ES6 Classes: Runtime error in JIT'd class calling super() with arguments and supercla...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
2
3         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
4         https://bugs.webkit.org/show_bug.cgi?id=142862
5
6         Reviewed by Benjamin Poulain.
7
8         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
9
10         * tests/stress/class-syntax-derived-default-constructor.js: Added.
11
12 2015-03-27  Michael Saboff  <msaboff@apple.com>
13
14         load8Signed() and load16Signed() should be renamed to avoid confusion
15         https://bugs.webkit.org/show_bug.cgi?id=143168
16
17         Reviewed by Benjamin Poulain.
18
19         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
20
21         * assembler/MacroAssemblerARM.h:
22         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
23         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
24         (JSC::MacroAssemblerARM::load8Signed): Deleted.
25         (JSC::MacroAssemblerARM::load16Signed): Deleted.
26         * assembler/MacroAssemblerARM64.h:
27         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
28         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
29         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
30         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
31         * assembler/MacroAssemblerARMv7.h:
32         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
33         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
34         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
35         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
36         * assembler/MacroAssemblerMIPS.h:
37         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
38         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
39         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
40         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
41         * assembler/MacroAssemblerSH4.h:
42         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
43         (JSC::MacroAssemblerSH4::load8):
44         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
45         (JSC::MacroAssemblerSH4::load16):
46         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
47         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
48         * assembler/MacroAssemblerX86Common.h:
49         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
50         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
51         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
52         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
53         * dfg/DFGSpeculativeJIT.cpp:
54         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
55         * jit/JITPropertyAccess.cpp:
56         (JSC::JIT::emitIntTypedArrayGetByVal):
57
58 2015-03-27  Michael Saboff  <msaboff@apple.com>
59
60         Fix flaky dfg-int8array.js and dfg-int16array.js tests for ARM64
61         https://bugs.webkit.org/show_bug.cgi?id=138390
62
63         Reviewed by Mark Lam.
64
65         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
66         instead of 64 bits.  This is what X86-64 does.
67
68         * assembler/MacroAssemblerARM64.h:
69         (JSC::MacroAssemblerARM64::load16Signed):
70         (JSC::MacroAssemblerARM64::load8Signed):
71
72 2015-03-27  Saam Barati  <saambarati1@gmail.com>
73
74         Add back previously broken assert from bug 141869
75         https://bugs.webkit.org/show_bug.cgi?id=143005
76
77         Reviewed by Michael Saboff.
78
79         * runtime/ExceptionHelpers.cpp:
80         (JSC::invalidParameterInSourceAppender):
81
82 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
83
84         Make some more objects use FastMalloc
85         https://bugs.webkit.org/show_bug.cgi?id=143122
86
87         Reviewed by Csaba Osztrogonác.
88
89         * API/JSCallbackObject.h:
90         * heap/IncrementalSweeper.h:
91         * jit/JITThunks.h:
92         * runtime/JSGlobalObjectDebuggable.h:
93         * runtime/RegExpCache.h:
94
95 2015-03-27  Michael Saboff  <msaboff@apple.com>
96
97         Objects with numeric properties intermittently get a phantom 'length' property
98         https://bugs.webkit.org/show_bug.cgi?id=142792
99
100         Reviewed by Csaba Osztrogonác.
101
102         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
103         test and branch instructions.  This function is used for linking tbz/tbnz branches between
104         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
105         the failure case checks in the GetById array length stub created for "obj.length" access.
106         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
107         being set when we should have been looking for bit 0.
108
109         * assembler/ARM64Assembler.h:
110         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
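The instruction the entry above is disassembling, as an added example that is not JavaScriptCore's own assembler code: an encoder and decoder for the AArch64 TBZ/TBNZ word, a relink helper that re-targets an existing branch the way a linker between two separately JIT'ed regions must, and a deliberately wrong field extraction that uses > where >> is meant. The field layout is the public ISA encoding; the function names and the exact shape of the typo'd extraction are assumptions for illustration, not JSC's code.

```javascript
// Added example, not JavaScriptCore's own assembler code.
// AArch64 TBZ/TBNZ encoding (public ISA, assumed here as documented):
//   bit 31      b5     high bit of the tested bit number
//   bits 30-25  011011 fixed opcode bits
//   bit 24      op     0 = TBZ, 1 = TBNZ
//   bits 23-19  b40    low five bits of the tested bit number
//   bits 18-5   imm14  signed word offset (byte offset = imm14 * 4)
//   bits 4-0    Rt     register being tested
const TBZ_BASE = 0x36000000; // 011011 placed in bits 30-25

// Build a TBZ/TBNZ word testing `bit` of register `rt`, branching by byteOffset.
function encodeTestAndBranch(isTbnz, rt, bit, byteOffset) {
  if (bit < 0 || bit > 63) throw new RangeError('bit out of range');
  if (byteOffset % 4 !== 0) throw new RangeError('offset must be word aligned');
  const imm14 = byteOffset / 4;
  if (imm14 < -8192 || imm14 > 8191) throw new RangeError('offset out of range');
  const b5 = (bit >> 5) & 1;
  const b40 = bit & 0x1f;
  const word = TBZ_BASE | (b5 << 31) | ((isTbnz ? 1 : 0) << 24) |
    (b40 << 19) | ((imm14 & 0x3fff) << 5) | (rt & 0x1f);
  return word >>> 0; // normalise to an unsigned 32-bit value
}

// Split a word back into its fields, or return null if it is not TBZ/TBNZ.
function decodeTestAndBranch(word) {
  if (((word >>> 25) & 0x3f) !== 0x1b) return null; // bits 30-25 must be 011011
  const b5 = (word >>> 31) & 1;
  const b40 = (word >>> 19) & 0x1f;
  const imm14 = (word >>> 5) & 0x3fff;
  const signedImm14 = (imm14 << 18) >> 18; // sign-extend the 14-bit field
  return {
    isTbnz: ((word >>> 24) & 1) === 1,
    rt: word & 0x1f,
    bit: (b5 << 5) | b40,
    byteOffset: signedImm14 * 4,
  };
}

// Illustrative typo (assumed shape, not JSC's line): `>` compares the whole
// word against 19 and yields true/false, so after masking the low field is
// always 1 or 0 instead of the five encoded bits. An instruction that tests
// bit 0 therefore decodes as testing bit 1.
function decodeBitNumberWithComparisonTypo(word) {
  const b5 = (word >>> 31) & 1;
  const b40 = (word > 19) & 0x1f; // should be (word >>> 19) & 0x1f
  return (b5 << 5) | b40;
}

// Re-target an existing TBZ/TBNZ at a new offset, keeping op, bit and Rt.
// This is the step where a wrong decode of `bit` emits a branch that tests
// the wrong bit while otherwise looking well-formed.
function relinkTestAndBranch(word, newByteOffset) {
  const d = decodeTestAndBranch(word);
  if (d === null) throw new Error('not a TBZ/TBNZ instruction');
  return encodeTestAndBranch(d.isTbnz, d.rt, d.bit, newByteOffset);
}
```

Negative offsets are the interesting case for the linker: imm14 is sign-extended, so a backward branch has its top offset bits set, and only a real shift recovers the bit-number field next to it.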
111
112 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
113
114         Insert exception check around toPropertyKey call
115         https://bugs.webkit.org/show_bug.cgi?id=142922
116
117         Reviewed by Geoffrey Garen.
118
119         In some places, an exception check is missing after/before toPropertyKey.
120         However, since it calls toString, it's observable to users.
121
122         Missing exception checks in Object.prototype methods can be
123         observed since it would be overridden with toObject(null/undefined) errors.
124         We inserted exception checks after toPropertyKey.
125
126         Missing exception checks in GetById related code can be
127         observed since it would be overridden with toObject(null/undefined) errors.
128         In this case, we need to insert exception checks before/after toPropertyKey
129         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
130
131         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
132         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
133         According to the spec, we first perform RequireObjectCoercible and check the exception.
134         And second, we perform ToPropertyKey and check the exception.
135         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
136         For example, if the target is not object coercible,
137         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
138         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
139
140         This patch introduces JSValue::requireObjectCoercible and uses it for the following 2 reasons.
141
142         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
143
144         toObject converts primitive types into wrapper objects.
145         But it is not efficient since wrapper objects are not necessary
146           if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
147
148         2. Using the result of toObject is not correct to the spec.
149
150         To align to the spec correctly, we cannot use JSObject::get
151         by using the wrapper object produced by the toObject suggested in (1).
152         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
153         It is not correct since getter should be called with the original |this| value that may be primitive types.
154
155         So in this patch, we use JSValue::requireObjectCoercible
156         to check the target is object coercible and raise an error if it's not.
157
158         * dfg/DFGOperations.cpp:
159         * jit/JITOperations.cpp:
160         (JSC::getByVal):
161         * llint/LLIntSlowPaths.cpp:
162         (JSC::LLInt::getByVal):
163         * runtime/CommonSlowPaths.cpp:
164         (JSC::SLOW_PATH_DECL):
165         * runtime/JSCJSValue.h:
166         * runtime/JSCJSValueInlines.h:
167         (JSC::JSValue::requireObjectCoercible):
168         * runtime/ObjectPrototype.cpp:
169         (JSC::objectProtoFuncHasOwnProperty):
170         (JSC::objectProtoFuncDefineGetter):
171         (JSC::objectProtoFuncDefineSetter):
172         (JSC::objectProtoFuncLookupGetter):
173         (JSC::objectProtoFuncLookupSetter):
174         (JSC::objectProtoFuncPropertyIsEnumerable):
175         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
176         (shouldThrow):
177         (if):
178         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
179         (shouldThrow):
180         (.):
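The observable ordering the entry above relies on, as an added example that is not JSC's code or its stress tests: a constructed probe key whose toString records each call (and can throw) makes the ToPropertyKey step visible from script. The functions show that a null base throws a TypeError before the key is ever converted (RequireObjectCoercible first), that Object.prototype.hasOwnProperty converts the key before rejecting an undefined |this| (so an exception raised by the key must propagate rather than be replaced by the ToObject error), and that a getter reached through a primitive base sees the primitive itself as |this|. The probe key and the temporary Number.prototype getter are assumptions made for this example; the key has no Symbol.toPrimitive or valueOf override, so ToPropertyKey reaches its toString.

```javascript
// Added example, not JavaScriptCore's own code or tests.
// Constructed probe key: its toString logs each conversion and may throw.
function makeProbeKey(log, throwOnToString) {
  return {
    toString() {
      log.push('toString');
      if (throwOnToString) throw new RangeError('thrown from key.toString');
      return 'prop';
    },
  };
}

// Runs fn(key) and reports the value produced, the class name of any error
// thrown (or null), and how many times ToPropertyKey reached the key.
function observe(fn, throwOnToString) {
  const log = [];
  const key = makeProbeKey(log, throwOnToString);
  let value;
  let errorName = null;
  try {
    value = fn(key);
  } catch (e) {
    errorName = e.constructor.name;
  }
  return { value, errorName, toStringCalls: log.length };
}

// base[key] with a null base: RequireObjectCoercible runs before
// ToPropertyKey, so the TypeError fires and toString is never called.
function getByValOnNullBase() {
  return observe((key) => {
    const base = null;
    return base[key];
  }, false);
}

// Object.prototype.hasOwnProperty(V): the spec performs ToPropertyKey(V)
// first and ToObject(this) second, so the RangeError thrown by the key must
// win over the TypeError that ToObject(undefined) would raise.
function hasOwnPropertyOnUndefinedThis() {
  return observe(
    (key) => Object.prototype.hasOwnProperty.call(undefined, key),
    true,
  );
}

// Control: an object base and a well-behaved key convert exactly once.
function getByValOnObjectBase() {
  return observe((key) => ({ prop: 42 })[key], false);
}

// A getter looked up through a primitive base must be called with the
// primitive as |this|, not with a wrapper produced by toObject. The getter is
// strict so |this| is not boxed; it is installed only for this call.
function getterThisTypeOnPrimitiveBase() {
  Object.defineProperty(Number.prototype, 'probeGetter', {
    get() { 'use strict'; return typeof this; },
    configurable: true,
  });
  try {
    return (42).probeGetter;
  } finally {
    delete Number.prototype.probeGetter;
  }
}
```

Running these against an engine is a quick conformance check for exactly the two orderings the entry describes: an engine that converted the key first on a null base would report a toString call before the TypeError, and one that ran toObject first in hasOwnProperty would report a TypeError instead of the key's RangeError.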
181
182 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
183
184         WebContent Crash when instantiating class with Type Profiling enabled
185         https://bugs.webkit.org/show_bug.cgi?id=143037
186
187         Reviewed by Ryosuke Niwa.
188
189         * bytecompiler/BytecodeGenerator.h:
190         * bytecompiler/BytecodeGenerator.cpp:
191         (JSC::BytecodeGenerator::BytecodeGenerator):
192         (JSC::BytecodeGenerator::emitMoveEmptyValue):
193         We cannot profile the type of an uninitialized empty JSValue.
194         Nor do we expect this to be necessary, since it is effectively
195         an unseen undefined value. So add a way to put the empty value
196         without profiling.
197
198         (JSC::BytecodeGenerator::emitMove):
199         Add an assert to try to catch this issue early on, and force
200         callers to explicitly use emitMoveEmptyValue instead.
201
202         * tests/typeProfiler/classes.js: Added.
203         (wrapper.Base):
204         (wrapper.Derived):
205         (wrapper):
206         Add test coverage both for this case and classes in general.
207
208 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
209
210         Web Inspector: ES6: Provide a better view for Classes in the console
211         https://bugs.webkit.org/show_bug.cgi?id=142999
212
213         Reviewed by Timothy Hatcher.
214
215         * inspector/protocol/Runtime.json:
216         Provide a new `subtype` enum "class". This is a subtype of `type`
217         "function", all other subtypes are subtypes of `object` types.
218         For a class, the frontend will immediately want to get the prototype
219         to enumerate its methods, so include the `classPrototype`.
220
221         * inspector/JSInjectedScriptHost.cpp:
222         (Inspector::JSInjectedScriptHost::subtype):
223         Denote class construction functions as "class" subtypes.
224
225         * inspector/InjectedScriptSource.js:
226         Handling for the new "class" type.
227
228         * bytecode/UnlinkedCodeBlock.h:
229         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
230         * runtime/Executable.h:
231         (JSC::FunctionExecutable::isClassConstructorFunction):
232         * runtime/JSFunction.h:
233         * runtime/JSFunctionInlines.h:
234         (JSC::JSFunction::isClassConstructorFunction):
235         Check if this function is a class constructor function. That information
236         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
237
238 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
239
240         Function.prototype.toString should not decompile the AST
241         https://bugs.webkit.org/show_bug.cgi?id=142853
242
243         Reviewed by Darin Adler.
244
245         Following up on Darin's review comments.
246
247         * runtime/FunctionConstructor.cpp:
248         (JSC::constructFunctionSkippingEvalEnabledCheck):
249
250 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
251
252         "lineNo" does not match WebKit coding style guidelines
253         https://bugs.webkit.org/show_bug.cgi?id=143119
254
255         Reviewed by Michael Saboff.
256
257         We can afford to use whole words.
258
259         * bytecode/CodeBlock.cpp:
260         (JSC::CodeBlock::lineNumberForBytecodeOffset):
261         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
262         * bytecode/UnlinkedCodeBlock.cpp:
263         (JSC::UnlinkedFunctionExecutable::link):
264         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
265         * bytecode/UnlinkedCodeBlock.h:
266         * bytecompiler/NodesCodegen.cpp:
267         (JSC::WhileNode::emitBytecode):
268         * debugger/Debugger.cpp:
269         (JSC::Debugger::toggleBreakpoint):
270         * interpreter/Interpreter.cpp:
271         (JSC::StackFrame::computeLineAndColumn):
272         (JSC::GetStackTraceFunctor::operator()):
273         (JSC::Interpreter::execute):
274         * interpreter/StackVisitor.cpp:
275         (JSC::StackVisitor::Frame::computeLineAndColumn):
276         * parser/Nodes.h:
277         (JSC::Node::firstLine):
278         (JSC::Node::lineNo): Deleted.
279         (JSC::StatementNode::firstLine): Deleted.
280         * parser/ParserError.h:
281         (JSC::ParserError::toErrorObject):
282         * profiler/LegacyProfiler.cpp:
283         (JSC::createCallIdentifierFromFunctionImp):
284         * runtime/CodeCache.cpp:
285         (JSC::CodeCache::getGlobalCodeBlock):
286         * runtime/Executable.cpp:
287         (JSC::ScriptExecutable::ScriptExecutable):
288         (JSC::ScriptExecutable::newCodeBlockFor):
289         (JSC::FunctionExecutable::fromGlobalCode):
290         * runtime/Executable.h:
291         (JSC::ScriptExecutable::firstLine):
292         (JSC::ScriptExecutable::setOverrideLineNumber):
293         (JSC::ScriptExecutable::hasOverrideLineNumber):
294         (JSC::ScriptExecutable::overrideLineNumber):
295         (JSC::ScriptExecutable::lineNo): Deleted.
296         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
297         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
298         (JSC::ScriptExecutable::overrideLineNo): Deleted.
299         * runtime/FunctionConstructor.cpp:
300         (JSC::constructFunctionSkippingEvalEnabledCheck):
301         * runtime/FunctionConstructor.h:
302         * tools/CodeProfile.cpp:
303         (JSC::CodeProfile::report):
304         * tools/CodeProfile.h:
305         (JSC::CodeProfile::CodeProfile):
306
307 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
308
309         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
310         https://bugs.webkit.org/show_bug.cgi?id=142974
311
312         Reviewed by Joseph Pecoraro.
313
314         This patch does two things:
315
316         (1) Restore JavaScriptCore's sanitization of line and column numbers to
317         one-based values.
318
319         We need this because WebCore sometimes provides huge negative column
320         numbers.
321         way: Rather than offsetting all line numbers by -1 in an attribute event
322         (2) Solve the attribute event listener line numbering problem a different
323         way: Rather than offseting all line numbers by -1 in an attribute event
324         listener in order to arrange for a custom result, instead use an explicit
325         feature for saying "all errors in this code should map to this line number".
326
327         * bytecode/UnlinkedCodeBlock.cpp:
328         (JSC::UnlinkedFunctionExecutable::link):
329         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
330         * bytecode/UnlinkedCodeBlock.h:
331         * interpreter/Interpreter.cpp:
332         (JSC::StackFrame::computeLineAndColumn):
333         (JSC::GetStackTraceFunctor::operator()):
334         * interpreter/Interpreter.h:
335         * interpreter/StackVisitor.cpp:
336         (JSC::StackVisitor::Frame::computeLineAndColumn):
337         * parser/ParserError.h:
338         (JSC::ParserError::toErrorObject): Plumb through an override line number.
339         When a function has an override line number, all syntax and runtime
340         errors in the function will map to it. This is useful for attribute event
341         listeners.
342  
343         * parser/SourceCode.h:
344         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
345         column numbers to one-based integers. It was kind of a hack to remove this.
346
347         * runtime/Executable.cpp:
348         (JSC::ScriptExecutable::ScriptExecutable):
349         (JSC::FunctionExecutable::fromGlobalCode):
350         * runtime/Executable.h:
351         (JSC::ScriptExecutable::setOverrideLineNo):
352         (JSC::ScriptExecutable::hasOverrideLineNo):
353         (JSC::ScriptExecutable::overrideLineNo):
354         * runtime/FunctionConstructor.cpp:
355         (JSC::constructFunctionSkippingEvalEnabledCheck):
356         * runtime/FunctionConstructor.h: Plumb through an override line number.
357
358 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
359
360         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
361
362         Reviewed by Michael Saboff.
363
364         * jit/JITPropertyAccess.cpp:
365         (JSC::JIT::emitScopedArgumentsGetByVal):
366         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
367
368 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
369
370         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
371         https://bugs.webkit.org/show_bug.cgi?id=143098
372
373         Reviewed by Csaba Osztrogonác.
374
375         * ftl/FTLLowerDFGToLLVM.cpp:
376         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
377         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
378
379 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
380
381         Unreviewed gardening, skip failing tests on AArch64 Linux.
382
383         * tests/mozilla/mozilla-tests.yaml:
384         * tests/stress/cached-prototype-setter.js:
385
386 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
387
388         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
389
390         * dfg/DFGConstantFoldingPhase.cpp:
391         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
392         * ftl/FTLCompile.cpp:
393         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
394         * ftl/FTLState.cpp:
395         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
396         * ftl/FTLState.h:
397
398 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
399
400         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
401         right, so this just makes 32-bit do the same.
402
403         * dfg/DFGSpeculativeJIT32_64.cpp:
404         (JSC::DFG::SpeculativeJIT::emitCall):
405
406 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
407
408         Fix a typo that ggaren found but that I didn't fix before.
409
410         * runtime/DirectArgumentsOffset.h:
411
412 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
413
414         Unreviewed, VC found a bug. This fixes the bug.
415
416         * dfg/DFGConstantFoldingPhase.cpp:
417         (JSC::DFG::ConstantFoldingPhase::foldConstants):
418
419 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
420
421         Unreviewed, try to fix Windows build.
422
423         * runtime/ClonedArguments.cpp:
424         (JSC::ClonedArguments::createWithInlineFrame):
425
426 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
427
428         Unreviewed, fix debug build.
429
430         * bytecompiler/NodesCodegen.cpp:
431         (JSC::ConstDeclNode::emitCodeSingle):
432
433 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
434
435         Unreviewed, fix CLOOP build.
436
437         * dfg/DFGMinifiedID.h:
438
439 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
440
441         Heap variables shouldn't end up in the stack frame
442         https://bugs.webkit.org/show_bug.cgi?id=141174
443
444         Reviewed by Geoffrey Garen.
445         
446         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
447         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
448         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
449         simplifications:
450         
451         - Accesses to variables no longer need checks or indirections to determine where the variable is
452           at that moment in time. For example, loading a closure variable now takes just one load instead
453           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
454           (when no arguments object allocation is required) while previously that same operation required
455           a "did I allocate arguments yet" check, a bounds check, and then the load.
456         
457         - Reasoning about the allocation of an activation or arguments object now follows the same simple
458           logic as the allocation of any other kind of object. Previously, those objects were lazily
459           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
460           allocate anything at all. This made the implementation of traditional escape analyses really
461           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
462           arguments object using the usual SSA tricks which allows for more comprehensive removal.
463         
464         - The allocations of arguments objects, functions, and activations are now much faster. While
465           this patch generally expands our ability to eliminate arguments object allocations, an earlier
466           version of the patch - which lacked that functionality - was a progression on some arguments-
467           and closure-happy benchmarks because although no allocations were eliminated, all allocations
468           were faster.
469         
470         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
471           its arguments objects or activations. The runtime doesn't have to do things to the arguments
472           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
473           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
474           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
475           now gone. This also enables implementing block-scoping. Without this change, block-scope
476           support would require telling CodeBlock and all of the rest of the runtime about all of the
477           variables that store currently-live scopes. That would have been so disastrously hard that it
478           might as well be impossible. With this change, it's fair game for the bytecode generator to
479           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
480           however long it wants. This all works, because after bytecode generation, an activation is just
481           an object and variables that refer to it are just normal variables.
482         
483         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
484           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
485           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
486           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
487           an arguments object.
488         
489         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
490           using activations used to prevent inlining; now functions that use activations can be inlined
491           just fine.
492         
493         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
494         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
495         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
496         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
497         
498         The easiest way of understanding this change is to start by looking at the changes in runtime/,
499         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
500
501         * CMakeLists.txt:
502         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
503         * JavaScriptCore.xcodeproj/project.pbxproj:
504         * assembler/AbortReason.h:
505         * assembler/AbstractMacroAssembler.h:
506         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
507         * bytecode/ByValInfo.h:
508         (JSC::hasOptimizableIndexingForJSType):
509         (JSC::hasOptimizableIndexing):
510         (JSC::jitArrayModeForJSType):
511         (JSC::jitArrayModePermitsPut):
512         (JSC::jitArrayModeForStructure):
513         * bytecode/BytecodeKills.h: Added.
514         (JSC::BytecodeKills::BytecodeKills):
515         (JSC::BytecodeKills::operandIsKilled):
516         (JSC::BytecodeKills::forEachOperandKilledAt):
517         (JSC::BytecodeKills::KillSet::KillSet):
518         (JSC::BytecodeKills::KillSet::add):
519         (JSC::BytecodeKills::KillSet::forEachLocal):
520         (JSC::BytecodeKills::KillSet::contains):
521         * bytecode/BytecodeList.json:
522         * bytecode/BytecodeLivenessAnalysis.cpp:
523         (JSC::isValidRegisterForLiveness):
524         (JSC::stepOverInstruction):
525         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
526         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
527         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
528         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
529         (JSC::BytecodeLivenessAnalysis::computeKills):
530         (JSC::indexForOperand): Deleted.
531         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
532         (JSC::getLivenessInfo): Deleted.
533         * bytecode/BytecodeLivenessAnalysis.h:
534         * bytecode/BytecodeLivenessAnalysisInlines.h:
535         (JSC::operandIsAlwaysLive):
536         (JSC::operandThatIsNotAlwaysLiveIsLive):
537         (JSC::operandIsLive):
538         * bytecode/BytecodeUseDef.h:
539         (JSC::computeUsesForBytecodeOffset):
540         (JSC::computeDefsForBytecodeOffset):
541         * bytecode/CodeBlock.cpp:
542         (JSC::CodeBlock::dumpBytecode):
543         (JSC::CodeBlock::CodeBlock):
544         (JSC::CodeBlock::nameForRegister):
545         (JSC::CodeBlock::validate):
546         (JSC::CodeBlock::isCaptured): Deleted.
547         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
548         (JSC::CodeBlock::machineSlowArguments): Deleted.
549         * bytecode/CodeBlock.h:
550         (JSC::unmodifiedArgumentsRegister): Deleted.
551         (JSC::CodeBlock::setArgumentsRegister): Deleted.
552         (JSC::CodeBlock::argumentsRegister): Deleted.
553         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
554         (JSC::CodeBlock::usesArguments): Deleted.
555         (JSC::CodeBlock::captureCount): Deleted.
556         (JSC::CodeBlock::captureStart): Deleted.
557         (JSC::CodeBlock::captureEnd): Deleted.
558         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
559         (JSC::CodeBlock::hasSlowArguments): Deleted.
560         (JSC::ExecState::argumentAfterCapture): Deleted.
561         * bytecode/CodeOrigin.h:
562         * bytecode/DataFormat.h:
563         (JSC::dataFormatToString):
564         * bytecode/FullBytecodeLiveness.h:
565         (JSC::FullBytecodeLiveness::getLiveness):
566         (JSC::FullBytecodeLiveness::operandIsLive):
567         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
568         (JSC::FullBytecodeLiveness::getOut): Deleted.
569         * bytecode/Instruction.h:
570         (JSC::Instruction::Instruction):
571         * bytecode/Operands.h:
572         (JSC::Operands::virtualRegisterForIndex):
573         * bytecode/SpeculatedType.cpp:
574         (JSC::dumpSpeculation):
575         (JSC::speculationToAbbreviatedString):
576         (JSC::speculationFromClassInfo):
577         * bytecode/SpeculatedType.h:
578         (JSC::isDirectArgumentsSpeculation):
579         (JSC::isScopedArgumentsSpeculation):
580         (JSC::isActionableMutableArraySpeculation):
581         (JSC::isActionableArraySpeculation):
582         (JSC::isArgumentsSpeculation): Deleted.
583         * bytecode/UnlinkedCodeBlock.cpp:
584         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
585         * bytecode/UnlinkedCodeBlock.h:
586         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
587         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
588         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
589         * bytecode/ValueRecovery.cpp:
590         (JSC::ValueRecovery::dumpInContext):
591         * bytecode/ValueRecovery.h:
592         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
593         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
594         (JSC::ValueRecovery::nodeID):
595         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
596         * bytecode/VirtualRegister.h:
597         (JSC::VirtualRegister::operator==):
598         (JSC::VirtualRegister::operator!=):
599         (JSC::VirtualRegister::operator<):
600         (JSC::VirtualRegister::operator>):
601         (JSC::VirtualRegister::operator<=):
602         (JSC::VirtualRegister::operator>=):
603         * bytecompiler/BytecodeGenerator.cpp:
604         (JSC::BytecodeGenerator::generate):
605         (JSC::BytecodeGenerator::BytecodeGenerator):
606         (JSC::BytecodeGenerator::initializeNextParameter):
607         (JSC::BytecodeGenerator::visibleNameForParameter):
608         (JSC::BytecodeGenerator::emitMove):
609         (JSC::BytecodeGenerator::variable):
610         (JSC::BytecodeGenerator::createVariable):
611         (JSC::BytecodeGenerator::emitResolveScope):
612         (JSC::BytecodeGenerator::emitGetFromScope):
613         (JSC::BytecodeGenerator::emitPutToScope):
614         (JSC::BytecodeGenerator::initializeVariable):
615         (JSC::BytecodeGenerator::emitInstanceOf):
616         (JSC::BytecodeGenerator::emitNewFunction):
617         (JSC::BytecodeGenerator::emitNewFunctionInternal):
618         (JSC::BytecodeGenerator::emitCall):
619         (JSC::BytecodeGenerator::emitReturn):
620         (JSC::BytecodeGenerator::emitConstruct):
621         (JSC::BytecodeGenerator::isArgumentNumber):
622         (JSC::BytecodeGenerator::emitEnumeration):
623         (JSC::BytecodeGenerator::addVar): Deleted.
624         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
625         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
626         (JSC::BytecodeGenerator::resolveCallee): Deleted.
627         (JSC::BytecodeGenerator::addCallee): Deleted.
628         (JSC::BytecodeGenerator::addParameter): Deleted.
629         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
630         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
631         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
632         (JSC::BytecodeGenerator::isCaptured): Deleted.
633         (JSC::BytecodeGenerator::local): Deleted.
634         (JSC::BytecodeGenerator::constLocal): Deleted.
635         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
636         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
637         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
638         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
639         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
640         * bytecompiler/BytecodeGenerator.h:
641         (JSC::Variable::Variable):
642         (JSC::Variable::isResolved):
643         (JSC::Variable::ident):
644         (JSC::Variable::offset):
645         (JSC::Variable::isLocal):
646         (JSC::Variable::local):
647         (JSC::Variable::isSpecial):
648         (JSC::BytecodeGenerator::argumentsRegister):
649         (JSC::BytecodeGenerator::emitNode):
650         (JSC::BytecodeGenerator::registerFor):
651         (JSC::Local::Local): Deleted.
652         (JSC::Local::operator bool): Deleted.
653         (JSC::Local::get): Deleted.
654         (JSC::Local::isSpecial): Deleted.
655         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
656         (JSC::ResolveScopeInfo::isLocal): Deleted.
657         (JSC::ResolveScopeInfo::localIndex): Deleted.
658         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
659         (JSC::BytecodeGenerator::captureMode): Deleted.
660         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
661         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
662         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
663         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
664         * bytecompiler/NodesCodegen.cpp:
665         (JSC::ResolveNode::isPure):
666         (JSC::ResolveNode::emitBytecode):
667         (JSC::BracketAccessorNode::emitBytecode):
668         (JSC::DotAccessorNode::emitBytecode):
669         (JSC::EvalFunctionCallNode::emitBytecode):
670         (JSC::FunctionCallResolveNode::emitBytecode):
671         (JSC::CallFunctionCallDotNode::emitBytecode):
672         (JSC::ApplyFunctionCallDotNode::emitBytecode):
673         (JSC::PostfixNode::emitResolve):
674         (JSC::DeleteResolveNode::emitBytecode):
675         (JSC::TypeOfResolveNode::emitBytecode):
676         (JSC::PrefixNode::emitResolve):
677         (JSC::ReadModifyResolveNode::emitBytecode):
678         (JSC::AssignResolveNode::emitBytecode):
679         (JSC::ConstDeclNode::emitCodeSingle):
680         (JSC::EmptyVarExpression::emitBytecode):
681         (JSC::ForInNode::tryGetBoundLocal):
682         (JSC::ForInNode::emitLoopHeader):
683         (JSC::ForOfNode::emitBytecode):
684         (JSC::ArrayPatternNode::emitDirectBinding):
685         (JSC::BindingNode::bindValue):
686         (JSC::getArgumentByVal): Deleted.
687         * dfg/DFGAbstractHeap.h:
688         * dfg/DFGAbstractInterpreter.h:
689         * dfg/DFGAbstractInterpreterInlines.h:
690         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
691         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
692         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
693         * dfg/DFGAbstractValue.h:
694         * dfg/DFGArgumentPosition.h:
695         (JSC::DFG::ArgumentPosition::addVariable):
696         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
697         (JSC::DFG::performArgumentsElimination):
698         * dfg/DFGArgumentsEliminationPhase.h: Added.
699         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
700         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
701         * dfg/DFGArgumentsUtilities.cpp: Added.
702         (JSC::DFG::argumentsInvolveStackSlot):
703         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
704         * dfg/DFGArgumentsUtilities.h: Added.
705         * dfg/DFGArrayMode.cpp:
706         (JSC::DFG::ArrayMode::refine):
707         (JSC::DFG::ArrayMode::alreadyChecked):
708         (JSC::DFG::arrayTypeToString):
709         * dfg/DFGArrayMode.h:
710         (JSC::DFG::ArrayMode::canCSEStorage):
711         (JSC::DFG::ArrayMode::modeForPut):
712         * dfg/DFGAvailabilityMap.cpp:
713         (JSC::DFG::AvailabilityMap::prune):
714         * dfg/DFGAvailabilityMap.h:
715         (JSC::DFG::AvailabilityMap::closeOverNodes):
716         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
717         * dfg/DFGBackwardsPropagationPhase.cpp:
718         (JSC::DFG::BackwardsPropagationPhase::propagate):
719         * dfg/DFGByteCodeParser.cpp:
720         (JSC::DFG::ByteCodeParser::newVariableAccessData):
721         (JSC::DFG::ByteCodeParser::getLocal):
722         (JSC::DFG::ByteCodeParser::setLocal):
723         (JSC::DFG::ByteCodeParser::getArgument):
724         (JSC::DFG::ByteCodeParser::setArgument):
725         (JSC::DFG::ByteCodeParser::flushDirect):
726         (JSC::DFG::ByteCodeParser::flush):
727         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
728         (JSC::DFG::ByteCodeParser::handleVarargsCall):
729         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
730         (JSC::DFG::ByteCodeParser::handleInlining):
731         (JSC::DFG::ByteCodeParser::parseBlock):
732         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
733         (JSC::DFG::ByteCodeParser::parseCodeBlock):
734         * dfg/DFGCPSRethreadingPhase.cpp:
735         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
736         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
737         * dfg/DFGCSEPhase.cpp:
738         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
739         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
740         * dfg/DFGCapabilities.cpp:
741         (JSC::DFG::isSupportedForInlining):
742         (JSC::DFG::capabilityLevel):
743         * dfg/DFGClobberize.h:
744         (JSC::DFG::clobberize):
745         * dfg/DFGCommon.h:
746         * dfg/DFGCommonData.h:
747         (JSC::DFG::CommonData::CommonData):
748         * dfg/DFGConstantFoldingPhase.cpp:
749         (JSC::DFG::ConstantFoldingPhase::foldConstants):
750         * dfg/DFGDCEPhase.cpp:
751         (JSC::DFG::DCEPhase::cleanVariables):
752         * dfg/DFGDisassembler.h:
753         * dfg/DFGDoesGC.cpp:
754         (JSC::DFG::doesGC):
755         * dfg/DFGFixupPhase.cpp:
756         (JSC::DFG::FixupPhase::fixupNode):
757         * dfg/DFGFlushFormat.cpp:
758         (WTF::printInternal):
759         * dfg/DFGFlushFormat.h:
760         (JSC::DFG::resultFor):
761         (JSC::DFG::useKindFor):
762         (JSC::DFG::dataFormatFor):
763         * dfg/DFGForAllKills.h: Added.
764         (JSC::DFG::forAllLiveNodesAtTail):
765         (JSC::DFG::forAllDirectlyKilledOperands):
766         (JSC::DFG::forAllKilledOperands):
767         (JSC::DFG::forAllKilledNodesAtNodeIndex):
768         (JSC::DFG::forAllKillsInBlock):
769         * dfg/DFGGraph.cpp:
770         (JSC::DFG::Graph::Graph):
771         (JSC::DFG::Graph::dump):
772         (JSC::DFG::Graph::substituteGetLocal):
773         (JSC::DFG::Graph::livenessFor):
774         (JSC::DFG::Graph::killsFor):
775         (JSC::DFG::Graph::tryGetConstantClosureVar):
776         (JSC::DFG::Graph::tryGetRegisters): Deleted.
777         * dfg/DFGGraph.h:
778         (JSC::DFG::Graph::symbolTableFor):
779         (JSC::DFG::Graph::uses):
780         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
781         (JSC::DFG::Graph::capturedVarsFor): Deleted.
782         (JSC::DFG::Graph::usesArguments): Deleted.
783         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
784         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
785         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
786         * dfg/DFGHeapLocation.cpp:
787         (WTF::printInternal):
788         * dfg/DFGHeapLocation.h:
789         * dfg/DFGInPlaceAbstractState.cpp:
790         (JSC::DFG::InPlaceAbstractState::initialize):
791         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
792         * dfg/DFGJITCompiler.cpp:
793         (JSC::DFG::JITCompiler::link):
794         * dfg/DFGMayExit.cpp:
795         (JSC::DFG::mayExit):
796         * dfg/DFGMinifiedID.h:
797         * dfg/DFGMinifiedNode.cpp:
798         (JSC::DFG::MinifiedNode::fromNode):
799         * dfg/DFGMinifiedNode.h:
800         (JSC::DFG::belongsInMinifiedGraph):
801         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
802         (JSC::DFG::MinifiedNode::inlineCallFrame):
803         * dfg/DFGNode.cpp:
804         (JSC::DFG::Node::convertToIdentityOn):
805         * dfg/DFGNode.h:
806         (JSC::DFG::Node::hasConstant):
807         (JSC::DFG::Node::constant):
808         (JSC::DFG::Node::hasScopeOffset):
809         (JSC::DFG::Node::scopeOffset):
810         (JSC::DFG::Node::hasDirectArgumentsOffset):
811         (JSC::DFG::Node::capturedArgumentsOffset):
812         (JSC::DFG::Node::variablePointer):
813         (JSC::DFG::Node::hasCallVarargsData):
814         (JSC::DFG::Node::hasLoadVarargsData):
815         (JSC::DFG::Node::hasHeapPrediction):
816         (JSC::DFG::Node::hasCellOperand):
817         (JSC::DFG::Node::objectMaterializationData):
818         (JSC::DFG::Node::isPhantomAllocation):
819         (JSC::DFG::Node::willHaveCodeGenOrOSR):
820         (JSC::DFG::Node::shouldSpeculateDirectArguments):
821         (JSC::DFG::Node::shouldSpeculateScopedArguments):
822         (JSC::DFG::Node::isPhantomArguments): Deleted.
823         (JSC::DFG::Node::hasVarNumber): Deleted.
824         (JSC::DFG::Node::varNumber): Deleted.
825         (JSC::DFG::Node::registerPointer): Deleted.
826         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
827         * dfg/DFGNodeType.h:
828         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
829         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
830         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
831         * dfg/DFGOSRExitCompiler.cpp:
832         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
833         * dfg/DFGOSRExitCompiler.h:
834         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
835         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
836         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
837         * dfg/DFGOSRExitCompiler32_64.cpp:
838         (JSC::DFG::OSRExitCompiler::compileExit):
839         * dfg/DFGOSRExitCompiler64.cpp:
840         (JSC::DFG::OSRExitCompiler::compileExit):
841         * dfg/DFGOSRExitCompilerCommon.cpp:
842         (JSC::DFG::reifyInlinedCallFrames):
843         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
844         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
845         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
846         * dfg/DFGOSRExitCompilerCommon.h:
847         * dfg/DFGOperations.cpp:
848         * dfg/DFGOperations.h:
849         * dfg/DFGPlan.cpp:
850         (JSC::DFG::Plan::compileInThreadImpl):
851         * dfg/DFGPreciseLocalClobberize.h:
852         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
853         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
854         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
855         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
856         (JSC::DFG::preciseLocalClobberize):
857         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
858         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
859         * dfg/DFGPredictionPropagationPhase.cpp:
860         (JSC::DFG::PredictionPropagationPhase::run):
861         (JSC::DFG::PredictionPropagationPhase::propagate):
862         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
863         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
864         * dfg/DFGPromoteHeapAccess.h:
865         (JSC::DFG::promoteHeapAccess):
866         * dfg/DFGPromotedHeapLocation.cpp:
867         (WTF::printInternal):
868         * dfg/DFGPromotedHeapLocation.h:
869         * dfg/DFGSSAConversionPhase.cpp:
870         (JSC::DFG::SSAConversionPhase::run):
871         * dfg/DFGSafeToExecute.h:
872         (JSC::DFG::safeToExecute):
873         * dfg/DFGSpeculativeJIT.cpp:
874         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
875         (JSC::DFG::SpeculativeJIT::emitGetLength):
876         (JSC::DFG::SpeculativeJIT::emitGetCallee):
877         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
878         (JSC::DFG::SpeculativeJIT::checkArray):
879         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
880         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
881         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
882         (JSC::DFG::SpeculativeJIT::compileNewFunction):
883         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
884         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
885         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
886         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
887         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
888         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
889         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
890         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
891         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
892         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
893         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
894         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
895         * dfg/DFGSpeculativeJIT.h:
896         (JSC::DFG::SpeculativeJIT::callOperation):
897         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
898         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
899         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
900         * dfg/DFGSpeculativeJIT32_64.cpp:
901         (JSC::DFG::SpeculativeJIT::emitCall):
902         (JSC::DFG::SpeculativeJIT::compile):
903         * dfg/DFGSpeculativeJIT64.cpp:
904         (JSC::DFG::SpeculativeJIT::emitCall):
905         (JSC::DFG::SpeculativeJIT::compile):
906         * dfg/DFGStackLayoutPhase.cpp:
907         (JSC::DFG::StackLayoutPhase::run):
908         * dfg/DFGStrengthReductionPhase.cpp:
909         (JSC::DFG::StrengthReductionPhase::handleNode):
910         * dfg/DFGStructureRegistrationPhase.cpp:
911         (JSC::DFG::StructureRegistrationPhase::run):
912         * dfg/DFGUnificationPhase.cpp:
913         (JSC::DFG::UnificationPhase::run):
914         * dfg/DFGValidate.cpp:
915         (JSC::DFG::Validate::validateCPS):
916         * dfg/DFGValueSource.cpp:
917         (JSC::DFG::ValueSource::dump):
918         * dfg/DFGValueSource.h:
919         (JSC::DFG::dataFormatToValueSourceKind):
920         (JSC::DFG::valueSourceKindToDataFormat):
921         (JSC::DFG::ValueSource::ValueSource):
922         (JSC::DFG::ValueSource::forFlushFormat):
923         (JSC::DFG::ValueSource::valueRecovery):
924         * dfg/DFGVarargsForwardingPhase.cpp: Added.
925         (JSC::DFG::performVarargsForwarding):
926         * dfg/DFGVarargsForwardingPhase.h: Added.
927         * dfg/DFGVariableAccessData.cpp:
928         (JSC::DFG::VariableAccessData::VariableAccessData):
929         (JSC::DFG::VariableAccessData::flushFormat):
930         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
931         * dfg/DFGVariableAccessData.h:
932         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
933         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
934         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
935         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
936         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
937         * dfg/DFGVariableAccessDataDump.cpp:
938         (JSC::DFG::VariableAccessDataDump::dump):
939         * dfg/DFGVariableAccessDataDump.h:
940         * dfg/DFGVariableEventStream.cpp:
941         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
942         * dfg/DFGVariableEventStream.h:
943         * ftl/FTLAbstractHeap.cpp:
944         (JSC::FTL::AbstractHeap::dump):
945         (JSC::FTL::AbstractField::dump):
946         (JSC::FTL::IndexedAbstractHeap::dump):
947         (JSC::FTL::NumberedAbstractHeap::dump):
948         (JSC::FTL::AbsoluteAbstractHeap::dump):
949         * ftl/FTLAbstractHeap.h:
950         * ftl/FTLAbstractHeapRepository.cpp:
951         * ftl/FTLAbstractHeapRepository.h:
952         * ftl/FTLCapabilities.cpp:
953         (JSC::FTL::canCompile):
954         * ftl/FTLCompile.cpp:
955         (JSC::FTL::mmAllocateDataSection):
956         * ftl/FTLExitArgument.cpp:
957         (JSC::FTL::ExitArgument::dump):
958         * ftl/FTLExitPropertyValue.cpp:
959         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
960         * ftl/FTLExitPropertyValue.h:
961         * ftl/FTLExitTimeObjectMaterialization.cpp:
962         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
963         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
964         * ftl/FTLExitTimeObjectMaterialization.h:
965         (JSC::FTL::ExitTimeObjectMaterialization::origin):
966         * ftl/FTLExitValue.cpp:
967         (JSC::FTL::ExitValue::withLocalsOffset):
968         (JSC::FTL::ExitValue::valueFormat):
969         (JSC::FTL::ExitValue::dumpInContext):
970         * ftl/FTLExitValue.h:
971         (JSC::FTL::ExitValue::isArgument):
972         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
973         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
974         (JSC::FTL::ExitValue::valueFormat): Deleted.
975         * ftl/FTLInlineCacheSize.cpp:
976         (JSC::FTL::sizeOfCallForwardVarargs):
977         (JSC::FTL::sizeOfConstructForwardVarargs):
978         (JSC::FTL::sizeOfICFor):
979         * ftl/FTLInlineCacheSize.h:
980         * ftl/FTLIntrinsicRepository.h:
981         * ftl/FTLJSCallVarargs.cpp:
982         (JSC::FTL::JSCallVarargs::JSCallVarargs):
983         (JSC::FTL::JSCallVarargs::emit):
984         * ftl/FTLJSCallVarargs.h:
985         * ftl/FTLLowerDFGToLLVM.cpp:
986         (JSC::FTL::LowerDFGToLLVM::lower):
987         (JSC::FTL::LowerDFGToLLVM::compileNode):
988         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
989         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
990         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
991         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
992         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
993         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
994         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
995         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
996         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
997         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
998         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
999         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
1000         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1001         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
1002         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1003         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
1004         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
1005         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
1006         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
1007         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
1008         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
1009         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1010         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
1011         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
1012         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
1013         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
1014         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
1015         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
1016         (JSC::FTL::LowerDFGToLLVM::baseIndex):
1017         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1018         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
1019         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1020         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1021         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1022         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1023         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1024         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1025         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
1026         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
1027         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
1028         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
1029         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
1030         * ftl/FTLOSRExitCompiler.cpp:
1031         (JSC::FTL::compileRecovery):
1032         (JSC::FTL::compileStub):
1033         * ftl/FTLOperations.cpp:
1034         (JSC::FTL::operationMaterializeObjectInOSR):
1035         * ftl/FTLOutput.h:
1036         (JSC::FTL::Output::aShr):
1037         (JSC::FTL::Output::lShr):
1038         (JSC::FTL::Output::zeroExtPtr):
1039         * heap/CopyToken.h:
1040         * interpreter/CallFrame.h:
1041         (JSC::ExecState::getArgumentUnsafe):
1042         * interpreter/Interpreter.cpp:
1043         (JSC::sizeOfVarargs):
1044         (JSC::sizeFrameForVarargs):
1045         (JSC::loadVarargs):
1046         (JSC::unwindCallFrame):
1047         * interpreter/Interpreter.h:
1048         * interpreter/StackVisitor.cpp:
1049         (JSC::StackVisitor::Frame::createArguments):
1050         (JSC::StackVisitor::Frame::existingArguments): Deleted.
1051         * interpreter/StackVisitor.h:
1052         * jit/AssemblyHelpers.h:
1053         (JSC::AssemblyHelpers::storeValue):
1054         (JSC::AssemblyHelpers::loadValue):
1055         (JSC::AssemblyHelpers::storeTrustedValue):
1056         (JSC::AssemblyHelpers::branchIfNotCell):
1057         (JSC::AssemblyHelpers::branchIsEmpty):
1058         (JSC::AssemblyHelpers::argumentsStart):
1059         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
1060         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
1061         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
1062         * jit/CCallHelpers.h:
1063         (JSC::CCallHelpers::setupArgument):
1064         * jit/GPRInfo.h:
1065         (JSC::JSValueRegs::withTwoAvailableRegs):
1066         * jit/JIT.cpp:
1067         (JSC::JIT::privateCompileMainPass):
1068         (JSC::JIT::privateCompileSlowCases):
1069         * jit/JIT.h:
1070         * jit/JITCall.cpp:
1071         (JSC::JIT::compileSetupVarargsFrame):
1072         * jit/JITCall32_64.cpp:
1073         (JSC::JIT::compileSetupVarargsFrame):
1074         * jit/JITInlines.h:
1075         (JSC::JIT::callOperation):
1076         * jit/JITOpcodes.cpp:
1077         (JSC::JIT::emit_op_create_lexical_environment):
1078         (JSC::JIT::emit_op_new_func):
1079         (JSC::JIT::emit_op_create_direct_arguments):
1080         (JSC::JIT::emit_op_create_scoped_arguments):
1081         (JSC::JIT::emit_op_create_out_of_band_arguments):
1082         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1083         (JSC::JIT::emit_op_create_arguments): Deleted.
1084         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1085         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1086         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1087         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1088         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1089         * jit/JITOpcodes32_64.cpp:
1090         (JSC::JIT::emit_op_create_lexical_environment):
1091         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1092         (JSC::JIT::emit_op_create_arguments): Deleted.
1093         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1094         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1095         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1096         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1097         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1098         * jit/JITOperations.cpp:
1099         * jit/JITOperations.h:
1100         * jit/JITPropertyAccess.cpp:
1101         (JSC::JIT::emitGetClosureVar):
1102         (JSC::JIT::emitPutClosureVar):
1103         (JSC::JIT::emit_op_get_from_arguments):
1104         (JSC::JIT::emit_op_put_to_arguments):
1105         (JSC::JIT::emit_op_init_global_const):
1106         (JSC::JIT::privateCompileGetByVal):
1107         (JSC::JIT::emitDirectArgumentsGetByVal):
1108         (JSC::JIT::emitScopedArgumentsGetByVal):
1109         * jit/JITPropertyAccess32_64.cpp:
1110         (JSC::JIT::emitGetClosureVar):
1111         (JSC::JIT::emitPutClosureVar):
1112         (JSC::JIT::emit_op_get_from_arguments):
1113         (JSC::JIT::emit_op_put_to_arguments):
1114         (JSC::JIT::emit_op_init_global_const):
1115         * jit/SetupVarargsFrame.cpp:
1116         (JSC::emitSetupVarargsFrameFastCase):
1117         * llint/LLIntOffsetsExtractor.cpp:
1118         * llint/LLIntSlowPaths.cpp:
1119         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1120         * llint/LowLevelInterpreter.asm:
1121         * llint/LowLevelInterpreter32_64.asm:
1122         * llint/LowLevelInterpreter64.asm:
1123         * parser/Nodes.h:
1124         (JSC::ScopeNode::captures):
1125         * runtime/Arguments.cpp: Removed.
1126         * runtime/Arguments.h: Removed.
1127         * runtime/ArgumentsMode.h: Added.
1128         * runtime/DirectArgumentsOffset.cpp: Added.
1129         (JSC::DirectArgumentsOffset::dump):
1130         * runtime/DirectArgumentsOffset.h: Added.
1131         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
1132         * runtime/CommonSlowPaths.cpp:
1133         (JSC::SLOW_PATH_DECL):
1134         * runtime/CommonSlowPaths.h:
1135         * runtime/ConstantMode.cpp: Added.
1136         (WTF::printInternal):
1137         * runtime/ConstantMode.h:
1138         (JSC::modeForIsConstant):
1139         * runtime/DirectArguments.cpp: Added.
1140         (JSC::DirectArguments::DirectArguments):
1141         (JSC::DirectArguments::createUninitialized):
1142         (JSC::DirectArguments::create):
1143         (JSC::DirectArguments::createByCopying):
1144         (JSC::DirectArguments::visitChildren):
1145         (JSC::DirectArguments::copyBackingStore):
1146         (JSC::DirectArguments::createStructure):
1147         (JSC::DirectArguments::overrideThings):
1148         (JSC::DirectArguments::overrideThingsIfNecessary):
1149         (JSC::DirectArguments::overrideArgument):
1150         (JSC::DirectArguments::copyToArguments):
1151         (JSC::DirectArguments::overridesSize):
1152         * runtime/DirectArguments.h: Added.
1153         (JSC::DirectArguments::internalLength):
1154         (JSC::DirectArguments::length):
1155         (JSC::DirectArguments::canAccessIndexQuickly):
1156         (JSC::DirectArguments::getIndexQuickly):
1157         (JSC::DirectArguments::setIndexQuickly):
1158         (JSC::DirectArguments::callee):
1159         (JSC::DirectArguments::argument):
1160         (JSC::DirectArguments::overrodeThings):
1161         (JSC::DirectArguments::offsetOfCallee):
1162         (JSC::DirectArguments::offsetOfLength):
1163         (JSC::DirectArguments::offsetOfMinCapacity):
1164         (JSC::DirectArguments::offsetOfOverrides):
1165         (JSC::DirectArguments::storageOffset):
1166         (JSC::DirectArguments::offsetOfSlot):
1167         (JSC::DirectArguments::allocationSize):
1168         (JSC::DirectArguments::storage):
1169         * runtime/FunctionPrototype.cpp:
1170         * runtime/GenericArguments.h: Added.
1171         (JSC::GenericArguments::GenericArguments):
1172         * runtime/GenericArgumentsInlines.h: Added.
1173         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1174         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1175         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1176         (JSC::GenericArguments<Type>::put):
1177         (JSC::GenericArguments<Type>::putByIndex):
1178         (JSC::GenericArguments<Type>::deleteProperty):
1179         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1180         (JSC::GenericArguments<Type>::defineOwnProperty):
1181         (JSC::GenericArguments<Type>::copyToArguments):
1182         * runtime/GenericOffset.h: Added.
1183         (JSC::GenericOffset::GenericOffset):
1184         (JSC::GenericOffset::operator!):
1185         (JSC::GenericOffset::offsetUnchecked):
1186         (JSC::GenericOffset::offset):
1187         (JSC::GenericOffset::operator==):
1188         (JSC::GenericOffset::operator!=):
1189         (JSC::GenericOffset::operator<):
1190         (JSC::GenericOffset::operator>):
1191         (JSC::GenericOffset::operator<=):
1192         (JSC::GenericOffset::operator>=):
1193         (JSC::GenericOffset::operator+):
1194         (JSC::GenericOffset::operator-):
1195         (JSC::GenericOffset::operator+=):
1196         (JSC::GenericOffset::operator-=):
1197         * runtime/JSArgumentsIterator.cpp:
1198         (JSC::JSArgumentsIterator::finishCreation):
1199         (JSC::argumentsFuncIterator):
1200         * runtime/JSArgumentsIterator.h:
1201         (JSC::JSArgumentsIterator::create):
1202         (JSC::JSArgumentsIterator::next):
1203         * runtime/JSEnvironmentRecord.cpp:
1204         (JSC::JSEnvironmentRecord::visitChildren):
1205         * runtime/JSEnvironmentRecord.h:
1206         (JSC::JSEnvironmentRecord::variables):
1207         (JSC::JSEnvironmentRecord::isValid):
1208         (JSC::JSEnvironmentRecord::variableAt):
1209         (JSC::JSEnvironmentRecord::offsetOfVariables):
1210         (JSC::JSEnvironmentRecord::offsetOfVariable):
1211         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
1212         (JSC::JSEnvironmentRecord::allocationSize):
1213         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1214         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1215         (JSC::JSEnvironmentRecord::finishCreation):
1216         (JSC::JSEnvironmentRecord::registers): Deleted.
1217         (JSC::JSEnvironmentRecord::registerAt): Deleted.
1218         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
1219         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
1220         * runtime/JSFunction.cpp:
1221         * runtime/JSGlobalObject.cpp:
1222         (JSC::JSGlobalObject::init):
1223         (JSC::JSGlobalObject::addGlobalVar):
1224         (JSC::JSGlobalObject::addFunction):
1225         (JSC::JSGlobalObject::visitChildren):
1226         (JSC::JSGlobalObject::addStaticGlobals):
1227         * runtime/JSGlobalObject.h:
1228         (JSC::JSGlobalObject::directArgumentsStructure):
1229         (JSC::JSGlobalObject::scopedArgumentsStructure):
1230         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
1231         (JSC::JSGlobalObject::argumentsStructure): Deleted.
1232         * runtime/JSLexicalEnvironment.cpp:
1233         (JSC::JSLexicalEnvironment::symbolTableGet):
1234         (JSC::JSLexicalEnvironment::symbolTablePut):
1235         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1236         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
1237         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
1238         * runtime/JSLexicalEnvironment.h:
1239         (JSC::JSLexicalEnvironment::create):
1240         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1241         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
1242         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
1243         (JSC::JSLexicalEnvironment::storage): Deleted.
1244         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
1245         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
1246         (JSC::JSLexicalEnvironment::isValid): Deleted.
1247         (JSC::JSLexicalEnvironment::registerAt): Deleted.
1248         * runtime/JSNameScope.cpp:
1249         (JSC::JSNameScope::visitChildren): Deleted.
1250         * runtime/JSNameScope.h:
1251         (JSC::JSNameScope::create):
1252         (JSC::JSNameScope::value):
1253         (JSC::JSNameScope::finishCreation):
1254         (JSC::JSNameScope::JSNameScope):
1255         * runtime/JSScope.cpp:
1256         (JSC::abstractAccess):
1257         * runtime/JSSegmentedVariableObject.cpp:
1258         (JSC::JSSegmentedVariableObject::findVariableIndex):
1259         (JSC::JSSegmentedVariableObject::addVariables):
1260         (JSC::JSSegmentedVariableObject::visitChildren):
1261         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
1262         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
1263         * runtime/JSSegmentedVariableObject.h:
1264         (JSC::JSSegmentedVariableObject::variableAt):
1265         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
1266         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
1267         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
1268         * runtime/JSSymbolTableObject.h:
1269         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
1270         (JSC::symbolTableGet):
1271         (JSC::symbolTablePut):
1272         (JSC::symbolTablePutWithAttributes):
1273         * runtime/JSType.h:
1274         * runtime/Options.h:
1275         * runtime/ClonedArguments.cpp: Added.
1276         (JSC::ClonedArguments::ClonedArguments):
1277         (JSC::ClonedArguments::createEmpty):
1278         (JSC::ClonedArguments::createWithInlineFrame):
1279         (JSC::ClonedArguments::createWithMachineFrame):
1280         (JSC::ClonedArguments::createByCopyingFrom):
1281         (JSC::ClonedArguments::createStructure):
1282         (JSC::ClonedArguments::getOwnPropertySlot):
1283         (JSC::ClonedArguments::getOwnPropertyNames):
1284         (JSC::ClonedArguments::put):
1285         (JSC::ClonedArguments::deleteProperty):
1286         (JSC::ClonedArguments::defineOwnProperty):
1287         (JSC::ClonedArguments::materializeSpecials):
1288         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
1289         * runtime/ClonedArguments.h: Added.
1290         (JSC::ClonedArguments::specialsMaterialized):
1291         * runtime/ScopeOffset.cpp: Added.
1292         (JSC::ScopeOffset::dump):
1293         * runtime/ScopeOffset.h: Added.
1294         (JSC::ScopeOffset::ScopeOffset):
1295         * runtime/ScopedArguments.cpp: Added.
1296         (JSC::ScopedArguments::ScopedArguments):
1297         (JSC::ScopedArguments::finishCreation):
1298         (JSC::ScopedArguments::createUninitialized):
1299         (JSC::ScopedArguments::create):
1300         (JSC::ScopedArguments::createByCopying):
1301         (JSC::ScopedArguments::createByCopyingFrom):
1302         (JSC::ScopedArguments::visitChildren):
1303         (JSC::ScopedArguments::createStructure):
1304         (JSC::ScopedArguments::overrideThings):
1305         (JSC::ScopedArguments::overrideThingsIfNecessary):
1306         (JSC::ScopedArguments::overrideArgument):
1307         (JSC::ScopedArguments::copyToArguments):
1308         * runtime/ScopedArguments.h: Added.
1309         (JSC::ScopedArguments::internalLength):
1310         (JSC::ScopedArguments::length):
1311         (JSC::ScopedArguments::canAccessIndexQuickly):
1312         (JSC::ScopedArguments::getIndexQuickly):
1313         (JSC::ScopedArguments::setIndexQuickly):
1314         (JSC::ScopedArguments::callee):
1315         (JSC::ScopedArguments::overrodeThings):
1316         (JSC::ScopedArguments::offsetOfOverrodeThings):
1317         (JSC::ScopedArguments::offsetOfTotalLength):
1318         (JSC::ScopedArguments::offsetOfTable):
1319         (JSC::ScopedArguments::offsetOfScope):
1320         (JSC::ScopedArguments::overflowStorageOffset):
1321         (JSC::ScopedArguments::allocationSize):
1322         (JSC::ScopedArguments::overflowStorage):
1323         * runtime/ScopedArgumentsTable.cpp: Added.
1324         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
1325         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
1326         (JSC::ScopedArgumentsTable::destroy):
1327         (JSC::ScopedArgumentsTable::create):
1328         (JSC::ScopedArgumentsTable::clone):
1329         (JSC::ScopedArgumentsTable::setLength):
1330         (JSC::ScopedArgumentsTable::set):
1331         (JSC::ScopedArgumentsTable::createStructure):
1332         * runtime/ScopedArgumentsTable.h: Added.
1333         (JSC::ScopedArgumentsTable::length):
1334         (JSC::ScopedArgumentsTable::get):
1335         (JSC::ScopedArgumentsTable::lock):
1336         (JSC::ScopedArgumentsTable::offsetOfLength):
1337         (JSC::ScopedArgumentsTable::offsetOfArguments):
1338         (JSC::ScopedArgumentsTable::at):
1339         * runtime/SymbolTable.cpp:
1340         (JSC::SymbolTableEntry::prepareToWatch):
1341         (JSC::SymbolTable::SymbolTable):
1342         (JSC::SymbolTable::visitChildren):
1343         (JSC::SymbolTable::localToEntry):
1344         (JSC::SymbolTable::entryFor):
1345         (JSC::SymbolTable::cloneScopePart):
1346         (JSC::SymbolTable::prepareForTypeProfiling):
1347         (JSC::SymbolTable::uniqueIDForOffset):
1348         (JSC::SymbolTable::globalTypeSetForOffset):
1349         (JSC::SymbolTable::cloneCapturedNames): Deleted.
1350         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1351         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1352         * runtime/SymbolTable.h:
1353         (JSC::SymbolTableEntry::varOffsetFromBits):
1354         (JSC::SymbolTableEntry::scopeOffsetFromBits):
1355         (JSC::SymbolTableEntry::Fast::varOffset):
1356         (JSC::SymbolTableEntry::Fast::scopeOffset):
1357         (JSC::SymbolTableEntry::Fast::isDontEnum):
1358         (JSC::SymbolTableEntry::Fast::getAttributes):
1359         (JSC::SymbolTableEntry::SymbolTableEntry):
1360         (JSC::SymbolTableEntry::varOffset):
1361         (JSC::SymbolTableEntry::isWatchable):
1362         (JSC::SymbolTableEntry::scopeOffset):
1363         (JSC::SymbolTableEntry::setAttributes):
1364         (JSC::SymbolTableEntry::constantMode):
1365         (JSC::SymbolTableEntry::isDontEnum):
1366         (JSC::SymbolTableEntry::disableWatching):
1367         (JSC::SymbolTableEntry::pack):
1368         (JSC::SymbolTableEntry::isValidVarOffset):
1369         (JSC::SymbolTable::createNameScopeTable):
1370         (JSC::SymbolTable::maxScopeOffset):
1371         (JSC::SymbolTable::didUseScopeOffset):
1372         (JSC::SymbolTable::didUseVarOffset):
1373         (JSC::SymbolTable::scopeSize):
1374         (JSC::SymbolTable::nextScopeOffset):
1375         (JSC::SymbolTable::takeNextScopeOffset):
1376         (JSC::SymbolTable::add):
1377         (JSC::SymbolTable::set):
1378         (JSC::SymbolTable::argumentsLength):
1379         (JSC::SymbolTable::setArgumentsLength):
1380         (JSC::SymbolTable::argumentOffset):
1381         (JSC::SymbolTable::setArgumentOffset):
1382         (JSC::SymbolTable::arguments):
1383         (JSC::SlowArgument::SlowArgument): Deleted.
1384         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
1385         (JSC::SymbolTableEntry::getIndex): Deleted.
1386         (JSC::SymbolTableEntry::isValidIndex): Deleted.
1387         (JSC::SymbolTable::captureStart): Deleted.
1388         (JSC::SymbolTable::setCaptureStart): Deleted.
1389         (JSC::SymbolTable::captureEnd): Deleted.
1390         (JSC::SymbolTable::setCaptureEnd): Deleted.
1391         (JSC::SymbolTable::captureCount): Deleted.
1392         (JSC::SymbolTable::isCaptured): Deleted.
1393         (JSC::SymbolTable::parameterCount): Deleted.
1394         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
1395         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
1396         (JSC::SymbolTable::slowArguments): Deleted.
1397         (JSC::SymbolTable::setSlowArguments): Deleted.
1398         * runtime/VM.cpp:
1399         (JSC::VM::VM):
1400         * runtime/VM.h:
1401         * runtime/VarOffset.cpp: Added.
1402         (JSC::VarOffset::dump):
1403         (WTF::printInternal):
1404         * runtime/VarOffset.h: Added.
1405         (JSC::VarOffset::VarOffset):
1406         (JSC::VarOffset::assemble):
1407         (JSC::VarOffset::isValid):
1408         (JSC::VarOffset::operator!):
1409         (JSC::VarOffset::kind):
1410         (JSC::VarOffset::isStack):
1411         (JSC::VarOffset::isScope):
1412         (JSC::VarOffset::isDirectArgument):
1413         (JSC::VarOffset::stackOffsetUnchecked):
1414         (JSC::VarOffset::scopeOffsetUnchecked):
1415         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
1416         (JSC::VarOffset::stackOffset):
1417         (JSC::VarOffset::scopeOffset):
1418         (JSC::VarOffset::capturedArgumentsOffset):
1419         (JSC::VarOffset::rawOffset):
1420         (JSC::VarOffset::checkSanity):
1421         (JSC::VarOffset::operator==):
1422         (JSC::VarOffset::operator!=):
1423         (JSC::VarOffset::hash):
1424         (JSC::VarOffset::isHashTableDeletedValue):
1425         (JSC::VarOffsetHash::hash):
1426         (JSC::VarOffsetHash::equal):
1427         * tests/stress/arguments-exit-strict-mode.js: Added.
1428         * tests/stress/arguments-exit.js: Added.
1429         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
1430         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
1431         * tests/stress/arguments-inlined-exit.js: Added.
1432         * tests/stress/arguments-interference.js: Added.
1433         * tests/stress/arguments-interference-cfg.js: Added.
1434         * tests/stress/dead-get-closure-var.js: Added.
1435         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
1436         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
1437         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
1438         * tests/stress/varargs-closure-inlined-exit.js: Added.
1439         * tests/stress/varargs-exit.js: Added.
1440         * tests/stress/varargs-inlined-exit.js: Added.
1441         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
1442         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
1443         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
1444         * tests/stress/varargs-inlined-simple-exit.js: Added.
1445         * tests/stress/varargs-too-few-arguments.js: Added.
1446         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
1447         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
1448         * tests/stress/varargs-varargs-inlined-exit.js: Added.
1449
1450 2015-03-25  Andy Estes  <aestes@apple.com>
1451
1452         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
1453         https://bugs.webkit.org/show_bug.cgi?id=143068
1454
1455         Reviewed by Dan Bernstein.
1456
1457         * inspector/remote/RemoteInspectorXPCConnection.mm:
1458         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
1459
1460 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1461
1462         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
1463         https://bugs.webkit.org/show_bug.cgi?id=142993
1464
1465         Reviewed by Geoffrey Garen and Mark Lam.
1466         
1467         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
1468         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
1469         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
1470         failure, but also involves adding the same kind of thing to the stub generators in
1471         Repatch.
1472         
1473         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
1474         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
1475         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
1476         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
1477         printout.
1478         
1479         Also add a way of inducing executable allocation failure, so that we can test this.
1480
1481         * CMakeLists.txt:
1482         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1483         * JavaScriptCore.xcodeproj/project.pbxproj:
1484         * dfg/DFGJITCompiler.cpp:
1485         (JSC::DFG::JITCompiler::compile):
1486         (JSC::DFG::JITCompiler::compileFunction):
1487         (JSC::DFG::JITCompiler::link): Deleted.
1488         (JSC::DFG::JITCompiler::linkFunction): Deleted.
1489         * dfg/DFGJITCompiler.h:
1490         * dfg/DFGPlan.cpp:
1491         (JSC::DFG::Plan::compileInThreadImpl):
1492         * ftl/FTLCompile.cpp:
1493         (JSC::FTL::mmAllocateCodeSection):
1494         (JSC::FTL::mmAllocateDataSection):
1495         * ftl/FTLLink.cpp:
1496         (JSC::FTL::link):
1497         * ftl/FTLState.h:
1498         * jit/ArityCheckFailReturnThunks.cpp:
1499         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
1500         * jit/ExecutableAllocationFuzz.cpp: Added.
1501         (JSC::numberOfExecutableAllocationFuzzChecks):
1502         (JSC::doExecutableAllocationFuzzing):
1503         * jit/ExecutableAllocationFuzz.h: Added.
1504         (JSC::doExecutableAllocationFuzzingIfEnabled):
1505         * jit/ExecutableAllocatorFixedVMPool.cpp:
1506         (JSC::ExecutableAllocator::allocate):
1507         * jit/JIT.cpp:
1508         (JSC::JIT::privateCompile):
1509         * jit/JITCompilationEffort.h:
1510         * jit/Repatch.cpp:
1511         (JSC::generateByIdStub):
1512         (JSC::tryCacheGetByID):
1513         (JSC::tryBuildGetByIDList):
1514         (JSC::emitPutReplaceStub):
1515         (JSC::emitPutTransitionStubAndGetOldStructure):
1516         (JSC::tryCachePutByID):
1517         (JSC::tryBuildPutByIdList):
1518         (JSC::tryRepatchIn):
1519         (JSC::linkPolymorphicCall):
1520         * jsc.cpp:
1521         (jscmain):
1522         * runtime/Options.h:
1523         * runtime/TestRunnerUtils.h:
1524         * runtime/VM.cpp:
1525         * tests/executableAllocationFuzz: Added.
1526         * tests/executableAllocationFuzz.yaml: Added.
1527         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
1528
1529 2015-03-25  Mark Lam  <mark.lam@apple.com>
1530
1531         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
1532         <https://webkit.org/b/135719>
1533
1534         Reviewed by Geoffrey Garen.
1535
1536         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
1537         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
1538         update the LLINT to access it as such.
1539
1540         The issue has only manifested so far on the CLoop tests because those are LLINT
1541         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
1542         hiding the bug in the LLINT.
1543
1544         * API/JSContextRef.cpp:
1545         (createWatchdogIfNeeded):
1546         (JSContextGroupSetExecutionTimeLimit):
1547         (JSContextGroupClearExecutionTimeLimit):
1548         * llint/LowLevelInterpreter.asm:
1549
1550 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1551
1552         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
1553
1554         Rubber stamped by Geoffrey Garen.
1555
1556         * bytecode/CodeBlock.cpp:
1557         (JSC::CodeBlock::visitAggregate):
1558
1559 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
1560
1561         Fix formatting in BuiltinExecutables
1562         https://bugs.webkit.org/show_bug.cgi?id=143061
1563
1564         Reviewed by Ryosuke Niwa.
1565
1566         * builtins/BuiltinExecutables.cpp:
1567         (JSC::BuiltinExecutables::createExecutableInternal):
1568
1569 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
1570
1571         ES6: Classes: Program level class statement throws exception in strict mode
1572         https://bugs.webkit.org/show_bug.cgi?id=143038
1573
1574         Reviewed by Ryosuke Niwa.
1575
1576         Classes expose a name to the current lexical environment. This treats
1577         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
1578         Also, improve error messages for class statements where the class is missing a name.
1579
1580         * parser/Parser.h:
1581         * parser/Parser.cpp:
1582         (JSC::Parser<LexerType>::parseClass):
1583         Fill name in info parameter if needed. Better error message if name is needed and missing.
1584
1585         (JSC::Parser<LexerType>::parseClassDeclaration):
1586         Pass info parameter to get name, and expose the name as a variable name.
1587
1588         (JSC::Parser<LexerType>::parsePrimaryExpression):
1589         Pass info parameter that is ignored.
1590
1591         * parser/ParserFunctionInfo.h:
1592         Add a parser info for class, to extract the name.
1593
1594 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1595
1596         New map and set modification tests in r181922 fails
1597         https://bugs.webkit.org/show_bug.cgi?id=143031
1598
1599         Reviewed and tweaked by Geoffrey Garen.
1600
1601         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
1602         to adjust for the packed backing store.
1603
1604         Consider the following map data.
1605
1606         x: deleted, o: exists
1607         0 1 2 3 4
1608         x x x x o
1609
1610         And an iterator with m_index 3.
1611
1612         When packing the map data, the map data will become:
1613
1614         0
1615         o
1616
1617         At that time, we perform didRemoveEntry 4 times on iterators.
1618         times => m_index/index/result
1619         1 => 3/0/dec
1620         2 => 2/1/dec
1621         3 => 1/2/nothing
1622         4 => 1/3/nothing
1623
1624         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
1625         This is because if we use the decremented m_index for comparison,
1626         while the provided deletedIndex is the index in the old storage, m_index is the index in the partially packed storage.
1627
1628         In this patch, we compare against the packed index instead.
1629         times => m_index/packedIndex/result
1630         1 => 3/0/dec
1631         2 => 2/0/dec
1632         3 => 1/0/dec
1633         4 => 0/0/nothing
1634
1635         So m_index becomes 0 as expected.
1636
1637         And according to the spec, once the iterator is closed (becomes done: true),
1638         its internal [[Map]]/[[Set]] is set to undefined.
1639         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
1640
1641         In this patch, we change 2 things.
1642         1.
1643         Compare an iterator's index against the packed index when removing an entry.
1644
1645         2.
1646         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
1647
1648         * runtime/MapData.h:
1649         (JSC::MapDataImpl::IteratorData::finish):
1650         (JSC::MapDataImpl::IteratorData::isFinished):
1651         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
1652         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
1653         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
1654         * runtime/MapDataInlines.h:
1655         (JSC::JSIterator>::replaceAndPackBackingStore):
1656         * tests/stress/modify-map-during-iteration.js:
1657         * tests/stress/modify-set-during-iteration.js:
1658
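An added example (not WebKit code) that models the adjustment described in the entry above: a constructed backing store with slots 0..3 deleted and slot 4 live, an iterator at m_index 3, and `didRemoveEntry` run once per deleted slot with either the old comparison (against the index in the old storage) or the fixed one (against the packed index). It then checks the observable contract with a real Map and Set: entries deleted before they are reached are skipped, and a finished iterator stays finished. The slot array and function names are this example's own.

```javascript
// Added example, not WebKit code: simulates the iterator index adjustment
// during backing-store packing. `slots` is a constructed store in which each
// slot is live or deleted; `iteratorIndex` plays the role of the iterator's
// m_index into the unpacked store.
function packAndAdjust(slots, iteratorIndex, compareAgainstPackedIndex) {
  let index = iteratorIndex;
  let packedIndex = 0; // where the next live slot lands in the packed store
  for (let oldIndex = 0; oldIndex < slots.length; oldIndex++) {
    if (slots[oldIndex].deleted) {
      // didRemoveEntry: the old code compared m_index against the index in
      // the old storage; the fix compares against the index in the packed
      // storage that is being built up.
      const deletedIndex = compareAgainstPackedIndex ? packedIndex : oldIndex;
      if (index > deletedIndex) index--;
    } else {
      packedIndex++;
    }
  }
  return index;
}

// The store from the entry: slots 0..3 deleted, slot 4 live, iterator at 3.
const STORE = [
  { deleted: true }, { deleted: true }, { deleted: true }, { deleted: true },
  { deleted: false },
];

function adjustmentBeforeFix() { return packAndAdjust(STORE, 3, false); } // 1 (wrong)
function adjustmentAfterFix()  { return packAndAdjust(STORE, 3, true); }  // 0 (expected)

// Observable contract with a real Map: entries deleted before they are reached
// are skipped, and iteration continues correctly past the removed region.
function keysVisitedWhileDeleting() {
  const map = new Map([[0, 'a'], [1, 'b'], [2, 'c'], [3, 'd'], [4, 'e']]);
  const visited = [];
  for (const [key] of map) {
    visited.push(key);
    if (key === 0) { map.delete(1); map.delete(2); map.delete(3); }
  }
  return visited; // [0, 4]
}

// Once an iterator reports done, it must stay done even if entries are added
// afterwards (its internal [[Set]] is cleared when it finishes).
function closedIteratorStaysClosed() {
  const set = new Set([1]);
  const it = set.values();
  it.next();                    // yields 1
  const closed = it.next().done; // true: the iterator is now finished
  set.add(2);                   // must not revive it
  return closed && it.next().done === true;
}
```

`packAndAdjust` reproduces the two tables in the entry: with the old comparison the index is decremented twice and ends at 1, with the packed-index comparison it is decremented three times and ends at 0. The last two functions exercise the same contract the modify-map-during-iteration and modify-set-during-iteration stress tests cover.
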
1659 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1660
1661         Setter should have a single formal parameter, Getter no parameters
1662         https://bugs.webkit.org/show_bug.cgi?id=142903
1663
1664         Reviewed by Geoffrey Garen.
1665
1666         * parser/Parser.cpp:
1667         (JSC::Parser<LexerType>::parseFunctionInfo):
1668         Enforce no parameters for getters and a single parameter
1669         for setters, with informational error messages.
1670
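An added example (not WebKit code) showing the rule the entry above enforces. Each constructed snippet is handed to the `Function` constructor, which parses it immediately, so an accessor with the wrong number of parameters surfaces as a `SyntaxError`; the case list and helper names are this example's own, and it also covers class bodies, where the same accessor grammar applies.

```javascript
// Added example, not WebKit code: reports whether a snippet is rejected by
// the parser. The Function constructor parses its body eagerly, so a bad
// accessor arity throws SyntaxError here rather than at call time.
function isRejectedAsSyntaxError(source) {
  try {
    new Function(source);
    return false;
  } catch (error) {
    if (error instanceof SyntaxError) return true;
    throw error; // anything else means the snippet is broken in another way
  }
}

// Constructed cases: the rule applies to object literals and class bodies alike.
const ACCESSOR_CASES = [
  { source: '({ get x() { return 1; } })',   rejected: false },
  { source: '({ get x(a) { return a; } })',  rejected: true  }, // getter takes no parameters
  { source: '({ set x(v) {} })',             rejected: false },
  { source: '({ set x() {} })',              rejected: true  }, // setter needs exactly one
  { source: '({ set x(a, b) {} })',          rejected: true  },
  { source: '({ set x(...rest) {} })',       rejected: true  }, // a rest parameter is not allowed
  { source: 'class C { get x() { return 1; } set x(v) {} }', rejected: false },
  { source: 'class C { get x(a) {} }',       rejected: true  },
  { source: 'class C { set x(a, b) {} }',    rejected: true  },
];

// Returns the sources whose outcome differs from the expectation; an empty
// list means the engine enforces the getter/setter arity rule.
function accessorArityMismatches() {
  return ACCESSOR_CASES
    .filter(c => isRejectedAsSyntaxError(c.source) !== c.rejected)
    .map(c => c.source);
}
```
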
1671 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1672
1673         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
1674         https://bugs.webkit.org/show_bug.cgi?id=143012
1675
1676         Reviewed by Ryosuke Niwa.
1677
1678         * bytecompiler/BytecodeGenerator.cpp:
1679         (JSC::BytecodeGenerator::emitReturn):
1680         Fix handling of "undefined" when returned from a Derived class. It was
1681         returning "undefined" when it should have returned "this".
1682
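An added example (not WebKit code) showing what `new` yields for each way a derived class constructor can return. The bare `return` is the case the entry above fixes (it must yield `this`, not `undefined`); the other branches are the neighbouring rules of the same spec step, shown for contrast. The classes and mode names are this example's own.

```javascript
// Added example, not WebKit code: observes the value `new` produces for the
// different return forms a derived constructor can use.
class Base {
  constructor(tag) { this.tag = tag; }
}

class Derived extends Base {
  constructor(tag, mode) {
    super(tag);
    if (mode === 'bare')      return;                    // must yield `this`
    if (mode === 'undefined') return undefined;          // same as a bare return
    if (mode === 'object')    return { tag: 'override' }; // an object replaces `this`
    if (mode === 'primitive') return 42;                 // TypeError in a derived constructor
    this.completed = true;
  }
}

// Describes the outcome of `new Derived('t', mode)` without letting it throw.
function constructOutcome(mode) {
  try {
    const result = new Derived('t', mode);
    return {
      isDerived: result instanceof Derived,
      completed: result.completed === true,
      tag: result.tag,
    };
  } catch (error) {
    return { threw: error.constructor.name };
  }
}
```

With the fix, `constructOutcome('bare')` reports an instance of `Derived` carrying the tag set by `super()`, exactly as the explicit `return undefined` form does.
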
1683 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1684
1685         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
1686         https://bugs.webkit.org/show_bug.cgi?id=142696
1687
1688         Reviewed and tweaked by Geoffrey Garen.
1689
1690         Before r142556, JSSetIterator::destroy was not defined.
1691         So accidentally MapData::const_iterator in JSSet was never destroyed.
1692         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
1693
1694         After r142556, JSSetIterator::destroy works.
1695         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
1696         But JSSetIterator::~JSSetIterator requires the owned JSSet since it mutates MapData->m_iteratorCount.
1697
1698         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
1699         and marks it in visitChildren (WriteBarrier<Unknown>).
1700         However, the order of destructions is not guaranteed in a GC-ed system.
1701
1702         Consider the following case:
1703         allocate a JSSet and subsequently allocate a JSSetIterator.
1704         They reside in separate MarkedBlocks, <1> and <2>.
1705
1706         JSSet<1> <- JSSetIterator<2>
1707
1708         And after that, when performing GC, Marker decides that the above 2 objects are not marked.
1709         And Marker also decides MarkedBlocks <1> and <2> can be swept.
1710
1711         First, the sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
1712         Second, the sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
1713         However, JSSetIterator<2>'s destructor,
1714         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.
1715
1716         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
1717         When packing the removed elements in JSSet/JSMap, we apply the change to all live
1718         iterators tracked by WeakGCMap.
1719
1720         WeakGCMap can only track JSCells since they are managed by GC.
1721         So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
1722         introduces JS style iterator signatures into C++ class IteratorData.
1723         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
1724         IteratorData directly.
1725
1726         * runtime/JSMap.cpp:
1727         (JSC::JSMap::destroy):
1728         * runtime/JSMap.h:
1729         (JSC::JSMap::JSMap):
1730         (JSC::JSMap::begin): Deleted.
1731         (JSC::JSMap::end): Deleted.
1732         * runtime/JSMapIterator.cpp:
1733         (JSC::JSMapIterator::destroy):
1734         * runtime/JSMapIterator.h:
1735         (JSC::JSMapIterator::next):
1736         (JSC::JSMapIterator::nextKeyValue):
1737         (JSC::JSMapIterator::iteratorData):
1738         (JSC::JSMapIterator::JSMapIterator):
1739         * runtime/JSSet.cpp:
1740         (JSC::JSSet::destroy):
1741         * runtime/JSSet.h:
1742         (JSC::JSSet::JSSet):
1743         (JSC::JSSet::begin): Deleted.
1744         (JSC::JSSet::end): Deleted.
1745         * runtime/JSSetIterator.cpp:
1746         (JSC::JSSetIterator::destroy):
1747         * runtime/JSSetIterator.h:
1748         (JSC::JSSetIterator::next):
1749         (JSC::JSSetIterator::iteratorData):
1750         (JSC::JSSetIterator::JSSetIterator):
1751         * runtime/MapData.h:
1752         (JSC::MapDataImpl::IteratorData::finish):
1753         (JSC::MapDataImpl::IteratorData::isFinished):
1754         (JSC::MapDataImpl::shouldPack):
1755         (JSC::JSIterator>::MapDataImpl):
1756         (JSC::JSIterator>::KeyType::KeyType):
1757         (JSC::JSIterator>::IteratorData::IteratorData):
1758         (JSC::JSIterator>::IteratorData::next):
1759         (JSC::JSIterator>::IteratorData::ensureSlot):
1760         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
1761         (JSC::JSIterator>::IteratorData::refreshCursor):
1762         (JSC::MapDataImpl::const_iterator::key): Deleted.
1763         (JSC::MapDataImpl::const_iterator::value): Deleted.
1764         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
1765         (JSC::MapDataImpl::const_iterator::finish): Deleted.
1766         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
1767         (JSC::MapDataImpl::begin): Deleted.
1768         (JSC::MapDataImpl::end): Deleted.
1769         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
1770         (JSC::MapDataImpl<Entry>::clear): Deleted.
1771         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
1772         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
1773         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
1774         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
1775         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
1776         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
1777         (JSC::=): Deleted.
1778         * runtime/MapDataInlines.h:
1779         (JSC::JSIterator>::clear):
1780         (JSC::JSIterator>::find):
1781         (JSC::JSIterator>::contains):
1782         (JSC::JSIterator>::add):
1783         (JSC::JSIterator>::set):
1784         (JSC::JSIterator>::get):
1785         (JSC::JSIterator>::remove):
1786         (JSC::JSIterator>::replaceAndPackBackingStore):
1787         (JSC::JSIterator>::replaceBackingStore):
1788         (JSC::JSIterator>::ensureSpaceForAppend):
1789         (JSC::JSIterator>::visitChildren):
1790         (JSC::JSIterator>::copyBackingStore):
1791         (JSC::JSIterator>::applyMapDataPatch):
1792         (JSC::MapDataImpl<Entry>::find): Deleted.
1793         (JSC::MapDataImpl<Entry>::contains): Deleted.
1794         (JSC::MapDataImpl<Entry>::add): Deleted.
1795         (JSC::MapDataImpl<Entry>::set): Deleted.
1796         (JSC::MapDataImpl<Entry>::get): Deleted.
1797         (JSC::MapDataImpl<Entry>::remove): Deleted.
1798         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
1799         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
1800         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
1801         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
1802         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
1803         * runtime/MapPrototype.cpp:
1804         (JSC::mapProtoFuncForEach):
1805         * runtime/SetPrototype.cpp:
1806         (JSC::setProtoFuncForEach):
1807         * runtime/WeakGCMap.h:
1808         (JSC::WeakGCMap::forEach):
1809         * tests/stress/modify-map-during-iteration.js: Added.
1810         (testValue):
1811         (identityPairs):
1812         (.set if):
1813         (var):
1814         (set map):
1815         * tests/stress/modify-set-during-iteration.js: Added.
1816         (testValue):
1817         (set forEach):
1818         (set delete):
1819
1820 2015-03-24  Mark Lam  <mark.lam@apple.com>
1821
1822         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
1823         <https://webkit.org/b/143024>
1824
1825         Reviewed by Geoffrey Garen.
1826
1827         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
1828         passed in from testapi.c.  It should create its own for better
1829         encapsulation of the test.
1830
1831         * API/tests/ExecutionTimeLimitTest.cpp:
1832         (currentCPUTimeAsJSFunctionCallback):
1833         (testExecutionTimeLimit):
1834         * API/tests/ExecutionTimeLimitTest.h:
1835         * API/tests/testapi.c:
1836         (main):
1837
1838 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1839
1840         ES6: Object Literal Methods toString is missing method name
1841         https://bugs.webkit.org/show_bug.cgi?id=142992
1842
1843         Reviewed by Geoffrey Garen.
1844
1845         Always stringify functions in the pattern:
1846
1847           "function " + <function name> + <text from opening parenthesis to closing brace>.
1848
1849         * runtime/FunctionPrototype.cpp:
1850         (JSC::functionProtoFuncToString):
1851         Update the path that was not stringifying in this pattern.
1852
1853         * bytecode/UnlinkedCodeBlock.cpp:
1854         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1855         * bytecode/UnlinkedCodeBlock.h:
1856         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
1857         * parser/Nodes.h:
1858         * runtime/Executable.cpp:
1859         (JSC::FunctionExecutable::FunctionExecutable):
1860         * runtime/Executable.h:
1861         (JSC::FunctionExecutable::parametersStartOffset):
1862         Pass the already known function parameter opening parenthesis
1863         start offset through to the FunctionExecutable. 
1864
1865         * tests/mozilla/js1_5/Scope/regress-185485.js:
1866         (with.g):
1867         Add back original space in this test that was removed by r181810
1868         now that we have the space again in stringification.
1869
1870 2015-03-24  Michael Saboff  <msaboff@apple.com>
1871
1872         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
1873         https://bugs.webkit.org/show_bug.cgi?id=142856
1874
1875         Reviewed by Filip Pizlo.
1876
1877         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
1878         get info for three loops to iterate over indexed properties, structure properties and other properties,
1879         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
1880         for all loops before we execute any enumeration.
1881
1882         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
1883         The named properties are one list, with structure properties in the range [0,m_endStructurePropertyIndex)
1884         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
1885
1886         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
1887         op_next_enumerator_pname.
1888         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
1889         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
1890         end value we stop iterating on.
1891
1892         Made corresponding node changes to the DFG and FTL for the bytecode changes.
1893
1894         * bytecode/BytecodeList.json:
1895         * bytecode/BytecodeUseDef.h:
1896         (JSC::computeUsesForBytecodeOffset):
1897         (JSC::computeDefsForBytecodeOffset):
1898         * bytecode/CodeBlock.cpp:
1899         (JSC::CodeBlock::dumpBytecode):
1900         * bytecompiler/BytecodeGenerator.cpp:
1901         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
1902         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
1903         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
1904         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
1905         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
1906         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
1907         * bytecompiler/BytecodeGenerator.h:
1908         * bytecompiler/NodesCodegen.cpp:
1909         (JSC::ForInNode::emitMultiLoopBytecode):
1910         * dfg/DFGAbstractInterpreterInlines.h:
1911         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1912         * dfg/DFGByteCodeParser.cpp:
1913         (JSC::DFG::ByteCodeParser::parseBlock):
1914         * dfg/DFGCapabilities.cpp:
1915         (JSC::DFG::capabilityLevel):
1916         * dfg/DFGClobberize.h:
1917         (JSC::DFG::clobberize):
1918         * dfg/DFGDoesGC.cpp:
1919         (JSC::DFG::doesGC):
1920         * dfg/DFGFixupPhase.cpp:
1921         (JSC::DFG::FixupPhase::fixupNode):
1922         * dfg/DFGNodeType.h:
1923         * dfg/DFGPredictionPropagationPhase.cpp:
1924         (JSC::DFG::PredictionPropagationPhase::propagate):
1925         * dfg/DFGSafeToExecute.h:
1926         (JSC::DFG::safeToExecute):
1927         * dfg/DFGSpeculativeJIT32_64.cpp:
1928         (JSC::DFG::SpeculativeJIT::compile):
1929         * dfg/DFGSpeculativeJIT64.cpp:
1930         (JSC::DFG::SpeculativeJIT::compile):
1931         * ftl/FTLAbstractHeapRepository.h:
1932         * ftl/FTLCapabilities.cpp:
1933         (JSC::FTL::canCompile):
1934         * ftl/FTLLowerDFGToLLVM.cpp:
1935         (JSC::FTL::LowerDFGToLLVM::compileNode):
1936         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
1937         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
1938         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
1939         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
1940         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
1941         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
1942         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
1943         * jit/JIT.cpp:
1944         (JSC::JIT::privateCompileMainPass):
1945         * jit/JIT.h:
1946         * jit/JITOpcodes.cpp:
1947         (JSC::JIT::emit_op_enumerator_structure_pname):
1948         (JSC::JIT::emit_op_enumerator_generic_pname):
1949         (JSC::JIT::emit_op_get_property_enumerator):
1950         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
1951         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
1952         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
1953         * jit/JITOpcodes32_64.cpp:
1954         (JSC::JIT::emit_op_enumerator_structure_pname):
1955         (JSC::JIT::emit_op_enumerator_generic_pname):
1956         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
1957         * jit/JITOperations.cpp:
1958         * jit/JITOperations.h:
1959         * llint/LowLevelInterpreter.asm:
1960         * runtime/CommonSlowPaths.cpp:
1961         (JSC::SLOW_PATH_DECL):
1962         * runtime/CommonSlowPaths.h:
1963         * runtime/JSPropertyNameEnumerator.cpp:
1964         (JSC::JSPropertyNameEnumerator::create):
1965         (JSC::JSPropertyNameEnumerator::finishCreation):
1966         * runtime/JSPropertyNameEnumerator.h:
1967         (JSC::JSPropertyNameEnumerator::indexedLength):
1968         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
1969         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
1970         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
1971         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
1972         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
1973         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
1974         (JSC::propertyNameEnumerator):
1975         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
1976         (JSC::structurePropertyNameEnumerator): Deleted.
1977         (JSC::genericPropertyNameEnumerator): Deleted.
1978         * runtime/Structure.cpp:
1979         (JSC::Structure::setCachedPropertyNameEnumerator):
1980         (JSC::Structure::cachedPropertyNameEnumerator):
1981         (JSC::Structure::canCachePropertyNameEnumerator):
1982         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
1983         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
1984         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
1985         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
1986         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
1987         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
1988         * runtime/Structure.h:
1989         * runtime/StructureRareData.cpp:
1990         (JSC::StructureRareData::visitChildren):
1991         (JSC::StructureRareData::cachedPropertyNameEnumerator):
1992         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
1993         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
1994         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
1995         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
1996         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
1997         * runtime/StructureRareData.h:
1998         * tests/stress/for-in-delete-during-iteration.js:
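An added example, not code from the ChangeLog or from JSC's test suite, that exercises the for...in semantics the entry above restores: a property added to the object while the loop runs must not be enumerated, and a property deleted before its turn is skipped. The constructed object mixes indexed, named and inherited keys, mirroring the three enumeration loops (indexed, structure, generic) the entry describes.

```javascript
// Constructed sample object: two indexed keys, three named keys, one inherited key.
function enumerateWithMutation() {
  const proto = { inherited: true };
  const o = Object.create(proto);
  o[1] = "b";
  o[0] = "a";
  o.x = 1;
  o.y = 2;
  o.z = 3;

  const visited = [];
  for (const k in o) {
    visited.push(k);
    if (k === "x") {
      o.added = 4;  // added mid-loop: must not be visited
      delete o.z;   // deleted before its turn: must be skipped
    }
  }
  return visited;
}

// Expected order: integer keys ascending, then own string keys in insertion order
// (minus the deleted one), then the inherited key. The added key never appears.
const EXPECTED_KEYS = ["0", "1", "x", "y", "inherited"];

function sameKeys(a, b) {
  return a.length === b.length && a.every((k, i) => k === b[i]);
}

// Run the loop many times, as JSC's stress tests do, so every JIT tier compiles the
// function; returns the number of iterations whose key list deviated from EXPECTED_KEYS.
function countForInDeviations(iterations) {
  let deviations = 0;
  for (let i = 0; i < iterations; i++) {
    if (!sameKeys(enumerateWithMutation(), EXPECTED_KEYS)) deviations++;
  }
  return deviations;
}
```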
1999
2000 2015-03-24  Michael Saboff  <msaboff@apple.com>
2001
2002         Unreviewed build fix for debug builds.
2003
2004         * runtime/ExceptionHelpers.cpp:
2005         (JSC::invalidParameterInSourceAppender):
2006
2007 2015-03-24  Saam Barati  <saambarati1@gmail.com>
2008
2009         Improve error messages in JSC
2010         https://bugs.webkit.org/show_bug.cgi?id=141869
2011
2012         Reviewed by Geoffrey Garen.
2013
2014         JavaScriptCore has some unintuitive error messages associated
2015         with certain common errors. This patch changes some specific
2016         error messages to be more understandable and also creates a
2017         mechanism that will allow for easy modification of error messages
2018         in the future. The specific errors we change are not a function
2019         errors and invalid parameter errors.
2020
2021         * CMakeLists.txt:
2022         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2023         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2024         * JavaScriptCore.xcodeproj/project.pbxproj:
2025         * interpreter/Interpreter.cpp:
2026         (JSC::sizeOfVarargs):
2027         * jit/JITOperations.cpp:
2028         op_throw_static_error always has a JSString as its argument.
2029         There is no need to dance around this, and we should assert
2030         that this always holds. This JSString represents the error 
2031         message we want to display to the user, so there is no need
2032         to pass it into errorDescriptionForValue which will now place
2033         quotes around the string.
2034
2035         * llint/LLIntSlowPaths.cpp:
2036         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2037         * runtime/CommonSlowPaths.h:
2038         (JSC::CommonSlowPaths::opIn):
2039         * runtime/ErrorInstance.cpp:
2040         (JSC::ErrorInstance::ErrorInstance):
2041         * runtime/ErrorInstance.h:
2042         (JSC::ErrorInstance::hasSourceAppender):
2043         (JSC::ErrorInstance::sourceAppender):
2044         (JSC::ErrorInstance::setSourceAppender):
2045         (JSC::ErrorInstance::clearSourceAppender):
2046         (JSC::ErrorInstance::setRuntimeTypeForCause):
2047         (JSC::ErrorInstance::runtimeTypeForCause):
2048         (JSC::ErrorInstance::clearRuntimeTypeForCause):
2049         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
2050         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
2051         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
2052         * runtime/ExceptionHelpers.cpp:
2053         (JSC::errorDescriptionForValue):
2054         (JSC::defaultApproximateSourceError):
2055         (JSC::defaultSourceAppender):
2056         (JSC::functionCallBase):
2057         (JSC::notAFunctionSourceAppender):
2058         (JSC::invalidParameterInSourceAppender):
2059         (JSC::invalidParameterInstanceofSourceAppender):
2060         (JSC::createError):
2061         (JSC::createInvalidFunctionApplyParameterError):
2062         (JSC::createInvalidInParameterError):
2063         (JSC::createInvalidInstanceofParameterError):
2064         (JSC::createNotAConstructorError):
2065         (JSC::createNotAFunctionError):
2066         (JSC::createNotAnObjectError):
2067         (JSC::createInvalidParameterError): Deleted.
2068         * runtime/ExceptionHelpers.h:
2069         * runtime/JSObject.cpp:
2070         (JSC::JSObject::hasInstance):
2071         * runtime/RuntimeType.cpp: Added.
2072         (JSC::runtimeTypeForValue):
2073         (JSC::runtimeTypeAsString):
2074         * runtime/RuntimeType.h: Added.
2075         * runtime/TypeProfilerLog.cpp:
2076         (JSC::TypeProfilerLog::processLogEntries):
2077         * runtime/TypeSet.cpp:
2078         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
2079         * runtime/TypeSet.h:
2080         * runtime/VM.cpp:
2081         (JSC::appendSourceToError):
2082         (JSC::VM::throwException):
2083
2084 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
2085
2086         JSC should have a low-cost asynchronous disassembler
2087         https://bugs.webkit.org/show_bug.cgi?id=142997
2088
2089         Reviewed by Mark Lam.
2090         
2091         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
2092         doesn't block execution. Some code will live a little longer because of this, since the
2093         work tasks hold a ref to the code, but other than that there is basically no overhead.
2094         
2095         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
2096         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
2097         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
2098         JSC_asyncDisassembly has bizarre behavior - so just choose one.
2099         
2100         A simple way of understanding how great this is, is to run a small benchmark like
2101         V8Spider/earley-boyer.
2102         
2103         Performance without any disassembly flags: 60ms
2104         Performance with JSC_showDisassembly=true: 477ms
2105         Performance with JSC_asyncDisassembly=true: 65ms
2106         
2107         So, the overhead of disassembly goes from 8x to 8%.
2108         
2109         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
2110         measuring benchmark performance. This is because at VM exit, we wait for all async
2111         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
2112         after the benchmark completely finishes to finish the disassemblies. This small weirdness
2113         should be OK for the intended use-cases, since all you have to do to get around it is to
2114         measure the execution time of the benchmark payload rather than the end-to-end time of
2115         launching the VM.
2116
2117         * assembler/LinkBuffer.cpp:
2118         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2119         * assembler/LinkBuffer.h:
2120         (JSC::LinkBuffer::wasAlreadyDisassembled):
2121         (JSC::LinkBuffer::didAlreadyDisassemble):
2122         * dfg/DFGJITCompiler.cpp:
2123         (JSC::DFG::JITCompiler::disassemble):
2124         * dfg/DFGJITFinalizer.cpp:
2125         (JSC::DFG::JITFinalizer::finalize):
2126         (JSC::DFG::JITFinalizer::finalizeFunction):
2127         * disassembler/Disassembler.cpp:
2128         (JSC::disassembleAsynchronously):
2129         (JSC::waitForAsynchronousDisassembly):
2130         * disassembler/Disassembler.h:
2131         * ftl/FTLCompile.cpp:
2132         (JSC::FTL::mmAllocateDataSection):
2133         * ftl/FTLLink.cpp:
2134         (JSC::FTL::link):
2135         * jit/JIT.cpp:
2136         (JSC::JIT::privateCompile):
2137         * jsc.cpp:
2138         * runtime/Options.h:
2139         * runtime/VM.cpp:
2140         (JSC::VM::~VM):
2141
2142 2015-03-23  Dean Jackson  <dino@apple.com>
2143
2144         ES7: Implement Array.prototype.includes
2145         https://bugs.webkit.org/show_bug.cgi?id=142707
2146
2147         Reviewed by Geoffrey Garen.
2148
2149         Add support for the ES7 includes method on Arrays.
2150         https://github.com/tc39/Array.prototype.includes
2151
2152         * builtins/Array.prototype.js:
2153         (includes): Implementation in JS.
2154         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
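An added example, not the builtin from builtins/Array.prototype.js: a plain-JS Array.prototype.includes following the ES7 proposal's algorithm, showing the two behaviours that separate it from indexOf, SameValueZero comparison (so NaN is found) and holes reading as undefined. The helper names are this example's own.

```javascript
// SameValueZero: like === except that NaN equals NaN (+0 and -0 are already equal).
function sameValueZero(a, b) {
  if (typeof a === "number" && typeof b === "number") {
    return a === b || (a !== a && b !== b);
  }
  return a === b;
}

// Array.prototype.includes(searchElement, fromIndex) per the proposal's steps:
// ToObject, ToLength on length, ToInteger on fromIndex (negative counts from the end),
// then a linear scan with SameValueZero. o[k] on a hole yields undefined, so holes match.
function arrayIncludes(arrayLike, searchElement, fromIndex) {
  const o = Object(arrayLike);
  const len = Math.min(Math.max(Math.trunc(Number(o.length)) || 0, 0), Number.MAX_SAFE_INTEGER);
  if (len === 0) return false;
  const n = Math.trunc(Number(fromIndex)) || 0;  // undefined or NaN becomes 0
  let k = n >= 0 ? n : Math.max(len + n, 0);
  while (k < len) {
    if (sameValueZero(o[k], searchElement)) return true;
    k++;
  }
  return false;
}

// Constructed inputs on which includes and indexOf disagree.
function includesVsIndexOf() {
  const arr = [1, NaN, , 4];  // index 2 is a hole
  return {
    nanIncludes: arrayIncludes(arr, NaN),
    nanIndexOf: arr.indexOf(NaN) !== -1,
    holeIncludes: arrayIncludes(arr, undefined),
    holeIndexOf: arr.indexOf(undefined) !== -1,
    negativeFrom: arrayIncludes(arr, 1, -1),  // scan starts at index 3
    arrayLike: arrayIncludes({ length: 2, 0: "a", 1: "b" }, "b"),
  };
}
```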
2155
2156 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2157
2158         __defineGetter__/__defineSetter__ should throw exceptions
2159         https://bugs.webkit.org/show_bug.cgi?id=142934
2160
2161         Reviewed by Geoffrey Garen.
2162
2163         * runtime/ObjectPrototype.cpp:
2164         (JSC::objectProtoFuncDefineGetter):
2165         (JSC::objectProtoFuncDefineSetter):
2166         Throw exceptions when these functions are used directly.
2167
2168 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2169
2170         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
2171         https://bugs.webkit.org/show_bug.cgi?id=142952
2172
2173         Reviewed by Geoffrey Garen.
2174
2175         * runtime/Structure.cpp:
2176         (JSC::PropertyTable::checkConsistency):
2177         The check offset method doesn't exist in PropertyTable; it exists in Structure.
2178
2179         (JSC::Structure::checkConsistency):
2180         So move it here, and always put it at the start to match normal behavior.
2181
2182 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2183
2184         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
2185         https://bugs.webkit.org/show_bug.cgi?id=142956
2186
2187         Rubber stamped by Gyuyoung Kim.
2188         
2189         Just removing dead code.
2190
2191         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2192         * JavaScriptCore.xcodeproj/project.pbxproj:
2193         * dfg/DFGOSRExit.h:
2194         * dfg/DFGOSRExitCompiler.cpp:
2195         * dfg/DFGValueRecoveryOverride.h: Removed.
2196
2197 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2198
2199         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
2200         https://bugs.webkit.org/show_bug.cgi?id=142948
2201
2202         Reviewed by Sam Weinig.
2203         
2204         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
2205         since a signal may clobber the area below the stack pointer. When the DFG is executing,
2206         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
2207         baseline, we will use a different amount of stack. This is because baseline is a different
2208         compiler. It will make different decisions. So it will use a different amount of stack.
2209         
2210         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
2211         incrementally transforming the stack from how it looked in the DFG to how it will look in
2212         baseline. The most conservative approach would be to set the stack pointer to the max of
2213         DFG and baseline.
2214         
2215         When this code was written, a reckless assumption was made: that the stack usage in
2216         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
2217         assumption, the code first adjusts the stack pointer to account for the baseline stack
2218         usage. This sort of usually works, because usually baseline does happen to use more stack.
2219         But that's not an invariant. Nobody guarantees this. We will never make any changes that
2220         would make this be guaranteed, because that would be antithetical to how optimizing
2221         compilers work. The DFG should be allowed to use however much stack it decides that it
2222         should use in order to get good performance, and it shouldn't try to guarantee that it
2223         always uses less stack than baseline.
2224         
2225         As such, we must always assume that the frame size for DFG execution (i.e.
2226         frameRegisterCount) and the frame size in baseline once we exit (i.e.
2227         requiredRegisterCountForExit) are two independent quantities and they have no
2228         relationship.
2229         
2230         Fortunately, though, this code can be made correct by just moving the stack adjustment to
2231         just before we do conversions. This is because we have since changed the OSR exit
2232         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
2233         drop it out of the scratch buffer and into the stack according to the baseline layout. The
2234         point just before conversions is the point where we have finished reading the DFG frame
2235         and will not read it anymore, and we haven't started writing the baseline frame. So, at
2236         this point it is safe to set the stack pointer to account for the frame size at exit.
2237         
2238         This is benign because baseline happens to create larger frames than DFG.
2239
2240         * dfg/DFGOSRExitCompiler32_64.cpp:
2241         (JSC::DFG::OSRExitCompiler::compileExit):
2242         * dfg/DFGOSRExitCompiler64.cpp:
2243         (JSC::DFG::OSRExitCompiler::compileExit):
2244         * dfg/DFGOSRExitCompilerCommon.cpp:
2245         (JSC::DFG::adjustAndJumpToTarget):
2246
2247 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2248
2249         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
2250
2251         Rubber stamped by Sam Weinig.
2252
2253         * tests/stress/equals-masquerader.js:
2254
2255 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2256
2257         tests/stress/*tdz* tests do 10x more iterations than necessary
2258         https://bugs.webkit.org/show_bug.cgi?id=142946
2259
2260         Reviewed by Ryosuke Niwa.
2261         
2262         The stress test harness runs all of these tests in various configurations. This includes
2263         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
2264         enough to get to the highest tier. The only exceptions are very large functions or
2265         functions that have some reoptimizations. That happens rarely, and when it does happen,
2266         usually 20,000 iterations is enough.
2267         
2268         Therefore, these tests use 10x too many iterations. This is bad, since these tests
2269         allocate on each iteration, and so they run very slowly in debug mode.
2270
2271         * tests/stress/class-syntax-no-loop-tdz.js:
2272         * tests/stress/class-syntax-no-tdz-in-catch.js:
2273         * tests/stress/class-syntax-no-tdz-in-conditional.js:
2274         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
2275         * tests/stress/class-syntax-no-tdz-in-loop.js:
2276         * tests/stress/class-syntax-no-tdz.js:
2277         * tests/stress/class-syntax-tdz-in-catch.js:
2278         * tests/stress/class-syntax-tdz-in-conditional.js:
2279         * tests/stress/class-syntax-tdz-in-loop.js:
2280         * tests/stress/class-syntax-tdz.js:
2281
2282 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2283
2284         Fix a typo in Parser error message
2285         https://bugs.webkit.org/show_bug.cgi?id=142942
2286
2287         Reviewed by Alexey Proskuryakov.
2288
2289         * jit/JITPropertyAccess.cpp:
2290         (JSC::JIT::emitSlow_op_resolve_scope):
2291         * jit/JITPropertyAccess32_64.cpp:
2292         (JSC::JIT::emitSlow_op_resolve_scope):
2293         * parser/Parser.cpp:
2294         (JSC::Parser<LexerType>::parseClass):
2295         Fix a common identifier typo.
2296
2297 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2298
2299         Computed Property names should allow only AssignmentExpressions not any Expression
2300         https://bugs.webkit.org/show_bug.cgi?id=142902
2301
2302         Reviewed by Ryosuke Niwa.
2303
2304         * parser/Parser.cpp:
2305         (JSC::Parser<LexerType>::parseProperty):
2306         Limit computed expressions to just assignment expressions instead of
2307         any expression (which allowed comma expressions).
2308
2309 2015-03-21  Andreas Kling  <akling@apple.com>
2310
2311         Make UnlinkedFunctionExecutable fit in a 128-byte cell.
2312         <https://webkit.org/b/142939>
2313
2314         Reviewed by Mark Hahnenberg.
2315
2316         Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
2317         a 128-byte heap cell instead of requiring a 256-byte one.
2318
2319         Threw in a static_assert to catch anyone pushing it over the limit again.
2320
2321         * bytecode/UnlinkedCodeBlock.cpp:
2322         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2323         * bytecode/UnlinkedCodeBlock.h:
2324         (JSC::UnlinkedFunctionExecutable::functionMode):
2325
2326 2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>
2327
2328         GCTimer should keep track of nested GC phases
2329         https://bugs.webkit.org/show_bug.cgi?id=142675
2330
2331         Reviewed by Darin Adler.
2332
2333         This improves the GC phase timing output in Heap.cpp by linking
2334         phases nested inside other phases together, allowing tools
2335         to compute how much time we're spending in various nested phases.
2336
2337         * heap/Heap.cpp:
2338
2339 2015-03-20  Geoffrey Garen  <ggaren@apple.com>
2340
2341         FunctionBodyNode should know where its parameters started
2342         https://bugs.webkit.org/show_bug.cgi?id=142926
2343
2344         Reviewed by Ryosuke Niwa.
2345
2346         This will allow us to re-parse parameters instead of keeping the
2347         parameters piece of the AST around forever.
2348
2349         I also took the opportunity to initialize most FunctionBodyNode data
2350         members at construction time, to help clarify that they are set right.
2351
2352         * parser/ASTBuilder.h:
2353         (JSC::ASTBuilder::createFunctionExpr): No need to pass
2354         functionKeywordStart here; we now provide it at FunctionBodyNode
2355         creation time.
2356
2357         (JSC::ASTBuilder::createFunctionBody): Require everything we need at
2358         construction time, including the start of our parameters.
2359
2360         (JSC::ASTBuilder::createGetterOrSetterProperty):
2361         (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
2362         functionKeywordStart here; we now provide it at FunctionBodyNode
2363         creation time.
2364
2365         (JSC::ASTBuilder::setFunctionNameStart): Deleted.
2366
2367         * parser/Nodes.cpp:
2368         (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
2369         construction time.
2370
2371         * parser/Nodes.h: Added a field for the location of our parameters.
2372
2373         * parser/Parser.cpp:
2374         (JSC::Parser<LexerType>::parseFunctionBody):
2375         (JSC::Parser<LexerType>::parseFunctionInfo):
2376         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2377         (JSC::Parser<LexerType>::parseClass):
2378         (JSC::Parser<LexerType>::parsePropertyMethod):
2379         (JSC::Parser<LexerType>::parseGetterSetter):
2380         (JSC::Parser<LexerType>::parsePrimaryExpression):
2381         * parser/Parser.h: Refactored to match above interface changes.
2382
2383         * parser/SyntaxChecker.h:
2384         (JSC::SyntaxChecker::createFunctionExpr):
2385         (JSC::SyntaxChecker::createFunctionBody):
2386         (JSC::SyntaxChecker::createFuncDeclStatement):
2387         (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
2388         above interface changes.
2389
2390         (JSC::SyntaxChecker::setFunctionNameStart): Deleted.
2391
2392 2015-03-20  Filip Pizlo  <fpizlo@apple.com>
2393
2394         Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
2395         https://bugs.webkit.org/show_bug.cgi?id=142920
2396
2397         Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
2398         
2399         Observably effectful, n.: If we reexecute the bytecode instruction after this node has
2400         executed, then something other than the bytecode instruction's specified outcome will
2401         happen.
2402
2403         We almost never had observably effectful nodes except at the end of the bytecode
2404         instruction.  The exception is a lowered transitioning PutById:
2405
2406         PutStructure(@o, S1 -> S2)
2407         PutByOffset(@o, @o, @v)
2408
2409         The PutStructure is observably effectful: if you try to reexecute the bytecode after
2410         doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
2411         first checking what the old structure of the object is; but if we reexecute, the old
2412         structure will seem to be the new structure.  But the property ensured by the new
2413         structure hasn't been stored yet, so any attempt to load it or scan it will crash.
2414
2415         Intriguingly, however, none of the other operations involved in the PutById are
2416         observably effectful.  Consider this example:
2417
2418         PutByOffset(@o, @o, @v)
2419         PutStructure(@o, S1 -> S2)
2420
2421         Note that the PutStructure node doesn't reallocate property storage; see further below
2422         for an example that does that. Because no property storage reallocation is happening, we know that we
2423         already had room for the new property.  This means that the PutByOffset is not observable
2424         until the PutStructure executes and "reveals" the property.  Hence, PutByOffset is not
2425         observably effectful.
2426
2427         Now consider this:
2428
2429         b: AllocatePropertyStorage(@o)
2430         PutByOffset(@b, @o, @v)
2431         PutStructure(@o, S1 -> S2)
2432
2433         Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
2434         effectful. It *does* reallocate the property storage and the new property storage pointer
2435         is stored into the object. But until the PutStructure occurs, the world will just think
2436         that the reallocation didn't happen, in the sense that we'll think that the property
2437         storage is using less memory than what we just allocated. That's harmless.
2438
2439         The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
2440         AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
2441         everything could be expected to be fine, so long as all of @o, @v and @b are on the
2442         stack. If they are all on the stack, then the GC will leave the property storage alone
2443         (so the extra memory we just allocated would be safe). The GC will not scan the part of
2444         the property storage that contains @v, but that's fine, so long as @v is on the stack.
2445         
2446         The better long-term solution is probably bug 142921.
2447         
2448         But for now, this:
2449         
2450         - Fixes an object materialization bug, exemplified by the two tests, that previously
2451           crashed 100% of the time with FTL enabled and concurrent JIT disabled.
2452         
2453         - Allows us to remove the workaround introduced in r174856.
2454
2455         * dfg/DFGByteCodeParser.cpp:
2456         (JSC::DFG::ByteCodeParser::handlePutById):
2457         * dfg/DFGConstantFoldingPhase.cpp:
2458         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2459         * dfg/DFGFixupPhase.cpp:
2460         (JSC::DFG::FixupPhase::insertCheck):
2461         (JSC::DFG::FixupPhase::indexOfNode): Deleted.
2462         (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
2463         * dfg/DFGInsertionSet.h:
2464         (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
2465         (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
2466         * tests/stress/materialize-past-butterfly-allocation.js: Added.
2467         (bar):
2468         (foo0):
2469         (foo1):
2470         (foo2):
2471         (foo3):
2472         (foo4):
2473         * tests/stress/materialize-past-put-structure.js: Added.
2474         (foo):
2475
2476 2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2477
2478         REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
2479         https://bugs.webkit.org/show_bug.cgi?id=142410
2480
2481         Reviewed by Geoffrey Garen.
2482
2483         Before this patch, the added function JSValue::toPropertyKey returned PropertyName.
2484         Since PropertyName doesn't have AtomicStringImpl ownership,
2485         if an Identifier is implicitly converted to PropertyName and the Identifier is destructed,
2486         PropertyName may refer to a freed AtomicStringImpl*.
2487
2488         This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
2489         to keep AtomicStringImpl* ownership after the toPropertyName call is done.
2490         And receive the result value as Identifier type to keep ownership in the caller side.
2491
2492         To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
2493
2494         However, now we don't need to have both Identifier and PropertyName.
2495         So we'll merge PropertyName to Identifier in the subsequent patch.
2496
2497         * dfg/DFGOperations.cpp:
2498         (JSC::DFG::operationPutByValInternal):
2499         * jit/JITOperations.cpp:
2500         (JSC::getByVal):
2501         * llint/LLIntSlowPaths.cpp:
2502         (JSC::LLInt::getByVal):
2503         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2504         * runtime/CommonSlowPaths.cpp:
2505         (JSC::SLOW_PATH_DECL):
2506         * runtime/CommonSlowPaths.h:
2507         (JSC::CommonSlowPaths::opIn):
2508         * runtime/JSCJSValue.h:
2509         * runtime/JSCJSValueInlines.h:
2510         (JSC::JSValue::toPropertyKey):
2511         * runtime/ObjectConstructor.cpp:
2512         (JSC::objectConstructorGetOwnPropertyDescriptor):
2513         (JSC::objectConstructorDefineProperty):
2514         * runtime/ObjectPrototype.cpp:
2515         (JSC::objectProtoFuncPropertyIsEnumerable):
2516
2517 2015-03-18  Geoffrey Garen  <ggaren@apple.com>
2518
2519         Function.prototype.toString should not decompile the AST
2520         https://bugs.webkit.org/show_bug.cgi?id=142853
2521
2522         Reviewed by Sam Weinig.
2523
2524         To recover the function parameter string, Function.prototype.toString
2525         decompiles the function parameters from the AST. This is bad for a few
2526         reasons:
2527
2528         (1) It requires us to keep pieces of the AST live forever. This is an
2529         awkward design and a waste of memory.
2530
2531         (2) It doesn't match Firefox or Chrome (because it changes whitespace
2532         and ES6 destructuring expressions).
2533
2534         (3) It doesn't scale to ES6 default argument parameters, which require
2535         arbitrarily complex decompilation.
2536
2537         (4) It can counterfeit all the line numbers in a function (because
2538         whitespace can include newlines).
2539
2540         (5) It's expensive, and we've seen cases where websites invoke
2541         Function.prototype.toString a lot by accident.
2542
2543         The fix is to do what we do for the rest of the function: Just quote the
2544         original source text.
2545
2546         Since this change inevitably changes some function stringification, I
2547         took the opportunity to make our stringification match Firefox's and
2548         Chrome's.
2549
2550         * API/tests/testapi.c:
2551         (assertEqualsAsUTF8String): Be more informative when this fails.
2552
2553         (main): Updated to match new stringification rules.
2554
2555         * bytecode/UnlinkedCodeBlock.cpp:
2556         (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
2557         * bytecode/UnlinkedCodeBlock.h:
2558
2559         * parser/Nodes.h:
2560         (JSC::StatementNode::isFuncDeclNode): New helper for constructing
2561         anonymous functions.
2562
2563         * parser/SourceCode.h:
2564         (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it.
2565
2566         * runtime/CodeCache.cpp:
2567         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use
2568         of function declaration over function expression.
2569
2570         * runtime/Executable.cpp:
2571         (JSC::FunctionExecutable::paramString): Deleted. Yay!
2572         * runtime/Executable.h:
2573         (JSC::FunctionExecutable::parameterCount):
2574
2575         * runtime/FunctionConstructor.cpp:
2576         (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after
2577         the opening brace to match Firefox and Chrome, and a space after the comma
2578         to match Firefox and WebKit coding style. Added the function name to
2579         the text of the function so it would look right when stringify-ing. Switched
2580         from parentheses to braces to produce a function declaration instead of
2581         a function expression because we are required to exclude the function's
2582         name from its scope, and that's what a function declaration does.
2583
2584         * runtime/FunctionPrototype.cpp:
2585         (JSC::functionProtoFuncToString): Removed an old workaround because the
2586         library it worked around doesn't really exist anymore, and the behavior
2587         doesn't match Firefox or Chrome. Use type profiling offsets instead of
2588         function body offsets because we want to include the function name and
2589         the parameter string, rather than stitching them in manually by
2590         decompiling the AST.
2591
2592         (JSC::insertSemicolonIfNeeded): Deleted.
2593
2594         * tests/mozilla/js1_2/function/tostring-1.js:
2595         * tests/mozilla/js1_5/Scope/regress-185485.js:
2596         (with.g): Updated these test results for formatting changes.
2597
2598 2015-03-20  Joseph Pecoraro  <pecoraro@apple.com>
2599
2600         SyntaxChecker assertion is trapped with computed property name and getter
2601         https://bugs.webkit.org/show_bug.cgi?id=142863
2602
2603         Reviewed by Ryosuke Niwa.
2604
2605         * parser/SyntaxChecker.h:
2606         (JSC::SyntaxChecker::getName):
2607         Remove invalid assert. Computed properties will not have a name
2608         and the calling code is checking for null expecting it. The
2609         AST path (non-CheckingPath) already does this without the assert
2610         so it is well tested.
2611
2612 2015-03-19  Mark Lam  <mark.lam@apple.com>
2613
2614         JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
2615         <https://webkit.org/b/142846>
2616
2617         Reviewed by Geoffrey Garen.
2618
2619         Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
2620         1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
2621            that a JSCallbackObject references.
2622         2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
2623            vm.heap.addFinalizer() which destroys the JSCallbackObject.
2624
2625         The first finalizer is implemented as a virtual function of a JSCallbackObjectData
2626         instance that will be destructed if the 2nd finalizer is called.  Hence, if the
2627         2nd finalizer is called first, the later invocation of the 1st finalizer will
2628         result in a crash.
2629
2630         This patch fixes the issue by eliminating the finalizer registration in init().
2631         Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
2632         if needed.  This ensures that these finalizers are called before the JSCallbackObject
2633         is destructed.
2634
2635         Also added assertions to a few Heap functions because JSCell::classInfo() expects
2636         all objects that are allocated from MarkedBlock::Normal blocks to be derived from
2637         JSDestructibleObject.  These assertions will help us catch violations of this
2638         expectation earlier.
2639
2640         * API/JSCallbackObject.cpp:
2641         (JSC::JSCallbackObjectData::finalize): Deleted.
2642         * API/JSCallbackObject.h:
2643         (JSC::JSCallbackObjectData::~JSCallbackObjectData):
2644         * API/JSCallbackObjectFunctions.h:
2645         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2646         (JSC::JSCallbackObject<Parent>::init):
2647         * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
2648         (finalize):
2649         (testGlobalContextWithFinalizer):
2650         * API/tests/GlobalContextWithFinalizerTest.h: Added.
2651         * API/tests/testapi.c:
2652         (main):
2653         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
2654         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
2655         * JavaScriptCore.xcodeproj/project.pbxproj:
2656         * heap/HeapInlines.h:
2657         (JSC::Heap::allocateObjectOfType):
2658         (JSC::Heap::subspaceForObjectOfType):
2659         (JSC::Heap::allocatorForObjectOfType):
2660
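Added example for the entry above (editor's illustration, not JavaScriptCore code): a toy model of the two-finalizer ordering problem. `Heap`, `JSClass` and `CallbackObjectData` are hypothetical stand-ins, and `destroy()` flips a flag instead of freeing memory so the "crash" shows up as a log entry rather than undefined behaviour.

```cpp
// Added example (not JavaScriptCore code): a minimal model of the two-finalizer
// ordering problem. Heap, JSClass and CallbackObjectData are stand-ins for the
// real JSC types.
#include <cstddef>
#include <functional>
#include <string>
#include <utility>
#include <vector>

namespace fin {

using Log = std::vector<std::string>;

// Stand-in for a JSClassRef that carries a user finalize callback.
struct JSClass {
    std::string name;
};

// Stand-in for JSCallbackObjectData. Running the class finalizers goes through
// this object (a virtual call in JSC). Instead of really freeing it, destroy()
// flips `alive` so a use-after-destroy is reported rather than crashing.
struct CallbackObjectData {
    std::vector<JSClass*> classes;
    bool alive = true;

    void finalizeClasses(Log& log) {
        if (!alive) {
            log.push_back("use-after-destroy");
            return;
        }
        for (JSClass* c : classes)
            log.push_back("finalize:" + c->name);
    }
    void destroy() {
        alive = false;
        classes.clear();
    }
};

// A toy heap: collects finalizers and runs them in whatever order the
// collector happens to pick, which is the crux of the bug.
struct Heap {
    std::vector<std::function<void(Log&)>> finalizers;
    void addFinalizer(std::function<void(Log&)> f) { finalizers.push_back(std::move(f)); }
    void runFinalizers(const std::vector<std::size_t>& order, Log& log) {
        for (std::size_t i : order)
            finalizers[i](log);
    }
};

// BEFORE the fix: two independent finalizers. `order` is the sequence in which
// the heap happens to invoke them; {1, 0} is the crashing case.
inline Log buggyTeardown(const std::vector<std::size_t>& order) {
    Heap heap;
    Log log;
    JSClass a{"A"}, b{"B"};
    CallbackObjectData data;
    data.classes = {&a, &b};
    // 1. init(): weak finalizer for the JSClassRefs, implemented on `data`.
    heap.addFinalizer([&](Log& l) { data.finalizeClasses(l); });
    // 2. create(): heap finalizer that destroys the object and its data.
    heap.addFinalizer([&](Log& l) { data.destroy(); l.push_back("destroyed"); });
    heap.runFinalizers(order, log);
    return log;
}

// AFTER the fix: only the destroying finalizer is registered, and the object's
// teardown runs the class finalizers itself before its data goes away, so
// there is no ordering left for the heap to get wrong.
inline Log fixedTeardown() {
    Heap heap;
    Log log;
    JSClass a{"A"}, b{"B"};
    CallbackObjectData data;
    data.classes = {&a, &b};
    heap.addFinalizer([&](Log& l) {
        data.finalizeClasses(l); // ~JSCallbackObject calls the class finalizers
        data.destroy();
        l.push_back("destroyed");
    });
    heap.runFinalizers({0}, log);
    return log;
}

} // namespace fin
```

Running `buggyTeardown` with order {0, 1} looks healthy, which is why such bugs survive testing; {1, 0} is the case that crashed. The fix removes the ordering dependency rather than trying to pin down the order.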
2661 2015-03-19  Andreas Kling  <akling@apple.com>
2662
2663         JSCallee unnecessarily overrides a bunch of things in the method table.
2664         <https://webkit.org/b/142855>
2665
2666         Reviewed by Geoffrey Garen.
2667
2668         Remove JSCallee method table overrides that simply call to base class.
2669         This makes JSFunction property slot lookups slightly more efficient since
2670         they can take the fast path when passing over JSCallee in the base class chain.
2671
2672         * runtime/JSCallee.cpp:
2673         (JSC::JSCallee::getOwnPropertySlot): Deleted.
2674         (JSC::JSCallee::getOwnNonIndexPropertyNames): Deleted.
2675         (JSC::JSCallee::put): Deleted.
2676         (JSC::JSCallee::deleteProperty): Deleted.
2677         (JSC::JSCallee::defineOwnProperty): Deleted.
2678         * runtime/JSCallee.h:
2679
2680 2015-03-19  Andreas Kling  <akling@apple.com>
2681
2682         DFGAllocator should use bmalloc's aligned allocator.
2683         <https://webkit.org/b/142871>
2684
2685         Reviewed by Geoffrey Garen.
2686
2687         Switch DFGAllocator to using bmalloc through fastAlignedMalloc().
2688
2689         * dfg/DFGAllocator.h:
2690         (JSC::DFG::Allocator<T>::allocateSlow):
2691         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
2692         * heap/CopiedSpace.h:
2693         * heap/MarkedBlock.h:
2694         * heap/MarkedSpace.h:
2695
2696 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2697
2698         ES6 Classes: Extends should accept an expression without parenthesis
2699         https://bugs.webkit.org/show_bug.cgi?id=142840
2700
2701         Reviewed by Ryosuke Niwa.
2702
2703         * parser/Parser.cpp:
2704         (JSC::Parser<LexerType>::parseClass):
2705         "extends" allows a LeftHandExpression (new expression / call expression,
2706         which includes a member expression), not a primary expression. Our
2707         parseMemberExpression does all of these.
2708
2709 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2710
2711         Web Inspector: Debugger Popovers and Probes should use FormattedValue/ObjectTreeView instead of Custom/ObjectPropertiesSection
2712         https://bugs.webkit.org/show_bug.cgi?id=142830
2713
2714         Reviewed by Timothy Hatcher.
2715
2716         * inspector/agents/InspectorDebuggerAgent.cpp:
2717         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2718         Give Probe Samples object previews.
2719
2720 2015-03-17  Ryuan Choi  <ryuan.choi@navercorp.com>
2721
2722         [EFL] Expose JavaScript binding interface through ewk_extension
2723         https://bugs.webkit.org/show_bug.cgi?id=142033
2724
2725         Reviewed by Gyuyoung Kim.
2726
2727         * PlatformEfl.cmake: Install Javascript APIs.
2728
2729 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2730
2731         Function bodies should always include braces
2732         https://bugs.webkit.org/show_bug.cgi?id=142795
2733
2734         Reviewed by Michael Saboff.
2735
2736         Having a mode for excluding the opening and closing braces from a function
2737         body was unnecessary and confusing.
2738
2739         * bytecode/CodeBlock.cpp:
2740         (JSC::CodeBlock::CodeBlock): Adopt the new one true linking function.
2741
2742         * bytecode/UnlinkedCodeBlock.cpp:
2743         (JSC::generateFunctionCodeBlock):
2744         (JSC::UnlinkedFunctionExecutable::link):
2745         (JSC::UnlinkedFunctionExecutable::codeBlockFor): No need to pass through
2746         a boolean: there is only one kind of function now.
2747
2748         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Deleted.
2749         (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Deleted. Let's only
2750         have one way to do things. This removes the old mode that would pretend
2751         that a function always started at column 1. That pretense was not true:
2752         an attribute event listener does not necessarily start at column 1.
2753
2754         * bytecode/UnlinkedCodeBlock.h:
2755         * generate-js-builtins: Adopt the new one true linking function.
2756
2757         * parser/Parser.h:
2758         (JSC::Parser<LexerType>::parse):
2759         (JSC::parse): needsReparsingAdjustment is always true now, so I removed it.
2760
2761         * runtime/Executable.cpp:
2762         (JSC::ScriptExecutable::newCodeBlockFor):
2763         (JSC::FunctionExecutable::FunctionExecutable):
2764         (JSC::ProgramExecutable::initializeGlobalProperties):
2765         (JSC::FunctionExecutable::fromGlobalCode):
2766         * runtime/Executable.h:
2767         (JSC::FunctionExecutable::create):
2768         (JSC::FunctionExecutable::bodyIncludesBraces): Deleted. Removed unused stuff.
2769
2770         * runtime/FunctionConstructor.cpp:
2771         (JSC::constructFunctionSkippingEvalEnabledCheck): Always provide a
2772         leading space because that's what this function's comment says is required
2773         for web compatibility. We used to fake this up after the fact when
2774         stringifying, based on the bodyIncludesBraces flag, but that flag is gone now.
2775
2776         * runtime/FunctionPrototype.cpp:
2777         (JSC::insertSemicolonIfNeeded):
2778         (JSC::functionProtoFuncToString): No need to add braces and/or a space
2779         after the fact -- we always have them now.
2780
2781 2015-03-17  Mark Lam  <mark.lam@apple.com>
2782
2783         Refactor execution time limit tests out of testapi.c.
2784         <https://webkit.org/b/142798>
2785
2786         Rubber stamped by Michael Saboff.
2787
2788         These tests were sometimes failing to time out on C loop builds.  Let's
2789         refactor them out of the big monolith that is testapi.c so that we can
2790         reason more easily about them and make adjustments if needed.
2791
2792         * API/tests/ExecutionTimeLimitTest.cpp: Added.
2793         (currentCPUTime):
2794         (currentCPUTimeAsJSFunctionCallback):
2795         (shouldTerminateCallback):
2796         (cancelTerminateCallback):
2797         (extendTerminateCallback):
2798         (testExecutionTimeLimit):
2799         * API/tests/ExecutionTimeLimitTest.h: Added.
2800         * API/tests/testapi.c:
2801         (main):
2802         (currentCPUTime): Deleted.
2803         (currentCPUTime_callAsFunction): Deleted.
2804         (shouldTerminateCallback): Deleted.
2805         (cancelTerminateCallback): Deleted.
2806         (extendTerminateCallback): Deleted.
2807         * JavaScriptCore.xcodeproj/project.pbxproj:
2808
2809 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2810
2811         Built-in functions should know that they use strict mode
2812         https://bugs.webkit.org/show_bug.cgi?id=142788
2813
2814         Reviewed by Mark Lam.
2815
2816         Even though all of our builtin functions use strict mode, the parser
2817         thinks that they don't. This is because Executable::toStrictness treats
2818         builtin-ness and strict-ness as mutually exclusive.
2819
2820         The fix is to disambiguate builtin-ness from strict-ness.
2821
2822         This bug is currently unobservable because of some other parser bugs. But
2823         it causes lots of test failures once those other bugs are fixed.
2824
2825         * API/JSScriptRef.cpp:
2826         (parseScript):
2827         * builtins/BuiltinExecutables.cpp:
2828         (JSC::BuiltinExecutables::createBuiltinExecutable): Adopt the new API
2829         for a separate value to indicate builtin-ness vs strict-ness.
2830
2831         * bytecode/UnlinkedCodeBlock.cpp:
2832         (JSC::generateFunctionCodeBlock):
2833         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Ditto.
2834
2835         * bytecode/UnlinkedCodeBlock.h:
2836         (JSC::UnlinkedFunctionExecutable::toStrictness): Deleted. This function
2837         was misleading since it pretended that no builtin function was ever
2838         strict, which is the opposite of true.
2839
2840         * parser/Lexer.cpp:
2841         (JSC::Lexer<T>::Lexer):
2842         * parser/Lexer.h:
2843         * parser/Parser.cpp:
2844         (JSC::Parser<LexerType>::Parser):
2845         * parser/Parser.h:
2846         (JSC::parse): Adopt the new API.
2847
2848         * parser/ParserModes.h: Added JSParserBuiltinMode, and tried to give
2849         existing modes clearer names.
2850
2851         * runtime/CodeCache.cpp:
2852         (JSC::CodeCache::getGlobalCodeBlock):
2853         (JSC::CodeCache::getProgramCodeBlock):
2854         (JSC::CodeCache::getEvalCodeBlock):
2855         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Adopt the new API.
2856
2857         * runtime/CodeCache.h:
2858         (JSC::SourceCodeKey::SourceCodeKey): Be sure to treat strict-ness and
2859         builtin-ness as separate pieces of the code cache key. We would not want
2860         a user function to match a built-in function in the cache, even if they
2861         agreed about strictness, since builtin functions have different lexing
2862         rules.
2863
2864         * runtime/Completion.cpp:
2865         (JSC::checkSyntax):
2866         * runtime/Executable.cpp:
2867         (JSC::FunctionExecutable::FunctionExecutable):
2868         (JSC::ProgramExecutable::checkSyntax):
2869         * runtime/Executable.h:
2870         (JSC::FunctionExecutable::create):
2871         * runtime/JSGlobalObject.cpp:
2872         (JSC::JSGlobalObject::createProgramCodeBlock):
2873         (JSC::JSGlobalObject::createEvalCodeBlock): Adopt the new API.
2874
2875 2015-03-16  Filip Pizlo  <fpizlo@apple.com>
2876
2877         DFG IR shouldn't have a separate node for every kind of put hint that could be described using PromotedLocationDescriptor
2878         https://bugs.webkit.org/show_bug.cgi?id=142769
2879
2880         Reviewed by Michael Saboff.
2881         
2882         When we sink an object allocation, we need to have some way of tracking what stores would
2883         have happened had the allocation not been sunk, so that we know how to rematerialize the
2884         object on OSR exit. Prior to this change, trunk had two ways of describing such a "put
2885         hint":
2886         
2887         - The PutStructureHint and PutByOffsetHint node types.
2888         - The PromotedLocationDescriptor class, which has an enum with cases StructurePLoc and
2889           NamedPropertyPLoc.
2890         
2891         We also had ways of converting from a Node with those two node types to a
2892         PromotedLocationDescriptor, and we had a way of converting a PromotedLocationDescriptor to
2893         a Node.
2894         
2895         This change removes the redundancy. We now have just one node type that corresponds to a
2896         put hint, and it's called PutHint. It has a PromotedLocationDescriptor as metadata.
2897         Converting between a PutHint node and a PromotedLocationDescriptor and vice-versa is now
2898         trivial.
2899         
2900         This means that if we add new kinds of sunken objects, we'll have less pro-forma to write
2901         for the put hints to those objects. This is mainly to simplify the implementation of
2902         arguments elimination in bug 141174.
2903
2904         * dfg/DFGAbstractInterpreterInlines.h:
2905         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2906         * dfg/DFGClobberize.h:
2907         (JSC::DFG::clobberize):
2908         * dfg/DFGDoesGC.cpp:
2909         (JSC::DFG::doesGC):
2910         * dfg/DFGFixupPhase.cpp:
2911         (JSC::DFG::FixupPhase::fixupNode):
2912         * dfg/DFGGraph.cpp:
2913         (JSC::DFG::Graph::dump):
2914         (JSC::DFG::Graph::mergeRelevantToOSR):
2915         * dfg/DFGMayExit.cpp:
2916         (JSC::DFG::mayExit):
2917         * dfg/DFGNode.cpp:
2918         (JSC::DFG::Node::convertToPutHint):
2919         (JSC::DFG::Node::convertToPutStructureHint):
2920         (JSC::DFG::Node::convertToPutByOffsetHint):
2921         (JSC::DFG::Node::promotedLocationDescriptor):
2922         * dfg/DFGNode.h:
2923         (JSC::DFG::Node::hasIdentifier):
2924         (JSC::DFG::Node::hasPromotedLocationDescriptor):
2925         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
2926         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
2927         * dfg/DFGNodeType.h:
2928         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2929         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2930         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2931         (JSC::DFG::ObjectAllocationSinkingPhase::run):
2932         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
2933         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2934         * dfg/DFGPredictionPropagationPhase.cpp:
2935         (JSC::DFG::PredictionPropagationPhase::propagate):
2936         * dfg/DFGPromoteHeapAccess.h:
2937         (JSC::DFG::promoteHeapAccess):
2938         * dfg/DFGPromotedHeapLocation.cpp:
2939         (JSC::DFG::PromotedHeapLocation::createHint):
2940         * dfg/DFGPromotedHeapLocation.h:
2941         (JSC::DFG::PromotedLocationDescriptor::imm1):
2942         (JSC::DFG::PromotedLocationDescriptor::imm2):
2943         * dfg/DFGSafeToExecute.h:
2944         (JSC::DFG::safeToExecute):
2945         * dfg/DFGSpeculativeJIT32_64.cpp:
2946         (JSC::DFG::SpeculativeJIT::compile):
2947         * dfg/DFGSpeculativeJIT64.cpp:
2948         (JSC::DFG::SpeculativeJIT::compile):
2949         * dfg/DFGValidate.cpp:
2950         (JSC::DFG::Validate::validateCPS):
2951         * ftl/FTLCapabilities.cpp:
2952         (JSC::FTL::canCompile):
2953         * ftl/FTLLowerDFGToLLVM.cpp:
2954         (JSC::FTL::LowerDFGToLLVM::compileNode):
2955
2956 2015-03-17  Michael Saboff  <msaboff@apple.com>
2957
2958         Windows X86-64 should use the fixed executable allocator
2959         https://bugs.webkit.org/show_bug.cgi?id=142749
2960
2961         Reviewed by Filip Pizlo.
2962
2963         Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build.
2964
2965         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2966         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2967         * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows.
2968
2969 2015-03-17  Matt Baker  <mattbaker@apple.com>
2970
2971         Web Inspector: Show rendering frames (and FPS) in Layout and Rendering timeline
2972         https://bugs.webkit.org/show_bug.cgi?id=142029
2973
2974         Reviewed by Timothy Hatcher.
2975
2976         * inspector/protocol/Timeline.json:
2977         Added new event type for runloop timeline records.
2978
2979 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
2980
2981         Enable ES6 classes by default
2982         https://bugs.webkit.org/show_bug.cgi?id=142774
2983
2984         Reviewed by Gavin Barraclough.
2985
2986         Enabled the feature and unskipped tests.
2987
2988         * Configurations/FeatureDefines.xcconfig:
2989         * tests/stress/class-syntax-no-loop-tdz.js:
2990         * tests/stress/class-syntax-no-tdz-in-catch.js:
2991         * tests/stress/class-syntax-no-tdz-in-conditional.js:
2992         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
2993         * tests/stress/class-syntax-no-tdz-in-loop.js:
2994         * tests/stress/class-syntax-no-tdz.js:
2995         * tests/stress/class-syntax-tdz-in-catch.js:
2996         * tests/stress/class-syntax-tdz-in-conditional.js:
2997         * tests/stress/class-syntax-tdz-in-loop.js:
2998         * tests/stress/class-syntax-tdz.js:
2999
3000 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3001
3002         Web Inspector: Better Console Previews for Arrays / Small Objects
3003         https://bugs.webkit.org/show_bug.cgi?id=142322
3004
3005         Reviewed by Timothy Hatcher.
3006
3007         * inspector/InjectedScriptSource.js:
3008         Create deep valuePreviews for simple previewable objects,
3009         such as arrays with 5 values, or basic objects with
3010         3 properties.
3011
3012 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
3013
3014         Add support for default constructor
3015         https://bugs.webkit.org/show_bug.cgi?id=142388
3016
3017         Reviewed by Filip Pizlo.
3018
3019         Added the support for default constructors. They're generated by ClassExprNode::emitBytecode
3020         via BuiltinExecutables::createDefaultConstructor.
3021
3022         UnlinkedFunctionExecutable now has the ability to override SourceCode provided by the owner
3023         executable. We can't store SourceCode in UnlinkedFunctionExecutable since CodeCache can use
3024         the same UnlinkedFunctionExecutable to generate code blocks for multiple functions.
3025
3026         Parser now has the ability to treat any function expression as a constructor of the kind specified
3027         by m_defaultConstructorKind member variable.
3028
3029         * builtins/BuiltinExecutables.cpp:
3030         (JSC::BuiltinExecutables::createDefaultConstructor): Added.
3031         (JSC::BuiltinExecutables::createExecutableInternal): Generalized from createBuiltinExecutable.
3032         Parse default constructors as normal non-builtin functions. Override SourceCode in the unlinked
3033         function executable since the Miranda function's code is definitely not in the owner executable's
3034         source code. That's the whole point.
3035         * builtins/BuiltinExecutables.h:
3036         (UnlinkedFunctionExecutable::createBuiltinExecutable): Added. Wraps createExecutableInternal.
3037         * bytecode/UnlinkedCodeBlock.cpp:
3038         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3039         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable):
3040         (JSC::UnlinkedFunctionExecutable::linkGlobalCode):
3041         * bytecode/UnlinkedCodeBlock.h:
3042         (JSC::UnlinkedFunctionExecutable::create):
3043         (JSC::UnlinkedFunctionExecutable::symbolTable): Deleted.
3044         * bytecompiler/BytecodeGenerator.cpp:
3045         (JSC::BytecodeGenerator::emitNewDefaultConstructor): Added.
3046         * bytecompiler/BytecodeGenerator.h:
3047         * bytecompiler/NodesCodegen.cpp:
3048         (JSC::ClassExprNode::emitBytecode): Generate the default constructor if needed.
3049         * parser/Parser.cpp:
3050         (JSC::Parser<LexerType>::Parser):
3051         (JSC::Parser<LexerType>::parseFunctionInfo): Override ownerClassKind and treat the function as
3052         a constructor if we're parsing a default constructor.
3053         (JSC::Parser<LexerType>::parseClass): Allow omission of the class constructor.
3054         * parser/Parser.h:
3055         (JSC::parse):
3056
3057 2015-03-16  Alex Christensen  <achristensen@webkit.org>
3058
3059         Progress towards CMake on Mac
3060         https://bugs.webkit.org/show_bug.cgi?id=142747
3061
3062         Reviewed by Chris Dumez.
3063
3064         * CMakeLists.txt:
3065         Include AugmentableInspectorController.h in CMake build.
3066
3067 2015-03-16  Csaba Osztrogonác  <ossy@webkit.org>
3068
3069         [ARM] Enable generating idiv instructions if it is supported
3070         https://bugs.webkit.org/show_bug.cgi?id=142725
3071
3072         Reviewed by Michael Saboff.
3073
3074         * assembler/ARMAssembler.h: Added sdiv and udiv implementation for ARM Traditional instruction set.
3075         (JSC::ARMAssembler::sdiv):
3076         (JSC::ARMAssembler::udiv):
3077         * assembler/ARMv7Assembler.h: Use HAVE(ARM_IDIV_INSTRUCTIONS) instead of CPU(APPLE_ARMV7S).
3078         * assembler/AbstractMacroAssembler.h:
3079         (JSC::isARMv7IDIVSupported):
3080         (JSC::optimizeForARMv7IDIVSupported):
3081         (JSC::isARMv7s): Renamed to isARMv7IDIVSupported().
3082         (JSC::optimizeForARMv7s): Renamed to optimizeForARMv7IDIVSupported().
3083         * dfg/DFGFixupPhase.cpp:
3084         (JSC::DFG::FixupPhase::fixupNode):
3085         * dfg/DFGSpeculativeJIT.cpp:
3086         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3087         (JSC::DFG::SpeculativeJIT::compileArithMod):
3088
3089 2015-03-15  Filip Pizlo  <fpizlo@apple.com>
3090
3091         DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source, and emit GetStacks when the stack's value is needed and none is deferred
3092         https://bugs.webkit.org/show_bug.cgi?id=141624
3093
3094         Reviewed by Geoffrey Garen.
3095
3096         Not eliminating GetStacks was an obvious omission from the original PutStackSinkingPhase.
3097         Previously, we would treat GetStacks conservatively and assume that the stack slot
3098         escaped. That's pretty dumb, since a GetStack is a local load of the stack. This change
3099         makes GetStack a no-op from the standpoint of this phase's deferral analysis. At the end
3100         we either keep the GetStack (if there was no concrete deferral) or we replace it with an
3101         identity over the value that would have been stored by the deferred PutStack. Note that
3102         this might be a Phi that the phase creates, so this is strictly stronger than what GCSE
3103         could do.
3104         
3105         But this change revealed the fact that this phase never correctly handled side effects in
3106         case that we had done a GetStack, then a side-effect, and then found ourselves wanting the
3107         value on the stack due to (for example) a Phi on a deferred PutStack and that GetStack.
3108         Basically, it's only correct to use the SSA converter's incoming value mapping if we have
3109         a concrete deferral - since anything but a concrete deferral may imply that the value has
3110         been clobbered.
3111         
3112         This has no performance change. I believe that the bug was previously benign because we
3113         have so few operations that clobber the stack anymore, and most of those get used in a
3114         very idiomatic way. The GetStack elimination will be very useful for the varargs
3115         simplification that is part of bug 141174.
3116         
3117         This includes a test for the case that Speedometer hit, plus tests for the other cases I
3118         thought of once I realized the deeper issue.
3119
3120         * dfg/DFGPutStackSinkingPhase.cpp:
3121         * tests/stress/get-stack-identity-due-to-sinking.js: Added.
3122         (foo):
3123         (bar):
3124         * tests/stress/get-stack-mapping-with-dead-get-stack.js: Added.
3125         (bar):
3126         (foo):
3127         * tests/stress/get-stack-mapping.js: Added.
3128         (bar):
3129         (foo):
3130         * tests/stress/weird-put-stack-varargs.js: Added.
3131         (baz):
3132         (foo):
3133         (fuzz):
3134         (bar):
3135
3136 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3137
3138         Update Map/Set to treat -0 and 0 as the same value
3139         https://bugs.webkit.org/show_bug.cgi?id=142709
3140
3141         Reviewed by Csaba Osztrogonác.
3142
3143         * runtime/MapData.h:
3144         (JSC::MapDataImpl<Entry>::KeyType::KeyType):
3145         No longer special case -0. It will be treated as the same as 0.
3146
3147 2015-03-15  Joseph Pecoraro  <pecoraro@apple.com>
3148
3149         Web Inspector: Better handle displaying -0
3150         https://bugs.webkit.org/show_bug.cgi?id=142708
3151
3152         Reviewed by Timothy Hatcher.
3153
3154         Modeled after a blink change:
3155
3156         Patch by <aandrey@chromium.org>
3157         DevTools: DevTools: Show -0 for negative zero in console
3158         https://src.chromium.org/viewvc/blink?revision=162605&view=revision
3159
3160         * inspector/InjectedScriptSource.js:
3161         When creating a description string, or preview value string
3162         for -0, be sure the string is "-0" and not "0".
3163
2015-03-14  Ryosuke Niwa  <rniwa@webkit.org>

        parseClass should popScope after pushScope
        https://bugs.webkit.org/show_bug.cgi?id=142689

        Reviewed by Benjamin Poulain.

        Pop the parser scope as needed.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-03-14  Dean Jackson  <dino@apple.com>

        Feature flag for Animations Level 2
        https://bugs.webkit.org/show_bug.cgi?id=142699
        <rdar://problem/20165097>

        Reviewed by Brent Fulgham.

        Add ENABLE_CSS_ANIMATIONS_LEVEL_2 and a runtime flag animationTriggersEnabled.

        * Configurations/FeatureDefines.xcconfig:

2015-03-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r181487.
        https://bugs.webkit.org/show_bug.cgi?id=142695

        Caused Speedometer/Full.html to fail (Requested by smfr on
        #webkit).

        Reverted changeset:

        "DFG::PutStackSinkingPhase should eliminate GetStacks that
        have an obviously known source"
        https://bugs.webkit.org/show_bug.cgi?id=141624
        http://trac.webkit.org/changeset/181487

2015-03-14  Michael Saboff  <msaboff@apple.com>

        ES6: Add binary and octal literal support
        https://bugs.webkit.org/show_bug.cgi?id=142681

        Reviewed by Ryosuke Niwa.

        Added a binary literal parser function, parseBinary(), to Lexer patterned after the octal parser.
        Refactored the parseBinary, parseOctal and parseDecimal to use a constant size for the number of
        characters to try and handle directly. Factored out the shifting past any prefix to be handled by
        the caller. Added binary and octal parsing to toDouble() via helper functions.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseHex):
        (JSC::Lexer<T>::parseBinary):
        (JSC::Lexer<T>::parseOctal):
        (JSC::Lexer<T>::parseDecimal):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        * parser/ParserTokens.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::jsBinaryIntegerLiteral):
        (JSC::jsOctalIntegerLiteral):
        (JSC::toDouble):

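Added example (not JavaScriptCore's Lexer) with the structure the binary/octal entry above describes: the caller recognises and skips the 0b/0o/0x prefix, the digit parser handles a fixed number of characters directly and only then continues accumulating as a double, and a literal followed by an identifier character or with no digits at all is rejected. FAST_PATH_DIGITS, parseRadixDigits and parseIntegerLiteral are this example's own names and constants, not JSC's.

```javascript
// Digits consumed in the bounded first loop (assumed constants: chosen so a
// value built from that many digits stays below 2^31, as a C++ integer
// fast path would require; JSC's actual limits are not reproduced here).
const FAST_PATH_DIGITS = { 2: 31, 8: 10, 16: 7 };

// Value of one character in the given radix, or -1 when it is not a digit.
function digitValue(ch, radix) {
  const v = parseInt(ch, radix);
  return Number.isNaN(v) ? -1 : v;
}

// Parse digits of `radix` starting at `pos` (the caller has already skipped
// the prefix). Returns { value, end, exact } or null on a malformed literal.
function parseRadixDigits(text, pos, radix) {
  let value = 0;
  let i = pos;
  const fastLimit = pos + FAST_PATH_DIGITS[radix];
  // Bounded loop: a fixed number of characters, safe for integer arithmetic.
  while (i < fastLimit && i < text.length && digitValue(text[i], radix) >= 0) {
    value = value * radix + digitValue(text[i], radix);
    i++;
  }
  // Unbounded loop: longer literals keep accumulating as a double, which is
  // exact only while the value stays within 2^53.
  while (i < text.length && digitValue(text[i], radix) >= 0) {
    value = value * radix + digitValue(text[i], radix);
    i++;
  }
  if (i === pos) return null; // "0b" with no digits is a syntax error
  // "0b12", "0o8", "0b1x": a digit-like or identifier character may not follow.
  if (i < text.length && /[0-9A-Za-z_$]/.test(text[i])) return null;
  return { value, end: i, exact: Number.isSafeInteger(value) };
}

// Caller side: recognise the prefix, shift past it, hand off to the digit parser.
// Returns the numeric value for a complete, valid literal, otherwise null.
function parseIntegerLiteral(text) {
  const m = /^0([bBoOxX])/.exec(text);
  if (!m) return null;
  const radix = { b: 2, o: 8, x: 16 }[m[1].toLowerCase()];
  const r = parseRadixDigits(text, 2, radix);
  return r !== null && r.end === text.length ? r.value : null;
}
```
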
2015-03-13  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=142680

        Reviewed by Gyuyoung Kim.

        * PlatformMac.cmake:
        Generate TracingDtrace.h based on project.pbxproj.

2015-03-13  Filip Pizlo  <fpizlo@apple.com>

        Object allocation sinking phase shouldn't re-decorate previously sunken allocations on each fixpoint operation
        https://bugs.webkit.org/show_bug.cgi?id=142686

        Reviewed by Oliver Hunt.

        Just because promoteHeapAccess() notifies us of an effect to a heap location in a node doesn't
        mean that we should handle it as if it was for one of our sinking candidates. Instead we should
        prune based on m_sinkCandidates.

        This fixes a benign bug where we would generate a lot of repeated IR for some pathological
        tests.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):

2015-03-13  Eric Carlson  <eric.carlson@apple.com>

        [Mac] Enable WIRELESS_PLAYBACK_TARGET
        https://bugs.webkit.org/show_bug.cgi?id=142635

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2015-03-13  Ryosuke Niwa  <rniwa@webkit.org>

        Class constructor should throw TypeError when "called"
        https://bugs.webkit.org/show_bug.cgi?id=142566

        Reviewed by Michael Saboff.

        Added ConstructorKind::None to denote code that doesn't belong to an ES6 class.
        This allows BytecodeGenerator to emit code to throw TypeError when generating code block
        to call ES6 class constructors.

        Most of the changes are about increasing the number of bits to store ConstructorKind from one
        bit to two bits.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::ExecutableInfo::needsActivation):
        (JSC::ExecutableInfo::usesEval):
        (JSC::ExecutableInfo::isStrictMode):
        (JSC::ExecutableInfo::isConstructor):
        (JSC::ExecutableInfo::isBuiltinFunction):
        (JSC::ExecutableInfo::constructorKind):
        (JSC::UnlinkedFunctionExecutable::constructorKind):
        (JSC::UnlinkedCodeBlock::constructorKind):
        (JSC::UnlinkedFunctionExecutable::constructorKindIsDerived): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKindIsDerived): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate): Don't emit bytecode when we had already emitted code
        to throw TypeError.
        (JSC::BytecodeGenerator::BytecodeGenerator): Emit code to throw TypeError when generating
        code to call.
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::constructorKind):
        (JSC::BytecodeGenerator::constructorKindIsDerived): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        * parser/Nodes.cpp:
        (JSC::FunctionBodyNode::FunctionBodyNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo): Renamed the incoming function argument to
        ownerClassKind. Set constructorKind to Base or Derived only if we're parsing a constructor.
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass): Don't parse static methods using MethodMode since that
        would result in BytecodeGenerator erroneously treating static method named "constructor" as
        a class constructor.
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        * parser/ParserModes.h:
        * runtime/Executable.h:
        (JSC::EvalExecutable::executableInfo):
        (JSC::ProgramExecutable::executableInfo):

2015-03-13  Filip Pizlo  <fpizlo@apple.com>

        DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source
        https://bugs.webkit.org/show_bug.cgi?id=141624

        Reviewed by Oliver Hunt.

        This was an obvious omission from the original PutStackSinkingPhase. Previously, we would treat
        GetStacks conservatively and assume that the stack slot escaped. That's pretty dumb, since a