ES6 class syntax should allow static setters and getters
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 class syntax should allow static setters and getters
        https://bugs.webkit.org/show_bug.cgi?id=143180

        Reviewed by Filip Pizlo

        Apparently I misread the spec when I initially implemented parseClass.
        ES6 class syntax allows static getters and setters so just allow that.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-03-31  Filip Pizlo  <fpizlo@apple.com>

        PutClosureVar CSE def() rule has a wrong base
        https://bugs.webkit.org/show_bug.cgi?id=143280

        Reviewed by Michael Saboff.

        I think that this code was incorrect in a benign way, since the base of a
        PutClosureVar is not a JS-visible object. But it was preventing some optimizations.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182200.
        https://bugs.webkit.org/show_bug.cgi?id=143279

        Probably causing assertion extravaganza on bots. (Requested by
        kling on #webkit).

        Reverted changeset:

        "Logically empty WeakBlocks should not pin down their
        MarkedBlocks indefinitely."
        https://bugs.webkit.org/show_bug.cgi?id=143210
        http://trac.webkit.org/changeset/182200

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up Identifier factories to clarify the meaning of StringImpl*
        https://bugs.webkit.org/show_bug.cgi?id=143146

        Reviewed by Filip Pizlo.

        In a lot of places, `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
        However, it's ambiguous because `StringImpl*` has 2 different meanings.
        1) normal string, it is replaceable with `WTFString` and
        2) `uid`, which holds `isSymbol` information to represent Symbols.
        So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
        + `Identifier::fromString(VM*/ExecState*, const String&)`.
        Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
        + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
        This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.

        And to clean up `StringImpl` which is used as uid,
        we introduce `StringKind` into `StringImpl`. There are 3 kinds
        1. StringNormal (non-atomic, non-symbol)
        2. StringAtomic (atomic, non-symbol)
        3. StringSymbol (non-atomic, symbol)
        They are mutually exclusive. And the (atomic, symbol) case should not exist.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        (JSC::BytecodeGenerator::emitEnumeration):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        (functionRun):
        (runWithScripts):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::createBindingPattern):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        (JSC::IdentifierArena::makeNumericIdentifier):
        * runtime/ArgumentsIteratorPrototype.cpp:
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncPush):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::hasErrorInfo):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/Identifier.h:
        (JSC::Identifier::isSymbol):
        (JSC::Identifier::Identifier):
        (JSC::Identifier::from): Deleted.
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::fromUid):
        (JSC::Identifier::fromString):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        (JSC::makeIdentifier):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::makeIdentifier):
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::addKnownUnique):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/SymbolConstructor.cpp:
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):

2015-03-31  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
        https://bugs.webkit.org/show_bug.cgi?id=142883

        Reviewed by Filip Pizlo.

        The crash was caused by eval inside the constructor of a derived class not checking TDZ.

        Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
        in eval inside a derived class' constructor.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::thisExpr):
        * parser/NodeConstructors.h:
        (JSC::ThisNode::ThisNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::thisExpr):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
        * tests/stress/class-syntax-tdz-in-eval.js: Added.

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182186.
        https://bugs.webkit.org/show_bug.cgi?id=143270

        it crashes all the WebGL tests on the Debug bots (Requested by
        dino on #webkit).

        Reverted changeset:

        "Web Inspector: add 2D/WebGL canvas instrumentation
        infrastructure"
        https://bugs.webkit.org/show_bug.cgi?id=137278
        http://trac.webkit.org/changeset/182186

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
        https://bugs.webkit.org/show_bug.cgi?id=142937

        Reviewed by Darin Adler.

        In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
        In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
        But now, several functions perform ToObject onto a non-object parameter.
        And others behave as if a parameter is a non-extensible ordinary object with no own properties.
        It is described in ES6 Annex E.
        Functions that differ from ES5 are the following.

        1. An attempt is made to coerce the argument using ToObject.
            Object.getOwnPropertyDescriptor
            Object.getOwnPropertyNames
            Object.getPrototypeOf
            Object.keys

        2. Treated as if it was a non-extensible ordinary object with no own properties.
            Object.freeze
            Object.isExtensible
            Object.isFrozen
            Object.isSealed
            Object.preventExtensions
            Object.seal

        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        * tests/stress/object-freeze-accept-non-object.js: Added.
        * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
        (canary):
        * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
        * tests/stress/object-is-extensible-accept-non-object.js: Added.
        * tests/stress/object-is-frozen-accept-non-object.js: Added.
        * tests/stress/object-is-sealed-accept-non-object.js: Added.
        * tests/stress/object-keys-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
        * tests/stress/object-seal-accept-non-object.js: Added.

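The two groups of Object.* functions listed in the entry above, probed with non-object arguments in an added JavaScript example (this is not code from the ChangeLog or from the JSC stress tests; the helper names `outcome` and `probeObjectFunctions` are invented). It runs on any ES6-capable engine.

```javascript
// Added example, not code from the WebKit ChangeLog: exercises the ES6 Annex E
// relaxation described in the entry above on an ES6-capable engine.
// The helper names (outcome, probeObjectFunctions) are invented for this example.

// Run fn and report either its return value or the constructor name of the
// error it throws, so both groups can be compared in one result table.
function outcome(fn) {
    try {
        return fn();
    } catch (e) {
        return "throws " + e.constructor.name;
    }
}

function probeObjectFunctions() {
    return {
        // Group 1: ToObject is applied to the argument. A primitive is wrapped
        // (in ES5 every one of these calls threw a TypeError); null and
        // undefined still throw, because ToObject rejects them.
        keysOfString: outcome(() => Object.keys("ab")),                        // ["0", "1"]
        ownNamesOfString: outcome(() => Object.getOwnPropertyNames("ab")),     // ["0", "1", "length"]
        protoOfNumberIsNumberPrototype:
            outcome(() => Object.getPrototypeOf(1) === Number.prototype),      // true
        lengthDescriptorOfString:
            outcome(() => Object.getOwnPropertyDescriptor("ab", "length").value), // 2
        keysOfUndefined: outcome(() => Object.keys(undefined)),                // "throws TypeError"

        // Group 2: a non-object is treated as a non-extensible ordinary object
        // with no own properties, so the mutators hand the value back unchanged
        // and the predicates answer as they would for such an object. No
        // ToObject conversion happens here, so even null and undefined are
        // accepted instead of throwing.
        freezeOfNumber: outcome(() => Object.freeze(1)),                       // 1
        sealOfNull: outcome(() => Object.seal(null)),                          // null
        preventExtensionsOfBool: outcome(() => Object.preventExtensions(true)), // true
        isExtensibleOfNumber: outcome(() => Object.isExtensible(1)),           // false
        isFrozenOfString: outcome(() => Object.isFrozen("ab")),                // true
        isSealedOfUndefined: outcome(() => Object.isSealed(undefined)),        // true
    };
}
```
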
2015-03-31  Matt Baker  <mattbaker@apple.com>

        Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
        https://bugs.webkit.org/show_bug.cgi?id=137278

        Reviewed by Timothy Hatcher.

        Added Canvas protocol which defines types used by InspectorCanvasAgent.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.

2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>

        Extending null should set __proto__ to null
        https://bugs.webkit.org/show_bug.cgi?id=142882

        Reviewed by Geoffrey Garen and Benjamin Poulain.

        Set Derived.prototype.__proto__ to null when extending null.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):

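The three class-syntax behaviours described in the entries above (static getters and setters in parseClass, the TDZ check for "this" in eval inside a derived class constructor, and extending null setting Derived.prototype.__proto__ to null), checked together in one added JavaScript example; this is not code from the ChangeLog or the JSC stress tests, and the class and function names (Counter, Nothing, Base, EvalBeforeSuper, EvalAfterSuper, tdzError, probeClassSemantics) are invented.

```javascript
// Added example, not code from the WebKit ChangeLog: checks the three ES6 class
// behaviours the entries above describe, on any ES6-capable engine.
// All names below are invented for this example.

// 1. Static getters and setters are legal members of a class body.
let storedCount = 0;
class Counter {
    static get count() { return storedCount; }
    static set count(v) { storedCount = v; }
}

// 2. "extends null" makes Derived.prototype's [[Prototype]] null.
class Nothing extends null {}

// 3. In a derived class constructor, `this` is in its temporal dead zone (TDZ)
//    until super() returns. A direct eval("this.foo") issued before super()
//    must throw a ReferenceError instead of reading an uninitialized slot.
class Base { constructor() { this.foo = "ready"; } }

class EvalBeforeSuper extends Base {
    constructor() {
        eval("this.foo");   // TDZ violation: ReferenceError expected
        super();
    }
}

class EvalAfterSuper extends Base {
    constructor() {
        super();
        this.seen = eval("this.foo");   // `this` is initialized now
    }
}

// Construct an instance and report which error class, if any, escapes.
function tdzError(ctor) {
    try {
        new ctor();
        return null;
    } catch (e) {
        return e instanceof ReferenceError ? "ReferenceError" : e.constructor.name;
    }
}

function probeClassSemantics() {
    Counter.count = 41;
    Counter.count = Counter.count + 1;
    return {
        staticAccessor: Counter.count,                                  // 42
        nullProtoChain: Object.getPrototypeOf(Nothing.prototype) === null, // true
        evalBeforeSuper: tdzError(EvalBeforeSuper),                     // "ReferenceError"
        evalAfterSuper: tdzError(EvalAfterSuper),                       // null (no error)
        valueSeenAfterSuper: new EvalAfterSuper().seen,                 // "ready"
    };
}
```
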
2015-03-30  Mark Lam  <mark.lam@apple.com>

        REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
        <https://webkit.org/b/143105>

        Reviewed by Filip Pizlo.

        With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
        on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
        JIT frames that may have their scope register not set.  The Debugger's current implementation
        which relies on the scope register is not happy about this.  For example, this results in a
        crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.

        The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
        ensure that the scope register value is flushed to the register in the stack frame.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::flush):
        - Add code to flush the scope register.
        (JSC::DFG::ByteCodeParser::inliningCost):
        - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
          disabling inlining whenever the debugger is in use.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasDebuggerEnabled):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.

2015-03-30  Michael Saboff  <msaboff@apple.com>

        Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=138391

        Reviewed by Mark Lam.

        Re-enabling these tests as I can't get them to fail on local iOS test devices.
        There have been many changes since these tests were disabled.
        I'll watch automated test results for failures.  If there are failures running automated
        testing, it might be due to the device's relative CPU performance.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Regression: Preview for [[null]] shouldn't be []
        https://bugs.webkit.org/show_bug.cgi?id=143208

        Reviewed by Mark Lam.

        * inspector/InjectedScriptSource.js:
        Handle null when generating simple object previews.

2015-03-30  Per Arne Vollan  <peavo@outlook.com>

        Avoid using hardcoded values for JSValue::Int32Tag, if possible.
        https://bugs.webkit.org/show_bug.cgi?id=143134

        Reviewed by Geoffrey Garen.

        * jit/JSInterfaceJIT.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2015-03-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
        https://bugs.webkit.org/show_bug.cgi?id=143104

        Reviewed by Geoffrey Garen.

        Created a test that is a 100% repro of the flaky failure. This test is called
        get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
        always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
        the inlined function. Other than that, it's the same as inline-arguments-local-escape.

        Also created three more tests for three similar, but not identical, failures.

        Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
        only reading those parts of the stack that are relevant to the current semantic code origin.
        That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
        like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
        read parts of the stack associated with the inline call frame for the phantom arguments. This
        may not be subsumed by the current semantic origin's stack area in cases that the arguments
        were allowed to "locally" escape.

        The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
        is not really a meaningful concept anymore. It is only meaningful for nodes that will read
        the stack due to function.arguments, but there are a bunch of other ways that we could also
        read the stack and those operations may read any stack slot. I believe that this change makes
        PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
        on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
        readTop() in PreciseLocalClobberize does the right thing.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
        * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.

2015-03-30  Benjamin Poulain  <benjamin@webkit.org>

        Start the features.json files
        https://bugs.webkit.org/show_bug.cgi?id=143207

        Reviewed by Darin Adler.

        Start the features.json files to have something to experiment
        with for the UI.

        * features.json: Added.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Addressing post-review comment after r182122
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Unreviewed.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Allow building JavaScriptCore without Cygwin
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Reviewed by Brent Fulgham.

        Paths like /usr/bin/ don't exist on Windows.
        Hashbangs don't work on Windows. Instead we must explicitly call the executable.
        Prefixing commands with environment variables doesn't work on Windows.
        Windows doesn't have 'cmp'.
        Windows uses 'del' instead of 'rm'.
        Windows uses 'type NUL' instead of 'touch'.

        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
        * JavaScriptCore.vcxproj/build-generated-files.pl:
        * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.

2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>

        Clean up JavaScriptCore/builtins
        https://bugs.webkit.org/show_bug.cgi?id=143177

        Reviewed by Ryosuke Niwa.

        * builtins/ArrayConstructor.js:
        (from):
        - We can compare to undefined instead of using a typeof undefined check.
        - Converge on double quoted strings everywhere.

        * builtins/ArrayIterator.prototype.js:
        (next):
        * builtins/StringIterator.prototype.js:
        (next):
        - Use shorthand object construction to avoid duplication.
        - Improve grammar in error messages.

        * tests/stress/array-iterators-next-with-call.js:
        * tests/stress/string-iterators.js:
        - Update for new error message strings.

2015-03-28  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: ES6: Better support for Symbol types in Type Profiler
        https://bugs.webkit.org/show_bug.cgi?id=141257

        Reviewed by Joseph Pecoraro.

        ES6 introduces the new primitive type Symbol. This patch makes JSC's
        type profiler support this new primitive type.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * inspector/protocol/Runtime.json:
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        * runtime/RuntimeType.h:
        (JSC::runtimeTypeIsPrimitive):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::doesTypeConformTo):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::TypeSet::toJSONString):
        * runtime/TypeSet.h:
        (JSC::TypeSet::seenTypes):
        * tests/typeProfiler/driver/driver.js:
        * tests/typeProfiler/symbol.js: Added.
        (wrapper.foo):
        (wrapper.bar):
        (wrapper.bar.bar.baz):
        (wrapper):

2015-03-27  Saam Barati  <saambarati1@gmail.com>

        Deconstruction parameters are bound too late
        https://bugs.webkit.org/show_bug.cgi?id=143148

        Reviewed by Filip Pizlo.

        Currently, a deconstruction pattern named with the same
        name as a function will shadow the function. This is
        wrong. It should be the other way around.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):

2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
        https://bugs.webkit.org/show_bug.cgi?id=143170

        Reviewed by Benjamin Poulain.

        Assert that we never use 16-bit version of the parser to parse a default constructor
        since both base and derived default constructors should be using an 8-bit string.

        * parser/Parser.h:
        (JSC::parse):

2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
        https://bugs.webkit.org/show_bug.cgi?id=142862

        Reviewed by Benjamin Poulain.

        Add a test that used to fail in DFG now that the bug has been fixed by r181993.

        * tests/stress/class-syntax-derived-default-constructor.js: Added.

2015-03-27  Michael Saboff  <msaboff@apple.com>

        load8Signed() and load16Signed() should be renamed to avoid confusion
        https://bugs.webkit.org/show_bug.cgi?id=143168

        Reviewed by Benjamin Poulain.

        Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM::load8Signed): Deleted.
        (JSC::MacroAssemblerARM::load16Signed): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load16Signed): Deleted.
        (JSC::MacroAssemblerARM64::load8Signed): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
        (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
        (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load16):
        (JSC::MacroAssemblerSH4::load8Signed): Deleted.
        (JSC::MacroAssemblerSH4::load16Signed): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
        (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * jit/JITPropertyAccess.cpp:
718         (JSC::JIT::emitIntTypedArrayGetByVal):
719
720 2015-03-27  Michael Saboff  <msaboff@apple.com>
721
722         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
723         https://bugs.webkit.org/show_bug.cgi?id=138390
724
725         Reviewed by Mark Lam.
726
727         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
728         instead of 64 bits.  This is what X86-64 does.
729
730         * assembler/MacroAssemblerARM64.h:
731         (JSC::MacroAssemblerARM64::load16Signed):
732         (JSC::MacroAssemblerARM64::load8Signed):
733
734 2015-03-27  Saam Barati  <saambarati1@gmail.com>
735
736         Add back previously broken assert from bug 141869
737         https://bugs.webkit.org/show_bug.cgi?id=143005
738
739         Reviewed by Michael Saboff.
740
741         * runtime/ExceptionHelpers.cpp:
742         (JSC::invalidParameterInSourceAppender):
743
744 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
745
746         Make some more objects use FastMalloc
747         https://bugs.webkit.org/show_bug.cgi?id=143122
748
749         Reviewed by Csaba Osztrogonác.
750
751         * API/JSCallbackObject.h:
752         * heap/IncrementalSweeper.h:
753         * jit/JITThunks.h:
754         * runtime/JSGlobalObjectDebuggable.h:
755         * runtime/RegExpCache.h:
756
757 2015-03-27  Michael Saboff  <msaboff@apple.com>
758
759         Objects with numeric properties intermittently get a phantom 'length' property
760         https://bugs.webkit.org/show_bug.cgi?id=142792
761
762         Reviewed by Csaba Osztrogonác.
763
764         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
765         test and branch instructions.  This function is used for linking tbz/tbnz branches between
766         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
767         the failure case checks in the GetById array length stub created for "obj.length" access.
768         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
769         being set when we should have been looking for bit 0.
770
771         * assembler/ARM64Assembler.h:
772         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
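
A reconstruction of the decode described above, added here as an example and not WebKit's ARM64Assembler code: encodeTestAndBranch, isTestAndBranch, decodeTestAndBranch and decodeTestAndBranchWithTypo are constructed names, and since the page does not show where in disassembleTestAndBranchImmediate the stray `>` sat, placing it in the extraction of the b40 field is an assumption. The field layout is the ARMv8-A TBZ/TBNZ encoding.

```javascript
// Added example (not WebKit code): AArch64 TBZ/TBNZ field encoding and decoding,
// with the "> instead of >>" typo reproduced beside the intended shift.
//
// "Test bit and branch" encoding (ARMv8-A):
//   bit 31      b5     high bit of the tested bit number
//   bits 30-25  011011
//   bit 24      op     0 = TBZ, 1 = TBNZ
//   bits 23-19  b40    low five bits of the tested bit number
//   bits 18-5   imm14  signed word offset of the branch target
//   bits 4-0    Rt     register under test
// All arithmetic is on 32-bit values; `>>> 0` keeps results unsigned.

function encodeTestAndBranch(isTbnz, bitNumber, offsetBytes, rt) {
  const b5 = (bitNumber >>> 5) & 1;
  const b40 = bitNumber & 0x1f;
  const imm14 = (offsetBytes >> 2) & 0x3fff;          // two's complement, 14 bits
  return ((b5 << 31) | (0x1b << 25) | ((isTbnz ? 1 : 0) << 24) |
          (b40 << 19) | (imm14 << 5) | (rt & 0x1f)) >>> 0;
}

// True when bits 30-25 carry the TBZ/TBNZ opcode pattern 011011.
function isTestAndBranch(insn) {
  return ((insn >>> 25) & 0x3f) === 0x1b;
}

// Intended decode: the b40 field is shifted down to bit 0 before masking.
function decodeTestAndBranch(insn) {
  if (!isTestAndBranch(insn)) throw new RangeError("not a TBZ/TBNZ instruction");
  const imm14 = (insn >>> 5) & 0x3fff;
  return {
    isTbnz: ((insn >>> 24) & 1) === 1,
    bitNumber: (((insn >>> 31) & 1) << 5) | ((insn >>> 19) & 0x1f),
    offsetBytes: ((imm14 << 18) >> 18) * 4,            // sign-extend 14 bits
    rt: insn & 0x1f,
  };
}

// The typo, as assumed here: `insn > 19` is a comparison, so it yields 0 or 1
// regardless of the field's contents. Every real instruction word is greater
// than 19, so the low five bits always decode as 1, and an instruction that
// tests bit 0 is reported as testing bit 1.
function decodeTestAndBranchWithTypo(insn) {
  if (!isTestAndBranch(insn)) throw new RangeError("not a TBZ/TBNZ instruction");
  const imm14 = (insn >>> 5) & 0x3fff;
  return {
    isTbnz: ((insn >>> 24) & 1) === 1,
    bitNumber: (((insn >>> 31) & 1) << 5) | ((insn > 19 ? 1 : 0) & 0x1f),
    offsetBytes: ((imm14 << 18) >> 18) * 4,
    rt: insn & 0x1f,
  };
}
```

Encoding a backward `tbz x3, #0, -8` and decoding it both ways shows the mismatch directly: the correct decoder reports bit 0 and an offset of -8 bytes, the typo variant reports bit 1 for the same word.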
773
774 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
775
776         Insert exception check around toPropertyKey call
777         https://bugs.webkit.org/show_bug.cgi?id=142922
778
779         Reviewed by Geoffrey Garen.
780
781         In some places, an exception check is missing after/before toPropertyKey.
782         However, since it calls toString, it's observable to users.
783
784         Missing exception checks in Object.prototype methods can be
785         observed since it would be overridden with toObject(null/undefined) errors.
786         We inserted exception checks after toPropertyKey.
787
788         Missing exception checks in GetById related code can be
789         observed since it would be overridden with toObject(null/undefined) errors.
790         In this case, we need to insert exception checks before/after toPropertyKey
791         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
792
793         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
794         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
795         According to the spec, we first perform RequireObjectCoercible and check the exception.
796         And second, we perform ToPropertyKey and check the exception.
797         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
798         For example, if the target is not object coercible,
799         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
800         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
801
802         This patch introduces JSValue::requireObjectCoercible and uses it for the following 2 reasons.
803
804         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
805
806         toObject converts primitive types into wrapper objects.
807         But it is not efficient since wrapper objects are not necessary
808         if we look up methods from primitive values' prototype (using synthesizePrototype is better).
809
810         2. Using the result of toObject is not correct to the spec.
811
812         To align to the spec correctly, we cannot use JSObject::get
813         by using the wrapper object produced by the toObject suggested in (1).
814         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
815         It is not correct since getter should be called with the original |this| value that may be primitive types.
816
817         So in this patch, we use JSValue::requireObjectCoercible
818         to check the target is object coercible and raise an error if it's not.
819
820         * dfg/DFGOperations.cpp:
821         * jit/JITOperations.cpp:
822         (JSC::getByVal):
823         * llint/LLIntSlowPaths.cpp:
824         (JSC::LLInt::getByVal):
825         * runtime/CommonSlowPaths.cpp:
826         (JSC::SLOW_PATH_DECL):
827         * runtime/JSCJSValue.h:
828         * runtime/JSCJSValueInlines.h:
829         (JSC::JSValue::requireObjectCoercible):
830         * runtime/ObjectPrototype.cpp:
831         (JSC::objectProtoFuncHasOwnProperty):
832         (JSC::objectProtoFuncDefineGetter):
833         (JSC::objectProtoFuncDefineSetter):
834         (JSC::objectProtoFuncLookupGetter):
835         (JSC::objectProtoFuncLookupSetter):
836         (JSC::objectProtoFuncPropertyIsEnumerable):
837         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
838         (shouldThrow):
839         (if):
840         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
841         (shouldThrow):
842         (.):
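
The ordering the entry above describes, probed from script as an added example that is not part of the WebKit ChangeLog, its tests, or JavaScriptCore's own code: KeyError, probeKey, runAndLog, observeGetByVal, observeHasOwnProperty and thisTypeSeenByGetter are constructed here. It shows the three observable points the entry makes: a null or undefined base of `base[key]` throws TypeError before the key's toString can run; Object.prototype.hasOwnProperty converts the key first, so an error thrown by toString must not be replaced by the toObject(null) TypeError; and a getter reached through a primitive sees the primitive itself as `this`. It goes slightly beyond the entry by making the opposite spec order of bracket access and hasOwnProperty explicit.

```javascript
// Added example (not WebKit code): probing from script the observable order of
// RequireObjectCoercible and ToPropertyKey that the ChangeLog entry describes.

// Constructed marker error so "toString threw" is distinguishable from TypeError.
class KeyError extends Error {}

// A property key that records when its toString runs and, if asked, throws.
function probeKey(log, shouldThrow) {
  return {
    toString() {
      log.push("toString");
      if (shouldThrow) throw new KeyError("thrown from toString");
      return "probe";
    },
  };
}

// Runs `action`, appending "ok" or the thrown error's class name to `log`.
function runAndLog(log, action) {
  try {
    action();
    log.push("ok");
  } catch (e) {
    log.push(e.constructor.name);
  }
  return log;
}

// `base[key]`: the spec runs RequireObjectCoercible(base) before
// ToPropertyKey(key), so a null/undefined base must throw TypeError without
// the key's toString ever running.
function observeGetByVal(base) {
  const log = [];
  const key = probeKey(log, false);
  return runAndLog(log, () => { base[key]; });
}

// Object.prototype.hasOwnProperty(V): here ToPropertyKey(V) runs first and
// ToObject(this) second, so an error thrown by toString must surface as is
// and not be overridden by the toObject(null) TypeError the entry mentions.
function observeHasOwnProperty(base) {
  const log = [];
  const key = probeKey(log, true);
  return runAndLog(log, () => Object.prototype.hasOwnProperty.call(base, key));
}

// Point 2 of the entry: a getter looked up through a primitive base must be
// called with the primitive as `this`, not a wrapper object. A strict-mode
// getter exposes the difference through typeof. The property is installed on
// String.prototype under a fresh Symbol and removed again afterwards.
function thisTypeSeenByGetter() {
  const key = Symbol("probe");
  Object.defineProperty(String.prototype, key, {
    configurable: true,
    get() { "use strict"; return typeof this; },
  });
  try {
    return "abc"[key];
  } finally {
    delete String.prototype[key];
  }
}
```

Each probe returns the ordered list of what a script could observe, so an engine that runs toString before the coercibility check, or that lets a later TypeError mask the toString error, produces a visibly different list.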
843
844 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
845
846         WebContent Crash when instantiating class with Type Profiling enabled
847         https://bugs.webkit.org/show_bug.cgi?id=143037
848
849         Reviewed by Ryosuke Niwa.
850
851         * bytecompiler/BytecodeGenerator.h:
852         * bytecompiler/BytecodeGenerator.cpp:
853         (JSC::BytecodeGenerator::BytecodeGenerator):
854         (JSC::BytecodeGenerator::emitMoveEmptyValue):
855         We cannot profile the type of an uninitialized empty JSValue.
856         Nor do we expect this to be necessary, since it is effectively
857         an unseen undefined value. So add a way to put the empty value
858         without profiling.
859
860         (JSC::BytecodeGenerator::emitMove):
861         Add an assert to try to catch this issue early on, and force
862         callers to explicitly use emitMoveEmptyValue instead.
863
864         * tests/typeProfiler/classes.js: Added.
865         (wrapper.Base):
866         (wrapper.Derived):
867         (wrapper):
868         Add test coverage both for this case and classes in general.
869
870 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
871
872         Web Inspector: ES6: Provide a better view for Classes in the console
873         https://bugs.webkit.org/show_bug.cgi?id=142999
874
875         Reviewed by Timothy Hatcher.
876
877         * inspector/protocol/Runtime.json:
878         Provide a new `subtype` enum "class". This is a subtype of `type`
879         "function", all other subtypes are subtypes of `object` types.
880         For a class, the frontend will immediately want to get the prototype
881         to enumerate its methods, so include the `classPrototype`.
882
883         * inspector/JSInjectedScriptHost.cpp:
884         (Inspector::JSInjectedScriptHost::subtype):
885         Denote class construction functions as "class" subtypes.
886
887         * inspector/InjectedScriptSource.js:
888         Handling for the new "class" type.
889
890         * bytecode/UnlinkedCodeBlock.h:
891         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
892         * runtime/Executable.h:
893         (JSC::FunctionExecutable::isClassConstructorFunction):
894         * runtime/JSFunction.h:
895         * runtime/JSFunctionInlines.h:
896         (JSC::JSFunction::isClassConstructorFunction):
897         Check if this function is a class constructor function. That information
898         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
899
900 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
901
902         Function.prototype.toString should not decompile the AST
903         https://bugs.webkit.org/show_bug.cgi?id=142853
904
905         Reviewed by Darin Adler.
906
907         Following up on Darin's review comments.
908
909         * runtime/FunctionConstructor.cpp:
910         (JSC::constructFunctionSkippingEvalEnabledCheck):
911
912 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
913
914         "lineNo" does not match WebKit coding style guidelines
915         https://bugs.webkit.org/show_bug.cgi?id=143119
916
917         Reviewed by Michael Saboff.
918
919         We can afford to use whole words.
920
921         * bytecode/CodeBlock.cpp:
922         (JSC::CodeBlock::lineNumberForBytecodeOffset):
923         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
924         * bytecode/UnlinkedCodeBlock.cpp:
925         (JSC::UnlinkedFunctionExecutable::link):
926         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
927         * bytecode/UnlinkedCodeBlock.h:
928         * bytecompiler/NodesCodegen.cpp:
929         (JSC::WhileNode::emitBytecode):
930         * debugger/Debugger.cpp:
931         (JSC::Debugger::toggleBreakpoint):
932         * interpreter/Interpreter.cpp:
933         (JSC::StackFrame::computeLineAndColumn):
934         (JSC::GetStackTraceFunctor::operator()):
935         (JSC::Interpreter::execute):
936         * interpreter/StackVisitor.cpp:
937         (JSC::StackVisitor::Frame::computeLineAndColumn):
938         * parser/Nodes.h:
939         (JSC::Node::firstLine):
940         (JSC::Node::lineNo): Deleted.
941         (JSC::StatementNode::firstLine): Deleted.
942         * parser/ParserError.h:
943         (JSC::ParserError::toErrorObject):
944         * profiler/LegacyProfiler.cpp:
945         (JSC::createCallIdentifierFromFunctionImp):
946         * runtime/CodeCache.cpp:
947         (JSC::CodeCache::getGlobalCodeBlock):
948         * runtime/Executable.cpp:
949         (JSC::ScriptExecutable::ScriptExecutable):
950         (JSC::ScriptExecutable::newCodeBlockFor):
951         (JSC::FunctionExecutable::fromGlobalCode):
952         * runtime/Executable.h:
953         (JSC::ScriptExecutable::firstLine):
954         (JSC::ScriptExecutable::setOverrideLineNumber):
955         (JSC::ScriptExecutable::hasOverrideLineNumber):
956         (JSC::ScriptExecutable::overrideLineNumber):
957         (JSC::ScriptExecutable::lineNo): Deleted.
958         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
959         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
960         (JSC::ScriptExecutable::overrideLineNo): Deleted.
961         * runtime/FunctionConstructor.cpp:
962         (JSC::constructFunctionSkippingEvalEnabledCheck):
963         * runtime/FunctionConstructor.h:
964         * tools/CodeProfile.cpp:
965         (JSC::CodeProfile::report):
966         * tools/CodeProfile.h:
967         (JSC::CodeProfile::CodeProfile):
968
969 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
970
971         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
972         https://bugs.webkit.org/show_bug.cgi?id=142974
973
974         Reviewed by Joseph Pecoraro.
975
976         This patch does two things:
977
978         (1) Restore JavaScriptCore's sanitization of line and column numbers to
979         one-based values.
980
981         We need this because WebCore sometimes provides huge negative column
982         numbers.
983
984         (2) Solve the attribute event listener line numbering problem a different
985         way: Rather than offsetting all line numbers by -1 in an attribute event
986         listener in order to arrange for a custom result, instead use an explicit
987         feature for saying "all errors in this code should map to this line number".
988
989         * bytecode/UnlinkedCodeBlock.cpp:
990         (JSC::UnlinkedFunctionExecutable::link):
991         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
992         * bytecode/UnlinkedCodeBlock.h:
993         * interpreter/Interpreter.cpp:
994         (JSC::StackFrame::computeLineAndColumn):
995         (JSC::GetStackTraceFunctor::operator()):
996         * interpreter/Interpreter.h:
997         * interpreter/StackVisitor.cpp:
998         (JSC::StackVisitor::Frame::computeLineAndColumn):
999         * parser/ParserError.h:
1000         (JSC::ParserError::toErrorObject): Plumb through an override line number.
1001         When a function has an override line number, all syntax and runtime
1002         errors in the function will map to it. This is useful for attribute event
1003         listeners.
1004  
1005         * parser/SourceCode.h:
1006         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
1007         column numbers to one-based integers. It was kind of a hack to remove this.
1008
1009         * runtime/Executable.cpp:
1010         (JSC::ScriptExecutable::ScriptExecutable):
1011         (JSC::FunctionExecutable::fromGlobalCode):
1012         * runtime/Executable.h:
1013         (JSC::ScriptExecutable::setOverrideLineNo):
1014         (JSC::ScriptExecutable::hasOverrideLineNo):
1015         (JSC::ScriptExecutable::overrideLineNo):
1016         * runtime/FunctionConstructor.cpp:
1017         (JSC::constructFunctionSkippingEvalEnabledCheck):
1018         * runtime/FunctionConstructor.h: Plumb through an override line number.
1019
1020 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1021
1022         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
1023
1024         Reviewed by Michael Saboff.
1025
1026         * jit/JITPropertyAccess.cpp:
1027         (JSC::JIT::emitScopedArgumentsGetByVal):
1028         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
1029
1030 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1031
1032         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
1033         https://bugs.webkit.org/show_bug.cgi?id=143098
1034
1035         Reviewed by Csaba Osztrogonác.
1036
1037         * ftl/FTLLowerDFGToLLVM.cpp:
1038         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
1039         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
1040
1041 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
1042
1043         Unreviewed gardening, skip failing tests on AArch64 Linux.
1044
1045         * tests/mozilla/mozilla-tests.yaml:
1046         * tests/stress/cached-prototype-setter.js:
1047
1048 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1049
1050         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
1051
1052         * dfg/DFGConstantFoldingPhase.cpp:
1053         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
1054         * ftl/FTLCompile.cpp:
1055         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
1056         * ftl/FTLState.cpp:
1057         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
1058         * ftl/FTLState.h:
1059
1060 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1061
1062         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
1063         right, so this just makes 32-bit do the same.
1064
1065         * dfg/DFGSpeculativeJIT32_64.cpp:
1066         (JSC::DFG::SpeculativeJIT::emitCall):
1067
1068 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1069
1070         Fix a typo that ggaren found but that I didn't fix before.
1071
1072         * runtime/DirectArgumentsOffset.h:
1073
1074 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1075
1076         Unreviewed, VC found a bug. This fixes the bug.
1077
1078         * dfg/DFGConstantFoldingPhase.cpp:
1079         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1080
1081 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1082
1083         Unreviewed, try to fix Windows build.
1084
1085         * runtime/ClonedArguments.cpp:
1086         (JSC::ClonedArguments::createWithInlineFrame):
1087
1088 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1089
1090         Unreviewed, fix debug build.
1091
1092         * bytecompiler/NodesCodegen.cpp:
1093         (JSC::ConstDeclNode::emitCodeSingle):
1094
1095 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1096
1097         Unreviewed, fix CLOOP build.
1098
1099         * dfg/DFGMinifiedID.h:
1100
1101 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1102
1103         Heap variables shouldn't end up in the stack frame
1104         https://bugs.webkit.org/show_bug.cgi?id=141174
1105
1106         Reviewed by Geoffrey Garen.
1107         
1108         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
1109         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
1110         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
1111         simplifications:
1112         
1113         - Accesses to variables no longer need checks or indirections to determine where the variable is
1114           at that moment in time. For example, loading a closure variable now takes just one load instead
1115           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
1116           (when no arguments object allocation is required) while previously that same operation required
1117           a "did I allocate arguments yet" check, a bounds check, and then the load.
1118         
1119         - Reasoning about the allocation of an activation or arguments object now follows the same simple
1120           logic as the allocation of any other kind of object. Previously, those objects were lazily
1121           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
1122           allocate anything at all. This made the implementation of traditional escape analyses really
1123           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
1124           arguments object using the usual SSA tricks which allows for more comprehensive removal.
1125         
1126         - The allocations of arguments objects, functions, and activations are now much faster. While
1127           this patch generally expands our ability to eliminate arguments object allocations, an earlier
1128           version of the patch - which lacked that functionality - was a progression on some arguments-
1129           and closure-happy benchmarks because although no allocations were eliminated, all allocations
1130           were faster.
1131         
1132         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
1133           its arguments objects or activations. The runtime doesn't have to do things to the arguments
1134           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
1135           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
1136           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
1137           now gone. This also enables implementing block-scoping. Without this change, block-scope
1138           support would require telling CodeBlock and all of the rest of the runtime about all of the
1139           variables that store currently-live scopes. That would have been so disastrously hard that it
1140           might as well be impossible. With this change, it's fair game for the bytecode generator to
1141           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
1142           however long it wants. This all works, because after bytecode generation, an activation is just
1143           an object and variables that refer to it are just normal variables.
1144         
1145         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
1146           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
1147           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
1148           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
1149           an arguments object.
1150         
1151         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
1152           using activations used to prevent inlining; now functions that use activations can be inlined
1153           just fine.
1154         
1155         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
1156         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
1157         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
1158         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
1159         
1160         The easiest way of understanding this change is to start by looking at the changes in runtime/,
1161         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
1162
1163         * CMakeLists.txt:
1164         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1165         * JavaScriptCore.xcodeproj/project.pbxproj:
1166         * assembler/AbortReason.h:
1167         * assembler/AbstractMacroAssembler.h:
1168         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
1169         * bytecode/ByValInfo.h:
1170         (JSC::hasOptimizableIndexingForJSType):
1171         (JSC::hasOptimizableIndexing):
1172         (JSC::jitArrayModeForJSType):
1173         (JSC::jitArrayModePermitsPut):
1174         (JSC::jitArrayModeForStructure):
1175         * bytecode/BytecodeKills.h: Added.
1176         (JSC::BytecodeKills::BytecodeKills):
1177         (JSC::BytecodeKills::operandIsKilled):
1178         (JSC::BytecodeKills::forEachOperandKilledAt):
1179         (JSC::BytecodeKills::KillSet::KillSet):
1180         (JSC::BytecodeKills::KillSet::add):
1181         (JSC::BytecodeKills::KillSet::forEachLocal):
1182         (JSC::BytecodeKills::KillSet::contains):
1183         * bytecode/BytecodeList.json:
1184         * bytecode/BytecodeLivenessAnalysis.cpp:
1185         (JSC::isValidRegisterForLiveness):
1186         (JSC::stepOverInstruction):
1187         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
1188         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1189         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
1190         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1191         (JSC::BytecodeLivenessAnalysis::computeKills):
1192         (JSC::indexForOperand): Deleted.
1193         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
1194         (JSC::getLivenessInfo): Deleted.
1195         * bytecode/BytecodeLivenessAnalysis.h:
1196         * bytecode/BytecodeLivenessAnalysisInlines.h:
1197         (JSC::operandIsAlwaysLive):
1198         (JSC::operandThatIsNotAlwaysLiveIsLive):
1199         (JSC::operandIsLive):
1200         * bytecode/BytecodeUseDef.h:
1201         (JSC::computeUsesForBytecodeOffset):
1202         (JSC::computeDefsForBytecodeOffset):
1203         * bytecode/CodeBlock.cpp:
1204         (JSC::CodeBlock::dumpBytecode):
1205         (JSC::CodeBlock::CodeBlock):
1206         (JSC::CodeBlock::nameForRegister):
1207         (JSC::CodeBlock::validate):
1208         (JSC::CodeBlock::isCaptured): Deleted.
1209         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
1210         (JSC::CodeBlock::machineSlowArguments): Deleted.
1211         * bytecode/CodeBlock.h:
1212         (JSC::unmodifiedArgumentsRegister): Deleted.
1213         (JSC::CodeBlock::setArgumentsRegister): Deleted.
1214         (JSC::CodeBlock::argumentsRegister): Deleted.
1215         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
1216         (JSC::CodeBlock::usesArguments): Deleted.
1217         (JSC::CodeBlock::captureCount): Deleted.
1218         (JSC::CodeBlock::captureStart): Deleted.
1219         (JSC::CodeBlock::captureEnd): Deleted.
1220         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
1221         (JSC::CodeBlock::hasSlowArguments): Deleted.
1222         (JSC::ExecState::argumentAfterCapture): Deleted.
1223         * bytecode/CodeOrigin.h:
1224         * bytecode/DataFormat.h:
1225         (JSC::dataFormatToString):
1226         * bytecode/FullBytecodeLiveness.h:
1227         (JSC::FullBytecodeLiveness::getLiveness):
1228         (JSC::FullBytecodeLiveness::operandIsLive):
1229         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
1230         (JSC::FullBytecodeLiveness::getOut): Deleted.
1231         * bytecode/Instruction.h:
1232         (JSC::Instruction::Instruction):
1233         * bytecode/Operands.h:
1234         (JSC::Operands::virtualRegisterForIndex):
1235         * bytecode/SpeculatedType.cpp:
1236         (JSC::dumpSpeculation):
1237         (JSC::speculationToAbbreviatedString):
1238         (JSC::speculationFromClassInfo):
1239         * bytecode/SpeculatedType.h:
1240         (JSC::isDirectArgumentsSpeculation):
1241         (JSC::isScopedArgumentsSpeculation):
1242         (JSC::isActionableMutableArraySpeculation):
1243         (JSC::isActionableArraySpeculation):
1244         (JSC::isArgumentsSpeculation): Deleted.
1245         * bytecode/UnlinkedCodeBlock.cpp:
1246         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1247         * bytecode/UnlinkedCodeBlock.h:
1248         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
1249         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
1250         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
1251         * bytecode/ValueRecovery.cpp:
1252         (JSC::ValueRecovery::dumpInContext):
1253         * bytecode/ValueRecovery.h:
1254         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
1255         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
1256         (JSC::ValueRecovery::nodeID):
1257         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
1258         * bytecode/VirtualRegister.h:
1259         (JSC::VirtualRegister::operator==):
1260         (JSC::VirtualRegister::operator!=):
1261         (JSC::VirtualRegister::operator<):
1262         (JSC::VirtualRegister::operator>):
1263         (JSC::VirtualRegister::operator<=):
1264         (JSC::VirtualRegister::operator>=):
1265         * bytecompiler/BytecodeGenerator.cpp:
1266         (JSC::BytecodeGenerator::generate):
1267         (JSC::BytecodeGenerator::BytecodeGenerator):
1268         (JSC::BytecodeGenerator::initializeNextParameter):
1269         (JSC::BytecodeGenerator::visibleNameForParameter):
1270         (JSC::BytecodeGenerator::emitMove):
1271         (JSC::BytecodeGenerator::variable):
1272         (JSC::BytecodeGenerator::createVariable):
1273         (JSC::BytecodeGenerator::emitResolveScope):
1274         (JSC::BytecodeGenerator::emitGetFromScope):
1275         (JSC::BytecodeGenerator::emitPutToScope):
1276         (JSC::BytecodeGenerator::initializeVariable):
1277         (JSC::BytecodeGenerator::emitInstanceOf):
1278         (JSC::BytecodeGenerator::emitNewFunction):
1279         (JSC::BytecodeGenerator::emitNewFunctionInternal):
1280         (JSC::BytecodeGenerator::emitCall):
1281         (JSC::BytecodeGenerator::emitReturn):
1282         (JSC::BytecodeGenerator::emitConstruct):
1283         (JSC::BytecodeGenerator::isArgumentNumber):
1284         (JSC::BytecodeGenerator::emitEnumeration):
1285         (JSC::BytecodeGenerator::addVar): Deleted.
1286         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
1287         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
1288         (JSC::BytecodeGenerator::resolveCallee): Deleted.
1289         (JSC::BytecodeGenerator::addCallee): Deleted.
1290         (JSC::BytecodeGenerator::addParameter): Deleted.
1291         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
1292         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
1293         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
1294         (JSC::BytecodeGenerator::isCaptured): Deleted.
1295         (JSC::BytecodeGenerator::local): Deleted.
1296         (JSC::BytecodeGenerator::constLocal): Deleted.
1297         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
1298         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
1299         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
1300         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
1301         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
1302         * bytecompiler/BytecodeGenerator.h:
1303         (JSC::Variable::Variable):
1304         (JSC::Variable::isResolved):
1305         (JSC::Variable::ident):
1306         (JSC::Variable::offset):
1307         (JSC::Variable::isLocal):
1308         (JSC::Variable::local):
1309         (JSC::Variable::isSpecial):
1310         (JSC::BytecodeGenerator::argumentsRegister):
1311         (JSC::BytecodeGenerator::emitNode):
1312         (JSC::BytecodeGenerator::registerFor):
1313         (JSC::Local::Local): Deleted.
1314         (JSC::Local::operator bool): Deleted.
1315         (JSC::Local::get): Deleted.
1316         (JSC::Local::isSpecial): Deleted.
1317         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
1318         (JSC::ResolveScopeInfo::isLocal): Deleted.
1319         (JSC::ResolveScopeInfo::localIndex): Deleted.
1320         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
1321         (JSC::BytecodeGenerator::captureMode): Deleted.
1322         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
1323         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
1324         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
1325         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
1326         * bytecompiler/NodesCodegen.cpp:
1327         (JSC::ResolveNode::isPure):
1328         (JSC::ResolveNode::emitBytecode):
1329         (JSC::BracketAccessorNode::emitBytecode):
1330         (JSC::DotAccessorNode::emitBytecode):
1331         (JSC::EvalFunctionCallNode::emitBytecode):
1332         (JSC::FunctionCallResolveNode::emitBytecode):
1333         (JSC::CallFunctionCallDotNode::emitBytecode):
1334         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1335         (JSC::PostfixNode::emitResolve):
1336         (JSC::DeleteResolveNode::emitBytecode):
1337         (JSC::TypeOfResolveNode::emitBytecode):
1338         (JSC::PrefixNode::emitResolve):
1339         (JSC::ReadModifyResolveNode::emitBytecode):
1340         (JSC::AssignResolveNode::emitBytecode):
1341         (JSC::ConstDeclNode::emitCodeSingle):
1342         (JSC::EmptyVarExpression::emitBytecode):
1343         (JSC::ForInNode::tryGetBoundLocal):
1344         (JSC::ForInNode::emitLoopHeader):
1345         (JSC::ForOfNode::emitBytecode):
1346         (JSC::ArrayPatternNode::emitDirectBinding):
1347         (JSC::BindingNode::bindValue):
1348         (JSC::getArgumentByVal): Deleted.
1349         * dfg/DFGAbstractHeap.h:
1350         * dfg/DFGAbstractInterpreter.h:
1351         * dfg/DFGAbstractInterpreterInlines.h:
1352         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1353         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1354         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
1355         * dfg/DFGAbstractValue.h:
1356         * dfg/DFGArgumentPosition.h:
1357         (JSC::DFG::ArgumentPosition::addVariable):
1358         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
1359         (JSC::DFG::performArgumentsElimination):
1360         * dfg/DFGArgumentsEliminationPhase.h: Added.
1361         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
1362         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
1363         * dfg/DFGArgumentsUtilities.cpp: Added.
1364         (JSC::DFG::argumentsInvolveStackSlot):
1365         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1366         * dfg/DFGArgumentsUtilities.h: Added.
1367         * dfg/DFGArrayMode.cpp:
1368         (JSC::DFG::ArrayMode::refine):
1369         (JSC::DFG::ArrayMode::alreadyChecked):
1370         (JSC::DFG::arrayTypeToString):
1371         * dfg/DFGArrayMode.h:
1372         (JSC::DFG::ArrayMode::canCSEStorage):
1373         (JSC::DFG::ArrayMode::modeForPut):
1374         * dfg/DFGAvailabilityMap.cpp:
1375         (JSC::DFG::AvailabilityMap::prune):
1376         * dfg/DFGAvailabilityMap.h:
1377         (JSC::DFG::AvailabilityMap::closeOverNodes):
1378         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
1379         * dfg/DFGBackwardsPropagationPhase.cpp:
1380         (JSC::DFG::BackwardsPropagationPhase::propagate):
1381         * dfg/DFGByteCodeParser.cpp:
1382         (JSC::DFG::ByteCodeParser::newVariableAccessData):
1383         (JSC::DFG::ByteCodeParser::getLocal):
1384         (JSC::DFG::ByteCodeParser::setLocal):
1385         (JSC::DFG::ByteCodeParser::getArgument):
1386         (JSC::DFG::ByteCodeParser::setArgument):
1387         (JSC::DFG::ByteCodeParser::flushDirect):
1388         (JSC::DFG::ByteCodeParser::flush):
1389         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
1390         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1391         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1392         (JSC::DFG::ByteCodeParser::handleInlining):
1393         (JSC::DFG::ByteCodeParser::parseBlock):
1394         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1395         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1396         * dfg/DFGCPSRethreadingPhase.cpp:
1397         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1398         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1399         * dfg/DFGCSEPhase.cpp:
1400         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
1401         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
1402         * dfg/DFGCapabilities.cpp:
1403         (JSC::DFG::isSupportedForInlining):
1404         (JSC::DFG::capabilityLevel):
1405         * dfg/DFGClobberize.h:
1406         (JSC::DFG::clobberize):
1407         * dfg/DFGCommon.h:
1408         * dfg/DFGCommonData.h:
1409         (JSC::DFG::CommonData::CommonData):
1410         * dfg/DFGConstantFoldingPhase.cpp:
1411         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1412         * dfg/DFGDCEPhase.cpp:
1413         (JSC::DFG::DCEPhase::cleanVariables):
1414         * dfg/DFGDisassembler.h:
1415         * dfg/DFGDoesGC.cpp:
1416         (JSC::DFG::doesGC):
1417         * dfg/DFGFixupPhase.cpp:
1418         (JSC::DFG::FixupPhase::fixupNode):
1419         * dfg/DFGFlushFormat.cpp:
1420         (WTF::printInternal):
1421         * dfg/DFGFlushFormat.h:
1422         (JSC::DFG::resultFor):
1423         (JSC::DFG::useKindFor):
1424         (JSC::DFG::dataFormatFor):
1425         * dfg/DFGForAllKills.h: Added.
1426         (JSC::DFG::forAllLiveNodesAtTail):
1427         (JSC::DFG::forAllDirectlyKilledOperands):
1428         (JSC::DFG::forAllKilledOperands):
1429         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1430         (JSC::DFG::forAllKillsInBlock):
1431         * dfg/DFGGraph.cpp:
1432         (JSC::DFG::Graph::Graph):
1433         (JSC::DFG::Graph::dump):
1434         (JSC::DFG::Graph::substituteGetLocal):
1435         (JSC::DFG::Graph::livenessFor):
1436         (JSC::DFG::Graph::killsFor):
1437         (JSC::DFG::Graph::tryGetConstantClosureVar):
1438         (JSC::DFG::Graph::tryGetRegisters): Deleted.
1439         * dfg/DFGGraph.h:
1440         (JSC::DFG::Graph::symbolTableFor):
1441         (JSC::DFG::Graph::uses):
1442         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
1443         (JSC::DFG::Graph::capturedVarsFor): Deleted.
1444         (JSC::DFG::Graph::usesArguments): Deleted.
1445         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
1446         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
1447         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
1448         * dfg/DFGHeapLocation.cpp:
1449         (WTF::printInternal):
1450         * dfg/DFGHeapLocation.h:
1451         * dfg/DFGInPlaceAbstractState.cpp:
1452         (JSC::DFG::InPlaceAbstractState::initialize):
1453         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1454         * dfg/DFGJITCompiler.cpp:
1455         (JSC::DFG::JITCompiler::link):
1456         * dfg/DFGMayExit.cpp:
1457         (JSC::DFG::mayExit):
1458         * dfg/DFGMinifiedID.h:
1459         * dfg/DFGMinifiedNode.cpp:
1460         (JSC::DFG::MinifiedNode::fromNode):
1461         * dfg/DFGMinifiedNode.h:
1462         (JSC::DFG::belongsInMinifiedGraph):
1463         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
1464         (JSC::DFG::MinifiedNode::inlineCallFrame):
1465         * dfg/DFGNode.cpp:
1466         (JSC::DFG::Node::convertToIdentityOn):
1467         * dfg/DFGNode.h:
1468         (JSC::DFG::Node::hasConstant):
1469         (JSC::DFG::Node::constant):
1470         (JSC::DFG::Node::hasScopeOffset):
1471         (JSC::DFG::Node::scopeOffset):
1472         (JSC::DFG::Node::hasDirectArgumentsOffset):
1473         (JSC::DFG::Node::capturedArgumentsOffset):
1474         (JSC::DFG::Node::variablePointer):
1475         (JSC::DFG::Node::hasCallVarargsData):
1476         (JSC::DFG::Node::hasLoadVarargsData):
1477         (JSC::DFG::Node::hasHeapPrediction):
1478         (JSC::DFG::Node::hasCellOperand):
1479         (JSC::DFG::Node::objectMaterializationData):
1480         (JSC::DFG::Node::isPhantomAllocation):
1481         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1482         (JSC::DFG::Node::shouldSpeculateDirectArguments):
1483         (JSC::DFG::Node::shouldSpeculateScopedArguments):
1484         (JSC::DFG::Node::isPhantomArguments): Deleted.
1485         (JSC::DFG::Node::hasVarNumber): Deleted.
1486         (JSC::DFG::Node::varNumber): Deleted.
1487         (JSC::DFG::Node::registerPointer): Deleted.
1488         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
1489         * dfg/DFGNodeType.h:
1490         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1491         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1492         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1493         * dfg/DFGOSRExitCompiler.cpp:
1494         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
1495         * dfg/DFGOSRExitCompiler.h:
1496         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
1497         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
1498         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
1499         * dfg/DFGOSRExitCompiler32_64.cpp:
1500         (JSC::DFG::OSRExitCompiler::compileExit):
1501         * dfg/DFGOSRExitCompiler64.cpp:
1502         (JSC::DFG::OSRExitCompiler::compileExit):
1503         * dfg/DFGOSRExitCompilerCommon.cpp:
1504         (JSC::DFG::reifyInlinedCallFrames):
1505         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
1506         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
1507         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
1508         * dfg/DFGOSRExitCompilerCommon.h:
1509         * dfg/DFGOperations.cpp:
1510         * dfg/DFGOperations.h:
1511         * dfg/DFGPlan.cpp:
1512         (JSC::DFG::Plan::compileInThreadImpl):
1513         * dfg/DFGPreciseLocalClobberize.h:
1514         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
1515         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
1516         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
1517         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1518         (JSC::DFG::preciseLocalClobberize):
1519         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
1520         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
1521         * dfg/DFGPredictionPropagationPhase.cpp:
1522         (JSC::DFG::PredictionPropagationPhase::run):
1523         (JSC::DFG::PredictionPropagationPhase::propagate):
1524         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1525         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
1526         * dfg/DFGPromoteHeapAccess.h:
1527         (JSC::DFG::promoteHeapAccess):
1528         * dfg/DFGPromotedHeapLocation.cpp:
1529         (WTF::printInternal):
1530         * dfg/DFGPromotedHeapLocation.h:
1531         * dfg/DFGSSAConversionPhase.cpp:
1532         (JSC::DFG::SSAConversionPhase::run):
1533         * dfg/DFGSafeToExecute.h:
1534         (JSC::DFG::safeToExecute):
1535         * dfg/DFGSpeculativeJIT.cpp:
1536         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1537         (JSC::DFG::SpeculativeJIT::emitGetLength):
1538         (JSC::DFG::SpeculativeJIT::emitGetCallee):
1539         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
1540         (JSC::DFG::SpeculativeJIT::checkArray):
1541         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1542         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1543         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1544         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1545         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1546         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1547         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1548         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1549         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1550         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1551         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1552         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
1553         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
1554         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
1555         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
1556         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
1557         * dfg/DFGSpeculativeJIT.h:
1558         (JSC::DFG::SpeculativeJIT::callOperation):
1559         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1560         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1561         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
1562         * dfg/DFGSpeculativeJIT32_64.cpp:
1563         (JSC::DFG::SpeculativeJIT::emitCall):
1564         (JSC::DFG::SpeculativeJIT::compile):
1565         * dfg/DFGSpeculativeJIT64.cpp:
1566         (JSC::DFG::SpeculativeJIT::emitCall):
1567         (JSC::DFG::SpeculativeJIT::compile):
1568         * dfg/DFGStackLayoutPhase.cpp:
1569         (JSC::DFG::StackLayoutPhase::run):
1570         * dfg/DFGStrengthReductionPhase.cpp:
1571         (JSC::DFG::StrengthReductionPhase::handleNode):
1572         * dfg/DFGStructureRegistrationPhase.cpp:
1573         (JSC::DFG::StructureRegistrationPhase::run):
1574         * dfg/DFGUnificationPhase.cpp:
1575         (JSC::DFG::UnificationPhase::run):
1576         * dfg/DFGValidate.cpp:
1577         (JSC::DFG::Validate::validateCPS):
1578         * dfg/DFGValueSource.cpp:
1579         (JSC::DFG::ValueSource::dump):
1580         * dfg/DFGValueSource.h:
1581         (JSC::DFG::dataFormatToValueSourceKind):
1582         (JSC::DFG::valueSourceKindToDataFormat):
1583         (JSC::DFG::ValueSource::ValueSource):
1584         (JSC::DFG::ValueSource::forFlushFormat):
1585         (JSC::DFG::ValueSource::valueRecovery):
1586         * dfg/DFGVarargsForwardingPhase.cpp: Added.
1587         (JSC::DFG::performVarargsForwarding):
1588         * dfg/DFGVarargsForwardingPhase.h: Added.
1589         * dfg/DFGVariableAccessData.cpp:
1590         (JSC::DFG::VariableAccessData::VariableAccessData):
1591         (JSC::DFG::VariableAccessData::flushFormat):
1592         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1593         * dfg/DFGVariableAccessData.h:
1594         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
1595         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1596         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
1597         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
1598         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
1599         * dfg/DFGVariableAccessDataDump.cpp:
1600         (JSC::DFG::VariableAccessDataDump::dump):
1601         * dfg/DFGVariableAccessDataDump.h:
1602         * dfg/DFGVariableEventStream.cpp:
1603         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
1604         * dfg/DFGVariableEventStream.h:
1605         * ftl/FTLAbstractHeap.cpp:
1606         (JSC::FTL::AbstractHeap::dump):
1607         (JSC::FTL::AbstractField::dump):
1608         (JSC::FTL::IndexedAbstractHeap::dump):
1609         (JSC::FTL::NumberedAbstractHeap::dump):
1610         (JSC::FTL::AbsoluteAbstractHeap::dump):
1611         * ftl/FTLAbstractHeap.h:
1612         * ftl/FTLAbstractHeapRepository.cpp:
1613         * ftl/FTLAbstractHeapRepository.h:
1614         * ftl/FTLCapabilities.cpp:
1615         (JSC::FTL::canCompile):
1616         * ftl/FTLCompile.cpp:
1617         (JSC::FTL::mmAllocateDataSection):
1618         * ftl/FTLExitArgument.cpp:
1619         (JSC::FTL::ExitArgument::dump):
1620         * ftl/FTLExitPropertyValue.cpp:
1621         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
1622         * ftl/FTLExitPropertyValue.h:
1623         * ftl/FTLExitTimeObjectMaterialization.cpp:
1624         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1625         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
1626         * ftl/FTLExitTimeObjectMaterialization.h:
1627         (JSC::FTL::ExitTimeObjectMaterialization::origin):
1628         * ftl/FTLExitValue.cpp:
1629         (JSC::FTL::ExitValue::withLocalsOffset):
1630         (JSC::FTL::ExitValue::valueFormat):
1631         (JSC::FTL::ExitValue::dumpInContext):
1632         * ftl/FTLExitValue.h:
1633         (JSC::FTL::ExitValue::isArgument):
1634         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
1635         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
1636         (JSC::FTL::ExitValue::valueFormat): Deleted.
1637         * ftl/FTLInlineCacheSize.cpp:
1638         (JSC::FTL::sizeOfCallForwardVarargs):
1639         (JSC::FTL::sizeOfConstructForwardVarargs):
1640         (JSC::FTL::sizeOfICFor):
1641         * ftl/FTLInlineCacheSize.h:
1642         * ftl/FTLIntrinsicRepository.h:
1643         * ftl/FTLJSCallVarargs.cpp:
1644         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1645         (JSC::FTL::JSCallVarargs::emit):
1646         * ftl/FTLJSCallVarargs.h:
1647         * ftl/FTLLowerDFGToLLVM.cpp:
1648         (JSC::FTL::LowerDFGToLLVM::lower):
1649         (JSC::FTL::LowerDFGToLLVM::compileNode):
1650         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
1651         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1652         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1653         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1654         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1655         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1656         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1657         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
1658         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1659         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
1660         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
1661         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
1662         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1663         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
1664         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1665         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
1666         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
1667         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
1668         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
1669         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
1670         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
1671         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1672         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
1673         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
1674         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
1675         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
1676         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
1677         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
1678         (JSC::FTL::LowerDFGToLLVM::baseIndex):
1679         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1680         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
1681         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1682         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1683         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1684         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1685         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1686         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1687         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
1688         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
1689         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
1690         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
1691         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
1692         * ftl/FTLOSRExitCompiler.cpp:
1693         (JSC::FTL::compileRecovery):
1694         (JSC::FTL::compileStub):
1695         * ftl/FTLOperations.cpp:
1696         (JSC::FTL::operationMaterializeObjectInOSR):
1697         * ftl/FTLOutput.h:
1698         (JSC::FTL::Output::aShr):
1699         (JSC::FTL::Output::lShr):
1700         (JSC::FTL::Output::zeroExtPtr):
1701         * heap/CopyToken.h:
1702         * interpreter/CallFrame.h:
1703         (JSC::ExecState::getArgumentUnsafe):
1704         * interpreter/Interpreter.cpp:
1705         (JSC::sizeOfVarargs):
1706         (JSC::sizeFrameForVarargs):
1707         (JSC::loadVarargs):
1708         (JSC::unwindCallFrame):
1709         * interpreter/Interpreter.h:
1710         * interpreter/StackVisitor.cpp:
1711         (JSC::StackVisitor::Frame::createArguments):
1712         (JSC::StackVisitor::Frame::existingArguments): Deleted.
1713         * interpreter/StackVisitor.h:
1714         * jit/AssemblyHelpers.h:
1715         (JSC::AssemblyHelpers::storeValue):
1716         (JSC::AssemblyHelpers::loadValue):
1717         (JSC::AssemblyHelpers::storeTrustedValue):
1718         (JSC::AssemblyHelpers::branchIfNotCell):
1719         (JSC::AssemblyHelpers::branchIsEmpty):
1720         (JSC::AssemblyHelpers::argumentsStart):
1721         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
1722         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
1723         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
1724         * jit/CCallHelpers.h:
1725         (JSC::CCallHelpers::setupArgument):
1726         * jit/GPRInfo.h:
1727         (JSC::JSValueRegs::withTwoAvailableRegs):
1728         * jit/JIT.cpp:
1729         (JSC::JIT::privateCompileMainPass):
1730         (JSC::JIT::privateCompileSlowCases):
1731         * jit/JIT.h:
1732         * jit/JITCall.cpp:
1733         (JSC::JIT::compileSetupVarargsFrame):
1734         * jit/JITCall32_64.cpp:
1735         (JSC::JIT::compileSetupVarargsFrame):
1736         * jit/JITInlines.h:
1737         (JSC::JIT::callOperation):
1738         * jit/JITOpcodes.cpp:
1739         (JSC::JIT::emit_op_create_lexical_environment):
1740         (JSC::JIT::emit_op_new_func):
1741         (JSC::JIT::emit_op_create_direct_arguments):
1742         (JSC::JIT::emit_op_create_scoped_arguments):
1743         (JSC::JIT::emit_op_create_out_of_band_arguments):
1744         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1745         (JSC::JIT::emit_op_create_arguments): Deleted.
1746         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1747         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1748         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1749         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1750         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1751         * jit/JITOpcodes32_64.cpp:
1752         (JSC::JIT::emit_op_create_lexical_environment):
1753         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1754         (JSC::JIT::emit_op_create_arguments): Deleted.
1755         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1756         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1757         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1758         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1759         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1760         * jit/JITOperations.cpp:
1761         * jit/JITOperations.h:
1762         * jit/JITPropertyAccess.cpp:
1763         (JSC::JIT::emitGetClosureVar):
1764         (JSC::JIT::emitPutClosureVar):
1765         (JSC::JIT::emit_op_get_from_arguments):
1766         (JSC::JIT::emit_op_put_to_arguments):
1767         (JSC::JIT::emit_op_init_global_const):
1768         (JSC::JIT::privateCompileGetByVal):
1769         (JSC::JIT::emitDirectArgumentsGetByVal):
1770         (JSC::JIT::emitScopedArgumentsGetByVal):
1771         * jit/JITPropertyAccess32_64.cpp:
1772         (JSC::JIT::emitGetClosureVar):
1773         (JSC::JIT::emitPutClosureVar):
1774         (JSC::JIT::emit_op_get_from_arguments):
1775         (JSC::JIT::emit_op_put_to_arguments):
1776         (JSC::JIT::emit_op_init_global_const):
1777         * jit/SetupVarargsFrame.cpp:
1778         (JSC::emitSetupVarargsFrameFastCase):
1779         * llint/LLIntOffsetsExtractor.cpp:
1780         * llint/LLIntSlowPaths.cpp:
1781         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1782         * llint/LowLevelInterpreter.asm:
1783         * llint/LowLevelInterpreter32_64.asm:
1784         * llint/LowLevelInterpreter64.asm:
1785         * parser/Nodes.h:
1786         (JSC::ScopeNode::captures):
1787         * runtime/Arguments.cpp: Removed.
1788         * runtime/Arguments.h: Removed.
1789         * runtime/ArgumentsMode.h: Added.
1790         * runtime/DirectArgumentsOffset.cpp: Added.
1791         (JSC::DirectArgumentsOffset::dump):
1792         * runtime/DirectArgumentsOffset.h: Added.
1793         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
1794         * runtime/CommonSlowPaths.cpp:
1795         (JSC::SLOW_PATH_DECL):
1796         * runtime/CommonSlowPaths.h:
1797         * runtime/ConstantMode.cpp: Added.
1798         (WTF::printInternal):
1799         * runtime/ConstantMode.h:
1800         (JSC::modeForIsConstant):
1801         * runtime/DirectArguments.cpp: Added.
1802         (JSC::DirectArguments::DirectArguments):
1803         (JSC::DirectArguments::createUninitialized):
1804         (JSC::DirectArguments::create):
1805         (JSC::DirectArguments::createByCopying):
1806         (JSC::DirectArguments::visitChildren):
1807         (JSC::DirectArguments::copyBackingStore):
1808         (JSC::DirectArguments::createStructure):
1809         (JSC::DirectArguments::overrideThings):
1810         (JSC::DirectArguments::overrideThingsIfNecessary):
1811         (JSC::DirectArguments::overrideArgument):
1812         (JSC::DirectArguments::copyToArguments):
1813         (JSC::DirectArguments::overridesSize):
1814         * runtime/DirectArguments.h: Added.
1815         (JSC::DirectArguments::internalLength):
1816         (JSC::DirectArguments::length):
1817         (JSC::DirectArguments::canAccessIndexQuickly):
1818         (JSC::DirectArguments::getIndexQuickly):
1819         (JSC::DirectArguments::setIndexQuickly):
1820         (JSC::DirectArguments::callee):
1821         (JSC::DirectArguments::argument):
1822         (JSC::DirectArguments::overrodeThings):
1823         (JSC::DirectArguments::offsetOfCallee):
1824         (JSC::DirectArguments::offsetOfLength):
1825         (JSC::DirectArguments::offsetOfMinCapacity):
1826         (JSC::DirectArguments::offsetOfOverrides):
1827         (JSC::DirectArguments::storageOffset):
1828         (JSC::DirectArguments::offsetOfSlot):
1829         (JSC::DirectArguments::allocationSize):
1830         (JSC::DirectArguments::storage):
1831         * runtime/FunctionPrototype.cpp:
1832         * runtime/GenericArguments.h: Added.
1833         (JSC::GenericArguments::GenericArguments):
1834         * runtime/GenericArgumentsInlines.h: Added.
1835         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1836         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1837         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1838         (JSC::GenericArguments<Type>::put):
1839         (JSC::GenericArguments<Type>::putByIndex):
1840         (JSC::GenericArguments<Type>::deleteProperty):
1841         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1842         (JSC::GenericArguments<Type>::defineOwnProperty):
1843         (JSC::GenericArguments<Type>::copyToArguments):
1844         * runtime/GenericOffset.h: Added.
1845         (JSC::GenericOffset::GenericOffset):
1846         (JSC::GenericOffset::operator!):
1847         (JSC::GenericOffset::offsetUnchecked):
1848         (JSC::GenericOffset::offset):
1849         (JSC::GenericOffset::operator==):
1850         (JSC::GenericOffset::operator!=):
1851         (JSC::GenericOffset::operator<):
1852         (JSC::GenericOffset::operator>):
1853         (JSC::GenericOffset::operator<=):
1854         (JSC::GenericOffset::operator>=):
1855         (JSC::GenericOffset::operator+):
1856         (JSC::GenericOffset::operator-):
1857         (JSC::GenericOffset::operator+=):
1858         (JSC::GenericOffset::operator-=):
1859         * runtime/JSArgumentsIterator.cpp:
1860         (JSC::JSArgumentsIterator::finishCreation):
1861         (JSC::argumentsFuncIterator):
1862         * runtime/JSArgumentsIterator.h:
1863         (JSC::JSArgumentsIterator::create):
1864         (JSC::JSArgumentsIterator::next):
1865         * runtime/JSEnvironmentRecord.cpp:
1866         (JSC::JSEnvironmentRecord::visitChildren):
1867         * runtime/JSEnvironmentRecord.h:
1868         (JSC::JSEnvironmentRecord::variables):
1869         (JSC::JSEnvironmentRecord::isValid):
1870         (JSC::JSEnvironmentRecord::variableAt):
1871         (JSC::JSEnvironmentRecord::offsetOfVariables):
1872         (JSC::JSEnvironmentRecord::offsetOfVariable):
1873         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
1874         (JSC::JSEnvironmentRecord::allocationSize):
1875         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1876         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1877         (JSC::JSEnvironmentRecord::finishCreation):
1878         (JSC::JSEnvironmentRecord::registers): Deleted.
1879         (JSC::JSEnvironmentRecord::registerAt): Deleted.
1880         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
1881         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
1882         * runtime/JSFunction.cpp:
1883         * runtime/JSGlobalObject.cpp:
1884         (JSC::JSGlobalObject::init):
1885         (JSC::JSGlobalObject::addGlobalVar):
1886         (JSC::JSGlobalObject::addFunction):
1887         (JSC::JSGlobalObject::visitChildren):
1888         (JSC::JSGlobalObject::addStaticGlobals):
1889         * runtime/JSGlobalObject.h:
1890         (JSC::JSGlobalObject::directArgumentsStructure):
1891         (JSC::JSGlobalObject::scopedArgumentsStructure):
1892         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
1893         (JSC::JSGlobalObject::argumentsStructure): Deleted.
1894         * runtime/JSLexicalEnvironment.cpp:
1895         (JSC::JSLexicalEnvironment::symbolTableGet):
1896         (JSC::JSLexicalEnvironment::symbolTablePut):
1897         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1898         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
1899         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
1900         * runtime/JSLexicalEnvironment.h:
1901         (JSC::JSLexicalEnvironment::create):
1902         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1903         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
1904         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
1905         (JSC::JSLexicalEnvironment::storage): Deleted.
1906         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
1907         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
1908         (JSC::JSLexicalEnvironment::isValid): Deleted.
1909         (JSC::JSLexicalEnvironment::registerAt): Deleted.
1910         * runtime/JSNameScope.cpp:
1911         (JSC::JSNameScope::visitChildren): Deleted.
1912         * runtime/JSNameScope.h:
1913         (JSC::JSNameScope::create):
1914         (JSC::JSNameScope::value):
1915         (JSC::JSNameScope::finishCreation):
1916         (JSC::JSNameScope::JSNameScope):
1917         * runtime/JSScope.cpp:
1918         (JSC::abstractAccess):
1919         * runtime/JSSegmentedVariableObject.cpp:
1920         (JSC::JSSegmentedVariableObject::findVariableIndex):
1921         (JSC::JSSegmentedVariableObject::addVariables):
1922         (JSC::JSSegmentedVariableObject::visitChildren):
1923         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
1924         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
1925         * runtime/JSSegmentedVariableObject.h:
1926         (JSC::JSSegmentedVariableObject::variableAt):
1927         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
1928         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
1929         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
1930         * runtime/JSSymbolTableObject.h:
1931         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
1932         (JSC::symbolTableGet):
1933         (JSC::symbolTablePut):
1934         (JSC::symbolTablePutWithAttributes):
1935         * runtime/JSType.h:
1936         * runtime/Options.h:
1937         * runtime/ClonedArguments.cpp: Added.
1938         (JSC::ClonedArguments::ClonedArguments):
1939         (JSC::ClonedArguments::createEmpty):
1940         (JSC::ClonedArguments::createWithInlineFrame):
1941         (JSC::ClonedArguments::createWithMachineFrame):
1942         (JSC::ClonedArguments::createByCopyingFrom):
1943         (JSC::ClonedArguments::createStructure):
1944         (JSC::ClonedArguments::getOwnPropertySlot):
1945         (JSC::ClonedArguments::getOwnPropertyNames):
1946         (JSC::ClonedArguments::put):
1947         (JSC::ClonedArguments::deleteProperty):
1948         (JSC::ClonedArguments::defineOwnProperty):
1949         (JSC::ClonedArguments::materializeSpecials):
1950         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
1951         * runtime/ClonedArguments.h: Added.
1952         (JSC::ClonedArguments::specialsMaterialized):
1953         * runtime/ScopeOffset.cpp: Added.
1954         (JSC::ScopeOffset::dump):
1955         * runtime/ScopeOffset.h: Added.
1956         (JSC::ScopeOffset::ScopeOffset):
1957         * runtime/ScopedArguments.cpp: Added.
1958         (JSC::ScopedArguments::ScopedArguments):
1959         (JSC::ScopedArguments::finishCreation):
1960         (JSC::ScopedArguments::createUninitialized):
1961         (JSC::ScopedArguments::create):
1962         (JSC::ScopedArguments::createByCopying):
1963         (JSC::ScopedArguments::createByCopyingFrom):
1964         (JSC::ScopedArguments::visitChildren):
1965         (JSC::ScopedArguments::createStructure):
1966         (JSC::ScopedArguments::overrideThings):
1967         (JSC::ScopedArguments::overrideThingsIfNecessary):
1968         (JSC::ScopedArguments::overrideArgument):
1969         (JSC::ScopedArguments::copyToArguments):
1970         * runtime/ScopedArguments.h: Added.
1971         (JSC::ScopedArguments::internalLength):
1972         (JSC::ScopedArguments::length):
1973         (JSC::ScopedArguments::canAccessIndexQuickly):
1974         (JSC::ScopedArguments::getIndexQuickly):
1975         (JSC::ScopedArguments::setIndexQuickly):
1976         (JSC::ScopedArguments::callee):
1977         (JSC::ScopedArguments::overrodeThings):
1978         (JSC::ScopedArguments::offsetOfOverrodeThings):
1979         (JSC::ScopedArguments::offsetOfTotalLength):
1980         (JSC::ScopedArguments::offsetOfTable):
1981         (JSC::ScopedArguments::offsetOfScope):
1982         (JSC::ScopedArguments::overflowStorageOffset):
1983         (JSC::ScopedArguments::allocationSize):
1984         (JSC::ScopedArguments::overflowStorage):
1985         * runtime/ScopedArgumentsTable.cpp: Added.
1986         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
1987         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
1988         (JSC::ScopedArgumentsTable::destroy):
1989         (JSC::ScopedArgumentsTable::create):
1990         (JSC::ScopedArgumentsTable::clone):
1991         (JSC::ScopedArgumentsTable::setLength):
1992         (JSC::ScopedArgumentsTable::set):
1993         (JSC::ScopedArgumentsTable::createStructure):
1994         * runtime/ScopedArgumentsTable.h: Added.
1995         (JSC::ScopedArgumentsTable::length):
1996         (JSC::ScopedArgumentsTable::get):
1997         (JSC::ScopedArgumentsTable::lock):
1998         (JSC::ScopedArgumentsTable::offsetOfLength):
1999         (JSC::ScopedArgumentsTable::offsetOfArguments):
2000         (JSC::ScopedArgumentsTable::at):
2001         * runtime/SymbolTable.cpp:
2002         (JSC::SymbolTableEntry::prepareToWatch):
2003         (JSC::SymbolTable::SymbolTable):
2004         (JSC::SymbolTable::visitChildren):
2005         (JSC::SymbolTable::localToEntry):
2006         (JSC::SymbolTable::entryFor):
2007         (JSC::SymbolTable::cloneScopePart):
2008         (JSC::SymbolTable::prepareForTypeProfiling):
2009         (JSC::SymbolTable::uniqueIDForOffset):
2010         (JSC::SymbolTable::globalTypeSetForOffset):
2011         (JSC::SymbolTable::cloneCapturedNames): Deleted.
2012         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
2013         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
2014         * runtime/SymbolTable.h:
2015         (JSC::SymbolTableEntry::varOffsetFromBits):
2016         (JSC::SymbolTableEntry::scopeOffsetFromBits):
2017         (JSC::SymbolTableEntry::Fast::varOffset):
2018         (JSC::SymbolTableEntry::Fast::scopeOffset):
2019         (JSC::SymbolTableEntry::Fast::isDontEnum):
2020         (JSC::SymbolTableEntry::Fast::getAttributes):
2021         (JSC::SymbolTableEntry::SymbolTableEntry):
2022         (JSC::SymbolTableEntry::varOffset):
2023         (JSC::SymbolTableEntry::isWatchable):
2024         (JSC::SymbolTableEntry::scopeOffset):
2025         (JSC::SymbolTableEntry::setAttributes):
2026         (JSC::SymbolTableEntry::constantMode):
2027         (JSC::SymbolTableEntry::isDontEnum):
2028         (JSC::SymbolTableEntry::disableWatching):
2029         (JSC::SymbolTableEntry::pack):
2030         (JSC::SymbolTableEntry::isValidVarOffset):
2031         (JSC::SymbolTable::createNameScopeTable):
2032         (JSC::SymbolTable::maxScopeOffset):
2033         (JSC::SymbolTable::didUseScopeOffset):
2034         (JSC::SymbolTable::didUseVarOffset):
2035         (JSC::SymbolTable::scopeSize):
2036         (JSC::SymbolTable::nextScopeOffset):
2037         (JSC::SymbolTable::takeNextScopeOffset):
2038         (JSC::SymbolTable::add):
2039         (JSC::SymbolTable::set):
2040         (JSC::SymbolTable::argumentsLength):
2041         (JSC::SymbolTable::setArgumentsLength):
2042         (JSC::SymbolTable::argumentOffset):
2043         (JSC::SymbolTable::setArgumentOffset):
2044         (JSC::SymbolTable::arguments):
2045         (JSC::SlowArgument::SlowArgument): Deleted.
2046         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
2047         (JSC::SymbolTableEntry::getIndex): Deleted.
2048         (JSC::SymbolTableEntry::isValidIndex): Deleted.
2049         (JSC::SymbolTable::captureStart): Deleted.
2050         (JSC::SymbolTable::setCaptureStart): Deleted.
2051         (JSC::SymbolTable::captureEnd): Deleted.
2052         (JSC::SymbolTable::setCaptureEnd): Deleted.
2053         (JSC::SymbolTable::captureCount): Deleted.
2054         (JSC::SymbolTable::isCaptured): Deleted.
2055         (JSC::SymbolTable::parameterCount): Deleted.
2056         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
2057         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
2058         (JSC::SymbolTable::slowArguments): Deleted.
2059         (JSC::SymbolTable::setSlowArguments): Deleted.
2060         * runtime/VM.cpp:
2061         (JSC::VM::VM):
2062         * runtime/VM.h:
2063         * runtime/VarOffset.cpp: Added.
2064         (JSC::VarOffset::dump):
2065         (WTF::printInternal):
2066         * runtime/VarOffset.h: Added.
2067         (JSC::VarOffset::VarOffset):
2068         (JSC::VarOffset::assemble):
2069         (JSC::VarOffset::isValid):
2070         (JSC::VarOffset::operator!):
2071         (JSC::VarOffset::kind):
2072         (JSC::VarOffset::isStack):
2073         (JSC::VarOffset::isScope):
2074         (JSC::VarOffset::isDirectArgument):
2075         (JSC::VarOffset::stackOffsetUnchecked):
2076         (JSC::VarOffset::scopeOffsetUnchecked):
2077         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
2078         (JSC::VarOffset::stackOffset):
2079         (JSC::VarOffset::scopeOffset):
2080         (JSC::VarOffset::capturedArgumentsOffset):
2081         (JSC::VarOffset::rawOffset):
2082         (JSC::VarOffset::checkSanity):
2083         (JSC::VarOffset::operator==):
2084         (JSC::VarOffset::operator!=):
2085         (JSC::VarOffset::hash):
2086         (JSC::VarOffset::isHashTableDeletedValue):
2087         (JSC::VarOffsetHash::hash):
2088         (JSC::VarOffsetHash::equal):
2089         * tests/stress/arguments-exit-strict-mode.js: Added.
2090         * tests/stress/arguments-exit.js: Added.
2091         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
2092         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
2093         * tests/stress/arguments-inlined-exit.js: Added.
2094         * tests/stress/arguments-interference.js: Added.
2095         * tests/stress/arguments-interference-cfg.js: Added.
2096         * tests/stress/dead-get-closure-var.js: Added.
2097         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
2098         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
2099         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
2100         * tests/stress/varargs-closure-inlined-exit.js: Added.
2101         * tests/stress/varargs-exit.js: Added.
2102         * tests/stress/varargs-inlined-exit.js: Added.
2103         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
2104         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
2105         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
2106         * tests/stress/varargs-inlined-simple-exit.js: Added.
2107         * tests/stress/varargs-too-few-arguments.js: Added.
2108         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
2109         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
2110         * tests/stress/varargs-varargs-inlined-exit.js: Added.
2111
2112 2015-03-25  Andy Estes  <aestes@apple.com>
2113
2114         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
2115         https://bugs.webkit.org/show_bug.cgi?id=143068
2116
2117         Reviewed by Dan Bernstein.
2118
2119         * inspector/remote/RemoteInspectorXPCConnection.mm:
2120         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
2121
2122 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2123
2124         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
2125         https://bugs.webkit.org/show_bug.cgi?id=142993
2126
2127         Reviewed by Geoffrey Garen and Mark Lam.
2128         
2129         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
2130         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
2131         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
2132         failure, but also involves adding the same kind of thing to the stub generators in
2133         Repatch.
2134         
2135         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
2136         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
2137         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
2138         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
2139         printout.
2140         
2141         Also add a way of inducing executable allocation failure, so that we can test this.
2142
2143         * CMakeLists.txt:
2144         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2145         * JavaScriptCore.xcodeproj/project.pbxproj:
2146         * dfg/DFGJITCompiler.cpp:
2147         (JSC::DFG::JITCompiler::compile):
2148         (JSC::DFG::JITCompiler::compileFunction):
2149         (JSC::DFG::JITCompiler::link): Deleted.
2150         (JSC::DFG::JITCompiler::linkFunction): Deleted.
2151         * dfg/DFGJITCompiler.h:
2152         * dfg/DFGPlan.cpp:
2153         (JSC::DFG::Plan::compileInThreadImpl):
2154         * ftl/FTLCompile.cpp:
2155         (JSC::FTL::mmAllocateCodeSection):
2156         (JSC::FTL::mmAllocateDataSection):
2157         * ftl/FTLLink.cpp:
2158         (JSC::FTL::link):
2159         * ftl/FTLState.h:
2160         * jit/ArityCheckFailReturnThunks.cpp:
2161         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
2162         * jit/ExecutableAllocationFuzz.cpp: Added.
2163         (JSC::numberOfExecutableAllocationFuzzChecks):
2164         (JSC::doExecutableAllocationFuzzing):
2165         * jit/ExecutableAllocationFuzz.h: Added.
2166         (JSC::doExecutableAllocationFuzzingIfEnabled):
2167         * jit/ExecutableAllocatorFixedVMPool.cpp:
2168         (JSC::ExecutableAllocator::allocate):
2169         * jit/JIT.cpp:
2170         (JSC::JIT::privateCompile):
2171         * jit/JITCompilationEffort.h:
2172         * jit/Repatch.cpp:
2173         (JSC::generateByIdStub):
2174         (JSC::tryCacheGetByID):
2175         (JSC::tryBuildGetByIDList):
2176         (JSC::emitPutReplaceStub):
2177         (JSC::emitPutTransitionStubAndGetOldStructure):
2178         (JSC::tryCachePutByID):
2179         (JSC::tryBuildPutByIdList):
2180         (JSC::tryRepatchIn):
2181         (JSC::linkPolymorphicCall):
2182         * jsc.cpp:
2183         (jscmain):
2184         * runtime/Options.h:
2185         * runtime/TestRunnerUtils.h:
2186         * runtime/VM.cpp:
2187         * tests/executableAllocationFuzz: Added.
2188         * tests/executableAllocationFuzz.yaml: Added.
2189         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
2190
2191 2015-03-25  Mark Lam  <mark.lam@apple.com>
2192
2193         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
2194         <https://webkit.org/b/135719>
2195
2196         Reviewed by Geoffrey Garen.
2197
2198         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
2199         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
2200         update the LLINT to access it as such.
2201
2202         The issue has only manifested so far on the CLoop tests because those are LLINT
2203         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
2204         hiding the bug in the LLINT.
2205
2206         * API/JSContextRef.cpp:
2207         (createWatchdogIfNeeded):
2208         (JSContextGroupSetExecutionTimeLimit):
2209         (JSContextGroupClearExecutionTimeLimit):
2210         * llint/LowLevelInterpreter.asm:
2211
2212 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2213
2214         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
2215
2216         Rubber stamped by Geoffrey Garen.
2217
2218         * bytecode/CodeBlock.cpp:
2219         (JSC::CodeBlock::visitAggregate):
2220
2221 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2222
2223         Fix formatting in BuiltinExecutables
2224         https://bugs.webkit.org/show_bug.cgi?id=143061
2225
2226         Reviewed by Ryosuke Niwa.
2227
2228         * builtins/BuiltinExecutables.cpp:
2229         (JSC::BuiltinExecutables::createExecutableInternal):
2230
2231 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2232
2233         ES6: Classes: Program level class statement throws exception in strict mode
2234         https://bugs.webkit.org/show_bug.cgi?id=143038
2235
2236         Reviewed by Ryosuke Niwa.
2237
2238         Classes expose a name to the current lexical environment. This treats
2239         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
2240         Also, improve error messages for class statements where the class is missing a name.
2241
2242         * parser/Parser.h:
2243         * parser/Parser.cpp:
2244         (JSC::Parser<LexerType>::parseClass):
2245         Fill name in info parameter if needed. Better error message if name is needed and missing.
2246
2247         (JSC::Parser<LexerType>::parseClassDeclaration):
2248         Pass info parameter to get name, and expose the name as a variable name.
2249
2250         (JSC::Parser<LexerType>::parsePrimaryExpression):
2251         Pass info parameter that is ignored.
2252
2253         * parser/ParserFunctionInfo.h:
2254         Add a parser info for class, to extract the name.
2255
2256 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2257
2258         New map and set modification tests in r181922 fails
2259         https://bugs.webkit.org/show_bug.cgi?id=143031
2260
2261         Reviewed and tweaked by Geoffrey Garen.
2262
2263         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
2264         to adjust for the packed backing store.
2265
2266         Consider the following map data.
2267
2268         x: deleted, o: exists
2269         0 1 2 3 4
2270         x x x x o
2271
2272         And iterator with m_index 3.
2273
2274         When packing the map data, map data will become,
2275
2276         0
2277         o
2278
2279         At that time, we perform didRemoveEntry 4 times on the iterators.
2280         times => m_index/index/result
2281         1 => 3/0/dec
2282         2 => 2/1/dec
2283         3 => 1/2/nothing
2284         4 => 1/3/nothing
2285
2286         After the iteration, the iterator's m_index becomes 1. But we expected it to become 0.
2287         This is because we use the decremented m_index for the comparison: the provided
2288         deletedIndex is an index into the old storage, while m_index is an index into the partially packed storage.
2289
2290         In this patch, we compare against the packed index instead.
2291         times => m_index/packedIndex/result
2292         1 => 3/0/dec
2293         2 => 2/0/dec
2294         3 => 1/0/dec
2295         4 => 0/0/nothing
2296
2297         So m_index becomes 0 as expected.
2298
2299         And according to the spec, once the iterator is closed (becomes done: true),
2300         its internal [[Map]]/[[Set]] is set to undefined.
2301         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
2302
2303         In this patch, we change 2 things.
2304         1.
2305         Compare an iterator's index against the packed index when removing an entry.
2306
2307         2.
2308         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
2309
2310         * runtime/MapData.h:
2311         (JSC::MapDataImpl::IteratorData::finish):
2312         (JSC::MapDataImpl::IteratorData::isFinished):
2313         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
2314         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
2315         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
2316         * runtime/MapDataInlines.h:
2317         (JSC::JSIterator>::replaceAndPackBackingStore):
2318         * tests/stress/modify-map-during-iteration.js:
2319         * tests/stress/modify-set-during-iteration.js:
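
        An added example, not JSC code, that models the packing walk and the two didRemoveEntry rules
        from the tables above: a backing store is an array with DELETED marking removed slots, packing
        copies live entries to the front and notifies every iterator once per removed slot. The names
        (didRemoveEntryOld, didRemoveEntryNew, packBackingStore, runScenario, ruleKeepsPosition) and
        the exact comparison (`m_index > index`) are assumptions chosen to reproduce the entry's tables.

```javascript
// Added example, not JSC code: a small model of MapData's packed backing store and of
// the iterator adjustment described in the ChangeLog entry. A backing store is an array
// in which DELETED marks a removed slot; packing copies live entries to the front and
// notifies every iterator once per removed slot. All names here are hypothetical, and
// the `>` comparison is an assumption that reproduces the entry's two tables.
const DELETED = Symbol("deleted");

// Old rule (the bug): compare m_index with the removed slot's index in the OLD storage.
function didRemoveEntryOld(iterator, oldIndex, packedIndex) {
  if (iterator.m_index > oldIndex) iterator.m_index--;
}

// New rule (the fix): compare m_index with the packed index, i.e. the number of live
// entries already copied, and leave a closed (finished) iterator alone.
function didRemoveEntryNew(iterator, oldIndex, packedIndex) {
  if (iterator.finished) return;
  if (iterator.m_index > packedIndex) iterator.m_index--;
}

// Pack `entries` in slot order, telling each iterator about every removed slot
// through `didRemoveEntry(iterator, oldIndex, packedIndex)`. Returns the packed array.
function packBackingStore(entries, iterators, didRemoveEntry) {
  const packed = [];
  entries.forEach((entry, oldIndex) => {
    if (entry === DELETED) {
      for (const it of iterators) didRemoveEntry(it, oldIndex, packed.length);
    } else {
      packed.push(entry);
    }
  });
  return packed;
}

// The entry's scenario: slots 0..3 deleted, slot 4 live, one iterator with m_index 3.
// Returns the iterator's m_index after packing under the given rule.
function runScenario(rule, finished = false) {
  const entries = [DELETED, DELETED, DELETED, DELETED, "o"];
  const iterator = { m_index: 3, finished };
  packBackingStore(entries, [iterator], rule);
  return iterator.m_index;
}

// General check, beyond the entry's single case: an iterator positioned at old slot
// `startIndex` must end up at the packed copy of the first live entry at or after that
// slot (or at packed.length if there is none), whatever the pattern of deletions.
function ruleKeepsPosition(rule, entries, startIndex) {
  const iterator = { m_index: startIndex, finished: false };
  const packed = packBackingStore(entries, [iterator], rule);
  const nextLive = entries.slice(startIndex).find((e) => e !== DELETED);
  if (nextLive === undefined) return iterator.m_index === packed.length;
  return packed[iterator.m_index] === nextLive;
}

console.log("old rule:", runScenario(didRemoveEntryOld)); // 1, the wrong answer
console.log("new rule:", runScenario(didRemoveEntryNew)); // 0, as expected
```

        The invariant ruleKeepsPosition checks is the one the fix relies on: with the packed-index
        comparison, an iterator is decremented exactly once per deleted slot that precedes its own
        position, so it lands on the packed copy of the entry it was about to visit.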
2320
2321 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2322
2323         Setter should have a single formal parameter, Getter no parameters
2324         https://bugs.webkit.org/show_bug.cgi?id=142903
2325
2326         Reviewed by Geoffrey Garen.
2327
2328         * parser/Parser.cpp:
2329         (JSC::Parser<LexerType>::parseFunctionInfo):
2330         Enforce no parameters for getters and a single parameter
2331         for setters, with informational error messages.
2332
2333 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2334
2335         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
2336         https://bugs.webkit.org/show_bug.cgi?id=143012
2337
2338         Reviewed by Ryosuke Niwa.
2339
2340         * bytecompiler/BytecodeGenerator.cpp:
2341         (JSC::BytecodeGenerator::emitReturn):
2342         Fix handling of "undefined" when returned from a Derived class. It was
2343         returning "undefined" when it should have returned "this".
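
        An added example, not JSC code, showing the three return-value cases a derived-class constructor
        has to handle, of which the fix above restores the first (an early return of undefined yields
        `this`). The classes and the describeConstruction helper are constructed for illustration.

```javascript
// Added example, not JSC code: the return-value rules for a derived-class constructor.
// The classes below are made up for illustration.
class Base {
  constructor() { this.tag = "base"; }
}

// An early `return` (value undefined) must yield `this`, the object super() created.
class EarlyReturn extends Base {
  constructor(early) {
    super();
    if (early) return;
    this.tag = "late";
  }
}

// Returning an object replaces `this` with that object.
class ReturnsObject extends Base {
  constructor() { super(); return { tag: "replacement" }; }
}

// Returning any other value (here a number) is a TypeError in a derived constructor.
class ReturnsPrimitive extends Base {
  constructor() { super(); return 42; }
}

// Construct `Klass` and describe what came out, so each rule is checkable by value.
function describeConstruction(Klass, ...args) {
  try {
    const value = new Klass(...args);
    return { result: value instanceof Klass ? "instance" : "other-object", tag: value.tag };
  } catch (e) {
    return { result: e instanceof TypeError ? "TypeError" : "unexpected", tag: undefined };
  }
}

console.log(describeConstruction(EarlyReturn, true));   // { result: "instance", tag: "base" }
console.log(describeConstruction(ReturnsPrimitive));    // { result: "TypeError", tag: undefined }
```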
2344
2345 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2346
2347         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
2348         https://bugs.webkit.org/show_bug.cgi?id=142696
2349
2350         Reviewed and tweaked by Geoffrey Garen.
2351
2352         Before r142556, JSSetIterator::destroy was not defined.
2353         So, accidentally, the MapData::const_iterator in JSSet was never destroyed.
2354         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
2355
2356         After r142556, JSSetIterator::destroy works.
2357         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
2358         But JSSetIterator::~JSSetIterator requires the owned JSSet, since it mutates MapData->m_iteratorCount.
2359
2360         It is guaranteed that the JSSet is live, since the JSSetIterator has a reference to the JSSet
2361         and marks it in visitChildren (WriteBarrier<Unknown>).
2362         However, the order of destruction is not guaranteed in a GC-ed system.
2363
2364         Consider the following case:
2365         allocate a JSSet and subsequently allocate a JSSetIterator,
2366         and they reside in separate MarkedBlocks, <1> and <2>.
2367
2368         JSSet<1> <- JSSetIterator<2>
2369
2370         After that, when performing GC, the Marker decides that the above 2 objects are not marked.
2371         And the Marker also decides that MarkedBlocks <1> and <2> can be swept.
2372
2373         First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
2374         Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
2375         However, JSSetIterator<2>'s destructor,
2376         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.
2377
2378         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
2379         When packing the removed elements in JSSet/JSMap, we apply the change to all live
2380         iterators tracked by WeakGCMap.
2381
2382         WeakGCMap can only track JSCell since they are managed by GC.
2383         So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
2384         introduces JS style iterator signatures into C++ class IteratorData.
2385         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
2386         IteratorData directly.
2387
2388         * runtime/JSMap.cpp:
2389         (JSC::JSMap::destroy):
2390         * runtime/JSMap.h:
2391         (JSC::JSMap::JSMap):
2392         (JSC::JSMap::begin): Deleted.
2393         (JSC::JSMap::end): Deleted.
2394         * runtime/JSMapIterator.cpp:
2395         (JSC::JSMapIterator::destroy):
2396         * runtime/JSMapIterator.h:
2397         (JSC::JSMapIterator::next):
2398         (JSC::JSMapIterator::nextKeyValue):
2399         (JSC::JSMapIterator::iteratorData):
2400         (JSC::JSMapIterator::JSMapIterator):
2401         * runtime/JSSet.cpp:
2402         (JSC::JSSet::destroy):
2403         * runtime/JSSet.h:
2404         (JSC::JSSet::JSSet):
2405         (JSC::JSSet::begin): Deleted.
2406         (JSC::JSSet::end): Deleted.
2407         * runtime/JSSetIterator.cpp:
2408         (JSC::JSSetIterator::destroy):
2409         * runtime/JSSetIterator.h:
2410         (JSC::JSSetIterator::next):
2411         (JSC::JSSetIterator::iteratorData):
2412         (JSC::JSSetIterator::JSSetIterator):
2413         * runtime/MapData.h:
2414         (JSC::MapDataImpl::IteratorData::finish):
2415         (JSC::MapDataImpl::IteratorData::isFinished):
2416         (JSC::MapDataImpl::shouldPack):
2417         (JSC::JSIterator>::MapDataImpl):
2418         (JSC::JSIterator>::KeyType::KeyType):
2419         (JSC::JSIterator>::IteratorData::IteratorData):
2420         (JSC::JSIterator>::IteratorData::next):
2421         (JSC::JSIterator>::IteratorData::ensureSlot):
2422         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
2423         (JSC::JSIterator>::IteratorData::refreshCursor):
2424         (JSC::MapDataImpl::const_iterator::key): Deleted.
2425         (JSC::MapDataImpl::const_iterator::value): Deleted.
2426         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
2427         (JSC::MapDataImpl::const_iterator::finish): Deleted.
2428         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
2429         (JSC::MapDataImpl::begin): Deleted.
2430         (JSC::MapDataImpl::end): Deleted.
2431         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
2432         (JSC::MapDataImpl<Entry>::clear): Deleted.
2433         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
2434         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
2435         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
2436         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
2437         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
2438         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
2439         (JSC::=): Deleted.
2440         * runtime/MapDataInlines.h:
2441         (JSC::JSIterator>::clear):
2442         (JSC::JSIterator>::find):
2443         (JSC::JSIterator>::contains):
2444         (JSC::JSIterator>::add):
2445         (JSC::JSIterator>::set):
2446         (JSC::JSIterator>::get):
2447         (JSC::JSIterator>::remove):
2448         (JSC::JSIterator>::replaceAndPackBackingStore):
2449         (JSC::JSIterator>::replaceBackingStore):
2450         (JSC::JSIterator>::ensureSpaceForAppend):
2451         (JSC::JSIterator>::visitChildren):
2452         (JSC::JSIterator>::copyBackingStore):
2453         (JSC::JSIterator>::applyMapDataPatch):
2454         (JSC::MapDataImpl<Entry>::find): Deleted.
2455         (JSC::MapDataImpl<Entry>::contains): Deleted.
2456         (JSC::MapDataImpl<Entry>::add): Deleted.
2457         (JSC::MapDataImpl<Entry>::set): Deleted.
2458         (JSC::MapDataImpl<Entry>::get): Deleted.
2459         (JSC::MapDataImpl<Entry>::remove): Deleted.
2460         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
2461         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
2462         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
2463         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
2464         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
2465         * runtime/MapPrototype.cpp:
2466         (JSC::mapProtoFuncForEach):
2467         * runtime/SetPrototype.cpp:
2468         (JSC::setProtoFuncForEach):
2469         * runtime/WeakGCMap.h:
2470         (JSC::WeakGCMap::forEach):
2471         * tests/stress/modify-map-during-iteration.js: Added.
2472         (testValue):
2473         (identityPairs):
2474         (.set if):
2475         (var):
2476         (set map):
2477         * tests/stress/modify-set-during-iteration.js: Added.
2478         (testValue):
2479         (set forEach):
2480         (set delete):
2481
2482 2015-03-24  Mark Lam  <mark.lam@apple.com>
2483
2484         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
2485         <https://webkit.org/b/143024>
2486
2487         Reviewed by Geoffrey Garen.
2488
2489         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
2490         passed in from testapi.c.  It should create its own for better
2491         encapsulation of the test.
2492
2493         * API/tests/ExecutionTimeLimitTest.cpp:
2494         (currentCPUTimeAsJSFunctionCallback):
2495         (testExecutionTimeLimit):
2496         * API/tests/ExecutionTimeLimitTest.h:
2497         * API/tests/testapi.c:
2498         (main):
2499
2500 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2501
2502         ES6: Object Literal Methods toString is missing method name
2503         https://bugs.webkit.org/show_bug.cgi?id=142992
2504
2505         Reviewed by Geoffrey Garen.
2506
2507         Always stringify functions in the pattern:
2508
2509           "function " + <function name> + <text from opening parenthesis to closing brace>.
2510
2511         * runtime/FunctionPrototype.cpp:
2512         (JSC::functionProtoFuncToString):
2513         Update the path that was not stringifying in this pattern.
2514
2515         * bytecode/UnlinkedCodeBlock.cpp:
2516         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2517         * bytecode/UnlinkedCodeBlock.h:
2518         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
2519         * parser/Nodes.h:
2520         * runtime/Executable.cpp:
2521         (JSC::FunctionExecutable::FunctionExecutable):
2522         * runtime/Executable.h:
2523         (JSC::FunctionExecutable::parametersStartOffset):
2524         Pass the already known function parameter opening parenthesis
2525         start offset through to the FunctionExecutable. 
2526
2527         * tests/mozilla/js1_5/Scope/regress-185485.js:
2528         (with.g):
2529         Add back original space in this test that was removed by r181810
2530         now that we have the space again in stringification.
2531
2532 2015-03-24  Michael Saboff  <msaboff@apple.com>
2533
2534         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
2535         https://bugs.webkit.org/show_bug.cgi?id=142856
2536
2537         Reviewed by Filip Pizlo.
2538
2539         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
2540         get info for three loops to iterate over indexed properties, structure properties and other properties,
2541         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
2542         for all loops before we execute any enumeration.
2543
2544         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
2545         The named properties are one list, with structure properties in the range [0,m_endStructurePropertyIndex)
2546         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
2547
2548         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
2549         op_next_enumerator_pname.
2550         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
2551         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
2552         end value we stop iterating on.
2553
2554         Made corresponding node changes to the DFG and FTL for the bytecode changes.
2555
2556         * bytecode/BytecodeList.json:
2557         * bytecode/BytecodeUseDef.h:
2558         (JSC::computeUsesForBytecodeOffset):
2559         (JSC::computeDefsForBytecodeOffset):
2560         * bytecode/CodeBlock.cpp:
2561         (JSC::CodeBlock::dumpBytecode):
2562         * bytecompiler/BytecodeGenerator.cpp:
2563         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
2564         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
2565         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
2566         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
2567         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
2568         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
2569         * bytecompiler/BytecodeGenerator.h:
2570         * bytecompiler/NodesCodegen.cpp:
2571         (JSC::ForInNode::emitMultiLoopBytecode):
2572         * dfg/DFGAbstractInterpreterInlines.h:
2573         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2574         * dfg/DFGByteCodeParser.cpp:
2575         (JSC::DFG::ByteCodeParser::parseBlock):
2576         * dfg/DFGCapabilities.cpp:
2577         (JSC::DFG::capabilityLevel):
2578         * dfg/DFGClobberize.h:
2579         (JSC::DFG::clobberize):
2580         * dfg/DFGDoesGC.cpp:
2581         (JSC::DFG::doesGC):
2582         * dfg/DFGFixupPhase.cpp:
2583         (JSC::DFG::FixupPhase::fixupNode):
2584         * dfg/DFGNodeType.h:
2585         * dfg/DFGPredictionPropagationPhase.cpp:
2586         (JSC::DFG::PredictionPropagationPhase::propagate):
2587         * dfg/DFGSafeToExecute.h:
2588         (JSC::DFG::safeToExecute):
2589         * dfg/DFGSpeculativeJIT32_64.cpp:
2590         (JSC::DFG::SpeculativeJIT::compile):
2591         * dfg/DFGSpeculativeJIT64.cpp:
2592         (JSC::DFG::SpeculativeJIT::compile):
2593         * ftl/FTLAbstractHeapRepository.h:
2594         * ftl/FTLCapabilities.cpp:
2595         (JSC::FTL::canCompile):
2596         * ftl/FTLLowerDFGToLLVM.cpp:
2597         (JSC::FTL::LowerDFGToLLVM::compileNode):
2598         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2599         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
2600         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
2601         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
2602         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
2603         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
2604         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
2605         * jit/JIT.cpp:
2606         (JSC::JIT::privateCompileMainPass):
2607         * jit/JIT.h:
2608         * jit/JITOpcodes.cpp:
2609         (JSC::JIT::emit_op_enumerator_structure_pname):
2610         (JSC::JIT::emit_op_enumerator_generic_pname):
2611         (JSC::JIT::emit_op_get_property_enumerator):
2612         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2613         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
2614         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
2615         * jit/JITOpcodes32_64.cpp:
2616         (JSC::JIT::emit_op_enumerator_structure_pname):
2617         (JSC::JIT::emit_op_enumerator_generic_pname):
2618         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2619         * jit/JITOperations.cpp:
2620         * jit/JITOperations.h:
2621         * llint/LowLevelInterpreter.asm:
2622         * runtime/CommonSlowPaths.cpp:
2623         (JSC::SLOW_PATH_DECL):
2624         * runtime/CommonSlowPaths.h:
2625         * runtime/JSPropertyNameEnumerator.cpp:
2626         (JSC::JSPropertyNameEnumerator::create):
2627         (JSC::JSPropertyNameEnumerator::finishCreation):
2628         * runtime/JSPropertyNameEnumerator.h:
2629         (JSC::JSPropertyNameEnumerator::indexedLength):
2630         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
2631         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
2632         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
2633         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
2634         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
2635         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
2636         (JSC::propertyNameEnumerator):
2637         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
2638         (JSC::structurePropertyNameEnumerator): Deleted.
2639         (JSC::genericPropertyNameEnumerator): Deleted.
2640         * runtime/Structure.cpp:
2641         (JSC::Structure::setCachedPropertyNameEnumerator):
2642         (JSC::Structure::cachedPropertyNameEnumerator):
2643         (JSC::Structure::canCachePropertyNameEnumerator):
2644         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
2645         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
2646         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
2647         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
2648         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
2649         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
2650         * runtime/Structure.h:
2651         * runtime/StructureRareData.cpp:
2652         (JSC::StructureRareData::visitChildren):
2653         (JSC::StructureRareData::cachedPropertyNameEnumerator):
2654         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
2655         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
2656         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
2657         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
2658         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
2659         * runtime/StructureRareData.h:
2660         * tests/stress/for-in-delete-during-iteration.js:
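
        Added example (an editor's illustration, not code from this entry or from JSC): a model of the
        for...in enumeration contract this change restores, run side by side with the host engine's own
        for...in. The key list is snapshotted once before the loop body runs, mirroring the enumerator
        described above that holds an indexed count plus one named-property list, so a property added
        inside the loop is never visited and a snapshotted key deleted before its turn is skipped. The
        object, keys and loop body below are constructed for the illustration.

```javascript
// Added example, not JSC code: models the for...in key order and the
// snapshot-then-revisit behaviour, and checks it against native for...in.

// Returns the keys a conforming for...in visits over `obj`, invoking
// `body(key)` for each one in order, just as a loop body would run.
function enumerateForIn(obj, body = () => {}) {
  const visited = new Set();
  const plan = [];
  // Phase 1: snapshot. Per object on the prototype chain, own string keys in
  // [[OwnPropertyKeys]] order (array indices ascending, then insertion order).
  // A name counts as seen even when non-enumerable, so an own non-enumerable
  // property shadows an enumerable one further up the chain.
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    for (const key of Object.getOwnPropertyNames(o)) {
      if (visited.has(key)) continue;
      visited.add(key);
      plan.push({ holder: o, key });
    }
  }
  // Phase 2: visit. Re-check each snapshotted key when its turn comes, so
  // deletions made by the loop body are honoured; additions stay invisible
  // because they were never snapshotted.
  const result = [];
  for (const { holder, key } of plan) {
    const desc = Object.getOwnPropertyDescriptor(holder, key);
    if (desc === undefined || !desc.enumerable) continue;
    result.push(key);
    body(key);
  }
  return result;
}

// Same driver over the engine's native for...in, for comparison.
function nativeForIn(obj, body = () => {}) {
  const result = [];
  for (const key in obj) {
    result.push(key);
    body(key);
  }
  return result;
}

// Constructed scenario: indexed, own named and inherited keys, with one
// property added and another deleted while the loop runs.
function makeScenario() {
  const proto = { inherited: 1 };
  const obj = Object.create(proto);
  obj[3] = 'c';
  obj[1] = 'a';
  obj.x = 'x';
  obj.y = 'y';
  return obj;
}

function runScenario(enumerate) {
  const obj = makeScenario();
  return enumerate(obj, key => {
    if (key === '1') {
      obj.addedInLoop = true; // added during the loop: must not be visited
      delete obj.y;           // snapshotted, but gone before its turn
    }
  });
}

// Expected from both enumerators: ['1', '3', 'x', 'inherited']
```

        A regression of the kind this entry fixes shows up as a difference between the two result
        arrays (extra keys such as addedInLoop from the native loop), which makes runScenario a cheap
        engine-conformance check.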
2661
2662 2015-03-24  Michael Saboff  <msaboff@apple.com>
2663
2664         Unreviewed build fix for debug builds.
2665
2666         * runtime/ExceptionHelpers.cpp:
2667         (JSC::invalidParameterInSourceAppender):
2668
2669 2015-03-24  Saam Barati  <saambarati1@gmail.com>
2670
2671         Improve error messages in JSC
2672         https://bugs.webkit.org/show_bug.cgi?id=141869
2673
2674         Reviewed by Geoffrey Garen.
2675
2676         JavaScriptCore has some unintuitive error messages associated
2677         with certain common errors. This patch changes some specific
2678         error messages to be more understandable and also creates a
2679         mechanism that will allow for easy modification of error messages
2680         in the future. The specific errors we change are "not a function"
2681         errors and "invalid parameter" errors.
2682
2683         * CMakeLists.txt:
2684         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2685         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2686         * JavaScriptCore.xcodeproj/project.pbxproj:
2687         * interpreter/Interpreter.cpp:
2688         (JSC::sizeOfVarargs):
2689         * jit/JITOperations.cpp:
2690         op_throw_static_error always has a JSString as its argument.
2691         There is no need to dance around this, and we should assert
2692         that this always holds. This JSString represents the error
2693         message we want to display to the user, so there is no need
2694         to pass it into errorDescriptionForValue which will now place
2695         quotes around the string.
2696
2697         * llint/LLIntSlowPaths.cpp:
2698         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2699         * runtime/CommonSlowPaths.h:
2700         (JSC::CommonSlowPaths::opIn):
2701         * runtime/ErrorInstance.cpp:
2702         (JSC::ErrorInstance::ErrorInstance):
2703         * runtime/ErrorInstance.h:
2704         (JSC::ErrorInstance::hasSourceAppender):
2705         (JSC::ErrorInstance::sourceAppender):
2706         (JSC::ErrorInstance::setSourceAppender):
2707         (JSC::ErrorInstance::clearSourceAppender):
2708         (JSC::ErrorInstance::setRuntimeTypeForCause):
2709         (JSC::ErrorInstance::runtimeTypeForCause):
2710         (JSC::ErrorInstance::clearRuntimeTypeForCause):
2711         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
2712         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
2713         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
2714         * runtime/ExceptionHelpers.cpp:
2715         (JSC::errorDescriptionForValue):
2716         (JSC::defaultApproximateSourceError):
2717         (JSC::defaultSourceAppender):
2718         (JSC::functionCallBase):
2719         (JSC::notAFunctionSourceAppender):
2720         (JSC::invalidParameterInSourceAppender):
2721         (JSC::invalidParameterInstanceofSourceAppender):
2722         (JSC::createError):
2723         (JSC::createInvalidFunctionApplyParameterError):
2724         (JSC::createInvalidInParameterError):
2725         (JSC::createInvalidInstanceofParameterError):
2726         (JSC::createNotAConstructorError):
2727         (JSC::createNotAFunctionError):
2728         (JSC::createNotAnObjectError):
2729         (JSC::createInvalidParameterError): Deleted.
2730         * runtime/ExceptionHelpers.h:
2731         * runtime/JSObject.cpp:
2732         (JSC::JSObject::hasInstance):
2733         * runtime/RuntimeType.cpp: Added.
2734         (JSC::runtimeTypeForValue):
2735         (JSC::runtimeTypeAsString):
2736         * runtime/RuntimeType.h: Added.
2737         * runtime/TypeProfilerLog.cpp:
2738         (JSC::TypeProfilerLog::processLogEntries):
2739         * runtime/TypeSet.cpp:
2740         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
2741         * runtime/TypeSet.h:
2742         * runtime/VM.cpp:
2743         (JSC::appendSourceToError):
2744         (JSC::VM::throwException):
2745
2746 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
2747
2748         JSC should have a low-cost asynchronous disassembler
2749         https://bugs.webkit.org/show_bug.cgi?id=142997
2750
2751         Reviewed by Mark Lam.
2752         
2753         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
2754         doesn't block execution. Some code will live a little longer because of this, since the
2755         work tasks hold a ref to the code, but other than that there is basically no overhead.
2756         
2757         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
2758         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
2759         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
2760         JSC_asyncDisassembly has bizarre behavior - so just choose one.
2761         
2762         A simple way of understanding how great this is, is to run a small benchmark like
2763         V8Spider/earley-boyer.
2764         
2765         Performance without any disassembly flags: 60ms
2766         Performance with JSC_showDisassembly=true: 477ms
2767         Performance with JSC_asyncDisassembly=true: 65ms
2768         
2769         So, the overhead of disassembly goes from 8x to 8%.
2770         
2771         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
2772         measuring benchmark performance. This is because at VM exit, we wait for all async
2773         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
2774         after the benchmark completely finishes to finish the disassemblies. This small weirdness
2775         should be OK for the intended use-cases, since all you have to do to get around it is to
2776         measure the execution time of the benchmark payload rather than the end-to-end time of
2777         launching the VM.
2778
2779         * assembler/LinkBuffer.cpp:
2780         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2781         * assembler/LinkBuffer.h:
2782         (JSC::LinkBuffer::wasAlreadyDisassembled):
2783         (JSC::LinkBuffer::didAlreadyDisassemble):
2784         * dfg/DFGJITCompiler.cpp:
2785         (JSC::DFG::JITCompiler::disassemble):
2786         * dfg/DFGJITFinalizer.cpp:
2787         (JSC::DFG::JITFinalizer::finalize):
2788         (JSC::DFG::JITFinalizer::finalizeFunction):
2789         * disassembler/Disassembler.cpp:
2790         (JSC::disassembleAsynchronously):
2791         (JSC::waitForAsynchronousDisassembly):
2792         * disassembler/Disassembler.h:
2793         * ftl/FTLCompile.cpp:
2794         (JSC::FTL::mmAllocateDataSection):
2795         * ftl/FTLLink.cpp:
2796         (JSC::FTL::link):
2797         * jit/JIT.cpp:
2798         (JSC::JIT::privateCompile):
2799         * jsc.cpp:
2800         * runtime/Options.h:
2801         * runtime/VM.cpp:
2802         (JSC::VM::~VM):
2803
2804 2015-03-23  Dean Jackson  <dino@apple.com>
2805
2806         ES7: Implement Array.prototype.includes
2807         https://bugs.webkit.org/show_bug.cgi?id=142707
2808
2809         Reviewed by Geoffrey Garen.
2810
2811         Add support for the ES7 includes method on Arrays.
2812         https://github.com/tc39/Array.prototype.includes
2813
2814         * builtins/Array.prototype.js:
2815         (includes): Implementation in JS.
2816         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
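
        Added example (an editor's illustration, not the builtins/Array.prototype.js implementation
        this entry adds): a spec-shaped Array.prototype.includes written as a plain function so it can
        be compared with the host engine's native method. The sample arrays and cases are constructed
        for the illustration.

```javascript
// Added example, not JSC's builtins/Array.prototype.js. What sets includes
// apart from indexOf: SameValueZero comparison (NaN finds NaN) and holes in
// sparse arrays reading as undefined, because the algorithm uses ordinary
// property access rather than a HasProperty check.

function sameValueZero(x, y) {
  return x === y || (Number.isNaN(x) && Number.isNaN(y));
}

// ToIntegerOrInfinity: NaN -> 0, +/-Infinity kept, otherwise truncated.
function toIntegerOrInfinity(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// arrayIncludes(arrayLike, searchElement[, fromIndex]) -> boolean
function arrayIncludes(arrayLike, searchElement, fromIndex) {
  if (arrayLike === null || arrayLike === undefined) {
    throw new TypeError('Array.prototype.includes called on null or undefined');
  }
  const o = Object(arrayLike);
  const len = Math.min(Math.max(toIntegerOrInfinity(o.length), 0), Number.MAX_SAFE_INTEGER);
  if (len === 0) return false;
  let k = toIntegerOrInfinity(fromIndex); // undefined -> 0
  if (k < 0) k = Math.max(len + k, 0);    // a negative fromIndex counts from the end
  for (; k < len; k++) {
    if (sameValueZero(o[k], searchElement)) return true;
  }
  return false;
}

// Runs each [array, searchElement, fromIndex] case through both
// implementations and reports whether they agree everywhere.
function agreesWithNative(cases) {
  return cases.every(([arr, search, from]) =>
    arrayIncludes(arr, search, from) === arr.includes(search, from));
}

// Constructed cases covering NaN, holes, -0, negative and out-of-range fromIndex.
const sampleCases = [
  [[1, 2, NaN], NaN, undefined],
  [[1, , 3], undefined, undefined],
  [[1, 2, 3], 3, -1],
  [[1, 2, 3], 1, -1],
  [[1, 2, 3], 1, 5],
  [[0], -0, undefined],
];
```

        The NaN case is the practical difference: [1, 2, NaN].indexOf(NaN) is -1, while includes
        returns true, so code that guards on indexOf(x) !== -1 and code that guards on includes(x)
        disagree exactly on NaN.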
2817
2818 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2819
2820         __defineGetter__/__defineSetter__ should throw exceptions
2821         https://bugs.webkit.org/show_bug.cgi?id=142934
2822
2823         Reviewed by Geoffrey Garen.
2824
2825         * runtime/ObjectPrototype.cpp:
2826         (JSC::objectProtoFuncDefineGetter):
2827         (JSC::objectProtoFuncDefineSetter):
2828         Throw exceptions when these functions are used directly.
2829
2830 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2831
2832         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
2833         https://bugs.webkit.org/show_bug.cgi?id=142952
2834
2835         Reviewed by Geoffrey Garen.
2836
2837         * runtime/Structure.cpp:
2838         (JSC::PropertyTable::checkConsistency):
2839         The check offset method doesn't exist in PropertyTable, it exists in Structure.
2840
2841         (JSC::Structure::checkConsistency):
2842         So move it here, and always put it at the start to match normal behavior.
2843
2844 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2845
2846         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
2847         https://bugs.webkit.org/show_bug.cgi?id=142956
2848
2849         Rubber stamped by Gyuyoung Kim.
2850         
2851         Just removing dead code.
2852
2853         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2854         * JavaScriptCore.xcodeproj/project.pbxproj:
2855         * dfg/DFGOSRExit.h:
2856         * dfg/DFGOSRExitCompiler.cpp:
2857         * dfg/DFGValueRecoveryOverride.h: Removed.
2858
2859 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2860
2861         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
2862         https://bugs.webkit.org/show_bug.cgi?id=142948
2863
2864         Reviewed by Sam Weinig.
2865         
2866         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
2867         since a signal may clobber the area below the stack pointer. When the DFG is executing,
2868         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
2869         baseline, we will use a different amount of stack. This is because baseline is a different
2870         compiler. It will make different decisions. So it will use a different amount of stack.
2871         
2872         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
2873         incrementally transforming the stack from how it looked in the DFG to how it will look in
2874         baseline. The most conservative approach would be to set the stack pointer to the max of
2875         DFG and baseline.
2876         
2877         When this code was written, a reckless assumption was made: that the stack usage in
2878         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
2879         assumption, the code first adjusts the stack pointer to account for the baseline stack
2880         usage. This sort of usually works, because usually baseline does happen to use more stack.
2881         But that's not an invariant. Nobody guarantees this. We will never make any changes that
2882         would make this be guaranteed, because that would be antithetical to how optimizing
2883         compilers work. The DFG should be allowed to use however much stack it decides that it
2884         should use in order to get good performance, and it shouldn't try to guarantee that it
2885         always uses less stack than baseline.
2886         
2887         As such, we must always assume that the frame size for DFG execution (i.e.
2888         frameRegisterCount) and the frame size in baseline once we exit (i.e.
2889         requiredRegisterCountForExit) are two independent quantities and they have no
2890         relationship.
2891         
2892         Fortunately, though, this code can be made correct by just moving the stack adjustment to
2893         just before we do conversions. This is because we have since changed the OSR exit
2894         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
2895         drop it out of the scratch buffer and into the stack according to the baseline layout. The
2896         point just before conversions is the point where we have finished reading the DFG frame
2897         and will not read it anymore, and we haven't started writing the baseline frame. So, at
2898         this point it is safe to set the stack pointer to account for the frame size at exit.
2899         
2900         This is benign because baseline happens to create larger frames than DFG.
2901
2902         * dfg/DFGOSRExitCompiler32_64.cpp:
2903         (JSC::DFG::OSRExitCompiler::compileExit):
2904         * dfg/DFGOSRExitCompiler64.cpp:
2905         (JSC::DFG::OSRExitCompiler::compileExit):
2906         * dfg/DFGOSRExitCompilerCommon.cpp:
2907         (JSC::DFG::adjustAndJumpToTarget):
2908
2909 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2910
2911         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
2912
2913         Rubber stamped by Sam Weinig.
2914
2915         * tests/stress/equals-masquerader.js:
2916
2917 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2918
2919         tests/stress/*tdz* tests do 10x more iterations than necessary
2920         https://bugs.webkit.org/show_bug.cgi?id=142946
2921
2922         Reviewed by Ryosuke Niwa.
2923         
2924         The stress test harness runs all of these tests in various configurations. This includes
2925         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
2926         enough to get to the highest tier. The only exceptions are very large functions or
2927         functions that have some reoptimizations. That happens rarely, and when it does happen,
2928         usually 20,000 iterations is enough.
2929         
2930         Therefore, these tests use 10x too many iterations. This is bad, since these tests
2931         allocate on each iteration, and so they run very slowly in debug mode.
2932
2933         * tests/stress/class-syntax-no-loop-tdz.js:
2934         * tests/stress/class-syntax-no-tdz-in-catch.js:
2935         * tests/stress/class-syntax-no-tdz-in-conditional.js:
2936         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
2937         * tests/stress/class-syntax-no-tdz-in-loop.js:
2938         * tests/stress/class-syntax-no-tdz.js:
2939         * tests/stress/class-syntax-tdz-in-catch.js:
2940         * tests/stress/class-syntax-tdz-in-conditional.js:
2941         * tests/stress/class-syntax-tdz-in-loop.js:
2942         * tests/stress/class-syntax-tdz.js:
2943
2944 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2945
2946         Fix a typo in Parser error message
2947         https://bugs.webkit.org/show_bug.cgi?id=142942
2948
2949         Reviewed by Alexey Proskuryakov.
2950
2951         * jit/JITPropertyAccess.cpp:
2952         (JSC::JIT::emitSlow_op_resolve_scope):
2953         * jit/JITPropertyAccess32_64.cpp:
2954         (JSC::JIT::emitSlow_op_resolve_scope):
2955         * parser/Parser.cpp:
2956         (JSC::Parser<LexerType>::parseClass):
2957         Fix a common identifier typo.
2958
2959 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2960
2961         Computed Property names should allow only AssignmentExpressions not any Expression
2962         https://bugs.webkit.org/show_bug.cgi?id=142902
2963
2964         Reviewed by Ryosuke Niwa.
2965
2966         * parser/Parser.cpp:
2967         (JSC::Parser<LexerType>::parseProperty):
2968         Limit computed expressions to just assignment expressions instead of
2969         any expression (which allowed comma expressions).
2970
2971 2015-03-21  Andreas Kling  <akling@apple.com>
2972
2973         Make UnlinkedFunctionExecutable fit in a 128-byte cell.
2974         <https://webkit.org/b/142939>
2975
2976         Reviewed by Mark Hahnenberg.
2977
2978         Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
2979         a 128-byte heap cell instead of requiring a 256-byte one.
2980
2981         Threw in a static_assert to catch anyone pushing it over the limit again.
2982
2983         * bytecode/UnlinkedCodeBlock.cpp:
2984         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2985         * bytecode/UnlinkedCodeBlock.h:
2986         (JSC::UnlinkedFunctionExecutable::functionMode):
2987
2988 2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>
2989
2990         GCTimer should keep track of nested GC phases
2991         https://bugs.webkit.org/show_bug.cgi?id=142675
2992
2993         Reviewed by Darin Adler.
2994
2995         This improves the GC phase timing output in Heap.cpp by linking
2996         phases nested inside other phases together, allowing tools
2997         to compute how much time we're spending in various nested phases.
2998
2999         * heap/Heap.cpp:
3000
3001 2015-03-20  Geoffrey Garen  <ggaren@apple.com>
3002
3003         FunctionBodyNode should know where its parameters started
3004         https://bugs.webkit.org/show_bug.cgi?id=142926
3005
3006         Reviewed by Ryosuke Niwa.
3007
3008         This will allow us to re-parse parameters instead of keeping the
3009         parameters piece of the AST around forever.
3010
3011         I also took the opportunity to initialize most FunctionBodyNode data
3012         members at construction time, to help clarify that they are set right.
3013
3014         * parser/ASTBuilder.h:
3015         (JSC::ASTBuilder::createFunctionExpr): No need to pass
3016         functionKeywordStart here; we now provide it at FunctionBodyNode
3017         creation time.
3018
3019         (JSC::ASTBuilder::createFunctionBody): Require everything we need at
3020         construction time, including the start of our parameters.
3021
3022         (JSC::ASTBuilder::createGetterOrSetterProperty):
3023         (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
3024         functionKeywordStart here; we now provide it at FunctionBodyNode
3025         creation time.
3026
3027         (JSC::ASTBuilder::setFunctionNameStart): Deleted.
3028
3029         * parser/Nodes.cpp:
3030         (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
3031         construction time.
3032
3033         * parser/Nodes.h: Added a field for the location of our parameters.
3034
3035         * parser/Parser.cpp:
3036         (JSC::Parser<LexerType>::parseFunctionBody):
3037         (JSC::Parser<LexerType>::parseFunctionInfo):
3038         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3039         (JSC::Parser<LexerType>::parseClass):
3040         (JSC::Parser<LexerType>::parsePropertyMethod):
3041         (JSC::Parser<LexerType>::parseGetterSetter):
3042         (JSC::Parser<LexerType>::parsePrimaryExpression):
3043         * parser/Parser.h: Refactored to match above interface changes.
3044
3045         * parser/SyntaxChecker.h:
3046         (JSC::SyntaxChecker::createFunctionExpr):
3047         (JSC::SyntaxChecker::createFunctionBody):
3048         (JSC::SyntaxChecker::createFuncDeclStatement):
3049         (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
3050         above interface changes.
3051
3052         (JSC::SyntaxChecker::setFunctionNameStart): Deleted.
3053
3054 2015-03-20  Filip Pizlo  <fpizlo@apple.com>
3055
3056         Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
3057         https://bugs.webkit.org/show_bug.cgi?id=142920
3058
3059         Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
3060         
3061         Observably effectful, n.: If we reexecute the bytecode instruction after this node has
3062         executed, then something other than the bytecode instruction's specified outcome will
3063         happen.
3064
3065         We almost never had observably effectful nodes except at the end of the bytecode
3066         instruction.  The exception is a lowered transitioning PutById:
3067
3068         PutStructure(@o, S1 -> S2)
3069         PutByOffset(@o, @o, @v)
3070
3071         The PutStructure is observably effectful: if you try to reexecute the bytecode after
3072         doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
3073         first checking what the old structure of the object is; but if we reexecute, the old
3074         structure will seem to be the new structure.  But the property ensured by the new
3075         structure hasn't been stored yet, so any attempt to load it or scan it will crash.
3076
3077         Intriguingly, however, none of the other operations involved in the PutById are
3078         observably effectful.  Consider this example:
3079
3080         PutByOffset(@o, @o, @v)
3081         PutStructure(@o, S1 -> S2)
3082
3083         Note that the PutStructure node doesn't reallocate property storage; see further below
3084         for an example that does that. Because no property storage reallocation is happening, we know
3085         that we already had room for the new property.  This means that the PutByOffset is not observable
3086         until the PutStructure executes and "reveals" the property.  Hence, PutByOffset is not
3087         observably effectful.
3088
3089         Now consider this:
3090
3091         b: AllocatePropertyStorage(@o)
3092         PutByOffset(@b, @o, @v)
3093         PutStructure(@o, S1 -> S2)
3094
3095         Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
3096         effectful. It *does* reallocate the property storage and the new property storage pointer
3097         is stored into the object. But until the PutStructure occurs, the world will just think
3098         that the reallocation didn't happen, in the sense that we'll think that the property
3099         storage is using less memory than what we just allocated. That's harmless.
3100
3101         The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
3102         AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
3103         everything could be expected to be fine, so long as all of @o, @v and @b are on the
3104         stack. If they are all on the stack, then the GC will leave the property storage alone
3105         (so the extra memory we just allocated would be safe). The GC will not scan the part of
3106         the property storage that contains @v, but that's fine, so long as @v is on the stack.
3107         
3108         The better long-term solution is probably bug 142921.
3109         
3110         But for now, this:
3111         
3112         - Fixes an object materialization bug, exemplified by the two tests, that previously
3113           crashed 100% of the time with FTL enabled and concurrent JIT disabled.
3114         
3115         - Allows us to remove the workaround introduced in r174856.
3116
3117         * dfg/DFGByteCodeParser.cpp:
3118         (JSC::DFG::ByteCodeParser::handlePutById):
3119         * dfg/DFGConstantFoldingPhase.cpp:
3120         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3121         * dfg/DFGFixupPhase.cpp:
3122         (JSC::DFG::FixupPhase::insertCheck):
3123         (JSC::DFG::FixupPhase::indexOfNode): Deleted.
3124         (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
3125         * dfg/DFGInsertionSet.h:
3126         (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
3127         (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
3128         * tests/stress/materialize-past-butterfly-allocation.js: Added.
3129         (bar):
3130         (foo0):
3131         (foo1):
3132         (foo2):
3133         (foo3):
3134         (foo4):
3135         * tests/stress/materialize-past-put-structure.js: Added.
3136         (foo):
3137
3138 2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3139
3140         REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
3141         https://bugs.webkit.org/show_bug.cgi?id=142410
3142
3143         Reviewed by Geoffrey Garen.
3144
3145         Before this patch, the added function JSValue::toPropertyKey returned PropertyName.
3146         Since PropertyName doesn't have AtomicStringImpl ownership,
3147         if an Identifier is implicitly converted to PropertyName and the Identifier is destructed,
3148         the PropertyName may refer to a freed AtomicStringImpl*.
3149
3150         This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
3151         to keep AtomicStringImpl* ownership after the toPropertyName call is done.
3152         The result value is then received as Identifier type to keep ownership on the caller side.
3153
3154         To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
3155
3156         However, now we don't need to have both Identifier and PropertyName.
3157         So we'll merge PropertyName to Identifier in the subsequent patch.
3158
3159         * dfg/DFGOperations.cpp:
3160         (JSC::DFG::operationPutByValInternal):
3161         * jit/JITOperations.cpp:
3162         (JSC::getByVal):
3163         * llint/LLIntSlowPaths.cpp:
3164         (JSC::LLInt::getByVal):
3165         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3166         * runtime/CommonSlowPaths.cpp:
3167         (JSC::SLOW_PATH_DECL):
3168         * runtime/CommonSlowPaths.h:
3169         (JSC::CommonSlowPaths::opIn):
3170         * runtime/JSCJSValue.h:
3171         * runtime/JSCJSValueInlines.h:
3172         (JSC::JSValue::toPropertyKey):
3173         * runtime/ObjectConstructor.cpp:
3174         (JSC::objectConstructorGetOwnPropertyDescriptor):
3175         (JSC::objectConstructorDefineProperty):
3176         * runtime/ObjectPrototype.cpp:
3177         (JSC::objectProtoFuncPropertyIsEnumerable):
3178
2015-03-18  Geoffrey Garen  <ggaren@apple.com>

        Function.prototype.toString should not decompile the AST
        https://bugs.webkit.org/show_bug.cgi?id=142853

        Reviewed by Sam Weinig.

        To recover the function parameter string, Function.prototype.toString
        decompiles the function parameters from the AST. This is bad for a few
        reasons:

        (1) It requires us to keep pieces of the AST live forever. This is an
        awkward design and a waste of memory.

        (2) It doesn't match Firefox or Chrome (because it changes whitespace
        and ES6 destructuring expressions).

        (3) It doesn't scale to ES6 default argument parameters, which require
        arbitrarily complex decompilation.

        (4) It can counterfeit all the line numbers in a function (because
        whitespace can include newlines).

        (5) It's expensive, and we've seen cases where websites invoke
        Function.prototype.toString a lot by accident.

        The fix is to do what we do for the rest of the function: Just quote the
        original source text.

        Since this change inevitably changes some function stringification, I
        took the opportunity to make our stringification match Firefox's and
        Chrome's.

        * API/tests/testapi.c:
        (assertEqualsAsUTF8String): Be more informative when this fails.

        (main): Updated to match new stringification rules.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
        * bytecode/UnlinkedCodeBlock.h:

        * parser/Nodes.h:
        (JSC::StatementNode::isFuncDeclNode): New helper for constructing
        anonymous functions.

        * parser/SourceCode.h:
        (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use
        of function declaration over function expression.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::paramString): Deleted. Yay!
        * runtime/Executable.h:
        (JSC::FunctionExecutable::parameterCount):

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after
        the opening brace to match Firefox and Chrome, and a space after the comma
        to match Firefox and WebKit coding style. Added the function name to
        the text of the function so it would look right when stringify-ing. Switched
        from parentheses to braces to produce a function declaration instead of
        a function expression because we are required to exclude the function's
        name from its scope, and that's what a function declaration does.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString): Removed an old workaround because the
        library it worked around doesn't really exist anymore, and the behavior
        doesn't match Firefox or Chrome. Use type profiling offsets instead of
        function body offsets because we want to include the function name and
        the parameter string, rather than stitching them in manually by
        decompiling the AST.

        (JSC::insertSemicolonIfNeeded): Deleted.

        * tests/mozilla/js1_2/function/tostring-1.js:
        * tests/mozilla/js1_5/Scope/regress-185485.js:
        (with.g): Updated these test results for formatting changes.

2015-03-20  Joseph Pecoraro  <pecoraro@apple.com>

        SyntaxChecker assertion is trapped with computed property name and getter
        https://bugs.webkit.org/show_bug.cgi?id=142863

        Reviewed by Ryosuke Niwa.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::getName):
        Remove invalid assert. Computed properties will not have a name
        and the calling code is checking for null expecting it. The
        AST path (non-CheckingPath) already does this without the assert
        so it is well tested.

2015-03-19  Mark Lam  <mark.lam@apple.com>

        JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
        <https://webkit.org/b/142846>

        Reviewed by Geoffrey Garen.

        Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
        1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
           that a JSCallbackObject references.
        2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
           vm.heap.addFinalizer() which destroys the JSCallbackObject.

        The first finalizer is implemented as a virtual function of a JSCallbackObjectData
        instance that will be destructed if the 2nd finalizer is called.  Hence, if the
        2nd finalizer is called first, the later invocation of the 1st finalizer will
        result in a crash.

        This patch fixes the issue by eliminating the finalizer registration in init().
        Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
        if needed.  This ensures that these finalizers are called before the JSCallbackObject
        is destructed.

        Also added assertions to a few Heap functions because JSCell::classInfo() expects
        all objects that are allocated from MarkedBlock::Normal blocks to be derived from
        JSDestructibleObject.  These assertions will help us catch violations of this
        expectation earlier.

        * API/JSCallbackObject.cpp:
        (JSC::JSCallbackObjectData::finalize): Deleted.
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::~JSCallbackObjectData):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
        (JSC::JSCallbackObject<Parent>::init):
        * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
        (finalize):
        (testGlobalContextWithFinalizer):
        * API/tests/GlobalContextWithFinalizerTest.h: Added.
        * API/tests/testapi.c:
        (main):
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/HeapInlines.h:
        (JSC::Heap::allocateObjectOfType):
        (JSC::Heap::subspaceForObjectOfType):
        (JSC::Heap::allocatorForObjectOfType):

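The finalizer-ordering bug in the entry above, as an added example that is not WebKit's code: ClassRef, CallbackObjectData and CallbackObject are simplified stand-ins (assumed) for JSClassRef, JSCallbackObjectData and JSCallbackObject, and the heap's finalizer list is modelled as a vector of callables. The first function reproduces the pre-patch arrangement with the destroying finalizer run first; the second shows the post-patch arrangement, where the destructor itself runs the class finalizers on live data.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Constructed models of JSClassRef, JSCallbackObjectData and JSCallbackObject
// (assumption: simplified stand-ins for illustration, not JSC's own code).
struct ClassRef { bool finalizedWhileDataAlive = false; };

struct CallbackObjectData {
    std::vector<ClassRef*> classes;
    bool* destroyedFlag;   // set when this data object is destructed
    CallbackObjectData(std::vector<ClassRef*> c, bool* flag) : classes(c), destroyedFlag(flag) {}
    ~CallbackObjectData() { *destroyedFlag = true; }
    // The JSClassRef finalizers; they are only meaningful while this object exists.
    void finalize() { for (ClassRef* c : classes) c->finalizedWhileDataAlive = !*destroyedFlag; }
};

struct CallbackObject {
    std::unique_ptr<CallbackObjectData> data;
    explicit CallbackObject(std::unique_ptr<CallbackObjectData> d) : data(std::move(d)) {}
    // Post-patch: the destructor runs the class finalizers itself, so they always
    // precede destruction of data, whatever order the heap runs its finalizers in.
    ~CallbackObject() { data->finalize(); }
};

// Pre-patch arrangement: two independent heap finalizers, one calling through data and
// one deleting it. Returns true if running the deleting one first leaves the other to
// call through freed memory (modelled as a flag check rather than a real crash).
bool prePatchOrderIsUnsafe() {
    ClassRef cls;
    bool destroyed = false, touchedFreed = false;
    auto* data = new CallbackObjectData({&cls}, &destroyed);
    std::vector<std::function<void()>> heapFinalizers;
    heapFinalizers.push_back([&] { if (destroyed) touchedFreed = true; else data->finalize(); });
    heapFinalizers.push_back([&] { delete data; });
    heapFinalizers[1]();   // the heap happens to run the destroying finalizer first
    heapFinalizers[0]();
    return touchedFreed;   // true
}

// Post-patch arrangement: only the destroying finalizer remains (scope exit plays its
// role here); the destructor guarantees the class finalizers see live data.
bool postPatchFinalizesBeforeFree() {
    ClassRef cls;
    bool destroyed = false;
    { CallbackObject obj(std::unique_ptr<CallbackObjectData>(new CallbackObjectData({&cls}, &destroyed))); }
    return cls.finalizedWhileDataAlive && destroyed;   // true
}
```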
2015-03-19  Andreas Kling  <akling@apple.com>

        JSCallee unnecessarily overrides a bunch of things in the method table.
        <https://webkit.org/b/142855>

        Reviewed by Ge