to be undefined/other, its edge is set to OtherUse. Whenever
2394         any edge is OtherUse, we generate the fast code we had for CompareEqConstant.
2395
2396         The AbstractInterpreter has additional checks to reduce the node to a constant
2397         whenever possible.
2398
2399         There are two additional changes in this patch:
2400         -The Fixup Phase tries to set edges to OtherUse early. This is done correctly
2401          in ConstantFoldingPhase but setting it up early helps the phases relying
2402          on Clobberize.
2403         -The codegen for CompareEqConstant was improved. The reason is the comparison
2404          for ObjectOrOther could be faster just because the codegen was better.
2405
2406         * dfg/DFGAbstractInterpreterInlines.h:
2407         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2408         * dfg/DFGByteCodeParser.cpp:
2409         (JSC::DFG::ByteCodeParser::parseBlock):
2410         * dfg/DFGClobberize.h:
2411         (JSC::DFG::clobberize): Deleted.
2412         * dfg/DFGConstantFoldingPhase.cpp:
2413         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2414         * dfg/DFGDoesGC.cpp:
2415         (JSC::DFG::doesGC): Deleted.
2416         * dfg/DFGFixupPhase.cpp:
2417         (JSC::DFG::FixupPhase::fixupNode):
2418         * dfg/DFGNode.h:
2419         (JSC::DFG::Node::isUndefinedOrNullConstant):
2420         * dfg/DFGNodeType.h:
2421         * dfg/DFGPredictionPropagationPhase.cpp:
2422         (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
2423         * dfg/DFGSafeToExecute.h:
2424         (JSC::DFG::safeToExecute): Deleted.
2425         * dfg/DFGSpeculativeJIT.cpp:
2426         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2427         (JSC::DFG::SpeculativeJIT::compare):
2428         * dfg/DFGSpeculativeJIT.h:
2429         (JSC::DFG::SpeculativeJIT::isKnownNotOther):
2430         * dfg/DFGSpeculativeJIT32_64.cpp:
2431         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2432         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2433         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): Deleted.
2434         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): Deleted.
2435         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): Deleted.
2436         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2437         * dfg/DFGSpeculativeJIT64.cpp:
2438         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2439         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2440         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): Deleted.
2441         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): Deleted.
2442         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): Deleted.
2443         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2444         * dfg/DFGValidate.cpp:
2445         (JSC::DFG::Validate::validate): Deleted.
2446         * dfg/DFGWatchpointCollectionPhase.cpp:
2447         (JSC::DFG::WatchpointCollectionPhase::handle):
2448         * ftl/FTLCapabilities.cpp:
2449         (JSC::FTL::canCompile):
2450         * ftl/FTLLowerDFGToLLVM.cpp:
2451         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
2452         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
2453         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEqConstant): Deleted.
2454         * tests/stress/compare-eq-on-null-and-undefined-non-peephole.js: Added.
2455         (string_appeared_here.useForMath):
2456         (testUseForMath):
2457         * tests/stress/compare-eq-on-null-and-undefined-optimized-in-constant-folding.js: Added.
2458         (string_appeared_here.unreachableCodeTest):
2459         (inlinedCompareToNull):
2460         (inlinedComparedToUndefined):
2461         (warmupInlineFunctions):
2462         (testInlineFunctions):
2463         * tests/stress/compare-eq-on-null-and-undefined.js: Added.
2464         (string_appeared_here.compareConstants):
2465         (opaqueNull):
2466         (opaqueUndefined):
2467         (compareConstantsAndDynamicValues):
2468         (compareDynamicValues):
2469         (compareDynamicValueToItself):
2470         (arrayTesting):
2471         (opaqueCompare1):
2472         (testNullComparatorUpdate):
2473         (opaqueCompare2):
2474         (testUndefinedComparatorUpdate):
2475         (opaqueCompare3):
2476         (testNullAndUndefinedComparatorUpdate):
2477
2478 2015-08-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2479
2480         Introduce non-user-observable Promise functions to use Promises internally
2481         https://bugs.webkit.org/show_bug.cgi?id=148118
2482
2483         Reviewed by Saam Barati.
2484
2485         To leverage the Promises internally (like ES6 Module Loaders), we add
2486         several non-user-observable private methods, like @then, @all. And
2487         refactor the existing Promises implementation to make it easy to use
2488         internally.
2489
2490         But still the trappable part remains. When resolving the promise with
2491         the returned value, we look up the "then" function. So users can trap
2492         by replacing the "then" function of the Promise's prototype.
2493         To avoid this situation, we'll introduce completely different promise
2494         instances called InternalPromise in the subsequent patch[1].
2495
2496         No behavior change.
2497
2498         [1]: https://bugs.webkit.org/show_bug.cgi?id=148136
2499
2500         * builtins/PromiseConstructor.js:
2501         (privateAll.newResolveElement):
2502         (privateAll):
2503         * runtime/JSGlobalObject.cpp:
2504         (JSC::JSGlobalObject::init):
2505         (JSC::JSGlobalObject::visitChildren): Deleted.
2506         * runtime/JSGlobalObject.h:
2507         (JSC::JSGlobalObject::promiseConstructor): Deleted.
2508         (JSC::JSGlobalObject::promisePrototype): Deleted.
2509         (JSC::JSGlobalObject::promiseStructure): Deleted.
2510         * runtime/JSPromiseConstructor.cpp:
2511         (JSC::JSPromiseConstructor::finishCreation):
2512         * runtime/JSPromiseDeferred.cpp:
2513         (JSC::callFunction):
2514         (JSC::JSPromiseDeferred::resolve):
2515         (JSC::JSPromiseDeferred::reject):
2516         * runtime/JSPromiseDeferred.h:
2517         * runtime/JSPromisePrototype.cpp:
2518         (JSC::JSPromisePrototype::create):
2519         (JSC::JSPromisePrototype::JSPromisePrototype):
2520         * runtime/JSPromisePrototype.h:
2521
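The trap described in the entry above, as an added example that is not JavaScriptCore code: a script replaces Promise.prototype.then, and the engine's own resolution step (Get(resolution, "then") followed by a call) invokes the replacement even though nothing in the "internal" code ever wrote `.then`. The helper names (withThenTrap, resolveWithPromise, resolveWithPlainValue) and the value 42 are constructed for this example.

```javascript
// Added example, not JavaScriptCore code: why resolving a promise with another
// promise is "trappable" by page script. The Promise Resolve Functions do
// Get(resolution, "then") and invoke the result, so a script that replaces
// Promise.prototype.then is called by the engine itself, even though the code
// that created the promises never called .then on them.
const originalThen = Promise.prototype.then;

// Runs `work` (which must return a promise) with Promise.prototype.then replaced
// by a recording wrapper, restores the original afterwards, and reports every
// receiver the wrapper was invoked on. The harness chains through the saved
// original so its own bookkeeping never hits the trap. Callers must not run
// two of these concurrently, since both would fight over the global.
function withThenTrap(work) {
  const seenThis = [];
  Promise.prototype.then = function trappedThen(onFulfilled, onRejected) {
    seenThis.push(this);
    return originalThen.call(this, onFulfilled, onRejected);
  };
  const restore = () => { Promise.prototype.then = originalThen; };
  return originalThen.call(
    work(),
    (result) => { restore(); return { result, seenThis }; },
    (error) => { restore(); throw error; },
  );
}

// "Internal" code that never touches .then: it resolves one promise with another.
// This is the step the entry above calls trappable.
function resolveWithPromise(inner) {
  return new Promise((resolve) => resolve(inner));
}

// Resolving with a non-thenable value never performs the "then" lookup.
function resolveWithPlainValue(value) {
  return new Promise((resolve) => resolve(value));
}

// Expected: { result: 42, engineCalledThenOnInner: true }. Nothing here ever
// wrote `inner.then(...)`; the engine did, and it found the patched function.
function demonstrateThenTrap() {
  const inner = Promise.resolve(42);
  return originalThen.call(
    withThenTrap(() => resolveWithPromise(inner)),
    ({ result, seenThis }) => ({ result, engineCalledThenOnInner: seenThis.includes(inner) }),
  );
}

// Expected: { result: 42, engineCalledThenOnOuter: false }. With a primitive
// resolution value there is no thenable to look up, so nothing to trap.
function demonstrateNoTrapForPlainValue() {
  let outer;
  return originalThen.call(
    withThenTrap(() => { outer = resolveWithPlainValue(42); return outer; }),
    ({ result, seenThis }) => ({ result, engineCalledThenOnOuter: seenThis.includes(outer) }),
  );
}

// Stand-alone run (CommonJS only): executes the two demonstrations one after the other.
if (typeof require !== 'undefined' && require.main === module) {
  demonstrateThenTrap()
    .then((trapped) => demonstrateNoTrapForPlainValue()
      .then((plain) => console.log({ trapped, plain })));
}
```

Capturing the original `then` at startup, as the harness does, protects only code that calls through that saved reference; it does not help the engine-side resolution step, which always performs a fresh property lookup on the resolution value. That is why the entry points to separate InternalPromise instances rather than a saved function.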
2522 2015-08-18  Geoffrey Garen  <ggaren@apple.com>
2523
2524         Try to fix the CLOOP build.
2525
2526         Unreviewed.
2527
2528         * bytecode/CodeBlock.cpp:
2529
2530 2015-08-18  Geoffrey Garen  <ggaren@apple.com>
2531
2532         Split InlineCallFrame into its own file
2533         https://bugs.webkit.org/show_bug.cgi?id=148131
2534
2535         Reviewed by Saam Barati.
2536
2537         * CMakeLists.txt:
2538         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2539         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2540         * JavaScriptCore.xcodeproj/project.pbxproj:
2541         * bytecode/CallLinkStatus.cpp:
2542         * bytecode/CodeBlock.h:
2543         (JSC::ExecState::r):
2544         (JSC::baselineCodeBlockForInlineCallFrame): Deleted.
2545         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock): Deleted.
2546         * bytecode/CodeOrigin.cpp:
2547         (JSC::CodeOrigin::inlineStack):
2548         (JSC::CodeOrigin::codeOriginOwner):
2549         (JSC::CodeOrigin::stackOffset):
2550         (JSC::CodeOrigin::dump):
2551         (JSC::CodeOrigin::dumpInContext):
2552         (JSC::InlineCallFrame::calleeConstant): Deleted.
2553         (JSC::InlineCallFrame::visitAggregate): Deleted.
2554         (JSC::InlineCallFrame::calleeForCallFrame): Deleted.
2555         (JSC::InlineCallFrame::hash): Deleted.
2556         (JSC::InlineCallFrame::hashAsStringIfPossible): Deleted.
2557         (JSC::InlineCallFrame::inferredName): Deleted.
2558         (JSC::InlineCallFrame::baselineCodeBlock): Deleted.
2559         (JSC::InlineCallFrame::dumpBriefFunctionInformation): Deleted.
2560         (JSC::InlineCallFrame::dumpInContext): Deleted.
2561         (JSC::InlineCallFrame::dump): Deleted.
2562         (WTF::printInternal): Deleted.
2563         * bytecode/CodeOrigin.h:
2564         (JSC::CodeOrigin::deletedMarker):
2565         (JSC::CodeOrigin::hash):
2566         (JSC::CodeOrigin::operator==):
2567         (JSC::CodeOriginHash::hash):
2568         (JSC::CodeOriginHash::equal):
2569         (JSC::InlineCallFrame::kindFor): Deleted.
2570         (JSC::InlineCallFrame::varargsKindFor): Deleted.
2571         (JSC::InlineCallFrame::specializationKindFor): Deleted.
2572         (JSC::InlineCallFrame::isVarargs): Deleted.
2573         (JSC::InlineCallFrame::InlineCallFrame): Deleted.
2574         (JSC::InlineCallFrame::specializationKind): Deleted.
2575         (JSC::InlineCallFrame::setStackOffset): Deleted.
2576         (JSC::InlineCallFrame::callerFrameOffset): Deleted.
2577         (JSC::InlineCallFrame::returnPCOffset): Deleted.
2578         (JSC::CodeOrigin::stackOffset): Deleted.
2579         (JSC::CodeOrigin::codeOriginOwner): Deleted.
2580         * bytecode/InlineCallFrame.cpp: Copied from Source/JavaScriptCore/bytecode/CodeOrigin.cpp.
2581         (JSC::InlineCallFrame::calleeConstant):
2582         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
2583         (JSC::CodeOrigin::inlineDepth): Deleted.
2584         (JSC::CodeOrigin::isApproximatelyEqualTo): Deleted.
2585         (JSC::CodeOrigin::approximateHash): Deleted.
2586         (JSC::CodeOrigin::inlineStack): Deleted.
2587         (JSC::CodeOrigin::dump): Deleted.
2588         (JSC::CodeOrigin::dumpInContext): Deleted.
2589         * bytecode/InlineCallFrame.h: Copied from Source/JavaScriptCore/bytecode/CodeOrigin.h.
2590         (JSC::InlineCallFrame::isVarargs):
2591         (JSC::InlineCallFrame::InlineCallFrame):
2592         (JSC::InlineCallFrame::specializationKind):
2593         (JSC::baselineCodeBlockForInlineCallFrame):
2594         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2595         (JSC::CodeOrigin::CodeOrigin): Deleted.
2596         (JSC::CodeOrigin::isSet): Deleted.
2597         (JSC::CodeOrigin::operator!): Deleted.
2598         (JSC::CodeOrigin::isHashTableDeletedValue): Deleted.
2599         (JSC::CodeOrigin::operator!=): Deleted.
2600         (JSC::CodeOrigin::deletedMarker): Deleted.
2601         (JSC::CodeOrigin::stackOffset): Deleted.
2602         (JSC::CodeOrigin::hash): Deleted.
2603         (JSC::CodeOrigin::operator==): Deleted.
2604         (JSC::CodeOrigin::codeOriginOwner): Deleted.
2605         (JSC::CodeOriginHash::hash): Deleted.
2606         (JSC::CodeOriginHash::equal): Deleted.
2607         (JSC::CodeOriginApproximateHash::hash): Deleted.
2608         (JSC::CodeOriginApproximateHash::equal): Deleted.
2609         * bytecode/InlineCallFrameSet.cpp:
2610         * dfg/DFGCommonData.cpp:
2611         * dfg/DFGOSRExitBase.cpp:
2612         * dfg/DFGVariableEventStream.cpp:
2613         * ftl/FTLOperations.cpp:
2614         * interpreter/CallFrame.cpp:
2615         * interpreter/StackVisitor.cpp:
2616         * jit/AssemblyHelpers.h:
2617         * profiler/ProfilerOriginStack.cpp:
2618         * runtime/ClonedArguments.cpp:
2619
2620 2015-08-18  Mark Lam  <mark.lam@apple.com>
2621
2622         Removed an unused param in Interpreter::initialize().
2623         https://bugs.webkit.org/show_bug.cgi?id=148129
2624
2625         Reviewed by Michael Saboff.
2626
2627         * interpreter/Interpreter.cpp:
2628         (JSC::Interpreter::~Interpreter):
2629         (JSC::Interpreter::initialize):
2630         * interpreter/Interpreter.h:
2631         (JSC::Interpreter::stack):
2632         * runtime/VM.cpp:
2633         (JSC::VM::VM):
2634
2635 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2636
2637         Add const to content extension parser
2638         https://bugs.webkit.org/show_bug.cgi?id=148044
2639
2640         Reviewed by Benjamin Poulain.
2641
2642         * runtime/JSObject.h:
2643         (JSC::JSObject::getIndexQuickly):
2644         (JSC::JSObject::tryGetIndexQuickly):
2645         (JSC::JSObject::getDirectIndex):
2646         (JSC::JSObject::getIndex):
2647         Added a few const keywords.
2648
2649 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2650
2651         Build Debug Suffix on Windows with CMake
2652         https://bugs.webkit.org/show_bug.cgi?id=148083
2653
2654         Reviewed by Brent Fulgham.
2655
2656         * CMakeLists.txt:
2657         * PlatformWin.cmake:
2658         * shell/CMakeLists.txt:
2659         * shell/PlatformWin.cmake:
2660         Add DEBUG_SUFFIX
2661
2662 2015-08-17  Saam barati  <sbarati@apple.com>
2663
2664         Web Inspector: Type profiler return types aren't showing up
2665         https://bugs.webkit.org/show_bug.cgi?id=147348
2666
2667         Reviewed by Brian Burg.
2668
2669         Bug #145995 changed the starting offset of a function to 
2670         be the open parenthesis of the function's parameter list.
2671         This broke JSC's type profiler protocol of communicating 
2672         return types of a function to the web inspector. This
2673         is now fixed. The text offset used in the protocol is now
2674         the first letter of the function/get/set/method name.
2675         So "f" in "function a() {}", "s" in "set foo(){}", etc.
2676
2677         * bytecode/CodeBlock.cpp:
2678         (JSC::CodeBlock::CodeBlock):
2679         * jsc.cpp:
2680         (functionReturnTypeFor):
2681
2682 2015-08-17  Aleksandr Skachkov  <gskachkov@gmail.com>
2683
2684         [ES6] Implement ES6 arrow function syntax. Arrow function specific features. Lexical bind of this
2685         https://bugs.webkit.org/show_bug.cgi?id=144956
2686
2687         Reviewed by Saam Barati.
2688
2689         Added support for ES6 arrow function specific features: lexical binding of this and no constructor. http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax
2690         The following cases were implemented in this patch:
2691            this - the variable |this| points to the |this| of the function where the arrow function is declared (lexical binding of |this|)
2692            constructor - using the |new| command on an arrow function leads to a runtime error
2693            call(), apply(), bind()  - these methods can only pass in arguments, but have no effect on |this|
2694
2695
2696         * CMakeLists.txt:
2697         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2698         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2699         * JavaScriptCore.xcodeproj/project.pbxproj:
2700         * bytecode/BytecodeList.json:
2701         * bytecode/BytecodeUseDef.h:
2702         (JSC::computeUsesForBytecodeOffset):
2703         (JSC::computeDefsForBytecodeOffset):
2704         * bytecode/CodeBlock.cpp:
2705         (JSC::CodeBlock::dumpBytecode):
2706         * bytecode/ExecutableInfo.h:
2707         (JSC::ExecutableInfo::ExecutableInfo):
2708         (JSC::ExecutableInfo::isArrowFunction):
2709         * bytecode/UnlinkedCodeBlock.cpp:
2710         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2711         * bytecode/UnlinkedCodeBlock.h:
2712         (JSC::UnlinkedCodeBlock::isArrowFunction):
2713         * bytecode/UnlinkedFunctionExecutable.cpp:
2714         (JSC::generateFunctionCodeBlock):
2715         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2716         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2717         * bytecode/UnlinkedFunctionExecutable.h:
2718         * bytecompiler/BytecodeGenerator.cpp:
2719         (JSC::BytecodeGenerator::BytecodeGenerator):
2720         (JSC::BytecodeGenerator::emitNewFunctionCommon):
2721         (JSC::BytecodeGenerator::emitNewFunctionExpression):
2722         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2723         (JSC::BytecodeGenerator::emitLoadArrowFunctionThis):
2724         * bytecompiler/BytecodeGenerator.h:
2725         * bytecompiler/NodesCodegen.cpp:
2726         (JSC::ArrowFuncExprNode::emitBytecode):
2727         * dfg/DFGAbstractInterpreterInlines.h:
2728         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2729         * dfg/DFGByteCodeParser.cpp:
2730         (JSC::DFG::ByteCodeParser::parseBlock):
2731         * dfg/DFGCapabilities.cpp:
2732         (JSC::DFG::capabilityLevel):
2733         * dfg/DFGClobberize.h:
2734         (JSC::DFG::clobberize):
2735         * dfg/DFGDoesGC.cpp:
2736         (JSC::DFG::doesGC):
2737         * dfg/DFGFixupPhase.cpp:
2738         (JSC::DFG::FixupPhase::fixupNode):
2739         * dfg/DFGNode.h:
2740         (JSC::DFG::Node::convertToPhantomNewFunction):
2741         (JSC::DFG::Node::hasCellOperand):
2742         (JSC::DFG::Node::isFunctionAllocation):
2743         * dfg/DFGNodeType.h:
2744         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2745         * dfg/DFGPredictionPropagationPhase.cpp:
2746         (JSC::DFG::PredictionPropagationPhase::propagate):
2747         * dfg/DFGPromotedHeapLocation.cpp:
2748         (WTF::printInternal):
2749         * dfg/DFGPromotedHeapLocation.h:
2750         * dfg/DFGSafeToExecute.h:
2751         (JSC::DFG::safeToExecute):
2752         * dfg/DFGSpeculativeJIT.cpp:
2753         (JSC::DFG::SpeculativeJIT::compileLoadArrowFunctionThis):
2754         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2755         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2756         * dfg/DFGSpeculativeJIT.h:
2757         (JSC::DFG::SpeculativeJIT::callOperation):
2758         * dfg/DFGSpeculativeJIT32_64.cpp:
2759         (JSC::DFG::SpeculativeJIT::compile):
2760         * dfg/DFGSpeculativeJIT64.cpp:
2761         (JSC::DFG::SpeculativeJIT::compile):
2762         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2763         * dfg/DFGStructureRegistrationPhase.cpp:
2764         (JSC::DFG::StructureRegistrationPhase::run):
2765         * ftl/FTLAbstractHeapRepository.cpp:
2766         * ftl/FTLAbstractHeapRepository.h:
2767         * ftl/FTLCapabilities.cpp:
2768         (JSC::FTL::canCompile):
2769         * ftl/FTLIntrinsicRepository.h:
2770         * ftl/FTLLowerDFGToLLVM.cpp:
2771         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2772         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2773         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadArrowFunctionThis):
2774         * ftl/FTLOperations.cpp:
2775         (JSC::FTL::operationMaterializeObjectInOSR):
2776         * interpreter/Interpreter.cpp:
2777         * interpreter/Interpreter.h:
2778         * jit/CCallHelpers.h:
2779         (JSC::CCallHelpers::setupArgumentsWithExecState): Added 3 arguments version for windows build.
2780         * jit/JIT.cpp:
2781         (JSC::JIT::privateCompileMainPass):
2782         * jit/JIT.h:
2783         * jit/JITInlines.h:
2784         (JSC::JIT::callOperation):
2785         * jit/JITOpcodes.cpp:
2786         (JSC::JIT::emit_op_load_arrowfunction_this):
2787         (JSC::JIT::emit_op_new_func_exp):
2788         (JSC::JIT::emitNewFuncExprCommon):
2789         (JSC::JIT::emit_op_new_arrow_func_exp):
2790         * jit/JITOpcodes32_64.cpp:
2791         (JSC::JIT::emit_op_load_arrowfunction_this):
2792         * jit/JITOperations.cpp:
2793         * jit/JITOperations.h:
2794         * llint/LLIntOffsetsExtractor.cpp:
2795         * llint/LLIntSlowPaths.cpp:
2796         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2797         (JSC::LLInt::setUpCall):
2798         * llint/LLIntSlowPaths.h:
2799         * llint/LowLevelInterpreter.asm:
2800         * llint/LowLevelInterpreter32_64.asm:
2801         * llint/LowLevelInterpreter64.asm:
2802         * parser/ASTBuilder.h:
2803         (JSC::ASTBuilder::createFunctionMetadata):
2804         (JSC::ASTBuilder::createArrowFunctionExpr):
2805         * parser/NodeConstructors.h:
2806         (JSC::BaseFuncExprNode::BaseFuncExprNode):
2807         (JSC::FuncExprNode::FuncExprNode):
2808         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
2809         * parser/Nodes.cpp:
2810         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2811         * parser/Nodes.h:
2812         (JSC::ExpressionNode::isArrowFuncExprNode):
2813         * parser/Parser.cpp:
2814         (JSC::Parser<LexerType>::parseFunctionBody):
2815         (JSC::Parser<LexerType>::parseFunctionInfo):
2816         * parser/SyntaxChecker.h:
2817         (JSC::SyntaxChecker::createFunctionMetadata):
2818         * runtime/Executable.cpp:
2819         (JSC::ScriptExecutable::newCodeBlockFor):
2820         * runtime/Executable.h:
2821         * runtime/JSArrowFunction.cpp: Added.
2822         (JSC::JSArrowFunction::destroy):
2823         (JSC::JSArrowFunction::create):
2824         (JSC::JSArrowFunction::JSArrowFunction):
2825         (JSC::JSArrowFunction::createWithInvalidatedReallocationWatchpoint):
2826         (JSC::JSArrowFunction::visitChildren):
2827         (JSC::JSArrowFunction::getConstructData):
2828         * runtime/JSArrowFunction.h: Added.
2829         (JSC::JSArrowFunction::allocationSize):
2830         (JSC::JSArrowFunction::createImpl):
2831         (JSC::JSArrowFunction::boundThis):
2832         (JSC::JSArrowFunction::createStructure):
2833         (JSC::JSArrowFunction::offsetOfThisValue):
2834         * runtime/JSFunction.h:
2835         * runtime/JSFunctionInlines.h:
2836         (JSC::JSFunction::JSFunction):
2837         * runtime/JSGlobalObject.cpp:
2838         (JSC::JSGlobalObject::init):
2839         (JSC::JSGlobalObject::visitChildren):
2840         * runtime/JSGlobalObject.h:
2841         (JSC::JSGlobalObject::arrowFunctionStructure):
2842         * tests/stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js: Added.
2843         * tests/stress/arrowfunction-activation-sink-osrexit-default-value.js: Added.
2844         * tests/stress/arrowfunction-activation-sink-osrexit.js: Added.
2845         * tests/stress/arrowfunction-activation-sink.js: Added.
2846         * tests/stress/arrowfunction-bound.js: Added.
2847         * tests/stress/arrowfunction-call.js: Added.
2848         * tests/stress/arrowfunction-constructor.js: Added.
2849         * tests/stress/arrowfunction-lexical-bind-this-1.js: Added.
2850         * tests/stress/arrowfunction-lexical-bind-this-2.js: Added.
2851         * tests/stress/arrowfunction-lexical-bind-this-3.js: Added.
2852         * tests/stress/arrowfunction-lexical-bind-this-4.js: Added.
2853         * tests/stress/arrowfunction-lexical-bind-this-5.js: Added.
2854         * tests/stress/arrowfunction-lexical-bind-this-6.js: Added.
2855         * tests/stress/arrowfunction-lexical-this-activation-sink-osrexit.js: Added.
2856         * tests/stress/arrowfunction-lexical-this-activation-sink.js: Added.
2857         * tests/stress/arrowfunction-lexical-this-sinking-no-double-allocate.js: Added.
2858         * tests/stress/arrowfunction-lexical-this-sinking-osrexit.js: Added.
2859         * tests/stress/arrowfunction-lexical-this-sinking-put.js: Added.
2860         * tests/stress/arrowfunction-others.js: Added.
2861         * tests/stress/arrowfunction-run-10-1.js: Added.
2862         * tests/stress/arrowfunction-run-10-2.js: Added.
2863         * tests/stress/arrowfunction-run-10000-1.js: Added.
2864         * tests/stress/arrowfunction-run-10000-2.js: Added.
2865         * tests/stress/arrowfunction-sinking-no-double-allocate.js: Added.
2866         * tests/stress/arrowfunction-sinking-osrexit.js: Added.
2867         * tests/stress/arrowfunction-sinking-put.js: Added.
2868         * tests/stress/arrowfunction-tdz.js: Added.
2869         * tests/stress/arrowfunction-typeof.js: Added.
2870
2871 2015-07-28  Sam Weinig  <sam@webkit.org>
2872
2873         Cleanup the builtin JavaScript files
2874         https://bugs.webkit.org/show_bug.cgi?id=147382
2875
2876         Reviewed by Geoffrey Garen.
2877
2878         * builtins/Array.prototype.js:
2879         * builtins/ArrayConstructor.js:
2880         * builtins/ArrayIterator.prototype.js:
2881         * builtins/Function.prototype.js:
2882         * builtins/Iterator.prototype.js:
2883         * builtins/ObjectConstructor.js:
2884         * builtins/StringConstructor.js:
2885         * builtins/StringIterator.prototype.js:
2886         Unify the style of the builtin JavaScript files.
2887
2888 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2889
2890         Move some commands from ./CMakeLists.txt to Source/cmake
2891         https://bugs.webkit.org/show_bug.cgi?id=148003
2892
2893         Reviewed by Brent Fulgham.
2894
2895         * CMakeLists.txt:
2896         Added commands needed to build JSC by itself.
2897
2898 2015-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2899
2900         [ES6] Implement Reflect.get
2901         https://bugs.webkit.org/show_bug.cgi?id=147925
2902
2903         Reviewed by Geoffrey Garen.
2904
2905         This patch implements Reflect.get API.
2906         It can take the receiver object as the third argument.
2907         When the receiver is specified and there's a getter for the given property name,
2908         we call the getter with the receiver as the |this| value.
2909
2910         * runtime/ReflectObject.cpp:
2911         (JSC::reflectObjectGet):
2912         * runtime/SparseArrayValueMap.cpp:
2913         (JSC::SparseArrayEntry::get): Deleted.
2914         * runtime/SparseArrayValueMap.h:
2915         * tests/stress/reflect-get.js: Added.
2916         (shouldBe):
2917         (shouldThrow):
2918         (.get shouldThrow):
2919         (.get var):
2920         (get var.object.get hello):
2921         (.get shouldBe):
2922         (get var.object.set hello):
2923
2924 2015-08-17  Simon Fraser  <simon.fraser@apple.com>
2925
2926         will-change should sometimes trigger compositing
2927         https://bugs.webkit.org/show_bug.cgi?id=148072
2928
2929         Reviewed by Tim Horton.
2930         
2931         Include will-change as a reason for compositing.
2932
2933         * inspector/protocol/LayerTree.json:
2934
2935 2015-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2936
2937         [ES6] Implement Reflect.getOwnPropertyDescriptor
2938         https://bugs.webkit.org/show_bug.cgi?id=147929
2939
2940         Reviewed by Geoffrey Garen.
2941
2942         Implement Reflect.getOwnPropertyDescriptor.
2943         The difference from Object.getOwnPropertyDescriptor is that
2944         Reflect.getOwnPropertyDescriptor does not perform ToObject on
2945         the first argument. If the first argument is not an Object, it
2946         immediately raises a TypeError.
2947
2948         * runtime/ObjectConstructor.cpp:
2949         (JSC::objectConstructorGetOwnPropertyDescriptor):
2950         * runtime/ObjectConstructor.h:
2951         * runtime/ReflectObject.cpp:
2952         (JSC::reflectObjectGetOwnPropertyDescriptor):
2953         * tests/stress/reflect-get-own-property.js: Added.
2954         (shouldBe):
2955         (shouldThrow):
2956
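The two Reflect behaviours described in the Reflect.get and Reflect.getOwnPropertyDescriptor entries above, as an added example that is not JavaScriptCore code. It shows them from a Proxy `get` trap, where the receiver argument matters: forwarding with `t[key]` invokes a getter with the raw target as |this|, while `Reflect.get(t, key, receiver)` passes the proxy. The object, property names and helper functions (wrappedTarget, makeLeakyProxy, makeForwardingProxy, describeLength) are constructed for this example.

```javascript
// Added example, not JavaScriptCore code: the two Reflect behaviours described in
// the entries above, seen from a Proxy that wraps an object. Reflect.get's third
// argument lets a `get` trap forward the proxy itself as |this| to getters on
// the target; Reflect.getOwnPropertyDescriptor refuses non-objects instead of
// coercing them the way Object.getOwnPropertyDescriptor does.

// Constructed target: a getter that reveals which object it was invoked on.
const wrappedTarget = {
  secret: 'raw-target-data',
  get whoAmI() { return this; },
};

// Naive forwarding: t[key] invokes the getter with the raw *target* as |this|,
// so the getter can hand the unwrapped object back out through the proxy.
function makeLeakyProxy(obj) {
  return new Proxy(obj, {
    get(t, key) { return t[key]; },
  });
}

// Reflect.get(t, key, receiver) invokes the getter with the proxy (the receiver)
// as |this|, so the getter only ever sees the wrapper.
function makeForwardingProxy(obj) {
  return new Proxy(obj, {
    get(t, key, receiver) { return Reflect.get(t, key, receiver); },
  });
}

// Reports whether reading a getter through the proxy exposes the raw target.
function getterExposesTarget(makeProxy) {
  const proxy = makeProxy(wrappedTarget);
  return proxy.whoAmI === wrappedTarget; // true for the leaky proxy, false otherwise
}

// Object.getOwnPropertyDescriptor applies ToObject, so a string primitive is
// boxed and its "length" is inspected; Reflect.getOwnPropertyDescriptor throws
// TypeError for any non-object first argument. Returns the length found by
// each, or the string 'TypeError' where the Reflect form refused the input.
function describeLength(value) {
  const viaObject = Object.getOwnPropertyDescriptor(value, 'length');
  let viaReflect;
  try {
    viaReflect = Reflect.getOwnPropertyDescriptor(value, 'length');
  } catch (e) {
    viaReflect = e instanceof TypeError ? 'TypeError' : e;
  }
  return {
    viaObject: viaObject === undefined ? undefined : viaObject.value,
    viaReflect: viaReflect && viaReflect !== 'TypeError' ? viaReflect.value : viaReflect,
  };
}
```

The receiver difference is what makes Reflect.get the right primitive for membranes and sandboxes built on Proxy: a getter on the target is the one place where `this` would otherwise name the unwrapped object. The strict Reflect.getOwnPropertyDescriptor behaviour is useful for the same reason, since a trap that receives a primitive where it expected an object gets a TypeError instead of a silently boxed value.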
2957 2015-08-16  Benjamin Poulain  <bpoulain@apple.com>
2958
2959         [JSC] Use (x + x) instead of (x * 2) when possible
2960         https://bugs.webkit.org/show_bug.cgi?id=148051
2961
2962         Reviewed by Michael Saboff.
2963
2964         When multiplying a number by 2, JSC was loading a constant "2"
2965         in register and multiplying it with the first number:
2966
2967             mov $0x4000000000000000, %rcx
2968             movd %rcx, %xmm0
2969             mulsd %xmm0, %xmm1
2970
2971         This is a problem for a few reasons.
2972         1) "movd %rcx, %xmm0" only sets half of XMM0. This instruction
2973            has to wait for any preceding instruction on XMM0 to finish
2974            before executing.
2975         2) The load and transform itself is large and unnecessary.
2976
2977         To fix that, I added a StrengthReductionPhase to transform
2978         multiplications by 2 into an addition.
2979
2980         Unfortunately, that turned the code into:
2981             movsd %xmm0 %xmm1
2982             mulsd %xmm1 %xmm0
2983
2984         The reason is GenerationInfo::canReuse() was not accounting
2985         for nodes using other nodes multiple times.
2986
2987         After fixing that too, we now have the multiplications by 2
2988         done as:
2989             addsd %xmm0 %xmm0
2990
2991         * dfg/DFGGenerationInfo.h:
2992         (JSC::DFG::GenerationInfo::useCount):
2993         (JSC::DFG::GenerationInfo::canReuse): Deleted.
2994         * dfg/DFGSpeculativeJIT.cpp:
2995         (JSC::DFG::FPRTemporary::FPRTemporary):
2996         * dfg/DFGSpeculativeJIT.h:
2997         (JSC::DFG::SpeculativeJIT::canReuse):
2998         (JSC::DFG::GPRTemporary::GPRTemporary):
2999         * dfg/DFGStrengthReductionPhase.cpp:
3000         (JSC::DFG::StrengthReductionPhase::handleNode):
3001
3002 2015-08-14  Basile Clement  <basile_clement@apple.com>
3003
3004         Occasional failure in v8-v6/v8-raytrace.js.ftl-eager
3005         https://bugs.webkit.org/show_bug.cgi?id=147165
3006
3007         Reviewed by Saam Barati.
3008
3009         The object allocation sinking phase was not properly checking that a
3010         MultiGetByOffset was safe to lower before lowering it.
3011         This makes it so that we only lower MultiGetByOffset if it only loads
3012         from direct properties of the object, and considers it as an escape in
3013         any other case (e.g. a load from the prototype).
3014
3015         It also ensures proper conversion of MultiGetByOffset into
3016         CheckStructureImmediate when needed.
3017
3018         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3019         * ftl/FTLLowerDFGToLLVM.cpp:
3020         (JSC::FTL::DFG::LowerDFGToLLVM::checkStructure):
3021             We were not properly compiling CheckStructure and
3022             CheckStructureImmediate nodes with an empty StructureSet.
3023         * tests/stress/sink-multigetbyoffset.js: Regression test.
3024
3025 2015-08-14  Filip Pizlo  <fpizlo@apple.com>
3026
3027         Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable
3028         https://bugs.webkit.org/show_bug.cgi?id=147999
3029
3030         Reviewed by Geoffrey Garen.
3031
3032         * API/JSVirtualMachine.mm:
3033         (initWrapperCache):
3034         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3035         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3036         (wrapperCacheMutex): Deleted.
3037         * bytecode/SamplingTool.cpp:
3038         (JSC::SamplingTool::doRun):
3039         (JSC::SamplingTool::notifyOfScope):
3040         * bytecode/SamplingTool.h:
3041         * dfg/DFGThreadData.h:
3042         * dfg/DFGWorklist.cpp:
3043         (JSC::DFG::Worklist::~Worklist):
3044         (JSC::DFG::Worklist::isActiveForVM):
3045         (JSC::DFG::Worklist::enqueue):
3046         (JSC::DFG::Worklist::compilationState):
3047         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
3048         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
3049         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
3050         (JSC::DFG::Worklist::visitWeakReferences):
3051         (JSC::DFG::Worklist::removeDeadPlans):
3052         (JSC::DFG::Worklist::queueLength):
3053         (JSC::DFG::Worklist::dump):
3054         (JSC::DFG::Worklist::runThread):
3055         * dfg/DFGWorklist.h:
3056         * disassembler/Disassembler.cpp:
3057         * heap/CopiedSpace.cpp:
3058         (JSC::CopiedSpace::doneFillingBlock):
3059         (JSC::CopiedSpace::doneCopying):
3060         * heap/CopiedSpace.h:
3061         * heap/CopiedSpaceInlines.h:
3062         (JSC::CopiedSpace::recycleBorrowedBlock):
3063         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
3064         * heap/GCThread.cpp:
3065         (JSC::GCThread::waitForNextPhase):
3066         (JSC::GCThread::gcThreadMain):
3067         * heap/GCThreadSharedData.cpp:
3068         (JSC::GCThreadSharedData::GCThreadSharedData):
3069         (JSC::GCThreadSharedData::~GCThreadSharedData):
3070         (JSC::GCThreadSharedData::startNextPhase):
3071         (JSC::GCThreadSharedData::endCurrentPhase):
3072         (JSC::GCThreadSharedData::didStartMarking):
3073         (JSC::GCThreadSharedData::didFinishMarking):
3074         * heap/GCThreadSharedData.h:
3075         * heap/HeapTimer.h:
3076         * heap/MachineStackMarker.cpp:
3077         (JSC::ActiveMachineThreadsManager::Locker::Locker):
3078         (JSC::ActiveMachineThreadsManager::add):
3079         (JSC::ActiveMachineThreadsManager::remove):
3080         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
3081         (JSC::MachineThreads::~MachineThreads):
3082         (JSC::MachineThreads::addCurrentThread):
3083         (JSC::MachineThreads::removeThreadIfFound):
3084         (JSC::MachineThreads::tryCopyOtherThreadStack):
3085         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3086         (JSC::MachineThreads::gatherConservativeRoots):
3087         * heap/MachineStackMarker.h:
3088         * heap/SlotVisitor.cpp:
3089         (JSC::SlotVisitor::donateKnownParallel):
3090         (JSC::SlotVisitor::drain):
3091         (JSC::SlotVisitor::drainFromShared):
3092         (JSC::SlotVisitor::mergeOpaqueRoots):
3093         * heap/SlotVisitorInlines.h:
3094         (JSC::SlotVisitor::containsOpaqueRootTriState):
3095         * inspector/remote/RemoteInspectorDebuggableConnection.h:
3096         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3097         (Inspector::RemoteInspectorHandleRunSourceGlobal):
3098         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
3099         (Inspector::RemoteInspectorInitializeGlobalQueue):
3100         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
3101         (Inspector::RemoteInspectorDebuggableConnection::setup):
3102         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
3103         (Inspector::RemoteInspectorDebuggableConnection::close):
3104         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
3105         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
3106         * interpreter/JSStack.cpp:
3107         (JSC::JSStack::JSStack):
3108         (JSC::JSStack::releaseExcessCapacity):
3109         (JSC::JSStack::addToCommittedByteCount):
3110         (JSC::JSStack::committedByteCount):
3111         (JSC::stackStatisticsMutex): Deleted.
3112         (JSC::JSStack::initializeThreading): Deleted.
3113         * interpreter/JSStack.h:
3114         (JSC::JSStack::gatherConservativeRoots):
3115         (JSC::JSStack::sanitizeStack):
3116         (JSC::JSStack::size):
3117         (JSC::JSStack::initializeThreading): Deleted.
3118         * jit/ExecutableAllocator.cpp:
3119         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
3120         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
3121         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
3122         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
3123         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
3124         (JSC::DemandExecutableAllocator::allocators):
3125         (JSC::DemandExecutableAllocator::allocatorsMutex):
3126         * jit/JITThunks.cpp:
3127         (JSC::JITThunks::ctiStub):
3128         * jit/JITThunks.h:
3129         * profiler/ProfilerDatabase.cpp:
3130         (JSC::Profiler::Database::ensureBytecodesFor):
3131         (JSC::Profiler::Database::notifyDestruction):
3132         * profiler/ProfilerDatabase.h:
3133         * runtime/InitializeThreading.cpp:
3134         (JSC::initializeThreading):
3135         * runtime/JSLock.cpp:
3136         (JSC::GlobalJSLock::GlobalJSLock):
3137         (JSC::GlobalJSLock::~GlobalJSLock):
3138         (JSC::JSLockHolder::JSLockHolder):
3139         (JSC::GlobalJSLock::initialize): Deleted.
3140         * runtime/JSLock.h:
3141
3142 2015-08-14  Ryosuke Niwa  <rniwa@webkit.org>
3143
3144         ES6 class syntax should allow computed name method
3145         https://bugs.webkit.org/show_bug.cgi?id=142690
3146
3147         Reviewed by Saam Barati.
3148
3149         Added a new "attributes" attribute to op_put_getter_by_id, op_put_setter_by_id, op_put_getter_setter to specify
3150         the property descriptor options so that we can use op_put_setter_by_id and op_put_getter_setter to define
3151         getters and setters for classes. Without this, getters and setters could erroneously override methods.
3152
3153         * bytecode/BytecodeList.json:
3154         * bytecode/BytecodeUseDef.h:
3155         (JSC::computeUsesForBytecodeOffset):
3156         * bytecode/CodeBlock.cpp:
3157         (JSC::CodeBlock::dumpBytecode):
3158         * bytecompiler/BytecodeGenerator.cpp:
3159         (JSC::BytecodeGenerator::emitDirectPutById):
3160         (JSC::BytecodeGenerator::emitPutGetterById):
3161         (JSC::BytecodeGenerator::emitPutSetterById):
3162         (JSC::BytecodeGenerator::emitPutGetterSetter):
3163         * bytecompiler/BytecodeGenerator.h:
3164         * bytecompiler/NodesCodegen.cpp:
3165         (JSC::PropertyListNode::emitBytecode): Always use emitPutGetterSetter to emit getters and setters for classes
3166         as done for object literals.
3167         (JSC::PropertyListNode::emitPutConstantProperty):
3168         (JSC::ClassExprNode::emitBytecode):
3169         * jit/CCallHelpers.h:
3170         (JSC::CCallHelpers::setupArgumentsWithExecState):
3171         * jit/JIT.h:
3172         * jit/JITInlines.h:
3173         (JSC::JIT::callOperation):
3174         * jit/JITOperations.cpp:
3175         * jit/JITOperations.h:
3176         * jit/JITPropertyAccess.cpp:
3177         (JSC::JIT::emit_op_put_getter_by_id):
3178         (JSC::JIT::emit_op_put_setter_by_id):
3179         (JSC::JIT::emit_op_put_getter_setter):
3180         (JSC::JIT::emit_op_del_by_id):
3181         * jit/JITPropertyAccess32_64.cpp:
3182         (JSC::JIT::emit_op_put_getter_by_id):
3183         (JSC::JIT::emit_op_put_setter_by_id):
3184         (JSC::JIT::emit_op_put_getter_setter):
3185         (JSC::JIT::emit_op_del_by_id):
3186         * llint/LLIntSlowPaths.cpp:
3187         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3188         * llint/LowLevelInterpreter.asm:
3189         * parser/ASTBuilder.h:
3190         (JSC::ASTBuilder::createProperty):
3191         (JSC::ASTBuilder::createPropertyList):
3192         * parser/NodeConstructors.h:
3193         (JSC::PropertyNode::PropertyNode):
3194         * parser/Nodes.h:
3195         (JSC::PropertyNode::expressionName):
3196         (JSC::PropertyNode::name):
3197         * parser/Parser.cpp:
3198         (JSC::Parser<LexerType>::parseClass): Added support for computed property names. We don't support computed names
3199         for getters and setters.
3200         * parser/SyntaxChecker.h:
3201         (JSC::SyntaxChecker::createProperty):
3202         * runtime/JSObject.cpp:
3203         (JSC::JSObject::allowsAccessFrom):
3204         (JSC::JSObject::putGetter):
3205         (JSC::JSObject::putSetter):
3206         * runtime/JSObject.h:
3207         * runtime/PropertyDescriptor.h:
3208
3209 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3210
3211         Add InspectorInstrumentation builtin object to instrument the code in JS builtins like Promises
3212         https://bugs.webkit.org/show_bug.cgi?id=147942
3213
3214         Reviewed by Geoffrey Garen.
3215
3216         This patch adds a new private global object, @InspectorInstrumentation.
3217         It is intended to be used as the namespace object (like Reflect/Math) for Inspector's
3218         instrumentation system and it is used to instrument the builtin JS code, like Promises.
3219
3220         * CMakeLists.txt:
3221         * DerivedSources.make:
3222         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3223         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3224         * JavaScriptCore.xcodeproj/project.pbxproj:
3225         * builtins/InspectorInstrumentationObject.js: Added.
3226         (debug):
3227         (promiseFulfilled):
3228         (promiseRejected):
3229         * builtins/Operations.Promise.js:
3230         (rejectPromise):
3231         (fulfillPromise):
3232         * runtime/CommonIdentifiers.h:
3233         * runtime/InspectorInstrumentationObject.cpp: Added.
3234         (JSC::InspectorInstrumentationObject::InspectorInstrumentationObject):
3235         (JSC::InspectorInstrumentationObject::finishCreation):
3236         (JSC::InspectorInstrumentationObject::getOwnPropertySlot):
3237         (JSC::InspectorInstrumentationObject::isEnabled):
3238         (JSC::InspectorInstrumentationObject::enable):
3239         (JSC::InspectorInstrumentationObject::disable):
3240         (JSC::inspectorInstrumentationObjectDataLogImpl):
3241         * runtime/InspectorInstrumentationObject.h: Added.
3242         (JSC::InspectorInstrumentationObject::create):
3243         (JSC::InspectorInstrumentationObject::createStructure):
3244         * runtime/JSGlobalObject.cpp:
3245         (JSC::JSGlobalObject::init):
3246
3247 2015-08-14  Commit Queue  <commit-queue@webkit.org>
3248
3249         Unreviewed, rolling out r188444.
3250         https://bugs.webkit.org/show_bug.cgi?id=148029
3251
3252         Broke GTK and EFL (see bug #148027) (Requested by philn on
3253         #webkit).
3254
3255         Reverted changeset:
3256
3257         "Use WTF::Lock and WTF::Condition instead of WTF::Mutex,
3258         WTF::ThreadCondition, std::mutex, and std::condition_variable"
3259         https://bugs.webkit.org/show_bug.cgi?id=147999
3260         http://trac.webkit.org/changeset/188444
3261
3262 2015-08-13  Filip Pizlo  <fpizlo@apple.com>
3263
3264         Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable
3265         https://bugs.webkit.org/show_bug.cgi?id=147999
3266
3267         Reviewed by Geoffrey Garen.
3268
3269         * API/JSVirtualMachine.mm:
3270         (initWrapperCache):
3271         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3272         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3273         (wrapperCacheMutex): Deleted.
3274         * bytecode/SamplingTool.cpp:
3275         (JSC::SamplingTool::doRun):
3276         (JSC::SamplingTool::notifyOfScope):
3277         * bytecode/SamplingTool.h:
3278         * dfg/DFGThreadData.h:
3279         * dfg/DFGWorklist.cpp:
3280         (JSC::DFG::Worklist::~Worklist):
3281         (JSC::DFG::Worklist::isActiveForVM):
3282         (JSC::DFG::Worklist::enqueue):
3283         (JSC::DFG::Worklist::compilationState):
3284         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
3285         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
3286         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
3287         (JSC::DFG::Worklist::visitWeakReferences):
3288         (JSC::DFG::Worklist::removeDeadPlans):
3289         (JSC::DFG::Worklist::queueLength):
3290         (JSC::DFG::Worklist::dump):
3291         (JSC::DFG::Worklist::runThread):
3292         * dfg/DFGWorklist.h:
3293         * disassembler/Disassembler.cpp:
3294         * heap/CopiedSpace.cpp:
3295         (JSC::CopiedSpace::doneFillingBlock):
3296         (JSC::CopiedSpace::doneCopying):
3297         * heap/CopiedSpace.h:
3298         * heap/CopiedSpaceInlines.h:
3299         (JSC::CopiedSpace::recycleBorrowedBlock):
3300         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
3301         * heap/GCThread.cpp:
3302         (JSC::GCThread::waitForNextPhase):
3303         (JSC::GCThread::gcThreadMain):
3304         * heap/GCThreadSharedData.cpp:
3305         (JSC::GCThreadSharedData::GCThreadSharedData):
3306         (JSC::GCThreadSharedData::~GCThreadSharedData):
3307         (JSC::GCThreadSharedData::startNextPhase):
3308         (JSC::GCThreadSharedData::endCurrentPhase):
3309         (JSC::GCThreadSharedData::didStartMarking):
3310         (JSC::GCThreadSharedData::didFinishMarking):
3311         * heap/GCThreadSharedData.h:
3312         * heap/HeapTimer.h:
3313         * heap/MachineStackMarker.cpp:
3314         (JSC::ActiveMachineThreadsManager::Locker::Locker):
3315         (JSC::ActiveMachineThreadsManager::add):
3316         (JSC::ActiveMachineThreadsManager::remove):
3317         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
3318         (JSC::MachineThreads::~MachineThreads):
3319         (JSC::MachineThreads::addCurrentThread):
3320         (JSC::MachineThreads::removeThreadIfFound):
3321         (JSC::MachineThreads::tryCopyOtherThreadStack):
3322         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3323         (JSC::MachineThreads::gatherConservativeRoots):
3324         * heap/MachineStackMarker.h:
3325         * heap/SlotVisitor.cpp:
3326         (JSC::SlotVisitor::donateKnownParallel):
3327         (JSC::SlotVisitor::drain):
3328         (JSC::SlotVisitor::drainFromShared):
3329         (JSC::SlotVisitor::mergeOpaqueRoots):
3330         * heap/SlotVisitorInlines.h:
3331         (JSC::SlotVisitor::containsOpaqueRootTriState):
3332         * inspector/remote/RemoteInspectorDebuggableConnection.h:
3333         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3334         (Inspector::RemoteInspectorHandleRunSourceGlobal):
3335         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
3336         (Inspector::RemoteInspectorInitializeGlobalQueue):
3337         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
3338         (Inspector::RemoteInspectorDebuggableConnection::setup):
3339         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
3340         (Inspector::RemoteInspectorDebuggableConnection::close):
3341         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
3342         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
3343         * interpreter/JSStack.cpp:
3344         (JSC::JSStack::JSStack):
3345         (JSC::JSStack::releaseExcessCapacity):
3346         (JSC::JSStack::addToCommittedByteCount):
3347         (JSC::JSStack::committedByteCount):
3348         (JSC::stackStatisticsMutex): Deleted.
3349         (JSC::JSStack::initializeThreading): Deleted.
3350         * interpreter/JSStack.h:
3351         (JSC::JSStack::gatherConservativeRoots):
3352         (JSC::JSStack::sanitizeStack):
3353         (JSC::JSStack::size):
3354         (JSC::JSStack::initializeThreading): Deleted.
3355         * jit/ExecutableAllocator.cpp:
3356         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
3357         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
3358         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
3359         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
3360         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
3361         (JSC::DemandExecutableAllocator::allocators):
3362         (JSC::DemandExecutableAllocator::allocatorsMutex):
3363         * jit/JITThunks.cpp:
3364         (JSC::JITThunks::ctiStub):
3365         * jit/JITThunks.h:
3366         * profiler/ProfilerDatabase.cpp:
3367         (JSC::Profiler::Database::ensureBytecodesFor):
3368         (JSC::Profiler::Database::notifyDestruction):
3369         * profiler/ProfilerDatabase.h:
3370         * runtime/InitializeThreading.cpp:
3371         (JSC::initializeThreading):
3372         * runtime/JSLock.cpp:
3373         (JSC::GlobalJSLock::GlobalJSLock):
3374         (JSC::GlobalJSLock::~GlobalJSLock):
3375         (JSC::JSLockHolder::JSLockHolder):
3376         (JSC::GlobalJSLock::initialize): Deleted.
3377         * runtime/JSLock.h:
3378
3379 2015-08-13  Commit Queue  <commit-queue@webkit.org>
3380
3381         Unreviewed, rolling out r188428.
3382         https://bugs.webkit.org/show_bug.cgi?id=148015
3383
3384         broke cmake build (Requested by alexchristensen on #webkit).
3385
3386         Reverted changeset:
3387
3388         "Move some commands from ./CMakeLists.txt to Source/cmake"
3389         https://bugs.webkit.org/show_bug.cgi?id=148003
3390         http://trac.webkit.org/changeset/188428
3391
3392 2015-08-13  Commit Queue  <commit-queue@webkit.org>
3393
3394         Unreviewed, rolling out r188431.
3395         https://bugs.webkit.org/show_bug.cgi?id=148013
3396
3397         JSC headers are too hard to understand (Requested by smfr on
3398         #webkit).
3399
3400         Reverted changeset:
3401
3402         "Remove a few includes from JSGlobalObject.h"
3403         https://bugs.webkit.org/show_bug.cgi?id=148004
3404         http://trac.webkit.org/changeset/188431
3405
3406 2015-08-13  Benjamin Poulain  <bpoulain@apple.com>
3407
3408         [JSC] Add support for GetByVal on arrays of Undecided shape
3409         https://bugs.webkit.org/show_bug.cgi?id=147814
3410
3411         Reviewed by Filip Pizlo.
3412
3413         Previously, GetByVal on Array::Undecided would just take
3414         the generic path. The problem is the generic path is so
3415         slow that it could take a significant amount of time
3416         even for infrequent accesses.
3417
3418         With this patch, if the following conditions are met,
3419         the GetByVal just returns a "undefined" constant:
3420         -The object is an OriginalArray.
3421         -The prototype chain is sane.
3422         -The index is an integer.
3423         -The integer is positive (runtime check).
3424
3425         Ideally, the 4th condition should be removed:
3426         deducing a compile-time constant gives us so much better
3427         opportunities at getting rid of this code.
3428
3429         There are two cases where this patch removes the runtime
3430         check:
3431         -If the index is constant (uncommon but easy)
3432         -If the index is within a range known to be positive.
3433          (common case and made possible with DFGIntegerRangeOptimizationPhase).
3434
3435         When we get into those cases, DFG just nukes everything
3436         and all we have left is a structure check :)
3437
3438         This patch is a 14% improvement on audio-beat-detection,
3439         a few percent faster here and there and no regression.
3440
3441         * dfg/DFGAbstractInterpreterInlines.h:
3442         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3443         If the index is a positive constant, we can get rid of the GetByVal
3444         entirely. :)
3445
3446         * dfg/DFGArrayMode.cpp:
3447         (JSC::DFG::ArrayMode::fromObserved):
3448         The returned type is now Array::Undecided + profiling information.
3449         The useful type is set in ArrayMode::refine().
3450
3451         (JSC::DFG::ArrayMode::refine):
3452         If we meet the particular set conditions, we speculate an Undecided
3453         array type with sane chain. Anything else comes back to Generic.
3454
3455         (JSC::DFG::ArrayMode::originalArrayStructure):
3456         To enable the structure check for Undecided array.
3457
3458         (JSC::DFG::ArrayMode::alreadyChecked):
3459         * dfg/DFGArrayMode.h:
3460         (JSC::DFG::ArrayMode::withProfile):
3461         (JSC::DFG::ArrayMode::canCSEStorage):
3462         (JSC::DFG::ArrayMode::benefitsFromOriginalArray):
3463         (JSC::DFG::ArrayMode::lengthNeedsStorage): Deleted.
3464         (JSC::DFG::ArrayMode::isSpecific): Deleted.
3465
3466         * dfg/DFGByteCodeParser.cpp:
3467         (JSC::DFG::ByteCodeParser::handleIntrinsic): Deleted.
3468         This is somewhat unrelated.
3469
3470         Having Array::Undecided on ArrayPush was impossible before
3471         since ArrayMode::fromObserved() used to return Array::Generic.
3472
3473         Now that Array::Undecided is possible, we must make sure not
3474         to provide it to ArrayPush since there is no code to handle it
3475         properly.
3476
3477         * dfg/DFGClobberize.h:
3478         (JSC::DFG::clobberize):
3479         The operation only depends on the index, it is pure.
3480
3481         * dfg/DFGFixupPhase.cpp:
3482         (JSC::DFG::FixupPhase::fixupNode): Deleted.
3483         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
3484         * dfg/DFGSpeculativeJIT.cpp:
3485         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3486         (JSC::DFG::SpeculativeJIT::checkArray):
3487         * dfg/DFGSpeculativeJIT32_64.cpp:
3488         (JSC::DFG::SpeculativeJIT::compile):
3489         * dfg/DFGSpeculativeJIT64.cpp:
3490         (JSC::DFG::SpeculativeJIT::compile):
3491         * ftl/FTLCapabilities.cpp:
3492         (JSC::FTL::canCompile):
3493         * ftl/FTLLowerDFGToLLVM.cpp:
3494         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
3495         * tests/stress/get-by-val-on-undecided-array-type.js: Added.
3496         * tests/stress/get-by-val-on-undecided-sane-chain-1.js: Added.
3497         * tests/stress/get-by-val-on-undecided-sane-chain-2.js: Added.
3498         * tests/stress/get-by-val-on-undecided-sane-chain-3.js: Added.
3499         * tests/stress/get-by-val-on-undecided-sane-chain-4.js: Added.
3500         * tests/stress/get-by-val-on-undecided-sane-chain-5.js: Added.
3501         * tests/stress/get-by-val-on-undecided-sane-chain-6.js: Added.
3502
3503 2015-08-13  Simon Fraser  <simon.fraser@apple.com>
3504
3505         Remove a few includes from JSGlobalObject.h
3506         https://bugs.webkit.org/show_bug.cgi?id=148004
3507
3508         Reviewed by Tim Horton.
3509         
3510         Remove 4 #includes from JSGlobalObject.h, and fix the fallout.
3511
3512         * parser/VariableEnvironment.cpp:
3513         * parser/VariableEnvironment.h:
3514         * runtime/JSGlobalObject.h:
3515         * runtime/Structure.h:
3516         * runtime/StructureInlines.h:
3517
3518 2015-08-13  Alex Christensen  <achristensen@webkit.org>
3519
3520         Move some commands from ./CMakeLists.txt to Source/cmake
3521         https://bugs.webkit.org/show_bug.cgi?id=148003
3522
3523         Reviewed by Brent Fulgham.
3524
3525         * CMakeLists.txt:
3526         Added commands needed to build JSC by itself.
3527
3528 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3529
3530         Unify JSParserCodeType, FunctionParseMode and ModuleParseMode into SourceParseMode
3531         https://bugs.webkit.org/show_bug.cgi?id=147353
3532
3533         Reviewed by Saam Barati.
3534
3535         This is the follow-up patch after r188355.
3536         It includes the following changes.
3537
3538         - Unify JSParserCodeType, FunctionParseMode and ModuleParseMode into SourceParseMode
3539         - Make SourceParseMode a C++ strongly-typed enum.
3540         - Fix the comments.
3541         - Rename ModuleSpecifier to ModuleName.
3542         - Add the type name `ImportEntry` before the C++11 uniform initialization.
3543         - Fix the thrown message for duplicate 'default' names.
3544         - Assert that all statements in the top-level source elements are module declarations under the module analyzer phase.
3545
3546         * API/JSScriptRef.cpp:
3547         (parseScript):
3548         * builtins/BuiltinExecutables.cpp:
3549         (JSC::BuiltinExecutables::createExecutableInternal):
3550         * bytecode/UnlinkedFunctionExecutable.cpp:
3551         (JSC::generateFunctionCodeBlock):
3552         * bytecode/UnlinkedFunctionExecutable.h:
3553         * bytecompiler/BytecodeGenerator.h:
3554         (JSC::BytecodeGenerator::makeFunction):
3555         * parser/ASTBuilder.h:
3556         (JSC::ASTBuilder::createFunctionMetadata):
3557         (JSC::ASTBuilder::createModuleName):
3558         (JSC::ASTBuilder::createImportDeclaration):
3559         (JSC::ASTBuilder::createExportAllDeclaration):
3560         (JSC::ASTBuilder::createExportNamedDeclaration):
3561         (JSC::ASTBuilder::createModuleSpecifier): Deleted.
3562         * parser/ModuleAnalyzer.cpp:
3563         (JSC::ModuleAnalyzer::analyze):
3564         * parser/NodeConstructors.h:
3565         (JSC::ModuleNameNode::ModuleNameNode):
3566         (JSC::ImportDeclarationNode::ImportDeclarationNode):
3567         (JSC::ExportAllDeclarationNode::ExportAllDeclarationNode):
3568         (JSC::ExportNamedDeclarationNode::ExportNamedDeclarationNode):
3569         (JSC::ModuleSpecifierNode::ModuleSpecifierNode): Deleted.
3570         * parser/Nodes.cpp:
3571         (JSC::FunctionMetadataNode::FunctionMetadataNode):
3572         * parser/Nodes.h:
3573         (JSC::StatementNode::isModuleDeclarationNode):
3574         (JSC::ModuleDeclarationNode::isModuleDeclarationNode):
3575         (JSC::ImportDeclarationNode::moduleName):
3576         (JSC::ExportAllDeclarationNode::moduleName):
3577         (JSC::ExportNamedDeclarationNode::moduleName):
3578         (JSC::ImportDeclarationNode::moduleSpecifier): Deleted.
3579         (JSC::ExportAllDeclarationNode::moduleSpecifier): Deleted.
3580         (JSC::ExportNamedDeclarationNode::moduleSpecifier): Deleted.
3581         * parser/NodesAnalyzeModule.cpp:
3582         (JSC::SourceElements::analyzeModule):
3583         (JSC::ImportDeclarationNode::analyzeModule):
3584         (JSC::ExportAllDeclarationNode::analyzeModule):
3585         (JSC::ExportNamedDeclarationNode::analyzeModule):
3586         * parser/Parser.cpp:
3587         (JSC::Parser<LexerType>::Parser):
3588         (JSC::Parser<LexerType>::parseInner):
3589         (JSC::Parser<LexerType>::parseModuleSourceElements):
3590         (JSC::Parser<LexerType>::parseFunctionBody):
3591         (JSC::stringForFunctionMode):
3592         (JSC::Parser<LexerType>::parseFunctionParameters):
3593         (JSC::Parser<LexerType>::parseFunctionInfo):
3594         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3595         (JSC::Parser<LexerType>::parseClass):
3596         (JSC::Parser<LexerType>::parseModuleName):
3597         (JSC::Parser<LexerType>::parseImportDeclaration):
3598         (JSC::Parser<LexerType>::parseExportDeclaration):
3599         (JSC::Parser<LexerType>::parsePropertyMethod):
3600         (JSC::Parser<LexerType>::parseGetterSetter):
3601         (JSC::Parser<LexerType>::parsePrimaryExpression):
3602         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3603         (JSC::Parser<LexerType>::parseModuleSpecifier): Deleted.
3604         * parser/Parser.h:
3605         (JSC::Parser<LexerType>::parse):
3606         (JSC::parse):
3607         * parser/ParserModes.h:
3608         (JSC::isFunctionParseMode):
3609         (JSC::isModuleParseMode):
3610         (JSC::isProgramParseMode):
3611         * parser/SyntaxChecker.h:
3612         (JSC::SyntaxChecker::createFunctionMetadata):
3613         (JSC::SyntaxChecker::createModuleName):
3614         (JSC::SyntaxChecker::createImportDeclaration):
3615         (JSC::SyntaxChecker::createExportAllDeclaration):
3616         (JSC::SyntaxChecker::createExportNamedDeclaration):
3617         (JSC::SyntaxChecker::createModuleSpecifier): Deleted.
3618         * runtime/CodeCache.cpp:
3619         (JSC::CodeCache::getGlobalCodeBlock):
3620         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3621         * runtime/Completion.cpp:
3622         (JSC::checkSyntax):
3623         (JSC::checkModuleSyntax):
3624         * runtime/Executable.cpp:
3625         (JSC::ProgramExecutable::checkSyntax):
3626         * tests/stress/modules-syntax-error-with-names.js:
3627
3628 2015-08-13  Joseph Pecoraro  <pecoraro@apple.com>
3629
3630         Web Inspector: A {Map, WeakMap, Set, WeakSet} object that contains itself will hang the console
3631         https://bugs.webkit.org/show_bug.cgi?id=147966
3632
3633         Reviewed by Timothy Hatcher.
3634
3635         * inspector/InjectedScriptSource.js:
3636         (InjectedScript.prototype._initialPreview):
3637         Renamed to initial preview. This is not a complete preview for
3638         this object, and it needs some processing in order to be a
3639         complete accurate preview.
3640
3641         (InjectedScript.RemoteObject.prototype._emptyPreview):
3642         This attempts to be an accurate empty preview for the given object.
3643         For types with entries, it adds an empty entries list and updates
3644         the overflow and lossless properties.
3645
3646         (InjectedScript.RemoteObject.prototype._createObjectPreviewForValue):
3647         Take a generatePreview parameter to generate a full preview or empty preview.
3648
3649         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
3650         (InjectedScript.RemoteObject.prototype._appendEntryPreviews):
3651         (InjectedScript.RemoteObject.prototype._isPreviewableObject):
3652         Take care to avoid cycles.
3653
3654 2015-08-13  Geoffrey Garen  <ggaren@apple.com>
3655
3656         Periodic code deletion should delete RegExp code
3657         https://bugs.webkit.org/show_bug.cgi?id=147990
3658
3659         Reviewed by Filip Pizlo.
3660
3661         The RegExp code cache was created for the sake of simple loops that
3662         re-created the same RegExps. It's reasonable to delete it periodically.
3663
3664         * heap/Heap.cpp:
3665         (JSC::Heap::deleteOldCode):
3666
3667 2015-08-13  Geoffrey Garen  <ggaren@apple.com>
3668
3669         RegExpCache::finalize should not delete code
3670         https://bugs.webkit.org/show_bug.cgi?id=147987
3671
3672         Reviewed by Mark Lam.
3673
3674         The RegExp object already knows how to delete its own code in its
3675         destructor. Our job is just to clear our stale pointer.
3676
3677         * runtime/RegExpCache.cpp:
3678         (JSC::RegExpCache::finalize):
3679         (JSC::RegExpCache::addToStrongCache):
3680
3681 2015-08-13  Geoffrey Garen  <ggaren@apple.com>
3682
3683         Standardize on the phrase "delete code"
3684         https://bugs.webkit.org/show_bug.cgi?id=147984
3685
3686         Reviewed by Mark Lam.
3687
3688         Use "delete" when we talk about throwing away code, as opposed to
3689         "invalidate" or "discard".
3690
3691         * debugger/Debugger.cpp:
3692         (JSC::Debugger::forEachCodeBlock):
3693         (JSC::Debugger::setSteppingMode):
3694         (JSC::Debugger::recompileAllJSFunctions):
3695         * heap/Heap.cpp:
3696         (JSC::Heap::deleteAllCompiledCode):
3697         * inspector/agents/InspectorRuntimeAgent.cpp:
3698         (Inspector::recompileAllJSFunctionsForTypeProfiling):
3699         * runtime/RegExp.cpp:
3700         (JSC::RegExp::match):
3701         (JSC::RegExp::deleteCode):
3702         (JSC::RegExp::invalidateCode): Deleted.
3703         * runtime/RegExp.h:
3704         * runtime/RegExpCache.cpp:
3705         (JSC::RegExpCache::finalize):
3706         (JSC::RegExpCache::addToStrongCache):
3707         (JSC::RegExpCache::deleteAllCode):
3708         (JSC::RegExpCache::invalidateCode): Deleted.
3709         * runtime/RegExpCache.h:
3710         * runtime/VM.cpp:
3711         (JSC::VM::stopSampling):
3712         (JSC::VM::prepareToDeleteCode):
3713         (JSC::VM::deleteAllCode):
3714         (JSC::VM::setEnabledProfiler):
3715         (JSC::VM::prepareToDiscardCode): Deleted.
3716         (JSC::VM::discardAllCode): Deleted.
3717         * runtime/VM.h:
3718         (JSC::VM::apiLock):
3719         (JSC::VM::codeCache):
3720         * runtime/Watchdog.cpp:
3721         (JSC::Watchdog::setTimeLimit):
3722
3723 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3724
3725         X.[[SetPrototypeOf]](Y) should succeed if X.[[Prototype]] is already Y even if X is not extensible
3726         https://bugs.webkit.org/show_bug.cgi?id=147930
3727
3728         Reviewed by Saam Barati.
3729
3730         When the prototype object passed to be set is the same as the existing
3731         prototype object, [[SetPrototypeOf]] just finishes its operation even
3732         if the extensibility of the target object is `false`.
3733
3734         * runtime/JSGlobalObjectFunctions.cpp:
3735         (JSC::globalFuncProtoSetter):
3736         * runtime/ObjectConstructor.cpp:
3737         (JSC::objectConstructorSetPrototypeOf):
3738         * runtime/ReflectObject.cpp:
3739         (JSC::reflectObjectSetPrototypeOf):
3740         * tests/stress/set-same-prototype.js: Added.
3741         (shouldBe):
3742         (shouldThrow):
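
        The behaviour described in this entry, as an added example that is not part of
        WebKit's own set-same-prototype.js test: setting a non-extensible object's
        [[Prototype]] to the value it already has succeeds through Object.setPrototypeOf,
        Reflect.setPrototypeOf and the __proto__ setter, while changing it fails on all
        three paths. The helper names (throwsTypeError, makeSealedObject) are this
        example's own, not JavaScriptCore identifiers.

```javascript
"use strict";

// Added example; not JavaScriptCore's own test code. Shows that
// [[SetPrototypeOf]] with the prototype an object already has succeeds
// on a non-extensible object, while changing the prototype fails, through
// Object.setPrototypeOf, Reflect.setPrototypeOf and the __proto__ setter.

// Report whether fn throws a TypeError.
function throwsTypeError(fn) {
    try {
        fn();
        return false;
    } catch (e) {
        return e instanceof TypeError;
    }
}

// Create a non-extensible object whose [[Prototype]] is `proto`.
function makeSealedObject(proto) {
    const obj = Object.create(proto);
    Object.preventExtensions(obj);
    return obj;
}

// Setting the prototype the object already has: every path succeeds.
function setSamePrototype() {
    const proto = { tag: "proto" };
    const obj = makeSealedObject(proto);

    const objectOk = Object.setPrototypeOf(obj, proto) === obj;   // returns the object on success
    const reflectOk = Reflect.setPrototypeOf(obj, proto);          // returns true on success
    const setterOk = !throwsTypeError(() => { obj.__proto__ = proto; }); // setter throws only on failure

    return {
        objectOk,
        reflectOk,
        setterOk,
        prototypeUnchanged: Object.getPrototypeOf(obj) === proto,
    };
}

// Setting a different prototype on the same non-extensible object: every path fails,
// and the original prototype stays in place.
function setDifferentPrototype() {
    const proto = { tag: "proto" };
    const other = { tag: "other" };
    const obj = makeSealedObject(proto);

    const objectThrows = throwsTypeError(() => Object.setPrototypeOf(obj, other));
    const reflectResult = Reflect.setPrototypeOf(obj, other);      // false, no exception
    const setterThrows = throwsTypeError(() => { obj.__proto__ = other; });

    return {
        objectThrows,
        reflectResult,
        setterThrows,
        prototypeUnchanged: Object.getPrototypeOf(obj) === proto,
    };
}
```

        Reflect.setPrototypeOf is the path that reports failure as a boolean; the other
        two throw a TypeError, which is the only signal the __proto__ setter gives.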
3743
3744 2015-08-12  Geoffrey Garen  <ggaren@apple.com>
3745
3746         Removed clearEvalCodeCache()
3747         https://bugs.webkit.org/show_bug.cgi?id=147957
3748
3749         Reviewed by Filip Pizlo.
3750
3751         It was unused.
3752
3753         * bytecode/CodeBlock.cpp:
3754         (JSC::CodeBlock::linkIncomingCall):
3755         (JSC::CodeBlock::install):
3756         (JSC::CodeBlock::clearEvalCache): Deleted.
3757         * bytecode/CodeBlock.h:
3758         (JSC::CodeBlock::numberOfJumpTargets):
3759         (JSC::CodeBlock::jumpTarget):
3760         (JSC::CodeBlock::numberOfArgumentValueProfiles):
3761
3762 2015-08-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3763
3764         [ES6] Implement Reflect.defineProperty
3765         https://bugs.webkit.org/show_bug.cgi?id=147943
3766
3767         Reviewed by Saam Barati.
3768
3769         This patch implements Reflect.defineProperty.
3770         The differences from Object.defineProperty are:
3771
3772         1. Reflect.defineProperty does not perform ToObject operation onto the first argument.
3773         2. Reflect.defineProperty does not throw a TypeError when the [[DefineOwnProperty]] operation fails.
3774         3. Reflect.defineProperty returns the boolean value that represents whether [[DefineOwnProperty]] succeeded.
3775
3776         This patch also adds comments with links to the ES6 spec.
3777
3778         * builtins/ReflectObject.js:
3779         * runtime/ObjectConstructor.cpp:
3780         (JSC::toPropertyDescriptor):
3781         * runtime/ObjectConstructor.h:
3782         * runtime/ReflectObject.cpp:
3783         (JSC::reflectObjectDefineProperty):
3784         * tests/stress/reflect-define-property.js: Added.
3785         (shouldBe):
3786         (shouldThrow):
3787         (.set getter):
3788         (setter):
3789         (.get testDescriptor):
3790         (.set get var):
3791         (.set testDescriptor):
3792         (.set get testDescriptor):
3793         (.set get shouldThrow):
3794         (.get var):
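
        The three differences listed in this entry, as an added example that is not
        part of WebKit's own reflect-define-property.js test. The helper names
        (throwsTypeError, redefineNonConfigurable, defineOnExtensible) are this
        example's own, not JavaScriptCore identifiers.

```javascript
"use strict";

// Added example; not JavaScriptCore's own test code. Exercises the three
// differences between Reflect.defineProperty and Object.defineProperty
// listed in the entry above.

// Report whether fn throws a TypeError.
function throwsTypeError(fn) {
    try {
        fn();
        return false;
    } catch (e) {
        return e instanceof TypeError;
    }
}

// 1. No ToObject on the target: a primitive target is rejected with a
//    TypeError instead of being boxed.
function primitiveTargetThrows() {
    return throwsTypeError(() => Reflect.defineProperty(42, "x", { value: 1 }));
}

// 2 and 3. When [[DefineOwnProperty]] fails (here: changing the value of a
//    non-configurable, non-writable property), Reflect.defineProperty reports
//    false, while Object.defineProperty throws a TypeError. Neither call
//    modifies the property.
function redefineNonConfigurable() {
    const target = {};
    Object.defineProperty(target, "fixed", { value: 1, writable: false, configurable: false });

    const reflectResult = Reflect.defineProperty(target, "fixed", { value: 2 });
    const objectThrows = throwsTypeError(() => Object.defineProperty(target, "fixed", { value: 2 }));

    return { reflectResult, objectThrows, value: target.fixed };
}

// A definition that succeeds returns true and installs the property with the
// usual descriptor defaults (writable/configurable default to false).
function defineOnExtensible() {
    const target = {};
    const ok = Reflect.defineProperty(target, "answer", { value: 42, enumerable: true });
    const desc = Object.getOwnPropertyDescriptor(target, "answer");
    return { ok, value: desc.value, enumerable: desc.enumerable, writable: desc.writable };
}
```

        The boolean result is what makes Reflect.defineProperty usable where a thrown
        TypeError would be awkward, for instance inside a Proxy defineProperty trap that
        forwards to its target and must itself return a boolean.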
3795
3796 2015-08-12  Filip Pizlo  <fpizlo@apple.com>
3797
3798         DFG::ByteCodeParser should attempt constant folding on loads from structures that are DFG-watchable
3799         https://bugs.webkit.org/show_bug.cgi?id=147950
3800
3801         Reviewed by Michael Saboff.
3802
3803         Previously we reduced the constant folding power of ByteCodeParser::load() because that code was
3804         responsible for memory corruption, since it would sometimes install watchpoints on structures that
3805         weren't being traced.  It seemed like the safest fix was to remove the constant folding rule
3806         entirely since later phases also do constant folding, and they do it without introducing the bug.
3807         Well, that change (http://trac.webkit.org/changeset/188292) caused a big regression, because we
3808         still have some constant folding rules that only exist in ByteCodeParser, and so ByteCodeParser must
3809         be maximally aggressive in constant-folding whenever possible.
3810
3811         So, this change now brings back that constant folding rule - for loads from object constants that
3812         have DFG-watchable structures - and implements it properly, by ensuring that we only call into
3813         tryGetConstantProperty() if we have registered the structure set.
3814
3815         * dfg/DFGByteCodeParser.cpp:
3816         (JSC::DFG::ByteCodeParser::load):
3817
3818 2015-08-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3819
3820         [ES6] Add ES6 Modules preparsing phase to collect the dependencies
3821         https://bugs.webkit.org/show_bug.cgi?id=147353
3822
3823         Reviewed by Geoffrey Garen.
3824
3825         This patch implements ModuleRecord and ModuleAnalyzer.
3826         ModuleAnalyzer analyzes the produced AST from the parser.
3827         By collaborating with the parser, ModuleAnalyzer collects the information
3828         that is necessary to request the loading for the dependent modules and
3829         construct the module's environment and namespace object before executing the actual
3830         module body.
3831
3832         In the parser, we annotate which variable is an imported binding and which variable
3833         is exported from the current module. This information is leveraged in the ModuleAnalyzer
3834         to categorize the export entries.
3835
3836         To preparse the modules in the parser, we just add the new flag `ModuleParseMode`
3837         instead of introducing a new TreeContext type. This is because only 2 users use
3838         parseModuleSourceElements: the preparser and the actual compiler. Adding the flag is simple
3839         enough to switch the context to the SyntaxChecker when parsing the non-module related
3840         statements in the preparsing phase.
3841
3842         To demonstrate the module analyzer, we added the new dumpModuleRecord option
3843         to the JSC shell. By specifying it, the result of the analysis is dumped when the module
3844         is parsed and analyzed.
3845
3846         * CMakeLists.txt:
3847         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3848         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3849         * JavaScriptCore.xcodeproj/project.pbxproj:
3850         * builtins/BuiltinNames.h:
3851         * parser/ASTBuilder.h:
3852         (JSC::ASTBuilder::createExportDefaultDeclaration):
3853         * parser/ModuleAnalyzer.cpp: Added.
3854         (JSC::ModuleAnalyzer::ModuleAnalyzer):
3855         (JSC::ModuleAnalyzer::exportedBinding):
3856         (JSC::ModuleAnalyzer::declareExportAlias):
3857         (JSC::ModuleAnalyzer::exportVariable):
3858         (JSC::ModuleAnalyzer::analyze):
3859         * parser/ModuleAnalyzer.h: Added.
3860         (JSC::ModuleAnalyzer::vm):
3861         (JSC::ModuleAnalyzer::moduleRecord):
3862         * parser/ModuleRecord.cpp: Added.
3863         (JSC::printableName):
3864         (JSC::ModuleRecord::dump):
3865         * parser/ModuleRecord.h: Added.
3866         (JSC::ModuleRecord::ImportEntry::isNamespace):
3867         (JSC::ModuleRecord::create):
3868         (JSC::ModuleRecord::appendRequestedModule):
3869         (JSC::ModuleRecord::addImportEntry):
3870         (JSC::ModuleRecord::addExportEntry):
3871         (JSC::ModuleRecord::addStarExportEntry):
3872         * parser/NodeConstructors.h:
3873         (JSC::ModuleDeclarationNode::ModuleDeclarationNode):
3874         (JSC::ImportDeclarationNode::ImportDeclarationNode):
3875         (JSC::ExportAllDeclarationNode::ExportAllDeclarationNode):
3876         (JSC::ExportDefaultDeclarationNode::ExportDefaultDeclarationNode):
3877         (JSC::ExportLocalDeclarationNode::ExportLocalDeclarationNode):
3878         (JSC::ExportNamedDeclarationNode::ExportNamedDeclarationNode):
3879         * parser/Nodes.h:
3880         (JSC::ExportDefaultDeclarationNode::localName):
3881         * parser/NodesAnalyzeModule.cpp: Added.
3883         (JSC::SourceElements::analyzeModule):
3884    &nbs