[WebKit-https.git] / Source / JavaScriptCore / ChangeLog @ a24310eee3b880c08fd0bce6319b2c8696c65d65
1 2015-03-27  Michael Saboff  <msaboff@apple.com>
2
3         load8Signed() and load16Signed() should be renamed to avoid confusion
4         https://bugs.webkit.org/show_bug.cgi?id=143168
5
6         Reviewed by Benjamin Poulain.
7
8         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
9
10         * assembler/MacroAssemblerARM.h:
11         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
12         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
13         (JSC::MacroAssemblerARM::load8Signed): Deleted.
14         (JSC::MacroAssemblerARM::load16Signed): Deleted.
15         * assembler/MacroAssemblerARM64.h:
16         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
17         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
18         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
19         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
20         * assembler/MacroAssemblerARMv7.h:
21         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
22         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
23         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
24         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
25         * assembler/MacroAssemblerMIPS.h:
26         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
27         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
28         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
29         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
30         * assembler/MacroAssemblerSH4.h:
31         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
32         (JSC::MacroAssemblerSH4::load8):
33         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
34         (JSC::MacroAssemblerSH4::load16):
35         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
36         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
37         * assembler/MacroAssemblerX86Common.h:
38         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
39         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
40         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
41         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
42         * dfg/DFGSpeculativeJIT.cpp:
43         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
44         * jit/JITPropertyAccess.cpp:
45         (JSC::JIT::emitIntTypedArrayGetByVal):
46
47 2015-03-27  Michael Saboff  <msaboff@apple.com>
48
49         Fix flaky dfg-int8array.js and dfg-int16array.js tests for ARM64
50         https://bugs.webkit.org/show_bug.cgi?id=138390
51
52         Reviewed by Mark Lam.
53
54         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
55         instead of 64 bits.  This is what X86-64 does.
56
57         * assembler/MacroAssemblerARM64.h:
58         (JSC::MacroAssemblerARM64::load16Signed):
59         (JSC::MacroAssemblerARM64::load8Signed):
60
61 2015-03-27  Saam Barati  <saambarati1@gmail.com>
62
63         Add back previously broken assert from bug 141869
64         https://bugs.webkit.org/show_bug.cgi?id=143005
65
66         Reviewed by Michael Saboff.
67
68         * runtime/ExceptionHelpers.cpp:
69         (JSC::invalidParameterInSourceAppender):
70
71 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
72
73         Make some more objects use FastMalloc
74         https://bugs.webkit.org/show_bug.cgi?id=143122
75
76         Reviewed by Csaba Osztrogonác.
77
78         * API/JSCallbackObject.h:
79         * heap/IncrementalSweeper.h:
80         * jit/JITThunks.h:
81         * runtime/JSGlobalObjectDebuggable.h:
82         * runtime/RegExpCache.h:
83
84 2015-03-27  Michael Saboff  <msaboff@apple.com>
85
86         Objects with numeric properties intermittently get a phantom 'length' property
87         https://bugs.webkit.org/show_bug.cgi?id=142792
88
89         Reviewed by Csaba Osztrogonác.
90
91         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
92         test and branch instructions.  This function is used for linking tbz/tbnz branches between
93         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
94         the failure case checks in the GetById array length stub created for "obj.length" access.
95         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
96         being set when we should have been looking for bit 0.
97
98         * assembler/ARM64Assembler.h:
99         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
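The field extraction that the fix above concerns can be checked with a small encoder/decoder for A64 test-and-branch instructions. This is an added example written for this page, not WebKit's ARM64Assembler code; it assumes the architectural TBZ/TBNZ layout (b5 at bit 31, op at bit 24, b40 at bits 23:19, imm14 at bits 18:5, Rt at bits 4:0) and all function names are its own.

```javascript
// Added example, not WebKit's ARM64Assembler. Assumed A64 TBZ/TBNZ layout:
// bit 31 = b5 (top bit of the tested bit number), bits 30:25 = 011011,
// bit 24 = op (0 TBZ, 1 TBNZ), bits 23:19 = b40, bits 18:5 = imm14
// (signed word offset from the instruction), bits 4:0 = Rt.
const TB_FIXED_MASK = 0x7e000000 >>> 0;
const TB_FIXED_BITS = 0x36000000 >>> 0;
const IMM14_MIN_BYTES = -(1 << 15);     // -8192 words
const IMM14_MAX_BYTES = (1 << 15) - 4;  //  8191 words

function encodeTestAndBranch({ isTbnz, rt, bitNumber, offsetBytes }) {
  if (rt < 0 || rt > 31) throw new RangeError("rt out of range");
  if (bitNumber < 0 || bitNumber > 63) throw new RangeError("bit number out of range");
  if (offsetBytes % 4 !== 0) throw new RangeError("offset must be word aligned");
  if (offsetBytes < IMM14_MIN_BYTES || offsetBytes > IMM14_MAX_BYTES) {
    throw new RangeError("offset out of imm14 range");
  }
  const b5 = (bitNumber >>> 5) & 1;
  const b40 = bitNumber & 0x1f;
  const imm14 = (offsetBytes >> 2) & 0x3fff;  // two's complement, 14 bits
  return ((b5 << 31) | TB_FIXED_BITS | ((isTbnz ? 1 : 0) << 24) |
          (b40 << 19) | (imm14 << 5) | rt) >>> 0;
}

function decodeTestAndBranch(insn) {
  if (((insn & TB_FIXED_MASK) >>> 0) !== TB_FIXED_BITS) return null;
  // Every field is a shift followed by a mask. A comparison such as
  // (insn > 31) where the shift (insn >>> 31) was intended evaluates to a
  // 0/1 truth value unrelated to the bit, which is the kind of slip the
  // entry above describes: the decoded bit number silently changes and a
  // relinked branch ends up testing the wrong bit.
  const b5 = (insn >>> 31) & 1;
  const isTbnz = ((insn >>> 24) & 1) === 1;
  const b40 = (insn >>> 19) & 0x1f;
  const imm14 = (insn >>> 5) & 0x3fff;
  const rt = insn & 0x1f;
  const offsetWords = (imm14 << 18) >> 18;  // sign-extend 14 bits
  return { isTbnz, rt, bitNumber: (b5 << 5) | b40, offsetBytes: offsetWords * 4 };
}

// Re-target an existing TBZ/TBNZ at a new offset while keeping op, Rt and
// the tested bit: the operation a linker performs when it patches a branch
// between two separately emitted code regions. A wrong decode of any field
// here produces a bogus instruction, as in the bug the entry describes.
function relinkTestAndBranch(insn, newOffsetBytes) {
  const fields = decodeTestAndBranch(insn);
  if (fields === null) throw new TypeError("not a test-and-branch instruction");
  return encodeTestAndBranch({ ...fields, offsetBytes: newOffsetBytes });
}
```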
100
101 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
102
103         Insert exception check around toPropertyKey call
104         https://bugs.webkit.org/show_bug.cgi?id=142922
105
106         Reviewed by Geoffrey Garen.
107
108         In some places, an exception check is missing after/before toPropertyKey.
109         However, since it calls toString, it's observable to users.
110
111         Missing exception checks in Object.prototype methods can be
112         observed since it would be overridden with toObject(null/undefined) errors.
113         We inserted exception checks after toPropertyKey.
114
115         Missing exception checks in GetById related code can be
116         observed since it would be overridden with toObject(null/undefined) errors.
117         In this case, we need to insert exception checks before/after toPropertyKey
118         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
119
120         JSValue::get checks null/undefined and raise an exception if |this| is null or undefined.
121         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
122         According to the spec, we first perform RequireObjectCoercible and check the exception.
123         And second, we perform ToPropertyKey and check the exception.
124         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
125         For example, if the target is not object coercible,
126         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
127         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
128
129         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
130
131         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
132
133         toObject converts primitive types into wrapper objects.
134         But it is not efficient since wrapper objects are not necessary
135         if we look up methods from primitive value's prototype. (using synthesizePrototype is better).
136
137         2. Using the result of toObject is not correct to the spec.
138
139         To align to the spec correctly, we cannot use JSObject::get
140         by using the wrapper object produced by the toObject suggested in (1).
141         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
142         It is not correct since getter should be called with the original |this| value that may be primitive types.
143
144         So in this patch, we use JSValue::requireObjectCoercible
145         to check the target is object coercible and raise an error if it's not.
146
147         * dfg/DFGOperations.cpp:
148         * jit/JITOperations.cpp:
149         (JSC::getByVal):
150         * llint/LLIntSlowPaths.cpp:
151         (JSC::LLInt::getByVal):
152         * runtime/CommonSlowPaths.cpp:
153         (JSC::SLOW_PATH_DECL):
154         * runtime/JSCJSValue.h:
155         * runtime/JSCJSValueInlines.h:
156         (JSC::JSValue::requireObjectCoercible):
157         * runtime/ObjectPrototype.cpp:
158         (JSC::objectProtoFuncHasOwnProperty):
159         (JSC::objectProtoFuncDefineGetter):
160         (JSC::objectProtoFuncDefineSetter):
161         (JSC::objectProtoFuncLookupGetter):
162         (JSC::objectProtoFuncLookupSetter):
163         (JSC::objectProtoFuncPropertyIsEnumerable):
164         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
165         (shouldThrow):
166         (if):
167         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
168         (shouldThrow):
169         (.):
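The ordering the entry describes can be observed from script with a property key whose toString throws. The probe below is an added example written for this page, not a test from the WebKit patch; the helper names are its own, and it assumes an ES2015-conformant engine such as Node.js.

```javascript
// Added example (not from the WebKit patch). A property key whose toString
// throws and records that it ran makes the order of the two observable
// operations, RequireObjectCoercible/ToObject and ToPropertyKey, visible.

// Constructed probe key: ToPropertyKey reaches toString through ToPrimitive.
function makeProbeKey(trace) {
  return {
    toString() {
      trace.push("toString");
      throw new Error("toString side effect");
    },
  };
}

// Run fn and summarise how it ended.
function outcome(fn) {
  try {
    fn();
    return "ok";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : `${e.constructor.name}:${e.message}`;
  }
}

function probe(fn) {
  const trace = [];
  const result = outcome(() => fn(makeProbeKey(trace)));
  return { result, toStringRan: trace.length > 0 };
}

// Object.prototype.hasOwnProperty(V): ToPropertyKey(V) comes before
// ToObject(this). With a null receiver the key's own Error must surface; a
// TypeError here would mean the later ToObject error overwrote it, which is
// the missing-check symptom the entry describes for Object.prototype methods.
function probeHasOwnProperty(receiver) {
  return probe((key) => Object.prototype.hasOwnProperty.call(receiver, key));
}

// Object.prototype.__lookupGetter__(P): ToObject(this) comes first, so a
// null receiver throws TypeError before ToPropertyKey can run toString.
function probeLookupGetter(receiver) {
  return probe((key) => Object.prototype.__lookupGetter__.call(receiver, key));
}

// base[key]: the base is checked for object-coercibility before the key is
// converted, so a null/undefined base throws TypeError and toString never runs.
function probeGetByVal(base) {
  return probe((key) => base[key]);
}

// Second point of the entry: a getter reached through a primitive base must
// see the primitive itself as |this|, not a wrapper object. A strict-mode
// getter installed on Object.prototype reports what it received.
function getterThisTypeForPrimitive(value) {
  Object.defineProperty(Object.prototype, "probeThis", {
    get() { "use strict"; return typeof this; },
    configurable: true,
  });
  try {
    return value.probeThis;
  } finally {
    delete Object.prototype.probeThis;
  }
}
```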
170
171 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
172
173         WebContent Crash when instantiating class with Type Profiling enabled
174         https://bugs.webkit.org/show_bug.cgi?id=143037
175
176         Reviewed by Ryosuke Niwa.
177
178         * bytecompiler/BytecodeGenerator.h:
179         * bytecompiler/BytecodeGenerator.cpp:
180         (JSC::BytecodeGenerator::BytecodeGenerator):
181         (JSC::BytecodeGenerator::emitMoveEmptyValue):
182         We cannot profile the type of an uninitialized empty JSValue.
183         Nor do we expect this to be necessary, since it is effectively
184         an unseen undefined value. So add a way to put the empty value
185         without profiling.
186
187         (JSC::BytecodeGenerator::emitMove):
188         Add an assert to try to catch this issue early on, and force
189         callers to explicitly use emitMoveEmptyValue instead.
190
191         * tests/typeProfiler/classes.js: Added.
192         (wrapper.Base):
193         (wrapper.Derived):
194         (wrapper):
195         Add test coverage both for this case and classes in general.
196
197 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
198
199         Web Inspector: ES6: Provide a better view for Classes in the console
200         https://bugs.webkit.org/show_bug.cgi?id=142999
201
202         Reviewed by Timothy Hatcher.
203
204         * inspector/protocol/Runtime.json:
205         Provide a new `subtype` enum "class". This is a subtype of `type`
206         "function", all other subtypes are subtypes of `object` types.
207         For a class, the frontend will immediately want to get the prototype
208         to enumerate its methods, so include the `classPrototype`.
209
210         * inspector/JSInjectedScriptHost.cpp:
211         (Inspector::JSInjectedScriptHost::subtype):
212         Denote class construction functions as "class" subtypes.
213
214         * inspector/InjectedScriptSource.js:
215         Handling for the new "class" type.
216
217         * bytecode/UnlinkedCodeBlock.h:
218         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
219         * runtime/Executable.h:
220         (JSC::FunctionExecutable::isClassConstructorFunction):
221         * runtime/JSFunction.h:
222         * runtime/JSFunctionInlines.h:
223         (JSC::JSFunction::isClassConstructorFunction):
224         Check if this function is a class constructor function. That information
225         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
226
227 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
228
229         Function.prototype.toString should not decompile the AST
230         https://bugs.webkit.org/show_bug.cgi?id=142853
231
232         Reviewed by Darin Adler.
233
234         Following up on Darin's review comments.
235
236         * runtime/FunctionConstructor.cpp:
237         (JSC::constructFunctionSkippingEvalEnabledCheck):
238
239 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
240
241         "lineNo" does not match WebKit coding style guidelines
242         https://bugs.webkit.org/show_bug.cgi?id=143119
243
244         Reviewed by Michael Saboff.
245
246         We can afford to use whole words.
247
248         * bytecode/CodeBlock.cpp:
249         (JSC::CodeBlock::lineNumberForBytecodeOffset):
250         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
251         * bytecode/UnlinkedCodeBlock.cpp:
252         (JSC::UnlinkedFunctionExecutable::link):
253         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
254         * bytecode/UnlinkedCodeBlock.h:
255         * bytecompiler/NodesCodegen.cpp:
256         (JSC::WhileNode::emitBytecode):
257         * debugger/Debugger.cpp:
258         (JSC::Debugger::toggleBreakpoint):
259         * interpreter/Interpreter.cpp:
260         (JSC::StackFrame::computeLineAndColumn):
261         (JSC::GetStackTraceFunctor::operator()):
262         (JSC::Interpreter::execute):
263         * interpreter/StackVisitor.cpp:
264         (JSC::StackVisitor::Frame::computeLineAndColumn):
265         * parser/Nodes.h:
266         (JSC::Node::firstLine):
267         (JSC::Node::lineNo): Deleted.
268         (JSC::StatementNode::firstLine): Deleted.
269         * parser/ParserError.h:
270         (JSC::ParserError::toErrorObject):
271         * profiler/LegacyProfiler.cpp:
272         (JSC::createCallIdentifierFromFunctionImp):
273         * runtime/CodeCache.cpp:
274         (JSC::CodeCache::getGlobalCodeBlock):
275         * runtime/Executable.cpp:
276         (JSC::ScriptExecutable::ScriptExecutable):
277         (JSC::ScriptExecutable::newCodeBlockFor):
278         (JSC::FunctionExecutable::fromGlobalCode):
279         * runtime/Executable.h:
280         (JSC::ScriptExecutable::firstLine):
281         (JSC::ScriptExecutable::setOverrideLineNumber):
282         (JSC::ScriptExecutable::hasOverrideLineNumber):
283         (JSC::ScriptExecutable::overrideLineNumber):
284         (JSC::ScriptExecutable::lineNo): Deleted.
285         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
286         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
287         (JSC::ScriptExecutable::overrideLineNo): Deleted.
288         * runtime/FunctionConstructor.cpp:
289         (JSC::constructFunctionSkippingEvalEnabledCheck):
290         * runtime/FunctionConstructor.h:
291         * tools/CodeProfile.cpp:
292         (JSC::CodeProfile::report):
293         * tools/CodeProfile.h:
294         (JSC::CodeProfile::CodeProfile):
295
296 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
297
298         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
299         https://bugs.webkit.org/show_bug.cgi?id=142974
300
301         Reviewed by Joseph Pecoraro.
302
303         This patch does two things:
304
305         (1) Restore JavaScriptCore's sanitization of line and column numbers to
306         one-based values.
307
308         We need this because WebCore sometimes provides huge negative column
309         numbers.
310
311         (2) Solve the attribute event listener line numbering problem a different
312         way: Rather than offsetting all line numbers by -1 in an attribute event
313         listener in order to arrange for a custom result, instead use an explicit
314         feature for saying "all errors in this code should map to this line number".
315
316         * bytecode/UnlinkedCodeBlock.cpp:
317         (JSC::UnlinkedFunctionExecutable::link):
318         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
319         * bytecode/UnlinkedCodeBlock.h:
320         * interpreter/Interpreter.cpp:
321         (JSC::StackFrame::computeLineAndColumn):
322         (JSC::GetStackTraceFunctor::operator()):
323         * interpreter/Interpreter.h:
324         * interpreter/StackVisitor.cpp:
325         (JSC::StackVisitor::Frame::computeLineAndColumn):
326         * parser/ParserError.h:
327         (JSC::ParserError::toErrorObject): Plumb through an override line number.
328         When a function has an override line number, all syntax and runtime
329         errors in the function will map to it. This is useful for attribute event
330         listeners.
331  
332         * parser/SourceCode.h:
333         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
334         column numbers to one-based integers. It was kind of a hack to remove this.
335
336         * runtime/Executable.cpp:
337         (JSC::ScriptExecutable::ScriptExecutable):
338         (JSC::FunctionExecutable::fromGlobalCode):
339         * runtime/Executable.h:
340         (JSC::ScriptExecutable::setOverrideLineNo):
341         (JSC::ScriptExecutable::hasOverrideLineNo):
342         (JSC::ScriptExecutable::overrideLineNo):
343         * runtime/FunctionConstructor.cpp:
344         (JSC::constructFunctionSkippingEvalEnabledCheck):
345         * runtime/FunctionConstructor.h: Plumb through an override line number.
346
347 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
348
349         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
350
351         Reviewed by Michael Saboff.
352
353         * jit/JITPropertyAccess.cpp:
354         (JSC::JIT::emitScopedArgumentsGetByVal):
355         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
356
357 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
358
359         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
360         https://bugs.webkit.org/show_bug.cgi?id=143098
361
362         Reviewed by Csaba Osztrogonác.
363
364         * ftl/FTLLowerDFGToLLVM.cpp:
365         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
366         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
367
368 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
369
370         Unreviewed gardening, skip failing tests on AArch64 Linux.
371
372         * tests/mozilla/mozilla-tests.yaml:
373         * tests/stress/cached-prototype-setter.js:
374
375 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
376
377         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
378
379         * dfg/DFGConstantFoldingPhase.cpp:
380         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
381         * ftl/FTLCompile.cpp:
382         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
383         * ftl/FTLState.cpp:
384         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
385         * ftl/FTLState.h:
386
387 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
388
389         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
390         right, so this just makes 32-bit do the same.
391
392         * dfg/DFGSpeculativeJIT32_64.cpp:
393         (JSC::DFG::SpeculativeJIT::emitCall):
394
395 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
396
397         Fix a typo that ggaren found but that I didn't fix before.
398
399         * runtime/DirectArgumentsOffset.h:
400
401 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
402
403         Unreviewed, VC found a bug. This fixes the bug.
404
405         * dfg/DFGConstantFoldingPhase.cpp:
406         (JSC::DFG::ConstantFoldingPhase::foldConstants):
407
408 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
409
410         Unreviewed, try to fix Windows build.
411
412         * runtime/ClonedArguments.cpp:
413         (JSC::ClonedArguments::createWithInlineFrame):
414
415 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
416
417         Unreviewed, fix debug build.
418
419         * bytecompiler/NodesCodegen.cpp:
420         (JSC::ConstDeclNode::emitCodeSingle):
421
422 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
423
424         Unreviewed, fix CLOOP build.
425
426         * dfg/DFGMinifiedID.h:
427
428 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
429
430         Heap variables shouldn't end up in the stack frame
431         https://bugs.webkit.org/show_bug.cgi?id=141174
432
433         Reviewed by Geoffrey Garen.
434         
435         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
436         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
437         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
438         simplifications:
439         
440         - Accesses to variables no longer need checks or indirections to determine where the variable is
441           at that moment in time. For example, loading a closure variable now takes just one load instead
442           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
443           (when no arguments object allocation is required) while previously that same operation required
444           a "did I allocate arguments yet" check, a bounds check, and then the load.
445         
446         - Reasoning about the allocation of an activation or arguments object now follows the same simple
447           logic as the allocation of any other kind of object. Previously, those objects were lazily
448           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
449           allocate anything at all. This made the implementation of traditional escape analyses really
450           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
451           arguments object using the usual SSA tricks which allows for more comprehensive removal.
452         
453         - The allocations of arguments objects, functions, and activations are now much faster. While
454           this patch generally expands our ability to eliminate arguments object allocations, an earlier
455           version of the patch - which lacked that functionality - was a progression on some arguments-
456           and closure-happy benchmarks because although no allocations were eliminated, all allocations
457           were faster.
458         
459         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
460           its arguments objects or activations. The runtime doesn't have to do things to the arguments
461           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
462           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
463           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
464           now gone. This also enables implementing block-scoping. Without this change, block-scope
465           support would require telling CodeBlock and all of the rest of the runtime about all of the
466           variables that store currently-live scopes. That would have been so disastrously hard that it
467           might as well be impossible. With this change, it's fair game for the bytecode generator to
468           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
469           however long it wants. This all works, because after bytecode generation, an activation is just
470           an object and variables that refer to it are just normal variables.
471         
472         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
473           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
474           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
475           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
476           an arguments object.
477         
478         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
479           using activations used to prevent inlining; now functions that use activations can be inlined
480           just fine.
481         
482         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
483         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
484         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
485         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
486         
487         The easiest way of understanding this change is to start by looking at the changes in runtime/,
488         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
489
490         * CMakeLists.txt:
491         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
492         * JavaScriptCore.xcodeproj/project.pbxproj:
493         * assembler/AbortReason.h:
494         * assembler/AbstractMacroAssembler.h:
495         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
496         * bytecode/ByValInfo.h:
497         (JSC::hasOptimizableIndexingForJSType):
498         (JSC::hasOptimizableIndexing):
499         (JSC::jitArrayModeForJSType):
500         (JSC::jitArrayModePermitsPut):
501         (JSC::jitArrayModeForStructure):
502         * bytecode/BytecodeKills.h: Added.
503         (JSC::BytecodeKills::BytecodeKills):
504         (JSC::BytecodeKills::operandIsKilled):
505         (JSC::BytecodeKills::forEachOperandKilledAt):
506         (JSC::BytecodeKills::KillSet::KillSet):
507         (JSC::BytecodeKills::KillSet::add):
508         (JSC::BytecodeKills::KillSet::forEachLocal):
509         (JSC::BytecodeKills::KillSet::contains):
510         * bytecode/BytecodeList.json:
511         * bytecode/BytecodeLivenessAnalysis.cpp:
512         (JSC::isValidRegisterForLiveness):
513         (JSC::stepOverInstruction):
514         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
515         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
516         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
517         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
518         (JSC::BytecodeLivenessAnalysis::computeKills):
519         (JSC::indexForOperand): Deleted.
520         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
521         (JSC::getLivenessInfo): Deleted.
522         * bytecode/BytecodeLivenessAnalysis.h:
523         * bytecode/BytecodeLivenessAnalysisInlines.h:
524         (JSC::operandIsAlwaysLive):
525         (JSC::operandThatIsNotAlwaysLiveIsLive):
526         (JSC::operandIsLive):
527         * bytecode/BytecodeUseDef.h:
528         (JSC::computeUsesForBytecodeOffset):
529         (JSC::computeDefsForBytecodeOffset):
530         * bytecode/CodeBlock.cpp:
531         (JSC::CodeBlock::dumpBytecode):
532         (JSC::CodeBlock::CodeBlock):
533         (JSC::CodeBlock::nameForRegister):
534         (JSC::CodeBlock::validate):
535         (JSC::CodeBlock::isCaptured): Deleted.
536         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
537         (JSC::CodeBlock::machineSlowArguments): Deleted.
538         * bytecode/CodeBlock.h:
539         (JSC::unmodifiedArgumentsRegister): Deleted.
540         (JSC::CodeBlock::setArgumentsRegister): Deleted.
541         (JSC::CodeBlock::argumentsRegister): Deleted.
542         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
543         (JSC::CodeBlock::usesArguments): Deleted.
544         (JSC::CodeBlock::captureCount): Deleted.
545         (JSC::CodeBlock::captureStart): Deleted.
546         (JSC::CodeBlock::captureEnd): Deleted.
547         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
548         (JSC::CodeBlock::hasSlowArguments): Deleted.
549         (JSC::ExecState::argumentAfterCapture): Deleted.
550         * bytecode/CodeOrigin.h:
551         * bytecode/DataFormat.h:
552         (JSC::dataFormatToString):
553         * bytecode/FullBytecodeLiveness.h:
554         (JSC::FullBytecodeLiveness::getLiveness):
555         (JSC::FullBytecodeLiveness::operandIsLive):
556         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
557         (JSC::FullBytecodeLiveness::getOut): Deleted.
558         * bytecode/Instruction.h:
559         (JSC::Instruction::Instruction):
560         * bytecode/Operands.h:
561         (JSC::Operands::virtualRegisterForIndex):
562         * bytecode/SpeculatedType.cpp:
563         (JSC::dumpSpeculation):
564         (JSC::speculationToAbbreviatedString):
565         (JSC::speculationFromClassInfo):
566         * bytecode/SpeculatedType.h:
567         (JSC::isDirectArgumentsSpeculation):
568         (JSC::isScopedArgumentsSpeculation):
569         (JSC::isActionableMutableArraySpeculation):
570         (JSC::isActionableArraySpeculation):
571         (JSC::isArgumentsSpeculation): Deleted.
572         * bytecode/UnlinkedCodeBlock.cpp:
573         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
574         * bytecode/UnlinkedCodeBlock.h:
575         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
576         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
577         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
578         * bytecode/ValueRecovery.cpp:
579         (JSC::ValueRecovery::dumpInContext):
580         * bytecode/ValueRecovery.h:
581         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
582         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
583         (JSC::ValueRecovery::nodeID):
584         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
585         * bytecode/VirtualRegister.h:
586         (JSC::VirtualRegister::operator==):
587         (JSC::VirtualRegister::operator!=):
588         (JSC::VirtualRegister::operator<):
589         (JSC::VirtualRegister::operator>):
590         (JSC::VirtualRegister::operator<=):
591         (JSC::VirtualRegister::operator>=):
592         * bytecompiler/BytecodeGenerator.cpp:
593         (JSC::BytecodeGenerator::generate):
594         (JSC::BytecodeGenerator::BytecodeGenerator):
595         (JSC::BytecodeGenerator::initializeNextParameter):
596         (JSC::BytecodeGenerator::visibleNameForParameter):
597         (JSC::BytecodeGenerator::emitMove):
598         (JSC::BytecodeGenerator::variable):
599         (JSC::BytecodeGenerator::createVariable):
600         (JSC::BytecodeGenerator::emitResolveScope):
601         (JSC::BytecodeGenerator::emitGetFromScope):
602         (JSC::BytecodeGenerator::emitPutToScope):
603         (JSC::BytecodeGenerator::initializeVariable):
604         (JSC::BytecodeGenerator::emitInstanceOf):
605         (JSC::BytecodeGenerator::emitNewFunction):
606         (JSC::BytecodeGenerator::emitNewFunctionInternal):
607         (JSC::BytecodeGenerator::emitCall):
608         (JSC::BytecodeGenerator::emitReturn):
609         (JSC::BytecodeGenerator::emitConstruct):
610         (JSC::BytecodeGenerator::isArgumentNumber):
611         (JSC::BytecodeGenerator::emitEnumeration):
612         (JSC::BytecodeGenerator::addVar): Deleted.
613         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
614         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
615         (JSC::BytecodeGenerator::resolveCallee): Deleted.
616         (JSC::BytecodeGenerator::addCallee): Deleted.
617         (JSC::BytecodeGenerator::addParameter): Deleted.
618         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
619         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
620         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
621         (JSC::BytecodeGenerator::isCaptured): Deleted.
622         (JSC::BytecodeGenerator::local): Deleted.
623         (JSC::BytecodeGenerator::constLocal): Deleted.
624         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
625         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
626         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
627         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
628         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
629         * bytecompiler/BytecodeGenerator.h:
630         (JSC::Variable::Variable):
631         (JSC::Variable::isResolved):
632         (JSC::Variable::ident):
633         (JSC::Variable::offset):
634         (JSC::Variable::isLocal):
635         (JSC::Variable::local):
636         (JSC::Variable::isSpecial):
637         (JSC::BytecodeGenerator::argumentsRegister):
638         (JSC::BytecodeGenerator::emitNode):
639         (JSC::BytecodeGenerator::registerFor):
640         (JSC::Local::Local): Deleted.
641         (JSC::Local::operator bool): Deleted.
642         (JSC::Local::get): Deleted.
643         (JSC::Local::isSpecial): Deleted.
644         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
645         (JSC::ResolveScopeInfo::isLocal): Deleted.
646         (JSC::ResolveScopeInfo::localIndex): Deleted.
647         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
648         (JSC::BytecodeGenerator::captureMode): Deleted.
649         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
650         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
651         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
652         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
653         * bytecompiler/NodesCodegen.cpp:
654         (JSC::ResolveNode::isPure):
655         (JSC::ResolveNode::emitBytecode):
656         (JSC::BracketAccessorNode::emitBytecode):
657         (JSC::DotAccessorNode::emitBytecode):
658         (JSC::EvalFunctionCallNode::emitBytecode):
659         (JSC::FunctionCallResolveNode::emitBytecode):
660         (JSC::CallFunctionCallDotNode::emitBytecode):
661         (JSC::ApplyFunctionCallDotNode::emitBytecode):
662         (JSC::PostfixNode::emitResolve):
663         (JSC::DeleteResolveNode::emitBytecode):
664         (JSC::TypeOfResolveNode::emitBytecode):
665         (JSC::PrefixNode::emitResolve):
666         (JSC::ReadModifyResolveNode::emitBytecode):
667         (JSC::AssignResolveNode::emitBytecode):
668         (JSC::ConstDeclNode::emitCodeSingle):
669         (JSC::EmptyVarExpression::emitBytecode):
670         (JSC::ForInNode::tryGetBoundLocal):
671         (JSC::ForInNode::emitLoopHeader):
672         (JSC::ForOfNode::emitBytecode):
673         (JSC::ArrayPatternNode::emitDirectBinding):
674         (JSC::BindingNode::bindValue):
675         (JSC::getArgumentByVal): Deleted.
676         * dfg/DFGAbstractHeap.h:
677         * dfg/DFGAbstractInterpreter.h:
678         * dfg/DFGAbstractInterpreterInlines.h:
679         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
680         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
681         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
682         * dfg/DFGAbstractValue.h:
683         * dfg/DFGArgumentPosition.h:
684         (JSC::DFG::ArgumentPosition::addVariable):
685         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
686         (JSC::DFG::performArgumentsElimination):
687         * dfg/DFGArgumentsEliminationPhase.h: Added.
688         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
689         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
690         * dfg/DFGArgumentsUtilities.cpp: Added.
691         (JSC::DFG::argumentsInvolveStackSlot):
692         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
693         * dfg/DFGArgumentsUtilities.h: Added.
694         * dfg/DFGArrayMode.cpp:
695         (JSC::DFG::ArrayMode::refine):
696         (JSC::DFG::ArrayMode::alreadyChecked):
697         (JSC::DFG::arrayTypeToString):
698         * dfg/DFGArrayMode.h:
699         (JSC::DFG::ArrayMode::canCSEStorage):
700         (JSC::DFG::ArrayMode::modeForPut):
701         * dfg/DFGAvailabilityMap.cpp:
702         (JSC::DFG::AvailabilityMap::prune):
703         * dfg/DFGAvailabilityMap.h:
704         (JSC::DFG::AvailabilityMap::closeOverNodes):
705         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
706         * dfg/DFGBackwardsPropagationPhase.cpp:
707         (JSC::DFG::BackwardsPropagationPhase::propagate):
708         * dfg/DFGByteCodeParser.cpp:
709         (JSC::DFG::ByteCodeParser::newVariableAccessData):
710         (JSC::DFG::ByteCodeParser::getLocal):
711         (JSC::DFG::ByteCodeParser::setLocal):
712         (JSC::DFG::ByteCodeParser::getArgument):
713         (JSC::DFG::ByteCodeParser::setArgument):
714         (JSC::DFG::ByteCodeParser::flushDirect):
715         (JSC::DFG::ByteCodeParser::flush):
716         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
717         (JSC::DFG::ByteCodeParser::handleVarargsCall):
718         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
719         (JSC::DFG::ByteCodeParser::handleInlining):
720         (JSC::DFG::ByteCodeParser::parseBlock):
721         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
722         (JSC::DFG::ByteCodeParser::parseCodeBlock):
723         * dfg/DFGCPSRethreadingPhase.cpp:
724         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
725         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
726         * dfg/DFGCSEPhase.cpp:
727         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
728         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
729         * dfg/DFGCapabilities.cpp:
730         (JSC::DFG::isSupportedForInlining):
731         (JSC::DFG::capabilityLevel):
732         * dfg/DFGClobberize.h:
733         (JSC::DFG::clobberize):
734         * dfg/DFGCommon.h:
735         * dfg/DFGCommonData.h:
736         (JSC::DFG::CommonData::CommonData):
737         * dfg/DFGConstantFoldingPhase.cpp:
738         (JSC::DFG::ConstantFoldingPhase::foldConstants):
739         * dfg/DFGDCEPhase.cpp:
740         (JSC::DFG::DCEPhase::cleanVariables):
741         * dfg/DFGDisassembler.h:
742         * dfg/DFGDoesGC.cpp:
743         (JSC::DFG::doesGC):
744         * dfg/DFGFixupPhase.cpp:
745         (JSC::DFG::FixupPhase::fixupNode):
746         * dfg/DFGFlushFormat.cpp:
747         (WTF::printInternal):
748         * dfg/DFGFlushFormat.h:
749         (JSC::DFG::resultFor):
750         (JSC::DFG::useKindFor):
751         (JSC::DFG::dataFormatFor):
752         * dfg/DFGForAllKills.h: Added.
753         (JSC::DFG::forAllLiveNodesAtTail):
754         (JSC::DFG::forAllDirectlyKilledOperands):
755         (JSC::DFG::forAllKilledOperands):
756         (JSC::DFG::forAllKilledNodesAtNodeIndex):
757         (JSC::DFG::forAllKillsInBlock):
758         * dfg/DFGGraph.cpp:
759         (JSC::DFG::Graph::Graph):
760         (JSC::DFG::Graph::dump):
761         (JSC::DFG::Graph::substituteGetLocal):
762         (JSC::DFG::Graph::livenessFor):
763         (JSC::DFG::Graph::killsFor):
764         (JSC::DFG::Graph::tryGetConstantClosureVar):
765         (JSC::DFG::Graph::tryGetRegisters): Deleted.
766         * dfg/DFGGraph.h:
767         (JSC::DFG::Graph::symbolTableFor):
768         (JSC::DFG::Graph::uses):
769         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
770         (JSC::DFG::Graph::capturedVarsFor): Deleted.
771         (JSC::DFG::Graph::usesArguments): Deleted.
772         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
773         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
774         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
775         * dfg/DFGHeapLocation.cpp:
776         (WTF::printInternal):
777         * dfg/DFGHeapLocation.h:
778         * dfg/DFGInPlaceAbstractState.cpp:
779         (JSC::DFG::InPlaceAbstractState::initialize):
780         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
781         * dfg/DFGJITCompiler.cpp:
782         (JSC::DFG::JITCompiler::link):
783         * dfg/DFGMayExit.cpp:
784         (JSC::DFG::mayExit):
785         * dfg/DFGMinifiedID.h:
786         * dfg/DFGMinifiedNode.cpp:
787         (JSC::DFG::MinifiedNode::fromNode):
788         * dfg/DFGMinifiedNode.h:
789         (JSC::DFG::belongsInMinifiedGraph):
790         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
791         (JSC::DFG::MinifiedNode::inlineCallFrame):
792         * dfg/DFGNode.cpp:
793         (JSC::DFG::Node::convertToIdentityOn):
794         * dfg/DFGNode.h:
795         (JSC::DFG::Node::hasConstant):
796         (JSC::DFG::Node::constant):
797         (JSC::DFG::Node::hasScopeOffset):
798         (JSC::DFG::Node::scopeOffset):
799         (JSC::DFG::Node::hasDirectArgumentsOffset):
800         (JSC::DFG::Node::capturedArgumentsOffset):
801         (JSC::DFG::Node::variablePointer):
802         (JSC::DFG::Node::hasCallVarargsData):
803         (JSC::DFG::Node::hasLoadVarargsData):
804         (JSC::DFG::Node::hasHeapPrediction):
805         (JSC::DFG::Node::hasCellOperand):
806         (JSC::DFG::Node::objectMaterializationData):
807         (JSC::DFG::Node::isPhantomAllocation):
808         (JSC::DFG::Node::willHaveCodeGenOrOSR):
809         (JSC::DFG::Node::shouldSpeculateDirectArguments):
810         (JSC::DFG::Node::shouldSpeculateScopedArguments):
811         (JSC::DFG::Node::isPhantomArguments): Deleted.
812         (JSC::DFG::Node::hasVarNumber): Deleted.
813         (JSC::DFG::Node::varNumber): Deleted.
814         (JSC::DFG::Node::registerPointer): Deleted.
815         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
816         * dfg/DFGNodeType.h:
817         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
818         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
819         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
820         * dfg/DFGOSRExitCompiler.cpp:
821         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
822         * dfg/DFGOSRExitCompiler.h:
823         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
824         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
825         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
826         * dfg/DFGOSRExitCompiler32_64.cpp:
827         (JSC::DFG::OSRExitCompiler::compileExit):
828         * dfg/DFGOSRExitCompiler64.cpp:
829         (JSC::DFG::OSRExitCompiler::compileExit):
830         * dfg/DFGOSRExitCompilerCommon.cpp:
831         (JSC::DFG::reifyInlinedCallFrames):
832         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
833         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
834         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
835         * dfg/DFGOSRExitCompilerCommon.h:
836         * dfg/DFGOperations.cpp:
837         * dfg/DFGOperations.h:
838         * dfg/DFGPlan.cpp:
839         (JSC::DFG::Plan::compileInThreadImpl):
840         * dfg/DFGPreciseLocalClobberize.h:
841         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
842         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
843         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
844         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
845         (JSC::DFG::preciseLocalClobberize):
846         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
847         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
848         * dfg/DFGPredictionPropagationPhase.cpp:
849         (JSC::DFG::PredictionPropagationPhase::run):
850         (JSC::DFG::PredictionPropagationPhase::propagate):
851         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
852         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
853         * dfg/DFGPromoteHeapAccess.h:
854         (JSC::DFG::promoteHeapAccess):
855         * dfg/DFGPromotedHeapLocation.cpp:
856         (WTF::printInternal):
857         * dfg/DFGPromotedHeapLocation.h:
858         * dfg/DFGSSAConversionPhase.cpp:
859         (JSC::DFG::SSAConversionPhase::run):
860         * dfg/DFGSafeToExecute.h:
861         (JSC::DFG::safeToExecute):
862         * dfg/DFGSpeculativeJIT.cpp:
863         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
864         (JSC::DFG::SpeculativeJIT::emitGetLength):
865         (JSC::DFG::SpeculativeJIT::emitGetCallee):
866         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
867         (JSC::DFG::SpeculativeJIT::checkArray):
868         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
869         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
870         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
871         (JSC::DFG::SpeculativeJIT::compileNewFunction):
872         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
873         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
874         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
875         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
876         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
877         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
878         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
879         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
880         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
881         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
882         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
883         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
884         * dfg/DFGSpeculativeJIT.h:
885         (JSC::DFG::SpeculativeJIT::callOperation):
886         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
887         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
888         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
889         * dfg/DFGSpeculativeJIT32_64.cpp:
890         (JSC::DFG::SpeculativeJIT::emitCall):
891         (JSC::DFG::SpeculativeJIT::compile):
892         * dfg/DFGSpeculativeJIT64.cpp:
893         (JSC::DFG::SpeculativeJIT::emitCall):
894         (JSC::DFG::SpeculativeJIT::compile):
895         * dfg/DFGStackLayoutPhase.cpp:
896         (JSC::DFG::StackLayoutPhase::run):
897         * dfg/DFGStrengthReductionPhase.cpp:
898         (JSC::DFG::StrengthReductionPhase::handleNode):
899         * dfg/DFGStructureRegistrationPhase.cpp:
900         (JSC::DFG::StructureRegistrationPhase::run):
901         * dfg/DFGUnificationPhase.cpp:
902         (JSC::DFG::UnificationPhase::run):
903         * dfg/DFGValidate.cpp:
904         (JSC::DFG::Validate::validateCPS):
905         * dfg/DFGValueSource.cpp:
906         (JSC::DFG::ValueSource::dump):
907         * dfg/DFGValueSource.h:
908         (JSC::DFG::dataFormatToValueSourceKind):
909         (JSC::DFG::valueSourceKindToDataFormat):
910         (JSC::DFG::ValueSource::ValueSource):
911         (JSC::DFG::ValueSource::forFlushFormat):
912         (JSC::DFG::ValueSource::valueRecovery):
913         * dfg/DFGVarargsForwardingPhase.cpp: Added.
914         (JSC::DFG::performVarargsForwarding):
915         * dfg/DFGVarargsForwardingPhase.h: Added.
916         * dfg/DFGVariableAccessData.cpp:
917         (JSC::DFG::VariableAccessData::VariableAccessData):
918         (JSC::DFG::VariableAccessData::flushFormat):
919         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
920         * dfg/DFGVariableAccessData.h:
921         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
922         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
923         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
924         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
925         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
926         * dfg/DFGVariableAccessDataDump.cpp:
927         (JSC::DFG::VariableAccessDataDump::dump):
928         * dfg/DFGVariableAccessDataDump.h:
929         * dfg/DFGVariableEventStream.cpp:
930         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
931         * dfg/DFGVariableEventStream.h:
932         * ftl/FTLAbstractHeap.cpp:
933         (JSC::FTL::AbstractHeap::dump):
934         (JSC::FTL::AbstractField::dump):
935         (JSC::FTL::IndexedAbstractHeap::dump):
936         (JSC::FTL::NumberedAbstractHeap::dump):
937         (JSC::FTL::AbsoluteAbstractHeap::dump):
938         * ftl/FTLAbstractHeap.h:
939         * ftl/FTLAbstractHeapRepository.cpp:
940         * ftl/FTLAbstractHeapRepository.h:
941         * ftl/FTLCapabilities.cpp:
942         (JSC::FTL::canCompile):
943         * ftl/FTLCompile.cpp:
944         (JSC::FTL::mmAllocateDataSection):
945         * ftl/FTLExitArgument.cpp:
946         (JSC::FTL::ExitArgument::dump):
947         * ftl/FTLExitPropertyValue.cpp:
948         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
949         * ftl/FTLExitPropertyValue.h:
950         * ftl/FTLExitTimeObjectMaterialization.cpp:
951         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
952         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
953         * ftl/FTLExitTimeObjectMaterialization.h:
954         (JSC::FTL::ExitTimeObjectMaterialization::origin):
955         * ftl/FTLExitValue.cpp:
956         (JSC::FTL::ExitValue::withLocalsOffset):
957         (JSC::FTL::ExitValue::valueFormat):
958         (JSC::FTL::ExitValue::dumpInContext):
959         * ftl/FTLExitValue.h:
960         (JSC::FTL::ExitValue::isArgument):
961         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
962         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
963         (JSC::FTL::ExitValue::valueFormat): Deleted.
964         * ftl/FTLInlineCacheSize.cpp:
965         (JSC::FTL::sizeOfCallForwardVarargs):
966         (JSC::FTL::sizeOfConstructForwardVarargs):
967         (JSC::FTL::sizeOfICFor):
968         * ftl/FTLInlineCacheSize.h:
969         * ftl/FTLIntrinsicRepository.h:
970         * ftl/FTLJSCallVarargs.cpp:
971         (JSC::FTL::JSCallVarargs::JSCallVarargs):
972         (JSC::FTL::JSCallVarargs::emit):
973         * ftl/FTLJSCallVarargs.h:
974         * ftl/FTLLowerDFGToLLVM.cpp:
975         (JSC::FTL::LowerDFGToLLVM::lower):
976         (JSC::FTL::LowerDFGToLLVM::compileNode):
977         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
978         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
979         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
980         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
981         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
982         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
983         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
984         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
985         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
986         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
987         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
988         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
989         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
990         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
991         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
992         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
993         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
994         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
995         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
996         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
997         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
998         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
999         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
1000         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
1001         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
1002         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
1003         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
1004         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
1005         (JSC::FTL::LowerDFGToLLVM::baseIndex):
1006         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1007         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
1008         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1009         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1010         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1011         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1012         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1013         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1014         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
1015         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
1016         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
1017         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
1018         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
1019         * ftl/FTLOSRExitCompiler.cpp:
1020         (JSC::FTL::compileRecovery):
1021         (JSC::FTL::compileStub):
1022         * ftl/FTLOperations.cpp:
1023         (JSC::FTL::operationMaterializeObjectInOSR):
1024         * ftl/FTLOutput.h:
1025         (JSC::FTL::Output::aShr):
1026         (JSC::FTL::Output::lShr):
1027         (JSC::FTL::Output::zeroExtPtr):
1028         * heap/CopyToken.h:
1029         * interpreter/CallFrame.h:
1030         (JSC::ExecState::getArgumentUnsafe):
1031         * interpreter/Interpreter.cpp:
1032         (JSC::sizeOfVarargs):
1033         (JSC::sizeFrameForVarargs):
1034         (JSC::loadVarargs):
1035         (JSC::unwindCallFrame):
1036         * interpreter/Interpreter.h:
1037         * interpreter/StackVisitor.cpp:
1038         (JSC::StackVisitor::Frame::createArguments):
1039         (JSC::StackVisitor::Frame::existingArguments): Deleted.
1040         * interpreter/StackVisitor.h:
1041         * jit/AssemblyHelpers.h:
1042         (JSC::AssemblyHelpers::storeValue):
1043         (JSC::AssemblyHelpers::loadValue):
1044         (JSC::AssemblyHelpers::storeTrustedValue):
1045         (JSC::AssemblyHelpers::branchIfNotCell):
1046         (JSC::AssemblyHelpers::branchIsEmpty):
1047         (JSC::AssemblyHelpers::argumentsStart):
1048         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
1049         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
1050         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
1051         * jit/CCallHelpers.h:
1052         (JSC::CCallHelpers::setupArgument):
1053         * jit/GPRInfo.h:
1054         (JSC::JSValueRegs::withTwoAvailableRegs):
1055         * jit/JIT.cpp:
1056         (JSC::JIT::privateCompileMainPass):
1057         (JSC::JIT::privateCompileSlowCases):
1058         * jit/JIT.h:
1059         * jit/JITCall.cpp:
1060         (JSC::JIT::compileSetupVarargsFrame):
1061         * jit/JITCall32_64.cpp:
1062         (JSC::JIT::compileSetupVarargsFrame):
1063         * jit/JITInlines.h:
1064         (JSC::JIT::callOperation):
1065         * jit/JITOpcodes.cpp:
1066         (JSC::JIT::emit_op_create_lexical_environment):
1067         (JSC::JIT::emit_op_new_func):
1068         (JSC::JIT::emit_op_create_direct_arguments):
1069         (JSC::JIT::emit_op_create_scoped_arguments):
1070         (JSC::JIT::emit_op_create_out_of_band_arguments):
1071         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1072         (JSC::JIT::emit_op_create_arguments): Deleted.
1073         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1074         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1075         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1076         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1077         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1078         * jit/JITOpcodes32_64.cpp:
1079         (JSC::JIT::emit_op_create_lexical_environment):
1080         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1081         (JSC::JIT::emit_op_create_arguments): Deleted.
1082         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1083         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1084         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1085         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1086         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1087         * jit/JITOperations.cpp:
1088         * jit/JITOperations.h:
1089         * jit/JITPropertyAccess.cpp:
1090         (JSC::JIT::emitGetClosureVar):
1091         (JSC::JIT::emitPutClosureVar):
1092         (JSC::JIT::emit_op_get_from_arguments):
1093         (JSC::JIT::emit_op_put_to_arguments):
1094         (JSC::JIT::emit_op_init_global_const):
1095         (JSC::JIT::privateCompileGetByVal):
1096         (JSC::JIT::emitDirectArgumentsGetByVal):
1097         (JSC::JIT::emitScopedArgumentsGetByVal):
1098         * jit/JITPropertyAccess32_64.cpp:
1099         (JSC::JIT::emitGetClosureVar):
1100         (JSC::JIT::emitPutClosureVar):
1101         (JSC::JIT::emit_op_get_from_arguments):
1102         (JSC::JIT::emit_op_put_to_arguments):
1103         (JSC::JIT::emit_op_init_global_const):
1104         * jit/SetupVarargsFrame.cpp:
1105         (JSC::emitSetupVarargsFrameFastCase):
1106         * llint/LLIntOffsetsExtractor.cpp:
1107         * llint/LLIntSlowPaths.cpp:
1108         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1109         * llint/LowLevelInterpreter.asm:
1110         * llint/LowLevelInterpreter32_64.asm:
1111         * llint/LowLevelInterpreter64.asm:
1112         * parser/Nodes.h:
1113         (JSC::ScopeNode::captures):
1114         * runtime/Arguments.cpp: Removed.
1115         * runtime/Arguments.h: Removed.
1116         * runtime/ArgumentsMode.h: Added.
1117         * runtime/DirectArgumentsOffset.cpp: Added.
1118         (JSC::DirectArgumentsOffset::dump):
1119         * runtime/DirectArgumentsOffset.h: Added.
1120         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
1121         * runtime/CommonSlowPaths.cpp:
1122         (JSC::SLOW_PATH_DECL):
1123         * runtime/CommonSlowPaths.h:
1124         * runtime/ConstantMode.cpp: Added.
1125         (WTF::printInternal):
1126         * runtime/ConstantMode.h:
1127         (JSC::modeForIsConstant):
1128         * runtime/DirectArguments.cpp: Added.
1129         (JSC::DirectArguments::DirectArguments):
1130         (JSC::DirectArguments::createUninitialized):
1131         (JSC::DirectArguments::create):
1132         (JSC::DirectArguments::createByCopying):
1133         (JSC::DirectArguments::visitChildren):
1134         (JSC::DirectArguments::copyBackingStore):
1135         (JSC::DirectArguments::createStructure):
1136         (JSC::DirectArguments::overrideThings):
1137         (JSC::DirectArguments::overrideThingsIfNecessary):
1138         (JSC::DirectArguments::overrideArgument):
1139         (JSC::DirectArguments::copyToArguments):
1140         (JSC::DirectArguments::overridesSize):
1141         * runtime/DirectArguments.h: Added.
1142         (JSC::DirectArguments::internalLength):
1143         (JSC::DirectArguments::length):
1144         (JSC::DirectArguments::canAccessIndexQuickly):
1145         (JSC::DirectArguments::getIndexQuickly):
1146         (JSC::DirectArguments::setIndexQuickly):
1147         (JSC::DirectArguments::callee):
1148         (JSC::DirectArguments::argument):
1149         (JSC::DirectArguments::overrodeThings):
1150         (JSC::DirectArguments::offsetOfCallee):
1151         (JSC::DirectArguments::offsetOfLength):
1152         (JSC::DirectArguments::offsetOfMinCapacity):
1153         (JSC::DirectArguments::offsetOfOverrides):
1154         (JSC::DirectArguments::storageOffset):
1155         (JSC::DirectArguments::offsetOfSlot):
1156         (JSC::DirectArguments::allocationSize):
1157         (JSC::DirectArguments::storage):
1158         * runtime/FunctionPrototype.cpp:
1159         * runtime/GenericArguments.h: Added.
1160         (JSC::GenericArguments::GenericArguments):
1161         * runtime/GenericArgumentsInlines.h: Added.
1162         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1163         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1164         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1165         (JSC::GenericArguments<Type>::put):
1166         (JSC::GenericArguments<Type>::putByIndex):
1167         (JSC::GenericArguments<Type>::deleteProperty):
1168         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1169         (JSC::GenericArguments<Type>::defineOwnProperty):
1170         (JSC::GenericArguments<Type>::copyToArguments):
1171         * runtime/GenericOffset.h: Added.
1172         (JSC::GenericOffset::GenericOffset):
1173         (JSC::GenericOffset::operator!):
1174         (JSC::GenericOffset::offsetUnchecked):
1175         (JSC::GenericOffset::offset):
1176         (JSC::GenericOffset::operator==):
1177         (JSC::GenericOffset::operator!=):
1178         (JSC::GenericOffset::operator<):
1179         (JSC::GenericOffset::operator>):
1180         (JSC::GenericOffset::operator<=):
1181         (JSC::GenericOffset::operator>=):
1182         (JSC::GenericOffset::operator+):
1183         (JSC::GenericOffset::operator-):
1184         (JSC::GenericOffset::operator+=):
1185         (JSC::GenericOffset::operator-=):
1186         * runtime/JSArgumentsIterator.cpp:
1187         (JSC::JSArgumentsIterator::finishCreation):
1188         (JSC::argumentsFuncIterator):
1189         * runtime/JSArgumentsIterator.h:
1190         (JSC::JSArgumentsIterator::create):
1191         (JSC::JSArgumentsIterator::next):
1192         * runtime/JSEnvironmentRecord.cpp:
1193         (JSC::JSEnvironmentRecord::visitChildren):
1194         * runtime/JSEnvironmentRecord.h:
1195         (JSC::JSEnvironmentRecord::variables):
1196         (JSC::JSEnvironmentRecord::isValid):
1197         (JSC::JSEnvironmentRecord::variableAt):
1198         (JSC::JSEnvironmentRecord::offsetOfVariables):
1199         (JSC::JSEnvironmentRecord::offsetOfVariable):
1200         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
1201         (JSC::JSEnvironmentRecord::allocationSize):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        (JSC::JSEnvironmentRecord::finishCreationUninitialized):
        (JSC::JSEnvironmentRecord::finishCreation):
        (JSC::JSEnvironmentRecord::registers): Deleted.
        (JSC::JSEnvironmentRecord::registerAt): Deleted.
        (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
        (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::outOfBandArgumentsStructure):
        (JSC::JSGlobalObject::argumentsStructure): Deleted.
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
        (JSC::JSLexicalEnvironment::visitChildren): Deleted.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::JSLexicalEnvironment::registersOffset): Deleted.
        (JSC::JSLexicalEnvironment::storageOffset): Deleted.
        (JSC::JSLexicalEnvironment::storage): Deleted.
        (JSC::JSLexicalEnvironment::allocationSize): Deleted.
        (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
        (JSC::JSLexicalEnvironment::isValid): Deleted.
        (JSC::JSLexicalEnvironment::registerAt): Deleted.
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren): Deleted.
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::value):
        (JSC::JSNameScope::finishCreation):
        (JSC::JSNameScope::JSNameScope):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::findVariableIndex):
        (JSC::JSSegmentedVariableObject::addVariables):
        (JSC::JSSegmentedVariableObject::visitChildren):
        (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
        (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::variableAt):
        (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
        (JSC::JSSegmentedVariableObject::registerAt): Deleted.
        (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::offsetOfSymbolTable):
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/JSType.h:
        * runtime/Options.h:
        * runtime/ClonedArguments.cpp: Added.
        (JSC::ClonedArguments::ClonedArguments):
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::createStructure):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::getOwnPropertyNames):
        (JSC::ClonedArguments::put):
        (JSC::ClonedArguments::deleteProperty):
        (JSC::ClonedArguments::defineOwnProperty):
        (JSC::ClonedArguments::materializeSpecials):
        (JSC::ClonedArguments::materializeSpecialsIfNecessary):
        * runtime/ClonedArguments.h: Added.
        (JSC::ClonedArguments::specialsMaterialized):
        * runtime/ScopeOffset.cpp: Added.
        (JSC::ScopeOffset::dump):
        * runtime/ScopeOffset.h: Added.
        (JSC::ScopeOffset::ScopeOffset):
        * runtime/ScopedArguments.cpp: Added.
        (JSC::ScopedArguments::ScopedArguments):
        (JSC::ScopedArguments::finishCreation):
        (JSC::ScopedArguments::createUninitialized):
        (JSC::ScopedArguments::create):
        (JSC::ScopedArguments::createByCopying):
        (JSC::ScopedArguments::createByCopyingFrom):
        (JSC::ScopedArguments::visitChildren):
        (JSC::ScopedArguments::createStructure):
        (JSC::ScopedArguments::overrideThings):
        (JSC::ScopedArguments::overrideThingsIfNecessary):
        (JSC::ScopedArguments::overrideArgument):
        (JSC::ScopedArguments::copyToArguments):
        * runtime/ScopedArguments.h: Added.
        (JSC::ScopedArguments::internalLength):
        (JSC::ScopedArguments::length):
        (JSC::ScopedArguments::canAccessIndexQuickly):
        (JSC::ScopedArguments::getIndexQuickly):
        (JSC::ScopedArguments::setIndexQuickly):
        (JSC::ScopedArguments::callee):
        (JSC::ScopedArguments::overrodeThings):
        (JSC::ScopedArguments::offsetOfOverrodeThings):
        (JSC::ScopedArguments::offsetOfTotalLength):
        (JSC::ScopedArguments::offsetOfTable):
        (JSC::ScopedArguments::offsetOfScope):
        (JSC::ScopedArguments::overflowStorageOffset):
        (JSC::ScopedArguments::allocationSize):
        (JSC::ScopedArguments::overflowStorage):
        * runtime/ScopedArgumentsTable.cpp: Added.
        (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
        (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
        (JSC::ScopedArgumentsTable::destroy):
        (JSC::ScopedArgumentsTable::create):
        (JSC::ScopedArgumentsTable::clone):
        (JSC::ScopedArgumentsTable::setLength):
        (JSC::ScopedArgumentsTable::set):
        (JSC::ScopedArgumentsTable::createStructure):
        * runtime/ScopedArgumentsTable.h: Added.
        (JSC::ScopedArgumentsTable::length):
        (JSC::ScopedArgumentsTable::get):
        (JSC::ScopedArgumentsTable::lock):
        (JSC::ScopedArgumentsTable::offsetOfLength):
        (JSC::ScopedArgumentsTable::offsetOfArguments):
        (JSC::ScopedArgumentsTable::at):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTable::localToEntry):
        (JSC::SymbolTable::entryFor):
        (JSC::SymbolTable::cloneScopePart):
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForOffset):
        (JSC::SymbolTable::globalTypeSetForOffset):
        (JSC::SymbolTable::cloneCapturedNames): Deleted.
        (JSC::SymbolTable::uniqueIDForRegister): Deleted.
        (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::varOffsetFromBits):
        (JSC::SymbolTableEntry::scopeOffsetFromBits):
        (JSC::SymbolTableEntry::Fast::varOffset):
        (JSC::SymbolTableEntry::Fast::scopeOffset):
        (JSC::SymbolTableEntry::Fast::isDontEnum):
        (JSC::SymbolTableEntry::Fast::getAttributes):
        (JSC::SymbolTableEntry::SymbolTableEntry):
        (JSC::SymbolTableEntry::varOffset):
        (JSC::SymbolTableEntry::isWatchable):
        (JSC::SymbolTableEntry::scopeOffset):
        (JSC::SymbolTableEntry::setAttributes):
        (JSC::SymbolTableEntry::constantMode):
        (JSC::SymbolTableEntry::isDontEnum):
        (JSC::SymbolTableEntry::disableWatching):
        (JSC::SymbolTableEntry::pack):
        (JSC::SymbolTableEntry::isValidVarOffset):
        (JSC::SymbolTable::createNameScopeTable):
        (JSC::SymbolTable::maxScopeOffset):
        (JSC::SymbolTable::didUseScopeOffset):
        (JSC::SymbolTable::didUseVarOffset):
        (JSC::SymbolTable::scopeSize):
        (JSC::SymbolTable::nextScopeOffset):
        (JSC::SymbolTable::takeNextScopeOffset):
        (JSC::SymbolTable::add):
        (JSC::SymbolTable::set):
        (JSC::SymbolTable::argumentsLength):
        (JSC::SymbolTable::setArgumentsLength):
        (JSC::SymbolTable::argumentOffset):
        (JSC::SymbolTable::setArgumentOffset):
        (JSC::SymbolTable::arguments):
        (JSC::SlowArgument::SlowArgument): Deleted.
        (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
        (JSC::SymbolTableEntry::getIndex): Deleted.
        (JSC::SymbolTableEntry::isValidIndex): Deleted.
        (JSC::SymbolTable::captureStart): Deleted.
        (JSC::SymbolTable::setCaptureStart): Deleted.
        (JSC::SymbolTable::captureEnd): Deleted.
        (JSC::SymbolTable::setCaptureEnd): Deleted.
        (JSC::SymbolTable::captureCount): Deleted.
        (JSC::SymbolTable::isCaptured): Deleted.
        (JSC::SymbolTable::parameterCount): Deleted.
        (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
        (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
        (JSC::SymbolTable::slowArguments): Deleted.
        (JSC::SymbolTable::setSlowArguments): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VarOffset.cpp: Added.
        (JSC::VarOffset::dump):
        (WTF::printInternal):
        * runtime/VarOffset.h: Added.
        (JSC::VarOffset::VarOffset):
        (JSC::VarOffset::assemble):
        (JSC::VarOffset::isValid):
        (JSC::VarOffset::operator!):
        (JSC::VarOffset::kind):
        (JSC::VarOffset::isStack):
        (JSC::VarOffset::isScope):
        (JSC::VarOffset::isDirectArgument):
        (JSC::VarOffset::stackOffsetUnchecked):
        (JSC::VarOffset::scopeOffsetUnchecked):
        (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
        (JSC::VarOffset::stackOffset):
        (JSC::VarOffset::scopeOffset):
        (JSC::VarOffset::capturedArgumentsOffset):
        (JSC::VarOffset::rawOffset):
        (JSC::VarOffset::checkSanity):
        (JSC::VarOffset::operator==):
        (JSC::VarOffset::operator!=):
        (JSC::VarOffset::hash):
        (JSC::VarOffset::isHashTableDeletedValue):
        (JSC::VarOffsetHash::hash):
        (JSC::VarOffsetHash::equal):
        * tests/stress/arguments-exit-strict-mode.js: Added.
        * tests/stress/arguments-exit.js: Added.
        * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
        * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
        * tests/stress/arguments-inlined-exit.js: Added.
        * tests/stress/arguments-interference.js: Added.
        * tests/stress/arguments-interference-cfg.js: Added.
        * tests/stress/dead-get-closure-var.js: Added.
        * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
        * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
        * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
        * tests/stress/varargs-closure-inlined-exit.js: Added.
        * tests/stress/varargs-exit.js: Added.
        * tests/stress/varargs-inlined-exit.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
        * tests/stress/varargs-inlined-simple-exit.js: Added.
        * tests/stress/varargs-too-few-arguments.js: Added.
        * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
        * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
        * tests/stress/varargs-varargs-inlined-exit.js: Added.

2015-03-25  Andy Estes  <aestes@apple.com>

        [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
        https://bugs.webkit.org/show_bug.cgi?id=143068

        Reviewed by Dan Bernstein.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
        https://bugs.webkit.org/show_bug.cgi?id=142993

        Reviewed by Geoffrey Garen and Mark Lam.

        This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
        into using JITCompilationCanFail and having a legit fallback path. This mostly involves
        having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
        failure, but also involves adding the same kind of thing to the stub generators in
        Repatch.

        Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
        of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
        like host call stub generation, could handle a GC, but those get invoked very rarely. So,
        this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
        printout.

        Also add a way of inducing executable allocation failure, so that we can test this.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::link): Deleted.
        (JSC::DFG::JITCompiler::linkFunction): Deleted.
        * dfg/DFGJITCompiler.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLState.h:
        * jit/ArityCheckFailReturnThunks.cpp:
        (JSC::ArityCheckFailReturnThunks::returnPCsFor):
        * jit/ExecutableAllocationFuzz.cpp: Added.
        (JSC::numberOfExecutableAllocationFuzzChecks):
        (JSC::doExecutableAllocationFuzzing):
        * jit/ExecutableAllocationFuzz.h: Added.
        (JSC::doExecutableAllocationFuzzingIfEnabled):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCompilationEffort.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStubAndGetOldStructure):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.h:
        * runtime/VM.cpp:
        * tests/executableAllocationFuzz: Added.
        * tests/executableAllocationFuzz.yaml: Added.
        * tests/executableAllocationFuzz/v8-raytrace.js: Added.

2015-03-25  Mark Lam  <mark.lam@apple.com>

        REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
        <https://webkit.org/b/135719>

        Reviewed by Geoffrey Garen.

        This is a regression introduced in http://trac.webkit.org/changeset/169139 which
        changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
        update the LLINT to access it as such.

        The issue has only manifested so far on the CLoop tests because those are LLINT
        only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
        hiding the bug in the LLINT.

        * API/JSContextRef.cpp:
        (createWatchdogIfNeeded):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * llint/LowLevelInterpreter.asm:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.

        Rubber stamped by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>

        Fix formatting in BuiltinExecutables
        https://bugs.webkit.org/show_bug.cgi?id=143061

        Reviewed by Ryosuke Niwa.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):

2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Classes: Program level class statement throws exception in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=143038

        Reviewed by Ryosuke Niwa.

        Classes expose a name to the current lexical environment. This treats
        "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
        Also, improve error messages for class statements where the class is missing a name.

        * parser/Parser.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        Fill name in info parameter if needed. Better error message if name is needed and missing.

        (JSC::Parser<LexerType>::parseClassDeclaration):
        Pass info parameter to get name, and expose the name as a variable name.

        (JSC::Parser<LexerType>::parsePrimaryExpression):
        Pass info parameter that is ignored.

        * parser/ParserFunctionInfo.h:
        Add a parser info for class, to extract the name.

2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        New map and set modification tests in r181922 fails
        https://bugs.webkit.org/show_bug.cgi?id=143031

        Reviewed and tweaked by Geoffrey Garen.

        When packing the Map/Set backing store, we need to decrement the Map/Set iterator's m_index
        to adjust for the packed backing store.

        Consider the following map data.

        x: deleted, o: exists
        0 1 2 3 4
        x x x x o

        And an iterator with m_index 3.

        When packing the map data, the map data will become:

        0
        o

        At that time, we perform didRemoveEntry 4 times on iterators.
        times => m_index/index/result
        1 => 3/0/dec
        2 => 2/1/dec
        3 => 1/2/nothing
        4 => 1/3/nothing

        After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
        This is because we use the decremented m_index for comparison, while the provided
        deletedIndex is the index in the old storage and m_index is the index in the partially packed storage.

        In this patch, we compare against the packed index instead.
        times => m_index/packedIndex/result
        1 => 3/0/dec
        2 => 2/0/dec
        3 => 1/0/dec
        4 => 0/0/nothing

        So m_index becomes 0 as expected.

        And according to the spec, once the iterator is closed (becomes done: true),
        its internal [[Map]]/[[Set]] is set to undefined.
        So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).

        In this patch, we change 2 things.
        1. Compare an iterator's index against the packed index when removing an entry.
        2. If the iterator is closed (isFinished()), we don't apply the adjustment to the iterator.

        * runtime/MapData.h:
        (JSC::MapDataImpl::IteratorData::finish):
        (JSC::MapDataImpl::IteratorData::isFinished):
        (JSC::MapDataImpl::IteratorData::didRemoveEntry):
        (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
        (JSC::MapDataImpl::IteratorData::startPackBackingStore):
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::replaceAndPackBackingStore):
        * tests/stress/modify-map-during-iteration.js:
        * tests/stress/modify-set-during-iteration.js:

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        Setter should have a single formal parameter, Getter no parameters
        https://bugs.webkit.org/show_bug.cgi?id=142903

        Reviewed by Geoffrey Garen.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        Enforce no parameters for getters and a single parameter
        for setters, with informational error messages.

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
        https://bugs.webkit.org/show_bug.cgi?id=143012

        Reviewed by Ryosuke Niwa.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn):
        Fix handling of "undefined" when returned from a Derived class. It was
        returning "undefined" when it should have returned "this".

2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
        https://bugs.webkit.org/show_bug.cgi?id=142696

        Reviewed and tweaked by Geoffrey Garen.

        Before r142556, JSSetIterator::destroy was not defined.
        So accidentally MapData::const_iterator in JSSet was never destroyed.
        But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.

        After r142556, JSSetIterator::destroy works.
        It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
        But JSSetIterator::~JSSetIterator requires the owned JSSet since it mutates MapData->m_iteratorCount.

        It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
        and marks it in visitChildren (WriteBarrier<Unknown>).
        However, the order of destructions is not guaranteed in a GC-ed system.

        Consider the following case:
        allocate JSSet and subsequently allocate JSSetIterator.
        And they reside in separate MarkedBlocks, <1> and <2>.

        JSSet<1> <- JSSetIterator<2>

        And after that, when performing GC, the Marker decides that the above 2 objects are not marked.
        And the Marker also decides MarkedBlocks <1> and <2> can be swept.

        First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
        Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
        However, JSSetIterator<2>'s destructor,
        JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.

        In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
        When packing the removed elements in JSSet/JSMap, we apply the change to all live
        iterators tracked by WeakGCMap.

        WeakGCMap can only track JSCells since they are managed by GC.
        So we drop the JSSet/JSMap C++ style iterators. Instead of a C++ style iterator, this patch
        introduces JS style iterator signatures into the C++ class IteratorData.
        If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
        IteratorData directly.

        * runtime/JSMap.cpp:
        (JSC::JSMap::destroy):
        * runtime/JSMap.h:
        (JSC::JSMap::JSMap):
        (JSC::JSMap::begin): Deleted.
        (JSC::JSMap::end): Deleted.
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::destroy):
        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::next):
        (JSC::JSMapIterator::nextKeyValue):
        (JSC::JSMapIterator::iteratorData):
        (JSC::JSMapIterator::JSMapIterator):
        * runtime/JSSet.cpp:
        (JSC::JSSet::destroy):
        * runtime/JSSet.h:
        (JSC::JSSet::JSSet):
        (JSC::JSSet::begin): Deleted.
        (JSC::JSSet::end): Deleted.
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::destroy):
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::next):
        (JSC::JSSetIterator::iteratorData):
        (JSC::JSSetIterator::JSSetIterator):
        * runtime/MapData.h:
        (JSC::MapDataImpl::IteratorData::finish):
        (JSC::MapDataImpl::IteratorData::isFinished):
        (JSC::MapDataImpl::shouldPack):
        (JSC::JSIterator>::MapDataImpl):
        (JSC::JSIterator>::KeyType::KeyType):
        (JSC::JSIterator>::IteratorData::IteratorData):
        (JSC::JSIterator>::IteratorData::next):
        (JSC::JSIterator>::IteratorData::ensureSlot):
        (JSC::JSIterator>::IteratorData::applyMapDataPatch):
        (JSC::JSIterator>::IteratorData::refreshCursor):
        (JSC::MapDataImpl::const_iterator::key): Deleted.
        (JSC::MapDataImpl::const_iterator::value): Deleted.
        (JSC::MapDataImpl::const_iterator::operator++): Deleted.
        (JSC::MapDataImpl::const_iterator::finish): Deleted.
        (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
        (JSC::MapDataImpl::begin): Deleted.
        (JSC::MapDataImpl::end): Deleted.
        (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
        (JSC::MapDataImpl<Entry>::clear): Deleted.
        (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
        (JSC::=): Deleted.
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::clear):
        (JSC::JSIterator>::find):
        (JSC::JSIterator>::contains):
        (JSC::JSIterator>::add):
        (JSC::JSIterator>::set):
        (JSC::JSIterator>::get):
        (JSC::JSIterator>::remove):
        (JSC::JSIterator>::replaceAndPackBackingStore):
        (JSC::JSIterator>::replaceBackingStore):
        (JSC::JSIterator>::ensureSpaceForAppend):
        (JSC::JSIterator>::visitChildren):
        (JSC::JSIterator>::copyBackingStore):
        (JSC::JSIterator>::applyMapDataPatch):
        (JSC::MapDataImpl<Entry>::find): Deleted.
        (JSC::MapDataImpl<Entry>::contains): Deleted.
        (JSC::MapDataImpl<Entry>::add): Deleted.
        (JSC::MapDataImpl<Entry>::set): Deleted.
        (JSC::MapDataImpl<Entry>::get): Deleted.
        (JSC::MapDataImpl<Entry>::remove): Deleted.
        (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
        (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
        (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
        (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
        (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
        * runtime/MapPrototype.cpp:
        (JSC::mapProtoFuncForEach):
        * runtime/SetPrototype.cpp:
        (JSC::setProtoFuncForEach):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::forEach):
        * tests/stress/modify-map-during-iteration.js: Added.
        (testValue):
        (identityPairs):
        (.set if):
        (var):
        (set map):
        * tests/stress/modify-set-during-iteration.js: Added.
        (testValue):
        (set forEach):
        (set delete):

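The following is an added illustration, not WebKit's own code, of two points made in this ChangeLog: the packed-index adjustment of iterator cursors described in the 2015-03-25 entry for bug 143031 above, and the weak tracking of live iterators that the entry for bug 142696 above introduces. The names BackingStore, IteratorData, didRemoveEntry, pack, indexAfterPack and survivesEitherDestructionOrder are hypothetical, and std::weak_ptr stands in for WeakGCMap: the store never owns an iterator, an iterator's destructor never touches the store, and packing skips iterators that have already died.

```cpp
// Illustrative model (not WebKit code) of a Map/Set backing store that tracks
// live iterators weakly and adjusts their cursors when deleted slots are packed.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

struct Entry {
    int key;
    bool deleted;
};

// Cursor into the backing store; modelled after the ChangeLog's IteratorData.
struct IteratorData {
    int32_t m_index = 0;
    bool m_finished = false;

    void finish() { m_finished = true; }
    bool isFinished() const { return m_finished; }

    // removedIndex: position of the removed entry in the old storage.
    // packedIndex: position that entry would have had in the packed storage.
    // useOldComparison selects the pre-fix behaviour (compare against removedIndex).
    void didRemoveEntry(int32_t removedIndex, int32_t packedIndex, bool useOldComparison)
    {
        if (isFinished())
            return; // a closed iterator is never moved or revived
        int32_t compareAgainst = useOldComparison ? removedIndex : packedIndex;
        if (compareAgainst < m_index)
            --m_index;
    }
};

class BackingStore {
public:
    void append(int key) { m_entries.push_back({ key, false }); }
    void remove(size_t i) { m_entries[i].deleted = true; }
    size_t size() const { return m_entries.size(); }

    // The store keeps only a weak reference; ownership stays with the caller.
    std::shared_ptr<IteratorData> createIterator(int32_t startIndex)
    {
        auto it = std::make_shared<IteratorData>();
        it->m_index = startIndex;
        m_liveIterators.push_back(it);
        return it;
    }

    // Drop deleted entries, telling every still-live iterator about each removal.
    void pack(bool useOldComparison)
    {
        std::vector<Entry> packed;
        for (size_t i = 0; i < m_entries.size(); ++i) {
            if (!m_entries[i].deleted) {
                packed.push_back(m_entries[i]);
                continue;
            }
            int32_t packedIndex = static_cast<int32_t>(packed.size());
            for (auto& weak : m_liveIterators) {
                if (auto it = weak.lock()) // expired iterators are skipped, never dereferenced
                    it->didRemoveEntry(static_cast<int32_t>(i), packedIndex, useOldComparison);
            }
        }
        m_entries.swap(packed);
    }

private:
    std::vector<Entry> m_entries;
    std::vector<std::weak_ptr<IteratorData>> m_liveIterators;
};

// The ChangeLog scenario: entries 0..3 deleted, entry 4 live, iterator at m_index 3.
// Returns the iterator's m_index after packing.
int32_t indexAfterPack(bool useOldComparison, bool iteratorFinished)
{
    BackingStore store;
    for (int k = 0; k < 5; ++k)
        store.append(k);
    for (size_t i = 0; i < 4; ++i)
        store.remove(i);
    auto it = store.createIterator(3);
    if (iteratorFinished)
        it->finish();
    store.pack(useOldComparison);
    return it->m_index;
}

// Destruction order must not matter: an iterator may die before the store packs,
// and a store may die while an iterator still exists.
bool survivesEitherDestructionOrder()
{
    BackingStore store;
    store.append(1);
    store.append(2);
    store.remove(0);
    {
        auto doomed = store.createIterator(1);
        (void)doomed;
    } // iterator destroyed first: its weak slot in the store simply expires
    std::shared_ptr<IteratorData> outlives;
    {
        BackingStore inner;
        inner.append(7);
        outlives = inner.createIterator(0);
    } // store destroyed first: the iterator holds no pointer back, so nothing dangles
    store.pack(false); // must not touch the expired iterator
    return store.size() == 1 && outlives->m_index == 0;
}

int main()
{
    std::printf("old comparison: m_index = %d\n", indexAfterPack(true, false));     // 1
    std::printf("packed comparison: m_index = %d\n", indexAfterPack(false, false)); // 0
    std::printf("finished iterator: m_index = %d\n", indexAfterPack(false, true));  // 3
    std::printf("destruction order safe: %s\n", survivesEitherDestructionOrder() ? "yes" : "no");
    return 0;
}
```

The useOldComparison flag reproduces the pre-fix outcome (m_index ends at 1 after the four removals) beside the fixed one (0); a finished iterator keeps its cursor, and packing after either object has died never dereferences the other.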
2015-03-24  Mark Lam  <mark.lam@apple.com>

        The ExecutionTimeLimit test should use its own JSGlobalContextRef.
        <https://webkit.org/b/143024>

        Reviewed by Geoffrey Garen.

        Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
        passed in from testapi.c.  It should create its own for better
        encapsulation of the test.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (currentCPUTimeAsJSFunctionCallback):
        (testExecutionTimeLimit):
        * API/tests/ExecutionTimeLimitTest.h:
        * API/tests/testapi.c:
        (main):

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Object Literal Methods toString is missing method name
        https://bugs.webkit.org/show_bug.cgi?id=142992

        Reviewed by Geoffrey Garen.

        Always stringify functions in the pattern:

          "function " + <function name> + <text from opening parenthesis to closing brace>.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        Update the path that was not stringifying in this pattern.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
        * parser/Nodes.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::parametersStartOffset):
        Pass the already known function parameter opening parenthesis
        start offset through to the FunctionExecutable.

        * tests/mozilla/js1_5/Scope/regress-185485.js:
        (with.g):
        Add back original space in this test that was removed by r181810
        now that we have the space again in stringification.

2015-03-24  Michael Saboff  <msaboff@apple.com>

        REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
        https://bugs.webkit.org/show_bug.cgi?id=142856

        Reviewed by Filip Pizlo.

        Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
        get info for three loops to iterate over indexed properties, structure properties and other properties,
        respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
        for all loops before we execute any enumeration.

        The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
        The named properties are one list, with structured properties in the range [0, m_endStructurePropertyIndex)
        and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).

        Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
        op_next_enumerator_pname.
        Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
        The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
        end value we stop iterating on.

        Made corresponding node changes to the DFG and FTL for the bytecode changes.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
        (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
        (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
        (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
        (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
        (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
1925         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
1926         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
1927         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
1928         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
1929         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
1930         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
1931         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
1932         * jit/JIT.cpp:
1933         (JSC::JIT::privateCompileMainPass):
1934         * jit/JIT.h:
1935         * jit/JITOpcodes.cpp:
1936         (JSC::JIT::emit_op_enumerator_structure_pname):
1937         (JSC::JIT::emit_op_enumerator_generic_pname):
1938         (JSC::JIT::emit_op_get_property_enumerator):
1939         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
1940         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
1941         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
1942         * jit/JITOpcodes32_64.cpp:
1943         (JSC::JIT::emit_op_enumerator_structure_pname):
1944         (JSC::JIT::emit_op_enumerator_generic_pname):
1945         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
1946         * jit/JITOperations.cpp:
1947         * jit/JITOperations.h:
1948         * llint/LowLevelInterpreter.asm:
1949         * runtime/CommonSlowPaths.cpp:
1950         (JSC::SLOW_PATH_DECL):
1951         * runtime/CommonSlowPaths.h:
1952         * runtime/JSPropertyNameEnumerator.cpp:
1953         (JSC::JSPropertyNameEnumerator::create):
1954         (JSC::JSPropertyNameEnumerator::finishCreation):
1955         * runtime/JSPropertyNameEnumerator.h:
1956         (JSC::JSPropertyNameEnumerator::indexedLength):
1957         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
1958         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
1959         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
1960         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
1961         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
1962         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
1963         (JSC::propertyNameEnumerator):
1964         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
1965         (JSC::structurePropertyNameEnumerator): Deleted.
1966         (JSC::genericPropertyNameEnumerator): Deleted.
1967         * runtime/Structure.cpp:
1968         (JSC::Structure::setCachedPropertyNameEnumerator):
1969         (JSC::Structure::cachedPropertyNameEnumerator):
1970         (JSC::Structure::canCachePropertyNameEnumerator):
1971         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
1972         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
1973         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
1974         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
1975         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
1976         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
1977         * runtime/Structure.h:
1978         * runtime/StructureRareData.cpp:
1979         (JSC::StructureRareData::visitChildren):
1980         (JSC::StructureRareData::cachedPropertyNameEnumerator):
1981         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
1982         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
1983         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
1984         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
1985         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
1986         * runtime/StructureRareData.h:
1987         * tests/stress/for-in-delete-during-iteration.js:
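
To make the three-loop scheme concrete, here is an added model (not JSC code) of the enumeration this entry describes: one enumerator snapshot is taken before any loop runs, and the indexed, structure and generic loops then skip properties that have disappeared in the meantime. ObjectModel, EnumeratorModel and the helper functions are assumed stand-ins for JSObject and JSPropertyNameEnumerator.

```cpp
// Added example, not JSC code: models the for..in enumeration described above.
#include <algorithm>
#include <functional>
#include <set>
#include <string>
#include <vector>

// Stand-in for JSObject (assumption): indexed properties, own named properties kept in
// structure order, and an optional prototype whose names are the "generic" properties.
struct ObjectModel {
    std::set<unsigned> indexed;
    std::vector<std::string> named;
    const ObjectModel* prototype = nullptr;

    bool hasOwnNamed(const std::string& k) const {
        return std::find(named.begin(), named.end(), k) != named.end();
    }
    bool hasNamed(const std::string& k) const {
        for (const ObjectModel* o = this; o; o = o->prototype)
            if (o->hasOwnNamed(k)) return true;
        return false;
    }
    bool hasIndexed(unsigned i) const {
        for (const ObjectModel* o = this; o; o = o->prototype)
            if (o->indexed.count(i)) return true;
        return false;
    }
    void addNamed(const std::string& k) { if (!hasOwnNamed(k)) named.push_back(k); }
    void removeNamed(const std::string& k) {
        named.erase(std::remove(named.begin(), named.end(), k), named.end());
    }
};

// Stand-in for JSPropertyNameEnumerator: an indexed count plus one name list split into
// [0, endStructurePropertyIndex) and [endStructurePropertyIndex, endGenericPropertyIndex).
struct EnumeratorModel {
    unsigned indexedLength = 0;
    std::vector<std::string> names;
    size_t endStructurePropertyIndex = 0;
    size_t endGenericPropertyIndex = 0;
};

// The single C++ call that gathers everything all three loops need.
EnumeratorModel getPropertyEnumerator(const ObjectModel& obj) {
    EnumeratorModel e;
    if (!obj.indexed.empty())
        e.indexedLength = *obj.indexed.rbegin() + 1;
    e.names = obj.named;                             // structure properties come first
    e.endStructurePropertyIndex = e.names.size();
    std::set<std::string> seen(obj.named.begin(), obj.named.end());
    for (const ObjectModel* p = obj.prototype; p; p = p->prototype)
        for (const std::string& n : p->named)        // generic: unshadowed prototype names
            if (seen.insert(n).second) e.names.push_back(n);
    e.endGenericPropertyIndex = e.names.size();
    return e;
}

// for (key in obj) body(obj, key); returns the keys the body saw, in order.
std::vector<std::string> forIn(ObjectModel& obj,
                               const std::function<void(ObjectModel&, const std::string&)>& body) {
    const EnumeratorModel e = getPropertyEnumerator(obj); // snapshot taken before any loop runs
    std::vector<std::string> visited;
    auto visit = [&](const std::string& key) { visited.push_back(key); body(obj, key); };
    for (unsigned i = 0; i < e.indexedLength; ++i)              // loop 1: indexed properties
        if (obj.hasIndexed(i)) visit(std::to_string(i));         // deleted since snapshot: skipped
    for (size_t i = 0; i < e.endStructurePropertyIndex; ++i)    // loop 2: structure properties
        if (obj.hasNamed(e.names[i])) visit(e.names[i]);
    for (size_t i = e.endStructurePropertyIndex; i < e.endGenericPropertyIndex; ++i) // loop 3: generic
        if (obj.hasNamed(e.names[i])) visit(e.names[i]);
    return visited;
}

// Properties added by the loop body are not enumerated: the snapshot predates them.
std::vector<std::string> addDuringIteration() {
    ObjectModel o;
    o.named = {"a", "b"};
    return forIn(o, [](ObjectModel& self, const std::string& k) { self.addNamed(k + "_new"); });
}

// A property deleted before the loop reaches it is skipped by the has-property check.
std::vector<std::string> deleteDuringIteration() {
    ObjectModel o;
    o.named = {"a", "b", "c"};
    return forIn(o, [](ObjectModel& self, const std::string& k) { if (k == "a") self.removeNamed("c"); });
}

// Order: indexed, then own (structure) names, then unshadowed prototype (generic) names.
std::vector<std::string> threeLoops() {
    ObjectModel proto;
    proto.named = {"p", "a"};                       // "a" is shadowed by the own property below
    ObjectModel o;
    o.prototype = &proto;
    o.indexed = {2, 0};
    o.named = {"a"};
    return forIn(o, [](ObjectModel&, const std::string&) {});
}
```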
1988
1989 2015-03-24  Michael Saboff  <msaboff@apple.com>
1990
1991         Unreviewed build fix for debug builds.
1992
1993         * runtime/ExceptionHelpers.cpp:
1994         (JSC::invalidParameterInSourceAppender):
1995
1996 2015-03-24  Saam Barati  <saambarati1@gmail.com>
1997
1998         Improve error messages in JSC
1999         https://bugs.webkit.org/show_bug.cgi?id=141869
2000
2001         Reviewed by Geoffrey Garen.
2002
2003         JavaScriptCore has some unintuitive error messages associated
2004         with certain common errors. This patch changes some specific
2005         error messages to be more understandable and also creates a
2006         mechanism that will allow for easy modification of error messages
2007         in the future. The specific errors we change are "not a function"
2008         errors and invalid parameter errors.
2009
2010         * CMakeLists.txt:
2011         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2012         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2013         * JavaScriptCore.xcodeproj/project.pbxproj:
2014         * interpreter/Interpreter.cpp:
2015         (JSC::sizeOfVarargs):
2016         * jit/JITOperations.cpp:
2017         op_throw_static_error always has a JSString as its argument.
2018         There is no need to dance around this, and we should assert
2019         that this always holds. This JSString represents the error 
2020         message we want to display to the user, so there is no need
2021         to pass it into errorDescriptionForValue which will now place
2022         quotes around the string.
2023
2024         * llint/LLIntSlowPaths.cpp:
2025         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2026         * runtime/CommonSlowPaths.h:
2027         (JSC::CommonSlowPaths::opIn):
2028         * runtime/ErrorInstance.cpp:
2029         (JSC::ErrorInstance::ErrorInstance):
2030         * runtime/ErrorInstance.h:
2031         (JSC::ErrorInstance::hasSourceAppender):
2032         (JSC::ErrorInstance::sourceAppender):
2033         (JSC::ErrorInstance::setSourceAppender):
2034         (JSC::ErrorInstance::clearSourceAppender):
2035         (JSC::ErrorInstance::setRuntimeTypeForCause):
2036         (JSC::ErrorInstance::runtimeTypeForCause):
2037         (JSC::ErrorInstance::clearRuntimeTypeForCause):
2038         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
2039         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
2040         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
2041         * runtime/ExceptionHelpers.cpp:
2042         (JSC::errorDescriptionForValue):
2043         (JSC::defaultApproximateSourceError):
2044         (JSC::defaultSourceAppender):
2045         (JSC::functionCallBase):
2046         (JSC::notAFunctionSourceAppender):
2047         (JSC::invalidParameterInSourceAppender):
2048         (JSC::invalidParameterInstanceofSourceAppender):
2049         (JSC::createError):
2050         (JSC::createInvalidFunctionApplyParameterError):
2051         (JSC::createInvalidInParameterError):
2052         (JSC::createInvalidInstanceofParameterError):
2053         (JSC::createNotAConstructorError):
2054         (JSC::createNotAFunctionError):
2055         (JSC::createNotAnObjectError):
2056         (JSC::createInvalidParameterError): Deleted.
2057         * runtime/ExceptionHelpers.h:
2058         * runtime/JSObject.cpp:
2059         (JSC::JSObject::hasInstance):
2060         * runtime/RuntimeType.cpp: Added.
2061         (JSC::runtimeTypeForValue):
2062         (JSC::runtimeTypeAsString):
2063         * runtime/RuntimeType.h: Added.
2064         * runtime/TypeProfilerLog.cpp:
2065         (JSC::TypeProfilerLog::processLogEntries):
2066         * runtime/TypeSet.cpp:
2067         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
2068         * runtime/TypeSet.h:
2069         * runtime/VM.cpp:
2070         (JSC::appendSourceToError):
2071         (JSC::VM::throwException):
2072
2073 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
2074
2075         JSC should have a low-cost asynchronous disassembler
2076         https://bugs.webkit.org/show_bug.cgi?id=142997
2077
2078         Reviewed by Mark Lam.
2079         
2080         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
2081         doesn't block execution. Some code will live a little longer because of this, since the
2082         work tasks hold a ref to the code, but other than that there is basically no overhead.
2083         
2084         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
2085         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
2086         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
2087         JSC_asyncDisassembly has bizarre behavior - so just choose one.
2088         
2089         A simple way of understanding how great this is, is to run a small benchmark like
2090         V8Spider/earley-boyer.
2091         
2092         Performance without any disassembly flags: 60ms
2093         Performance with JSC_showDisassembly=true: 477ms
2094         Performance with JSC_asyncDisassembly=true: 65ms
2095         
2096         So, the overhead of disassembly goes from 8x to 8%.
2097         
2098         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
2099         measuring benchmark performance. This is because at VM exit, we wait for all async
2100         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
2101         after the benchmark completely finishes to finish the disassemblies. This small weirdness
2102         should be OK for the intended use-cases, since all you have to do to get around it is to
2103         measure the execution time of the benchmark payload rather than the end-to-end time of
2104         launching the VM.
2105
2106         * assembler/LinkBuffer.cpp:
2107         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2108         * assembler/LinkBuffer.h:
2109         (JSC::LinkBuffer::wasAlreadyDisassembled):
2110         (JSC::LinkBuffer::didAlreadyDisassemble):
2111         * dfg/DFGJITCompiler.cpp:
2112         (JSC::DFG::JITCompiler::disassemble):
2113         * dfg/DFGJITFinalizer.cpp:
2114         (JSC::DFG::JITFinalizer::finalize):
2115         (JSC::DFG::JITFinalizer::finalizeFunction):
2116         * disassembler/Disassembler.cpp:
2117         (JSC::disassembleAsynchronously):
2118         (JSC::waitForAsynchronousDisassembly):
2119         * disassembler/Disassembler.h:
2120         * ftl/FTLCompile.cpp:
2121         (JSC::FTL::mmAllocateDataSection):
2122         * ftl/FTLLink.cpp:
2123         (JSC::FTL::link):
2124         * jit/JIT.cpp:
2125         (JSC::JIT::privateCompile):
2126         * jsc.cpp:
2127         * runtime/Options.h:
2128         * runtime/VM.cpp:
2129         (JSC::VM::~VM):
2130
2131 2015-03-23  Dean Jackson  <dino@apple.com>
2132
2133         ES7: Implement Array.prototype.includes
2134         https://bugs.webkit.org/show_bug.cgi?id=142707
2135
2136         Reviewed by Geoffrey Garen.
2137
2138         Add support for the ES7 includes method on Arrays.
2139         https://github.com/tc39/Array.prototype.includes
2140
2141         * builtins/Array.prototype.js:
2142         (includes): Implementation in JS.
2143         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
2144
2145 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2146
2147         __defineGetter__/__defineSetter__ should throw exceptions
2148         https://bugs.webkit.org/show_bug.cgi?id=142934
2149
2150         Reviewed by Geoffrey Garen.
2151
2152         * runtime/ObjectPrototype.cpp:
2153         (JSC::objectProtoFuncDefineGetter):
2154         (JSC::objectProtoFuncDefineSetter):
2155         Throw exceptions when these functions are used directly.
2156
2157 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2158
2159         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
2160         https://bugs.webkit.org/show_bug.cgi?id=142952
2161
2162         Reviewed by Geoffrey Garen.
2163
2164         * runtime/Structure.cpp:
2165         (JSC::PropertyTable::checkConsistency):
2166         The check offset method doesn't exist in PropertyTable, it exists in Structure.
2167
2168         (JSC::Structure::checkConsistency):
2169         So move it here, and always put it at the start to match normal behavior.
2170
2171 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2172
2173         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
2174         https://bugs.webkit.org/show_bug.cgi?id=142956
2175
2176         Rubber stamped by Gyuyoung Kim.
2177         
2178         Just removing dead code.
2179
2180         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2181         * JavaScriptCore.xcodeproj/project.pbxproj:
2182         * dfg/DFGOSRExit.h:
2183         * dfg/DFGOSRExitCompiler.cpp:
2184         * dfg/DFGValueRecoveryOverride.h: Removed.
2185
2186 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2187
2188         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
2189         https://bugs.webkit.org/show_bug.cgi?id=142948
2190
2191         Reviewed by Sam Weinig.
2192         
2193         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
2194         since a signal may clobber the area below the stack pointer. When the DFG is executing,
2195         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
2196         baseline, we will use a different amount of stack. This is because baseline is a different
2197         compiler. It will make different decisions. So it will use a different amount of stack.
2198         
2199         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
2200         incrementally transforming the stack from how it looked in the DFG to how it will look in
2201         baseline. The most conservative approach would be to set the stack pointer to the max of
2202         DFG and baseline.
2203         
2204         When this code was written, a reckless assumption was made: that the stack usage in
2205         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
2206         assumption, the code first adjusts the stack pointer to account for the baseline stack
2207         usage. This sort of usually works, because usually baseline does happen to use more stack.
2208         But that's not an invariant. Nobody guarantees this. We will never make any changes that
2209         would make this be guaranteed, because that would be antithetical to how optimizing
2210         compilers work. The DFG should be allowed to use however much stack it decides that it
2211         should use in order to get good performance, and it shouldn't try to guarantee that it
2212         always uses less stack than baseline.
2213         
2214         As such, we must always assume that the frame size for DFG execution (i.e.
2215         frameRegisterCount) and the frame size in baseline once we exit (i.e.
2216         requiredRegisterCountForExit) are two independent quantities and they have no
2217         relationship.
2218         
2219         Fortunately, though, this code can be made correct by just moving the stack adjustment to
2220         just before we do conversions. This is because we have since changed the OSR exit
2221         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
2222         drop it out of the scratch buffer and into the stack according to the baseline layout. The
2223         point just before conversions is the point where we have finished reading the DFG frame
2224         and will not read it anymore, and we haven't started writing the baseline frame. So, at
2225         this point it is safe to set the stack pointer to account for the frame size at exit.
2226         
2227         This is benign because baseline happens to create larger frames than DFG.
2228
2229         * dfg/DFGOSRExitCompiler32_64.cpp:
2230         (JSC::DFG::OSRExitCompiler::compileExit):
2231         * dfg/DFGOSRExitCompiler64.cpp:
2232         (JSC::DFG::OSRExitCompiler::compileExit):
2233         * dfg/DFGOSRExitCompilerCommon.cpp:
2234         (JSC::DFG::adjustAndJumpToTarget):
2235
2236 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2237
2238         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
2239
2240         Rubber stamped by Sam Weinig.
2241
2242         * tests/stress/equals-masquerader.js:
2243
2244 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2245
2246         tests/stress/*tdz* tests do 10x more iterations than necessary
2247         https://bugs.webkit.org/show_bug.cgi?id=142946
2248
2249         Reviewed by Ryosuke Niwa.
2250         
2251         The stress test harness runs all of these tests in various configurations. This includes
2252         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
2253         enough to get to the highest tier. The only exceptions are very large functions or
2254         functions that have some reoptimizations. That happens rarely, and when it does happen,
2255         usually 20,000 iterations is enough.
2256         
2257         Therefore, these tests use 10x too many iterations. This is bad, since these tests
2258         allocate on each iteration, and so they run very slowly in debug mode.
2259
2260         * tests/stress/class-syntax-no-loop-tdz.js:
2261         * tests/stress/class-syntax-no-tdz-in-catch.js:
2262         * tests/stress/class-syntax-no-tdz-in-conditional.js:
2263         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
2264         * tests/stress/class-syntax-no-tdz-in-loop.js:
2265         * tests/stress/class-syntax-no-tdz.js:
2266         * tests/stress/class-syntax-tdz-in-catch.js:
2267         * tests/stress/class-syntax-tdz-in-conditional.js:
2268         * tests/stress/class-syntax-tdz-in-loop.js:
2269         * tests/stress/class-syntax-tdz.js:
2270
2271 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2272
2273         Fix a typo in Parser error message
2274         https://bugs.webkit.org/show_bug.cgi?id=142942
2275
2276         Reviewed by Alexey Proskuryakov.
2277
2278         * jit/JITPropertyAccess.cpp:
2279         (JSC::JIT::emitSlow_op_resolve_scope):
2280         * jit/JITPropertyAccess32_64.cpp:
2281         (JSC::JIT::emitSlow_op_resolve_scope):
2282         * parser/Parser.cpp:
2283         (JSC::Parser<LexerType>::parseClass):
2284         Fix a common identifier typo.
2285
2286 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2287
2288         Computed Property names should allow only AssignmentExpressions not any Expression
2289         https://bugs.webkit.org/show_bug.cgi?id=142902
2290
2291         Reviewed by Ryosuke Niwa.
2292
2293         * parser/Parser.cpp:
2294         (JSC::Parser<LexerType>::parseProperty):
2295         Limit computed expressions to just assignment expressions instead of
2296         any expression (which allowed comma expressions).
2297
2298 2015-03-21  Andreas Kling  <akling@apple.com>
2299
2300         Make UnlinkedFunctionExecutable fit in a 128-byte cell.
2301         <https://webkit.org/b/142939>
2302
2303         Reviewed by Mark Hahnenberg.
2304
2305         Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
2306         a 128-byte heap cell instead of requiring a 256-byte one.
2307
2308         Threw in a static_assert to catch anyone pushing it over the limit again.
2309
2310         * bytecode/UnlinkedCodeBlock.cpp:
2311         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2312         * bytecode/UnlinkedCodeBlock.h:
2313         (JSC::UnlinkedFunctionExecutable::functionMode):
2314
2315 2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>
2316
2317         GCTimer should keep track of nested GC phases
2318         https://bugs.webkit.org/show_bug.cgi?id=142675
2319
2320         Reviewed by Darin Adler.
2321
2322         This improves the GC phase timing output in Heap.cpp by linking
2323         phases nested inside other phases together, allowing tools
2324         to compute how much time we're spending in various nested phases.
2325
2326         * heap/Heap.cpp:
2327
2328 2015-03-20  Geoffrey Garen  <ggaren@apple.com>
2329
2330         FunctionBodyNode should know where its parameters started
2331         https://bugs.webkit.org/show_bug.cgi?id=142926
2332
2333         Reviewed by Ryosuke Niwa.
2334
2335         This will allow us to re-parse parameters instead of keeping the
2336         parameters piece of the AST around forever.
2337
2338         I also took the opportunity to initialize most FunctionBodyNode data
2339         members at construction time, to help clarify that they are set right.
2340
2341         * parser/ASTBuilder.h:
2342         (JSC::ASTBuilder::createFunctionExpr): No need to pass
2343         functionKeywordStart here; we now provide it at FunctionBodyNode
2344         creation time.
2345
2346         (JSC::ASTBuilder::createFunctionBody): Require everything we need at
2347         construction time, including the start of our parameters.
2348
2349         (JSC::ASTBuilder::createGetterOrSetterProperty):
2350         (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
2351         functionKeywordStart here; we now provide it at FunctionBodyNode
2352         creation time.
2353
2354         (JSC::ASTBuilder::setFunctionNameStart): Deleted.
2355
2356         * parser/Nodes.cpp:
2357         (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
2358         construction time.
2359
2360         * parser/Nodes.h: Added a field for the location of our parameters.
2361
2362         * parser/Parser.cpp:
2363         (JSC::Parser<LexerType>::parseFunctionBody):
2364         (JSC::Parser<LexerType>::parseFunctionInfo):
2365         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2366         (JSC::Parser<LexerType>::parseClass):
2367         (JSC::Parser<LexerType>::parsePropertyMethod):
2368         (JSC::Parser<LexerType>::parseGetterSetter):
2369         (JSC::Parser<LexerType>::parsePrimaryExpression):
2370         * parser/Parser.h: Refactored to match above interface changes.
2371
2372         * parser/SyntaxChecker.h:
2373         (JSC::SyntaxChecker::createFunctionExpr):
2374         (JSC::SyntaxChecker::createFunctionBody):
2375         (JSC::SyntaxChecker::createFuncDeclStatement):
2376         (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
2377         above interface changes.
2378
2379         (JSC::SyntaxChecker::setFunctionNameStart): Deleted.
2380
2381 2015-03-20  Filip Pizlo  <fpizlo@apple.com>
2382
2383         Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
2384         https://bugs.webkit.org/show_bug.cgi?id=142920
2385
2386         Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
2387         
2388         Observably effectful, n.: If we reexecute the bytecode instruction after this node has
2389         executed, then something other than the bytecode instruction's specified outcome will
2390         happen.
2391
2392         We almost never had observably effectful nodes except at the end of the bytecode
2393         instruction.  The exception is a lowered transitioning PutById:
2394
2395         PutStructure(@o, S1 -> S2)
2396         PutByOffset(@o, @o, @v)
2397
2398         The PutStructure is observably effectful: if you try to reexecute the bytecode after
2399         doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
2400         first checking what the old structure of the object is; but if we reexecute, the old
2401         structure will seem to be the new structure.  But the property ensured by the new
2402         structure hasn't been stored yet, so any attempt to load it or scan it will crash.
2403
2404         Intriguingly, however, none of the other operations involved in the PutById are
2405         observably effectful.  Consider this example:
2406
2407         PutByOffset(@o, @o, @v)
2408         PutStructure(@o, S1 -> S2)
2409
2410         Note that the PutStructure node doesn't reallocate property storage; see further below
2411         for an example that does that. Because no property storage is happening, we know that we
2412         already had room for the new property.  This means that the PutByOffset is not observable
2413         until the PutStructure executes and "reveals" the property.  Hence, PutByOffset is not
2414         observably effectful.
2415
2416         Now consider this:
2417
2418         b: AllocatePropertyStorage(@o)
2419         PutByOffset(@b, @o, @v)
2420         PutStructure(@o, S1 -> S2)
2421
2422         Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
2423         effectful. It *does* reallocate the property storage and the new property storage pointer
2424         is stored into the object. But until the PutStructure occurs, the world will just think
2425         that the reallocation didn't happen, in the sense that we'll think that the property
2426         storage is using less memory than what we just allocated. That's harmless.
2427
2428         The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
2429         AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
2430         everything could be expected to be fine, so long as all of @o, @v and @b are on the
2431         stack. If they are all on the stack, then the GC will leave the property storage alone
2432         (so the extra memory we just allocated would be safe). The GC will not scan the part of
2433         the property storage that contains @v, but that's fine, so long as @v is on the stack.
2434         
2435         The better long-term solution is probably bug 142921.
2436         
2437         But for now, this:
2438         
2439         - Fixes an object materialization bug, exemplified by the two tests, that previously
2440           crashed 100% of the time with FTL enabled and concurrent JIT disabled.
2441         
2442         - Allows us to remove the workaround introduced in r174856.
2443
2444         * dfg/DFGByteCodeParser.cpp:
2445         (JSC::DFG::ByteCodeParser::handlePutById):
2446         * dfg/DFGConstantFoldingPhase.cpp:
2447         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2448         * dfg/DFGFixupPhase.cpp:
2449         (JSC::DFG::FixupPhase::insertCheck):
2450         (JSC::DFG::FixupPhase::indexOfNode): Deleted.
2451         (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
2452         * dfg/DFGInsertionSet.h:
2453         (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
2454         (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
2455         * tests/stress/materialize-past-butterfly-allocation.js: Added.
2456         (bar):
2457         (foo0):
2458         (foo1):
2459         (foo2):
2460         (foo3):
2461         (foo4):
2462         * tests/stress/materialize-past-put-structure.js: Added.
2463         (foo):
2464
2465 2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2466
2467         REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
2468         https://bugs.webkit.org/show_bug.cgi?id=142410
2469
2470         Reviewed by Geoffrey Garen.
2471
2472         Before this patch, the added function JSValue::toPropertyKey returned PropertyName.
2473         Since PropertyName doesn't have AtomicStringImpl ownership,
2474         if an Identifier is implicitly converted to PropertyName and the Identifier is destructed,
2475         PropertyName may refer to a freed AtomicStringImpl*.
2476
2477         This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
2478         to keep AtomicStringImpl* ownership after the toPropertyName call is done.
2479         And receive the result value as Identifier type to keep ownership in the caller side.
2480
2481         To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
2482
2483         However, now we don't need to have both Identifier and PropertyName.
2484         So we'll merge PropertyName into Identifier in the subsequent patch.
2485
2486         * dfg/DFGOperations.cpp:
2487         (JSC::DFG::operationPutByValInternal):
2488         * jit/JITOperations.cpp:
2489         (JSC::getByVal):
2490         * llint/LLIntSlowPaths.cpp:
2491         (JSC::LLInt::getByVal):
2492         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2493         * runtime/CommonSlowPaths.cpp:
2494         (JSC::SLOW_PATH_DECL):
2495         * runtime/CommonSlowPaths.h:
2496         (JSC::CommonSlowPaths::opIn):
2497         * runtime/JSCJSValue.h:
2498         * runtime/JSCJSValueInlines.h:
2499         (JSC::JSValue::toPropertyKey):
2500         * runtime/ObjectConstructor.cpp:
2501         (JSC::objectConstructorGetOwnPropertyDescriptor):
2502         (JSC::objectConstructorDefineProperty):
2503         * runtime/ObjectPrototype.cpp:
2504         (JSC::objectProtoFuncPropertyIsEnumerable):
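
To see why returning the non-owning type is a use-after-free, here is an added model (not JSC code) of the ownership relationship this entry describes: AtomicStringImplModel, IdentifierModel and PropertyNameModel are assumed stand-ins for WTF::AtomicStringImpl, JSC::Identifier and JSC::PropertyName, and the two toPropertyKey variants model the before and after of this patch.

```cpp
// Added example, not JSC code: models the ownership bug and fix described above.
#include <string>
#include <utility>

// Stand-in for WTF::AtomicStringImpl (assumption): an intrusively ref-counted string
// that counts live instances so the demo can observe when it is freed.
struct AtomicStringImplModel {
    static int liveCount;
    std::string chars;
    int refCount = 0;
    explicit AtomicStringImplModel(std::string s) : chars(std::move(s)) { ++liveCount; }
    ~AtomicStringImplModel() { --liveCount; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};
int AtomicStringImplModel::liveCount = 0;

// Stand-in for JSC::Identifier: owns one reference to the impl.
class IdentifierModel {
public:
    explicit IdentifierModel(const std::string& s) : m_impl(new AtomicStringImplModel(s)) { m_impl->ref(); }
    IdentifierModel(const IdentifierModel& other) : m_impl(other.m_impl) { m_impl->ref(); }
    IdentifierModel& operator=(const IdentifierModel&) = delete;
    ~IdentifierModel() { m_impl->deref(); }
    AtomicStringImplModel* impl() const { return m_impl; }
private:
    AtomicStringImplModel* m_impl;
};

// Stand-in for JSC::PropertyName: a non-owning view, implicitly convertible from an Identifier.
class PropertyNameModel {
public:
    PropertyNameModel(const IdentifierModel& id) : m_impl(id.impl()) {}  // no ref() taken
    AtomicStringImplModel* uid() const { return m_impl; }
private:
    AtomicStringImplModel* m_impl;
};

// Before the fix: the temporary Identifier is the only owner, and it dies on return,
// so the PropertyName handed back already points at freed memory.
PropertyNameModel toPropertyKeyBefore(const std::string& s) {
    IdentifierModel id(s);
    return id;  // implicit conversion to the view; `id` is destroyed and the impl freed
}

// After the fix: return the owning Identifier so the caller holds the reference.
IdentifierModel toPropertyKeyAfter(const std::string& s) {
    return IdentifierModel(s);
}

// Number of live impls once the caller holds the result of the buggy function: 0.
int liveAfterBuggyCall() {
    PropertyNameModel key = toPropertyKeyBefore("foo");
    (void)key;  // key.uid() is dangling; it is deliberately never dereferenced here
    return AtomicStringImplModel::liveCount;
}

// Same with the fixed function: the Identifier caught with `auto` keeps the impl alive: 1.
int liveAfterFixedCall() {
    auto key = toPropertyKeyAfter("foo");
    PropertyNameModel view = key;  // a view is safe while `key` is in scope
    return view.uid() == key.impl() ? AtomicStringImplModel::liveCount : -1;
}
```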
2505
2506 2015-03-18  Geoffrey Garen  <ggaren@apple.com>
2507
2508         Function.prototype.toString should not decompile the AST
2509         https://bugs.webkit.org/show_bug.cgi?id=142853
2510
2511         Reviewed by Sam Weinig.
2512
2513         To recover the function parameter string, Function.prototype.toString
2514         decompiles the function parameters from the AST. This is bad for a few
2515         reasons:
2516
2517         (1) It requires us to keep pieces of the AST live forever. This is an
2518         awkward design and a waste of memory.
2519
2520         (2) It doesn't match Firefox or Chrome (because it changes whitespace
2521         and ES6 destructuring expressions).
2522
2523         (3) It doesn't scale to ES6 default argument parameters, which require
2524         arbitrarily complex decompilation.
2525
2526         (4) It can counterfeit all the line numbers in a function (because
2527         whitespace can include newlines).
2528
2529         (5) It's expensive, and we've seen cases where websites invoke
2530         Function.prototype.toString a lot by accident.
2531
2532         The fix is to do what we do for the rest of the function: Just quote the
2533         original source text.
2534
2535         Since this change inevitably changes some function stringification, I
2536         took the opportunity to make our stringification match Firefox's and
2537         Chrome's.
2538
2539         * API/tests/testapi.c:
2540         (assertEqualsAsUTF8String): Be more informative when this fails.
2541
2542         (main): Updated to match new stringification rules.
2543
2544         * bytecode/UnlinkedCodeBlock.cpp:
2545         (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
2546         * bytecode/UnlinkedCodeBlock.h:
2547
2548         * parser/Nodes.h:
2549         (JSC::StatementNode::isFuncDeclNode): New helper for constructing
2550         anonymous functions.
2551
2552         * parser/SourceCode.h:
2553         (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it.
2554
2555         * runtime/CodeCache.cpp:
2556         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use
2557         of function declaration over function expression.
2558
2559         * runtime/Executable.cpp:
2560         (JSC::FunctionExecutable::paramString): Deleted. Yay!
2561         * runtime/Executable.h:
2562         (JSC::FunctionExecutable::parameterCount):
2563
2564         * runtime/FunctionConstructor.cpp:
2565         (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after
2566         the opening brace to match Firefox and Chrome, and a space after the comma
2567         to match Firefox and WebKit coding style. Added the function name to
2568         the text of the function so it would look right when stringify-ing. Switched
2569         from parentheses to braces to produce a function declaration instead of
2570         a function expression because we are required to exclude the function's
2571         name from its scope, and that's what a function declaration does.
2572
2573         * runtime/FunctionPrototype.cpp:
2574         (JSC::functionProtoFuncToString): Removed an old workaround because the
2575         library it worked around doesn't really exist anymore, and the behavior
2576         doesn't match Firefox or Chrome. Use type profiling offsets instead of
2577         function body offsets because we want to include the function name and
2578         the parameter string, rather than stitching them in manually by
2579         decompiling the AST.
2580
2581         (JSC::insertSemicolonIfNeeded): Deleted.
2582
2583         * tests/mozilla/js1_2/function/tostring-1.js:
2584         * tests/mozilla/js1_5/Scope/regress-185485.js:
2585         (with.g): Updated these test results for formatting changes.
2586
2587 2015-03-20  Joseph Pecoraro  <pecoraro@apple.com>
2588
2589         SyntaxChecker assertion is trapped with computed property name and getter
2590         https://bugs.webkit.org/show_bug.cgi?id=142863
2591
2592         Reviewed by Ryosuke Niwa.
2593
2594         * parser/SyntaxChecker.h:
2595         (JSC::SyntaxChecker::getName):
2596         Remove invalid assert. Computed properties will not have a name
2597         and the calling code is checking for null expecting it. The
2598         AST path (non-CheckingPath) already does this without the assert
2599         so it is well tested.
2600
2601 2015-03-19  Mark Lam  <mark.lam@apple.com>
2602
2603         JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
2604         <https://webkit.org/b/142846>
2605
2606         Reviewed by Geoffrey Garen.
2607
2608         Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
2609         1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
2610            that a JSCallbackObject references.
2611         2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
2612            vm.heap.addFinalizer() which destroys the JSCallbackObject.
2613
2614         The first finalizer is implemented as a virtual function of a JSCallbackObjectData
2615         instance that will be destructed if the 2nd finalizer is called.  Hence, if the
2616         2nd finalizer is called first, the later invocation of the 1st finalizer will
2617         result in a crash.
2618
2619         This patch fixes the issue by eliminating the finalizer registration in init().
2620         Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
2621         if needed.  This ensures that these finalizers are called before the JSCallbackObject
2622         is destructed.
2623
2624         Also added assertions to a few Heap functions because JSCell::classInfo() expects
2625         all objects that are allocated from MarkedBlock::Normal blocks to be derived from
2626         JSDestructibleObject.  These assertions will help us catch violations of this
2627         expectation earlier.
2628
2629         * API/JSCallbackObject.cpp:
2630         (JSC::JSCallbackObjectData::finalize): Deleted.
2631         * API/JSCallbackObject.h:
2632         (JSC::JSCallbackObjectData::~JSCallbackObjectData):
2633         * API/JSCallbackObjectFunctions.h:
2634         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2635         (JSC::JSCallbackObject<Parent>::init):
2636         * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
2637         (finalize):
2638         (testGlobalContextWithFinalizer):
2639         * API/tests/GlobalContextWithFinalizerTest.h: Added.
2640         * API/tests/testapi.c:
2641         (main):
2642         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
2643         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
2644         * JavaScriptCore.xcodeproj/project.pbxproj:
2645         * heap/HeapInlines.h:
2646         (JSC::Heap::allocateObjectOfType):
2647         (JSC::Heap::subspaceForObjectOfType):
2648         (JSC::Heap::allocatorForObjectOfType):
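
As an added example (not JavaScriptCore code, and using hypothetical names), the following C++ model shows the ordering the fix above guarantees: the object's destructor runs the class finalizers itself before its data is released, so a heap that walks its own finalizer list in any order cannot make a class finalizer run against already-destroyed data. ClassRef, CallbackObjectData, CallbackObject and Heap stand in for JSClassRef, JSCallbackObjectData, JSCallbackObject and the VM heap; the toy heap sweeps in reverse registration order on purpose.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

namespace finalizer_order {

// Teardown events are logged so the order can be checked afterwards.
using Log = std::vector<std::string>;

// Hypothetical stand-in for a JSClassRef: a class with an optional finalizer.
struct ClassRef {
    std::string name;
    std::function<void(Log&)> finalize;
};

// Stand-in for JSCallbackObjectData: owns the list of classes the object
// references. Class finalizers are callbacks on this data, so they must never
// run after it has been destroyed.
struct CallbackObjectData {
    std::vector<ClassRef*> classes;
    Log* log = nullptr;
    bool finalizersRun = false;

    // Runs each class finalizer exactly once ("if needed"): a second call is
    // a no-op, so running from the destructor cannot double-finalize.
    void runClassFinalizers()
    {
        if (finalizersRun)
            return;
        finalizersRun = true;
        for (ClassRef* c : classes)
            if (c->finalize)
                c->finalize(*log);
    }

    ~CallbackObjectData() { log->push_back("data destroyed"); }
};

// Stand-in for JSCallbackObject. Instead of registering a separate weak
// finalizer in init(), the destructor runs the class finalizers itself,
// while m_data is still alive, and only then releases the data.
class CallbackObject {
public:
    CallbackObject(Log& log, std::vector<ClassRef*> classes)
        : m_data(std::make_unique<CallbackObjectData>())
    {
        m_data->classes = std::move(classes);
        m_data->log = &log;
    }

    ~CallbackObject()
    {
        m_data->runClassFinalizers();
        m_data.reset();
    }

private:
    std::unique_ptr<CallbackObjectData> m_data;
};

// Toy heap: holds finalizers registered via addFinalizer() and runs them when
// sweeping. It deliberately sweeps in reverse registration order to show that
// the ordering of the heap's own list no longer matters.
class Heap {
public:
    void addFinalizer(std::function<void()> f) { m_finalizers.push_back(std::move(f)); }

    void sweepReversed()
    {
        for (auto it = m_finalizers.rbegin(); it != m_finalizers.rend(); ++it)
            (*it)();
        m_finalizers.clear();
    }

private:
    std::vector<std::function<void()>> m_finalizers;
};

// Mirrors create(): allocate the object and register a heap finalizer that
// destroys it. Returns the teardown log.
Log simulateTeardown()
{
    Log log;
    ClassRef a{"A", [](Log& l) { l.push_back("finalize A"); }};
    ClassRef b{"B", [](Log& l) { l.push_back("finalize B"); }};
    Heap heap;
    auto* object = new CallbackObject(log, {&a, &b});
    heap.addFinalizer([object] { delete object; });
    heap.sweepReversed();
    return log;
}

// True when every "finalize ..." entry precedes "data destroyed".
bool finalizersRanBeforeDataDestroyed(const Log& log)
{
    bool destroyed = false;
    for (const std::string& event : log) {
        if (event == "data destroyed")
            destroyed = true;
        else if (destroyed)
            return false;  // a finalizer ran on destroyed data
    }
    return destroyed;
}

// Exercises the "if needed" guard: running the finalizers twice yields one
// call per class, not two.
size_t finalizerCallsWhenRunTwice()
{
    Log log;
    size_t calls = 0;
    {
        ClassRef a{"A", [](Log& l) { l.push_back("finalize A"); }};
        ClassRef b{"B", [](Log& l) { l.push_back("finalize B"); }};
        CallbackObjectData data;
        data.classes = {&a, &b};
        data.log = &log;
        data.runClassFinalizers();
        data.runClassFinalizers();
        for (const std::string& event : log)
            if (event.rfind("finalize ", 0) == 0)
                ++calls;
    }
    return calls;
}

}  // namespace finalizer_order
```

The design point is that lifetime-dependent finalizers belong in the destructor of the thing that owns the data they touch, not in a second list whose order the owner does not control; the idempotent guard is what makes "call them if needed" safe when a caller has already run them.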
2649
2650 2015-03-19  Andreas Kling  <akling@apple.com>
2651
2652         JSCallee unnecessarily overrides a bunch of things in the method table.
2653         <https://webkit.org/b/142855>
2654
2655         Reviewed by Geoffrey Garen.
2656
2657         Remove JSCallee method table overrides that simply call to base class.
2658         This makes JSFunction property slot lookups slightly more efficient since
2659         they can take the fast path when passing over JSCallee in the base class chain.
2660
2661         * runtime/JSCallee.cpp:
2662         (JSC::JSCallee::getOwnPropertySlot): Deleted.
2663         (JSC::JSCallee::getOwnNonIndexPropertyNames): Deleted.
2664         (JSC::JSCallee::put): Deleted.
2665         (JSC::JSCallee::deleteProperty): Deleted.
2666         (JSC::JSCallee::defineOwnProperty): Deleted.
2667         * runtime/JSCallee.h:
2668
2669 2015-03-19  Andreas Kling  <akling@apple.com>
2670
2671         DFGAllocator should use bmalloc's aligned allocator.
2672         <https://webkit.org/b/142871>
2673
2674         Reviewed by Geoffrey Garen.
2675
2676         Switch DFGAllocator to using bmalloc through fastAlignedMalloc().
2677
2678         * dfg/DFGAllocator.h:
2679         (JSC::DFG::Allocator<T>::allocateSlow):
2680         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
2681         * heap/CopiedSpace.h:
2682         * heap/MarkedBlock.h:
2683         * heap/MarkedSpace.h:
2684
2685 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2686
2687         ES6 Classes: Extends should accept an expression without parenthesis
2688         https://bugs.webkit.org/show_bug.cgi?id=142840
2689
2690         Reviewed by Ryosuke Niwa.
2691
2692         * parser/Parser.cpp:
2693         (JSC::Parser<LexerType>::parseClass):
2694         "extends" allows a LeftHandExpression (new expression / call expression,
2695         which includes a member expression), not a primary expression. Our
2696         parseMemberExpression does all of these.
2697
2698 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2699
2700         Web Inspector: Debugger Popovers and Probes should use FormattedValue/ObjectTreeView instead of Custom/ObjectPropertiesSection
2701         https://bugs.webkit.org/show_bug.cgi?id=142830
2702
2703         Reviewed by Timothy Hatcher.
2704
2705         * inspector/agents/InspectorDebuggerAgent.cpp:
2706         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2707         Give Probe Samples object previews.
2708
2709 2015-03-17  Ryuan Choi  <ryuan.choi@navercorp.com>
2710
2711         [EFL] Expose JavaScript binding interface through ewk_extension
2712         https://bugs.webkit.org/show_bug.cgi?id=142033
2713
2714         Reviewed by Gyuyoung Kim.
2715
2716         * PlatformEfl.cmake: Install Javascript APIs.
2717
2718 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2719
2720         Function bodies should always include braces
2721         https://bugs.webkit.org/show_bug.cgi?id=142795
2722
2723         Reviewed by Michael Saboff.
2724
2725         Having a mode for excluding the opening and closing braces from a function
2726         body was unnecessary and confusing.
2727
2728         * bytecode/CodeBlock.cpp:
2729         (JSC::CodeBlock::CodeBlock): Adopt the new one true linking function.
2730
2731         * bytecode/UnlinkedCodeBlock.cpp:
2732         (JSC::generateFunctionCodeBlock):
2733         (JSC::UnlinkedFunctionExecutable::link):
2734         (JSC::UnlinkedFunctionExecutable::codeBlockFor): No need to pass through
2735         a boolean: there is only one kind of function now.
2736
2737         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Deleted.
2738         (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Deleted. Let's only
2739         have one way to do things. This removes the old mode that would pretend
2740         that a function always started at column 1. That pretense was not true:
2741         an attribute event listener does not necessarily start at column 1.
2742
2743         * bytecode/UnlinkedCodeBlock.h:
2744         * generate-js-builtins: Adopt the new one true linking function.
2745
2746         * parser/Parser.h:
2747         (JSC::Parser<LexerType>::parse):
2748         (JSC::parse): needsReparsingAdjustment is always true now, so I removed it.
2749
2750         * runtime/Executable.cpp:
2751         (JSC::ScriptExecutable::newCodeBlockFor):
2752         (JSC::FunctionExecutable::FunctionExecutable):
2753         (JSC::ProgramExecutable::initializeGlobalProperties):
2754         (JSC::FunctionExecutable::fromGlobalCode):
2755         * runtime/Executable.h:
2756         (JSC::FunctionExecutable::create):
2757         (JSC::FunctionExecutable::bodyIncludesBraces): Deleted. Removed unused stuff.
2758
2759         * runtime/FunctionConstructor.cpp:
2760         (JSC::constructFunctionSkippingEvalEnabledCheck): Always provide a
2761         leading space because that's what this function's comment says is required
2762         for web compatibility. We used to fake this up after the fact when
2763         stringifying, based on the bodyIncludesBraces flag, but that flag is gone now.
2764
2765         * runtime/FunctionPrototype.cpp:
2766         (JSC::insertSemicolonIfNeeded):
2767         (JSC::functionProtoFuncToString): No need to add braces and/or a space
2768         after the fact -- we always have them now.
2769
2770 2015-03-17  Mark Lam  <mark.lam@apple.com>
2771
2772         Refactor execution time limit tests out of testapi.c.
2773         <https://webkit.org/b/142798>
2774
2775         Rubber stamped by Michael Saboff.
2776
2777         These tests were sometimes failing to time out on C loop builds.  Let's
2778         refactor them out of the big monolith that is testapi.c so that we can
2779         reason more easily about them and make adjustments if needed.
2780
2781         * API/tests/ExecutionTimeLimitTest.cpp: Added.
2782         (currentCPUTime):
2783         (currentCPUTimeAsJSFunctionCallback):
2784         (shouldTerminateCallback):
2785         (cancelTerminateCallback):
2786         (extendTerminateCallback):
2787         (testExecutionTimeLimit):
2788         * API/tests/ExecutionTimeLimitTest.h: Added.
2789         * API/tests/testapi.c:
2790         (main):
2791         (currentCPUTime): Deleted.
2792         (currentCPUTime_callAsFunction): Deleted.
2793         (shouldTerminateCallback): Deleted.
2794         (cancelTerminateCallback): Deleted.
2795         (extendTerminateCallback): Deleted.
2796         * JavaScriptCore.xcodeproj/project.pbxproj:
2797
2798 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2799
2800         Built-in functions should know that they use strict mode
2801         https://bugs.webkit.org/show_bug.cgi?id=142788
2802
2803         Reviewed by Mark Lam.
2804
2805         Even though all of our builtin functions use strict mode, the parser
2806         thinks that they don't. This is because Executable::toStrictness treats
2807         builtin-ness and strict-ness as mutually exclusive.
2808
2809         The fix is to disambiguate builtin-ness from strict-ness.
2810
2811         This bug is currently unobservable because of some other parser bugs. But
2812         it causes lots of test failures once those other bugs are fixed.
2813
2814         * API/JSScriptRef.cpp:
2815         (parseScript):
2816         * builtins/BuiltinExecutables.cpp:
2817         (JSC::BuiltinExecutables::createBuiltinExecutable): Adopt the new API
2818         for a separate value to indicate builtin-ness vs strict-ness.
2819
2820         * bytecode/UnlinkedCodeBlock.cpp:
2821         (JSC::generateFunctionCodeBlock):
2822         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Ditto.
2823
2824         * bytecode/UnlinkedCodeBlock.h:
2825         (JSC::UnlinkedFunctionExecutable::toStrictness): Deleted. This function
2826         was misleading since it pretended that no builtin function was ever
2827         strict, which is the opposite of true.
2828
2829         * parser/Lexer.cpp:
2830         (JSC::Lexer<T>::Lexer):
2831         * parser/Lexer.h:
2832         * parser/Parser.cpp:
2833         (JSC::Parser<LexerType>::Parser):
2834         * parser/Parser.h:
2835         (JSC::parse): Adopt the new API.
2836
2837         * parser/ParserModes.h: Added JSParserBuiltinMode, and tried to give
2838         existing modes clearer names.
2839
2840         * runtime/CodeCache.cpp:
2841         (JSC::CodeCache::getGlobalCodeBlock):
2842         (JSC::CodeCache::getProgramCodeBlock):
2843         (JSC::CodeCache::getEvalCodeBlock):
2844         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Adopt the new API.
2845
2846         * runtime/CodeCache.h:
2847         (JSC::SourceCodeKey::SourceCodeKey): Be sure to treat strict-ness and
2848         builtin-ness as separate pieces of the code cache key. We would not want
2849         a user function to match a built-in function in the cache, even if they
2850         agreed about strictness, since builtin functions have different lexing
2851         rules.
2852
2853         * runtime/Completion.cpp:
2854         (JSC::checkSyntax):
2855         * runtime/Executable.cpp:
2856         (JSC::FunctionExecutable::FunctionExecutable):
2857         (JSC::ProgramExecutable::checkSyntax):
2858         * runtime/Executable.h:
2859         (JSC::FunctionExecutable::create):
2860         * runtime/JSGlobalObject.cpp:
2861         (JSC::JSGlobalObject::createProgramCodeBlock):
2862         (JSC::JSGlobalObject::createEvalCodeBlock): Adopt the new API.
2863
2864 2015-03-16  Filip Pizlo  <fpizlo@apple.com>
2865
2866         DFG IR shouldn't have a separate node for every kind of put hint that could be described using PromotedLocationDescriptor
2867         https://bugs.webkit.org/show_bug.cgi?id=142769
2868
2869         Reviewed by Michael Saboff.
2870         
2871         When we sink an object allocation, we need to have some way of tracking what stores would
2872         have happened had the allocation not been sunk, so that we know how to rematerialize the
2873         object on OSR exit. Prior to this change, trunk had two ways of describing such a "put
2874         hint":
2875         
2876         - The PutStructureHint and PutByOffsetHint node types.
2877         - The PromotedLocationDescriptor class, which has an enum with cases StructurePLoc and
2878           NamedPropertyPLoc.
2879         
2880         We also had ways of converting from a Node with those two node types to a
2881         PromotedLocationDescriptor, and we had a way of converting a PromotedLocationDescriptor to
2882         a Node.
2883         
2884         This change removes the redundancy. We now have just one node type that corresponds to a
2885         put hint, and it's called PutHint. It has a PromotedLocationDescriptor as metadata.
2886         Converting between a PutHint node and a PromotedLocationDescriptor and vice-versa is now
2887         trivial.
2888         
2889         This means that if we add new kinds of sunken objects, we'll have less pro-forma to write
2890         for the put hints to those objects. This is mainly to simplify the implementation of
2891         arguments elimination in bug 141174.
2892
2893         * dfg/DFGAbstractInterpreterInlines.h:
2894         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2895         * dfg/DFGClobberize.h:
2896         (JSC::DFG::clobberize):
2897         * dfg/DFGDoesGC.cpp:
2898         (JSC::DFG::doesGC):
2899         * dfg/DFGFixupPhase.cpp:
2900         (JSC::DFG::FixupPhase::fixupNode):
2901         * dfg/DFGGraph.cpp:
2902         (JSC::DFG::Graph::dump):
2903         (JSC::DFG::Graph::mergeRelevantToOSR):
2904         * dfg/DFGMayExit.cpp:
2905         (JSC::DFG::mayExit):
2906         * dfg/DFGNode.cpp:
2907         (JSC::DFG::Node::convertToPutHint):
2908         (JSC::DFG::Node::convertToPutStructureHint):
2909         (JSC::DFG::Node::convertToPutByOffsetHint):
2910         (JSC::DFG::Node::promotedLocationDescriptor):
2911         * dfg/DFGNode.h:
2912         (JSC::DFG::Node::hasIdentifier):
2913         (JSC::DFG::Node::hasPromotedLocationDescriptor):
2914         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
2915         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
2916         * dfg/DFGNodeType.h:
2917         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2918         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2919         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2920         (JSC::DFG::ObjectAllocationSinkingPhase::run):
2921         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
2922         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2923         * dfg/DFGPredictionPropagationPhase.cpp:
2924         (JSC::DFG::PredictionPropagationPhase::propagate):
2925         * dfg/DFGPromoteHeapAccess.h:
2926         (JSC::DFG::promoteHeapAccess):
2927         * dfg/DFGPromotedHeapLocation.cpp:
2928         (JSC::DFG::PromotedHeapLocation::createHint):
2929         * dfg/DFGPromotedHeapLocation.h:
2930         (JSC::DFG::PromotedLocationDescriptor::imm1):
2931         (JSC::DFG::PromotedLocationDescriptor::imm2):
2932         * dfg/DFGSafeToExecute.h:
2933         (JSC::DFG::safeToExecute):
2934         * dfg/DFGSpeculativeJIT32_64.cpp:
2935         (JSC::DFG::SpeculativeJIT::compile):
2936         * dfg/DFGSpeculativeJIT64.cpp:
2937         (JSC::DFG::SpeculativeJIT::compile):
2938         * dfg/DFGValidate.cpp:
2939         (JSC::DFG::Validate::validateCPS):
2940         * ftl/FTLCapabilities.cpp:
2941         (JSC::FTL::canCompile):
2942         * ftl/FTLLowerDFGToLLVM.cpp:
2943         (JSC::FTL::LowerDFGToLLVM::compileNode):
2944
2945 2015-03-17  Michael Saboff  <msaboff@apple.com>
2946
2947         Windows X86-64 should use the fixed executable allocator
2948         https://bugs.webkit.org/show_bug.cgi?id=142749
2949
2950         Reviewed by Filip Pizlo.
2951
2952         Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build.
2953
2954         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2955         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2956         * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows.
2957
2958 2015-03-17  Matt Baker  <mattbaker@apple.com>
2959
2960         Web Inspector: Show rendering frames (and FPS) in Layout and Rendering timeline
2961         https://bugs.webkit.org/show_bug.cgi?id=142029
2962
2963         Reviewed by Timothy Hatcher.
2964
2965         * inspector/protocol/Timeline.json:
2966         Added new event type for runloop timeline records.
2967
2968 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
2969
2970         Enable ES6 classes by default
2971         https://bugs.webkit.org/show_bug.cgi?id=142774
2972
2973         Reviewed by Gavin Barraclough.
2974
2975         Enabled the feature and unskipped tests.
2976
2977         * Configurations/FeatureDefines.xcconfig:
2978         * tests/stress/class-syntax-no-loop-tdz.js:
2979         * tests/stress/class-syntax-no-tdz-in-catch.js:
2980         * tests/stress/class-syntax-no-tdz-in-conditional.js:
2981         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
2982         * tests/stress/class-syntax-no-tdz-in-loop.js:
2983         * tests/stress/class-syntax-no-tdz.js:
2984         * tests/stress/class-syntax-tdz-in-catch.js:
2985         * tests/stress/class-syntax-tdz-in-conditional.js:
2986         * tests/stress/class-syntax-tdz-in-loop.js:
2987         * tests/stress/class-syntax-tdz.js:
2988
2989 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
2990
2991         Web Inspector: Better Console Previews for Arrays / Small Objects
2992         https://bugs.webkit.org/show_bug.cgi?id=142322
2993
2994         Reviewed by Timothy Hatcher.
2995
2996         * inspector/InjectedScriptSource.js:
2997         Create deep valuePreviews for simple previewable objects,
2998         such as arrays with 5 values, or basic objects with
2999         3 properties.
3000
3001 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
3002
3003         Add support for default constructor
3004         https://bugs.webkit.org/show_bug.cgi?id=142388
3005
3006         Reviewed by Filip Pizlo.
3007
3008         Added the support for default constructors. They're generated by ClassExprNode::emitBytecode
3009         via BuiltinExecutables::createDefaultConstructor.
3010
3011         UnlinkedFunctionExecutable now has the ability to override SourceCode provided by the owner
3012         executable. We can't store SourceCode in UnlinkedFunctionExecutable since CodeCache can use
3013         the same UnlinkedFunctionExecutable to generate code blocks for multiple functions.
3014
3015         Parser now has the ability to treat any function expression as a constructor of the kind specified
3016         by m_defaultConstructorKind member variable.
3017
3018         * builtins/BuiltinExecutables.cpp:
3019         (JSC::BuiltinExecutables::createDefaultConstructor): Added.
3020         (JSC::BuiltinExecutables::createExecutableInternal): Generalized from createBuiltinExecutable.
3021         Parse default constructors as normal non-builtin functions. Override SourceCode in the unlinked
3022         function executable since the Miranda function's code is definitely not in the owner executable's
3023         source code. That's the whole point.
3024         * builtins/BuiltinExecutables.h:
3025         (UnlinkedFunctionExecutable::createBuiltinExecutable): Added. Wraps createExecutableInternal.
3026         * bytecode/UnlinkedCodeBlock.cpp:
3027         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3028         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable):
3029         (JSC::UnlinkedFunctionExecutable::linkGlobalCode):
3030         * bytecode/UnlinkedCodeBlock.h:
3031         (JSC::UnlinkedFunctionExecutable::create):
3032         (JSC::UnlinkedFunctionExecutable::symbolTable): Deleted.
3033         * bytecompiler/BytecodeGenerator.cpp:
3034         (JSC::BytecodeGenerator::emitNewDefaultConstructor): Added.
3035         * bytecompiler/BytecodeGenerator.h:
3036         * bytecompiler/NodesCodegen.cpp:
3037         (JSC::ClassExprNode::emitBytecode): Generate the default constructor if needed.
3038         * parser/Parser.cpp:
3039         (JSC::Parser<LexerType>::Parser):
3040         (JSC::Parser<LexerType>::parseFunctionInfo): Override ownerClassKind and treat the function as
3041         a constructor if we're parsing a default constructor.
3042         (JSC::Parser<LexerType>::parseClass): Allow omission of the class constructor.
3043         * parser/Parser.h:
3044         (JSC::parse):
3045
3046 2015-03-16  Alex Christensen  <achristensen@webkit.org>
3047
3048         Progress towards CMake on Mac
3049         https://bugs.webkit.org/show_bug.cgi?id=142747
3050
3051         Reviewed by Chris Dumez.
3052
3053         * CMakeLists.txt:
3054         Include AugmentableInspectorController.h in CMake build.
3055
3056 2015-03-16  Csaba Osztrogonác  <ossy@webkit.org>
3057
3058         [ARM] Enable generating idiv instructions if it is supported
3059         https://bugs.webkit.org/show_bug.cgi?id=142725
3060
3061         Reviewed by Michael Saboff.
3062
3063         * assembler/ARMAssembler.h: Added sdiv and udiv implementation for ARM Traditional instruction set.
3064         (JSC::ARMAssembler::sdiv):
3065         (JSC::ARMAssembler::udiv):
3066         * assembler/ARMv7Assembler.h: Use HAVE(ARM_IDIV_INSTRUCTIONS) instead of CPU(APPLE_ARMV7S).
3067         * assembler/AbstractMacroAssembler.h:
3068         (JSC::isARMv7IDIVSupported):
3069         (JSC::optimizeForARMv7IDIVSupported):
3070         (JSC::isARMv7s): Renamed to isARMv7IDIVSupported().
3071         (JSC::optimizeForARMv7s): Renamed to optimizeForARMv7IDIVSupported().
3072         * dfg/DFGFixupPhase.cpp:
3073         (JSC::DFG::FixupPhase::fixupNode):
3074         * dfg/DFGSpeculativeJIT.cpp:
3075         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3076         (JSC::DFG::SpeculativeJIT::compileArithMod):
3077
3078 2015-03-15  Filip Pizlo  <fpizlo@apple.com>
3079
3080         DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source, and emit GetStacks when the stack's value is needed and none is deferred
3081         https://bugs.webkit.org/show_bug.cgi?id=141624
3082
3083         Reviewed by Geoffrey Garen.
3084
3085         Not eliminating GetStacks was an obvious omission from the original PutStackSinkingPhase.
3086         Previously, we would treat GetStacks conservatively and assume that the stack slot
3087         escaped. That's pretty dumb, since a GetStack is a local load of the stack. This change
3088         makes GetStack a no-op from the standpoint of this phase's deferral analysis. At the end
3089         we either keep the GetStack (if there was no concrete deferral) or we replace it with an
3090         identity over the value that would have been stored by the deferred PutStack. Note that
3091         this might be a Phi that the phase creates, so this is strictly stronger than what GCSE
3092         could do.
3093         
3094         But this change revealed the fact that this phase never correctly handled side effects in
3095         case that we had done a GetStack, then a side-effect, and then found ourselves wanting the
3096         value on the stack due to (for example) a Phi on a deferred PutStack and that GetStack.
3097         Basically, it's only correct to use the SSA converter's incoming value mapping if we have
3098         a concrete deferral - since anything but a concrete deferral may imply that the value has
3099         been clobbered.
3100         
3101         This has no performance change. I believe that the bug was previously benign because we
3102         have so few operations that clobber the stack anymore, and most of those get used in a
3103         very idiomatic way. The GetStack elimination will be very useful for the varargs
3104         simplification that is part of bug 141174.
3105         
3106         This includes a test for the case that Speedometer hit, plus tests for the other cases I
3107         thought of once I realized the deeper issue.
3108
3109         * dfg/DFGPutStackSinkingPhase.cpp:
3110         * tests/stress/get-stack-identity-due-to-sinking.js: Added.
3111         (foo):
3112         (bar):
3113         * tests/stress/get-stack-mapping-with-dead-get-stack.js: Added.
3114         (bar):
3115         (foo):
3116         * tests/stress/get-stack-mapping.js: Added.
3117         (bar):
3118         (foo):
3119         * tests/stress/weird-put-stack-varargs.js: Added.
3120         (baz):
3121         (foo):
3122         (fuzz):
3123         (bar):
3124
3125 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3126
3127         Update Map/Set to treat -0 and 0 as the same value
3128         https://bugs.webkit.org/show_bug.cgi?id=142709
3129
3130         Reviewed by Csaba Osztrogonác.
3131
3132         * runtime/MapData.h:
3133         (JSC::MapDataImpl<Entry>::KeyType::KeyType):
3134         No longer special case -0. It will be treated as the same as 0.
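
An added example in C++ (not JSC's MapData code; names are hypothetical) of a key type with the semantics the entry describes: -0 is folded to +0 at construction so both hash and compare equal. It goes beyond the entry by also making NaN equal to NaN, which is what ES6 SameValueZero requires of Map and Set keys and which plain IEEE comparison does not give you.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <initializer_list>
#include <limits>
#include <unordered_set>

namespace map_key {

// Hypothetical Map/Set key wrapper with ES6 SameValueZero semantics for
// numbers: -0 and +0 are one key, and NaN matches NaN (IEEE == says it does
// not, and the sign bit distinguishes -0 from +0 bitwise).
struct NumberKey {
    double value;

    // Canonicalise at construction so every equal key has identical bits:
    // -0 becomes +0 and every NaN payload becomes the one quiet NaN.
    static NumberKey from(double d)
    {
        if (d == 0.0)
            d = std::fabs(d);  // true for both +0 and -0; fabs clears the sign
        else if (std::isnan(d))
            d = std::numeric_limits<double>::quiet_NaN();
        return NumberKey{d};
    }

    bool operator==(const NumberKey& other) const
    {
        if (std::isnan(value) || std::isnan(other.value))
            return std::isnan(value) && std::isnan(other.value);
        return value == other.value;  // +0 == -0 here even if not canonicalised
    }
};

struct NumberKeyHash {
    size_t operator()(const NumberKey& k) const
    {
        // Hash the canonical form, not the raw bits, so a key built without
        // from() (e.g. NumberKey{-0.0}) still lands in the same bucket.
        double d = NumberKey::from(k.value).value;
        uint64_t bits;
        std::memcpy(&bits, &d, sizeof bits);
        return std::hash<uint64_t>{}(bits);
    }
};

using NumberSet = std::unordered_set<NumberKey, NumberKeyHash>;

// Number of distinct keys a Set would hold after adding each value in turn.
size_t distinctKeys(std::initializer_list<double> values)
{
    NumberSet set;
    for (double v : values)
        set.insert(NumberKey::from(v));
    return set.size();
}

}  // namespace map_key
```

Canonicalising in both the constructor and the hash matters: a hash that looked at raw bits would put -0 and +0, or two NaNs with different payloads, in different buckets even though operator== says they are the same key, and lookups would then miss.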
3135
3136 2015-03-15  Joseph Pecoraro  <pecoraro@apple.com>
3137
3138         Web Inspector: Better handle displaying -0
3139         https://bugs.webkit.org/show_bug.cgi?id=142708
3140
3141         Reviewed by Timothy Hatcher.
3142
3143         Modeled after a blink change:
3144
3145         Patch by <aandrey@chromium.org>
3146         DevTools: DevTools: Show -0 for negative zero in console
3147         https://src.chromium.org/viewvc/blink?revision=162605&view=revision
3148
3149         * inspector/InjectedScriptSource.js:
3150         When creating a description string, or preview value string
3151         for -0, be sure the string is "-0" and not "0".
3152
3153 2015-03-14  Ryosuke Niwa  <rniwa@webkit.org>
3154
3155         parseClass should popScope after pushScope
3156         https://bugs.webkit.org/show_bug.cgi?id=142689
3157
3158         Reviewed by Benjamin Poulain.
3159
3160         Pop the parser scope as needed.
3161
3162         * parser/Parser.cpp:
3163         (JSC::Parser<LexerType>::parseClass):
3164
3165 2015-03-14  Dean Jackson  <dino@apple.com>
3166
3167         Feature flag for Animations Level 2
3168         https://bugs.webkit.org/show_bug.cgi?id=142699
3169         <rdar://problem/20165097>
3170
3171         Reviewed by Brent Fulgham.
3172
3173         Add ENABLE_CSS_ANIMATIONS_LEVEL_2 and a runtime flag animationTriggersEnabled.
3174
3175         * Configurations/FeatureDefines.xcconfig:
3176
3177 2015-03-14  Commit Queue  <commit-queue@webkit.org>
3178
3179         Unreviewed, rolling out r181487.
3180         https://bugs.webkit.org/show_bug.cgi?id=142695
3181
3182         Caused Speedometer/Full.html to fail (Requested by smfr on
3183         #webkit).
3184
3185         Reverted changeset:
3186
3187         "DFG::PutStackSinkingPhase should eliminate GetStacks that
3188         have an obviously known source"
3189         https://bugs.webkit.org/show_bug.cgi?id=141624
3190         http://trac.webkit.org/changeset/181487
3191
3192 2015-03-14  Michael Saboff  <msaboff@apple.com>
3193
3194         ES6: Add binary and octal literal support
3195         https://bugs.webkit.org/show_bug.cgi?id=142681
3196
3197         Reviewed by Ryosuke Niwa.
3198
3199         Added a binary literal parser function, parseBinary(), to Lexer patterned after the octal parser.
3200         Refactored the parseBinary, parseOctal and parseDecimal to use a constant size for the number of
3201         characters to try and handle directly. Factored out the shifting past any prefix to be handled by
3202         the caller. Added binary and octal parsing to toDouble() via helper functions.
3203
3204         * parser/Lexer.cpp:
3205         (JSC::Lexer<T>::parseHex):
3206         (JSC::Lexer<T>::parseBinary):
3207         (JSC::Lexer<T>::parseOctal):
3208         (JSC::Lexer<T>::parseDecimal):
3209         (JSC::Lexer<T>::lex):
3210         * parser/Lexer.h:
3211         * parser/ParserTokens.h:
3212         * runtime/JSGlobalObjectFunctions.cpp:
3213         (JSC::jsBinaryIntegerLiteral):
3214         (JSC::jsOctalIntegerLiteral):
3215         (JSC::toDouble):
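
        As an added illustration of the fast-path/slow-path pattern this entry describes (example code, not JSC's Lexer), the sketch below parses binary, octal and hex digits after the caller has shifted past the prefix: a constant number of digits goes through a 32-bit accumulator sized so it cannot wrap, longer literals continue in double, and a trailing decimal digit such as "0b12" is rejected. The function names and the maximumDigits values are assumptions.

```cpp
#include <cctype>
#include <cmath>
#include <cstdint>
#include <string>

// Digit value of c in `radix`, or -1 if c is not a digit of that radix.
static int digitValue(char c, int radix)
{
    unsigned char uc = static_cast<unsigned char>(c);
    int v = std::isdigit(uc) ? c - '0' : std::isxdigit(uc) ? 10 + (std::tolower(uc) - 'a') : 99;
    return v < radix ? v : -1;
}

// Assumed helper (not JSC's code): the caller has already shifted past the prefix.
// A constant number of digits goes through a uint32_t fast path sized so it cannot
// wrap; longer literals continue in double. Returns false for a malformed literal.
static bool parseRadix(const std::string& src, size_t& pos, int radix, double& returnValue)
{
    const unsigned maximumDigits = radix == 2 ? 32 : radix == 8 ? 10 : 8;
    uint32_t fast = 0;
    unsigned count = 0;
    for (; pos < src.size() && count < maximumDigits; ++pos, ++count) {
        int d = digitValue(src[pos], radix);
        if (d < 0) break;
        fast = fast * radix + d;
    }
    if (!count) return false;                   // "0b" with no digits
    double value = fast;
    while (pos < src.size()) {                  // slow path: beyond the fast-path width
        int d = digitValue(src[pos], radix);
        if (d < 0) break;
        value = value * radix + d;
        ++pos;
    }
    if (pos < src.size() && std::isdigit(static_cast<unsigned char>(src[pos])))
        return false;                           // e.g. "0b102" or "0o79"
    returnValue = value;
    return true;
}

// Caller side: recognise the prefix, shift past it, dispatch by radix. NaN = invalid.
double parsePrefixedLiteral(const std::string& src)
{
    if (src.size() < 2 || src[0] != '0') return std::nan("");
    char p = static_cast<char>(std::tolower(static_cast<unsigned char>(src[1])));
    int radix = p == 'b' ? 2 : p == 'o' ? 8 : p == 'x' ? 16 : 0;
    if (!radix) return std::nan("");
    size_t pos = 2; double value = 0;
    return parseRadix(src, pos, radix, value) && pos == src.size() ? value : std::nan("");
}
```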
3216
3217 2015-03-13  Alex Christensen  <achristensen@webkit.org>
3218
3219         Progress towards CMake on Mac.
3220         https://bugs.webkit.org/show_bug.cgi?id=142680
3221
3222         Reviewed by Gyuyoung Kim.
3223
3224         * PlatformMac.cmake:
3225         Generate TracingDtrace.h based on project.pbxproj.
3226
3227 2015-03-13  Filip Pizlo  <fpizlo@apple.com>
3228
3229         Object allocation sinking phase shouldn't re-decorate previously sunken allocations on each fixpoint operation
3230         https://bugs.webkit.org/show_bug.cgi?id=142686
3231
3232         Reviewed by Oliver Hunt.
3233         
3234         Just because promoteHeapAccess() notifies us of an effect to a heap location in a node doesn't
3235         mean that we should handle it as if it was for one of our sinking candidates. Instead we should
3236         prune based on m_sinkCandidates.
3237         
3238         This fixes a benign bug where we would generate a lot of repeated IR for some pathological
3239         tests.
3240
3241         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3242         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
3243
3244 2015-03-13  Eric Carlson  <eric.carlson@apple.com>
3245
3246         [Mac] Enable WIRELESS_PLAYBACK_TARGET
3247         https://bugs.webkit.org/show_bug.cgi?id=142635
3248
3249         Reviewed by Darin Adler.
3250
3251         * Configurations/FeatureDefines.xcconfig:
3252
3253 2015-03-13  Ryosuke Niwa  <rniwa@webkit.org>
3254
3255         Class constructor should throw TypeError when "called"
3256         https://bugs.webkit.org/show_bug.cgi?id=142566
3257
3258         Reviewed by Michael Saboff.
3259
3260         Added ConstructorKind::None to denote code that doesn't belong to an ES6 class.
3261         This allows BytecodeGenerator to emit code to throw TypeError when generating code block
3262         to call ES6 class constructors.
3263
3264         Most of the changes are about increasing the number of bits to store ConstructorKind from one
3265         bit to two bits.
3266
3267         * bytecode/UnlinkedCodeBlock.cpp:
3268         (JSC::generateFunctionCodeBlock):
3269         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3270         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3271         * bytecode/UnlinkedCodeBlock.h:
3272         (JSC::ExecutableInfo::ExecutableInfo):
3273         (JSC::ExecutableInfo::needsActivation):
3274         (JSC::ExecutableInfo::usesEval):
3275         (JSC::ExecutableInfo::isStrictMode):
3276         (JSC::ExecutableInfo::isConstructor):
3277         (JSC::ExecutableInfo::isBuiltinFunction):
3278         (JSC::ExecutableInfo::constructorKind):
3279         (JSC::UnlinkedFunctionExecutable::constructorKind):
3280         (JSC::UnlinkedCodeBlock::constructorKind):
3281         (JSC::UnlinkedFunctionExecutable::constructorKindIsDerived): Deleted.
3282         (JSC::UnlinkedCodeBlock::constructorKindIsDerived): Deleted.
3283         * bytecompiler/BytecodeGenerator.cpp:
3284         (JSC::BytecodeGenerator::generate): Don't emit bytecode when we had already emitted code
3285         to throw TypeError.
3286         (JSC::BytecodeGenerator::BytecodeGenerator): Emit code to throw TypeError when generating
3287         code to call.
3288         (JSC::BytecodeGenerator::emitReturn):
3289         * bytecompiler/BytecodeGenerator.h:
3290         (JSC::BytecodeGenerator::constructorKind):
3291         (JSC::BytecodeGenerator::constructorKindIsDerived): Deleted.
3292         * bytecompiler/NodesCodegen.cpp:
3293         (JSC::ThisNode::emitBytecode):
3294         (JSC::FunctionCallValueNode::emitBytecode):
3295         * parser/Nodes.cpp:
3296         (JSC::FunctionBodyNode::FunctionBodyNode):
3297         * parser/Nodes.h:
3298         * parser/Parser.cpp:
3299         (JSC::Parser<LexerType>::parseFunctionInfo): Renamed the incoming function argument to
3300         ownerClassKind. Set constructorKind to Base or Derived only if we're parsing a constructor.
3301         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3302         (JSC::Parser<LexerType>::parseClass): Don't parse static methods using MethodMode since that
3303         would result in BytecodeGenerator erroneously treating a static method named "constructor" as
3304         a class constructor.
3305         (JSC::Parser<LexerType>::parsePropertyMethod):
3306         (JSC::Parser<LexerType>::parsePrimaryExpression):
3307         * parser/Parser.h:
3308         * parser/ParserModes.h:
3309         * runtime/Executable.h:
3310         (JSC::EvalExecutable::executableInfo):
3311         (JSC::ProgramExecutable::executableInfo):
3312
3313 2015-03-13  Filip Pizlo  <fpizlo@apple.com>
3314
3315         DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source
3316         https://bugs.webkit.org/show_bug.cgi?id=141624
3317
3318         Reviewed by Oliver Hunt.
3319         
3320         This was an obvious omission from the original PutStackSinkingPhase. Previously, we would treat
3321         GetStacks conservatively and assume that the stack slot escaped. That's pretty dumb, since a
3322         GetStack is a local load of the stack. This change makes GetStack a no-op from the standpoint of
3323         this phase's deferral analysis. At the end we either keep the GetStack (if there was no concrete
3324         deferral) or we replace it with an identity over the value that would have been stored by the
3325         deferred PutStack. Note that this might be a Phi that the phase creates, so this is strictly
3326         stronger than what GCSE could do.
3327         
3328         This is probably not a speed-up now, but it will be very useful for the varargs simplification
3329         done in bug 141174.
3330
3331         * dfg/DFGPutStackSinkingPhase.cpp:
3332
3333 2015-03-12  Geoffrey Garen  <ggaren@apple.com>