Gardening: fix CLOOP build after r182927.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-04-16  Mark Lam  <mark.lam@apple.com>
2
3         Gardening: fix CLOOP build after r182927.
4
5         Not reviewed.
6
7         * interpreter/StackVisitor.cpp:
8         (JSC::StackVisitor::Frame::print):
9
10 2015-04-16  Basile Clement  <basile_clement@apple.com>
11
12         Inline JSFunction allocation in FTL
13         https://bugs.webkit.org/show_bug.cgi?id=143851
14
15         Reviewed by Filip Pizlo.
16
17         JSFunction allocation is a simple operation that should be inlined when possible.
18
19         * ftl/FTLAbstractHeapRepository.h:
20         * ftl/FTLLowerDFGToLLVM.cpp:
21         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
22         * runtime/JSFunction.h:
23         (JSC::JSFunction::allocationSize):
24
25 2015-04-16  Mark Lam  <mark.lam@apple.com>
26
27         Add $vm debugging tool.
28         https://bugs.webkit.org/show_bug.cgi?id=143809
29
30         Reviewed by Geoffrey Garen.
31
32         For debugging VM bugs, it would be useful to be able to dump VM data structures
33         from JS code that we instrument.  To this end, let's introduce a
34         JSC_enableDollarVM option that, if true, installs a $vm property into each JS
35         global object at creation time.  The $vm property refers to an object that
36         provides a collection of useful utility functions.  For this initial
37         implementation, $vm will have the following:
38
39             crash() - trigger an intentional crash.
40
41             dfgTrue() - returns true if the current function is DFG compiled, else returns false.
42             jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
43             llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.
44
45             gc() - runs a full GC.
46             edenGC() - runs an eden GC.
47
48             codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
49             printSourceFor(codeBlock) - prints the source code for the codeBlock.
50             printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.
51
52             print(str) - prints a string to dataLog output.
53             printCallFrame() - prints the current CallFrame.
54             printStack() - prints the JS stack.
55             printInternal(value) - prints the JSC internal info for the specified value.
56
57         With JSC_enableDollarVM=true, JS code can use the above functions like so:
58
59             $vm.print("Using $vm features\n");
60
61         * CMakeLists.txt:
62         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
63         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
64         * JavaScriptCore.xcodeproj/project.pbxproj:
65         * bytecode/CodeBlock.cpp:
66         (JSC::CodeBlock::printCallOp):
67         - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
68           Hence, we skip this step if we're dumping an FTL codeBlock.
69
70         * heap/Heap.cpp:
71         (JSC::Heap::collectAndSweep):
72         (JSC::Heap::collectAllGarbage): Deleted.
73         * heap/Heap.h:
74         (JSC::Heap::collectAllGarbage):
75         - Add ability to do an Eden collection and sweep.
76
77         * interpreter/StackVisitor.cpp:
78         (JSC::printIndents):
79         (JSC::log):
80         (JSC::logF):
81         (JSC::StackVisitor::Frame::print):
82         (JSC::jitTypeName): Deleted.
83         (JSC::printif): Deleted.
84         - Modernize the implementation of StackVisitor::Frame::print(), and remove some
85           now redundant code.
86         - Also fix it so that it downgrades gracefully when encountering inlined DFG
87           and compiled FTL functions.
88
89         (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
90         (DebugPrintFrameFunctor::operator()): Deleted.
91         (debugPrintCallFrame): Deleted.
92         (debugPrintStack): Deleted.
93         - these have been moved into JSDollarVMPrototype.cpp. 
94
95         * interpreter/StackVisitor.h:
96         - StackVisitor::Frame::print() is now enabled for release builds as well so that
97           we can call it from $vm.
98
99         * runtime/JSGlobalObject.cpp:
100         (JSC::JSGlobalObject::init):
101         (JSC::JSGlobalObject::visitChildren):
102         * runtime/JSGlobalObject.h:
103         - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
104           option.
105
106         * runtime/Options.h:
107         - Added the JSC_enableDollarVM option.
108
109         * tools/JSDollarVM.cpp: Added.
110         * tools/JSDollarVM.h: Added.
111         (JSC::JSDollarVM::createStructure):
112         (JSC::JSDollarVM::create):
113         (JSC::JSDollarVM::JSDollarVM):
114
115         * tools/JSDollarVMPrototype.cpp: Added.
116         - This file contains 2 sets of functions:
117
118           a. a C++ implementation of debugging utility functions that are callable when
119              doing debugging from lldb.  To the extent possible, these functions try to
120              be cautious and not cause unintended crashes should the user call them with
121              the wrong info.  Hence, they are designed to be robust rather than speedy.
