a4ced7be9a7a47ce0624e690ff974972231ad58a
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-08-25  Brian Burg  <bburg@apple.com>

        Web Inspector: no need to allocate protocolErrors array for every dispatched backend command
        https://bugs.webkit.org/show_bug.cgi?id=146466

        Reviewed by Joseph Pecoraro.

        Clean up some of the backend dispatcher code, with a focus on eliminating useless allocations
        of objects in the common case when no protocol errors happen. This is done by saving the
        current id of each request as it is being processed by the backend dispatcher, and tagging any
        subsequent errors with that id. This also means we don't have to thread the requestId except
        in the async command code path.

        This patch also lifts some common code shared between all generated backend command
        implementations into the per-domain dispatch method instead. This reduces generated code size.

        To be consistent, this patch standardizes on calling the id of a backend message its 'requestId'.
        Requests can be handled synchronously or asynchronously (triggered via the 'async' property).

        No new tests, covered by existing protocol tests.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::CallbackBase): Split the two code paths for reporting
        success and failure.

        (Inspector::BackendDispatcher::CallbackBase::sendFailure):
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess): Renamed from sendIfActive.
        (Inspector::BackendDispatcher::dispatch): Reset counters and current requestId before dispatching.
        No need to manually thread the requestId to all reportProtocolError calls.

        (Inspector::BackendDispatcher::hasProtocolErrors): Added.
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors): Send any saved protocol errors to the frontend.
        Always send a 'data' member with all of the errors, even if there's just one. We might want to add
        more information about errors later.

        (Inspector::BackendDispatcher::reportProtocolError): Enqueue a protocol error to be sent later.
        (Inspector::BackendDispatcher::getPropertyValue): Remove useless type parameters and nuke most of
        the type conversion methods. Use std::function types instead of function pointer types.

        (Inspector::castToInteger): Added.
        (Inspector::castToNumber): Added.
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        (Inspector::getPropertyValue): Deleted.
        (Inspector::AsMethodBridges::asInteger): Deleted.
        (Inspector::AsMethodBridges::asDouble): Deleted.
        (Inspector::AsMethodBridges::asString): Deleted.
        (Inspector::AsMethodBridges::asBoolean): Deleted.
        (Inspector::AsMethodBridges::asObject): Deleted.
        (Inspector::AsMethodBridges::asArray): Deleted.
        (Inspector::AsMethodBridges::asValue): Deleted.
        * inspector/InspectorBackendDispatcher.h:
        * inspector/scripts/codegen/cpp_generator_templates.py: Extract 'params' object in domain dispatch method.
        Omit requestIds where possible. Convert dispatch tables to use NeverDestroyed. Check the protocol error count
        to decide whether to abort the dispatch or not, rather than allocating our own errors array.

        * inspector/scripts/codegen/cpp_generator_templates.py:
        (void):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: Revert to passing RefPtr<InspectorObject>
        since parameters are now being passed rather than the message object. Some commands do not require parameters.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command):
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/objc_generator_templates.py:

        Rebaseline some protocol generator tests.
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2015-08-25  Saam barati  <sbarati@apple.com>

        Let's rename codeOriginIndex to callSiteIndex and get rid of CallFrame::Location.
        https://bugs.webkit.org/show_bug.cgi?id=148213

        Reviewed by Filip Pizlo.

        This patch introduces a struct called CallSiteIndex which is
        used as a wrapper for a 32-bit int to place things in the tag for ArgumentCount
        in the call frame. On 32-bit we place Instruction* into this slot for LLInt and Baseline.
        For 32-bit DFG we place an index into the code origin table in this slot.
        On 64-bit we place a bytecode offset into this slot for LLInt and Baseline.
        On 64-bit we place the index into the code origin table in this slot in the
        DFG/FTL.

        This patch also gets rid of the encoding scheme that describes if something is a
        bytecode index or a code origin table index. This information can always
        be determined based on the CodeBlock's JITType.

        StructureStubInfo now also has a CallSiteIndex which it stores to
        the call frame when making a call.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasCodeOrigins):
        (JSC::CodeBlock::canGetCodeOrigin):
        (JSC::CodeBlock::codeOrigin):
        (JSC::CodeBlock::addFrequentExitSite):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::StructureStubInfo):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        (JSC::DFG::CommonData::addCodeOrigin):
        (JSC::DFG::CommonData::shrinkToFit):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::setEndOfCode):
        (JSC::DFG::JITCompiler::addCallSite):
        (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLInlineCacheDescriptor.h:
        (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
        (JSC::FTL::InlineCacheDescriptor::stackmapID):
        (JSC::FTL::InlineCacheDescriptor::callSiteIndex):
        (JSC::FTL::InlineCacheDescriptor::uid):
        (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
        (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
        (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
        (JSC::FTL::InlineCacheDescriptor::codeOrigin): Deleted.
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
        (JSC::FTL::DFG::LowerDFGToLLVM::getById):
        (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::storeCodeOrigin):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::currentVPC):
        (JSC::CallFrame::setCurrentVPC):
        (JSC::CallFrame::callSiteBitsAsBytecodeOffset):
        (JSC::CallFrame::bytecodeOffset):
        (JSC::CallFrame::codeOrigin):
        (JSC::CallFrame::topOfFrameInternal):
        (JSC::CallFrame::locationAsBytecodeOffset): Deleted.
        (JSC::CallFrame::setLocationAsBytecodeOffset): Deleted.
        (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex): Deleted.
        * interpreter/CallFrame.h:
        (JSC::CallSiteIndex::CallSiteIndex):
        (JSC::CallSiteIndex::bits):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::abstractReturnPC):
        (JSC::ExecState::topOfFrame):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setScope):
        (JSC::ExecState::currentVPC): Deleted.
        (JSC::ExecState::setCurrentVPC): Deleted.
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::callSiteBitsAreBytecodeOffset):
        (JSC::CallFrame::callSiteBitsAreCodeOriginIndex):
        (JSC::CallFrame::callSiteAsRawBits):
        (JSC::CallFrame::callSiteIndex):
        (JSC::CallFrame::hasActivation):
        (JSC::CallFrame::Location::encode): Deleted.
        (JSC::CallFrame::Location::decode): Deleted.
        (JSC::CallFrame::Location::encodeAsBytecodeOffset): Deleted.
        (JSC::CallFrame::Location::encodeAsBytecodeInstruction): Deleted.
        (JSC::CallFrame::Location::encodeAsCodeOriginIndex): Deleted.
        (JSC::CallFrame::Location::isBytecodeLocation): Deleted.
        (JSC::CallFrame::Location::isCodeOriginIndex): Deleted.
        (JSC::CallFrame::hasLocationAsBytecodeOffset): Deleted.
        (JSC::CallFrame::hasLocationAsCodeOriginIndex): Deleted.
        (JSC::CallFrame::locationAsRawBits): Deleted.
        (JSC::CallFrame::setLocationAsRawBits): Deleted.
        (JSC::CallFrame::locationAsBytecodeOffset): Deleted.
        (JSC::CallFrame::setLocationAsBytecodeOffset): Deleted.
        (JSC::CallFrame::locationAsCodeOriginIndex): Deleted.
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::Frame::print):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::garbageStubInfo):
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::generateFastPathChecks):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITGetByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::stubInfo):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlines.h:
        (JSC::JIT::updateTopCallFrame):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        (JSC::tryGetByValOptimize):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2015-08-25  Aleksandr Skachkov  <gskachkov@gmail.com>

        Function.prototype.toString is incorrect for ArrowFunction
        https://bugs.webkit.org/show_bug.cgi?id=148148

        Reviewed by Saam Barati.

        Added correct support for the toString() method for arrow functions.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        (JSC::ASTBuilder::createArrowFunctionExpr):
        * parser/Nodes.cpp:
        (JSC::FunctionMetadataNode::FunctionMetadataNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionMetadata):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * tests/stress/arrowfunction-tostring.js: Added.

2015-08-25  Saam barati  <sbarati@apple.com>

        Callee can be incorrectly overridden when it's captured
        https://bugs.webkit.org/show_bug.cgi?id=148400

        Reviewed by Filip Pizlo.

        We now resort to always creating the function name scope
        when the function name is in scope. Because the bytecode
        generator now has a notion of local lexical scoping,
        this incurs no runtime penalty for function expression names
        that aren't heap allocated. If they are heap allocated,
        this means we may now have one more scope on the runtime
        scope stack than before. This modification simplifies the
        callee initialization code and uses the lexical scoping constructs
        to implement this. This implementation also ensures
        that everything Just Works for functions with default
        parameter values. Before this patch, IIFE functions
        with default parameter values and a captured function
        name would crash JSC.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::resolveType):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::isReadOnly):
        (JSC::Variable::isSpecial):
        (JSC::Variable::isConst):
        (JSC::Variable::setIsReadOnly):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        * tests/stress/IIFE-es6-default-parameters.js: Added.
        (assert):
        (.):
        * tests/stress/IIFE-function-name-captured.js: Added.
        (assert):
        (.):

2015-08-24  Brian Burg  <bburg@apple.com>

        Web Inspector: add protocol test for existing error handling performed by the backend
        https://bugs.webkit.org/show_bug.cgi?id=147097

        Reviewed by Joseph Pecoraro.

        A new test revealed that the protocol "method" parameter was being parsed in a naive way.
        Rewrite it to use String::split and improve error checking to avoid failing later.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):

2015-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Return JSInternalPromise as result of evaluateModule
        https://bugs.webkit.org/show_bug.cgi?id=148173

        Reviewed by Saam Barati.

        Now evaluateModule returns JSInternalPromise* as its result value.
        When an error occurs while loading or executing the modules,
        this promise is rejected by that error. By leveraging this, we implemented
        asynchronous error reporting when executing the modules in JSC shell.

        And this patch also changes the evaluateModule signature to accept the entry
        point by the moduleName. By using it, JSC shell can start executing the modules
        with the entry point module name.

        * builtins/ModuleLoaderObject.js:
        (loadModule):
        * jsc.cpp:
        (dumpException):
        (runWithScripts):
        * runtime/Completion.cpp:
        (JSC::evaluateModule):
        * runtime/Completion.h:
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSInternalPromise.h:
        * runtime/ModuleLoaderObject.cpp:
        (JSC::ModuleLoaderObject::requestInstantiateAll):
        (JSC::ModuleLoaderObject::loadModule):
        (JSC::ModuleLoaderObject::resolve):
        (JSC::ModuleLoaderObject::fetch):
        (JSC::ModuleLoaderObject::translate):
        (JSC::ModuleLoaderObject::instantiate):
        (JSC::moduleLoaderObjectParseModule):
        * runtime/ModuleLoaderObject.h:

2015-08-24  Basile Clement  <basile_clement@apple.com>

        REPTACH is not a word
        https://bugs.webkit.org/show_bug.cgi?id=148401

        Reviewed by Saam Barati.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
        (JSC::MacroAssemblerX86_64::call):
        (JSC::MacroAssemblerX86_64::tailRecursiveCall):
        (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
        (JSC::MacroAssemblerX86_64::readCallTarget):
        (JSC::MacroAssemblerX86_64::linkCall):
        (JSC::MacroAssemblerX86_64::repatchCall):

2015-08-24  Mark Lam  <mark.lam@apple.com>

        Add support for setting JSC options from a file.
        https://bugs.webkit.org/show_bug.cgi?id=148394

        Reviewed by Saam Barati.

        This is needed for environments where the JSC executable does not have access to
        environmental variables.  This is only needed for debugging, and is currently
        guarded under a #define USE_OPTIONS_FILE in Options.cpp, and is disabled by
        default.

        Also fixed Options::setOptions() to allow for whitespace that is not a single
        ' '.  This makes setOptions() much more flexible and friendlier to use for loading
        options in general.

        For example, this current use case of loading options from a file may have '\n's
        in the character stream, and this feature is easier to implement if setOptions()
        just supports more than 1 whitespace char between options, and recognizes whitespace
        characters other than ' '.

        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::initialize):
        (JSC::Options::setOptions):

2015-08-24  Filip Pizlo  <fpizlo@apple.com>

        DFG::FixupPhase should use the lambda form of m_graph.doToChildren() rather than the old macro
        https://bugs.webkit.org/show_bug.cgi?id=148397

        Reviewed by Geoffrey Garen.

        We used to iterate the edges of a node by using the DFG_NODE_DO_TO_CHILDREN macro. We
        don't need to do that anymore since we have the lambda-based m_graph.doToChildren(). This
        allows us to get rid of a bunch of helper methods in DFG::FixupPhase.

        I also took the opportunity to give the injectTypeConversionsInBlock() method a more
        generic name, since after https://bugs.webkit.org/show_bug.cgi?id=145204 it will be used
        for fix-up of checks more broadly.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): Deleted.
        (JSC::DFG::FixupPhase::tryToRelaxRepresentation): Deleted.
        (JSC::DFG::FixupPhase::fixEdgeRepresentation): Deleted.
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Deleted.

2015-08-24  Geoffrey Garen  <ggaren@apple.com>

        Some renaming to clarify CodeBlock and UnlinkedCodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=148391

        Reviewed by Saam Barati.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        (JSC::generateFunctionCodeBlock): Deleted.
        (JSC::UnlinkedFunctionExecutable::codeBlockFor): Deleted.
        * bytecode/UnlinkedFunctionExecutable.h: Call our CodeBlocks "unlinked"
        in the name for clarity, since we are unlinked.

        * heap/Heap.cpp:
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::deleteAllCodeBlocks):
        (JSC::Heap::deleteAllUnlinkedCodeBlocks):
        (JSC::Heap::clearUnmarkedExecutables):
        (JSC::Heap::deleteOldCode):
        (JSC::Heap::FinalizerOwner::finalize):
        (JSC::Heap::addExecutable):
        (JSC::Heap::collectAllGarbageIfNotDoneRecently):
        (JSC::Heap::deleteAllCompiledCode): Deleted.
        (JSC::Heap::deleteAllUnlinkedFunctionCode): Deleted.
        (JSC::Heap::addCompiledCode): Deleted.
        * heap/Heap.h:
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::isSafeToCollect):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        (JSC::Heap::compiledCode): Deleted.

            deleteAllCompiledCode => deleteAllCodeBlocks because "compiled"
            is a broad phrase these days.

            m_compiledCode => m_executables for the same reason.

            addCompiledCode => addExecutable for the same reason.

            deleteAllUnlinkedFunctionCode => deleteAllUnlinkedCodeBlocks
            for consistency.

        * jsc.cpp:
        (functionDeleteAllCompiledCode):

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor): codeBlockFor => unlinkedCodeBlockFor

        (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): Deleted.
        It was strange to put this function on executable, since its name implied
        that it only changed the executable, but it actually changed all cached
        code. Now, a client that wants to change cached code must do so explicitly.

        * runtime/Executable.h:
        (JSC::ScriptExecutable::finishCreation):
        * runtime/VM.cpp:
        (JSC::VM::deleteAllCode):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope): Updated for renames above.

2015-08-22  Filip Pizlo  <fpizlo@apple.com>

        DFG::InsertionSet should be tolerant of occasional out-of-order insertions
        https://bugs.webkit.org/show_bug.cgi?id=148367

        Reviewed by Geoffrey Garen and Saam Barati.

        Since forever, the DFG::InsertionSet has been the way we insert nodes into DFG IR, and it
        requires that you walk a block in order and perform insertions in order: you can't insert
        something at index J, then at index I where I < J, except if you do a second pass.

        This restriction makes sense, because it enables a very fast algorithm. And it's very
        rare that a phase would need to insert things out of order.

        But sometimes - rarely - we need to insert things slightly out-of-order. For example we
        may want to insert a node at index J, but to insert a check associated with that node, we
        may need to use index I where I < J. This will come up from the work on
        https://bugs.webkit.org/show_bug.cgi?id=145204. And it has already come up in the past.
        It seems like it would be best to just lift this restriction.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGInsertionSet.cpp: Added.
        (JSC::DFG::InsertionSet::insertSlow):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::InsertionSet):
        (JSC::DFG::InsertionSet::graph):
        (JSC::DFG::InsertionSet::insert):
        (JSC::DFG::InsertionSet::execute):

2015-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        Create ById IC for ByVal operation only when the specific Id comes more than once
        https://bugs.webkit.org/show_bug.cgi?id=148288

        Reviewed by Geoffrey Garen.

        After introducing byId ICs into byVal ops, byVal ops create many more ICs than before.
        The failure fixed in r188767 shows that these ICs are created even if this op is executed only once.

        The situation is the following:
        In the current code, when a byVal op is executed with the Id, we immediately set up the byId IC for that byVal op.
        But setting up JITGetByIdGenerator generates the fast path IC code and consumes executable memory.
        As a result, if we call eval("contains byVal ops") with different strings repeatedly under a no-llint environment, each eval call creates a byId IC for byVal and consumes executable memory.

        To solve it, we will add a "seen" flag to ByValInfo.
        And we will create the IC on the second byVal op call with the same Id.

        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * jit/JITOperations.cpp:
        (JSC::tryGetByValOptimize):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByValWithCachedId): Deleted.
        (JSC::JIT::privateCompilePutByValWithCachedId): Deleted.

2015-08-23  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Get rid of NodePointerTraits
        https://bugs.webkit.org/show_bug.cgi?id=148340

        Reviewed by Anders Carlsson.

        NodePointerTraits does exactly the same thing as the default trait.

        * dfg/DFGBasicBlock.h:
        * dfg/DFGCommon.h:
        (JSC::DFG::NodePointerTraits::defaultValue): Deleted.
        (JSC::DFG::NodePointerTraits::isEmptyForDump): Deleted.

2015-08-23  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Reduce the memory usage of BytecodeLivenessAnalysis
        https://bugs.webkit.org/show_bug.cgi?id=148353

        Reviewed by Darin Adler.

        BytecodeLivenessAnalysis easily takes kilobytes of memory for
        non-trivial blocks and that memory sticks around because
        it is stored on CodeBlock.

        This patch reduces that memory use a bit.

        Most of the memory is in the array of BytecodeBasicBlock.
        BytecodeBasicBlock is shrunk by:
        -Making it not ref-counted.
        -Removing m_predecessors, it was only used for debugging and
         is usually big.
        -Adding a shrinkToFit() phase to shrink the vectors once we are
         done building the BytecodeBasicBlock.

        There are more things we should do in the future:
        -Store all the BytecodeBasicBlock directly in the array.
         We know the size ahead of time, this would be a pure win.
         The only tricky part is changing m_successors to have the
         index of the successor instead of a pointer.
        -Stop putting duplicates in m_successors.

        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::computeBytecodeBasicBlocks):
        (JSC::BytecodeBasicBlock::shrinkToFit): Deleted.
        (JSC::linkBlocks): Deleted.
        * bytecode/BytecodeBasicBlock.h:
        (JSC::BytecodeBasicBlock::addSuccessor):
        (JSC::BytecodeBasicBlock::addPredecessor): Deleted.
        (JSC::BytecodeBasicBlock::predecessors): Deleted.
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::getLeaderOffsetForBasicBlock):
        (JSC::findBasicBlockWithLeaderOffset):
        (JSC::findBasicBlockForBytecodeOffset):
        (JSC::stepOverInstruction):
        (JSC::computeLocalLivenessForBytecodeOffset):
        (JSC::computeLocalLivenessForBlock):
        (JSC::BytecodeLivenessAnalysis::dumpResults): Deleted.
        * bytecode/BytecodeLivenessAnalysis.h:

2015-08-23  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling back in r188792.
        https://bugs.webkit.org/show_bug.cgi?id=148347

        Previously reverted changesets:

        "Unify code paths for manually deleting all code"
        https://bugs.webkit.org/show_bug.cgi?id=148280
        http://trac.webkit.org/changeset/188792

        The previous patch caused some inspector tests to hang because it
        introduced extra calls to sourceParsed, and sourceParsed is
        pathologically slow in WK1 debug builds. This patch restores pre-existing
        code to limit calls to sourceParsed, excluding code not being debugged
        (i.e., inspector code).

628 2015-08-23  Geoffrey Garen  <ggaren@apple.com>
629
630         Unreviewed, rolling back in r188803.
631
632         Previously reverted changesets:
633
634         "Debugger's VM should never be null"
635         https://bugs.webkit.org/show_bug.cgi?id=148341
636         http://trac.webkit.org/changeset/188803
637
638         * debugger/Debugger.cpp:
639         (JSC::Debugger::Debugger):
640         (JSC::Debugger::attach):
641         (JSC::Debugger::detach):
642         (JSC::Debugger::isAttached):
643         (JSC::Debugger::setSteppingMode):
644         (JSC::Debugger::registerCodeBlock):
645         (JSC::Debugger::toggleBreakpoint):
646         (JSC::Debugger::recompileAllJSFunctions):
647         (JSC::Debugger::setBreakpoint):
648         (JSC::Debugger::clearBreakpoints):
649         (JSC::Debugger::clearDebuggerRequests):
650         (JSC::Debugger::setBreakpointsActivated):
651         (JSC::Debugger::breakProgram):
652         (JSC::Debugger::stepOutOfFunction):
653         (JSC::Debugger::returnEvent):
654         (JSC::Debugger::didExecuteProgram):
655         * debugger/Debugger.h:
656         * inspector/JSGlobalObjectScriptDebugServer.cpp:
657         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
658         (Inspector::JSGlobalObjectScriptDebugServer::removeListener):
659         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
660         (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions): Deleted.
661         * inspector/JSGlobalObjectScriptDebugServer.h:
662         * inspector/ScriptDebugServer.cpp:
663         (Inspector::ScriptDebugServer::ScriptDebugServer):
664         * inspector/ScriptDebugServer.h:
665
666 2015-08-22  Filip Pizlo  <fpizlo@apple.com>
667
668         DFG string concatenation shouldn't be playing fast and loose with effects and OSR exit
669         https://bugs.webkit.org/show_bug.cgi?id=148338
670
671         Reviewed by Michael Saboff and Saam Barati.
672
673         Prior to this change, DFG string concatenation appeared to have various different ways of
674         creating an OSR exit right after a side effect. That's bad, because the exit will cause
675         us to reexecute the side effect. The code appears to have some hacks for avoiding this,
676         but some cases are basically unavoidable, like the OOM case of string concatenation: in
677         trunk that could cause two executions of the toString operation.
678
679         This changes the string concatenation code to either be speculative or effectful but
680         never both. It's already the case that when this code needs to be effectful, it also
681         needs to be slow (it does int->string conversions, calls JS functions, etc). So, this is
682         a small price to pay for sanity.
683
684         The biggest part of this change is the introduction of StrCat, which is like MakeRope but
685         does toString conversions on its own instead of relying on separate nodes. StrCat can
686         take either 2 or 3 children. It's the effectful but not speculative version of MakeRope.
687
688         * dfg/DFGAbstractInterpreterInlines.h:
689         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
690         * dfg/DFGBackwardsPropagationPhase.cpp:
691         (JSC::DFG::BackwardsPropagationPhase::propagate):
692         * dfg/DFGByteCodeParser.cpp:
693         (JSC::DFG::ByteCodeParser::parseBlock):
694         * dfg/DFGClobberize.h:
695         (JSC::DFG::clobberize):
696         * dfg/DFGDoesGC.cpp:
697         (JSC::DFG::doesGC):
698         * dfg/DFGFixupPhase.cpp:
699         (JSC::DFG::FixupPhase::fixupNode):
700         (JSC::DFG::FixupPhase::convertStringAddUse):
701         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
702         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
703         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
704         * dfg/DFGNodeType.h:
705         * dfg/DFGOperations.cpp:
706         * dfg/DFGOperations.h:
707         * dfg/DFGPredictionPropagationPhase.cpp:
708         (JSC::DFG::PredictionPropagationPhase::propagate):
709         * dfg/DFGSafeToExecute.h:
710         (JSC::DFG::safeToExecute):
711         * dfg/DFGSpeculativeJIT.h:
712         (JSC::DFG::SpeculativeJIT::callOperation):
713         (JSC::DFG::JSValueOperand::JSValueOperand):
714         (JSC::DFG::JSValueOperand::~JSValueOperand):
715         * dfg/DFGSpeculativeJIT32_64.cpp:
716         (JSC::DFG::SpeculativeJIT::compile):
717         * dfg/DFGSpeculativeJIT64.cpp:
718         (JSC::DFG::SpeculativeJIT::compile):
719         * dfg/DFGValidate.cpp:
720         (JSC::DFG::Validate::validate):
721         * ftl/FTLCapabilities.cpp:
722         (JSC::FTL::canCompile):
723         * ftl/FTLIntrinsicRepository.h:
724         * ftl/FTLLowerDFGToLLVM.cpp:
725         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
726         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
727         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
728         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
729         * jit/JITOperations.h:
730         * tests/stress/exception-effect-strcat.js: Added. This test previously failed.
731         * tests/stress/exception-in-strcat-string-overflow.js: Added. An earlier version of this patch made this fail.
732         * tests/stress/exception-in-strcat.js: Added.
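
        The behaviour this entry's three stress tests guard, as an added example (not code from the WebKit ChangeLog or the JSC test suite): a script that checks each operand's toString side effect runs exactly once per concatenation, in left-to-right order, for both the two- and three-operand shapes, and that a throwing toString is observed exactly once with no operand converted twice. The function names, makeOperand, and the ITERATIONS count (chosen so a tiering JIT reaches its optimizing compilers) are assumptions.

```javascript
// Added example, not from the WebKit ChangeLog or the JSC stress tests.
// A JavaScript string concatenation must run each operand's toString
// exactly once, left to right, even if the engine leaves optimized code
// (an OSR exit) in the middle of the operation. The counters below make
// that observable. ITERATIONS is an assumption chosen to give a tiering
// JIT enough warm-up to reach its optimizing compilers.
"use strict";

const ITERATIONS = 20000;

// Constructed operand: every conversion appends its tag to `log`, and
// optionally throws after recording itself (hypothetical helper).
function makeOperand(tag, log, shouldThrow) {
  return {
    toString() {
      log.push(tag);
      if (shouldThrow) throw new Error("toString failed for " + tag);
      return tag;
    },
  };
}

// Two- and three-operand concatenation (the MakeRope/StrCat shapes named
// in the entry). Returns the number of iterations whose toString log was
// not exactly x,y for the pair and x,y,z for the triple, in that order.
function countMisorderedConversions(iterations = ITERATIONS) {
  let bad = 0;
  for (let i = 0; i < iterations; i++) {
    const log = [];
    const x = makeOperand("x", log, false);
    const y = makeOperand("y", log, false);
    const z = makeOperand("z", log, false);
    const two = "" + x + y;        // converts x, then y
    const three = "" + x + y + z;  // converts x, then y, then z
    if (two !== "xy" || three !== "xyz") bad++;
    else if (log.join() !== "x,y,x,y,z") bad++;
  }
  return bad; // expected: 0
}

// Throwing conversion: the exception must surface exactly once per attempt,
// and the operands before it must have been converted exactly once. Returns
// { attempts, caught, conversions }; conversions is expected to be
// 2 * attempts (x converted, then y converted and threw).
function exerciseThrowingConcat(iterations = ITERATIONS) {
  let caught = 0;
  let conversions = 0;
  for (let i = 0; i < iterations; i++) {
    const log = [];
    const x = makeOperand("x", log, false);
    const y = makeOperand("y", log, true);
    try {
      String("" + x + y);
    } catch (e) {
      caught++;
    }
    conversions += log.length;
  }
  return { attempts: iterations, caught, conversions };
}

console.log(
  "misordered iterations:", countMisorderedConversions(),
  "throwing case:", JSON.stringify(exerciseThrowingConcat())
);
```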
733
734 2015-08-22  Andreas Kling  <akling@apple.com>
735
736         [JSC] Static hash tables should be 100% compile-time constant.
737         <https://webkit.org/b/148359>
738
739         Reviewed by Michael Saboff.
740
741         We were dirtying the memory pages containing static hash tables the
742         first time they were used, when a dynamically allocated index-to-key
743         table was built and cached in the HashTable struct.
744
745         It turns out that this "optimization" was completely useless, since
746         we've long since decoupled static hash tables from the JSC::VM and
747         we can get the key for an index via HashTable::values[index].m_key!
748
749         We also get rid of VM::keywords which was a little wrapper around
750         a VM-specific copy of JSC::mainTable. There was nothing VM-specific
751         about it at all, so clients now use JSC::mainTable directly.
752
753         After this change all fooHashTable structs end up in __DATA __const
754         and no runtime initialization/allocation takes place.
755
756         * create_hash_table:
757         * jsc.cpp:
758         * parser/Lexer.cpp:
759         (JSC::isLexerKeyword):
760         (JSC::Lexer<LChar>::parseIdentifier):
761         (JSC::Lexer<UChar>::parseIdentifier):
762         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
763         (JSC::Keywords::Keywords): Deleted.
764         * parser/Lexer.h:
765         (JSC::Keywords::isKeyword): Deleted.
766         (JSC::Keywords::getKeyword): Deleted.
767         (JSC::Keywords::~Keywords): Deleted.
768         * runtime/LiteralParser.cpp:
769         (JSC::LiteralParser<CharType>::tryJSONPParse):
770         * runtime/Lookup.cpp:
771         (JSC::HashTable::createTable): Deleted.
772         (JSC::HashTable::deleteTable): Deleted.
773         * runtime/Lookup.h:
774         (JSC::HashTable::entry):
775         (JSC::HashTable::ConstIterator::key):
776         (JSC::HashTable::ConstIterator::skipInvalidKeys):
777         (JSC::HashTable::copy): Deleted.
778         (JSC::HashTable::initializeIfNeeded): Deleted.
779         (JSC::HashTable::begin): Deleted.
780         (JSC::HashTable::end): Deleted.
781         * runtime/VM.cpp:
782         (JSC::VM::VM): Deleted.
783         * runtime/VM.h:
784         * testRegExp.cpp:
785
786 2015-08-21  Commit Queue  <commit-queue@webkit.org>
787
788         Unreviewed, rolling out r188792 and r188803.
789         https://bugs.webkit.org/show_bug.cgi?id=148347
790
791         broke lots of tests, ggaren is going to investigate and reland
792         (Requested by thorton on #webkit).
793
794         Reverted changesets:
795
796         "Unify code paths for manually deleting all code"
797         https://bugs.webkit.org/show_bug.cgi?id=148280
798         http://trac.webkit.org/changeset/188792
799
800         "Debugger's VM should never be null"
801         https://bugs.webkit.org/show_bug.cgi?id=148341
802         http://trac.webkit.org/changeset/188803
803
804 2015-08-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
805
806         Parse control flow statements in WebAssembly
807         https://bugs.webkit.org/show_bug.cgi?id=148333
808
809         Reviewed by Geoffrey Garen.
810
811         Parse control flow statements in WebAssembly files generated by pack-asmjs
812         <https://github.com/WebAssembly/polyfill-prototype-1>.
813
814         * wasm/WASMConstants.h:
815         * wasm/WASMFunctionParser.cpp:
816         (JSC::WASMFunctionParser::parseStatement):
817         (JSC::WASMFunctionParser::parseIfStatement):
818         (JSC::WASMFunctionParser::parseIfElseStatement):
819         (JSC::WASMFunctionParser::parseWhileStatement):
820         (JSC::WASMFunctionParser::parseDoStatement):
821         (JSC::WASMFunctionParser::parseLabelStatement):
822         (JSC::WASMFunctionParser::parseBreakStatement):
823         (JSC::WASMFunctionParser::parseBreakLabelStatement):
824         (JSC::WASMFunctionParser::parseContinueStatement):
825         (JSC::WASMFunctionParser::parseContinueLabelStatement):
826         (JSC::WASMFunctionParser::parseSwitchStatement):
827         * wasm/WASMFunctionParser.h:
828         (JSC::WASMFunctionParser::WASMFunctionParser):
829         * wasm/WASMReader.cpp:
830         (JSC::WASMReader::readCompactInt32):
831         (JSC::WASMReader::readSwitchCase):
832         * wasm/WASMReader.h:
833
834 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
835
836         Debugger's VM should never be null
837         https://bugs.webkit.org/show_bug.cgi?id=148341
838
839         Reviewed by Joseph Pecoraro.
840
841         It doesn't make sense for a Debugger's VM to be null, and code related
842         to maintaining that illusion just caused the Web Inspector to crash on
843         launch (https://bugs.webkit.org/show_bug.cgi?id=148312). So, let's stop
844         doing that.
845
846         Now, Debugger requires its subclass to provide a never-null VM&.
847
848         Also took the opportunity, based on review feedback, to remove some
849         confusion in the virtual recompileAllJSFunctions hierarchy, by eliminating
850         the pure virtual in ScriptDebugServer and the unnecessary override in
851         JSGlobalObjectScriptDebugServer.
852
853         * debugger/Debugger.cpp:
854         (JSC::Debugger::Debugger):
855         (JSC::Debugger::attach):
856         (JSC::Debugger::detach):
857         (JSC::Debugger::isAttached):
858         (JSC::Debugger::setSteppingMode):
859         (JSC::Debugger::registerCodeBlock):
860         (JSC::Debugger::toggleBreakpoint):
861         (JSC::Debugger::recompileAllJSFunctions):
862         (JSC::Debugger::setBreakpoint):
863         (JSC::Debugger::clearBreakpoints):
864         (JSC::Debugger::clearDebuggerRequests):
865         (JSC::Debugger::setBreakpointsActivated):
866         (JSC::Debugger::breakProgram):
867         (JSC::Debugger::stepOutOfFunction):
868         (JSC::Debugger::returnEvent):
869         (JSC::Debugger::didExecuteProgram):
870         * debugger/Debugger.h:
871         * inspector/JSGlobalObjectScriptDebugServer.cpp:
872         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
873         (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions):
874         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
875         * inspector/ScriptDebugServer.cpp:
876         (Inspector::ScriptDebugServer::ScriptDebugServer):
877         * inspector/ScriptDebugServer.h:
878
879 2015-08-21  Basile Clement  <basile_clement@apple.com>
880
881         Remove unused code relative to allocation sinking
882         https://bugs.webkit.org/show_bug.cgi?id=148342
883
884         Reviewed by Mark Lam.
885
886         This removes two things:
887
888          - The DFGPromoteHeapAccess.h file which is a relic of the old sinking
889            phase and is no longer used (it has been subsumed by
890            ObjectAllocationSinking::promoteLocalHeap)
891
892          - Code in the allocation sinking phase for sinking
893            MaterializeCreateActivation and MaterializeNewObject. Handling those
894            is no longer necessary since the phase no longer runs in a fixpoint
895            and thus will never see those nodes, since no other phase creates
896            them.
897
898         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
899         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
900         * JavaScriptCore.xcodeproj/project.pbxproj:
901         * dfg/DFGObjectAllocationSinkingPhase.cpp:
902         * dfg/DFGPromoteHeapAccess.h: Removed.
903
904 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
905
906         Unify code paths for manually deleting all code
907         https://bugs.webkit.org/show_bug.cgi?id=148280
908
909         Reviewed by Saam Barati.
910
911         We used to have three paths for manually deleting all code. Now we have
912         one shared path.
913
914         * debugger/Debugger.cpp:
915         (JSC::Debugger::attach): Notify the debugger of all previous code when
916         it attaches. We used to do this when recompiling, which was only correct
917         by accident.
918
919         (JSC::Debugger::recompileAllJSFunctions): Switch to the shared path.
920
921         * heap/Heap.h:
922         (JSC::Heap::compiledCode):
923
924         * inspector/agents/InspectorRuntimeAgent.cpp:
925         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
926         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
927         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
928         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
929         (Inspector::TypeRecompiler::visit): Deleted.
930         (Inspector::TypeRecompiler::operator()): Deleted.
931         (Inspector::recompileAllJSFunctionsForTypeProfiling): Deleted. Switch
932         to the shared path.
933
934         * runtime/VM.cpp:
935         (JSC::VM::afterVMExit): Added a helper for scheduling an activity after
936         VM exit. We can't delete code while it's on the stack, and we can't
937         delete auxiliary profiling data while profiling code is on the stack,
938         so in those cases, we schedule the deletion for the next time we exit.
939
940         (JSC::VM::deleteAllCode): Use afterVMExit because we might have code
941         on the stack when debugger, profiler, or watchdog state changes.
942
943         * runtime/VM.h:
944
945         * runtime/VMEntryScope.cpp:
946         (JSC::VMEntryScope::VMEntryScope):
947         (JSC::VMEntryScope::addDidPopListener):
948         (JSC::VMEntryScope::~VMEntryScope):
949         (JSC::VMEntryScope::setEntryScopeDidPopListener): Deleted.
950         * runtime/VMEntryScope.h:
951         (JSC::VMEntryScope::globalObject): Removed the uniquing feature from
952         the scope pop listener list because we don't have a client that wants
953         it, and it's not convenient to use correctly since you can't take
954         the address of a member function, a lambda, or an std::function. We can
955         add this feature back if we discover that we want it.
956
957 2015-08-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
958
959         Implement WebAssembly function parser
960         https://bugs.webkit.org/show_bug.cgi?id=147738
961
962         Reviewed by Filip Pizlo.
963
964         Implement WebAssembly function parser for WebAssembly files produced by pack-asmjs
965         <https://github.com/WebAssembly/polyfill-prototype-1>. This patch parses only
966         some instructions on statements and int32 expressions. Parsing of the rest
967         will be implemented in subsequent patches. The instruction lists in WASMConstants.h
968         are slightly modified from
969         <https://github.com/WebAssembly/polyfill-prototype-1/blob/master/src/shared.h>.
970
971         * CMakeLists.txt:
972         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
973         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
974         * JavaScriptCore.xcodeproj/project.pbxproj:
975         * wasm/WASMConstants.h: Added.
976         * wasm/WASMFormat.h:
977         * wasm/WASMFunctionParser.cpp: Added.
978         (JSC::WASMFunctionParser::checkSyntax):
979         (JSC::WASMFunctionParser::parseFunction):
980         (JSC::WASMFunctionParser::parseLocalVariables):
981         (JSC::WASMFunctionParser::parseStatement):
982         (JSC::WASMFunctionParser::parseSetLocalStatement):
983         (JSC::WASMFunctionParser::parseReturnStatement):
984         (JSC::WASMFunctionParser::parseBlockStatement):
985         (JSC::WASMFunctionParser::parseExpression):
986         (JSC::WASMFunctionParser::parseExpressionI32):
987         (JSC::WASMFunctionParser::parseImmediateExpressionI32):
988         * wasm/WASMFunctionParser.h: Added.
989         (JSC::WASMFunctionParser::WASMFunctionParser):
990         * wasm/WASMFunctionSyntaxChecker.h: Renamed from Source/JavaScriptCore/wasm/WASMMagicNumber.h.
991         * wasm/WASMModuleParser.cpp:
992         (JSC::WASMModuleParser::WASMModuleParser):
993         (JSC::WASMModuleParser::parseFunctionDefinitionSection):
994         (JSC::WASMModuleParser::parseFunctionDefinition):
995         * wasm/WASMModuleParser.h:
996         * wasm/WASMReader.cpp:
997         (JSC::WASMReader::readType):
998         (JSC::WASMReader::readExpressionType):
999         (JSC::WASMReader::readExportFormat):
1000         (JSC::WASMReader::readOpStatement):
1001         (JSC::WASMReader::readOpExpressionI32):
1002         (JSC::WASMReader::readVariableTypes):
1003         (JSC::WASMReader::readOp):
1004         * wasm/WASMReader.h:
1005         (JSC::WASMReader::offset):
1006         (JSC::WASMReader::setOffset):
1007
1008 2015-08-21  Filip Pizlo  <fpizlo@apple.com>
1009
1010         DFG::PutStackSinkingPhase doesn't need to emit KillStack nodes
1011         https://bugs.webkit.org/show_bug.cgi?id=148331
1012
1013         Reviewed by Geoffrey Garen.
1014
1015         PutStackSinkingPhase previously emitted a KillStack node when it sank a PutStack. This
1016         isn't necessary because KillStack is only interesting for OSR exit, and PutStack nodes
1017         that are relevant to OSR will already be preceded by a KillStack/MovHint pair.
1018
1019         * dfg/DFGPutStackSinkingPhase.cpp:
1020
1021 2015-08-21  Filip Pizlo  <fpizlo@apple.com>
1022
1023         DFG::NodeOrigin should have a flag determining if exiting is OK right now
1024         https://bugs.webkit.org/show_bug.cgi?id=148323
1025
1026         Reviewed by Saam Barati.
1027
1028         * dfg/DFGByteCodeParser.cpp:
1029         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
1030         (JSC::DFG::ByteCodeParser::branchData):
1031         * dfg/DFGInsertionSet.h:
1032         (JSC::DFG::InsertionSet::insertConstant):
1033         (JSC::DFG::InsertionSet::insertConstantForUse):
1034         (JSC::DFG::InsertionSet::insertBottomConstantForUse):
1035         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1036         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1037         * dfg/DFGLICMPhase.cpp:
1038         (JSC::DFG::LICMPhase::attemptHoist):
1039         * dfg/DFGNodeOrigin.h:
1040         (JSC::DFG::NodeOrigin::NodeOrigin):
1041         (JSC::DFG::NodeOrigin::isSet):
1042         (JSC::DFG::NodeOrigin::withSemantic):
1043         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1044
1045 2015-08-21  Saam barati  <sbarati@apple.com>
1046
1047         DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks
1048         https://bugs.webkit.org/show_bug.cgi?id=147988
1049
1050         Reviewed by Geoffrey Garen.
1051
1052         This is in preparation for the DFG being able to handle exceptions.
1053         To do this, we need more control over when we emit exception checks.
1054         Specifically, we want to be able to silentFill before emitting an exception check.
1055         This patch does that. This patch also allows us to easily see which
1056         operations do and do not emit exception checks. Finding this information
1057         out before was a pain.
1058
1059         * assembler/AbortReason.h:
1060         * dfg/DFGArrayifySlowPathGenerator.h:
1061         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1062         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1063         * dfg/DFGJITCompiler.h:
1064         (JSC::DFG::JITCompiler::appendCall):
1065         (JSC::DFG::JITCompiler::exceptionCheck):
1066         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1067         * dfg/DFGSlowPathGenerator.h:
1068         (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
1069         (JSC::DFG::CallSlowPathGenerator::tearDown):
1070         (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::CallResultAndNoArgumentsSlowPathGenerator):
1071         (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::CallResultAndOneArgumentSlowPathGenerator):
1072         (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::CallResultAndTwoArgumentsSlowPathGenerator):
1073         (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::CallResultAndThreeArgumentsSlowPathGenerator):
1074         (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::CallResultAndFourArgumentsSlowPathGenerator):
1075         (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::CallResultAndFiveArgumentsSlowPathGenerator):
1076         (JSC::DFG::slowPathCall):
1077         * dfg/DFGSpeculativeJIT.cpp:
1078         (JSC::DFG::SpeculativeJIT::compileIn):
1079         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1080         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1081         (JSC::DFG::SpeculativeJIT::compileArithRound):
1082         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1083         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1084         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1085         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1086         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
1087         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1088         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1089         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1090         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
1091         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1092         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1093         * dfg/DFGSpeculativeJIT.h:
1094         (JSC::DFG::SpeculativeJIT::callOperation):
1095         (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
1096         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
1097         (JSC::DFG::SpeculativeJIT::appendCall):
1098         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1099         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1100         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1101         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck): Deleted.
1102         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult): Deleted.
1103         * dfg/DFGSpeculativeJIT32_64.cpp:
1104         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1105         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
1106         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1107         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1108         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1109         (JSC::DFG::SpeculativeJIT::emitCall):
1110         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1111         (JSC::DFG::SpeculativeJIT::compile):
1112         * dfg/DFGSpeculativeJIT64.cpp:
1113         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1114         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
1115         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1116         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1117         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1118         (JSC::DFG::SpeculativeJIT::emitCall):
1119         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1120         (JSC::DFG::SpeculativeJIT::compile):
1121         * ftl/FTLIntrinsicRepository.h:
1122         * ftl/FTLLowerDFGToLLVM.cpp:
1123         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1124         * jit/AssemblyHelpers.cpp:
1125         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1126         (JSC::AssemblyHelpers::jitAssertNoException):
1127         (JSC::AssemblyHelpers::callExceptionFuzz):
1128         (JSC::AssemblyHelpers::emitExceptionCheck):
1129         * jit/AssemblyHelpers.h:
1130         (JSC::AssemblyHelpers::jitAssertIsInt32):
1131         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1132         (JSC::AssemblyHelpers::jitAssertIsNull):
1133         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1134         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1135         (JSC::AssemblyHelpers::jitAssertNoException):
1136         * jit/JITOperations.cpp:
1137         * jit/JITOperations.h:
1138         * runtime/VM.h:
1139         (JSC::VM::scratchBufferForSize):
1140         (JSC::VM::exceptionFuzzingBuffer):
1141
1142 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1143
1144         REGRESSION (r188714): RELEASE_ASSERT in JSC::Heap::incrementDeferralDepth() opening Web Inspector on daringfireball.net
1145         https://bugs.webkit.org/show_bug.cgi?id=148312
1146
1147         Reviewed by Mark Lam.
1148
1149         * debugger/Debugger.cpp:
1150         (JSC::Debugger::recompileAllJSFunctions): Use our vm argument instead of
1151         m_vm because sometimes they are different and m_vm is null. (This behavior
1152         is very strange, and we should probably eliminate it -- but we need a
1153         fix for this serious regression right now.)
1154
1155 2015-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1156
1157         [ES6] prototyping module loader in JSC shell
1158         https://bugs.webkit.org/show_bug.cgi?id=147876
1159
1160         Reviewed by Saam Barati.
1161
1162         This patch implements ES6 Module Loader part. The implementation is based on
1163         the latest draft[1, 2]. The naive implementation poses several problems.
1164         This patch attempts to solve the spec issues and proposes the fix[3, 4, 5].
1165
1166         We construct the JSC internal module loader based on the ES6 Promises.
1167         The chain of the promises represents the dependency graph of the modules and
1168         it automatically enables asynchronous module fetching.
1169         To leverage the Promises internally, we use the InternalPromise landed in r188681.
1170
1171         The loader has several platform-dependent hooks. The platform can implement
1172         these hooks to provide the functionality missing in the module loaders, like
1173         "how to fetch the resources". The method table of the JSGlobalObject is extended
1174         to accept these hooks from the platform.
1175
1176         This patch focuses on the loading part. So we don't create the module environment
1177         and don't link the modules yet.
1178
1179         To test the current module progress easily, we add the `-m` option to the JSC shell.
1180         When this option is specified, we load the given script as the module. And to use
1181         the module loading inside the JSC shell, we added the simple loader hook for fetching.
1182         It fetches the module content from the file system.
1183
1184         And to use the ES6 Map in the Loader implementation, we added @get and @set methods to the Map.
1185         But it conflicts with the existing `getPrivateName` method. Rename it to `lookUpPrivateName`.
1186
1187         [1]: https://whatwg.github.io/loader/
1188         [2]: https://github.com/whatwg/loader/commit/214c7a6625b445bdf411c39984f36f01139a24be
1189         [3]: https://github.com/whatwg/loader/pull/66
1190         [4]: https://github.com/whatwg/loader/pull/67
1191         [5]: https://github.com/whatwg/loader/issues/68
1192         [6]: https://bugs.webkit.org/show_bug.cgi?id=148136
1193
1194         * CMakeLists.txt:
1195         * DerivedSources.make:
1196         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1197         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1198         * JavaScriptCore.xcodeproj/project.pbxproj:
1199         * builtins/BuiltinNames.h:
1200         (JSC::BuiltinNames::lookUpPrivateName):
1201         (JSC::BuiltinNames::lookUpPublicName):
1202         (JSC::BuiltinNames::getPrivateName): Deleted.
1203         (JSC::BuiltinNames::getPublicName): Deleted.
1204         * builtins/ModuleLoaderObject.js: Added.
1205         (setStateToMax):
1206         (newRegistryEntry):
1207         (forceFulfillPromise):
1208         (fulfillFetch):
1209         (fulfillTranslate):
1210         (fulfillInstantiate):
1211         (instantiation):
1212         (requestFetch):
1213         (requestTranslate):
1214         (requestInstantiate):
1215         (requestResolveDependencies.resolveDependenciesPromise.this.requestInstantiate.then.):
1216         (requestResolveDependencies.resolveDependenciesPromise.this.requestInstantiate.then):
1217         (requestResolveDependencies):
1218         (requestInstantiateAll):
1219         (provide):
1220         * jsc.cpp:
1221         (stringFromUTF):
1222         (jscSource):
1223         (GlobalObject::moduleLoaderFetch):
1224         (functionCheckModuleSyntax):
1225         (dumpException):
1226         (runWithScripts):
1227         (printUsageStatement):
1228         (CommandLine::parseArguments):
1229         (jscmain):
1230         (CommandLine::CommandLine): Deleted.
1231         * parser/Lexer.cpp:
1232         (JSC::Lexer<LChar>::parseIdentifier):
1233         (JSC::Lexer<UChar>::parseIdentifier):
1234         * parser/ModuleAnalyzer.cpp:
1235         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1236         (JSC::ModuleAnalyzer::exportVariable):
1237         (JSC::ModuleAnalyzer::analyze):
1238         * parser/ModuleAnalyzer.h:
1239         (JSC::ModuleAnalyzer::moduleRecord):
1240         * parser/ModuleRecord.cpp:
1241         (JSC::printableName): Deleted.
1242         (JSC::ModuleRecord::dump): Deleted.
1243         * parser/ModuleRecord.h:
1244         (JSC::ModuleRecord::ImportEntry::isNamespace): Deleted.
1245         (JSC::ModuleRecord::create): Deleted.
1246         (JSC::ModuleRecord::appendRequestedModule): Deleted.
1247         (JSC::ModuleRecord::addImportEntry): Deleted.
1248         (JSC::ModuleRecord::addExportEntry): Deleted.
1249         (JSC::ModuleRecord::addStarExportEntry): Deleted.
1250         * parser/Nodes.h:
1251         * parser/NodesAnalyzeModule.cpp:
1252         (JSC::ImportDeclarationNode::analyzeModule):
1253         (JSC::ExportAllDeclarationNode::analyzeModule):
1254         (JSC::ExportNamedDeclarationNode::analyzeModule):
1255         * runtime/CommonIdentifiers.cpp:
1256         (JSC::CommonIdentifiers::lookUpPrivateName):
1257         (JSC::CommonIdentifiers::lookUpPublicName):
1258         (JSC::CommonIdentifiers::getPrivateName): Deleted.
1259         (JSC::CommonIdentifiers::getPublicName): Deleted.
1260         * runtime/CommonIdentifiers.h:
1261         * runtime/Completion.cpp:
1262         (JSC::checkModuleSyntax):
1263         (JSC::evaluateModule):
1264         * runtime/Completion.h:
1265         * runtime/ExceptionHelpers.cpp:
1266         (JSC::createUndefinedVariableError):
1267         * runtime/Identifier.h:
1268         * runtime/JSGlobalObject.cpp:
1269         (JSC::JSGlobalObject::init):
1270         (JSC::JSGlobalObject::visitChildren):
1271         * runtime/JSGlobalObject.h:
1272         (JSC::JSGlobalObject::moduleLoader):
1273         (JSC::JSGlobalObject::moduleRecordStructure):
1274         * runtime/JSModuleRecord.cpp: Renamed from Source/JavaScriptCore/parser/ModuleRecord.cpp.
1275         (JSC::JSModuleRecord::destroy):
1276         (JSC::JSModuleRecord::finishCreation):
1277         (JSC::printableName):
1278         (JSC::JSModuleRecord::dump):
1279         * runtime/JSModuleRecord.h: Renamed from Source/JavaScriptCore/parser/ModuleRecord.h.
1280         (JSC::JSModuleRecord::ImportEntry::isNamespace):
1281         (JSC::JSModuleRecord::createStructure):
1282         (JSC::JSModuleRecord::create):
1283         (JSC::JSModuleRecord::requestedModules):
1284         (JSC::JSModuleRecord::JSModuleRecord):
1285         (JSC::JSModuleRecord::appendRequestedModule):
1286         (JSC::JSModuleRecord::addImportEntry):
1287         (JSC::JSModuleRecord::addExportEntry):
1288         (JSC::JSModuleRecord::addStarExportEntry):
1289         * runtime/MapPrototype.cpp:
1290         (JSC::MapPrototype::finishCreation):
1291         * runtime/ModuleLoaderObject.cpp: Added.
1292         (JSC::ModuleLoaderObject::ModuleLoaderObject):
1293         (JSC::ModuleLoaderObject::finishCreation):
1294         (JSC::ModuleLoaderObject::getOwnPropertySlot):
1295         (JSC::printableModuleKey):
1296         (JSC::ModuleLoaderObject::provide):
1297         (JSC::ModuleLoaderObject::requestInstantiateAll):
1298         (JSC::ModuleLoaderObject::resolve):
1299         (JSC::ModuleLoaderObject::fetch):
1300         (JSC::ModuleLoaderObject::translate):
1301         (JSC::ModuleLoaderObject::instantiate):
1302         (JSC::moduleLoaderObjectParseModule):
1303         (JSC::moduleLoaderObjectRequestedModules):
1304         (JSC::moduleLoaderObjectResolve):
1305         (JSC::moduleLoaderObjectFetch):
1306         (JSC::moduleLoaderObjectTranslate):
1307         (JSC::moduleLoaderObjectInstantiate):
1308         * runtime/ModuleLoaderObject.h: Added.
1309         (JSC::ModuleLoaderObject::create):
1310         (JSC::ModuleLoaderObject::createStructure):
1311         * runtime/Options.h:
1312
1313 2015-08-20  Filip Pizlo  <fpizlo@apple.com>
1314
1315         DFG should have a KnownBooleanUse for cases where we are required to know that the child is a boolean and it's not OK to speculate
1316         https://bugs.webkit.org/show_bug.cgi?id=148286
1317
1318         Reviewed by Benjamin Poulain.
1319
1320         This enables us to ensure that the Branch or LogicalNot after an effectful CompareXYZ can
1321         be marked as !mayExit(). I need that for https://bugs.webkit.org/show_bug.cgi?id=145204.
1322
1323         * dfg/DFGFixupPhase.cpp:
1324         (JSC::DFG::FixupPhase::fixupNode):
1325         (JSC::DFG::FixupPhase::observeUseKindOnNode):
1326         * dfg/DFGSafeToExecute.h:
1327         (JSC::DFG::SafeToExecuteEdge::operator()):
1328         * dfg/DFGSpeculativeJIT.cpp:
1329         (JSC::DFG::SpeculativeJIT::speculate):
1330         * dfg/DFGSpeculativeJIT.h:
1331         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
1332         * dfg/DFGSpeculativeJIT32_64.cpp:
1333         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1334         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1335         (JSC::DFG::SpeculativeJIT::emitBranch):
1336         * dfg/DFGSpeculativeJIT64.cpp:
1337         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1338         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1339         (JSC::DFG::SpeculativeJIT::emitBranch):
1340         * dfg/DFGUseKind.cpp:
1341         (WTF::printInternal):
1342         * dfg/DFGUseKind.h:
1343         (JSC::DFG::typeFilterFor):
1344         (JSC::DFG::shouldNotHaveTypeCheck):
1345         * ftl/FTLCapabilities.cpp:
1346         (JSC::FTL::canCompile):
1347         * ftl/FTLLowerDFGToLLVM.cpp:
1348         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1349         (JSC::FTL::DFG::LowerDFGToLLVM::lowBoolean):
1350
1351 2015-08-20  Filip Pizlo  <fpizlo@apple.com>
1352
1353         Overflow check elimination fails for a simple test case
1354         https://bugs.webkit.org/show_bug.cgi?id=147387
1355
1356         Reviewed by Benjamin Poulain.
1357
1358         Overflow check elimination was having issues when things got constant-folded, because whereas an
1359         Add or LessThan operation teaches us about relationships between the things being added or
1360         compared, we don't do that when we see a JSConstant. We don't create a relationship between every
1361         JSConstant and every other JSConstant. So, if we constant-fold an Add, we forget the relationships
1362         that it would have had with its inputs.
1363
1364         One solution would be to have every JSConstant create a relationship with every other JSConstant.
1365         This is dangerous, since it would create O(n^2) explosion of relationships.
1366
1367         Instead, this patch teaches filtration and merging how to behave "as if" there were inter-constant
1368         relationships. Normally those operations only work on two relationships involving the same node
1369         pair. But now, if we have @x op @c and @x op @d, where @c and @d are different nodes but both are
1370         constants, we will do merging or filtering by grokking the constant values.
1371
1372         This speeds up lots of tests in JSRegress, because it enables overflow check elimination on things
1373         like:
1374
1375         for (var i = 0; i < 100; ++i)
1376
1377         Previously, the fact that this was all constants would throw off the analysis because the analysis
1378         wouldn't "know" that 0 < 100.
1379
1380         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1381
1382 2015-08-20  Geoffrey Garen  <ggaren@apple.com>
1383
1384         forEachCodeBlock should wait for all CodeBlocks automatically
1385         https://bugs.webkit.org/show_bug.cgi?id=148255
1386
1387         Add back a line of code I deleted by accident in my last patch due to
1388         incorrect merge.
1389
1390         Unreviewed.
1391
1392         * runtime/VM.cpp:
1393         (JSC::VM::deleteAllCode):
1394
1395 2015-08-20  Geoffrey Garen  <ggaren@apple.com>
1396
1397         forEachCodeBlock should wait for all CodeBlocks automatically
1398         https://bugs.webkit.org/show_bug.cgi?id=148255
1399
1400         Reviewed by Saam Barati.
1401
1402         Previously, all clients needed to wait manually before calling
1403         forEachCodeBlock. That's easy to get wrong, and at least one place
1404         got it wrong. Let's do this automatically instead.
1405
1406         * debugger/Debugger.cpp:
1407         (JSC::Debugger::Debugger):
1408         (JSC::Debugger::setSteppingMode):
1409         (JSC::Debugger::toggleBreakpoint): No need to wait manually;
1410         forEachCodeBlock will do it automatically now.
1411
1412         (JSC::Debugger::recompileAllJSFunctions): We still need to wait manually
1413         here because this is an iteration of the heap, which does not wait
1414         automatically. Use the new helper function for waiting.
1415
1416         (JSC::Debugger::clearBreakpoints):
1417         (JSC::Debugger::clearDebuggerRequests):
1418         (JSC::Debugger::setBreakpointsActivated):
1419         (JSC::Debugger::forEachCodeBlock): Deleted. No need to wait manually.
1420
1421         * debugger/Debugger.h:
1422
1423         * dfg/DFGWorklist.cpp:
1424         (JSC::DFG::completeAllPlansForVM):
1425         * dfg/DFGWorklist.h:
1426         (JSC::DFG::completeAllPlansForVM): Added a helper function that replaces
1427         vm.prepareToDeleteCode. This new function is clearer because we need
1428         to call it sometimes even if we are not going to delete code.
1429
1430         * heap/HeapInlines.h:
1431         (JSC::Heap::forEachCodeBlock): Moved.
1432
1433         * inspector/agents/InspectorRuntimeAgent.cpp:
1434         (Inspector::recompileAllJSFunctionsForTypeProfiling): Use the new helper
1435         function.
1436
1437         * runtime/JSCInlines.h:
1438         (JSC::Heap::forEachCodeBlock): Do the waiting automatically.
1439
1440         * runtime/VM.cpp:
1441         (JSC::VM::stopSampling):
1442         (JSC::VM::deleteAllCode):
1443         (JSC::VM::setEnabledProfiler):
1444         (JSC::VM::prepareToDeleteCode): Deleted.
1445         * runtime/VM.h: No need to wait manually.
1446
1447 2015-08-20  Commit Queue  <commit-queue@webkit.org>
1448
1449         Unreviewed, rolling out r188675.
1450         https://bugs.webkit.org/show_bug.cgi?id=148244
1451
1452         "caused a 17% Mac PLT regression" (Requested by ggaren on
1453         #webkit).
1454
1455         Reverted changeset:
1456
1457         "clearCode() should clear code"
1458         https://bugs.webkit.org/show_bug.cgi?id=148203
1459         http://trac.webkit.org/changeset/188675
1460
1461 2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1462
1463         Introduce put_by_id like IC into put_by_val when the given name is String or Symbol
1464         https://bugs.webkit.org/show_bug.cgi?id=147760
1465
1466         Reviewed by Filip Pizlo.
1467
1468         This patch adds a put_by_id IC to put_by_val by caching the one candidate id;
1469         it is the same thing as the get_by_val IC extension.
1470         It will encourage the use of ES6 Symbols and ES6 computed properties in object literals.
1471
1472         In this patch, we leverage the existing CheckIdent and PutById / PutByVal in DFG,
1473         so this patch does not change FTL because the above operations are already supported in FTL.
1474
1475         And this patch also includes refactoring to leverage byValInfo->slowPathCount in the cached Id path.
1476
1477         Performance results report there's no regression in the existing tests. And in the synthetic
1478         benchmarks created by modifying put-by-id to put-by-val, we can see significant performance
1479         improvements up to 13.9x.
1480
1481         * bytecode/PutByIdStatus.cpp:
1482         (JSC::PutByIdStatus::computeForStubInfo):
1483         * bytecode/PutByIdStatus.h:
1484         * dfg/DFGByteCodeParser.cpp:
1485         (JSC::DFG::ByteCodeParser::parseBlock):
1486         * jit/JIT.h:
1487         (JSC::JIT::compilePutByValWithCachedId):
1488         * jit/JITOperations.cpp:
1489         (JSC::getByVal):
1490         (JSC::tryGetByValOptimize):
1491         * jit/JITOperations.h:
1492         * jit/JITPropertyAccess.cpp:
1493         (JSC::JIT::emitGetByValWithCachedId):
1494         (JSC::JIT::emit_op_put_by_val):
1495         (JSC::JIT::emitPutByValWithCachedId):
1496         (JSC::JIT::emitSlow_op_put_by_val):
1497         (JSC::JIT::emitIdentifierCheck):
1498         (JSC::JIT::privateCompilePutByValWithCachedId):
1499         * jit/JITPropertyAccess32_64.cpp:
1500         (JSC::JIT::emitGetByValWithCachedId):
1501         (JSC::JIT::emit_op_put_by_val):
1502         (JSC::JIT::emitPutByValWithCachedId):
1503         (JSC::JIT::emitSlow_op_put_by_val):
1504         * tests/stress/put-by-val-with-string-break.js: Added.
1505         (shouldBe):
1506         (assign):
1507         * tests/stress/put-by-val-with-string-generated.js: Added.
1508         (shouldBe):
1509         (gen1):
1510         (gen2):
1511         (assign):
1512         * tests/stress/put-by-val-with-string-generic.js: Added.
1513         (shouldBe):
1514         (assign):
1515         * tests/stress/put-by-val-with-symbol-break.js: Added.
1516         (shouldBe):
1517         (assign):
1518         * tests/stress/put-by-val-with-symbol-generic.js: Added.
1519         (shouldBe):
1520         (assign):
1521
1522 2015-08-20  Alex Christensen  <achristensen@webkit.org>
1523
1524         Clean up CMake build after r188673
1525         https://bugs.webkit.org/show_bug.cgi?id=148234
1526
1527         Reviewed by Tim Horton.
1528
1529         * shell/PlatformWin.cmake:
1530         Define WIN_CAIRO so the WinCairo jsc.exe can find the correct dlls.
1531
1532 2015-08-20  Mark Lam  <mark.lam@apple.com>
1533
1534         A watchdog test is failing on Windows.
1535         https://bugs.webkit.org/show_bug.cgi?id=148228
1536
1537         Reviewed by Brent Fulgham.
1538
1539         The test just needed a little more time because Windows' timer resolution is low.
1540         After increasing the test deadlines, the test started passing.
1541
1542         * API/tests/ExecutionTimeLimitTest.cpp:
1543         (testExecutionTimeLimit):
1544
1545 2015-08-20  Mark Lam  <mark.lam@apple.com>
1546
1547         Fixed some warnings on Windows.
1548         https://bugs.webkit.org/show_bug.cgi?id=148224
1549
1550         Reviewed by Brent Fulgham.
1551
1552         The Windows build was complaining that function params were hiding a global variable.
1553         Since the function params were unused, I resolved this by removing the param names.
1554
1555         * API/tests/ExecutionTimeLimitTest.cpp:
1556         (currentCPUTimeAsJSFunctionCallback):
1557         (shouldTerminateCallback):
1558         (cancelTerminateCallback):
1559         (extendTerminateCallback):
1560
1561 2015-08-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1562
1563         Add InternalPromise to use Promises safely in the internals
1564         https://bugs.webkit.org/show_bug.cgi?id=148136
1565
1566         Reviewed by Saam Barati.
1567
1568         This patch implements InternalPromise.
1569         It is a completely different instance set (constructor, prototype, instance),
1570         but it has the same features as the Promise.
1571
1572         In the Promise operations, when resolving the promise with the returned promise
1573         from the fulfill handler, we need to look up "then" method.
1574
1575         e.g.
1576             var p3 = p1.then(function handler(...) {
1577                 return p2;
1578             });
1579
1580         When handler is executed, we retrieve the returned `p2` promise. And to resolve
1581         the returned promise by "then" method (that is `p3`), we construct the chain by executing
1582         `p2.then(resolving function for p3)`. So if the user modifies the Promise.prototype.then,
1583         we can observe the internal operations.
1584
1585         By using InternalPromise, we completely hide InternalPromise.prototype from the users.
1586         It allows JSC to use Promises internally; even if the user modifies / overrides
1587         the Promise.prototype.then function, it does not affect InternalPromise.
1588
1589         One limitation is that the implementation needs to take care not to leak the InternalPromise instance
1590         to the user space.
1591
1592         * CMakeLists.txt:
1593         * DerivedSources.make:
1594         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1595         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1596         * JavaScriptCore.xcodeproj/project.pbxproj:
1597         * builtins/InternalPromiseConstructor.js: Added.
1598         (internalAll.newResolveElement):
1599         (internalAll):
1600         * builtins/Operations.Promise.js:
1601         (newPromiseDeferred): Deleted.
1602         * builtins/PromiseConstructor.js:
1603         (privateAll.newResolveElement): Deleted.
1604         (privateAll): Deleted.
1605         * runtime/CommonIdentifiers.h:
1606         * runtime/JSGlobalObject.cpp:
1607         (JSC::JSGlobalObject::init):
1608         (JSC::JSGlobalObject::visitChildren):
1609         * runtime/JSGlobalObject.h:
1610         (JSC::JSGlobalObject::promiseConstructor):
1611         (JSC::JSGlobalObject::internalPromiseConstructor):
1612         (JSC::JSGlobalObject::newPromiseCapabilityFunction):
1613         (JSC::JSGlobalObject::newPromiseDeferredFunction): Deleted.
1614         * runtime/JSInternalPromise.cpp: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.h.
1615         (JSC::JSInternalPromise::create):
1616         (JSC::JSInternalPromise::createStructure):
1617         (JSC::JSInternalPromise::JSInternalPromise):
1618         * runtime/JSInternalPromise.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
1619         * runtime/JSInternalPromiseConstructor.cpp: Added.
1620         (JSC::JSInternalPromiseConstructor::create):
1621         (JSC::JSInternalPromiseConstructor::createStructure):
1622         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
1623         (JSC::constructPromise):
1624         (JSC::JSInternalPromiseConstructor::getConstructData):
1625         (JSC::JSInternalPromiseConstructor::getCallData):
1626         (JSC::JSInternalPromiseConstructor::getOwnPropertySlot):
1627         * runtime/JSInternalPromiseConstructor.h: Copied from Source/JavaScriptCore/runtime/JSPromiseConstructor.h.
1628         * runtime/JSInternalPromiseDeferred.cpp: Added.
1629         (JSC::JSInternalPromiseDeferred::create):
1630         (JSC::JSInternalPromiseDeferred::JSInternalPromiseDeferred):
1631         (JSC::JSInternalPromiseDeferred::promise):
1632         * runtime/JSInternalPromiseDeferred.h: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.h.
1633         * runtime/JSInternalPromisePrototype.cpp: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.cpp.
1634         (JSC::JSInternalPromisePrototype::create):
1635         (JSC::JSInternalPromisePrototype::createStructure):
1636         (JSC::JSInternalPromisePrototype::JSInternalPromisePrototype):
1637         * runtime/JSInternalPromisePrototype.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
1638         * runtime/JSPromise.cpp:
1639         (JSC::JSPromise::create):
1640         (JSC::JSPromise::JSPromise):
1641         (JSC::JSPromise::initialize):
1642         * runtime/JSPromise.h:
1643         * runtime/JSPromiseConstructor.cpp:
1644         (JSC::JSPromiseConstructor::JSPromiseConstructor):
1645         (JSC::constructPromise):
1646         (JSC::JSPromiseConstructor::getOwnPropertySlot):
1647         (JSC::JSPromiseConstructor::finishCreation): Deleted.
1648         * runtime/JSPromiseConstructor.h:
1649         * runtime/JSPromiseDeferred.cpp:
1650         (JSC::newPromiseCapability):
1651         (JSC::JSPromiseDeferred::create):
1652         (JSC::JSPromiseDeferred::JSPromiseDeferred):
1653         * runtime/JSPromiseDeferred.h:
1654         * runtime/JSPromisePrototype.cpp:
1655         (JSC::JSPromisePrototype::getOwnPropertySlot):
1656         * runtime/JSPromisePrototype.h:
1657         * runtime/VM.cpp:
1658         (JSC::VM::VM):
1659         * runtime/VM.h:
1660
1661 2015-08-19  Filip Pizlo  <fpizlo@apple.com>
1662
1663         Remove WTF::SpinLock
1664         https://bugs.webkit.org/show_bug.cgi?id=148208
1665
1666         Reviewed by Geoffrey Garen.
1667
1668         Remove the one remaining use of SpinLock.
1669
1670         * API/JSValue.mm:
1671         (handerForStructTag):
1672
1673 2015-08-19  Geoffrey Garen  <ggaren@apple.com>
1674
1675         clearCode() should clear code
1676         https://bugs.webkit.org/show_bug.cgi?id=148203
1677
1678         Reviewed by Saam Barati.
1679
1680         Clearing code used to require two steps: clearCode() and
1681         clearUnlinkedCodeForRecompilation(). Unsurprisingly, clients sometimes
1682         did one or the other or both without much rhyme or reason.
1683
1684         This patch simplifies things by merging both functions into clearCode().
1685
1686         * bytecode/UnlinkedFunctionExecutable.h:
1687         * debugger/Debugger.cpp:
1688         * heap/Heap.cpp:
1689         (JSC::Heap::deleteAllCompiledCode):
1690         (JSC::Heap::clearUnmarkedExecutables):
1691         (JSC::Heap::deleteAllUnlinkedFunctionCode): Deleted. No need for this
1692         function anymore since it was only used by clients who already called
1693         clearCode() (and it would be terribly wrong to use without doing both.)
1694
1695         * heap/Heap.h:
1696         (JSC::Heap::sizeAfterLastFullCollection):
1697         * inspector/agents/InspectorRuntimeAgent.cpp:
1698         (Inspector::TypeRecompiler::visit):
1699         (Inspector::TypeRecompiler::operator()):
1700         * runtime/Executable.cpp:
1701         (JSC::FunctionExecutable::visitChildren):
1702         (JSC::FunctionExecutable::clearCode):
1703         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): Deleted.
1704         * runtime/Executable.h:
1705         * runtime/VM.cpp:
1706         (JSC::VM::deleteAllCode):
1707
1708 2015-08-19  Alex Christensen  <achristensen@webkit.org>
1709
1710         CMake Windows build should not include files directly from other Source directories
1711         https://bugs.webkit.org/show_bug.cgi?id=148198
1712
1713         Reviewed by Brent Fulgham.
1714
1715         * CMakeLists.txt:
1716         JavaScriptCore_FORWARDING_HEADERS_FILES is no longer necessary because all the headers
1717         that used to be in it are now in JavaScriptCore_FORWARDING_HEADERS_DIRECTORIES
1718         * PlatformEfl.cmake:
1719         * PlatformGTK.cmake:
1720         * PlatformMac.cmake:
1721         * PlatformWin.cmake:
1722
1723 2015-08-19  Eric Carlson  <eric.carlson@apple.com>
1724
1725         Remove ENABLE_WEBVTT_REGIONS
1726         https://bugs.webkit.org/show_bug.cgi?id=148184
1727
1728         Reviewed by Jer Noble.
1729
1730         * Configurations/FeatureDefines.xcconfig: Remove ENABLE_WEBVTT_REGIONS.
1731
1732 2015-08-19  Joseph Pecoraro  <pecoraro@apple.com>
1733
1734         Web Inspector: Unexpected node preview format for an element with newlines in className attribute
1735         https://bugs.webkit.org/show_bug.cgi?id=148192
1736
1737         Reviewed by Brian Burg.
1738
1739         * inspector/InjectedScriptSource.js:
1740         (InjectedScript.prototype._nodePreview):
1741         Replace whitespace blocks with single spaces to produce a simpler class string for previews.
1742
1743 2015-08-19  Mark Lam  <mark.lam@apple.com>
1744
1745         Add support for CheckWatchdogTimer as slow path in DFG and FTL.
1746         https://bugs.webkit.org/show_bug.cgi?id=147968
1747
1748         Reviewed by Michael Saboff.
1749
1750         Re-implement the DFG's CheckWatchdogTimer as a slow path instead of a speculation
1751         check.  Since the watchdog timer can fire spuriously, this allows the code to
1752         stay optimized if all we have are spurious fires.
1753
1754         Implement the equivalent slow path for CheckWatchdogTimer in the FTL. 
1755
1756         The watchdog tests in ExecutionTimeLimitTest.cpp have already been updated in
1757         https://bugs.webkit.org/show_bug.cgi?id=148125 to test for the FTL's watchdog
1758         implementation.
1759
1760         * dfg/DFGSpeculativeJIT32_64.cpp:
1761         (JSC::DFG::SpeculativeJIT::compile):
1762         * dfg/DFGSpeculativeJIT64.cpp:
1763         (JSC::DFG::SpeculativeJIT::compile):
1764         * ftl/FTLCapabilities.cpp:
1765         (JSC::FTL::canCompile):
1766         * ftl/FTLLowerDFGToLLVM.cpp:
1767         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1768         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
1769         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
1770         (JSC::FTL::DFG::LowerDFGToLLVM::isInlinableSize):
1771
1772         * jit/JIT.h:
1773         * jit/JITInlines.h:
1774         (JSC::JIT::callOperation):
1775         * jit/JITOperations.cpp:
1776         * jit/JITOperations.h:
1777         - Changed operationHandleWatchdogTimer() to return an unused nullptr.  This
1778           allows me to reuse the existing DFG slow path generator mechanism.  I didn't
1779           think that operationHandleWatchdogTimer() was worth introducing a whole new set
1780           of machinery just so we can have a slow path that returns void.
1781
1782 2015-08-19  Mark Lam  <mark.lam@apple.com>
1783
1784         Add ability to save and restore JSC options.
1785         https://bugs.webkit.org/show_bug.cgi?id=148125
1786
1787         Reviewed by Saam Barati.
1788
1789         * API/tests/ExecutionTimeLimitTest.cpp:
1790         (testExecutionTimeLimit):
1791         - Employ the new options getter/setter to run watchdog tests for each of the
1792           execution engine tiers.
1793         - Also altered the test scripts to be in a function instead of global code.
1794           This is one of 2 changes needed to give them an opportunity to be FTL compiled.
1795           The other is to add support for compiling CheckWatchdogTimer in the FTL (which
1796           will be addressed in a separate patch).
1797
1798         * jsc.cpp:
1799         (CommandLine::parseArguments):
1800         * runtime/Options.cpp:
1801         (JSC::parse):
1802         - Add the ability to clear a string option with a nullptr value.
1803           This is needed to restore a default string option value which may be null.
1804
1805         (JSC::OptionRange::init):
1806         - Add the ability to clear a range option with a null value.
1807           This is needed to restore a default range option value which may be null.
1808
1809         (JSC::Options::initialize):
1810         (JSC::Options::dumpOptionsIfNeeded):
1811         - Factor code to dump options out to dumpOptionsIfNeeded() since we will need
1812           that logic elsewhere.
1813
1814         (JSC::Options::setOptions):
1815         - Parse an options string and set each of the specified options.
1816
1817         (JSC::Options::dumpAllOptions):
1818         (JSC::Options::dumpAllOptionsInALine):
1819         (JSC::Options::dumpOption):
1820         (JSC::Option::dump):
1821         - Refactored so that the underlying dumper dumps to a StringBuilder instead of
1822           stderr.  This lets us reuse this code to serialize all the options into a
1823           single string for dumpAllOptionsInALine().
1824
1825         * runtime/Options.h:
1826         (JSC::OptionRange::rangeString):
1827
1828 2015-08-18  Filip Pizlo  <fpizlo@apple.com>
1829
1830         Replace all uses of std::mutex/std::condition_variable with WTF::Lock/WTF::Condition
1831         https://bugs.webkit.org/show_bug.cgi?id=148140
1832
1833         Reviewed by Geoffrey Garen.
1834
1835         * inspector/remote/RemoteInspector.h:
1836         * inspector/remote/RemoteInspector.mm:
1837         (Inspector::RemoteInspector::registerDebuggable):
1838         (Inspector::RemoteInspector::unregisterDebuggable):
1839         (Inspector::RemoteInspector::updateDebuggable):
1840         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1841         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
1842         (Inspector::RemoteInspector::setupFailed):
1843         (Inspector::RemoteInspector::setupCompleted):
1844         (Inspector::RemoteInspector::start):
1845         (Inspector::RemoteInspector::stop):
1846         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1847         (Inspector::RemoteInspector::setParentProcessInformation):
1848         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1849         (Inspector::RemoteInspector::xpcConnectionFailed):
1850         (Inspector::RemoteInspector::pushListingSoon):
1851         (Inspector::RemoteInspector::receivedIndicateMessage):
1852         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
1853         * inspector/remote/RemoteInspectorXPCConnection.h:
1854         * inspector/remote/RemoteInspectorXPCConnection.mm:
1855         (Inspector::RemoteInspectorXPCConnection::close):
1856         (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
1857         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
1858         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1859
1860 2015-08-18  Joseph Pecoraro  <pecoraro@apple.com>
1861
1862         Web Inspector: Links for rules in <style> are incorrect, do not account for <style> offset in the document
1863         https://bugs.webkit.org/show_bug.cgi?id=148141
1864
1865         Reviewed by Brian Burg.
1866
1867         * inspector/protocol/CSS.json:
1868         Extend StyleSheetHeader to include start offset information and a bit
1869         for whether or not this was an inline style tag created by the parser.
1870         These match additions to Blink's protocol.
1871
1872 2015-08-18  Benjamin Poulain  <bpoulain@apple.com>
1873
1874         [JSC] Optimize more cases of something-compared-to-null/undefined
1875         https://bugs.webkit.org/show_bug.cgi?id=148157
1876
1877         Reviewed by Geoffrey Garen and Filip Pizlo.
1878
1879         CompareEq is fairly trivial if you assert one of the operands is either
1880         null or undefined. Under those conditions, the only way to have "true"
1881         is to have the other operand be null/undefined or have an object
1882         that masquerades as undefined.
1883
1884         JSC already had a fast path in CompareEqConstant.
1885         With this patch, I generalize this fast path to more cases and try
1886         to eliminate the checks whenever possible.
1887
1888         CompareEq now does the job of CompareEqConstant. If any operand can
1889         be proved to be undefined/other, its edge is set to OtherUse. Whenever
1890         any edge is OtherUse, we generate the fast code we had for CompareEqConstant.
1891
1892         The AbstractInterpreter has additional checks to reduce the node to a constant
1893         whenever possible.
1894
1895         There are two additional changes in this patch:
1896         -The Fixup Phase tries to set edges to OtherUse early. This is done correctly
1897          in ConstantFoldingPhase but setting it up early helps the phases relying
1898          on Clobberize.
1899         -The codegen for CompareEqConstant was improved. The reason is the comparison
1900          for ObjectOrOther could be faster just because the codegen was better.
1901
1902         * dfg/DFGAbstractInterpreterInlines.h:
1903         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1904         * dfg/DFGByteCodeParser.cpp:
1905         (JSC::DFG::ByteCodeParser::parseBlock):
1906         * dfg/DFGClobberize.h:
1907         (JSC::DFG::clobberize): Deleted.
1908         * dfg/DFGConstantFoldingPhase.cpp:
1909         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1910         * dfg/DFGDoesGC.cpp:
1911         (JSC::DFG::doesGC): Deleted.
1912         * dfg/DFGFixupPhase.cpp:
1913         (JSC::DFG::FixupPhase::fixupNode):
1914         * dfg/DFGNode.h:
1915         (JSC::DFG::Node::isUndefinedOrNullConstant):
1916         * dfg/DFGNodeType.h:
1917         * dfg/DFGPredictionPropagationPhase.cpp:
1918         (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
1919         * dfg/DFGSafeToExecute.h:
1920         (JSC::DFG::safeToExecute): Deleted.
1921         * dfg/DFGSpeculativeJIT.cpp:
1922         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1923         (JSC::DFG::SpeculativeJIT::compare):
1924         * dfg/DFGSpeculativeJIT.h:
1925         (JSC::DFG::SpeculativeJIT::isKnownNotOther):
1926         * dfg/DFGSpeculativeJIT32_64.cpp:
1927         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1928         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1929         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): Deleted.
1930         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): Deleted.
1931         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): Deleted.
1932         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1933         * dfg/DFGSpeculativeJIT64.cpp:
1934         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1935         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1936         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): Deleted.
1937         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): Deleted.
1938         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): Deleted.
1939         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1940         * dfg/DFGValidate.cpp:
1941         (JSC::DFG::Validate::validate): Deleted.
1942         * dfg/DFGWatchpointCollectionPhase.cpp:
1943         (JSC::DFG::WatchpointCollectionPhase::handle):
1944         * ftl/FTLCapabilities.cpp:
1945         (JSC::FTL::canCompile):
1946         * ftl/FTLLowerDFGToLLVM.cpp:
1947         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
1948         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
1949         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEqConstant): Deleted.
1950         * tests/stress/compare-eq-on-null-and-undefined-non-peephole.js: Added.
1951         (string_appeared_here.useForMath):
1952         (testUseForMath):
1953         * tests/stress/compare-eq-on-null-and-undefined-optimized-in-constant-folding.js: Added.
1954         (string_appeared_here.unreachableCodeTest):
1955         (inlinedCompareToNull):
1956         (inlinedComparedToUndefined):
1957         (warmupInlineFunctions):
1958         (testInlineFunctions):
1959         * tests/stress/compare-eq-on-null-and-undefined.js: Added.
1960         (string_appeared_here.compareConstants):
1961         (opaqueNull):
1962         (opaqueUndefined):
1963         (compareConstantsAndDynamicValues):
1964         (compareDynamicValues):
1965         (compareDynamicValueToItself):
1966         (arrayTesting):
1967         (opaqueCompare1):
1968         (testNullComparatorUpdate):
1969         (opaqueCompare2):
1970         (testUndefinedComparatorUpdate):
1971         (opaqueCompare3):
1972         (testNullAndUndefinedComparatorUpdate):
1973
1974 2015-08-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1975
1976         Introduce non-user-observable Promise functions to use Promises internally
1977         https://bugs.webkit.org/show_bug.cgi?id=148118
1978
1979         Reviewed by Saam Barati.
1980
1981         To leverage Promises internally (like ES6 Module Loaders), we add
1982         several non-user-observable private methods, like @then and @all, and
1983         refactor the existing Promises implementation to make it easy to use
1984         internally.
1985
1986         But the trappable part still remains. When resolving the promise with
1987         the returned value, we look up the "then" function, so users can trap
1988         it by replacing the "then" function of the Promise's prototype.
1989         To avoid this situation, we'll introduce completely different promise
1990         instances called InternalPromise in the subsequent patch[1].
1991
1992         No behavior change.
1993
1994         [1]: https://bugs.webkit.org/show_bug.cgi?id=148136
1995
1996         * builtins/PromiseConstructor.js:
1997         (privateAll.newResolveElement):
1998         (privateAll):
1999         * runtime/JSGlobalObject.cpp:
2000         (JSC::JSGlobalObject::init):
2001         (JSC::JSGlobalObject::visitChildren): Deleted.
2002         * runtime/JSGlobalObject.h:
2003         (JSC::JSGlobalObject::promiseConstructor): Deleted.
2004         (JSC::JSGlobalObject::promisePrototype): Deleted.
2005         (JSC::JSGlobalObject::promiseStructure): Deleted.
2006         * runtime/JSPromiseConstructor.cpp:
2007         (JSC::JSPromiseConstructor::finishCreation):
2008         * runtime/JSPromiseDeferred.cpp:
2009         (JSC::callFunction):
2010         (JSC::JSPromiseDeferred::resolve):
2011         (JSC::JSPromiseDeferred::reject):
2012         * runtime/JSPromiseDeferred.h:
2013         * runtime/JSPromisePrototype.cpp:
2014         (JSC::JSPromisePrototype::create):
2015         (JSC::JSPromisePrototype::JSPromisePrototype):
2016         * runtime/JSPromisePrototype.h:
2017
2018 2015-08-18  Geoffrey Garen  <ggaren@apple.com>
2019
2020         Try to fix the CLOOP build.
2021
2022         Unreviewed.
2023
2024         * bytecode/CodeBlock.cpp:
2025
2026 2015-08-18  Geoffrey Garen  <ggaren@apple.com>
2027
2028         Split InlineCallFrame into its own file
2029         https://bugs.webkit.org/show_bug.cgi?id=148131
2030
2031         Reviewed by Saam Barati.
2032
2033         * CMakeLists.txt:
2034         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2035         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2036         * JavaScriptCore.xcodeproj/project.pbxproj:
2037         * bytecode/CallLinkStatus.cpp:
2038         * bytecode/CodeBlock.h:
2039         (JSC::ExecState::r):
2040         (JSC::baselineCodeBlockForInlineCallFrame): Deleted.
2041         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock): Deleted.
2042         * bytecode/CodeOrigin.cpp:
2043         (JSC::CodeOrigin::inlineStack):
2044         (JSC::CodeOrigin::codeOriginOwner):
2045         (JSC::CodeOrigin::stackOffset):
2046         (JSC::CodeOrigin::dump):
2047         (JSC::CodeOrigin::dumpInContext):
2048         (JSC::InlineCallFrame::calleeConstant): Deleted.
2049         (JSC::InlineCallFrame::visitAggregate): Deleted.
2050         (JSC::InlineCallFrame::calleeForCallFrame): Deleted.
2051         (JSC::InlineCallFrame::hash): Deleted.
2052         (JSC::InlineCallFrame::hashAsStringIfPossible): Deleted.
2053         (JSC::InlineCallFrame::inferredName): Deleted.
2054         (JSC::InlineCallFrame::baselineCodeBlock): Deleted.
2055         (JSC::InlineCallFrame::dumpBriefFunctionInformation): Deleted.
2056         (JSC::InlineCallFrame::dumpInContext): Deleted.
2057         (JSC::InlineCallFrame::dump): Deleted.
2058         (WTF::printInternal): Deleted.
2059         * bytecode/CodeOrigin.h:
2060         (JSC::CodeOrigin::deletedMarker):
2061         (JSC::CodeOrigin::hash):
2062         (JSC::CodeOrigin::operator==):
2063         (JSC::CodeOriginHash::hash):
2064         (JSC::CodeOriginHash::equal):
2065         (JSC::InlineCallFrame::kindFor): Deleted.
2066         (JSC::InlineCallFrame::varargsKindFor): Deleted.
2067         (JSC::InlineCallFrame::specializationKindFor): Deleted.
2068         (JSC::InlineCallFrame::isVarargs): Deleted.
2069         (JSC::InlineCallFrame::InlineCallFrame): Deleted.
2070         (JSC::InlineCallFrame::specializationKind): Deleted.
2071         (JSC::InlineCallFrame::setStackOffset): Deleted.
2072         (JSC::InlineCallFrame::callerFrameOffset): Deleted.
2073         (JSC::InlineCallFrame::returnPCOffset): Deleted.
2074         (JSC::CodeOrigin::stackOffset): Deleted.
2075         (JSC::CodeOrigin::codeOriginOwner): Deleted.
2076         * bytecode/InlineCallFrame.cpp: Copied from Source/JavaScriptCore/bytecode/CodeOrigin.cpp.
2077         (JSC::InlineCallFrame::calleeConstant):
2078         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
2079         (JSC::CodeOrigin::inlineDepth): Deleted.
2080         (JSC::CodeOrigin::isApproximatelyEqualTo): Deleted.
2081         (JSC::CodeOrigin::approximateHash): Deleted.
2082         (JSC::CodeOrigin::inlineStack): Deleted.
2083         (JSC::CodeOrigin::dump): Deleted.
2084         (JSC::CodeOrigin::dumpInContext): Deleted.
2085         * bytecode/InlineCallFrame.h: Copied from Source/JavaScriptCore/bytecode/CodeOrigin.h.
2086         (JSC::InlineCallFrame::isVarargs):
2087         (JSC::InlineCallFrame::InlineCallFrame):
2088         (JSC::InlineCallFrame::specializationKind):
2089         (JSC::baselineCodeBlockForInlineCallFrame):
2090         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2091         (JSC::CodeOrigin::CodeOrigin): Deleted.
2092         (JSC::CodeOrigin::isSet): Deleted.
2093         (JSC::CodeOrigin::operator!): Deleted.
2094         (JSC::CodeOrigin::isHashTableDeletedValue): Deleted.
2095         (JSC::CodeOrigin::operator!=): Deleted.
2096         (JSC::CodeOrigin::deletedMarker): Deleted.
2097         (JSC::CodeOrigin::stackOffset): Deleted.
2098         (JSC::CodeOrigin::hash): Deleted.
2099         (JSC::CodeOrigin::operator==): Deleted.
2100         (JSC::CodeOrigin::codeOriginOwner): Deleted.
2101         (JSC::CodeOriginHash::hash): Deleted.
2102         (JSC::CodeOriginHash::equal): Deleted.
2103         (JSC::CodeOriginApproximateHash::hash): Deleted.
2104         (JSC::CodeOriginApproximateHash::equal): Deleted.
2105         * bytecode/InlineCallFrameSet.cpp:
2106         * dfg/DFGCommonData.cpp:
2107         * dfg/DFGOSRExitBase.cpp:
2108         * dfg/DFGVariableEventStream.cpp:
2109         * ftl/FTLOperations.cpp:
2110         * interpreter/CallFrame.cpp:
2111         * interpreter/StackVisitor.cpp:
2112         * jit/AssemblyHelpers.h:
2113         * profiler/ProfilerOriginStack.cpp:
2114         * runtime/ClonedArguments.cpp:
2115
2116 2015-08-18  Mark Lam  <mark.lam@apple.com>
2117
2118         Removed an unused param in Interpreter::initialize().
2119         https://bugs.webkit.org/show_bug.cgi?id=148129
2120
2121         Reviewed by Michael Saboff.
2122
2123         * interpreter/Interpreter.cpp:
2124         (JSC::Interpreter::~Interpreter):
2125         (JSC::Interpreter::initialize):
2126         * interpreter/Interpreter.h:
2127         (JSC::Interpreter::stack):
2128         * runtime/VM.cpp:
2129         (JSC::VM::VM):
2130
2131 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2132
2133         Add const to content extension parser
2134         https://bugs.webkit.org/show_bug.cgi?id=148044
2135
2136         Reviewed by Benjamin Poulain.
2137
2138         * runtime/JSObject.h:
2139         (JSC::JSObject::getIndexQuickly):
2140         (JSC::JSObject::tryGetIndexQuickly):
2141         (JSC::JSObject::getDirectIndex):
2142         (JSC::JSObject::getIndex):
2143         Added a few const keywords.
2144
2145 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2146
2147         Build Debug Suffix on Windows with CMake
2148         https://bugs.webkit.org/show_bug.cgi?id=148083
2149
2150         Reviewed by Brent Fulgham.
2151
2152         * CMakeLists.txt:
2153         * PlatformWin.cmake:
2154         * shell/CMakeLists.txt:
2155         * shell/PlatformWin.cmake:
2156         Add DEBUG_SUFFIX
2157
2158 2015-08-17  Saam Barati  <sbarati@apple.com>
2159
2160         Web Inspector: Type profiler return types aren't showing up
2161         https://bugs.webkit.org/show_bug.cgi?id=147348
2162
2163         Reviewed by Brian Burg.
2164
2165         Bug #145995 changed the starting offset of a function to 
2166         be the open parenthesis of the function's parameter list.
2167         This broke JSC's type profiler protocol of communicating 
2168         return types of a function to the web inspector. This
2169         is now fixed. The text offset used in the protocol is now
2170         the first letter of the function/get/set/method name.
2171         So "f" in "function a() {}", "s" in "set foo(){}", etc.
2172
2173         * bytecode/CodeBlock.cpp:
2174         (JSC::CodeBlock::CodeBlock):
2175         * jsc.cpp:
2176         (functionReturnTypeFor):
2177
2178 2015-08-17  Aleksandr Skachkov  <gskachkov@gmail.com>
2179
2180         [ES6] Implement ES6 arrow function syntax. Arrow function specific features. Lexical bind of this
2181         https://bugs.webkit.org/show_bug.cgi?id=144956
2182
2183         Reviewed by Saam Barati.
2184
2185         Added support for the ES6 arrow function specific features, lexical binding of this and no constructor. http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax
2186         This patch implements the following cases:
2187            this - the variable |this| points to the |this| of the function where the arrow function is declared. Lexical binding of |this|
2188            constructor - using the |new| command on an arrow function leads to a runtime error
2189            call(), apply(), bind() - these methods can only pass in arguments, but have no effect on |this|
2190
2191
2192         * CMakeLists.txt:
2193         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2194         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2195         * JavaScriptCore.xcodeproj/project.pbxproj:
2196         * bytecode/BytecodeList.json:
2197         * bytecode/BytecodeUseDef.h:
2198         (JSC::computeUsesForBytecodeOffset):
2199         (JSC::computeDefsForBytecodeOffset):
2200         * bytecode/CodeBlock.cpp:
2201         (JSC::CodeBlock::dumpBytecode):
2202         * bytecode/ExecutableInfo.h:
2203         (JSC::ExecutableInfo::ExecutableInfo):
2204         (JSC::ExecutableInfo::isArrowFunction):
2205         * bytecode/UnlinkedCodeBlock.cpp:
2206         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2207         * bytecode/UnlinkedCodeBlock.h:
2208         (JSC::UnlinkedCodeBlock::isArrowFunction):
2209         * bytecode/UnlinkedFunctionExecutable.cpp:
2210         (JSC::generateFunctionCodeBlock):
2211         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2212         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2213         * bytecode/UnlinkedFunctionExecutable.h:
2214         * bytecompiler/BytecodeGenerator.cpp:
2215         (JSC::BytecodeGenerator::BytecodeGenerator):
2216         (JSC::BytecodeGenerator::emitNewFunctionCommon):
2217         (JSC::BytecodeGenerator::emitNewFunctionExpression):
2218         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2219         (JSC::BytecodeGenerator::emitLoadArrowFunctionThis):
2220         * bytecompiler/BytecodeGenerator.h:
2221         * bytecompiler/NodesCodegen.cpp:
2222         (JSC::ArrowFuncExprNode::emitBytecode):
2223         * dfg/DFGAbstractInterpreterInlines.h:
2224         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2225         * dfg/DFGByteCodeParser.cpp:
2226         (JSC::DFG::ByteCodeParser::parseBlock):
2227         * dfg/DFGCapabilities.cpp:
2228         (JSC::DFG::capabilityLevel):
2229         * dfg/DFGClobberize.h:
2230         (JSC::DFG::clobberize):
2231         * dfg/DFGDoesGC.cpp:
2232         (JSC::DFG::doesGC):
2233         * dfg/DFGFixupPhase.cpp:
2234         (JSC::DFG::FixupPhase::fixupNode):
2235         * dfg/DFGNode.h:
2236         (JSC::DFG::Node::convertToPhantomNewFunction):
2237         (JSC::DFG::Node::hasCellOperand):
2238         (JSC::DFG::Node::isFunctionAllocation):
2239         * dfg/DFGNodeType.h:
2240         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2241         * dfg/DFGPredictionPropagationPhase.cpp:
2242         (JSC::DFG::PredictionPropagationPhase::propagate):
2243         * dfg/DFGPromotedHeapLocation.cpp:
2244         (WTF::printInternal):
2245         * dfg/DFGPromotedHeapLocation.h:
2246         * dfg/DFGSafeToExecute.h:
2247         (JSC::DFG::safeToExecute):
2248         * dfg/DFGSpeculativeJIT.cpp:
2249         (JSC::DFG::SpeculativeJIT::compileLoadArrowFunctionThis):
2250         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2251         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2252         * dfg/DFGSpeculativeJIT.h:
2253         (JSC::DFG::SpeculativeJIT::callOperation):
2254         * dfg/DFGSpeculativeJIT32_64.cpp:
2255         (JSC::DFG::SpeculativeJIT::compile):
2256         * dfg/DFGSpeculativeJIT64.cpp:
2257         (JSC::DFG::SpeculativeJIT::compile):
2258         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2259         * dfg/DFGStructureRegistrationPhase.cpp:
2260         (JSC::DFG::StructureRegistrationPhase::run):
2261         * ftl/FTLAbstractHeapRepository.cpp:
2262         * ftl/FTLAbstractHeapRepository.h:
2263         * ftl/FTLCapabilities.cpp:
2264         (JSC::FTL::canCompile):
2265         * ftl/FTLIntrinsicRepository.h:
2266         * ftl/FTLLowerDFGToLLVM.cpp:
2267         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2268         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2269         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadArrowFunctionThis):
2270         * ftl/FTLOperations.cpp:
2271         (JSC::FTL::operationMaterializeObjectInOSR):
2272         * interpreter/Interpreter.cpp:
2273         * interpreter/Interpreter.h:
2274         * jit/CCallHelpers.h:
2275         (JSC::CCallHelpers::setupArgumentsWithExecState): Added 3 arguments version for windows build.
2276         * jit/JIT.cpp:
2277         (JSC::JIT::privateCompileMainPass):
2278         * jit/JIT.h:
2279         * jit/JITInlines.h:
2280         (JSC::JIT::callOperation):
2281         * jit/JITOpcodes.cpp:
2282         (JSC::JIT::emit_op_load_arrowfunction_this):
2283         (JSC::JIT::emit_op_new_func_exp):
2284         (JSC::JIT::emitNewFuncExprCommon):
2285         (JSC::JIT::emit_op_new_arrow_func_exp):
2286         * jit/JITOpcodes32_64.cpp:
2287         (JSC::JIT::emit_op_load_arrowfunction_this):
2288         * jit/JITOperations.cpp:
2289         * jit/JITOperations.h:
2290         * llint/LLIntOffsetsExtractor.cpp:
2291         * llint/LLIntSlowPaths.cpp:
2292         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2293         (JSC::LLInt::setUpCall):
2294         * llint/LLIntSlowPaths.h:
2295         * llint/LowLevelInterpreter.asm:
2296         * llint/LowLevelInterpreter32_64.asm:
2297         * llint/LowLevelInterpreter64.asm:
2298         * parser/ASTBuilder.h:
2299         (JSC::ASTBuilder::createFunctionMetadata):
2300         (JSC::ASTBuilder::createArrowFunctionExpr):
2301         * parser/NodeConstructors.h:
2302         (JSC::BaseFuncExprNode::BaseFuncExprNode):
2303         (JSC::FuncExprNode::FuncExprNode):
2304         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
2305         * parser/Nodes.cpp:
2306         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2307         * parser/Nodes.h:
2308         (JSC::ExpressionNode::isArrowFuncExprNode):
2309         * parser/Parser.cpp:
2310         (JSC::Parser<LexerType>::parseFunctionBody):
2311         (JSC::Parser<LexerType>::parseFunctionInfo):
2312         * parser/SyntaxChecker.h:
2313         (JSC::SyntaxChecker::createFunctionMetadata):
2314         * runtime/Executable.cpp:
2315         (JSC::ScriptExecutable::newCodeBlockFor):
2316         * runtime/Executable.h:
2317         * runtime/JSArrowFunction.cpp: Added.
2318         (JSC::JSArrowFunction::destroy):
2319         (JSC::JSArrowFunction::create):
2320         (JSC::JSArrowFunction::JSArrowFunction):
2321         (JSC::JSArrowFunction::createWithInvalidatedReallocationWatchpoint):
2322         (JSC::JSArrowFunction::visitChildren):
2323         (JSC::JSArrowFunction::getConstructData):
2324         * runtime/JSArrowFunction.h: Added.
2325         (JSC::JSArrowFunction::allocationSize):
2326         (JSC::JSArrowFunction::createImpl):
2327         (JSC::JSArrowFunction::boundThis):
2328         (JSC::JSArrowFunction::createStructure):
2329         (JSC::JSArrowFunction::offsetOfThisValue):
2330         * runtime/JSFunction.h:
2331         * runtime/JSFunctionInlines.h:
2332         (JSC::JSFunction::JSFunction):
2333         * runtime/JSGlobalObject.cpp:
2334         (JSC::JSGlobalObject::init):
2335         (JSC::JSGlobalObject::visitChildren):
2336         * runtime/JSGlobalObject.h:
2337         (JSC::JSGlobalObject::arrowFunctionStructure):
2338         * tests/stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js: Added.
2339         * tests/stress/arrowfunction-activation-sink-osrexit-default-value.js: Added.
2340         * tests/stress/arrowfunction-activation-sink-osrexit.js: Added.
2341         * tests/stress/arrowfunction-activation-sink.js: Added.
2342         * tests/stress/arrowfunction-bound.js: Added.
2343         * tests/stress/arrowfunction-call.js: Added.
2344         * tests/stress/arrowfunction-constructor.js: Added.
2345         * tests/stress/arrowfunction-lexical-bind-this-1.js: Added.
2346         * tests/stress/arrowfunction-lexical-bind-this-2.js: Added.
2347         * tests/stress/arrowfunction-lexical-bind-this-3.js: Added.
2348         * tests/stress/arrowfunction-lexical-bind-this-4.js: Added.
2349         * tests/stress/arrowfunction-lexical-bind-this-5.js: Added.
2350         * tests/stress/arrowfunction-lexical-bind-this-6.js: Added.
2351         * tests/stress/arrowfunction-lexical-this-activation-sink-osrexit.js: Added.
2352         * tests/stress/arrowfunction-lexical-this-activation-sink.js: Added.
2353         * tests/stress/arrowfunction-lexical-this-sinking-no-double-allocate.js: Added.
2354         * tests/stress/arrowfunction-lexical-this-sinking-osrexit.js: Added.
2355         * tests/stress/arrowfunction-lexical-this-sinking-put.js: Added.
2356         * tests/stress/arrowfunction-others.js: Added.
2357         * tests/stress/arrowfunction-run-10-1.js: Added.
2358         * tests/stress/arrowfunction-run-10-2.js: Added.
2359         * tests/stress/arrowfunction-run-10000-1.js: Added.
2360         * tests/stress/arrowfunction-run-10000-2.js: Added.
2361         * tests/stress/arrowfunction-sinking-no-double-allocate.js: Added.
2362         * tests/stress/arrowfunction-sinking-osrexit.js: Added.
2363         * tests/stress/arrowfunction-sinking-put.js: Added.
2364         * tests/stress/arrowfunction-tdz.js: Added.
2365         * tests/stress/arrowfunction-typeof.js: Added.
2366
2367 2015-07-28  Sam Weinig  <sam@webkit.org>
2368
2369         Cleanup the builtin JavaScript files
2370         https://bugs.webkit.org/show_bug.cgi?id=147382
2371
2372         Reviewed by Geoffrey Garen.
2373
2374         * builtins/Array.prototype.js:
2375         * builtins/ArrayConstructor.js:
2376         * builtins/ArrayIterator.prototype.js:
2377         * builtins/Function.prototype.js:
2378         * builtins/Iterator.prototype.js:
2379         * builtins/ObjectConstructor.js:
2380         * builtins/StringConstructor.js:
2381         * builtins/StringIterator.prototype.js:
2382         Unify the style of the builtin JavaScript files.
2383
2384 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2385
2386         Move some commands from ./CMakeLists.txt to Source/cmake
2387         https://bugs.webkit.org/show_bug.cgi?id=148003
2388
2389         Reviewed by Brent Fulgham.
2390
2391         * CMakeLists.txt:
2392         Added commands needed to build JSC by itself.
2393
2394 2015-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2395
2396         [ES6] Implement Reflect.get
2397         https://bugs.webkit.org/show_bug.cgi?id=147925
2398
2399         Reviewed by Geoffrey Garen.
2400
2401         This patch implements the Reflect.get API.
2402         It can take the receiver object as the third argument.
2403         When the receiver is specified and there's a getter for the given property name,
2404         we call the getter with the receiver as the |this| value.
2405
2406         * runtime/ReflectObject.cpp:
2407         (JSC::reflectObjectGet):
2408         * runtime/SparseArrayValueMap.cpp:
2409         (JSC::SparseArrayEntry::get): Deleted.
2410         * runtime/SparseArrayValueMap.h:
2411         * tests/stress/reflect-get.js: Added.
2412         (shouldBe):
2413         (shouldThrow):
2414         (.get shouldThrow):
2415         (.get var):
2416         (get var.object.get hello):
2417         (.get shouldBe):
2418         (get var.object.set hello):
2419
2420 2015-08-17  Simon Fraser  <simon.fraser@apple.com>
2421
2422         will-change should sometimes trigger compositing
2423         https://bugs.webkit.org/show_bug.cgi?id=148072
2424
2425         Reviewed by Tim Horton.
2426         
2427         Include will-change as a reason for compositing.
2428
2429         * inspector/protocol/LayerTree.json:
2430
2431 2015-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2432
2433         [ES6] Implement Reflect.getOwnPropertyDescriptor
2434         https://bugs.webkit.org/show_bug.cgi?id=147929
2435
2436         Reviewed by Geoffrey Garen.
2437
2438         Implement Reflect.getOwnPropertyDescriptor.
2439         The difference from Object.getOwnPropertyDescriptor is that
2440         Reflect.getOwnPropertyDescriptor does not perform ToObject on
2441         the first argument. If the first argument is not an Object, it
2442         immediately raises a TypeError.
2443
2444         * runtime/ObjectConstructor.cpp:
2445         (JSC::objectConstructorGetOwnPropertyDescriptor):
2446         * runtime/ObjectConstructor.h:
2447         * runtime/ReflectObject.cpp:
2448         (JSC::reflectObjectGetOwnPropertyDescriptor):
2449         * tests/stress/reflect-get-own-property.js: Added.
2450         (shouldBe):
2451         (shouldThrow):
2452
2453 2015-08-16  Benjamin Poulain  <bpoulain@apple.com>
2454
2455         [JSC] Use (x + x) instead of (x * 2) when possible
2456         https://bugs.webkit.org/show_bug.cgi?id=148051
2457
2458         Reviewed by Michael Saboff.
2459
2460         When multiplying a number by 2, JSC was loading a constant "2"
2461         into a register and multiplying it with the first number:
2462
2463             mov $0x4000000000000000, %rcx
2464             movd %rcx, %xmm0
2465             mulsd %xmm0, %xmm1
2466
2467         This is a problem for a few reasons.
2468         1) "movd %rcx, %xmm0" only sets half of XMM0. This instruction
2469            has to wait for any preceding instruction on XMM0 to finish
2470            before executing.
2471         2) The load and transform itself is large and unnecessary.
2472
2473         To fix that, I added a StrengthReductionPhase to transform
2474         multiplications by 2 into an addition.
2475
2476         Unfortunately, that turned the code into:
2477             movsd %xmm0 %xmm1
2478             mulsd %xmm1 %xmm0
2479
2480         The reason is GenerationInfo::canReuse() was not accounting
2481         for nodes using other nodes multiple times.
2482
2483         After fixing that too, we now have the multiplications by 2
2484         done as:
2485             addsd %xmm0 %xmm0
2486
2487         * dfg/DFGGenerationInfo.h:
2488         (JSC::DFG::GenerationInfo::useCount):
2489         (JSC::DFG::GenerationInfo::canReuse): Deleted.
2490         * dfg/DFGSpeculativeJIT.cpp:
2491         (JSC::DFG::FPRTemporary::FPRTemporary):
2492         * dfg/DFGSpeculativeJIT.h:
2493         (JSC::DFG::SpeculativeJIT::canReuse):
2494         (JSC::DFG::GPRTemporary::GPRTemporary):
2495         * dfg/DFGStrengthReductionPhase.cpp:
2496         (JSC::DFG::StrengthReductionPhase::handleNode):
2497
2498 2015-08-14  Basile Clement  <basile_clement@apple.com>
2499
2500         Occasional failure in v8-v6/v8-raytrace.js.ftl-eager
2501         https://bugs.webkit.org/show_bug.cgi?id=147165
2502
2503         Reviewed by Saam Barati.
2504
2505         The object allocation sinking phase was not properly checking that a
2506         MultiGetByOffset was safe to lower before lowering it.
2507         This makes it so that we only lower MultiGetByOffset if it only loads
2508         from direct properties of the object, and considers it as an escape in
2509         any other case (e.g. a load from the prototype).
2510
2511         It also ensures proper conversion of MultiGetByOffset into
2512         CheckStructureImmediate when needed.
2513
2514         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2515         * ftl/FTLLowerDFGToLLVM.cpp:
2516         (JSC::FTL::DFG::LowerDFGToLLVM::checkStructure):
2517             We were not properly compiling CheckStructure and
2518             CheckStructureImmediate nodes with an empty StructureSet.
2519         * tests/stress/sink-multigetbyoffset.js: Regression test.
2520
2521 2015-08-14  Filip Pizlo  <fpizlo@apple.com>
2522
2523         Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable
2524         https://bugs.webkit.org/show_bug.cgi?id=147999
2525
2526         Reviewed by Geoffrey Garen.
2527
2528         * API/JSVirtualMachine.mm:
2529         (initWrapperCache):
2530         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
2531         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
2532         (wrapperCacheMutex): Deleted.
2533         * bytecode/SamplingTool.cpp:
2534         (JSC::SamplingTool::doRun):
2535         (JSC::SamplingTool::notifyOfScope):
2536         * bytecode/SamplingTool.h:
2537         * dfg/DFGThreadData.h:
2538         * dfg/DFGWorklist.cpp:
2539         (JSC::DFG::Worklist::~Worklist):
2540         (JSC::DFG::Worklist::isActiveForVM):
2541         (JSC::DFG::Worklist::enqueue):
2542         (JSC::DFG::Worklist::compilationState):
2543         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2544         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2545         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2546         (JSC::DFG::Worklist::visitWeakReferences):
2547         (JSC::DFG::Worklist::removeDeadPlans):
2548         (JSC::DFG::Worklist::queueLength):
2549         (JSC::DFG::Worklist::dump):
2550         (JSC::DFG::Worklist::runThread):
2551         * dfg/DFGWorklist.h:
2552         * disassembler/Disassembler.cpp:
2553         * heap/CopiedSpace.cpp:
2554         (JSC::CopiedSpace::doneFillingBlock):
2555         (JSC::CopiedSpace::doneCopying):
2556         * heap/CopiedSpace.h:
2557         * heap/CopiedSpaceInlines.h:
2558         (JSC::CopiedSpace::recycleBorrowedBlock):
2559         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
2560         * heap/GCThread.cpp:
2561         (JSC::GCThread::waitForNextPhase):
2562         (JSC::GCThread::gcThreadMain):
2563         * heap/GCThreadSharedData.cpp:
2564         (JSC::GCThreadSharedData::GCThreadSharedData):
2565         (JSC::GCThreadSharedData::~GCThreadSharedData):
2566         (JSC::GCThreadSharedData::startNextPhase):
2567         (JSC::GCThreadSharedData::endCurrentPhase):
2568         (JSC::GCThreadSharedData::didStartMarking):
2569         (JSC::GCThreadSharedData::didFinishMarking):
2570         * heap/GCThreadSharedData.h:
2571         * heap/HeapTimer.h:
2572         * heap/MachineStackMarker.cpp:
2573         (JSC::ActiveMachineThreadsManager::Locker::Locker):
2574         (JSC::ActiveMachineThreadsManager::add):
2575         (JSC::ActiveMachineThreadsManager::remove):
2576         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
2577         (JSC::MachineThreads::~MachineThreads):
2578         (JSC::MachineThreads::addCurrentThread):
2579         (JSC::MachineThreads::removeThreadIfFound):
2580         (JSC::MachineThreads::tryCopyOtherThreadStack):
2581         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2582         (JSC::MachineThreads::gatherConservativeRoots):
2583         * heap/MachineStackMarker.h:
2584         * heap/SlotVisitor.cpp:
2585         (JSC::SlotVisitor::donateKnownParallel):
2586         (JSC::SlotVisitor::drain):
2587         (JSC::SlotVisitor::drainFromShared):
2588         (JSC::SlotVisitor::mergeOpaqueRoots):
2589         * heap/SlotVisitorInlines.h:
2590         (JSC::SlotVisitor::containsOpaqueRootTriState):
2591         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2592         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2593         (Inspector::RemoteInspectorHandleRunSourceGlobal):
2594         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
2595         (Inspector::RemoteInspectorInitializeGlobalQueue):
2596         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
2597         (Inspector::RemoteInspectorDebuggableConnection::setup):
2598         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
2599         (Inspector::RemoteInspectorDebuggableConnection::close):
2600         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
2601         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
2602         * interpreter/JSStack.cpp:
2603         (JSC::JSStack::JSStack):
2604         (JSC::JSStack::releaseExcessCapacity):
2605         (JSC::JSStack::addToCommittedByteCount):
2606         (JSC::JSStack::committedByteCount):
2607         (JSC::stackStatisticsMutex): Deleted.
2608         (JSC::JSStack::initializeThreading): Deleted.
2609         * interpreter/JSStack.h:
2610         (JSC::JSStack::gatherConservativeRoots):
2611         (JSC::JSStack::sanitizeStack):
2612         (JSC::JSStack::size):
2613         (JSC::JSStack::initializeThreading): Deleted.
2614         * jit/ExecutableAllocator.cpp:
2615         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
2616         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
2617         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
2618         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
2619         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
2620         (JSC::DemandExecutableAllocator::allocators):
2621         (JSC::DemandExecutableAllocator::allocatorsMutex):
2622         * jit/JITThunks.cpp:
2623         (JSC::JITThunks::ctiStub):
2624         * jit/JITThunks.h:
2625         * profiler/ProfilerDatabase.cpp:
2626         (JSC::Profiler::Database::ensureBytecodesFor):
2627         (JSC::Profiler::Database::notifyDestruction):
2628         * profiler/ProfilerDatabase.h:
2629         * runtime/InitializeThreading.cpp:
2630         (JSC::initializeThreading):
2631         * runtime/JSLock.cpp:
2632         (JSC::GlobalJSLock::GlobalJSLock):
2633         (JSC::GlobalJSLock::~GlobalJSLock):
2634         (JSC::JSLockHolder::JSLockHolder):
2635         (JSC::GlobalJSLock::initialize): Deleted.
2636         * runtime/JSLock.h:
2637
2638 2015-08-14  Ryosuke Niwa  <rniwa@webkit.org>
2639
2640         ES6 class syntax should allow computed name method
2641         https://bugs.webkit.org/show_bug.cgi?id=142690
2642
2643         Reviewed by Saam Barati.
2644
2645         Added a new "attributes" attribute to op_put_getter_by_id, op_put_setter_by_id, op_put_getter_setter to specify
2646         the property descriptor options so that we can use op_put_setter_by_id and op_put_getter_setter to define
2647         getters and setters for classes. Without this, getters and setters could erroneously override methods.
2648
2649         * bytecode/BytecodeList.json:
2650         * bytecode/BytecodeUseDef.h:
2651         (JSC::computeUsesForBytecodeOffset):
2652         * bytecode/CodeBlock.cpp:
2653         (JSC::CodeBlock::dumpBytecode):
2654         * bytecompiler/BytecodeGenerator.cpp:
2655         (JSC::BytecodeGenerator::emitDirectPutById):
2656         (JSC::BytecodeGenerator::emitPutGetterById):
2657         (JSC::BytecodeGenerator::emitPutSetterById):
2658         (JSC::BytecodeGenerator::emitPutGetterSetter):
2659         * bytecompiler/BytecodeGenerator.h:
2660         * bytecompiler/NodesCodegen.cpp:
2661         (JSC::PropertyListNode::emitBytecode): Always use emitPutGetterSetter to emit getters and setters for classes
2662         as done for object literals.
2663         (JSC::PropertyListNode::emitPutConstantProperty):
2664         (JSC::ClassExprNode::emitBytecode):
2665         * jit/CCallHelpers.h:
2666         (JSC::CCallHelpers::setupArgumentsWithExecState):
2667         * jit/JIT.h:
2668         * jit/JITInlines.h:
2669         (JSC::JIT::callOperation):
2670         * jit/JITOperations.cpp:
2671         * jit/JITOperations.h:
2672         * jit/JITPropertyAccess.cpp:
2673         (JSC::JIT::emit_op_put_getter_by_id):
2674         (JSC::JIT::emit_op_put_setter_by_id):
2675         (JSC::JIT::emit_op_put_getter_setter):
2676         (JSC::JIT::emit_op_del_by_id):
2677         * jit/JITPropertyAccess32_64.cpp:
2678         (JSC::JIT::emit_op_put_getter_by_id):
2679         (JSC::JIT::emit_op_put_setter_by_id):
2680         (JSC::JIT::emit_op_put_getter_setter):
2681         (JSC::JIT::emit_op_del_by_id):
2682         * llint/LLIntSlowPaths.cpp:
2683         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2684         * llint/LowLevelInterpreter.asm:
2685         * parser/ASTBuilder.h:
2686         (JSC::ASTBuilder::createProperty):
2687         (JSC::ASTBuilder::createPropertyList):
2688         * parser/NodeConstructors.h:
2689         (JSC::PropertyNode::PropertyNode):
2690         * parser/Nodes.h:
2691         (JSC::PropertyNode::expressionName):
2692         (JSC::PropertyNode::name):
2693         * parser/Parser.cpp:
2694         (JSC::Parser<LexerType>::parseClass): Added the support for computed property name. We don't support computed names
2695         for getters and setters.
2696         * parser/SyntaxChecker.h:
2697         (JSC::SyntaxChecker::createProperty):
2698         * runtime/JSObject.cpp:
2699         (JSC::JSObject::allowsAccessFrom):
2700         (JSC::JSObject::putGetter):
2701         (JSC::JSObject::putSetter):
2702         * runtime/JSObject.h:
2703         * runtime/PropertyDescriptor.h:
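The behaviour this entry describes, as an added example that is not part of the WebKit ChangeLog or the JavaScriptCore sources: a class body with computed method names, and a check of the property attributes the class must produce (methods are non-enumerable, and a getter and a setter of the same name merge into one accessor rather than one replacing the other). The class, names and checks are constructed for the demonstration; computed names are used only for methods, matching the entry's note that computed getter and setter names were not supported by this patch.

```javascript
// Added example; not part of the WebKit ChangeLog or JavaScriptCore sources.
// Exercises ES6 class bodies with computed method names and checks the
// property attributes the class must produce: methods are non-enumerable,
// and a getter and setter with the same name merge into one accessor
// instead of one replacing the other.

const methodName = "dyn" + "Method";      // computed at runtime
const staticName = "make" + "Default";

class Widget {
  constructor(v) { this._v = v; }
  [methodName]() { return this._v * 2; }
  static [staticName]() { return new Widget(21); }
  get plain() { return this._v; }
  set plain(x) { this._v = x; }
}

// Summarise the own-property descriptor for key on obj, or null if absent.
function describeOwn(obj, key) {
  const d = Object.getOwnPropertyDescriptor(obj, key);
  if (!d) return null;
  const isAccessor = typeof d.get === "function" || typeof d.set === "function";
  return {
    kind: isAccessor ? "accessor" : "data",
    enumerable: d.enumerable,
    configurable: d.configurable,
    hasGetter: typeof d.get === "function",
    hasSetter: typeof d.set === "function",
  };
}

function runChecks() {
  const w = Widget[staticName]();
  w.plain = 5;                       // exercises the setter
  return {
    computedCall: w[methodName](),   // 10
    viaGetter: w.plain,              // 5
    methodDesc: describeOwn(Widget.prototype, methodName),
    staticDesc: describeOwn(Widget, staticName),
    accessorDesc: describeOwn(Widget.prototype, "plain"),
    // Object-literal members are enumerable; class members are not.
    literalDesc: describeOwn({ [methodName]() {} }, methodName),
    enumerableKeys: Object.keys(Widget.prototype),   // []
  };
}
```

The `literalDesc` entry is the contrast the patch's "attributes" operand exists for: the same emit path serves object literals and class bodies, and only the attribute flags distinguish an enumerable literal member from a non-enumerable class member.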
2704
2705 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2706
2707         Add InspectorInstrumentation builtin object to instrument the code in JS builtins like Promises
2708         https://bugs.webkit.org/show_bug.cgi?id=147942
2709
2710         Reviewed by Geoffrey Garen.
2711
2712         This patch adds a new private global object, @InspectorInstrumentation.
2713         It is intended to be used as the namespace object (like Reflect/Math) for Inspector's
2714         instrumentation system and it is used to instrument the builtin JS code, like Promises.
2715
2716         * CMakeLists.txt:
2717         * DerivedSources.make:
2718         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2719         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2720         * JavaScriptCore.xcodeproj/project.pbxproj:
2721         * builtins/InspectorInstrumentationObject.js: Added.
2722         (debug):
2723         (promiseFulfilled):
2724         (promiseRejected):
2725         * builtins/Operations.Promise.js:
2726         (rejectPromise):
2727         (fulfillPromise):
2728         * runtime/CommonIdentifiers.h:
2729         * runtime/InspectorInstrumentationObject.cpp: Added.
2730         (JSC::InspectorInstrumentationObject::InspectorInstrumentationObject):
2731         (JSC::InspectorInstrumentationObject::finishCreation):
2732         (JSC::InspectorInstrumentationObject::getOwnPropertySlot):
2733         (JSC::InspectorInstrumentationObject::isEnabled):
2734         (JSC::InspectorInstrumentationObject::enable):
2735         (JSC::InspectorInstrumentationObject::disable):
2736         (JSC::inspectorInstrumentationObjectDataLogImpl):
2737         * runtime/InspectorInstrumentationObject.h: Added.
2738         (JSC::InspectorInstrumentationObject::create):
2739         (JSC::InspectorInstrumentationObject::createStructure):
2740         * runtime/JSGlobalObject.cpp:
2741         (JSC::JSGlobalObject::init):
2742
2743 2015-08-14  Commit Queue  <commit-queue@webkit.org>
2744
2745         Unreviewed, rolling out r188444.
2746         https://bugs.webkit.org/show_bug.cgi?id=148029
2747
2748         Broke GTK and EFL (see bug #148027) (Requested by philn on
2749         #webkit).
2750
2751         Reverted changeset:
2752
2753         "Use WTF::Lock and WTF::Condition instead of WTF::Mutex,
2754         WTF::ThreadCondition, std::mutex, and std::condition_variable"
2755         https://bugs.webkit.org/show_bug.cgi?id=147999
2756         http://trac.webkit.org/changeset/188444
2757
2758 2015-08-13  Filip Pizlo  <fpizlo@apple.com>
2759
2760         Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable
2761         https://bugs.webkit.org/show_bug.cgi?id=147999
2762
2763         Reviewed by Geoffrey Garen.
2764
2765         * API/JSVirtualMachine.mm:
2766         (initWrapperCache):
2767         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
2768         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
2769         (wrapperCacheMutex): Deleted.
2770         * bytecode/SamplingTool.cpp:
2771         (JSC::SamplingTool::doRun):
2772         (JSC::SamplingTool::notifyOfScope):
2773         * bytecode/SamplingTool.h:
2774         * dfg/DFGThreadData.h:
2775         * dfg/DFGWorklist.cpp:
2776         (JSC::DFG::Worklist::~Worklist):
2777         (JSC::DFG::Worklist::isActiveForVM):
2778         (JSC::DFG::Worklist::enqueue):
2779         (JSC::DFG::Worklist::compilationState):
2780         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2781         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2782         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2783         (JSC::DFG::Worklist::visitWeakReferences):
2784         (JSC::DFG::Worklist::removeDeadPlans):
2785         (JSC::DFG::Worklist::queueLength):
2786         (JSC::DFG::Worklist::dump):
2787         (JSC::DFG::Worklist::runThread):
2788         * dfg/DFGWorklist.h:
2789         * disassembler/Disassembler.cpp:
2790         * heap/CopiedSpace.cpp:
2791         (JSC::CopiedSpace::doneFillingBlock):
2792         (JSC::CopiedSpace::doneCopying):
2793         * heap/CopiedSpace.h:
2794         * heap/CopiedSpaceInlines.h:
2795         (JSC::CopiedSpace::recycleBorrowedBlock):
2796         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
2797         * heap/GCThread.cpp:
2798         (JSC::GCThread::waitForNextPhase):
2799         (JSC::GCThread::gcThreadMain):
2800         * heap/GCThreadSharedData.cpp:
2801         (JSC::GCThreadSharedData::GCThreadSharedData):
2802         (JSC::GCThreadSharedData::~GCThreadSharedData):
2803         (JSC::GCThreadSharedData::startNextPhase):
2804         (JSC::GCThreadSharedData::endCurrentPhase):
2805         (JSC::GCThreadSharedData::didStartMarking):
2806         (JSC::GCThreadSharedData::didFinishMarking):
2807         * heap/GCThreadSharedData.h:
2808         * heap/HeapTimer.h:
2809         * heap/MachineStackMarker.cpp:
2810         (JSC::ActiveMachineThreadsManager::Locker::Locker):
2811         (JSC::ActiveMachineThreadsManager::add):
2812         (JSC::ActiveMachineThreadsManager::remove):
2813         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
2814         (JSC::MachineThreads::~MachineThreads):
2815         (JSC::MachineThreads::addCurrentThread):
2816         (JSC::MachineThreads::removeThreadIfFound):
2817         (JSC::MachineThreads::tryCopyOtherThreadStack):
2818         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2819         (JSC::MachineThreads::gatherConservativeRoots):
2820         * heap/MachineStackMarker.h:
2821         * heap/SlotVisitor.cpp:
2822         (JSC::SlotVisitor::donateKnownParallel):
2823         (JSC::SlotVisitor::drain):
2824         (JSC::SlotVisitor::drainFromShared):
2825         (JSC::SlotVisitor::mergeOpaqueRoots):
2826         * heap/SlotVisitorInlines.h:
2827         (JSC::SlotVisitor::containsOpaqueRootTriState):
2828         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2829         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2830         (Inspector::RemoteInspectorHandleRunSourceGlobal):
2831         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
2832         (Inspector::RemoteInspectorInitializeGlobalQueue):
2833         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
2834         (Inspector::RemoteInspectorDebuggableConnection::setup):
2835         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
2836         (Inspector::RemoteInspectorDebuggableConnection::close):
2837         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
2838         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
2839         * interpreter/JSStack.cpp:
2840         (JSC::JSStack::JSStack):
2841         (JSC::JSStack::releaseExcessCapacity):
2842         (JSC::JSStack::addToCommittedByteCount):
2843         (JSC::JSStack::committedByteCount):
2844         (JSC::stackStatisticsMutex): Deleted.
2845         (JSC::JSStack::initializeThreading): Deleted.
2846         * interpreter/JSStack.h:
2847         (JSC::JSStack::gatherConservativeRoots):
2848         (JSC::JSStack::sanitizeStack):
2849         (JSC::JSStack::size):
2850         (JSC::JSStack::initializeThreading): Deleted.
2851         * jit/ExecutableAllocator.cpp:
2852         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
2853         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
2854         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
2855         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
2856         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
2857         (JSC::DemandExecutableAllocator::allocators):
2858         (JSC::DemandExecutableAllocator::allocatorsMutex):
2859         * jit/JITThunks.cpp:
2860         (JSC::JITThunks::ctiStub):
2861         * jit/JITThunks.h:
2862         * profiler/ProfilerDatabase.cpp:
2863         (JSC::Profiler::Database::ensureBytecodesFor):
2864         (JSC::Profiler::Database::notifyDestruction):
2865         * profiler/ProfilerDatabase.h:
2866         * runtime/InitializeThreading.cpp:
2867         (JSC::initializeThreading):
2868         * runtime/JSLock.cpp:
2869         (JSC::GlobalJSLock::GlobalJSLock):
2870         (JSC::GlobalJSLock::~GlobalJSLock):
2871         (JSC::JSLockHolder::JSLockHolder):
2872         (JSC::GlobalJSLock::initialize): Deleted.
2873         * runtime/JSLock.h:
2874
2875 2015-08-13  Commit Queue  <commit-queue@webkit.org>
2876
2877         Unreviewed, rolling out r188428.
2878         https://bugs.webkit.org/show_bug.cgi?id=148015
2879
2880         broke cmake build (Requested by alexchristensen on #webkit).
2881
2882         Reverted changeset:
2883
2884         "Move some commands from ./CMakeLists.txt to Source/cmake"
2885         https://bugs.webkit.org/show_bug.cgi?id=148003
2886         http://trac.webkit.org/changeset/188428
2887
2888 2015-08-13  Commit Queue  <commit-queue@webkit.org>
2889
2890         Unreviewed, rolling out r188431.
2891         https://bugs.webkit.org/show_bug.cgi?id=148013
2892
2893         JSC headers are too hard to understand (Requested by smfr on
2894         #webkit).
2895
2896         Reverted changeset:
2897
2898         "Remove a few includes from JSGlobalObject.h"
2899         https://bugs.webkit.org/show_bug.cgi?id=148004
2900         http://trac.webkit.org/changeset/188431
2901
2902 2015-08-13  Benjamin Poulain  <bpoulain@apple.com>
2903
2904         [JSC] Add support for GetByVal on arrays of Undecided shape
2905         https://bugs.webkit.org/show_bug.cgi?id=147814
2906
2907         Reviewed by Filip Pizlo.
2908
2909         Previously, GetByVal on Array::Undecided would just take
2910         the generic path. The problem is the generic path is so
2911         slow that it could take a significant amount of time
2912         even for infrequent accesses.
2913
2914         With this patch, if the following conditions are met,
2915         the GetByVal just returns an "undefined" constant:
2916         -The object is an OriginalArray.
2917         -The prototype chain is sane.
2918         -The index is an integer.
2919         -The integer is positive (runtime check).
2920
2921         Ideally, the 4th condition should be removed, since
2922         deducing a compile-time constant gives us so much better
2923         opportunities at getting rid of this code.
2924
2925         There are two cases where this patch removes the runtime
2926         check:
2927         -If the index is constant (uncommon but easy)
2928         -If the index is within a range known to be positive.
2929          (common case and made possible with DFGIntegerRangeOptimizationPhase).
2930
2931         When we get into those cases, DFG just nukes everything
2932         and all we have left is a structure check :)
2933
2934         This patch is a 14% improvement on audio-beat-detection,
2935         a few percent faster here and there and no regression.
2936
2937         * dfg/DFGAbstractInterpreterInlines.h:
2938         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2939         If the index is a positive constant, we can get rid of the GetByVal
2940         entirely. :)
2941
2942         * dfg/DFGArrayMode.cpp:
2943         (JSC::DFG::ArrayMode::fromObserved):
2944         The returned type is now Array::Undecided + profiling information.
2945         The useful type is set in ArrayMode::refine().
2946
2947         (JSC::DFG::ArrayMode::refine):
2948         If we meet the particular set conditions, we speculate an Undecided
2949         array type with sane chain. Anything else comes back to Generic.
2950
2951         (JSC::DFG::ArrayMode::originalArrayStructure):
2952         To enable the structure check for Undecided array.
2953
2954         (JSC::DFG::ArrayMode::alreadyChecked):
2955         * dfg/DFGArrayMode.h:
2956         (JSC::DFG::ArrayMode::withProfile):
2957         (JSC::DFG::ArrayMode::canCSEStorage):
2958         (JSC::DFG::ArrayMode::benefitsFromOriginalArray):
2959         (JSC::DFG::ArrayMode::lengthNeedsStorage): Deleted.
2960         (JSC::DFG::ArrayMode::isSpecific): Deleted.
2961
2962         * dfg/DFGByteCodeParser.cpp:
2963         (JSC::DFG::ByteCodeParser::handleIntrinsic): Deleted.
2964         This is somewhat unrelated.
2965
2966         Having Array::Undecided on ArrayPush was impossible before
2967         since ArrayMode::fromObserved() used to return Array::Generic.
2968
2969         Now that Array::Undecided is possible, we must make sure not
2970         to provide it to ArrayPush since there is no code to handle it
2971         properly.
2972
2973         * dfg/DFGClobberize.h:
2974         (JSC::DFG::clobberize):
2975         The operation only depends on the index, it is pure.
2976
2977         * dfg/DFGFixupPhase.cpp:
2978         (JSC::DFG::FixupPhase::fixupNode): Deleted.
2979         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2980         * dfg/DFGSpeculativeJIT.cpp:
2981         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2982         (JSC::DFG::SpeculativeJIT::checkArray):
2983         * dfg/DFGSpeculativeJIT32_64.cpp:
2984         (JSC::DFG::SpeculativeJIT::compile):
2985         * dfg/DFGSpeculativeJIT64.cpp:
2986         (JSC::DFG::SpeculativeJIT::compile):
2987         * ftl/FTLCapabilities.cpp:
2988         (JSC::FTL::canCompile):
2989         * ftl/FTLLowerDFGToLLVM.cpp:
2990         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
2991         * tests/stress/get-by-val-on-undecided-array-type.js: Added.
2992         * tests/stress/get-by-val-on-undecided-sane-chain-1.js: Added.
2993         * tests/stress/get-by-val-on-undecided-sane-chain-2.js: Added.
2994         * tests/stress/get-by-val-on-undecided-sane-chain-3.js: Added.
2995         * tests/stress/get-by-val-on-undecided-sane-chain-4.js: Added.
2996         * tests/stress/get-by-val-on-undecided-sane-chain-5.js: Added.
2997         * tests/stress/get-by-val-on-undecided-sane-chain-6.js: Added.
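The invariant the fast path relies on, shown at the JavaScript level as an added example (not from the WebKit ChangeLog, the JavaScriptCore sources or the stress tests listed above): reading a positive integer index from an array that has never had an element stored into it yields undefined only while the prototype chain is "sane", that is, while neither Array.prototype nor Object.prototype carries an indexed property. The engine-side array shapes are not observable from script, so the example checks the visible consequence instead; the array, the warm-up loop and the poisoning of Array.prototype are constructed for the demonstration.

```javascript
// Added example; not from the WebKit ChangeLog or the JavaScriptCore sources.
// Shows, at the JavaScript level, the invariant behind the new GetByVal fast
// path: reading a positive integer index from an array that has never had an
// element stored into it yields undefined only while the prototype chain is
// "sane" (no indexed properties on Array.prototype or Object.prototype).
// The array and the poisoning of the chain are constructed for the demo.

function readIndex(arr, i) {
  return arr[i];
}

function freshArray(length) {
  // Allocates length slots but stores nothing into them.
  return new Array(length);
}

function probe() {
  const a = freshArray(8);
  const results = {};

  // Warm the read up so a JIT would have compiled it against a sane chain;
  // the poisoning below must then invalidate whatever it speculated.
  for (let i = 0; i < 10000; i++) readIndex(a, i & 7);

  results.beforePoison = readIndex(a, 3);    // undefined
  results.negativeIndex = readIndex(a, -1);  // "-1" is a plain property lookup, also undefined

  // Break the sane-chain condition with an indexed property on the prototype.
  Object.defineProperty(Array.prototype, 3, { value: "from-proto", configurable: true });
  try {
    results.afterPoison = readIndex(a, 3);   // the prototype now answers: "from-proto"
    results.otherIndex = readIndex(a, 4);    // other holes are still undefined
  } finally {
    delete Array.prototype[3];               // always restore the shared prototype
  }
  results.restored = readIndex(a, 3);        // undefined again
  return results;
}
```

The negative-index case is why the entry lists "the integer is positive" as a condition: a negative index is an ordinary named-property lookup, so it cannot be folded to undefined on the basis of array shape alone.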
2998
2999 2015-08-13  Simon Fraser  <simon.fraser@apple.com>
3000
3001         Remove a few includes from JSGlobalObject.h
3002         https://bugs.webkit.org/show_bug.cgi?id=148004
3003
3004         Reviewed by Tim Horton.
3005         
3006         Remove 4 #includes from JSGlobalObject.h, and fix the fallout.
3007
3008         * parser/VariableEnvironment.cpp:
3009         * parser/VariableEnvironment.h:
3010         * runtime/JSGlobalObject.h:
3011         * runtime/Structure.h:
3012         * runtime/StructureInlines.h:
3013
3014 2015-08-13  Alex Christensen  <achristensen@webkit.org>
3015
3016         Move some commands from ./CMakeLists.txt to Source/cmake
3017         https://bugs.webkit.org/show_bug.cgi?id=148003
3018
3019         Reviewed by Brent Fulgham.
3020
3021         * CMakeLists.txt:
3022         Added commands needed to build JSC by itself.
3023
3024 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3025
3026         Unify JSParserCodeType, FunctionParseMode and ModuleParseMode into SourceParseMode
3027         https://bugs.webkit.org/show_bug.cgi?id=147353
3028
3029         Reviewed by Saam Barati.
3030
3031         This is the follow-up patch after r188355.
3032         It includes the following changes.
3033
3034         - Unify JSParserCodeType, FunctionParseMode and ModuleParseMode into SourceParseMode
3035         - Make SourceParseMode a C++ strongly-typed enum.
3036         - Fix the comments.
3037         - Rename ModuleSpecifier to ModuleName.
3038         - Add the type name `ImportEntry` before the C++11 uniform initialization.
3039         - Fix the thrown message for duplicate 'default' names.
3040         - Assert that all statements in the top-level source elements are module declarations under the module analyzer phase.
3041
3042         * API/JSScriptRef.cpp:
3043         (parseScript):
3044         * builtins/BuiltinExecutables.cpp:
3045         (JSC::BuiltinExecutables::createExecutableInternal):
3046         * bytecode/UnlinkedFunctionExecutable.cpp:
3047         (JSC::generateFunctionCodeBlock):
3048         * bytecode/UnlinkedFunctionExecutable.h:
3049         * bytecompiler/BytecodeGenerator.h:
3050         (JSC::BytecodeGenerator::makeFunction):
3051         * parser/ASTBuilder.h:
3052         (JSC::ASTBuilder::createFunctionMetadata):
3053         (JSC::ASTBuilder::createModuleName):
3054         (JSC::ASTBuilder::createImportDeclaration):
3055         (JSC::ASTBuilder::createExportAllDeclaration):
3056         (JSC::ASTBuilder::createExportNamedDeclaration):
3057         (JSC::ASTBuilder::createModuleSpecifier): Deleted.
3058         * parser/ModuleAnalyzer.cpp:
3059         (JSC::ModuleAnalyzer::analyze):
3060         * parser/NodeConstructors.h:
3061         (JSC::ModuleNameNode::ModuleNameNode):
3062         (JSC::ImportDeclarationNode::ImportDeclarationNode):
3063         (JSC::ExportAllDeclarationNode::ExportAllDeclarationNode):
3064         (JSC::ExportNamedDeclarationNode::ExportNamedDeclarationNode):
3065         (JSC::ModuleSpecifierNode::ModuleSpecifierNode): Deleted.
3066         * parser/Nodes.cpp:
3067         (JSC::FunctionMetadataNode::FunctionMetadataNode):
3068         * parser/Nodes.h:
3069         (JSC::StatementNode::isModuleDeclarationNode):
3070         (JSC::ModuleDeclarationNode::isModuleDeclarationNode):
3071         (JSC::ImportDeclarationNode::moduleName):
3072         (JSC::ExportAllDeclarationNode::moduleName):
3073         (JSC::ExportNamedDeclarationNode::moduleName):
3074         (JSC::ImportDeclarationNode::moduleSpecifier): Deleted.
3075         (JSC::ExportAllDeclarationNode::moduleSpecifier): Deleted.
3076         (JSC::ExportNamedDeclarationNode::moduleSpecifier): Deleted.
3077         * parser/NodesAnalyzeModule.cpp:
3078         (JSC::SourceElements::analyzeModule):
3079         (JSC::ImportDeclarationNode::analyzeModule):
3080         (JSC::ExportAllDeclarationNode::analyzeModule):
3081         (JSC::ExportNamedDeclarationNode::analyzeModule):
3082         * parser/Parser.cpp:
3083         (JSC::Parser<LexerType>::Parser):
3084         (JSC::Parser<LexerType>::parseInner):
3085         (JSC::Parser<LexerType>::parseModuleSourceElements):
3086         (JSC::Parser<LexerType>::parseFunctionBody):
3087         (JSC::stringForFunctionMode):
3088         (JSC::Parser<LexerType>::parseFunctionParameters):
3089         (JSC::Parser<LexerType>::parseFunctionInfo):
3090         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3091         (JSC::Parser<LexerType>::parseClass):
3092         (JSC::Parser<LexerType>::parseModuleName):
3093         (JSC::Parser<LexerType>::parseImportDeclaration):
3094         (JSC::Parser<LexerType>::parseExportDeclaration):
3095         (JSC::Parser<LexerType>::parsePropertyMethod):
3096         (JSC::Parser<LexerType>::parseGetterSetter):
3097         (JSC::Parser<LexerType>::parsePrimaryExpression):
3098         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3099         (JSC::Parser<LexerType>::parseModuleSpecifier): Deleted.
3100         * parser/Parser.h:
3101         (JSC::Parser<LexerType>::parse):
3102         (JSC::parse):
3103         * parser/ParserModes.h:
3104         (JSC::isFunctionParseMode):
3105         (JSC::isModuleParseMode):
3106         (JSC::isProgramParseMode):
3107         * parser/SyntaxChecker.h:
3108         (JSC::SyntaxChecker::createFunctionMetadata):
3109         (JSC::SyntaxChecker::createModuleName):
3110         (JSC::SyntaxChecker::createImportDeclaration):
3111         (JSC::SyntaxChecker::createExportAllDeclaration):
3112         (JSC::SyntaxChecker::createExportNamedDeclaration):
3113         (JSC::SyntaxChecker::createModuleSpecifier): Deleted.
3114         * runtime/CodeCache.cpp:
3115         (JSC::CodeCache::getGlobalCodeBlock):
3116         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3117         * runtime/Completion.cpp:
3118         (JSC::checkSyntax):
3119         (JSC::checkModuleSyntax):
3120         * runtime/Executable.cpp:
3121         (JSC::ProgramExecutable::checkSyntax):
3122         * tests/stress/modules-syntax-error-with-names.js:
3123
3124 2015-08-13  Joseph Pecoraro  <pecoraro@apple.com>
3125
3126         Web Inspector: A {Map, WeakMap, Set, WeakSet} object that contains itself will hang the console
3127         https://bugs.webkit.org/show_bug.cgi?id=147966
3128
3129         Reviewed by Timothy Hatcher.
3130
3131         * inspector/InjectedScriptSource.js:
3132         (InjectedScript.prototype._initialPreview):
3133         Renamed to initial preview. This is not a complete preview for
3134         this object, and it needs some processing in order to be a
3135         complete accurate preview.
3136
3137         (InjectedScript.RemoteObject.prototype._emptyPreview):
3138         This attempts to be an accurate empty preview for the given object.
3139         For types with entries, it adds an empty entries list and updates
3140         the overflow and lossless properties.
3141
3142         (InjectedScript.RemoteObject.prototype._createObjectPreviewForValue):
3143         Take a generatePreview parameter to generate a full preview or empty preview.
3144
3145         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
3146         (InjectedScript.RemoteObject.prototype._appendEntryPreviews):
3147         (InjectedScript.RemoteObject.prototype._isPreviewableObject):
3148         Take care to avoid cycles.
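A cycle-safe preview generator with the same failure mode this entry fixes, as an added example (it is not the Web Inspector's InjectedScriptSource.js code). It keeps the objects on the current traversal path in a Set and emits an empty preview, with the entry and lossless bookkeeping the entry above describes, instead of recursing when it meets one of them again, so a Map or Set that contains itself terminates. The entry cap, the field names and the sample collections are assumptions made for the demonstration.

```javascript
// Added example; not the Web Inspector's InjectedScriptSource.js code.
// A small preview generator with the same failure mode as the bug: a Map or
// Set whose entries point back at the container. Objects on the current
// path are tracked in a Set; meeting one again yields an "empty preview"
// marker instead of recursion, so self-containing collections terminate.

const MAX_ENTRIES = 3;   // assumed cap, standing in for the inspector's entry limit

function subtypeOf(value) {
  if (Array.isArray(value)) return "array";
  if (value instanceof Map) return "map";
  if (value instanceof Set) return "set";
  if (value instanceof WeakMap) return "weakmap";
  if (value instanceof WeakSet) return "weakset";
  return "object";
}

// Returns a plain description of value. `onPath` holds the objects between
// the root and the current value, which is exactly the set a cycle revisits.
function previewValue(value, depth = 3, onPath = new Set()) {
  if (value === null || typeof value !== "object") {
    return { type: value === null ? "null" : typeof value, value: String(value) };
  }
  const out = { type: "object", subtype: subtypeOf(value), lossless: true };
  if (onPath.has(value) || depth === 0) {
    // Empty preview: the container is named but its contents are not expanded.
    out.lossless = false;
    out.cycle = onPath.has(value);
    return out;
  }
  onPath.add(value);
  try {
    if (value instanceof Map || value instanceof Set) {
      out.entries = [];
      for (const entry of value) {
        if (out.entries.length === MAX_ENTRIES) { out.overflow = true; out.lossless = false; break; }
        out.entries.push(value instanceof Map
          ? { key: previewValue(entry[0], depth - 1, onPath), value: previewValue(entry[1], depth - 1, onPath) }
          : { value: previewValue(entry, depth - 1, onPath) });
      }
    } else if (out.subtype === "weakmap" || out.subtype === "weakset") {
      // Weak collections cannot be iterated from script; only their type is shown.
      out.lossless = false;
    } else {
      out.properties = [];
      for (const key of Object.keys(value)) {
        if (out.properties.length === MAX_ENTRIES) { out.overflow = true; out.lossless = false; break; }
        out.properties.push({ name: key, value: previewValue(value[key], depth - 1, onPath) });
      }
    }
    // A child that was cut short makes the parent lossy too.
    const children = out.entries || out.properties || [];
    if (children.some(c => (c.value && c.value.lossless === false) || (c.key && c.key.lossless === false))) {
      out.lossless = false;
    }
  } finally {
    onPath.delete(value);   // leave the path so shared, non-cyclic objects still preview
  }
  return out;
}

// Constructed inputs: a Map holding itself, a Set holding itself, and an
// object that references the same child twice (shared, but not a cycle).
function selfContainingSamples() {
  const m = new Map([["name", "m"]]);
  m.set("self", m);
  const s = new Set([1]);
  s.add(s);
  const shared = { x: 1 };
  const twice = { a: shared, b: shared };
  return { map: previewValue(m), set: previewValue(s), shared: previewValue(twice) };
}
```

Removing the object from `onPath` on the way out is what distinguishes a cycle from a merely shared reference: a global "seen" set would mark `twice.b` as a cycle and produce a misleading empty preview for it.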
3149
3150 2015-08-13  Geoffrey Garen  <ggaren@apple.com>
3151
3152         Periodic code deletion should delete RegExp code
3153         https://bugs.webkit.org/show_bug.cgi?id=147990
3154
3155         Reviewed by Filip Pizlo.
3156
3157         The RegExp code cache was created for the sake of simple loops that
3158         re-created the same RegExps. It's reasonable to delete it periodically.
3159
3160         * heap/Heap.cpp:
3161         (JSC::Heap::deleteOldCode):
3162
3163 2015-08-13  Geoffrey Garen  <ggaren@apple.com>
3164
3165         RegExpCache::finalize should not delete code
3166         https://bugs.webkit.org/show_bug.cgi?id=147987
3167
3168         Reviewed by Mark Lam.
3169
3170         The RegExp object already knows how to delete its own code in its
3171         destructor. Our job is just to clear our stale pointer.
3172
3173         * runtime/RegExpCache.cpp:
3174         (JSC::RegExpCache::finalize):
3175         (JSC::RegExpCache::addToStrongCache):
3176
3177 2015-08-13  Geoffrey Garen  <ggaren@apple.com>
3178
3179         Standardize on the phrase "delete code"
3180         https://bugs.webkit.org/show_bug.cgi?id=147984
3181
3182         Reviewed by Mark Lam.
3183
3184         Use "delete" when we talk about throwing away code, as opposed to
3185         "invalidate" or "discard".
3186
3187         * debugger/Debugger.cpp:
3188         (JSC::Debugger::forEachCodeBlock):
3189         (JSC::Debugger::setSteppingMode):
3190         (JSC::Debugger::recompileAllJSFunctions):
3191         * heap/Heap.cpp:
3192         (JSC::Heap::deleteAllCompiledCode):
3193         * inspector/agents/InspectorRuntimeAgent.cpp:
3194         (Inspector::recompileAllJSFunctionsForTypeProfiling):
3195         * runtime/RegExp.cpp:
3196         (JSC::RegExp::match):
3197         (JSC::RegExp::deleteCode):
3198         (JSC::RegExp::invalidateCode): Deleted.
3199         * runtime/RegExp.h:
3200         * runtime/RegExpCache.cpp:
3201         (JSC::RegExpCache::finalize):
3202         (JSC::RegExpCache::addToStrongCache):
3203         (JSC::RegExpCache::deleteAllCode):
3204         (JSC::RegExpCache::invalidateCode): Deleted.
3205         * runtime/RegExpCache.h:
3206         * runtime/VM.cpp:
3207         (JSC::VM::stopSampling):
3208         (JSC::VM::prepareToDeleteCode):
3209         (JSC::VM::deleteAllCode):
3210         (JSC::VM::setEnabledProfiler):
3211         (JSC::VM::prepareToDiscardCode): Deleted.
3212         (JSC::VM::discardAllCode): Deleted.
3213         * runtime/VM.h:
3214         (JSC::VM::apiLock):
3215         (JSC::VM::codeCache):
3216         * runtime/Watchdog.cpp:
3217         (JSC::Watchdog::setTimeLimit):
3218
3219 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3220
3221         X.[[SetPrototypeOf]](Y) should succeed if X.[[Prototype]] is already Y even if X is not extensible
3222         https://bugs.webkit.org/show_bug.cgi?id=147930
3223
3224         Reviewed by Saam Barati.
3225
3226         When the passed prototype object to be set is the same as the existing
3227         prototype object, [[SetPrototypeOf]] just finishes its operation even
3228         if the extensibility of the target object is `false`.
3229
3230         * runtime/JSGlobalObjectFunctions.cpp:
3231         (JSC::globalFuncProtoSetter):
3232         * runtime/ObjectConstructor.cpp:
3233         (JSC::objectConstructorSetPrototypeOf):
3234         * runtime/ReflectObject.cpp:
3235         (JSC::reflectObjectSetPrototypeOf):
3236         * tests/stress/set-same-prototype.js: Added.
3237         (shouldBe):
3238         (shouldThrow):
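The rule this entry implements, exercised through all three entry points it lists (the `__proto__` setter, `Object.setPrototypeOf` and `Reflect.setPrototypeOf`), as an added example that is not part of the WebKit ChangeLog, the JavaScriptCore sources or the set-same-prototype.js stress test. The objects are constructed for the demonstration; the helper records, per API, whether the call succeeded, returned false or threw a TypeError.

```javascript
// Added example; not from the WebKit ChangeLog or the JavaScriptCore sources.
// [[SetPrototypeOf]] on a non-extensible object must succeed when the new
// prototype is already the current one, and fail otherwise. Each of the three
// script-visible entry points reports failure differently, so all three are
// driven here with constructed objects.

// Tries to set proto on target through every entry point and records the outcome.
function trySetPrototype(target, proto) {
  const out = {};
  out.reflect = Reflect.setPrototypeOf(target, proto);   // boolean, never throws for an object target
  try {
    Object.setPrototypeOf(target, proto);
    out.objectThrew = false;
  } catch (e) {
    out.objectThrew = e instanceof TypeError;
  }
  try {
    target.__proto__ = proto;                            // Object.prototype.__proto__ setter
    out.protoSetterThrew = false;
  } catch (e) {
    out.protoSetterThrew = e instanceof TypeError;
  }
  return out;
}

function demo() {
  const base = { kind: "base" };
  const frozen = Object.freeze(Object.create(base));     // non-extensible, prototype is base
  const open = Object.create(base);                      // extensible, for contrast
  const other = {};
  return {
    sameOnFrozen: trySetPrototype(frozen, base),         // all succeed: nothing changes
    differentOnFrozen: trySetPrototype(frozen, other),   // Reflect false, the others throw
    nullOnFrozen: trySetPrototype(frozen, null),         // null is a different prototype, so fails too
    differentOnOpen: trySetPrototype(open, other),       // extensible object: all succeed
    frozenStillBase: Object.getPrototypeOf(frozen) === base,
    openNowOther: Object.getPrototypeOf(open) === other,
  };
}
```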
3239
3240 2015-08-12  Geoffrey Garen  <ggaren@apple.com>
3241
3242         Removed clearEvalCodeCache()
3243         https://bugs.webkit.org/show_bug.cgi?id=147957
3244
3245         Reviewed by Filip Pizlo.
3246
3247         It was unused.
3248
3249         * bytecode/CodeBlock.cpp:
3250         (JSC::CodeBlock::linkIncomingCall):
3251         (JSC::CodeBlock::install):
3252         (JSC::CodeBlock::clearEvalCache): Deleted.
3253         * bytecode/CodeBlock.h:
3254         (JSC::CodeBlock::numberOfJumpTargets):
3255         (JSC::CodeBlock::jumpTarget):
3256         (JSC::CodeBlock::numberOfArgumentValueProfiles):
3257
3258 2015-08-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3259
3260         [ES6] Implement Reflect.defineProperty
3261         https://bugs.webkit.org/show_bug.cgi?id=147943
3262
3263         Reviewed by Saam Barati.
3264
3265         This patch implements Reflect.defineProperty.
3266         The differences from Object.defineProperty are:
3267
3268         1. Reflect.defineProperty does not perform ToObject operation onto the first argument.
3269         2. Reflect.defineProperty does not throw a TypeError when the [[DefineOwnProperty]] operation fails.
3270         3. Reflect.defineProperty returns the boolean value that represents whether [[DefineOwnProperty]] succeeded.
3271
3272         And this patch adds comments with links to the ES6 spec.
3273
3274         * builtins/ReflectObject.js:
3275         * runtime/ObjectConstructor.cpp:
3276         (JSC::toPropertyDescriptor):
3277         * runtime/ObjectConstructor.h:
3278         * runtime/ReflectObject.cpp:
3279         (JSC::reflectObjectDefineProperty):
3280         * tests/stress/reflect-define-property.js: Added.
3281         (shouldBe):
3282         (shouldThrow):
3283         (.set getter):
3284         (setter):
3285         (.get testDescriptor):
3286         (.set get var):
3287         (.set testDescriptor):
3288         (.set get testDescriptor):
3289         (.set get shouldThrow):
3290         (.get var):
3291
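The three differences listed in the entry above, as an added JavaScript example; it is not part of the WebKit ChangeLog or of the JavaScriptCore sources. The helper names (outcome, redefineNonConfigurable, defineFresh, defineThroughVetoingProxy, defineOnPrimitive) are chosen for this example only.

```javascript
// Added example, not part of the WebKit ChangeLog or the JavaScriptCore sources.
// Exercises the differences between Reflect.defineProperty and
// Object.defineProperty listed in the entry above. Runs on any ES2015+ engine.

// Classify the outcome of a call: its return value, or the error type it threw.
function outcome(fn) {
  try {
    return { threw: false, result: fn() };
  } catch (e) {
    return { threw: true, error: e.constructor.name };
  }
}

// Differences 2 and 3: redefining a non-configurable, non-writable property makes
// [[DefineOwnProperty]] fail. Object.defineProperty turns that into a TypeError;
// Reflect.defineProperty reports it as false, and the object is left unchanged.
function redefineNonConfigurable() {
  const target = {};
  Object.defineProperty(target, 'x', { value: 1, writable: false, configurable: false });
  const viaObject = outcome(() => Object.defineProperty(target, 'x', { value: 2 }));
  const viaReflect = outcome(() => Reflect.defineProperty(target, 'x', { value: 2 }));
  return { viaObject, viaReflect, valueAfter: target.x };
}

// Difference 3, success path: a definition that succeeds returns true.
function defineFresh() {
  const target = {};
  const ok = Reflect.defineProperty(target, 'y', { value: 42, enumerable: true });
  return { ok, value: target.y, keys: Object.keys(target) };
}

// A Proxy whose defineProperty trap vetoes every definition: the veto surfaces as
// false from Reflect.defineProperty but as a TypeError from Object.defineProperty.
function defineThroughVetoingProxy() {
  const proxy = new Proxy({}, { defineProperty() { return false; } });
  return {
    viaObject: outcome(() => Object.defineProperty(proxy, 'z', { value: 1 })),
    viaReflect: outcome(() => Reflect.defineProperty(proxy, 'z', { value: 1 })),
  };
}

// Difference 1: the target is not passed through ToObject. A primitive target is
// rejected with a TypeError rather than being boxed into a wrapper object.
function defineOnPrimitive() {
  return outcome(() => Reflect.defineProperty('not an object', 'p', { value: 1 }));
}
```

The Proxy case is the one to keep in mind when writing a membrane or sandbox: Reflect.defineProperty hands back exactly what the [[DefineOwnProperty]] internal method returned, which is what a trap that forwards to its target needs, whereas Object.defineProperty converts a veto into an exception.
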
3292 2015-08-12  Filip Pizlo  <fpizlo@apple.com>
3293
3294         DFG::ByteCodeParser should attempt constant folding on loads from structures that are DFG-watchable
3295         https://bugs.webkit.org/show_bug.cgi?id=147950
3296
3297         Reviewed by Michael Saboff.
3298
3299         Previously we reduced the constant folding power of ByteCodeParser::load() because that code was
3300         responsible for memory corruption, since it would sometimes install watchpoints on structures that
3301         weren't being traced.  It seemed like the safest fix was to remove the constant folding rule
3302         entirely since later phases also do constant folding, and they do it without introducing the bug.
3303         Well, that change (http://trac.webkit.org/changeset/188292) caused a big regression, because we
3304         still have some constant folding rules that only exist in ByteCodeParser, and so ByteCodeParser must
3305         be maximally aggressive in constant-folding whenever possible.
3306
3307         So, this change now brings back that constant folding rule - for loads from object constants that
3308         have DFG-watchable structures - and implements it properly, by ensuring that we only call into
3309         tryGetConstantProperty() if we have registered the structure set.
3310
3311         * dfg/DFGByteCodeParser.cpp:
3312         (JSC::DFG::ByteCodeParser::load):
3313
3314 2015-08-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3315
3316         [ES6] Add ES6 Modules preparsing phase to collect the dependencies
3317         https://bugs.webkit.org/show_bug.cgi?id=147353
3318
3319         Reviewed by Geoffrey Garen.
3320
3321         This patch implements ModuleRecord and ModuleAnalyzer.
3322         ModuleAnalyzer analyzes the AST produced by the parser.
3323         By collaborating with the parser, ModuleAnalyzer collects the information
3324         that is necessary to request the loading of the dependent modules and
3325         construct the module's environment and namespace object before executing the actual
3326         module body.
3327
3328         In the parser, we annotate which variable is an imported binding and which variable
3329         is exported from the current module. This information is leveraged in the ModuleAnalyzer
3330         to categorize the export entries.
3331
3332         To preparse the modules in the parser, we just add the new flag `ModuleParseMode`
3333         instead of introducing a new TreeContext type. This is because parseModuleSourceElements
3334         has only 2 users: the preparser and the actual compiler. Adding the flag is simple
3335         enough to switch the context to the SyntaxChecker when parsing the non-module-related
3336         statements in the preparsing phase.
3337
3338         To demonstrate the module analyzer, we added the new dumpModuleRecord option
3339         to the JSC shell. By specifying it, the result of the analysis is dumped when the module
3340         is parsed and analyzed.
3341
3342         * CMakeLists.txt:
3343         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3344         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3345         * JavaScriptCore.xcodeproj/project.pbxproj:
3346         * builtins/BuiltinNames.h:
3347         * parser/ASTBuilder.h:
3348         (JSC::ASTBuilder::createExportDefaultDeclaration):
3349         * parser/ModuleAnalyzer.cpp: Added.
3350         (JSC::ModuleAnalyzer::ModuleAnalyzer):
3351         (JSC::ModuleAnalyzer::exportedBinding):
3352         (JSC::ModuleAnalyzer::declareExportAlias):
3353         (JSC::ModuleAnalyzer::exportVariable):
3354         (JSC::ModuleAnalyzer::analyze):
3355         * parser/ModuleAnalyzer.h: Added.
3356         (JSC::ModuleAnalyzer::vm):
3357         (JSC::ModuleAnalyzer::moduleRecord):
3358         * parser/ModuleRecord.cpp: Added.
3359         (JSC::printableName):
3360         (JSC::ModuleRecord::dump):
3361         * parser/ModuleRecord.h: Added.
3362         (JSC::ModuleRecord::ImportEntry::isNamespace):
3363         (JSC::ModuleRecord::create):
3364         (JSC::ModuleRecord::appendRequestedModule):
3365         (JSC::ModuleRecord::addImportEntry):
3366         (JSC::ModuleRecord::addExportEntry):
3367         (JSC::ModuleRecord::addStarExportEntry):
3368         * parser/NodeConstructors.h:
3369         (JSC::ModuleDeclarationNode::ModuleDeclarationNode):
3370         (JSC::ImportDeclarationNode::ImportDeclarationNode):
3371         (JSC::ExportAllDeclarationNode::ExportAllDeclarationNode):
3372         (JSC::ExportDefaultDeclarationNode::ExportDefaultDeclarationNode):
3373         (JSC::ExportLocalDeclarationNode::ExportLocalDeclarationNode):
3374         (JSC::ExportNamedDeclarationNode::ExportNamedDeclarationNode):
3375         * parser/Nodes.h:
3376         (JSC::ExportDefaultDeclarationNode::localName):
3377         * parser/NodesAnalyzeModule.cpp: Added.
3378         (JSC::ScopeNode::analyzeModule):
3379         (JSC::SourceElements::analyzeModule):
3380         (JSC::ImportDeclarationNode::analyzeModule):
3381         (JSC::ExportAllDeclarationNode::analyzeModule):
3382         (JSC::ExportDefaultDeclarationNode::analyzeModule):
3383         (JSC::ExportLocalDeclarationNode::analyzeModule):
3384         (JSC::ExportNamedDeclarationNode::analyzeModule):
3385         * parser/Parser.cpp:
3386         (JSC::Parser<LexerType>::parseInner):
3387         (JSC::Parser<LexerType>::parseModuleSourceElements):
3388         (JSC::Parser<LexerType>::parseVariableDeclarationList):
3389         (JSC::Parser<LexerType>::createBindingPattern):
3390         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3391         (JSC::Parser<LexerType>::parseClassDeclaration):
3392         (JSC::Parser<LexerType>::parseImportClauseItem):
3393         (JSC::Parser<LexerType>::parseExportSpecifier):
3394         (JSC::Parser<LexerType>::parseExportDeclaration):
3395         * parser/Parser.h:
3396         (JSC::Scope::lexicalVariables):
3397         (JSC::Scope::declareLexicalVariable):
3398         (JSC::Parser::declareVariable):
3399         (JSC::Parser::exportName):
3400         (JSC::Parser<LexerType>::parse):
3401         (JSC::parse):
3402         * parser/ParserModes.h:
3403         * parser/SyntaxChecker.h:
3404         (JSC::SyntaxChecker::createExportDefaultDeclaration):
3405         * parser/VariableEnvironment.cpp:
3406         (JSC::VariableEnvironment::markVariableAsImported):
3407         (JSC::VariableEnvironment::markVariableAsExported):
3408         * parser/VariableEnvironment.h:
3409         (JSC::VariableEnvironmentEntry::isExported):
3410         (JSC::VariableEnvironmentEntry::isImported):
3411         (JSC::VariableEnvironmentEntry::setIsExported):
3412         (JSC::VariableEnvironmentEntry::setIsImported):
3413         * runtime/CommonIdentifiers.h:
3414         * runtime/Completion.cpp:
3415         (JSC::checkModuleSyntax):
3416         * runtime/Options.h:
3417
3418 2015-08-12  Geoffrey Garen  <ggaren@apple.com>
3419
3420         Re-land r188339, since Alex fixed it in r188341 by landing the WebCore half.
3421
3422         * jit/ExecutableAllocator.h:
3423         * jsc.cpp:
3424         (GlobalObject::finishCreation):
3425         (functionAddressOf):
3426         (functionVersion):
3427         (functionReleaseExecutableMemory): Deleted.
3428         * runtime/VM.cpp:
3429         (JSC::StackPreservingRecompiler::operator()):
3430         (JSC::VM::throwException):
3431         (JSC::VM::updateFTLLargestStackSize):
3432         (JSC::VM::gatherConservativeRoots):
3433         (JSC::VM::releaseExecutableMemory): Deleted.
3434         (JSC::releaseExecutableMemory): Deleted.
3435         * runtime/VM.h:
3436         (JSC::VM::isCollectorBusy):
3437         * runtime/Watchdog.cpp:
3438         (JSC::Watchdog::setTimeLimit):
3439
3440 2015-08-12  Jon Honeycutt  <jhoneycutt@apple.com>
3441
3442         Roll out r188339, which broke the build.
3443
3444         Unreviewed.
3445
3446         * jit/ExecutableAllocator.h:
3447         * jsc.cpp:
3448         (GlobalObject::finishCreation):
3449         (functionReleaseExecutableMemory):
3450         * runtime/VM.cpp:
3451         (JSC::StackPreservingRecompiler::visit):
3452         (JSC::StackPreservingRecompiler::operator()):
3453         (JSC::VM::releaseExecutableMemory):
3454         (JSC::releaseExecutableMemory):
3455         * runtime/VM.h:
3456         * runtime/Watchdog.cpp:
3457         (JSC::Watchdog::setTimeLimit):
3458
3459 2015-08-12  Alex Christensen  <achristensen@webkit.org>
3460
3461         Fix Debug CMake builds on Windows
3462         https://bugs.webkit.org/show_bug.cgi?id=147940
3463
3464         Reviewed by Chris Dumez.
3465
3466         * PlatformWin.cmake:
3467         Copy the plist to the JavaScriptCore.resources directory.
3468
3469 2015-08-11  Geoffrey Garen  <ggaren@apple.com>
3470
3471         Remove VM::releaseExecutableMemory
3472         https://bugs.webkit.org/show_bug.cgi?id=147915
3473
3474         Reviewed by Saam Barati.
3475
3476         releaseExecutableMemory() was only used in one place, where discardAllCode()
3477         would work just as well.
3478
3479         It's confusing to have two slightly different ways to discard code. Also,
3480         releaseExecutableMemory() is unused in any production code, and it seems
3481         to have bit-rotted.
3482
3483         * jit/ExecutableAllocator.h:
3484         * jsc.cpp:
3485         (GlobalObject::finishCreation):
3486         (functionAddressOf):
3487         (functionVersion):
3488         (functionReleaseExecutableMemory): Deleted.
3489         * runtime/VM.cpp:
3490         (JSC::StackPreservingRecompiler::operator()):
3491         (JSC::VM::throwException):
3492         (JSC::VM::updateFTLLargestStackSize):
3493         (JSC::VM::gatherConservativeRoots):
3494         (JSC::VM::releaseExecutableMemory): Deleted.
3495         (JSC::releaseExecutableMemory): Deleted.
3496         * runtime/VM.h:
3497         (JSC::VM::isCollectorBusy):
3498         * runtime/Watchdog.cpp:
3499         (JSC::Watchdog::setTimeLimit):
3500
3501 2015-08-12  Mark Lam  <mark.lam@apple.com>
3502
3503         Add a JSC option to enable the watchdog for testing.
3504         https://bugs.webkit.org/show_bug.cgi?id=147939
3505
3506         Reviewed by Michael Saboff.
3507
3508         * API/JSContextRef.cpp:
3509         (JSContextGroupSetExecutionTimeLimit):
3510         (createWatchdogIfNeeded): Deleted.
3511         * runtime/Options.h:
3512         * runtime/VM.cpp:
3513         (JSC::VM::VM):
3514         (JSC::VM::~VM):
3515         (JSC::VM::sharedInstanceInternal):
3516         (JSC::VM::ensureWatchdog):
3517         (JSC::thunkGeneratorForIntrinsic):
3518         * runtime/VM.h:
3519
3520 2015-08-11  Mark Lam  <mark.lam@apple.com>
3521
3522         Implementation JavaScript watchdog using WTF::WorkQueue.
3523         https://bugs.webkit.org/show_bug.cgi?id=147107
3524
3525         Reviewed by Geoffrey Garen.
3526
3527         How the Watchdog works
3528         ======================
3529
3530         1. When do we start the Watchdog?
3531            =============================
3532            The watchdog should only be started if both the following conditions are true:
3533            1. A time limit has been set.
3534            2. We have entered the VM.
3535  
3536         2. CPU time vs Wall Clock time
3537            ===========================
3538            Why do we need 2 time deadlines: m_cpuDeadline and m_wallClockDeadline?
3539
3540            The watchdog uses WorkQueue dispatchAfter() to queue a timer to measure the watchdog time
3541            limit. WorkQueue timers measure time in monotonic wall clock time. m_wallClockDeadline
3542            indicates the wall clock time point when the WorkQueue timer is expected to fire.
3543
3544            The time limit for which we allow JS code to run should be measured in CPU time, which can
3545            differ from wall clock time.  m_cpuDeadline indicates the CPU time point when the watchdog
3546            should fire.
3547
3548            Note: the timer firing is not the same thing as the watchdog firing.  When the timer fires,
3549            we need to check if m_cpuDeadline has been reached.
3550
3551            If m_cpuDeadline has been reached, the watchdog is considered to have fired.
3552
3553            If not, then we have a remaining amount of CPU time, Tremainder, that we should allow JS
3554            code to continue to run for.  Hence, we need to start a new timer to fire again after
3555            Tremainder microseconds.
3556     
3557            See Watchdog::didFireSlow().
3558
3559         3. Spurious wake ups
3560            =================
3561            Because the WorkQueue timer cannot be cancelled, the watchdog needs to ignore stale timers.
3562            It does this by checking the m_wallClockDeadline.  A wakeup that occurs right after
3563            m_wallClockDeadline expires is considered to be the wakeup for the active timer.  All other
3564            wake ups are considered to be spurious and will be ignored.
3565  
3566            See Watchdog::didFireSlow().
3567  
3568         4. Minimizing Timer creation cost
3569            ==============================
3570            Conceptually, we could start a new timer every time we start the watchdog. But we can do better
3571            than this.
3572  
3573            In practice, the time limit of a watchdog tends to be long, and the amount of time a watchdog
3574            stays active tends to be short for well-behaved JS code. The user also tends to re-use the same
3575            time limit. Consider the following example:
3576  
3577                |---|-----|---|----------------|---------|
3578                t0  t1    t2  t3            t0 + L    t2 + L 
3579
3580                |<--- T1 --------------------->|
3581                          |<--- T2 --------------------->|
3582                |<-- Td ->|                    |<-- Td ->|
3583
3584            1. The user initializes the watchdog with time limit L.
3585            2. At t0, we enter the VM to execute JS code, and start the watchdog timer, T1.
3586               The timer is set to expire at t0 + L.
3587            3. At t1, we exit the VM.
3588            4. At t2, we enter the VM again, and would like to start a new watchdog timer, T2.
3589          
3590               However, we can note that the expiration time for T2 would be after the expiration time
3591               of T1. Specifically, T2 would have expired at Td after T1 expires.
3592          
3593               Hence, we can just wait for T1 to expire, and then start a new timer T2' at time t0 + L
3594               for a period of Td instead.
3595
3596            Note that didFireSlow() already compensates for time differences between wall clock and CPU time,
3597            as well as handling spurious wake ups (see notes 2 and 3 above).  As a result, didFireSlow() will
3598            automatically take care of starting a new timer for the difference Td in the example above.
3599            Instead of starting the new timer T2 at time t2, we just verify that if the active timer T1's
3600            expiration is less than T2's, then we are already covered by T1 and there's no need to start T2.
3601
3602            The benefit:
3603
3604            1. we minimize the number of timer instances we have queued in the workqueue at the same time
3605               (ideally only 1 or 0), and use less peak memory.
3606
3607            2. we minimize the frequency of instantiating timer instances. By waiting for the current
3608               active timer to expire first, on average, we get to start one timer per time limit
3609               (which is infrequent because time limits tend to be long) instead of one timer per
3610               VM entry (which tends to be frequent).
3611
3612            See Watchdog::startTimer().
3613
3614         * API/JSContextRef.cpp:
3615         (createWatchdogIfNeeded):
3616         (JSContextGroupClearExecutionTimeLimit):
3617         - No need to create the watchdog (if not already created) just to clear it.
3618           If the watchdog is not created yet, then it is effectively cleared.
3619
3620         * API/tests/ExecutionTimeLimitTest.cpp:
3621         (currentCPUTimeAsJSFunctionCallback):
3622         (testExecutionTimeLimit):
3623         (currentCPUTime): Deleted.
3624         * API/tests/testapi.c:
3625         (main):
3626         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
3627         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
3628         - Enable watchdog tests for all platforms.
3629
3630         * CMakeLists.txt:
3631         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3632         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3633         * JavaScriptCore.xcodeproj/project.pbxproj:
3634         - Remove now unneeded WatchdogMac.cpp and WatchdogNone.cpp.
3635
3636         * PlatformEfl.cmake:
3637
3638         * dfg/DFGByteCodeParser.cpp:
3639         (JSC::DFG::ByteCodeParser::parseBlock):
3640         * dfg/DFGSpeculativeJIT32_64.cpp:
3641         * dfg/DFGSpeculativeJIT64.cpp:
3642         * interpreter/Interpreter.cpp:
3643         (JSC::Interpreter::execute):
3644         (JSC::Interpreter::executeCall):
3645         (JSC::Interpreter::executeConstruct):
3646         * jit/JITOpcodes.cpp:
3647         (JSC::JIT::emit_op_loop_hint):
3648         (JSC::JIT::emitSlow_op_loop_hint):
3649         * jit/JITOperations.cpp:
3650         * llint/LLIntOffsetsExtractor.cpp:
3651         * llint/LLIntSlowPaths.cpp:
3652         * runtime/VM.cpp:
3653         - #include Watchdog.h in these files directly instead of doing it via VM.h.
3654           This saves us from having to recompile the world when we change Watchdog.h.
3655
3656         * runtime/VM.h:
3657         - See comment in Watchdog::startTimer() below for why the Watchdog needs to be
3658           thread-safe ref counted.
3659
3660         * runtime/VMEntryScope.cpp:
3661         (JSC::VMEntryScope::VMEntryScope):
3662         (JSC::VMEntryScope::~VMEntryScope):
3663         - We have done away with the WatchdogScope and arming/disarming of the watchdog.
3664           Instead, the VMEntryScope will inform the watchdog of when we have entered and
3665           exited the VM.
3666
3667         * runtime/Watchdog.cpp:
3668         (JSC::currentWallClockTime):
3669         (JSC::Watchdog::Watchdog):
3670         (JSC::Watchdog::hasStartedTimer):
3671         (JSC::Watchdog::setTimeLimit):
3672         (JSC::Watchdog::didFireSlow):
3673         (JSC::Watchdog::hasTimeLimit):
3674         (JSC::Watchdog::fire):
3675         (JSC::Watchdog::enteredVM):
3676         (JSC::Watchdog::exitedVM):
3677
3678         (JSC::Watchdog::startTimer):
3679         - The Watchdog is now thread-safe ref counted because the WorkQueue may access it
3680           (from a different thread) even after the VM shuts down.  We need to keep it
3681           alive until the WorkQueue callback completes.
3682
3683           In Watchdog::startTimer(), we'll ref the Watchdog to keep it alive for each
3684           WorkQueue callback we dispatch.  The callback will deref the Watchdog after it
3685           is done with it.  This ensures that the Watchdog is kept alive until all
3686           WorkQueue callbacks are done.
3687
3688         (JSC::Watchdog::stopTimer):
3689         (JSC::Watchdog::~Watchdog): Deleted.
3690         (JSC::Watchdog::didFire): Deleted.
3691         (JSC::Watchdog::isEnabled): Deleted.
3692         (JSC::Watchdog::arm): Deleted.
3693         (JSC::Watchdog::disarm): Deleted.
3694         (JSC::Watchdog::startCountdownIfNeeded): Deleted.
3695         (JSC::Watchdog::startCountdown): Deleted.
3696         (JSC::Watchdog::stopCountdown): Deleted.
3697         * runtime/Watchdog.h:
3698         (JSC::Watchdog::didFire):
3699         (JSC::Watchdog::timerDidFireAddress):
3700         (JSC::Watchdog::isArmed): Deleted.
3701         (JSC::Watchdog::Scope::Scope): Deleted.
3702         (JSC::Watchdog::Scope::~Scope): Deleted.
3703         * runtime/WatchdogMac.cpp:
3704         (JSC::Watchdog::initTimer): Deleted.
3705         (JSC::Watchdog::destroyTimer): Deleted.
3706         (JSC::Watchdog::startTimer): Deleted.
3707         (JSC::Watchdog::stopTimer): Deleted.
3708         * runtime/WatchdogNone.cpp:
3709         (JSC::Watchdog::initTimer): Deleted.
3710         (JSC::Watchdog::destroyTimer): Deleted.
3711         (JSC::Watchdog::startTimer): Deleted.
3712         (JSC::Watchdog::stopTimer): Deleted.
3713
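The scheduling rules in notes 2 to 4 of the entry above (CPU versus wall-clock deadlines, stale-wakeup filtering, and timer coalescing), as an added, deterministic JavaScript model. This is not WebKit code and not the Watchdog or WTF::WorkQueue API: FakeClock, FakeWorkQueue, WatchdogModel, newModel and the three scenario functions are names chosen for the model, the fake clock advances wall and CPU time only when a scenario says so, and dropping a wakeup that arrives after exitedVM() without re-arming is an assumption of the model rather than something the entry states.

```javascript
// Added example, not WebKit code: a deterministic model of the scheduling rules in notes
// 2 to 4 above. FakeClock, FakeWorkQueue and WatchdogModel are names chosen for this
// model, not the real Watchdog / WTF::WorkQueue API. Times are in microseconds.
const NO_DEADLINE = Infinity;

// Wall and CPU time advance only when a scenario says so (a descheduled thread
// shows up as wall time running ahead of CPU time).
class FakeClock {
  constructor() { this.wall = 0; this.cpu = 0; }
  advance(wallDelta, cpuDelta = wallDelta) { this.wall += wallDelta; this.cpu += cpuDelta; }
}

// Once queued, a timer cannot be cancelled, as in the entry.
class FakeWorkQueue {
  constructor(clock) { this.clock = clock; this.pending = []; this.dispatched = 0; }
  dispatchAfter(delay, callback) {
    this.dispatched += 1;
    this.pending.push({ dueAt: this.clock.wall + delay, callback });
  }
  runDue() { // deliver every timer that is due, earliest first
    this.pending.sort((a, b) => a.dueAt - b.dueAt);
    while (this.pending.length && this.pending[0].dueAt <= this.clock.wall)
      this.pending.shift().callback();
  }
}

class WatchdogModel {
  constructor(clock, queue) {
    this.clock = clock; this.queue = queue; this.timeLimit = NO_DEADLINE;
    this.cpuDeadline = NO_DEADLINE;       // CPU time point at which the watchdog fires
    this.wallClockDeadline = NO_DEADLINE; // wall time the active queued timer is due
    this.fired = false; this.staleWakeups = 0; this.handledWakeups = 0;
  }
  setTimeLimit(limit) { this.timeLimit = limit; }
  enteredVM() { if (this.timeLimit !== NO_DEADLINE) this.startTimer(this.timeLimit); }
  exitedVM() { this.cpuDeadline = NO_DEADLINE; } // the queued timer stays queued
  startTimer(budget) {
    this.cpuDeadline = this.clock.cpu + budget;
    const wallClockDeadline = this.clock.wall + budget;
    // Coalescing: an active timer due no later than this one already covers us;
    // when it fires, timerDidFire() re-arms for the difference (Td in the entry).
    if (this.clock.wall < this.wallClockDeadline && this.wallClockDeadline <= wallClockDeadline)
      return;
    this.wallClockDeadline = wallClockDeadline;
    this.queue.dispatchAfter(budget, () => this.timerDidFire());
  }
  timerDidFire() {
    // Stale wakeup: the active timer is not due yet, or no timer is active.
    if (this.clock.wall < this.wallClockDeadline) { this.staleWakeups += 1; return; }
    this.handledWakeups += 1;
    this.wallClockDeadline = NO_DEADLINE; // reject every later wakeup until re-armed
    if (this.cpuDeadline === NO_DEADLINE) return; // assumption: VM exited, just drop it
    if (this.clock.cpu >= this.cpuDeadline) { this.fired = true; return; }
    this.startTimer(this.cpuDeadline - this.clock.cpu); // CPU budget left: re-arm
  }
}

function newModel(limit) {
  const clock = new FakeClock(), queue = new FakeWorkQueue(clock);
  const wd = new WatchdogModel(clock, queue);
  wd.setTimeLimit(limit);
  return { clock, queue, wd };
}

// The figure in note 4: re-entering the VM while an earlier-expiring timer is
// still queued starts no second timer; the first one re-arms for the remainder.
function coalescingScenario() {
  const { clock, queue, wd } = newModel(100);
  wd.enteredVM();                      // t0 = 0: T1 due at 100
  clock.advance(10); wd.exitedVM();    // t1 = 10
  clock.advance(10); wd.enteredVM();   // t2 = 20: T2 (due 120) is covered by T1
  const timersAfterReentry = queue.dispatched;
  clock.advance(80); queue.runDue();   // T1 fires at 100 with 20us of CPU budget left
  const firedAtT1 = wd.fired;
  clock.advance(20); queue.runDue();   // the remainder timer fires at 120
  return { timersAfterReentry, firedAtT1, timers: queue.dispatched, fired: wd.fired };
}

// Note 2: the timer fires on wall time, but only 40us of CPU time were consumed.
function cpuVersusWallClockScenario() {
  const { clock, queue, wd } = newModel(100);
  wd.enteredVM();
  clock.advance(100, 40); queue.runDue(); // re-arms for the remaining 60us
  const firedEarly = wd.fired;
  clock.advance(60); queue.runDue();
  return { firedEarly, fired: wd.fired, timers: queue.dispatched };
}

// Note 3: shortening the limit leaves the old, uncancellable timer queued.
function staleWakeupScenario() {
  const { clock, queue, wd } = newModel(1000);
  wd.enteredVM();                      // T1 due at 1000
  clock.advance(10); wd.exitedVM();
  wd.setTimeLimit(100);
  clock.advance(10); wd.enteredVM();   // T2 due at 120
  clock.advance(100); queue.runDue();  // T2 fires the watchdog
  const firedByT2 = wd.fired;
  clock.advance(880); queue.runDue();  // T1 finally wakes up: stale, ignored
  return { firedByT2, handled: wd.handledWakeups, stale: wd.staleWakeups };
}
```

The point worth checking in any port of this design is the stale-wakeup test: because the queue's timers cannot be cancelled, a timer armed under an old, longer limit will still wake up later, and the only thing that stops it from being mistaken for the active one is the comparison against the current wall-clock deadline. The model counts handled and stale wakeups separately so that a change to that comparison shows up as a changed count rather than as a silent extra fire.
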
3714 2015-08-11  Filip Pizlo  <fpizlo@apple.com>
3715
3716         Always use a byte-sized lock implementation
3717         https://bugs.webkit.org/show_bug.cgi?id=147908
3718
3719         Reviewed by Geoffrey Garen.
3720
3721         * runtime/ConcurrentJITLock.h: Lock is now byte-sized and ByteLock is gone, so use Lock.
3722
3723 2015-08-11  Alexey Proskuryakov  <ap@apple.com>
3724
3725         Make ASan build not depend on asan.xcconfig
3726         https://bugs.webkit.org/show_bug.cgi?id=147840
3727         rdar://problem/21093702
3728
3729         Reviewed by Daniel Bates.
3730
3731         * dfg/DFGOSREntry.cpp:
3732         (JSC::DFG::OSREntryData::dump):
3733         (JSC::DFG::prepareOSREntry):
3734         * ftl/FTLOSREntry.cpp:
3735         (JSC::FTL::prepareOSREntry):
3736         * heap/ConservativeRoots.cpp:
3737         (JSC::ConservativeRoots::genericAddPointer):
3738         (JSC::ConservativeRoots::genericAddSpan):
3739         * heap/MachineStackMarker.cpp:
3740         (JSC::MachineThreads::removeThreadIfFound):
3741         (JSC::MachineThreads::gatherFromCurrentThread):
3742         (JSC::MachineThreads::Thread::captureStack):
3743         (JSC::copyMemory):
3744         * interpreter/Register.h:
3745         (JSC::Register::operator=):
3746         (JSC::Register::asanUnsafeJSValue):
3747         (JSC::Register::jsValue):
3748
3749 2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3750
3751         Introduce get_by_id like IC into get_by_val when the given name is String or Symbol
3752         https://bugs.webkit.org/show_bug.cgi?id=147480
3753
3754         Reviewed by Filip Pizlo.
3755
3756         This patch adds a get_by_id IC to the get_by_val operation by caching the string / symbol id.
3757         The IC site only caches one id. After checking that the given id is the same as the
3758         cached one, we perform the get_by_id IC onto it.
3759         And by collecting IC StructureStubInfo information, we pass it to the DFG, and the DFG
3760         compiles the get_by_val opcode into CheckIdent (with an edge type check) and GetById-related
3761         operations when the given get_by_val leverages the property load with the cached id.
3762
3763         To ensure the incoming value is the expected id, in the DFG layer, we use SymbolUse and
3764         StringIdentUse to enforce the type. To use it, this patch implements SymbolUse.
3765         This can be leveraged to optimize symbol operations in the DFG.
3766
3767         And since byValInfo is frequently used, we align the byValInfo design to the stubInfo-like one.
3768         It is allocated by the Bag, and operations take the raw byValInfo pointer directly instead of performing
3769         a binary search on m_byValInfos. And by storing ArrayProfile* under the ByValInfo, we replaced the
3770         ArrayProfile* argument in the operations with ByValInfo*.
3771
3772         * bytecode/ByValInfo.h:
3773         (JSC::ByValInfo::ByValInfo):
3774         * bytecode/CodeBlock.cpp:
3775         (JSC::CodeBlock::getByValInfoMap):
3776         (JSC::CodeBlock::addByValInfo):
3777         * bytecode/CodeBlock.h:
3778         (JSC::CodeBlock::getByValInfo): Deleted.
3779         (JSC::CodeBlock::setNumberOfByValInfos): Deleted.
3780         (JSC::CodeBlock::numberOfByValInfos): Deleted.
3781         (JSC::CodeBlock::byValInfo): Deleted.
3782         * bytecode/ExitKind.cpp:
3783         (JSC::exitKindToString):
3784         * bytecode/ExitKind.h:
3785         * bytecode/GetByIdStatus.cpp:
3786         (JSC::GetByIdStatus::computeFor):
3787         (JSC::GetByIdStatus::computeForStubInfo):
3788         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3789         * bytecode/GetByIdStatus.h:
3790         * dfg/DFGAbstractInterpreterInlines.h:
3791         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3792         * dfg/DFGByteCodeParser.cpp:
3793         (JSC::DFG::ByteCodeParser::parseBlock):
3794         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3795         * dfg/DFGClobberize.h:
3796         (JSC::DFG::clobberize):
3797         * dfg/DFGConstantFoldingPhase.cpp:
3798         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3799         * dfg/DFGDoesGC.cpp:
3800         (JSC::DFG::doesGC):
3801         * dfg/DFGFixupPhase.cpp:
3802         (JSC::DFG::FixupPhase::fixupNode):
3803         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3804         * dfg/DFGNode.h:
3805         (JSC::DFG::Node::hasUidOperand):
3806         (JSC::DFG::Node::uidOperand):
3807         * dfg/DFGNodeType.h:
3808         * dfg/DFGPredictionPropagationPhase.cpp:
3809         (JSC::DFG::PredictionPropagationPhase::propagate):
3810         * dfg/DFGSafeToExecute.h:
3811         (JSC::DFG::SafeToExecuteEdge::operator()):
3812         (JSC::DFG::safeToExecute):
3813         * dfg/DFGSpeculativeJIT.cpp:
3814         (JSC::DFG::SpeculativeJIT::compileCheckIdent):
3815         (JSC::DFG::SpeculativeJIT::speculateSymbol):
3816         (JSC::DFG::SpeculativeJIT::speculate):
3817         * dfg/DFGSpeculativeJIT.h:
3818         * dfg/DFGSpeculativeJIT32_64.cpp:
3819         (JSC::DFG::SpeculativeJIT::compile):
3820         * dfg/DFGSpeculativeJIT64.cpp:
3821         (JSC::DFG::SpeculativeJIT::compile):
3822         * dfg/DFGUseKind.cpp:
3823         (WTF::printInternal):
3824         * dfg/DFGUseKind.h:
3825         (JSC::DFG::typeFilterFor):
3826         (JSC::DFG::isCell):
3827         * ftl/FTLAbstractHeapRepository.h:
3828         * ftl/FTLCapabilities.cpp:
3829         (JSC::FTL::canCompile):
3830         * ftl/FTLLowerDFGToLLVM.cpp:
3831         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3832         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckIdent):
3833         (JSC::FTL::DFG::LowerDFGToLLVM::lowSymbol):
3834         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
3835         (JSC::FTL::DFG::LowerDFGToLLVM::isNotSymbol):
3836         (JSC::FTL::DFG::LowerDFGToLLVM::speculateSymbol):
3837         * jit/JIT.cpp:
3838         (JSC::JIT::privateCompile):
3839         * jit/JIT.h:
3840         (JSC::ByValCompilationInfo::ByValCompilationInfo):
3841         (JSC::JIT::compileGetByValWithCachedId):
3842         * jit/JITInlines.h:
3843         (JSC::JIT::callOperation):
3844         * jit/JITOpcodes.cpp:
3845         (JSC::JIT::emit_op_has_indexed_property):
3846         (JSC::JIT::emitSlow_op_has_indexed_property):
3847         * jit/JITOpcodes32_64.cpp:
3848         (JSC::JIT::emit_op_has_indexed_property):
3849         (JSC::JIT::emitSlow_op_has_indexed_property):
3850         * jit/JITOperations.cpp:
3851         (JSC::getByVal):
3852         * jit/JITOperations.h:
3853         * jit/JITPropertyAccess.cpp:
3854         (JSC::JIT::emit_op_get_by_val):
3855         (JSC::JIT::emitGetByValWithCachedId):
3856         (JSC::JIT::emitSlow_op_get_by_val):
3857         (JSC::JIT::emit_op_put_by_val):
3858         (JSC::JIT::emitSlow_op_put_by_val):
3859         (JSC::JIT::privateCompileGetByVal):
3860         (JSC::JIT::privateCompileGetByValWithCachedId):
3861         * jit/JITPropertyAccess32_64.cpp:
3862         (JSC::JIT::emit_op_get_by_val):
3863         (JSC::JIT::emitGetByValWithCachedId):
3864         (JSC::JIT::emitSlow_op_get_by_val):
3865         (JSC::JIT::emit_op_put_by_val):
3866         (JSC::JIT::emitSlow_op_put_by_val):
3867         * runtime/Symbol.h:
3868         * tests/stress/get-by-val-with-string-constructor.js: Added.
3869         (Hello):
3870         (get Hello.prototype.generate):
3871         (ok):
3872         * tests/stress/get-by-val-with-string-exit.js: Added.
3873         (shouldBe):
3874         (getByVal):
3875         (getStr1):
3876         (getStr2):
3877         * tests/stress/get-by-val-with-string-generated.js: Added.
3878         (shouldBe):
3879         (getByVal):
3880         (getStr1):
3881         (getStr2):
3882         * tests/stress/get-by-val-with-string-getter.js: Added.
3883         (object.get hello):
3884         (ok):
3885         * tests/stress/get-by-val-with-string.js: Added.
3886         (shouldBe):
3887         (getByVal):
3888         (getStr1):
3889         (getStr2):
3890         * tests/stress/get-by-val-with-symbol-constructor.js: Added.
3891         (Hello):
3892         (get Hello.prototype.generate):
3893         (ok):
3894         * tests/stress/get-by-val-with-symbol-exit.js: Added.
3895         (shouldBe):
3896         (getByVal):
3897         (getSym1):
3898         (getSym2):
3899         * tests/stress/get-by-val-with-symbol-getter.js: Added.
3900         (object.get hello):
3901         (.get ok):
3902         * tests/stress/get-by-val-with-symbol.js: Added.
3903         (shouldBe):
3904         (getByVal):
3905         (getSym1):
3906         (getSym2):
3907
3908 2015-08-11  Filip Pizlo  <fpizlo@apple.com>
3909
3910         DFG::ByteCodeParser shouldn't call tryGetConstantProperty() with some StructureSet if it isn't checking that the base has a structure in that StructureSet
3911         https://bugs.webkit.org/show_bug.cgi?id=147891
3912         rdar://problem/22129447
3913