[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-08  Filip Pizlo  <fpizlo@apple.com>

        DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
        https://bugs.webkit.org/show_bug.cgi?id=143532

        Reviewed by Gavin Barraclough.

        Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
        But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
        would think that there never was wrap-around.

        This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::isValid):

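        The entry above is about a guard that was itself written with signed overflow, which is undefined behaviour in C++, so an optimizing compiler is entitled to assume the wrap can never happen and delete the check. The block below is an added illustration, not the WebKit code from DFGIntegerCheckCombiningPhase.cpp: it shows the fragile pattern next to three well-defined ways to ask "does this int32 addition wrap?" (widening, unsigned modular arithmetic with a sign-bit test, and the GCC/Clang checked-arithmetic builtin). Function names and the `safeToCombine` wrapper are illustrative assumptions.

```cpp
#include <cstdint>
#include <limits>

// The fragile pattern (illustrative, not the WebKit code): signed overflow is
// undefined behaviour, so a compiler may assume `a + b` never wraps and fold
// the comparison to a constant `false`, silently deleting the guard.
bool wrapsNaive(int32_t a, int32_t b)
{
    int32_t sum = a + b; // undefined when the true sum does not fit in int32_t
    return b >= 0 ? sum < a : sum > a;
}

// Safe form 1: widen, then range-check. Nothing here can overflow because
// |a| + |b| always fits in int64_t.
bool wrapsWide(int32_t a, int32_t b)
{
    int64_t sum = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    return sum < std::numeric_limits<int32_t>::min()
        || sum > std::numeric_limits<int32_t>::max();
}

// Safe form 2: unsigned arithmetic is defined to wrap modulo 2^32. Compute the
// wrapped result there and read the answer off the sign bits: the addition
// overflowed iff a and b share a sign and the result's sign differs from both.
bool wrapsUnsigned(int32_t a, int32_t b)
{
    uint32_t ua = static_cast<uint32_t>(a);
    uint32_t ub = static_cast<uint32_t>(b);
    uint32_t wrapped = ua + ub;
    return ((ua ^ wrapped) & (ub ^ wrapped) & 0x80000000u) != 0;
}

// Safe form 3: let the compiler do it. GCC and Clang provide checked-arithmetic
// builtins that report overflow without ever evaluating an undefined expression;
// other compilers fall back to the widening form.
bool wrapsBuiltin(int32_t a, int32_t b)
{
#if defined(__GNUC__) || defined(__clang__)
    int32_t unused;
    return __builtin_add_overflow(a, b, &unused);
#else
    return wrapsWide(a, b);
#endif
}

// Guarding an optimization the way the entry describes: only combine the
// checks when the JavaScript-level addition cannot wrap, decided with
// well-defined C++ rather than with the overflow itself.
bool safeToCombine(int32_t index, int32_t offset)
{
    return !wrapsWide(index, offset);
}
```

        When auditing such guards, compile with `-fsanitize=undefined` (or `-ftrapv` for a quick check) and look at the optimized assembly: a guard that has been folded away leaves no compare instruction behind.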
2015-04-07  Michael Saboff  <msaboff@apple.com>

        Lazily initialize LogToSystemConsole flag to reduce memory usage
        https://bugs.webkit.org/show_bug.cgi?id=143506

        Reviewed by Mark Lam.

        Only call into CF preferences code when we need to in order to reduce memory usage.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
        (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
        (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
        (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):

2015-04-07  Benjamin Poulain  <benjamin@webkit.org>

        Get the features.json files ready for open contributions
        https://bugs.webkit.org/show_bug.cgi?id=143436

        Reviewed by Darin Adler.

        * features.json:

2015-04-07  Filip Pizlo  <fpizlo@apple.com>

        Constant folding of typed array properties should be handled by AI rather than strength reduction
        https://bugs.webkit.org/show_bug.cgi?id=143496

        Reviewed by Geoffrey Garen.

        Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
        phase and whatever other phase did the folding in order to find all constants.

        This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
        directly.

        This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
        found because all of the tests for it involved the property getting constant folded. I found that
        the codegen was bad because an earlier version of the patch broke that constant folding. This
        adds a new test for that node type, which makes constant folding impossible by allocating a new
        typed array every time. The lesson here is: if you write a test for something, run the test with
        full IR dumps to make sure it's actually testing the thing you want it to test.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::tryGetFoldableView):
        (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArray): Deleted.
        (JSC::DFG::Node::typedArray): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
        (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
        * tests/stress/fold-typed-array-properties.js:
        (foo):
        * tests/stress/typed-array-byte-offset.js: Added.
        (foo):

2015-04-07  Matthew Mirman  <mmirman@apple.com>

        Source and stack information should get appended only to native errors
        and should be added directly after construction rather than when thrown.
        This fixes frozen objects being unfrozen when thrown while conforming to
        ecma script standard and other browser behavior.
        rdar://problem/19927293
        https://bugs.webkit.org/show_bug.cgi?id=141871

        Reviewed by Geoffrey Garen.

        Appending stack, source, line, and column information to an object whenever that object is thrown
        is incorrect because it violates the ecma script standard for the behavior of throw.  Suppose for example
        that the object being thrown already has one of these properties or is frozen.  Adding the properties
        would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
        and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
        a control flow construct rather than just an error reporting mechanism.

        Because WebCore adds "native" errors which do not inherit from any JSC native error,
        appending the error properties as a separate call after construction of the error is required
        to avoid having to manually truncate the stack and gather local source information due to
        the stack being extended by a nested call to construct one of the native JSC errors.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * interpreter/Interpreter.h:
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::createError):
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createNotEnoughArgumentsError):
        (JSC::createURIError):
        (JSC::createOutOfMemoryError):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
        (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
        (JSC::addErrorInfo): Added special case for appending complete error info
        to a newly constructed error object.
        * runtime/Error.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/ErrorInstance.cpp:
        (JSC::appendSourceToError): Moved from VM.cpp
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
        (JSC::addErrorInfoAndGetBytecodeOffset):
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        (JSC::createInvalidInParameterError):
        (JSC::createInvalidInstanceofParameterError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        (JSC::throwOutOfMemoryError):
        (JSC::createStackOverflowError): Deleted.
        (JSC::createOutOfMemoryError): Deleted.
        * runtime/ExceptionHelpers.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::create):
        (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::Interpreter::callNativeErrorConstructor):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        (JSC::appendSourceToError): Moved to Error.cpp
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
        * tests/stress/freeze_leek.js: Added.

2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Show Symbol properties on Objects
        https://bugs.webkit.org/show_bug.cgi?id=141279

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Runtime.json:
        Give PropertyDescriptor a reference to the Symbol RemoteObject
        if the property is a symbol property.

        * inspector/InjectedScriptSource.js:
        Enumerate symbol properties on objects.

2015-04-07  Filip Pizlo  <fpizlo@apple.com>

        Make it possible to enable LLVM FastISel
        https://bugs.webkit.org/show_bug.cgi?id=143489

        Reviewed by Michael Saboff.

        The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
        against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
        if we should enable it.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVMImpl):
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMLinux.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/InitializeLLVMMac.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::getLLVMInitializerFunctionPOSIX):
        (JSC::initializeLLVMPOSIX): Deleted.
        * llvm/InitializeLLVMPOSIX.h:
        * llvm/InitializeLLVMWin.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/LLVMAPI.cpp:
        * llvm/LLVMAPI.h:
        * llvm/library/LLVMExports.cpp:
        (initCommandLine):
        (initializeAndGetJSCLLVMAPI):
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Darin Adler.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
        This patch checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Identifier.h:
        (JSC::isIndex):
        (JSC::parseIndex):
        * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
        (lookupWithKey):
        (toStringThrowsError.toString):

2015-04-06  Alberto Garcia  <berto@igalia.com>

        [GTK] Fix HPPA build
        https://bugs.webkit.org/show_bug.cgi?id=143453

        Reviewed by Darin Adler.

        Add HPPA to the list of supported CPUs.

        * CMakeLists.txt:

2015-04-06  Mark Lam  <mark.lam@apple.com>

        In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
        <https://webkit.org/b/143396>

        Reviewed by Filip Pizlo.

        The DFG was neglecting to set the result boolean.  The FTL was setting it with
        an inverted value.  Both of these are now resolved.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
        * tests/stress/for-in-array-mode.js: Added.
        (.):
        (test):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
        https://bugs.webkit.org/show_bug.cgi?id=143424

        Reviewed by Geoffrey Garen.

        In ES6, StringConstructor behavior becomes different from ToString abstract operations in the spec. (and JSValue::toString).

        ToString(symbol) throws a type error.
        However, String(symbol) produces SymbolDescriptiveString(symbol).

        So, in DFG and FTL phase, they should not inline StringConstructor to ToString.

        Now, in the template literals patch, ToString DFG operation is planned to be used.
        And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
        So instead of changing ToString behavior, this patch adds CallStringConstructor operation into DFG and FTL.
        In CallStringConstructor, all behavior in DFG analysis is the same.
        The only difference from ToString is that, when calling DFG operation functions, it calls
        operationCallStringConstructorOnCell and operationCallStringConstructor instead of
        operationToStringOnCell and operationToString.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::fixupToString): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
        (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
        * runtime/StringConstructor.cpp:
        (JSC::stringConstructor):
        (JSC::callStringConstructor):
        * runtime/StringConstructor.h:
        * tests/stress/symbol-and-string-constructor.js: Added.
        (performString):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Return Optional<uint32_t> from PropertyName::asIndex
        https://bugs.webkit.org/show_bug.cgi?id=143422

        Reviewed by Darin Adler.

        PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
        But it's not obvious to callers.

        This patch changes
        1. PropertyName::asIndex() to return Optional<uint32_t> and
        2. function name `asIndex()` to `parseIndex()`.
        It forces callers to check explicitly whether the value is an index or not.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        (JSC::Identifier::isSymbol):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        (JSC::toUInt32FromCharacters): Deleted.
        (JSC::toUInt32FromStringImpl): Deleted.
        (JSC::PropertyName::asIndex): Deleted.
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):

2015-04-05  Andreas Kling  <akling@apple.com>

        URI encoding/escaping should use efficient string building instead of calling snprintf().
        <https://webkit.org/b/143426>

        Reviewed by Gavin Barraclough.

        I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
        which seemed pretty silly. This change gets that down to nothing in favor of using our
        existing JSStringBuilder and HexNumber.h facilities.

        These APIs are well-exercised by our existing test suite.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::globalFuncEscape):

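        The entry above replaces per-byte snprintf("%%%02X") calls with table-driven hex emission into a string builder. The block below is an added, stand-alone illustration of that technique, not WebKit's JSC::encode or its JSStringBuilder/HexNumber.h code: a percent-encoder for UTF-8 byte strings that uses the encodeURIComponent unreserved set (ES5 15.1.3.4), plus a strict decoder for round-trip checks that rejects malformed escapes instead of passing them through. All function and table names are illustrative assumptions.

```cpp
#include <cstddef>
#include <string>

// Hex digits come from a 16-entry table rather than from a formatted print.
static const char kUpperHexDigits[] = "0123456789ABCDEF";

// Characters encodeURIComponent leaves unescaped (ES5 15.1.3.4):
// ASCII letters and digits plus - _ . ! ~ * ' ( )
static bool isUnreservedForComponent(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))
        return true;
    switch (c) {
    case '-': case '_': case '.': case '!': case '~': case '*': case '\'': case '(': case ')':
        return true;
    default:
        return false;
    }
}

// Percent-encode a UTF-8 byte string. Every byte outside the unreserved set
// becomes "%XX" in upper-case hex, so a multibyte UTF-8 sequence is emitted as
// one "%XX" per byte (e.g. "ü" -> "%C3%BC"), which is what the spec requires.
std::string percentEncodeComponent(const std::string& utf8)
{
    std::string out;
    out.reserve(utf8.size() * 3); // worst case: every byte escaped
    for (unsigned char c : utf8) {
        if (isUnreservedForComponent(c)) {
            out.push_back(static_cast<char>(c));
            continue;
        }
        out.push_back('%');
        out.push_back(kUpperHexDigits[c >> 4]);
        out.push_back(kUpperHexDigits[c & 0x0F]);
    }
    return out;
}

// Value of one hex digit, or -1 if the character is not a hex digit.
static int hexValue(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

// Strict inverse: returns false on a truncated escape ("abc%4") or a non-hex
// escape ("%G1") rather than copying the bad bytes through, which is the
// behaviour a decoder on a trust boundary should have.
bool percentDecode(const std::string& in, std::string& out)
{
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') {
            out.push_back(in[i]);
            continue;
        }
        if (i + 2 >= in.size())
            return false;
        int hi = hexValue(in[i + 1]);
        int lo = hexValue(in[i + 2]);
        if (hi < 0 || lo < 0)
            return false;
        out.push_back(static_cast<char>((hi << 4) | lo));
        i += 2;
    }
    return true;
}
```

        The `reserve(size * 3)` is what makes the builder approach cheap: the output is appended byte by byte with no reallocation and no format-string parsing, which is the cost the entry measured in snprintf().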
2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>

        documentation for ES Promises points to the wrong one
        https://bugs.webkit.org/show_bug.cgi?id=143263

        Reviewed by Darin Adler.

        * features.json:

2015-04-05  Simon Fraser  <simon.fraser@apple.com>

        Remove "go ahead and" from comments
        https://bugs.webkit.org/show_bug.cgi?id=143421

        Reviewed by Darin Adler, Benjamin Poulain.

        Remove the phrase "go ahead and" from comments where it doesn't add
        anything (which is almost all of them).

        * interpreter/JSStack.cpp:
        (JSC::JSStack::growSlowCase):

2015-04-04  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 Object.getOwnPropertySymbols
        https://bugs.webkit.org/show_bug.cgi?id=141106

        Reviewed by Geoffrey Garen.

        This patch implements `Object.getOwnPropertySymbols`.
        One technical issue is that, since we use private symbols (such as `@Object`) in the
        privileged JS code in `builtins/`, they should not be exposed.
        To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
        before adding it into PropertyNameArray.

        To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`
        since all private symbols are held in this map.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::isPrivateName):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::isPrivateName):
        * runtime/CommonIdentifiers.h:
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeSymbolProperties):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        (JSC::objectConstructorGetOwnPropertySymbols):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-own-property-symbols.js: Added.
        (forIn):
        * tests/stress/symbol-define-property.js: Added.
        (testSymbol):
        * tests/stress/symbol-seal-and-freeze.js: Added.
        * tests/stress/symbol-with-json.js: Added.

2015-04-03  Mark Lam  <mark.lam@apple.com>

        Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
        <https://webkit.org/b/143385>

        Reviewed by Geoffrey Garen.

        For debugging purposes, sometimes, we want to be able to make compilation happen
        sooner to see if we can accelerate the manifestation of certain events / bugs.
        Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
        which make up the compilation policy.  Let's add a single knob that can tune all
        the thresholds up / down in one go proportionately so that we can easily tweak
        how soon compilation occurs.

        * runtime/Options.cpp:
        (JSC::scaleJITPolicy):
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        is* API methods should be @properties
        https://bugs.webkit.org/show_bug.cgi?id=143388

        Reviewed by Mark Lam.

        This appears to be the preferred idiom in WebKit, CA, AppKit, and
        Foundation.

        * API/JSValue.h: Be @properties.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Use the @properties.

2015-04-03  Mark Lam  <mark.lam@apple.com>

        Some JSC Options refactoring and enhancements.
        <https://webkit.org/b/143384>

        Rubber stamped by Benjamin Poulain.

        Create a better encapsulated Option class to make working with options easier.  This
        is a building block towards a JIT policy scaling debugging option I will introduce later.

        This work entails:
        1. Convert Options::Option into a public class Option (which works closely with Options).
        2. Convert Options::EntryType into an enum class Options::Type and make it public.
        3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
        4. Add misc methods to class Option to make it more usable.

        * runtime/Options.cpp:
        (JSC::Options::dumpOption):
        (JSC::Option::dump):
        (JSC::Option::operator==):
        (JSC::Options::Option::dump): Deleted.
        (JSC::Options::Option::operator==): Deleted.
        * runtime/Options.h:
        (JSC::Option::Option):
        (JSC::Option::operator!=):
        (JSC::Option::name):
        (JSC::Option::description):
        (JSC::Option::type):
        (JSC::Option::isOverridden):
        (JSC::Option::defaultOption):
        (JSC::Option::boolVal):
        (JSC::Option::unsignedVal):
        (JSC::Option::doubleVal):
        (JSC::Option::int32Val):
        (JSC::Option::optionRangeVal):
        (JSC::Option::optionStringVal):
        (JSC::Option::gcLogLevelVal):
        (JSC::Options::Option::Option): Deleted.
        (JSC::Options::Option::operator!=): Deleted.

680 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
681
682         JavaScriptCore API should support type checking for Array and Date
683         https://bugs.webkit.org/show_bug.cgi?id=143324
684
685         Follow-up to address a comment by Dan.
686
687         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
688         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
689         is equal to 101100.
690
691 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
692
693         JavaScriptCore API should support type checking for Array and Date
694         https://bugs.webkit.org/show_bug.cgi?id=143324
695
696         Follow-up to address a comment by Dan.
697
698         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
699         Added a comment explaining why.
700
701 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
702
703         FTL JIT tests should fail if LLVM library isn't available
704         https://bugs.webkit.org/show_bug.cgi?id=143374
705
706         Reviewed by Mark Lam.
707
708         * dfg/DFGPlan.cpp:
709         (JSC::DFG::Plan::compileInThreadImpl):
710         * runtime/Options.h:
711
712 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
713
714         Fix the EFL and GTK build after r182243
715         https://bugs.webkit.org/show_bug.cgi?id=143361
716
717         Reviewed by Csaba Osztrogonác.
718
719         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
720         DerivedSources/JavaScriptCore/inspector/ directory.
721
722 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
723
724         Unreviewed, fixing Clang builds of the GTK port on Linux.
725
726         * runtime/Options.cpp:
727         Include the <math.h> header for isnan().
728
729 2015-04-02  Mark Lam  <mark.lam@apple.com>
730
731         Enhance ability to dump JSC Options.
732         <https://webkit.org/b/143357>
733
734         Reviewed by Benjamin Poulain.
735
736         Some enhancements to how the JSC options work:
737
738         1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
739            2 = All, 3 = Verbose.
740
741            The default is 0 (None).  This dumps nothing.
742            With the Overridden setting, at VM initialization time, we will dump all
743            option values that have been changed from their default.
744            With the All setting, at VM initialization time, we will dump all option values.
745            With the Verbose setting, at VM initialization time, we will dump all option
746            values along with their descriptions (if available).
747
748         2. We now store a copy of the default option values.
749
750            We later use this for comparison to tell if an option has been overridden, and
751            print the default value for reference.  As a result, we no longer need the
752            didOverride flag since we can compute whether the option is overridden at any time.
753
754         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
755
756            This will come in handy later when we want to rename some of the options to more sane
757            names that are easier to remember.  For example, we can change
758            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
759            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
760            of the description, we can afford to use shorter and less descriptive option names,
761            but they will be easier to remember and use for day to day debugging work.
762
763            In this patch, I did not change the names of any of the options yet.  I only added
764            description strings for options that I know about, and where I think the option name
765            isn't already descriptive enough.
766
767         4. Also deleted some unused code.
768
769         * jsc.cpp:
770         (CommandLine::parseArguments):
771         * runtime/Options.cpp:
772         (JSC::Options::initialize):
773         (JSC::Options::setOption):
774         (JSC::Options::dumpAllOptions):
775         (JSC::Options::dumpOption):
776         (JSC::Options::Option::dump):
777         (JSC::Options::Option::operator==):
778         * runtime/Options.h:
779         (JSC::OptionRange::rangeString):
780         (JSC::Options::Option::Option):
781         (JSC::Options::Option::operator!=):
782
783 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
784
785         JavaScriptCore API should support type checking for Array and Date
786         https://bugs.webkit.org/show_bug.cgi?id=143324
787
788         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
789
790         * API/JSValue.h:
791         * API/JSValue.mm:
792         (-[JSValue isArray]):
793         (-[JSValue isDate]): Added an ObjC API.
794
795         * API/JSValueRef.cpp:
796         (JSValueIsArray):
797         (JSValueIsDate):
798         * API/JSValueRef.h: Added a C API.
799
800         * API/WebKitAvailability.h: Brought our availability macros up to date
801         and fixed a harmless bug where "10_10" translated to "10.0".
802
803         * API/tests/testapi.c:
804         (main): Added a test and corrected a pre-existing leak.
805
806         * API/tests/testapi.mm:
807         (testObjectiveCAPI): Added a test.
808
809 2015-04-02  Mark Lam  <mark.lam@apple.com>
810
811         Add Options::dumpSourceAtDFGTime().
812         <https://webkit.org/b/143349>
813
814         Reviewed by Oliver Hunt, and Michael Saboff.
815
816         Sometimes, we will want to see the JS source code that we're compiling, and it
817         would be nice to be able to do this without having to jump through a lot of hoops.
818         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
819         Options::dumpBytecodeAtDFGTime() option.
820
821         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
822         that explicitly take no arguments (instead of relying on the version that takes
823         the default argument).  These versions are friendlier to use when we want to call
824         them from an interactive debugging session.
825
826         * bytecode/CodeBlock.cpp:
827         (JSC::CodeBlock::dumpSource):
828         (JSC::CodeBlock::dumpBytecode):
829         * bytecode/CodeBlock.h:
830         * dfg/DFGByteCodeParser.cpp:
831         (JSC::DFG::ByteCodeParser::parseCodeBlock):
832         * runtime/Options.h:
833
834 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
835
836         Clean up EnumerationMode to easily extend
837         https://bugs.webkit.org/show_bug.cgi?id=143276
838
839         Reviewed by Geoffrey Garen.
840
841         To make the following easy,
842         1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
843         2. Making ExcludeSymbols implicitly the default for the existing flags
844         we encapsulate the EnumerationMode flags into an EnumerationMode class.
845
846         And this class manages 2 flags. Later it will be extended to 3.
847         1. DontEnumPropertiesMode (default is Exclude)
848         2. JSObjectPropertiesMode (default is Include)
849         3. SymbolPropertiesMode (default is Exclude)
850             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
851
852         This patch replaces places using ExcludeDontEnumProperties
853         with the EnumerationMode() value, which represents the default mode.
854
855         * API/JSCallbackObjectFunctions.h:
856         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
857         * API/JSObjectRef.cpp:
858         (JSObjectCopyPropertyNames):
859         * bindings/ScriptValue.cpp:
860         (Deprecated::jsToInspectorValue):
861         * bytecode/ObjectAllocationProfile.h:
862         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
863         * runtime/ArrayPrototype.cpp:
864         (JSC::arrayProtoFuncSort):
865         * runtime/EnumerationMode.h:
866         (JSC::EnumerationMode::EnumerationMode):
867         (JSC::EnumerationMode::includeDontEnumProperties):
868         (JSC::EnumerationMode::includeJSObjectProperties):
869         (JSC::shouldIncludeDontEnumProperties): Deleted.
870         (JSC::shouldExcludeDontEnumProperties): Deleted.
871         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
872         (JSC::modeThatSkipsJSObject): Deleted.
873         * runtime/GenericArgumentsInlines.h:
874         (JSC::GenericArguments<Type>::getOwnPropertyNames):
875         * runtime/JSArray.cpp:
876         (JSC::JSArray::getOwnNonIndexPropertyNames):
877         * runtime/JSArrayBuffer.cpp:
878         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
879         * runtime/JSArrayBufferView.cpp:
880         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
881         * runtime/JSFunction.cpp:
882         (JSC::JSFunction::getOwnNonIndexPropertyNames):
883         * runtime/JSFunction.h:
884         * runtime/JSGenericTypedArrayViewInlines.h:
885         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
886         * runtime/JSLexicalEnvironment.cpp:
887         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
888         * runtime/JSONObject.cpp:
889         (JSC::Stringifier::Holder::appendNextProperty):
890         (JSC::Walker::walk):
891         * runtime/JSObject.cpp:
892         (JSC::getClassPropertyNames):
893         (JSC::JSObject::getOwnPropertyNames):
894         (JSC::JSObject::getOwnNonIndexPropertyNames):
895         (JSC::JSObject::getGenericPropertyNames):
896         * runtime/JSPropertyNameEnumerator.h:
897         (JSC::propertyNameEnumerator):
898         * runtime/JSSymbolTableObject.cpp:
899         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
900         * runtime/ObjectConstructor.cpp:
901         (JSC::objectConstructorGetOwnPropertyNames):
902         (JSC::objectConstructorKeys):
903         (JSC::defineProperties):
904         (JSC::objectConstructorSeal):
905         (JSC::objectConstructorFreeze):
906         (JSC::objectConstructorIsSealed):
907         (JSC::objectConstructorIsFrozen):
908         * runtime/RegExpObject.cpp:
909         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
910         (JSC::RegExpObject::getPropertyNames):
911         (JSC::RegExpObject::getGenericPropertyNames):
912         * runtime/StringObject.cpp:
913         (JSC::StringObject::getOwnPropertyNames):
914         * runtime/Structure.cpp:
915         (JSC::Structure::getPropertyNamesFromStructure):
916
917 2015-04-01  Alex Christensen  <achristensen@webkit.org>
918
919         Progress towards CMake on Windows and Mac.
920         https://bugs.webkit.org/show_bug.cgi?id=143293
921
922         Reviewed by Filip Pizlo.
923
924         * CMakeLists.txt:
925         Enabled using assembly on Windows.
926         Replaced unix commands with CMake commands.
927         * PlatformMac.cmake:
928         Tell open source builders where to find unicode headers.
929
930 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
931
932         IteratorClose should be called when jumping over the target for-of loop
933         https://bugs.webkit.org/show_bug.cgi?id=143140
934
935         Reviewed by Geoffrey Garen.
936
937         This patch fixes labeled break/continue behaviors with for-of and iterators.
938
939         1. Support IteratorClose beyond multiple loop contexts
940         Previously, IteratorClose was only executed in for-of's breakTarget().
941         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
942         For example,
943         outer: for (var e1 of outer) {
944             inner: for (var e2 of inner) {
945                 break outer;
946             }
947         }
948         In this case, the return method of inner should be called.
949         We leverage the existing system for `finally` to execute inner.return method correctly.
950         Leveraging `finally` system fixes `break`, `continue` and `return` cases.
951         `throw` case is already supported by emitting try-catch handlers in for-of.
952
953         2. Incorrect LabelScope creation is done in ForOfNode
954         ForOfNode creates duplicated LabelScope.
955         It causes an infinite loop when executing the following program, which contains
956         an explicitly labeled for-of loop.
957         For example,
958         inner: for (var elm of array) {
959             continue inner;
960         }
961
962         * bytecompiler/BytecodeGenerator.cpp:
963         (JSC::BytecodeGenerator::pushFinallyContext):
964         (JSC::BytecodeGenerator::pushIteratorCloseContext):
965         (JSC::BytecodeGenerator::popFinallyContext):
966         (JSC::BytecodeGenerator::popIteratorCloseContext):
967         (JSC::BytecodeGenerator::emitComplexPopScopes):
968         (JSC::BytecodeGenerator::emitEnumeration):
969         (JSC::BytecodeGenerator::emitIteratorClose):
970         * bytecompiler/BytecodeGenerator.h:
971         * bytecompiler/NodesCodegen.cpp:
972         (JSC::ForOfNode::emitBytecode):
973         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
974         (createIterator.iterator.return):
975         (createIterator):
976         * tests/stress/raise-error-in-iterator-close.js: Added.
977         (createIterator.iterator.return):
978         (createIterator):
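
The following is an added example; it is not code from this ChangeLog or from the JSC stress tests listed above. It records which iterator return() methods run when a labeled break, a labeled continue, a function return or a throw jumps out of nested for-of loops, which is exactly the set of cases the entry says the `finally` machinery now covers. The helper name createIterator echoes the test files named above, but its body and the scenario functions are our own.

```javascript
// Added example, not part of the WebKit ChangeLog. Each scenario returns a
// log of the return() calls that IteratorClose made, so the order in which
// nested iterators are closed can be checked directly.

function createIterator(values, log, name) {
  let index = 0;
  return {
    [Symbol.iterator]() { return this; },
    next() {
      if (index < values.length) {
        return { value: values[index++], done: false };
      }
      return { value: undefined, done: true };
    },
    // IteratorClose invokes this when the loop is left before exhaustion.
    return() {
      log.push(name + '.return');
      return { value: undefined, done: true };
    }
  };
}

// `break outer` from inside the inner loop: the inner iterator is closed
// first, then the outer one, even though only the inner loop's own break
// target is being jumped over.
function breakOuter() {
  const log = [];
  outer: for (const e1 of createIterator([1, 2], log, 'outer')) {
    for (const e2 of createIterator([10, 20], log, 'inner')) {
      break outer;
    }
  }
  return log;
}

// `continue outer`: the inner iterator is closed on every outer iteration,
// while the outer iterator runs to exhaustion and is never closed by return().
function continueOuter() {
  const log = [];
  outer: for (const e1 of createIterator([1, 2], log, 'outer')) {
    for (const e2 of createIterator([10, 20], log, 'inner')) {
      continue outer;
    }
  }
  return log;
}

// `return` from inside both loops: both iterators are closed before the
// function completes (the returned array is the same object, so it sees
// the pushes made during IteratorClose).
function returnFromInner() {
  const log = [];
  for (const e1 of createIterator([1], log, 'outer')) {
    for (const e2 of createIterator([10], log, 'inner')) {
      return log;
    }
  }
  return log;
}

// `throw` from inside both loops: both iterators are closed and the
// exception still propagates to the catch handler.
function throwFromInner() {
  const log = [];
  try {
    for (const e1 of createIterator([1], log, 'outer')) {
      for (const e2 of createIterator([10], log, 'inner')) {
        throw new Error('boom');
      }
    }
  } catch (e) {
    log.push('caught ' + e.message);
  }
  return log;
}

// An explicitly labeled for-of with `continue label` must visit each value
// exactly once and terminate (the duplicated LabelScope case in ForOfNode).
function labeledContinue() {
  let count = 0;
  inner: for (const elm of createIterator([1, 2, 3], [], 'only')) {
    count++;
    continue inner;
  }
  return count;
}
```

Running the scenarios in any ES6 engine with correct IteratorClose semantics gives `['inner.return', 'outer.return']` for breakOuter, returnFromInner and (followed by the caught message) throwFromInner, `['inner.return', 'inner.return']` for continueOuter, and a count of 3 for labeledContinue.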
979
980 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
981
982         [ES6] Implement Symbol.unscopables
983         https://bugs.webkit.org/show_bug.cgi?id=142829
984
985         Reviewed by Geoffrey Garen.
986
987         This patch introduces Symbol.unscopables functionality.
988         In ES6, some generic names (like keys, values) are introduced
989         as Array method names. This breaks the web, since some web sites
990         use code like the following.
991
992         var values = ...;
993         with (array) {
994             values;  // This values is trapped by array's method "values".
995         }
996
997         To fix this, Symbol.unscopables introduces a blacklist
998         for with-scope trapping. When resolving a scope,
999         if the name is found in the target scope and the target scope is a with scope,
1000         we check the Symbol.unscopables object to filter out generic names.
1001
1002         This functionality is only active for with scopes.
1003         Global scope does not have unscopables functionality.
1004
1005         And since
1006         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
1007         2) in that case, JSScope::resolve is always used in the JIT and LLInt,
1008         3) code which contains an op_resolve_scope that returns Dynamic cannot be compiled with the DFG and FTL,
1009         to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
1010         So the performance regression is only visible in the Dynamic resolving case, which is already very slow.
1011
1012         * runtime/ArrayPrototype.cpp:
1013         (JSC::ArrayPrototype::finishCreation):
1014         * runtime/CommonIdentifiers.h:
1015         * runtime/JSGlobalObject.h:
1016         (JSC::JSGlobalObject::runtimeFlags):
1017         * runtime/JSScope.cpp:
1018         (JSC::isUnscopable):
1019         (JSC::JSScope::resolve):
1020         * runtime/JSScope.h:
1021         (JSC::ScopeChainIterator::scope):
1022         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
1023         (test):
1024         * tests/stress/unscopables.js: Added.
1025         (test):
1026         (.):
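
The following is an added example; it is not code from this ChangeLog or from the unscopables.js test it lists. It exercises the lookup rule the entry describes: a name found on a with-scope object is skipped when that object's Symbol.unscopables blacklists it, and the global scope does not consult Symbol.unscopables at all. The with-scope code is compiled through the Function constructor (an assumption of this example, chosen so it stays sloppy-mode code even when the file is loaded as a strict-mode module); the identifier unscopableProbe is a made-up global used only here.

```javascript
// Added example, not part of the WebKit ChangeLog. Shows how
// Symbol.unscopables filters names resolved through a with scope.

// The body is compiled by the Function constructor, so `with` is legal even
// if the enclosing file is strict-mode (assumption made for this example).
const resolveInsideWith = new Function('scopeObject',
  'var values = "outer values";' +
  'with (scopeObject) { return values; }');

// A plain object whose `values` property traps the name: the with scope
// wins over the outer `var values`.
function plainObjectTraps() {
  return resolveInsideWith({ values: 'trapped' });
}

// Array.prototype.values exists, but it is listed in
// Array.prototype[Symbol.unscopables], so the with scope is skipped and the
// outer binding is found instead.
function arrayIsUnscopable() {
  return resolveInsideWith([1, 2, 3]);
}

// Any object can carry its own blacklist: a truthy entry under
// Symbol.unscopables hides that property from `with`.
function customUnscopables() {
  const o = { values: 'trapped', [Symbol.unscopables]: { values: true } };
  return resolveInsideWith(o);
}

// The global object environment ignores Symbol.unscopables entirely, so a
// global property is still resolved even when a blacklist names it.
function globalScopeIgnoresUnscopables() {
  globalThis.unscopableProbe = 'found on global';
  globalThis[Symbol.unscopables] = { unscopableProbe: true };
  try {
    return new Function('return unscopableProbe;')();
  } finally {
    delete globalThis.unscopableProbe;
    delete globalThis[Symbol.unscopables];
  }
}

// The generic Array method names that ES6 blacklists by default.
function arrayUnscopableNames() {
  return Object.keys(Array.prototype[Symbol.unscopables]);
}
```

plainObjectTraps() returns 'trapped' while arrayIsUnscopable() and customUnscopables() return 'outer values'; globalScopeIgnoresUnscopables() returns 'found on global', and arrayUnscopableNames() includes 'keys' and 'values' among the blacklisted names.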
1027
1028 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1029
1030         ES6 class syntax should allow static setters and getters
1031         https://bugs.webkit.org/show_bug.cgi?id=143180
1032
1033         Reviewed by Filip Pizlo.
1034
1035         Apparently I misread the spec when I initially implemented parseClass.
1036         ES6 class syntax allows static getters and setters so just allow that.
1037
1038         * parser/Parser.cpp:
1039         (JSC::Parser<LexerType>::parseClass):
1040
1041 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
1042
1043         PutClosureVar CSE def() rule has a wrong base
1044         https://bugs.webkit.org/show_bug.cgi?id=143280
1045
1046         Reviewed by Michael Saboff.
1047         
1048         I think that this code was incorrect in a benign way, since the base of a
1049         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
1050
1051         * dfg/DFGClobberize.h:
1052         (JSC::DFG::clobberize):
1053
1054 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1055
1056         Unreviewed, rolling out r182200.
1057         https://bugs.webkit.org/show_bug.cgi?id=143279
1058
1059         Probably causing assertion extravaganza on bots. (Requested by
1060         kling on #webkit).
1061
1062         Reverted changeset:
1063
1064         "Logically empty WeakBlocks should not pin down their
1065         MarkedBlocks indefinitely."
1066         https://bugs.webkit.org/show_bug.cgi?id=143210
1067         http://trac.webkit.org/changeset/182200
1068
1069 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1070
1071         Clean up Identifier factories to clarify the meaning of StringImpl*
1072         https://bugs.webkit.org/show_bug.cgi?id=143146
1073
1074         Reviewed by Filip Pizlo.
1075
1076         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
1077         However, it's ambiguous because `StringImpl*` has 2 different meanings:
1078         1) a normal string, which is replaceable with `WTFString`, and
1079         2) a `uid`, which holds `isSymbol` information to represent Symbols.
1080         So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
1081         + `Identifier::fromString(VM*/ExecState*, const String&)`.
1082         Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
1083         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
1084         This function is used for 2) `uid`, so the symbol-ness of `StringImpl*` is kept.
1085
1086         And to clean up `StringImpl` when it is used as a uid,
1087         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
1088         1. StringNormal (non-atomic, non-symbol)
1089         2. StringAtomic (atomic, non-symbol)
1090         3. StringSymbol (non-atomic, symbol)
1091         They are mutually exclusive. And (atomic, symbol) case should not exist.
1092
1093         * API/JSCallbackObjectFunctions.h:
1094         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1095         * API/JSObjectRef.cpp:
1096         (JSObjectMakeFunction):
1097         * API/OpaqueJSString.cpp:
1098         (OpaqueJSString::identifier):
1099         * bindings/ScriptFunctionCall.cpp:
1100         (Deprecated::ScriptFunctionCall::call):
1101         * builtins/BuiltinExecutables.cpp:
1102         (JSC::BuiltinExecutables::createExecutableInternal):
1103         * builtins/BuiltinNames.h:
1104         (JSC::BuiltinNames::BuiltinNames):
1105         * bytecompiler/BytecodeGenerator.cpp:
1106         (JSC::BytecodeGenerator::BytecodeGenerator):
1107         (JSC::BytecodeGenerator::emitThrowReferenceError):
1108         (JSC::BytecodeGenerator::emitThrowTypeError):
1109         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1110         (JSC::BytecodeGenerator::emitEnumeration):
1111         * dfg/DFGDesiredIdentifiers.cpp:
1112         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1113         * inspector/JSInjectedScriptHost.cpp:
1114         (Inspector::JSInjectedScriptHost::functionDetails):
1115         (Inspector::constructInternalProperty):
1116         (Inspector::JSInjectedScriptHost::weakMapEntries):
1117         (Inspector::JSInjectedScriptHost::iteratorEntries):
1118         * inspector/JSInjectedScriptHostPrototype.cpp:
1119         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1120         * inspector/JSJavaScriptCallFramePrototype.cpp:
1121         * inspector/ScriptCallStackFactory.cpp:
1122         (Inspector::extractSourceInformationFromException):
1123         * jit/JITOperations.cpp:
1124         * jsc.cpp:
1125         (GlobalObject::finishCreation):
1126         (GlobalObject::addFunction):
1127         (GlobalObject::addConstructableFunction):
1128         (functionRun):
1129         (runWithScripts):
1130         * llint/LLIntData.cpp:
1131         (JSC::LLInt::Data::performAssertions):
1132         * llint/LowLevelInterpreter.asm:
1133         * parser/ASTBuilder.h:
1134         (JSC::ASTBuilder::addVar):
1135         * parser/Parser.cpp:
1136         (JSC::Parser<LexerType>::parseInner):
1137         (JSC::Parser<LexerType>::createBindingPattern):
1138         * parser/ParserArena.h:
1139         (JSC::IdentifierArena::makeIdentifier):
1140         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
1141         (JSC::IdentifierArena::makeNumericIdentifier):
1142         * runtime/ArgumentsIteratorPrototype.cpp:
1143         (JSC::ArgumentsIteratorPrototype::finishCreation):
1144         * runtime/ArrayIteratorPrototype.cpp:
1145         (JSC::ArrayIteratorPrototype::finishCreation):
1146         * runtime/ArrayPrototype.cpp:
1147         (JSC::ArrayPrototype::finishCreation):
1148         (JSC::arrayProtoFuncPush):
1149         * runtime/ClonedArguments.cpp:
1150         (JSC::ClonedArguments::getOwnPropertySlot):
1151         * runtime/CommonIdentifiers.cpp:
1152         (JSC::CommonIdentifiers::CommonIdentifiers):
1153         * runtime/CommonIdentifiers.h:
1154         * runtime/Error.cpp:
1155         (JSC::addErrorInfo):
1156         (JSC::hasErrorInfo):
1157         * runtime/ExceptionHelpers.cpp:
1158         (JSC::createUndefinedVariableError):
1159         * runtime/GenericArgumentsInlines.h:
1160         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1161         * runtime/Identifier.h:
1162         (JSC::Identifier::isSymbol):
1163         (JSC::Identifier::Identifier):
1164         (JSC::Identifier::from): Deleted.
1165         * runtime/IdentifierInlines.h:
1166         (JSC::Identifier::Identifier):
1167         (JSC::Identifier::fromUid):
1168         (JSC::Identifier::fromString):
1169         * runtime/JSCJSValue.cpp:
1170         (JSC::JSValue::dumpInContextAssumingStructure):
1171         * runtime/JSCJSValueInlines.h:
1172         (JSC::JSValue::toPropertyKey):
1173         * runtime/JSGlobalObject.cpp:
1174         (JSC::JSGlobalObject::init):
1175         * runtime/JSLexicalEnvironment.cpp:
1176         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1177         * runtime/JSObject.cpp:
1178         (JSC::getClassPropertyNames):
1179         (JSC::JSObject::reifyStaticFunctionsForDelete):
1180         * runtime/JSObject.h:
1181         (JSC::makeIdentifier):
1182         * runtime/JSPromiseConstructor.cpp:
1183         (JSC::JSPromiseConstructorFuncRace):
1184         (JSC::JSPromiseConstructorFuncAll):
1185         * runtime/JSString.h:
1186         (JSC::JSString::toIdentifier):
1187         * runtime/JSSymbolTableObject.cpp:
1188         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1189         * runtime/LiteralParser.cpp:
1190         (JSC::LiteralParser<CharType>::tryJSONPParse):
1191         (JSC::LiteralParser<CharType>::makeIdentifier):
1192         * runtime/Lookup.h:
1193         (JSC::reifyStaticProperties):
1194         * runtime/MapConstructor.cpp:
1195         (JSC::constructMap):
1196         * runtime/MapIteratorPrototype.cpp:
1197         (JSC::MapIteratorPrototype::finishCreation):
1198         * runtime/MapPrototype.cpp:
1199         (JSC::MapPrototype::finishCreation):
1200         * runtime/MathObject.cpp:
1201         (JSC::MathObject::finishCreation):
1202         * runtime/NumberConstructor.cpp:
1203         (JSC::NumberConstructor::finishCreation):
1204         * runtime/ObjectConstructor.cpp:
1205         (JSC::ObjectConstructor::finishCreation):
1206         * runtime/PrivateName.h:
1207         (JSC::PrivateName::PrivateName):
1208         * runtime/PropertyMapHashTable.h:
1209         (JSC::PropertyTable::find):
1210         (JSC::PropertyTable::get):
1211         * runtime/PropertyName.h:
1212         (JSC::PropertyName::PropertyName):
1213         (JSC::PropertyName::publicName):
1214         (JSC::PropertyName::asIndex):
1215         * runtime/PropertyNameArray.cpp:
1216         (JSC::PropertyNameArray::add):
1217         * runtime/PropertyNameArray.h:
1218         (JSC::PropertyNameArray::addKnownUnique):
1219         * runtime/RegExpConstructor.cpp:
1220         (JSC::RegExpConstructor::finishCreation):
1221         * runtime/SetConstructor.cpp:
1222         (JSC::constructSet):
1223         * runtime/SetIteratorPrototype.cpp:
1224         (JSC::SetIteratorPrototype::finishCreation):
1225         * runtime/SetPrototype.cpp:
1226         (JSC::SetPrototype::finishCreation):
1227         * runtime/StringIteratorPrototype.cpp:
1228         (JSC::StringIteratorPrototype::finishCreation):
1229         * runtime/StringPrototype.cpp:
1230         (JSC::StringPrototype::finishCreation):
1231         * runtime/Structure.cpp:
1232         (JSC::Structure::getPropertyNamesFromStructure):
1233         * runtime/SymbolConstructor.cpp:
1234         * runtime/VM.cpp:
1235         (JSC::VM::throwException):
1236         * runtime/WeakMapConstructor.cpp:
1237         (JSC::constructWeakMap):
1238
1239 2015-03-31  Andreas Kling  <akling@apple.com>
1240
1241         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1242         <https://webkit.org/b/143210>
1243
1244         Reviewed by Geoffrey Garen.
1245
1246         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1247         we had a little problem where WeakBlocks with only null pointers would still keep their
1248         MarkedBlock alive.
1249
1250         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1251         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1252         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1253         destroying them once they're fully dead.
1254
1255         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1256         a mysterious issue where doing two full garbage collections back-to-back would free additional
1257         memory in the second collection.
1258
1259         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1260         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1261         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1262
1263         * heap/Heap.h:
1264         * heap/Heap.cpp:
1265         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1266         owned by Heap, after everything else has been swept.
1267
1268         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1269         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1270         they are unlikely to cause entire WeakBlocks to go empty.
1271
1272         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1273         to the Heap when it's detached from a WeakSet.
1274
1275         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1276         of the logically empty WeakBlocks owned by Heap.
1277
1278         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1279         and updates the next-logically-empty-weak-block-to-sweep index.
1280
1281         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
1282         won't be another chance after this.
1283
1284         * heap/IncrementalSweeper.h:
1285         (JSC::IncrementalSweeper::hasWork): Deleted.
1286
1287         * heap/IncrementalSweeper.cpp:
1288         (JSC::IncrementalSweeper::fullSweep):
1289         (JSC::IncrementalSweeper::doSweep):
1290         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1291         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1292         changed to return a bool (true if there's more work to be done.)
1293
1294         * heap/WeakBlock.cpp:
1295         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1296         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1297
1298         * heap/WeakBlock.h:
1299         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1300         if the WeakBlock could be detached from the MarkedBlock.
1301
1302         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1303         when declaring them.
1304
1305 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1306
1307         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
1308         https://bugs.webkit.org/show_bug.cgi?id=142883
1309
1310         Reviewed by Filip Pizlo.
1311
1312         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
1313
1314         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
1315         in eval inside a derived class' constructor.
1316
1317         * bytecode/EvalCodeCache.h:
1318         (JSC::EvalCodeCache::getSlow):
1319         * bytecompiler/NodesCodegen.cpp:
1320         (JSC::ThisNode::emitBytecode):
1321         * debugger/DebuggerCallFrame.cpp:
1322         (JSC::DebuggerCallFrame::evaluate):
1323         * interpreter/Interpreter.cpp:
1324         (JSC::eval):
1325         * parser/ASTBuilder.h:
1326         (JSC::ASTBuilder::thisExpr):
1327         * parser/NodeConstructors.h:
1328         (JSC::ThisNode::ThisNode):
1329         * parser/Nodes.h:
1330         * parser/Parser.cpp:
1331         (JSC::Parser<LexerType>::Parser):
1332         (JSC::Parser<LexerType>::parsePrimaryExpression):
1333         * parser/Parser.h:
1334         (JSC::parse):
1335         * parser/ParserModes.h:
1336         * parser/SyntaxChecker.h:
1337         (JSC::SyntaxChecker::thisExpr):
1338         * runtime/CodeCache.cpp:
1339         (JSC::CodeCache::getGlobalCodeBlock):
1340         (JSC::CodeCache::getProgramCodeBlock):
1341         (JSC::CodeCache::getEvalCodeBlock):
1342         * runtime/CodeCache.h:
1343         (JSC::SourceCodeKey::SourceCodeKey):
1344         * runtime/Executable.cpp:
1345         (JSC::EvalExecutable::create):
1346         * runtime/Executable.h:
1347         * runtime/JSGlobalObject.cpp:
1348         (JSC::JSGlobalObject::createEvalCodeBlock):
1349         * runtime/JSGlobalObject.h:
1350         * runtime/JSGlobalObjectFunctions.cpp:
1351         (JSC::globalFuncEval):
1352         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
1353         * tests/stress/class-syntax-tdz-in-eval.js: Added.
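
An added example, not part of this ChangeLog entry or of the stress tests it names, showing the behaviour the fix enforces: before super() returns, `this` in a derived constructor is in its temporal dead zone, and a direct eval shares that binding, so it must perform the same TDZ check. The `Base`/`Derived` classes and the mode names are constructed for this example; the indirect-eval case is included to show the contrast (it evaluates in global scope and sees the global `this`).

```javascript
"use strict";

// Constructed base class: initializes a field so that a successful read is visible.
class Base {
  constructor() {
    this.foo = "initialized";
  }
}

// Try to touch `this` before super() in the requested way and report the
// error class that surfaced ("none" if the access succeeded).
function errorBeforeSuper(mode) {
  class Derived extends Base {
    constructor() {
      let seen = "none";
      try {
        if (mode === "direct") {
          this.foo;                 // plain access: TDZ check emitted by the parser
        } else if (mode === "direct-eval") {
          eval("this.foo");         // direct eval: must be checked the same way
        } else if (mode === "indirect-eval") {
          (0, eval)("this");        // indirect eval: global code, global `this`
        }
      } catch (e) {
        seen = e.constructor.name;
      }
      super();
      this.seen = seen;
    }
  }
  return new Derived().seen;
}

// After super() the binding is initialized, so eval sees the real object.
function valueAfterSuper() {
  class Derived extends Base {
    constructor() {
      super();
      this.viaEval = eval("this.foo");
    }
  }
  return new Derived().viaEval;
}

function results() {
  return {
    direct: errorBeforeSuper("direct"),               // "ReferenceError"
    directEval: errorBeforeSuper("direct-eval"),      // "ReferenceError"
    indirectEval: errorBeforeSuper("indirect-eval"),  // "none"
    afterSuper: valueAfterSuper(),                    // "initialized"
  };
}

console.log(results());
```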
1354
1355 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1356
1357         Unreviewed, rolling out r182186.
1358         https://bugs.webkit.org/show_bug.cgi?id=143270
1359
1360         it crashes all the WebGL tests on the Debug bots (Requested by
1361         dino on #webkit).
1362
1363         Reverted changeset:
1364
1365         "Web Inspector: add 2D/WebGL canvas instrumentation
1366         infrastructure"
1367         https://bugs.webkit.org/show_bug.cgi?id=137278
1368         http://trac.webkit.org/changeset/182186
1369
1370 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1371
1372         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
1373         https://bugs.webkit.org/show_bug.cgi?id=142937
1374
1375         Reviewed by Darin Adler.
1376
1377         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
1378         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
1379         But now, several functions perform ToObject onto a non-object parameter.
1380         And others behave as if a parameter is a non-extensible ordinary object with no own properties.
1381         It is described in ES6 Annex E.
1382         Functions different from ES5 are the following.
1383
1384         1. An attempt is made to coerce the argument using ToObject.
1385             Object.getOwnPropertyDescriptor
1386             Object.getOwnPropertyNames
1387             Object.getPrototypeOf
1388             Object.keys
1389
1390         2. Treated as if it was a non-extensible ordinary object with no own properties.
1391             Object.freeze
1392             Object.isExtensible
1393             Object.isFrozen
1394             Object.isSealed
1395             Object.preventExtensions
1396             Object.seal
1397
1398         * runtime/ObjectConstructor.cpp:
1399         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1400         (JSC::objectConstructorGetPrototypeOf):
1401         (JSC::objectConstructorGetOwnPropertyDescriptor):
1402         (JSC::objectConstructorGetOwnPropertyNames):
1403         (JSC::objectConstructorKeys):
1404         (JSC::objectConstructorSeal):
1405         (JSC::objectConstructorFreeze):
1406         (JSC::objectConstructorPreventExtensions):
1407         (JSC::objectConstructorIsSealed):
1408         (JSC::objectConstructorIsFrozen):
1409         (JSC::objectConstructorIsExtensible):
1410         * tests/stress/object-freeze-accept-non-object.js: Added.
1411         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
1412         (canary):
1413         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
1414         (compare):
1415         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
1416         * tests/stress/object-is-extensible-accept-non-object.js: Added.
1417         * tests/stress/object-is-frozen-accept-non-object.js: Added.
1418         * tests/stress/object-is-sealed-accept-non-object.js: Added.
1419         * tests/stress/object-keys-perform-to-object.js: Added.
1420         (compare):
1421         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
1422         * tests/stress/object-seal-accept-non-object.js: Added.
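
An added example, not part of this ChangeLog entry or of the stress tests it lists, that observes the two Annex E groups directly: group 1 functions apply ToObject (so a string's wrapper properties show through, and null still throws TypeError), while group 2 functions treat a primitive as a non-extensible object with no own properties and return it unchanged, even for null. The sample inputs ("ab" and null) and the choice of "length" as the key for getOwnPropertyDescriptor are constructed for this example.

```javascript
"use strict";

// Run fn(value); report the value it produced, or the class name of what it threw.
function outcome(fn, value) {
  try {
    return { ok: true, value: fn(value) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Group 1: coerced with ToObject.  Group 2: treated as a non-extensible object.
const GROUP_1 = ["getOwnPropertyDescriptor", "getOwnPropertyNames", "getPrototypeOf", "keys"];
const GROUP_2 = ["freeze", "isExtensible", "isFrozen", "isSealed", "preventExtensions", "seal"];

// Map each Object.* function name to what it does with the given argument.
function probe(value) {
  const results = {};
  for (const name of [...GROUP_1, ...GROUP_2]) {
    // getOwnPropertyDescriptor needs a property key; "length" is a constructed choice.
    const fn = name === "getOwnPropertyDescriptor"
      ? (v) => Object.getOwnPropertyDescriptor(v, "length")
      : Object[name];
    results[name] = outcome(fn, value);
  }
  return results;
}

// String input: group 1 reveals the String wrapper; group 2 hands back the
// primitive itself and reports it as frozen, sealed and non-extensible.
function summarizeString(s = "ab") {
  const r = probe(s);
  return {
    prototypeIsStringPrototype: r.getPrototypeOf.value === String.prototype,
    ownNames: r.getOwnPropertyNames.value,                        // ["0", "1", "length"]
    keys: r.keys.value,                                           // ["0", "1"]
    lengthDescriptorValue: r.getOwnPropertyDescriptor.value.value, // 2
    freezeReturnsSamePrimitive: r.freeze.value === s,
    sealReturnsSamePrimitive: r.seal.value === s,
    preventExtensionsReturnsSamePrimitive: r.preventExtensions.value === s,
    isExtensible: r.isExtensible.value,                           // false
    isFrozen: r.isFrozen.value,                                   // true
    isSealed: r.isSealed.value,                                   // true
  };
}

// null input: ToObject(null) throws, so group 1 still raises TypeError;
// group 2 accepts it and freeze/seal/preventExtensions return null unchanged.
function summarizeNull() {
  const r = probe(null);
  return {
    group1Errors: GROUP_1.map((n) => r[n].error),  // ["TypeError", "TypeError", "TypeError", "TypeError"]
    group2Ok: GROUP_2.every((n) => r[n].ok),       // true
    freezeReturnsNull: r.freeze.value === null,    // true
  };
}

console.log(summarizeString(), summarizeNull());
```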
1423
1424 2015-03-31  Matt Baker  <mattbaker@apple.com>
1425
1426         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
1427         https://bugs.webkit.org/show_bug.cgi?id=137278
1428
1429         Reviewed by Timothy Hatcher.
1430
1431         Added Canvas protocol which defines types used by InspectorCanvasAgent.
1432
1433         * CMakeLists.txt:
1434         * DerivedSources.make:
1435         * inspector/protocol/Canvas.json: Added.
1436
1437         * inspector/scripts/codegen/generator.py:
1438         (Generator.stylized_name_for_enum_value):
1439         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
1440
1441 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
1442
1443         Extending null should set __proto__ to null
1444         https://bugs.webkit.org/show_bug.cgi?id=142882
1445
1446         Reviewed by Geoffrey Garen and Benjamin Poulain.
1447
1448         Set Derived.prototype.__proto__ to null when extending null.
1449
1450         * bytecompiler/NodesCodegen.cpp:
1451         (JSC::ClassExprNode::emitBytecode):
1452
1453 2015-03-30  Mark Lam  <mark.lam@apple.com>
1454
1455         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
1456         <https://webkit.org/b/143105>
1457
1458         Reviewed by Filip Pizlo.
1459
1460         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
1461         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
1462         JIT frames that may have their scope register not set.  The Debugger's current implementation
1463         which relies on the scope register is not happy about this.  For example, this results in a
1464         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
1465
1466         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
1467         ensure that the scope register value is flushed to the register in the stack frame.
1468
1469         * dfg/DFGByteCodeParser.cpp:
1470         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1471         (JSC::DFG::ByteCodeParser::setLocal):
1472         (JSC::DFG::ByteCodeParser::flush):
1473         - Add code to flush the scope register.
1474         (JSC::DFG::ByteCodeParser::inliningCost):
1475         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
1476           disabling inlining whenever the debugger is in use.
1477         * dfg/DFGGraph.cpp:
1478         (JSC::DFG::Graph::Graph):
1479         * dfg/DFGGraph.h:
1480         (JSC::DFG::Graph::hasDebuggerEnabled):
1481         * dfg/DFGStackLayoutPhase.cpp:
1482         (JSC::DFG::StackLayoutPhase::run):
1483         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
1484         * ftl/FTLCompile.cpp:
1485         (JSC::FTL::mmAllocateDataSection):
1486         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
1487
1488 2015-03-30  Michael Saboff  <msaboff@apple.com>
1489
1490         Fix flaky float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
1491         https://bugs.webkit.org/show_bug.cgi?id=138391
1492
1493         Reviewed by Mark Lam.
1494
1495         Re-enabling these tests as I can't get them to fail on local iOS test devices.
1496         There have been many changes since these tests were disabled.
1497         I'll watch automated test results for failures.  If there are failures running automated
1498         testing, it might be due to the device's relative CPU performance.
1499         
1500         * tests/stress/float32-repeat-out-of-bounds.js:
1501         * tests/stress/int8-repeat-out-of-bounds.js:
1502
1503 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
1504
1505         Web Inspector: Regression: Preview for [[null]] shouldn't be []
1506         https://bugs.webkit.org/show_bug.cgi?id=143208
1507
1508         Reviewed by Mark Lam.
1509
1510         * inspector/InjectedScriptSource.js:
1511         Handle null when generating simple object previews.
1512
1513 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
1514
1515         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
1516         https://bugs.webkit.org/show_bug.cgi?id=143134
1517
1518         Reviewed by Geoffrey Garen.
1519
1520         * jit/JSInterfaceJIT.h:
1521         * jit/Repatch.cpp:
1522         (JSC::tryCacheGetByID):
1523
1524 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
1525
1526         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
1527         https://bugs.webkit.org/show_bug.cgi?id=143104
1528
1529         Reviewed by Geoffrey Garen.
1530         
1531         Created a test that is a 100% repro of the flaky failure. This test is called
1532         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
1533         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
1534         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
1535         
1536         Also created three more tests for three similar, but not identical, failures.
1537         
1538         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
1539         only reading those parts of the stack that are relevant to the current semantic code origin.
1540         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
1541         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
1542         read parts of the stack associated with the inline call frame for the phantom arguments. This
1543         may not be subsumed by the current semantic origin's stack area in cases that the arguments
1544         were allowed to "locally" escape.
1545         
1546         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
1547         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
1548         the stack due to function.arguments, but there are a bunch of other ways that we could also
1549         read the stack and those operations may read any stack slot. I believe that this change makes
1550         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
1551         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
1552         readTop() in PreciseLocalClobberize does the right thing.
1553
1554         * dfg/DFGClobberize.h:
1555         (JSC::DFG::clobberize):
1556         * dfg/DFGPreciseLocalClobberize.h:
1557         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1558         * dfg/DFGPutStackSinkingPhase.cpp:
1559         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
1560         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
1561         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
1562         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
1563         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
1564
1565 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
1566
1567         Start the features.json files
1568         https://bugs.webkit.org/show_bug.cgi?id=143207
1569
1570         Reviewed by Darin Adler.
1571
1572         Start the features.json files to have something to experiment
1573         with for the UI.
1574
1575         * features.json: Added.
1576
1577 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1578
1579         [Win] Addressing post-review comment after r182122
1580         https://bugs.webkit.org/show_bug.cgi?id=143189
1581
1582         Unreviewed.
1583
1584 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1585
1586         [Win] Allow building JavaScriptCore without Cygwin
1587         https://bugs.webkit.org/show_bug.cgi?id=143189
1588
1589         Reviewed by Brent Fulgham.
1590
1591         Paths like /usr/bin/ don't exist on Windows.
1592         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
1593         Prefixing commands with environment variables doesn't work on Windows.
1594         Windows doesn't have 'cmp'.
1595         Windows uses 'del' instead of 'rm'.
1596         Windows uses 'type NUL' instead of 'touch'.
1597
1598         * DerivedSources.make:
1599         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1600         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1601         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
1602         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1603         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
1604         * JavaScriptCore.vcxproj/build-generated-files.pl:
1605         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
1606
1607 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
1608
1609         Clean up JavaScriptCore/builtins
1610         https://bugs.webkit.org/show_bug.cgi?id=143177
1611
1612         Reviewed by Ryosuke Niwa.
1613
1614         * builtins/ArrayConstructor.js:
1615         (from):
1616         - We can compare to undefined instead of using a typeof undefined check.
1617         - Converge on double quoted strings everywhere.
1618
1619         * builtins/ArrayIterator.prototype.js:
1620         (next):
1621         * builtins/StringIterator.prototype.js:
1622         (next):
1623         - Use shorthand object construction to avoid duplication.
1624         - Improve grammar in error messages.
1625
1626         * tests/stress/array-iterators-next-with-call.js:
1627         * tests/stress/string-iterators.js:
1628         - Update for new error message strings.
1629
1630 2015-03-28  Saam Barati  <saambarati1@gmail.com>
1631
1632         Web Inspector: ES6: Better support for Symbol types in Type Profiler
1633         https://bugs.webkit.org/show_bug.cgi?id=141257
1634
1635         Reviewed by Joseph Pecoraro.
1636
1637         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
1638         type profiler support this new primitive type.
1639
1640         * dfg/DFGFixupPhase.cpp:
1641         (JSC::DFG::FixupPhase::fixupNode):
1642         * inspector/protocol/Runtime.json:
1643         * runtime/RuntimeType.cpp:
1644         (JSC::runtimeTypeForValue):
1645         * runtime/RuntimeType.h:
1646         (JSC::runtimeTypeIsPrimitive):
1647         * runtime/TypeSet.cpp:
1648         (JSC::TypeSet::addTypeInformation):
1649         (JSC::TypeSet::dumpTypes):
1650         (JSC::TypeSet::doesTypeConformTo):
1651         (JSC::TypeSet::displayName):
1652         (JSC::TypeSet::inspectorTypeSet):
1653         (JSC::TypeSet::toJSONString):
1654         * runtime/TypeSet.h:
1655         (JSC::TypeSet::seenTypes):
1656         * tests/typeProfiler/driver/driver.js:
1657         * tests/typeProfiler/symbol.js: Added.
1658         (wrapper.foo):
1659         (wrapper.bar):
1660         (wrapper.bar.bar.baz):
1661         (wrapper):
1662
1663 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1664
1665         Deconstruction parameters are bound too late
1666         https://bugs.webkit.org/show_bug.cgi?id=143148
1667
1668         Reviewed by Filip Pizlo.
1669
1670         Currently, a deconstruction pattern named with the same
1671         name as a function will shadow the function. This is
1672         wrong. It should be the other way around.
1673
1674         * bytecompiler/BytecodeGenerator.cpp:
1675         (JSC::BytecodeGenerator::generate):
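
An added example, not part of this ChangeLog entry, showing the binding order the fix restores: parameters are bound first and function declarations in the body are instantiated afterwards, so a same-named declaration overrides the parameter whether it is a simple parameter or a deconstruction pattern. All function and parameter names below are constructed for the example.

```javascript
"use strict";

// Simple parameter: the body's function declaration wins over the argument.
function simpleParameter(x) {
  function x() { return "declaration"; }
  return typeof x;
}

// Deconstruction pattern binding x: the declaration must still win.  The bug
// described above bound the pattern too late, so the pattern's value shadowed it.
function patternParameter({ x }) {
  function x() { return "declaration"; }
  return typeof x;
}

// Pattern with a default value: the parameters then live in their own scope and
// the declaration is instantiated in the inner variable scope, shadowing x again.
function patternWithDefault({ x } = { x: 42 }) {
  function x() { return "declaration"; }
  return typeof x;
}

// Control: without a same-named declaration the pattern's value is what is seen.
function patternOnly({ x }) {
  return typeof x;
}

function results() {
  return {
    simple: simpleParameter(42),                  // "function"
    pattern: patternParameter({ x: 42 }),         // "function"
    patternWithDefault: patternWithDefault(),     // "function"
    control: patternOnly({ x: 42 }),              // "number"
  };
}

console.log(results());
```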
1676
1677 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1678
1679         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
1680         https://bugs.webkit.org/show_bug.cgi?id=143170
1681
1682         Reviewed by Benjamin Poulain.
1683
1684         Assert that we never use 16-bit version of the parser to parse a default constructor
1685         since both base and derived default constructors should be using an 8-bit string.
1686
1687         * parser/Parser.h:
1688         (JSC::parse):
1689
1690 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1691
1692         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
1693         https://bugs.webkit.org/show_bug.cgi?id=142862
1694
1695         Reviewed by Benjamin Poulain.
1696
1697         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
1698
1699         * tests/stress/class-syntax-derived-default-constructor.js: Added.
1700
1701 2015-03-27  Michael Saboff  <msaboff@apple.com>
1702
1703         load8Signed() and load16Signed() should be renamed to avoid confusion
1704         https://bugs.webkit.org/show_bug.cgi?id=143168
1705
1706         Reviewed by Benjamin Poulain.
1707
1708         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
1709
1710         * assembler/MacroAssemblerARM.h:
1711         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
1712         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
1713         (JSC::MacroAssemblerARM::load8Signed): Deleted.
1714         (JSC::MacroAssemblerARM::load16Signed): Deleted.
1715         * assembler/MacroAssemblerARM64.h:
1716         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
1717         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1718         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
1719         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
1720         * assembler/MacroAssemblerARMv7.h:
1721         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
1722         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
1723         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
1724         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
1725         * assembler/MacroAssemblerMIPS.h:
1726         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1727         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1728         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
1729         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
1730         * assembler/MacroAssemblerSH4.h:
1731         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
1732         (JSC::MacroAssemblerSH4::load8):
1733         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
1734         (JSC::MacroAssemblerSH4::load16):
1735         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
1736         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
1737         * assembler/MacroAssemblerX86Common.h:
1738         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
1739         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
1740         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
1741         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
1742         * dfg/DFGSpeculativeJIT.cpp:
1743         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1744         * jit/JITPropertyAccess.cpp:
1745         (JSC::JIT::emitIntTypedArrayGetByVal):
1746
1747 2015-03-27  Michael Saboff  <msaboff@apple.com>
1748
1749         Fix flaky dfg-int8array.js and dfg-int16array.js tests for ARM64
1750         https://bugs.webkit.org/show_bug.cgi?id=138390
1751
1752         Reviewed by Mark Lam.
1753
1754         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
1755         instead of 64 bits.  This is what X86-64 does.
1756
1757         * assembler/MacroAssemblerARM64.h:
1758         (JSC::MacroAssemblerARM64::load16Signed):
1759         (JSC::MacroAssemblerARM64::load8Signed):
1760
1761 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1762
1763         Add back previously broken assert from bug 141869
1764         https://bugs.webkit.org/show_bug.cgi?id=143005
1765
1766         Reviewed by Michael Saboff.
1767
1768         * runtime/ExceptionHelpers.cpp:
1769         (JSC::invalidParameterInSourceAppender):
1770
1771 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1772
1773         Make some more objects use FastMalloc
1774         https://bugs.webkit.org/show_bug.cgi?id=143122
1775
1776         Reviewed by Csaba Osztrogonác.
1777
1778         * API/JSCallbackObject.h:
1779         * heap/IncrementalSweeper.h:
1780         * jit/JITThunks.h:
1781         * runtime/JSGlobalObjectDebuggable.h:
1782         * runtime/RegExpCache.h:
1783
1784 2015-03-27  Michael Saboff  <msaboff@apple.com>
1785
1786         Objects with numeric properties intermittently get a phantom 'length' property
1787         https://bugs.webkit.org/show_bug.cgi?id=142792
1788
1789         Reviewed by Csaba Osztrogonác.
1790
1791         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
1792         test and branch instructions.  This function is used for linking tbz/tbnz branches between
1793         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
1794         the failure case checks in the GetById array length stub created for "obj.length" access.
1795         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
1796         being set when we should have been looking for bit 0.
1797
1798         * assembler/ARM64Assembler.h:
1799         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
1800
1801 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1802
1803         Insert exception check around toPropertyKey call
1804         https://bugs.webkit.org/show_bug.cgi?id=142922
1805
1806         Reviewed by Geoffrey Garen.
1807
1808         In some places, exception check is missing after/before toPropertyKey.
1809         However, since it calls toString, it's observable to users.
1810
1811         Missing exception checks in Object.prototype methods can be
1812         observed since it would be overridden with toObject(null/undefined) errors.
1813         We inserted exception checks after toPropertyKey.
1814
1815         Missing exception checks in GetById related code can be
1816         observed since it would be overridden with toObject(null/undefined) errors.
1817         In this case, we need to insert exception checks before/after toPropertyKey
1818         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
1819
1820         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
1821         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
1822         According to the spec, we first perform RequireObjectCoercible and check the exception.
1823         And second, we perform ToPropertyKey and check the exception.
1824         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
1825         For example, if the target is not object coercible,
1826         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
1827         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
1828
1829         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
1830
1831         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
1832
1833         toObject converts primitive types into wrapper objects.
1834         But it is not efficient since wrapper objects are not necessary
1835         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
1836
1837         2. Using the result of toObject is not correct to the spec.
1838
1839         To align to the spec correctly, we cannot use JSObject::get
1840         by using the wrapper object produced by the toObject suggested in (1).
1841         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
1842         It is not correct since getter should be called with the original |this| value that may be primitive types.
1843
1844         So in this patch, we use JSValue::requireObjectCoercible
1845         to check the target is object coercible and raise an error if it's not.
1846
1847         * dfg/DFGOperations.cpp:
1848         * jit/JITOperations.cpp:
1849         (JSC::getByVal):
1850         * llint/LLIntSlowPaths.cpp:
1851         (JSC::LLInt::getByVal):
1852         * runtime/CommonSlowPaths.cpp:
1853         (JSC::SLOW_PATH_DECL):
1854         * runtime/JSCJSValue.h:
1855         * runtime/JSCJSValueInlines.h:
1856         (JSC::JSValue::requireObjectCoercible):
1857         * runtime/ObjectPrototype.cpp:
1858         (JSC::objectProtoFuncHasOwnProperty):
1859         (JSC::objectProtoFuncDefineGetter):
1860         (JSC::objectProtoFuncDefineSetter):
1861         (JSC::objectProtoFuncLookupGetter):
1862         (JSC::objectProtoFuncLookupSetter):
1863         (JSC::objectProtoFuncPropertyIsEnumerable):
1864         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
1865         (shouldThrow):
1866         (if):
1867         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
1868         (shouldThrow):
1869         (.):
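
An added example, not part of this ChangeLog entry or of the stress tests it lists, that makes the ordering observable from script: a key object whose toString records that it ran and then throws a distinguishable error. With a null base, obj[key] must report the RequireObjectCoercible TypeError without ever calling toString; with an object base, and in Object.prototype.hasOwnProperty (where ToPropertyKey precedes ToObject), the key's own error must surface. The `KeyError` class and the spy key are constructed for this example.

```javascript
"use strict";

// Distinguishable error so we can tell the key's toString apart from a TypeError.
class KeyError extends Error {}

// Constructed key: ToPropertyKey on it calls toString, which records the call.
function makeSpyKey() {
  const spy = { calls: 0 };
  spy.key = {
    toString() {
      spy.calls += 1;
      throw new KeyError("toString ran");
    },
  };
  return spy;
}

// Run one access and report which error surfaced and whether toString ran.
function probe(fn) {
  const spy = makeSpyKey();
  let error = "none";
  try {
    fn(spy.key);
  } catch (e) {
    error = e instanceof KeyError ? "KeyError" : e.constructor.name;
  }
  return { error, toStringCalled: spy.calls > 0 };
}

// 1. obj[key] on a non-coercible base: RequireObjectCoercible runs first, so a
//    TypeError surfaces and the key is never converted.
function getByValOnNull(key) {
  return null[key];
}

// 2. obj[key] on a coercible base: ToPropertyKey runs and its error propagates.
function getByValOnObject(key) {
  return ({})[key];
}

// 3. Object.prototype.hasOwnProperty: step 1 is ToPropertyKey(V) and step 2 is
//    ToObject(this), so the key's error must win even for a null receiver
//    rather than being overridden by the toObject(null) TypeError.
function hasOwnOnNull(key) {
  return Object.prototype.hasOwnProperty.call(null, key);
}

function runAll() {
  return {
    getByValOnNull: probe(getByValOnNull),     // { error: "TypeError", toStringCalled: false }
    getByValOnObject: probe(getByValOnObject), // { error: "KeyError", toStringCalled: true }
    hasOwnOnNull: probe(hasOwnOnNull),         // { error: "KeyError", toStringCalled: true }
  };
}

console.log(runAll());
```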
1870
1871 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1872
1873         WebContent Crash when instantiating class with Type Profiling enabled
1874         https://bugs.webkit.org/show_bug.cgi?id=143037
1875
1876         Reviewed by Ryosuke Niwa.
1877
1878         * bytecompiler/BytecodeGenerator.h:
1879         * bytecompiler/BytecodeGenerator.cpp:
1880         (JSC::BytecodeGenerator::BytecodeGenerator):
1881         (JSC::BytecodeGenerator::emitMoveEmptyValue):
1882         We cannot profile the type of an uninitialized empty JSValue.
1883         Nor do we expect this to be necessary, since it is effectively
1884         an unseen undefined value. So add a way to put the empty value
1885         without profiling.
1886
1887         (JSC::BytecodeGenerator::emitMove):
1888         Add an assert to try to catch this issue early on, and force
1889         callers to explicitly use emitMoveEmptyValue instead.
1890
1891         * tests/typeProfiler/classes.js: Added.
1892         (wrapper.Base):
1893         (wrapper.Derived):
1894         (wrapper):
1895         Add test coverage both for this case and classes in general.
1896
1897 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1898
1899         Web Inspector: ES6: Provide a better view for Classes in the console
1900         https://bugs.webkit.org/show_bug.cgi?id=142999
1901
1902         Reviewed by Timothy Hatcher.
1903
1904         * inspector/protocol/Runtime.json:
1905         Provide a new `subtype` enum "class". This is a subtype of `type`
1906         "function", all other subtypes are subtypes of `object` types.
1907         For a class, the frontend will immediately want to get the prototype
1908         to enumerate its methods, so include the `classPrototype`.
1909
1910         * inspector/JSInjectedScriptHost.cpp:
1911         (Inspector::JSInjectedScriptHost::subtype):
1912         Denote class construction functions as "class" subtypes.
1913
1914         * inspector/InjectedScriptSource.js:
1915         Handling for the new "class" type.
1916
1917         * bytecode/UnlinkedCodeBlock.h:
1918         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
1919         * runtime/Executable.h:
1920         (JSC::FunctionExecutable::isClassConstructorFunction):
1921         * runtime/JSFunction.h:
1922         * runtime/JSFunctionInlines.h:
1923         (JSC::JSFunction::isClassConstructorFunction):
1924         Check if this function is a class constructor function. That information
1925         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
1926
1927 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1928
1929         Function.prototype.toString should not decompile the AST
1930         https://bugs.webkit.org/show_bug.cgi?id=142853
1931
1932         Reviewed by Darin Adler.
1933
1934         Following up on Darin's review comments.
1935
1936         * runtime/FunctionConstructor.cpp:
1937         (JSC::constructFunctionSkippingEvalEnabledCheck):
1938
1939 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1940
1941         "lineNo" does not match WebKit coding style guidelines
1942         https://bugs.webkit.org/show_bug.cgi?id=143119
1943
1944         Reviewed by Michael Saboff.
1945
1946         We can afford to use whole words.
1947
1948         * bytecode/CodeBlock.cpp:
1949         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1950         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
1951         * bytecode/UnlinkedCodeBlock.cpp:
1952         (JSC::UnlinkedFunctionExecutable::link):
1953         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1954         * bytecode/UnlinkedCodeBlock.h:
1955         * bytecompiler/NodesCodegen.cpp:
1956         (JSC::WhileNode::emitBytecode):
1957         * debugger/Debugger.cpp:
1958         (JSC::Debugger::toggleBreakpoint):
1959         * interpreter/Interpreter.cpp:
1960         (JSC::StackFrame::computeLineAndColumn):
1961         (JSC::GetStackTraceFunctor::operator()):
1962         (JSC::Interpreter::execute):
1963         * interpreter/StackVisitor.cpp:
1964         (JSC::StackVisitor::Frame::computeLineAndColumn):
1965         * parser/Nodes.h:
1966         (JSC::Node::firstLine):
1967         (JSC::Node::lineNo): Deleted.
1968         (JSC::StatementNode::firstLine): Deleted.
1969         * parser/ParserError.h:
1970         (JSC::ParserError::toErrorObject):
1971         * profiler/LegacyProfiler.cpp:
1972         (JSC::createCallIdentifierFromFunctionImp):
1973         * runtime/CodeCache.cpp:
1974         (JSC::CodeCache::getGlobalCodeBlock):
1975         * runtime/Executable.cpp:
1976         (JSC::ScriptExecutable::ScriptExecutable):
1977         (JSC::ScriptExecutable::newCodeBlockFor):
1978         (JSC::FunctionExecutable::fromGlobalCode):
1979         * runtime/Executable.h:
1980         (JSC::ScriptExecutable::firstLine):
1981         (JSC::ScriptExecutable::setOverrideLineNumber):
1982         (JSC::ScriptExecutable::hasOverrideLineNumber):
1983         (JSC::ScriptExecutable::overrideLineNumber):
1984         (JSC::ScriptExecutable::lineNo): Deleted.
1985         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
1986         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
1987         (JSC::ScriptExecutable::overrideLineNo): Deleted.
1988         * runtime/FunctionConstructor.cpp:
1989         (JSC::constructFunctionSkippingEvalEnabledCheck):
1990         * runtime/FunctionConstructor.h:
1991         * tools/CodeProfile.cpp:
1992         (JSC::CodeProfile::report):
1993         * tools/CodeProfile.h:
1994         (JSC::CodeProfile::CodeProfile):
1995
1996 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1997
1998         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
1999         https://bugs.webkit.org/show_bug.cgi?id=142974
2000
2001         Reviewed by Joseph Pecoraro.
2002
2003         This patch does two things:
2004
2005         (1) Restore JavaScriptCore's sanitization of line and column numbers to
2006         one-based values.
2007
2008         We need this because WebCore sometimes provides huge negative column
2009         numbers.
2010
2011         (2) Solve the attribute event listener line numbering problem a different
2012         way: Rather than offsetting all line numbers by -1 in an attribute event
2013         listener in order to arrange for a custom result, instead use an explicit
2014         feature for saying "all errors in this code should map to this line number".
2015
2016         * bytecode/UnlinkedCodeBlock.cpp:
2017         (JSC::UnlinkedFunctionExecutable::link):
2018         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2019         * bytecode/UnlinkedCodeBlock.h:
2020         * interpreter/Interpreter.cpp:
2021         (JSC::StackFrame::computeLineAndColumn):
2022         (JSC::GetStackTraceFunctor::operator()):
2023         * interpreter/Interpreter.h:
2024         * interpreter/StackVisitor.cpp:
2025         (JSC::StackVisitor::Frame::computeLineAndColumn):
2026         * parser/ParserError.h:
2027         (JSC::ParserError::toErrorObject): Plumb through an override line number.
2028         When a function has an override line number, all syntax and runtime
2029         errors in the function will map to it. This is useful for attribute event
2030         listeners.
2031  
2032         * parser/SourceCode.h:
2033         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
2034         column numbers to one-based integers. It was kind of a hack to remove this.
2035
2036         * runtime/Executable.cpp:
2037         (JSC::ScriptExecutable::ScriptExecutable):
2038         (JSC::FunctionExecutable::fromGlobalCode):
2039         * runtime/Executable.h:
2040         (JSC::ScriptExecutable::setOverrideLineNo):
2041         (JSC::ScriptExecutable::hasOverrideLineNo):
2042         (JSC::ScriptExecutable::overrideLineNo):
2043         * runtime/FunctionConstructor.cpp:
2044         (JSC::constructFunctionSkippingEvalEnabledCheck):
2045         * runtime/FunctionConstructor.h: Plumb through an override line number.
2046
2047 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2048
2049         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
2050
2051         Reviewed by Michael Saboff.
2052
2053         * jit/JITPropertyAccess.cpp:
2054         (JSC::JIT::emitScopedArgumentsGetByVal):
2055         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
2056
2057 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2058
2059         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
2060         https://bugs.webkit.org/show_bug.cgi?id=143098
2061
2062         Reviewed by Csaba Osztrogonác.
2063
2064         * ftl/FTLLowerDFGToLLVM.cpp:
2065         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
2066         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
2067
2068 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
2069
2070         Unreviewed gardening, skip failing tests on AArch64 Linux.
2071
2072         * tests/mozilla/mozilla-tests.yaml:
2073         * tests/stress/cached-prototype-setter.js:
2074
2075 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2076
2077         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
2078
2079         * dfg/DFGConstantFoldingPhase.cpp:
2080         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
2081         * ftl/FTLCompile.cpp:
2082         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
2083         * ftl/FTLState.cpp:
2084         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
2085         * ftl/FTLState.h:
2086
2087 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2088
2089         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
2090         right, so this just makes 32-bit do the same.
2091
2092         * dfg/DFGSpeculativeJIT32_64.cpp:
2093         (JSC::DFG::SpeculativeJIT::emitCall):
2094
2095 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2096
2097         Fix a typo that ggaren found but that I didn't fix before.
2098
2099         * runtime/DirectArgumentsOffset.h:
2100
2101 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2102
2103         Unreviewed, VC found a bug. This fixes the bug.
2104
2105         * dfg/DFGConstantFoldingPhase.cpp:
2106         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2107
2108 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2109
2110         Unreviewed, try to fix Windows build.
2111
2112         * runtime/ClonedArguments.cpp:
2113         (JSC::ClonedArguments::createWithInlineFrame):
2114
2115 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2116
2117         Unreviewed, fix debug build.
2118
2119         * bytecompiler/NodesCodegen.cpp:
2120         (JSC::ConstDeclNode::emitCodeSingle):
2121
2122 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2123
2124         Unreviewed, fix CLOOP build.
2125
2126         * dfg/DFGMinifiedID.h:
2127
2128 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2129
2130         Heap variables shouldn't end up in the stack frame
2131         https://bugs.webkit.org/show_bug.cgi?id=141174
2132
2133         Reviewed by Geoffrey Garen.
2134         
2135         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
2136         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
2137         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
2138         simplifications:
2139         
2140         - Accesses to variables no longer need checks or indirections to determine where the variable is
2141           at that moment in time. For example, loading a closure variable now takes just one load instead
2142           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
2143           (when no arguments object allocation is required) while previously that same operation required
2144           a "did I allocate arguments yet" check, a bounds check, and then the load.
2145         
2146         - Reasoning about the allocation of an activation or arguments object now follows the same simple
2147           logic as the allocation of any other kind of object. Previously, those objects were lazily
2148           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
2149           allocate anything at all. This made the implementation of traditional escape analyses really
2150           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
2151           arguments object using the usual SSA tricks which allows for more comprehensive removal.
2152         
2153         - The allocations of arguments objects, functions, and activations are now much faster. While
2154           this patch generally expands our ability to eliminate arguments object allocations, an earlier
2155           version of the patch - which lacked that functionality - was a progression on some arguments-
2156           and closure-happy benchmarks because although no allocations were eliminated, all allocations
2157           were faster.
2158         
2159         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
2160           its arguments objects or activations. The runtime doesn't have to do things to the arguments
2161           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
2162           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
2163           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
2164           now gone. This also enables implementing block-scoping. Without this change, block-scope
2165           support would require telling CodeBlock and all of the rest of the runtime about all of the
2166           variables that store currently-live scopes. That would have been so disastrously hard that it
2167           might as well be impossible. With this change, it's fair game for the bytecode generator to
2168           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
2169           however long it wants. This all works, because after bytecode generation, an activation is just
2170           an object and variables that refer to it are just normal variables.
2171         
2172         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
2173           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
2174           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
2175           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
2176           an arguments object.
2177         
2178         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
2179           using activations used to prevent inlining; now functions that use activations can be inlined
2180           just fine.
2181         
2182         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
2183         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
2184         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
2185         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
2186         
2187         The easiest way of understanding this change is to start by looking at the changes in runtime/,
2188         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
2189
2190         * CMakeLists.txt:
2191         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2192         * JavaScriptCore.xcodeproj/project.pbxproj:
2193         * assembler/AbortReason.h:
2194         * assembler/AbstractMacroAssembler.h:
2195         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
2196         * bytecode/ByValInfo.h:
2197         (JSC::hasOptimizableIndexingForJSType):
2198         (JSC::hasOptimizableIndexing):
2199         (JSC::jitArrayModeForJSType):
2200         (JSC::jitArrayModePermitsPut):
2201         (JSC::jitArrayModeForStructure):
2202         * bytecode/BytecodeKills.h: Added.
2203         (JSC::BytecodeKills::BytecodeKills):
2204         (JSC::BytecodeKills::operandIsKilled):
2205         (JSC::BytecodeKills::forEachOperandKilledAt):
2206         (JSC::BytecodeKills::KillSet::KillSet):
2207         (JSC::BytecodeKills::KillSet::add):
2208         (JSC::BytecodeKills::KillSet::forEachLocal):
2209         (JSC::BytecodeKills::KillSet::contains):
2210         * bytecode/BytecodeList.json:
2211         * bytecode/BytecodeLivenessAnalysis.cpp:
2212         (JSC::isValidRegisterForLiveness):
2213         (JSC::stepOverInstruction):
2214         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
2215         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
2216         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
2217         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2218         (JSC::BytecodeLivenessAnalysis::computeKills):
2219         (JSC::indexForOperand): Deleted.
2220         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
2221         (JSC::getLivenessInfo): Deleted.
2222         * bytecode/BytecodeLivenessAnalysis.h:
2223         * bytecode/BytecodeLivenessAnalysisInlines.h:
2224         (JSC::operandIsAlwaysLive):
2225         (JSC::operandThatIsNotAlwaysLiveIsLive):
2226         (JSC::operandIsLive):
2227         * bytecode/BytecodeUseDef.h:
2228         (JSC::computeUsesForBytecodeOffset):
2229         (JSC::computeDefsForBytecodeOffset):
2230         * bytecode/CodeBlock.cpp:
2231         (JSC::CodeBlock::dumpBytecode):
2232         (JSC::CodeBlock::CodeBlock):
2233         (JSC::CodeBlock::nameForRegister):
2234         (JSC::CodeBlock::validate):
2235         (JSC::CodeBlock::isCaptured): Deleted.
2236         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
2237         (JSC::CodeBlock::machineSlowArguments): Deleted.
2238         * bytecode/CodeBlock.h:
2239         (JSC::unmodifiedArgumentsRegister): Deleted.
2240         (JSC::CodeBlock::setArgumentsRegister): Deleted.
2241         (JSC::CodeBlock::argumentsRegister): Deleted.
2242         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
2243         (JSC::CodeBlock::usesArguments): Deleted.
2244         (JSC::CodeBlock::captureCount): Deleted.
2245         (JSC::CodeBlock::captureStart): Deleted.
2246         (JSC::CodeBlock::captureEnd): Deleted.
2247         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
2248         (JSC::CodeBlock::hasSlowArguments): Deleted.
2249         (JSC::ExecState::argumentAfterCapture): Deleted.
2250         * bytecode/CodeOrigin.h:
2251         * bytecode/DataFormat.h:
2252         (JSC::dataFormatToString):
2253         * bytecode/FullBytecodeLiveness.h:
2254         (JSC::FullBytecodeLiveness::getLiveness):
2255         (JSC::FullBytecodeLiveness::operandIsLive):
2256         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
2257         (JSC::FullBytecodeLiveness::getOut): Deleted.
2258         * bytecode/Instruction.h:
2259         (JSC::Instruction::Instruction):
2260         * bytecode/Operands.h:
2261         (JSC::Operands::virtualRegisterForIndex):
2262         * bytecode/SpeculatedType.cpp:
2263         (JSC::dumpSpeculation):
2264         (JSC::speculationToAbbreviatedString):
2265         (JSC::speculationFromClassInfo):
2266         * bytecode/SpeculatedType.h:
2267         (JSC::isDirectArgumentsSpeculation):
2268         (JSC::isScopedArgumentsSpeculation):
2269         (JSC::isActionableMutableArraySpeculation):
2270         (JSC::isActionableArraySpeculation):
2271         (JSC::isArgumentsSpeculation): Deleted.
2272         * bytecode/UnlinkedCodeBlock.cpp:
2273         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2274         * bytecode/UnlinkedCodeBlock.h:
2275         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
2276         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
2277         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
2278         * bytecode/ValueRecovery.cpp:
2279         (JSC::ValueRecovery::dumpInContext):
2280         * bytecode/ValueRecovery.h:
2281         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
2282         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
2283         (JSC::ValueRecovery::nodeID):
2284         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
2285         * bytecode/VirtualRegister.h:
2286         (JSC::VirtualRegister::operator==):
2287         (JSC::VirtualRegister::operator!=):
2288         (JSC::VirtualRegister::operator<):
2289         (JSC::VirtualRegister::operator>):
2290         (JSC::VirtualRegister::operator<=):
2291         (JSC::VirtualRegister::operator>=):
2292         * bytecompiler/BytecodeGenerator.cpp:
2293         (JSC::BytecodeGenerator::generate):
2294         (JSC::BytecodeGenerator::BytecodeGenerator):
2295         (JSC::BytecodeGenerator::initializeNextParameter):
2296         (JSC::BytecodeGenerator::visibleNameForParameter):
2297         (JSC::BytecodeGenerator::emitMove):
2298         (JSC::BytecodeGenerator::variable):
2299         (JSC::BytecodeGenerator::createVariable):
2300         (JSC::BytecodeGenerator::emitResolveScope):
2301         (JSC::BytecodeGenerator::emitGetFromScope):
2302         (JSC::BytecodeGenerator::emitPutToScope):
2303         (JSC::BytecodeGenerator::initializeVariable):
2304         (JSC::BytecodeGenerator::emitInstanceOf):
2305         (JSC::BytecodeGenerator::emitNewFunction):
2306         (JSC::BytecodeGenerator::emitNewFunctionInternal):
2307         (JSC::BytecodeGenerator::emitCall):
2308         (JSC::BytecodeGenerator::emitReturn):
2309         (JSC::BytecodeGenerator::emitConstruct):
2310         (JSC::BytecodeGenerator::isArgumentNumber):
2311         (JSC::BytecodeGenerator::emitEnumeration):
2312         (JSC::BytecodeGenerator::addVar): Deleted.
2313         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
2314         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
2315         (JSC::BytecodeGenerator::resolveCallee): Deleted.
2316         (JSC::BytecodeGenerator::addCallee): Deleted.
2317         (JSC::BytecodeGenerator::addParameter): Deleted.
2318         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
2319         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
2320         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
2321         (JSC::BytecodeGenerator::isCaptured): Deleted.
2322         (JSC::BytecodeGenerator::local): Deleted.
2323         (JSC::BytecodeGenerator::constLocal): Deleted.
2324         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
2325         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
2326         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
2327         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
2328         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
2329         * bytecompiler/BytecodeGenerator.h:
2330         (JSC::Variable::Variable):
2331         (JSC::Variable::isResolved):
2332         (JSC::Variable::ident):
2333         (JSC::Variable::offset):
2334         (JSC::Variable::isLocal):
2335         (JSC::Variable::local):
2336         (JSC::Variable::isSpecial):
2337         (JSC::BytecodeGenerator::argumentsRegister):
2338         (JSC::BytecodeGenerator::emitNode):
2339         (JSC::BytecodeGenerator::registerFor):
2340         (JSC::Local::Local): Deleted.
2341         (JSC::Local::operator bool): Deleted.
2342         (JSC::Local::get): Deleted.
2343         (JSC::Local::isSpecial): Deleted.
2344         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
2345         (JSC::ResolveScopeInfo::isLocal): Deleted.
2346         (JSC::ResolveScopeInfo::localIndex): Deleted.
2347         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
2348         (JSC::BytecodeGenerator::captureMode): Deleted.
2349         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
2350         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
2351         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
2352         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
2353         * bytecompiler/NodesCodegen.cpp:
2354         (JSC::ResolveNode::isPure):
2355         (JSC::ResolveNode::emitBytecode):
2356         (JSC::BracketAccessorNode::emitBytecode):
2357         (JSC::DotAccessorNode::emitBytecode):
2358         (JSC::EvalFunctionCallNode::emitBytecode):
2359         (JSC::FunctionCallResolveNode::emitBytecode):
2360         (JSC::CallFunctionCallDotNode::emitBytecode):
2361         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2362         (JSC::PostfixNode::emitResolve):
2363         (JSC::DeleteResolveNode::emitBytecode):
2364         (JSC::TypeOfResolveNode::emitBytecode):
2365         (JSC::PrefixNode::emitResolve):
2366         (JSC::ReadModifyResolveNode::emitBytecode):
2367         (JSC::AssignResolveNode::emitBytecode):
2368         (JSC::ConstDeclNode::emitCodeSingle):
2369         (JSC::EmptyVarExpression::emitBytecode):
2370         (JSC::ForInNode::tryGetBoundLocal):
2371         (JSC::ForInNode::emitLoopHeader):
2372         (JSC::ForOfNode::emitBytecode):
2373         (JSC::ArrayPatternNode::emitDirectBinding):
2374         (JSC::BindingNode::bindValue):
2375         (JSC::getArgumentByVal): Deleted.
2376         * dfg/DFGAbstractHeap.h:
2377         * dfg/DFGAbstractInterpreter.h:
2378         * dfg/DFGAbstractInterpreterInlines.h:
2379         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2380         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
2381         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
2382         * dfg/DFGAbstractValue.h:
2383         * dfg/DFGArgumentPosition.h:
2384         (JSC::DFG::ArgumentPosition::addVariable):
2385         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
2386         (JSC::DFG::performArgumentsElimination):
2387         * dfg/DFGArgumentsEliminationPhase.h: Added.
2388         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
2389         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
2390         * dfg/DFGArgumentsUtilities.cpp: Added.
2391         (JSC::DFG::argumentsInvolveStackSlot):
2392         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2393         * dfg/DFGArgumentsUtilities.h: Added.
2394         * dfg/DFGArrayMode.cpp:
2395         (JSC::DFG::ArrayMode::refine):
2396         (JSC::DFG::ArrayMode::alreadyChecked):
2397         (JSC::DFG::arrayTypeToString):
2398         * dfg/DFGArrayMode.h:
2399         (JSC::DFG::ArrayMode::canCSEStorage):
2400         (JSC::DFG::ArrayMode::modeForPut):
2401         * dfg/DFGAvailabilityMap.cpp:
2402         (JSC::DFG::AvailabilityMap::prune):
2403         * dfg/DFGAvailabilityMap.h:
2404         (JSC::DFG::AvailabilityMap::closeOverNodes):
2405         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
2406         * dfg/DFGBackwardsPropagationPhase.cpp:
2407         (JSC::DFG::BackwardsPropagationPhase::propagate):
2408         * dfg/DFGByteCodeParser.cpp:
2409         (JSC::DFG::ByteCodeParser::newVariableAccessData):
2410         (JSC::DFG::ByteCodeParser::getLocal):
2411         (JSC::DFG::ByteCodeParser::setLocal):
2412         (JSC::DFG::ByteCodeParser::getArgument):
2413         (JSC::DFG::ByteCodeParser::setArgument):
2414         (JSC::DFG::ByteCodeParser::flushDirect):
2415         (JSC::DFG::ByteCodeParser::flush):
2416         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
2417         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2418         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2419         (JSC::DFG::ByteCodeParser::handleInlining):
2420         (JSC::DFG::ByteCodeParser::parseBlock):
2421         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2422         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2423         * dfg/DFGCPSRethreadingPhase.cpp:
2424         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
2425         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2426         * dfg/DFGCSEPhase.cpp:
2427         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
2428         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
2429         * dfg/DFGCapabilities.cpp:
2430         (JSC::DFG::isSupportedForInlining):
2431         (JSC::DFG::capabilityLevel):
2432         * dfg/DFGClobberize.h:
2433         (JSC::DFG::clobberize):
2434         * dfg/DFGCommon.h:
2435         * dfg/DFGCommonData.h:
2436         (JSC::DFG::CommonData::CommonData):
2437         * dfg/DFGConstantFoldingPhase.cpp:
2438         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2439         * dfg/DFGDCEPhase.cpp:
2440         (JSC::DFG::DCEPhase::cleanVariables):
2441         * dfg/DFGDisassembler.h:
2442         * dfg/DFGDoesGC.cpp:
2443         (JSC::DFG::doesGC):
2444         * dfg/DFGFixupPhase.cpp:
2445         (JSC::DFG::FixupPhase::fixupNode):
2446         * dfg/DFGFlushFormat.cpp:
2447         (WTF::printInternal):
2448         * dfg/DFGFlushFormat.h:
2449         (JSC::DFG::resultFor):
2450         (JSC::DFG::useKindFor):
2451         (JSC::DFG::dataFormatFor):
2452         * dfg/DFGForAllKills.h: Added.
2453         (JSC::DFG::forAllLiveNodesAtTail):
2454         (JSC::DFG::forAllDirectlyKilledOperands):
2455         (JSC::DFG::forAllKilledOperands):
2456         (JSC::DFG::forAllKilledNodesAtNodeIndex):
2457         (JSC::DFG::forAllKillsInBlock):
2458         * dfg/DFGGraph.cpp:
2459         (JSC::DFG::Graph::Graph):
2460         (JSC::DFG::Graph::dump):
2461         (JSC::DFG::Graph::substituteGetLocal):
2462         (JSC::DFG::Graph::livenessFor):
2463         (JSC::DFG::Graph::killsFor):
2464         (JSC::DFG::Graph::tryGetConstantClosureVar):
2465         (JSC::DFG::Graph::tryGetRegisters): Deleted.
2466         * dfg/DFGGraph.h:
2467         (JSC::DFG::Graph::symbolTableFor):
2468         (JSC::DFG::Graph::uses):
2469         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
2470         (JSC::DFG::Graph::capturedVarsFor): Deleted.
2471         (JSC::DFG::Graph::usesArguments): Deleted.
2472         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
2473         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
2474         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
2475         * dfg/DFGHeapLocation.cpp:
2476         (WTF::printInternal):
2477         * dfg/DFGHeapLocation.h:
2478         * dfg/DFGInPlaceAbstractState.cpp:
2479         (JSC::DFG::InPlaceAbstractState::initialize):
2480         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2481         * dfg/DFGJITCompiler.cpp:
2482         (JSC::DFG::JITCompiler::link):
2483         * dfg/DFGMayExit.cpp:
2484         (JSC::DFG::mayExit):
2485         * dfg/DFGMinifiedID.h:
2486         * dfg/DFGMinifiedNode.cpp:
2487         (JSC::DFG::MinifiedNode::fromNode):
2488         * dfg/DFGMinifiedNode.h:
2489         (JSC::DFG::belongsInMinifiedGraph):
2490         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
2491         (JSC::DFG::MinifiedNode::inlineCallFrame):
2492         * dfg/DFGNode.cpp:
2493         (JSC::DFG::Node::convertToIdentityOn):
2494         * dfg/DFGNode.h:
2495         (JSC::DFG::Node::hasConstant):
2496         (JSC::DFG::Node::constant):
2497         (JSC::DFG::Node::hasScopeOffset):
2498         (JSC::DFG::Node::scopeOffset):
2499         (JSC::DFG::Node::hasDirectArgumentsOffset):
2500         (JSC::DFG::Node::capturedArgumentsOffset):
2501         (JSC::DFG::Node::variablePointer):
2502         (JSC::DFG::Node::hasCallVarargsData):
2503         (JSC::DFG::Node::hasLoadVarargsData):
2504         (JSC::DFG::Node::hasHeapPrediction):
2505         (JSC::DFG::Node::hasCellOperand):
2506         (JSC::DFG::Node::objectMaterializationData):
2507         (JSC::DFG::Node::isPhantomAllocation):
2508         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2509         (JSC::DFG::Node::shouldSpeculateDirectArguments):
2510         (JSC::DFG::Node::shouldSpeculateScopedArguments):
2511         (JSC::DFG::Node::isPhantomArguments): Deleted.
2512         (JSC::DFG::Node::hasVarNumber): Deleted.
2513         (JSC::DFG::Node::varNumber): Deleted.
2514         (JSC::DFG::Node::registerPointer): Deleted.
2515         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
2516         * dfg/DFGNodeType.h:
2517         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2518         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2519         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2520         * dfg/DFGOSRExitCompiler.cpp:
2521         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
2522         * dfg/DFGOSRExitCompiler.h:
2523         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
2524         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
2525         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
2526         * dfg/DFGOSRExitCompiler32_64.cpp:
2527         (JSC::DFG::OSRExitCompiler::compileExit):
2528         * dfg/DFGOSRExitCompiler64.cpp:
2529         (JSC::DFG::OSRExitCompiler::compileExit):
2530         * dfg/DFGOSRExitCompilerCommon.cpp:
2531         (JSC::DFG::reifyInlinedCallFrames):
2532         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
2533         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
2534         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
2535         * dfg/DFGOSRExitCompilerCommon.h:
2536         * dfg/DFGOperations.cpp:
2537         * dfg/DFGOperations.h:
2538         * dfg/DFGPlan.cpp:
2539         (JSC::DFG::Plan::compileInThreadImpl):
2540         * dfg/DFGPreciseLocalClobberize.h:
2541         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
2542         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
2543         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
2544         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2545         (JSC::DFG::preciseLocalClobberize):
2546         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
2547         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
2548         * dfg/DFGPredictionPropagationPhase.cpp:
2549         (JSC::DFG::PredictionPropagationPhase::run):
2550         (JSC::DFG::PredictionPropagationPhase::propagate):
2551         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2552         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
2553         * dfg/DFGPromoteHeapAccess.h:
2554         (JSC::DFG::promoteHeapAccess):
2555         * dfg/DFGPromotedHeapLocation.cpp:
2556         (WTF::printInternal):
2557         * dfg/DFGPromotedHeapLocation.h:
2558         * dfg/DFGSSAConversionPhase.cpp:
2559         (JSC::DFG::SSAConversionPhase::run):
2560         * dfg/DFGSafeToExecute.h:
2561         (JSC::DFG::safeToExecute):
2562         * dfg/DFGSpeculativeJIT.cpp:
2563         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2564         (JSC::DFG::SpeculativeJIT::emitGetLength):
2565         (JSC::DFG::SpeculativeJIT::emitGetCallee):
2566         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
2567         (JSC::DFG::SpeculativeJIT::checkArray):
2568         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2569         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
        (JSC::DFG::SpeculativeJIT::compilePutToArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVarargsForwardingPhase.cpp: Added.
        (JSC::DFG::performVarargsForwarding):
        * dfg/DFGVarargsForwardingPhase.h: Added.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::flushFormat):
        (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldNeverUnbox):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::isCaptured): Deleted.
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
        (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
        * dfg/DFGVariableAccessDataDump.cpp:
        (JSC::DFG::VariableAccessDataDump::dump):
        * dfg/DFGVariableAccessDataDump.h:
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
        * dfg/DFGVariableEventStream.h:
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractField::dump):
        (JSC::FTL::IndexedAbstractHeap::dump):
        (JSC::FTL::NumberedAbstractHeap::dump):
        (JSC::FTL::AbsoluteAbstractHeap::dump):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitArgument.cpp:
        (JSC::FTL::ExitArgument::dump):
        * ftl/FTLExitPropertyValue.cpp:
        (JSC::FTL::ExitPropertyValue::withLocalsOffset):
        * ftl/FTLExitPropertyValue.h:
        * ftl/FTLExitTimeObjectMaterialization.cpp:
        (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
        * ftl/FTLExitTimeObjectMaterialization.h:
        (JSC::FTL::ExitTimeObjectMaterialization::origin):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::withLocalsOffset):
        (JSC::FTL::ExitValue::valueFormat):
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isArgument):
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::valueFormat): Deleted.
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCallForwardVarargs):
        (JSC::FTL::sizeOfConstructForwardVarargs):
        (JSC::FTL::sizeOfICFor):
        * ftl/FTLInlineCacheSize.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSCallVarargs.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStack):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
        (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
        (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
        (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
        (JSC::FTL::LowerDFGToLLVM::baseIndex):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::zeroExtPtr):
        * heap/CopyToken.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::getArgumentUnsafe):
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        (JSC::unwindCallFrame):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        (JSC::StackVisitor::Frame::existingArguments): Deleted.
        * interpreter/StackVisitor.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::storeTrustedValue):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIsEmpty):
        (JSC::AssemblyHelpers::argumentsStart):
        (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
        (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
        (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgument):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::withTwoAvailableRegs):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emit_op_create_direct_arguments):
        (JSC::JIT::emit_op_create_scoped_arguments):
        (JSC::JIT::emit_op_create_out_of_band_arguments):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ScopeNode::captures):
        * runtime/Arguments.cpp: Removed.
        * runtime/Arguments.h: Removed.
        * runtime/ArgumentsMode.h: Added.
        * runtime/DirectArgumentsOffset.cpp: Added.
        (JSC::DirectArgumentsOffset::dump):
        * runtime/DirectArgumentsOffset.h: Added.
        (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstantMode.cpp: Added.
        (WTF::printInternal):
        * runtime/ConstantMode.h:
        (JSC::modeForIsConstant):
        * runtime/DirectArguments.cpp: Added.
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::copyBackingStore):
        (JSC::DirectArguments::createStructure):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::overrideThingsIfNecessary):
        (JSC::DirectArguments::overrideArgument):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::overridesSize):
        * runtime/DirectArguments.h: Added.
        (JSC::DirectArguments::internalLength):
        (JSC::DirectArguments::length):
        (JSC::DirectArguments::canAccessIndexQuickly):
        (JSC::DirectArguments::getIndexQuickly):
        (JSC::DirectArguments::setIndexQuickly):
        (JSC::DirectArguments::callee):
        (JSC::DirectArguments::argument):
        (JSC::DirectArguments::overrodeThings):
        (JSC::DirectArguments::offsetOfCallee):
        (JSC::DirectArguments::offsetOfLength):
        (JSC::DirectArguments::offsetOfMinCapacity):
        (JSC::DirectArguments::offsetOfOverrides):
        (JSC::DirectArguments::storageOffset):
        (JSC::DirectArguments::offsetOfSlot):
        (JSC::DirectArguments::allocationSize):
        (JSC::DirectArguments::storage):
        * runtime/FunctionPrototype.cpp:
        * runtime/GenericArguments.h: Added.
        (JSC::GenericArguments::GenericArguments):
        * runtime/GenericArgumentsInlines.h: Added.
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::putByIndex):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::deletePropertyByIndex):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        (JSC::GenericArguments<Type>::copyToArguments):
        * runtime/GenericOffset.h: Added.
        (JSC::GenericOffset::GenericOffset):
        (JSC::GenericOffset::operator!):
        (JSC::GenericOffset::offsetUnchecked):
        (JSC::GenericOffset::offset):
        (JSC::GenericOffset::operator==):
        (JSC::GenericOffset::operator!=):
        (JSC::GenericOffset::operator<):
        (JSC::GenericOffset::operator>):
        (JSC::GenericOffset::operator<=):
        (JSC::GenericOffset::operator>=):
        (JSC::GenericOffset::operator+):
        (JSC::GenericOffset::operator-):
        (JSC::GenericOffset::operator+=):
        (JSC::GenericOffset::operator-=):
        * runtime/JSArgumentsIterator.cpp:
        (JSC::JSArgumentsIterator::finishCreation):
        (JSC::argumentsFuncIterator):
        * runtime/JSArgumentsIterator.h:
        (JSC::JSArgumentsIterator::create):
        (JSC::JSArgumentsIterator::next):
        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::variables):
        (JSC::JSEnvironmentRecord::isValid):
        (JSC::JSEnvironmentRecord::variableAt):
        (JSC::JSEnvironmentRecord::offsetOfVariables):
        (JSC::JSEnvironmentRecord::offsetOfVariable):
        (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
        (JSC::JSEnvironmentRecord::allocationSize):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        (JSC::JSEnvironmentRecord::finishCreationUninitialized):
        (JSC::JSEnvironmentRecord::finishCreation):
        (JSC::JSEnvironmentRecord::registers): Deleted.
        (JSC::JSEnvironmentRecord::registerAt): Deleted.
        (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
        (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::outOfBandArgumentsStructure):
        (JSC::JSGlobalObject::argumentsStructure): Deleted.
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
        (JSC::JSLexicalEnvironment::visitChildren): Deleted.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::JSLexicalEnvironment::registersOffset): Deleted.
        (JSC::JSLexicalEnvironment::storageOffset): Deleted.
        (JSC::JSLexicalEnvironment::storage): Deleted.
        (JSC::JSLexicalEnvironment::allocationSize): Deleted.
        (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
        (JSC::JSLexicalEnvironment::isValid): Deleted.
        (JSC::JSLexicalEnvironment::registerAt): Deleted.
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren): Deleted.
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::value):
        (JSC::JSNameScope::finishCreation):
        (JSC::JSNameScope::JSNameScope):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::findVariableIndex):
        (JSC::JSSegmentedVariableObject::addVariables):
        (JSC::JSSegmentedVariableObject::visitChildren):
        (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
        (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::variableAt):
        (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
        (JSC::JSSegmentedVariableObject::registerAt): Deleted.
        (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::offsetOfSymbolTable):
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/JSType.h:
        * runtime/Options.h:
        * runtime/ClonedArguments.cpp: Added.
        (JSC::ClonedArguments::ClonedArguments):
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::createStructure):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::getOwnPropertyNames):
        (JSC::ClonedArguments::put):
        (JSC::ClonedArguments::deleteProperty):
        (JSC::ClonedArguments::defineOwnProperty):
        (JSC::ClonedArguments::materializeSpecials):
        (JSC::ClonedArguments::materializeSpecialsIfNecessary):
        * runtime/ClonedArguments.h: Added.
        (JSC::ClonedArguments::specialsMaterialized):
        * runtime/ScopeOffset.cpp: Added.
        (JSC::ScopeOffset::dump):
        * runtime/ScopeOffset.h: Added.
        (JSC::ScopeOffset::ScopeOffset):
        * runtime/ScopedArguments.cpp: Added.
        (JSC::ScopedArguments::ScopedArguments):
        (JSC::ScopedArguments::finishCreation):
        (JSC::ScopedArguments::createUninitialized):
        (JSC::ScopedArguments::create):
        (JSC::ScopedArguments::createByCopying):
        (JSC::ScopedArguments::createByCopyingFrom):
        (JSC::ScopedArguments::visitChildren):
        (JSC::ScopedArguments::createStructure):
        (JSC::ScopedArguments::overrideThings):
        (JSC::ScopedArguments::overrideThingsIfNecessary):
        (JSC::ScopedArguments::overrideArgument):
        (JSC::ScopedArguments::copyToArguments):
        * runtime/ScopedArguments.h: Added.
        (JSC::ScopedArguments::internalLength):
        (JSC::ScopedArguments::length):
        (JSC::ScopedArguments::canAccessIndexQuickly):
        (JSC::ScopedArguments::getIndexQuickly):
        (JSC::ScopedArguments::setIndexQuickly):
        (JSC::ScopedArguments::callee):
        (JSC::ScopedArguments::overrodeThings):
        (JSC::ScopedArguments::offsetOfOverrodeThings):
        (JSC::ScopedArguments::offsetOfTotalLength):
        (JSC::ScopedArguments::offsetOfTable):
        (JSC::ScopedArguments::offsetOfScope):
        (JSC::ScopedArguments::overflowStorageOffset):
        (JSC::ScopedArguments::allocationSize):
        (JSC::ScopedArguments::overflowStorage):
        * runtime/ScopedArgumentsTable.cpp: Added.
        (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
        (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
        (JSC::ScopedArgumentsTable::destroy):
        (JSC::ScopedArgumentsTable::create):
        (JSC::ScopedArgumentsTable::clone):
        (JSC::ScopedArgumentsTable::setLength):
        (JSC::ScopedArgumentsTable::set):
        (JSC::ScopedArgumentsTable::createStructure):
        * runtime/ScopedArgumentsTable.h: Added.
        (JSC::ScopedArgumentsTable::length):
        (JSC::ScopedArgumentsTable::get):
        (JSC::ScopedArgumentsTable::lock):
        (JSC::ScopedArgumentsTable::offsetOfLength):
        (JSC::ScopedArgumentsTable::offsetOfArguments):
        (JSC::ScopedArgumentsTable::at):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTable::localToEntry):
        (JSC::SymbolTable::entryFor):
        (JSC::SymbolTable::cloneScopePart):
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForOffset):
        (JSC::SymbolTable::globalTypeSetForOffset):
        (JSC::SymbolTable::cloneCapturedNames): Deleted.
        (JSC::SymbolTable::uniqueIDForRegister): Deleted.
        (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::varOffsetFromBits):
        (JSC::SymbolTableEntry::scopeOffsetFromBits):
        (JSC::SymbolTableEntry::Fast::varOffset):
        (JSC::SymbolTableEntry::Fast::scopeOffset):
        (JSC::SymbolTableEntry::Fast::isDontEnum):
        (JSC::SymbolTableEntry::Fast::getAttributes):
        (JSC::SymbolTableEntry::SymbolTableEntry):
        (JSC::SymbolTableEntry::varOffset):
        (JSC::SymbolTableEntry::isWatchable):
        (JSC::SymbolTableEntry::scopeOffset):
        (JSC::SymbolTableEntry::setAttributes):
        (JSC::SymbolTableEntry::constantMode):
        (JSC::SymbolTableEntry::isDontEnum):
        (JSC::SymbolTableEntry::disableWatching):
        (JSC::SymbolTableEntry::pack):
        (JSC::SymbolTableEntry::isValidVarOffset):
        (JSC::SymbolTable::createNameScopeTable):
        (JSC::SymbolTable::maxScopeOffset):
        (JSC::SymbolTable::didUseScopeOffset):
        (JSC::SymbolTable::didUseVarOffset):
        (JSC::SymbolTable::scopeSize):
        (JSC::SymbolTable::nextScopeOffset):
        (JSC::SymbolTable::takeNextScopeOffset):
        (JSC::SymbolTable::add):
        (JSC::SymbolTable::set):
        (JSC::SymbolTable::argumentsLength):
        (JSC::SymbolTable::setArgumentsLength):
        (JSC::SymbolTable::argumentOffset):
        (JSC::SymbolTable::setArgumentOffset):
        (JSC::SymbolTable::arguments):
        (JSC::SlowArgument::SlowArgument): Deleted.
        (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
        (JSC::SymbolTableEntry::getIndex): Deleted.
        (JSC::SymbolTableEntry::isValidIndex): Deleted.
        (JSC::SymbolTable::captureStart): Deleted.
        (JSC::SymbolTable::setCaptureStart): Deleted.
        (JSC::SymbolTable::captureEnd): Deleted.
        (JSC::SymbolTable::setCaptureEnd): Deleted.
        (JSC::SymbolTable::captureCount): Deleted.
        (JSC::SymbolTable::isCaptured): Deleted.
        (JSC::SymbolTable::parameterCount): Deleted.
        (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
        (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
        (JSC::SymbolTable::slowArguments): Deleted.
        (JSC::SymbolTable::setSlowArguments): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VarOffset.cpp: Added.
        (JSC::VarOffset::dump):
        (WTF::printInternal):
        * runtime/VarOffset.h: Added.
        (JSC::VarOffset::VarOffset):
        (JSC::VarOffset::assemble):
        (JSC::VarOffset::isValid):
        (JSC::VarOffset::operator!):
        (JSC::VarOffset::kind):
        (JSC::VarOffset::isStack):
        (JSC::VarOffset::isScope):
        (JSC::VarOffset::isDirectArgument):
        (JSC::VarOffset::stackOffsetUnchecked):
        (JSC::VarOffset::scopeOffsetUnchecked):
        (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
        (JSC::VarOffset::stackOffset):
        (JSC::VarOffset::scopeOffset):
        (JSC::VarOffset::capturedArgumentsOffset):
        (JSC::VarOffset::rawOffset):
        (JSC::VarOffset::checkSanity):
        (JSC::VarOffset::operator==):
        (JSC::VarOffset::operator!=):
        (JSC::VarOffset::hash):
        (JSC::VarOffset::isHashTableDeletedValue):
        (JSC::VarOffsetHash::hash):
        (JSC::VarOffsetHash::equal):
        * tests/stress/arguments-exit-strict-mode.js: Added.
        * tests/stress/arguments-exit.js: Added.
        * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
        * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
        * tests/stress/arguments-inlined-exit.js: Added.
        * tests/stress/arguments-interference.js: Added.
        * tests/stress/arguments-interference-cfg.js: Added.
        * tests/stress/dead-get-closure-var.js: Added.
        * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
        * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
        * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
        * tests/stress/varargs-closure-inlined-exit.js: Added.
        * tests/stress/varargs-exit.js: Added.
        * tests/stress/varargs-inlined-exit.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
        * tests/stress/varargs-inlined-simple-exit.js: Added.
        * tests/stress/varargs-too-few-arguments.js: Added.
        * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
        * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
        * tests/stress/varargs-varargs-inlined-exit.js: Added.

2015-03-25  Andy Estes  <aestes@apple.com>

        [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks an NSDictionary under Objective-C GC
        https://bugs.webkit.org/show_bug.cgi?id=143068

        Reviewed by Dan Bernstein.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
        https://bugs.webkit.org/show_bug.cgi?id=142993

        Reviewed by Geoffrey Garen and Mark Lam.

        This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
        into using JITCompilationCanFail and having a legit fallback path. This mostly involves
        having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
        failure, but also involves adding the same kind of thing to the stub generators in
        Repatch.

        Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
        of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
        like host call stub generation, could handle a GC, but those get invoked very rarely. So,
        this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
        printout.

        Also add a way of inducing executable allocation failure, so that we can test this.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::link): Deleted.
        (JSC::DFG::JITCompiler::linkFunction): Deleted.
        * dfg/DFGJITCompiler.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLState.h:
        * jit/ArityCheckFailReturnThunks.cpp:
        (JSC::ArityCheckFailReturnThunks::returnPCsFor):
        * jit/ExecutableAllocationFuzz.cpp: Added.
        (JSC::numberOfExecutableAllocationFuzzChecks):
        (JSC::doExecutableAllocationFuzzing):
        * jit/ExecutableAllocationFuzz.h: Added.
        (JSC::doExecutableAllocationFuzzingIfEnabled):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCompilationEffort.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStubAndGetOldStructure):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.h:
        * runtime/VM.cpp:
        * tests/executableAllocationFuzz: Added.
        * tests/executableAllocationFuzz.yaml: Added.
        * tests/executableAllocationFuzz/v8-raytrace.js: Added.

3218 2015-03-25  Mark Lam  <mark.lam@apple.com>
3219
3220         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
3221         <https://webkit.org/b/135719>
3222
3223         Reviewed by Geoffrey Garen.
3224
3225         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
3226         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
3227         update the LLINT to access it as such.
3228
3229         The issue has only manifested so far on the CLoop tests because those are LLINT
3230         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
3231         hiding the bug in the LLINT.
3232
3233         * API/JSContextRef.cpp:
3234         (createWatchdogIfNeeded):
3235         (JSContextGroupSetExecutionTimeLimit):
3236         (JSContextGroupClearExecutionTimeLimit):
3237         * llint/LowLevelInterpreter.asm:
3238
3239 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3240
3241         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
3242
3243         Rubber stamped by Geoffrey Garen.
3244
3245         * bytecode/CodeBlock.cpp:
3246         (JSC::CodeBlock::visitAggregate):
3247
3248 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3249
3250         Fix formatting in BuiltinExecutables
3251         https://bugs.webkit.org/show_bug.cgi?id=143061
3252
3253         Reviewed by Ryosuke Niwa.
3254
3255         * builtins/BuiltinExecutables.cpp:
3256         (JSC::BuiltinExecutables::createExecutableInternal):
3257
3258 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3259
3260         ES6: Classes: Program level class statement throws exception in strict mode
3261         https://bugs.webkit.org/show_bug.cgi?id=143038
3262
3263         Reviewed by Ryosuke Niwa.
3264
3265         Classes expose a name to the current lexical environment. This treats
3266         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
3267         Also, improve error messages for class statements where the class is missing a name.
3268
3269         * parser/Parser.h:
3270         * parser/Parser.cpp:
3271         (JSC::Parser<LexerType>::parseClass):
3272         Fill name in info parameter if needed. Better error message if name is needed and missing.
3273
3274         (JSC::Parser<LexerType>::parseClassDeclaration):
3275         Pass info parameter to get name, and expose the name as a variable name.
3276
3277         (JSC::Parser<LexerType>::parsePrimaryExpression):
3278         Pass info parameter that is ignored.
3279
3280         * parser/ParserFunctionInfo.h:
3281         Add a parser info for class, to extract the name.
3282
3283 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3284
3285         New map and set modification tests in r181922 fails
3286         https://bugs.webkit.org/show_bug.cgi?id=143031
3287
3288         Reviewed and tweaked by Geoffrey Garen.
3289
3290         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
3291         to adjust for the packed backing store.
3292
3293         Consider the following map data.
3294
3295         x: deleted, o: exists
3296         0 1 2 3 4
3297         x x x x o
3298
3299         And iterator with m_index 3.
3300
3301         When packing the map data, map data will become,
3302
3303         0
3304         o
3305
3306         At that time, we perform didRemoveEntry 4 times on iterators.
3307         times => m_index/index/result
3308         1 => 3/0/dec
3309         2 => 2/1/dec
3310         3 => 1/2/nothing
3311         4 => 1/3/nothing
3312
3313         After iteration, iterator's m_index becomes 1. But we expected it to become 0.
3314         This is because we use the decremented m_index for the comparison:
3315         the provided deletedIndex is an index into the old storage, while m_index is an index into the partially packed storage.
3316
3317         In this patch, we compare against the packed index instead.
3318         times => m_index/packedIndex/result
3319         1 => 3/0/dec
3320         2 => 2/0/dec
3321         3 => 1/0/dec
3322         4 => 0/0/nothing
3323
3324         So m_index becomes 0 as expected.
3325
3326         And according to the spec, once the iterator is closed (becomes done: true),
3327         its internal [[Map]]/[[Set]] is set to undefined.
3328         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
3329
3330         In this patch, we change 2 things.
3331         1.
3332         Compare an iterator's index against the packed index when removing an entry.
3333
3334         2.
3335         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
3336
3337         * runtime/MapData.h:
3338         (JSC::MapDataImpl::IteratorData::finish):
3339         (JSC::MapDataImpl::IteratorData::isFinished):
3340         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
3341         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
3342         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
3343         * runtime/MapDataInlines.h:
3344         (JSC::JSIterator>::replaceAndPackBackingStore):
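A constructed C++ model of the packing walk traced in the entry above, added here as an example and not the patch's own MapData code: the same five-slot store with an iterator at index 3 is packed once comparing against the old storage index (the bug) and once against the packed index (the fix), and a finished iterator is left alone. The names packBackingStore, finalIndexForTrace and kNotFound are assumptions of this example.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of a Map/Set backing store: each slot is live or deleted.
struct Entry { bool deleted; };

// Sentinel for a closed iterator (assumed name; stands in for the real notFound).
constexpr size_t kNotFound = static_cast<size_t>(-1);

// Model of MapDataImpl::IteratorData. Once finished it is never revived.
struct IteratorData {
    size_t m_index;
    explicit IteratorData(size_t index) : m_index(index) {}
    bool isFinished() const { return m_index == kNotFound; }
    void finish() { m_index = kNotFound; }
    // Decrement when the iterator sits past the removed slot. The bug was not
    // in this rule but in which index the packer passed (see packBackingStore).
    void didRemoveEntry(size_t index) {
        if (isFinished())
            return; // change 2: a closed iterator gets no adjustment
        if (m_index > index)
            --m_index;
    }
};

// Packs live entries to the front, notifying iterators for each deleted slot.
// compareAgainstPackedIndex == false passes the old storage index (buggy);
// true passes the packed index (change 1 in the entry above).
size_t packBackingStore(std::vector<Entry>& entries, std::vector<IteratorData*>& iterators,
                        bool compareAgainstPackedIndex) {
    size_t packedIndex = 0;
    for (size_t i = 0; i < entries.size(); ++i) {
        if (entries[i].deleted) {
            for (IteratorData* it : iterators)
                it->didRemoveEntry(compareAgainstPackedIndex ? packedIndex : i);
            continue;
        }
        entries[packedIndex++] = entries[i]; // move the live entry down
    }
    entries.resize(packedIndex);
    return packedIndex;
}

// The entry's trace: slots 0..3 deleted, slot 4 live, iterator at startIndex.
// Returns the iterator's m_index after packing (1 with the bug, 0 with the fix).
size_t finalIndexForTrace(bool compareAgainstPackedIndex, size_t startIndex) {
    std::vector<Entry> entries = { {true}, {true}, {true}, {true}, {false} };
    IteratorData iterator(startIndex);
    std::vector<IteratorData*> iterators = { &iterator };
    packBackingStore(entries, iterators, compareAgainstPackedIndex);
    return iterator.m_index;
}
```

Passing startIndex 4 (the iterator sitting on the live entry) shows the same divergence: the old rule leaves it at 2, past the end of the one-slot packed store, while the fixed rule lands it on slot 0.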