122
123           b. the native implementations of JS functions in the $vm object.  Where there
124              is overlapping functionality, these are built on top of the C++ functions
125              above to do the work.
126
127           Note: it does not make sense for all of the $vm functions to have a C++
128           counterpart for lldb debugging.  For example, the $vm.dfgTrue() function is
129           only useful for JS code, and works via the DFG intrinsics mechanism.
130           When doing debugging via lldb, the optimization level of the currently
131           executing JS function can be obtained by dumping the current CallFrame instead.
132
133         (JSC::currentThreadOwnsJSLock):
134         (JSC::ensureCurrentThreadOwnsJSLock):
135         (JSC::JSDollarVMPrototype::addFunction):
136         (JSC::functionCrash): - $vm.crash()
137         (JSC::functionDFGTrue): - $vm.dfgTrue()
138         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
139         (JSC::CallerFrameJITTypeFunctor::operator()):
140         (JSC::CallerFrameJITTypeFunctor::jitType):
141         (JSC::functionLLintTrue): - $vm.llintTrue()
142         (JSC::functionJITTrue): - $vm.jitTrue()
143         (JSC::gc):
144         (JSC::functionGC): - $vm.gc()
145         (JSC::edenGC):
146         (JSC::functionEdenGC): - $vm.edenGC()
147         (JSC::isValidCodeBlock):
148         (JSC::codeBlockForFrame):
149         (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
150         (JSC::codeBlockFromArg):
151         (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
152         (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
153         (JSC::functionPrint): - $vm.print(str)
154         (JSC::PrintFrameFunctor::PrintFrameFunctor):
155         (JSC::PrintFrameFunctor::operator()):
156         (JSC::printCallFrame):
157         (JSC::printStack):
158         (JSC::functionPrintCallFrame): - $vm.printCallFrame()
159         (JSC::functionPrintStack): - $vm.printStack()
160         (JSC::printValue):
161         (JSC::functionPrintValue): - $vm.printValue()
162         (JSC::JSDollarVMPrototype::finishCreation):
163         * tools/JSDollarVMPrototype.h: Added.
164         (JSC::JSDollarVMPrototype::create):
165         (JSC::JSDollarVMPrototype::createStructure):
166         (JSC::JSDollarVMPrototype::JSDollarVMPrototype):
167
168 2015-04-16  Geoffrey Garen  <ggaren@apple.com>
169
170         Speculative fix after r182915
171         https://bugs.webkit.org/show_bug.cgi?id=143404
172
173         Reviewed by Alexey Proskuryakov.
174
175         * runtime/SymbolConstructor.h:
176
177 2015-04-16  Mark Lam  <mark.lam@apple.com>
178
179         Fixed some typos in a comment.
180
181         Not reviewed.
182
183         * dfg/DFGGenerationInfo.h:
184
185 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
186
187         [ES6] Implement Symbol.for and Symbol.keyFor
188         https://bugs.webkit.org/show_bug.cgi?id=143404
189
190         Reviewed by Geoffrey Garen.
191
192         This patch implements Symbol.for and Symbol.keyFor.
193         SymbolRegistry maintains registered StringImpl* symbols.
194         And to make this mapping available across realms,
195         the VM owns this mapping (not JSGlobalObject).
196
197         While there's a default AtomicStringTable per thread,
198         SymbolRegistry should not exist across VMs.
199         So every time a VM is created, a SymbolRegistry is also created.
200
201         In the SymbolRegistry implementation, we don't leverage WeakGCMap (or a weak reference design).
202         There are several reasons.
203         1. The StringImpl* which represents the identity of a Symbol is not a GC-managed object.
204            So we cannot use WeakGCMap directly.
205            While Symbol* is a GC-managed object, holding a weak reference to a Symbol* doesn't maintain the liveness of JS symbols (the primitive values exposed to users),
206            because distinct Symbol* can exist.
207            A distinct Symbol* means a Symbol* object whose pointer value (Symbol*) differs from the weakly referenced Symbol* but whose held StringImpl* is the same.
208
209         2. We don't use WTF::WeakPtr. If we added a WeakPtrFactory as a member of StringImpl, we could track the StringImpl*'s liveness with a WeakPtr.
210            However, there's a problem about when we prune stale entries in SymbolRegistry.
211            The memory allocated for a Symbol is typically occupied by the symbolized StringImpl*'s content,
212            and it is not in the GC heap.
213            While heavily registering Symbols and storing StringImpl* into SymbolRegistry, the Heap's EdenSpace is not very occupied.
214            So the GC typically attempts to perform an EdenCollection, and it doesn't call WeakGCMap's pruneStaleEntries callback.
215            As a result, before the stale entries in SymbolRegistry are pruned, fast-malloc'ed memory fills up the system memory.
216
217         So instead of using weak references, we take a relatively easy design.
218         When we register a symbolized StringImpl* into SymbolRegistry, the symbolized StringImpl* is aware of that.
219         And when it is destructed, it removes its reference from SymbolRegistry, just as atomic StringImpls do with AtomicStringTable.
220
221         * CMakeLists.txt:
222         * DerivedSources.make:
223         * runtime/SymbolConstructor.cpp:
224         (JSC::SymbolConstructor::getOwnPropertySlot):
225         (JSC::symbolConstructorFor):
226         (JSC::symbolConstructorKeyFor):
227         * runtime/SymbolConstructor.h:
228         * runtime/VM.cpp:
229         * runtime/VM.h:
230         (JSC::VM::symbolRegistry):
231         * tests/stress/symbol-registry.js: Added.
232         (test):
233
234 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
235
236         [ES6] Use specific functions for @@iterator functions
237         https://bugs.webkit.org/show_bug.cgi?id=143838
238
239         Reviewed by Geoffrey Garen.
240
241         In ES6, some methods are defined under different names.
242
243         For example,
244
245         Map.prototype[Symbol.iterator] === Map.prototype.entries
246         Set.prototype[Symbol.iterator] === Set.prototype.values
247         Array.prototype[Symbol.iterator] === Array.prototype.values
248         %Arguments%[Symbol.iterator] === Array.prototype.values
249
250         However, the current implementation creates different function objects per name.
251         This patch fixes it by setting the object that is used for the other method to @@iterator,
252         e.g. setting the Array.prototype.values function object as Array.prototype[Symbol.iterator].
253
254         And we drop the Arguments iterator implementation and replace the Arguments[@@iterator] implementation
255         with Array.prototype.values to conform to the spec.
256
257         * CMakeLists.txt:
258         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
259         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
260         * JavaScriptCore.xcodeproj/project.pbxproj:
261         * inspector/JSInjectedScriptHost.cpp:
262         (Inspector::JSInjectedScriptHost::subtype):
263         (Inspector::JSInjectedScriptHost::getInternalProperties):
264         (Inspector::JSInjectedScriptHost::iteratorEntries):
265         * runtime/ArgumentsIteratorConstructor.cpp: Removed.
266         * runtime/ArgumentsIteratorConstructor.h: Removed.
267         * runtime/ArgumentsIteratorPrototype.cpp: Removed.
268         * runtime/ArgumentsIteratorPrototype.h: Removed.
269         * runtime/ArrayPrototype.cpp:
270         (JSC::ArrayPrototype::finishCreation):
271         * runtime/ArrayPrototype.h:
272         * runtime/ClonedArguments.cpp:
273         (JSC::ClonedArguments::getOwnPropertySlot):
274         (JSC::ClonedArguments::put):
275         (JSC::ClonedArguments::deleteProperty):
276         (JSC::ClonedArguments::defineOwnProperty):
277         (JSC::ClonedArguments::materializeSpecials):
278         * runtime/ClonedArguments.h:
279         * runtime/CommonIdentifiers.h:
280         * runtime/DirectArguments.cpp:
281         (JSC::DirectArguments::overrideThings):
282         * runtime/GenericArgumentsInlines.h:
283         (JSC::GenericArguments<Type>::getOwnPropertySlot):
284         (JSC::GenericArguments<Type>::getOwnPropertyNames):
285         (JSC::GenericArguments<Type>::put):
286         (JSC::GenericArguments<Type>::deleteProperty):
287         (JSC::GenericArguments<Type>::defineOwnProperty):
288         * runtime/JSArgumentsIterator.cpp: Removed.
289         * runtime/JSArgumentsIterator.h: Removed.
290         * runtime/JSGlobalObject.cpp:
291         (JSC::JSGlobalObject::init):
292         (JSC::JSGlobalObject::visitChildren):
293         * runtime/JSGlobalObject.h:
294         (JSC::JSGlobalObject::arrayProtoValuesFunction):
295         * runtime/MapPrototype.cpp:
296         (JSC::MapPrototype::finishCreation):
297         * runtime/ScopedArguments.cpp:
298         (JSC::ScopedArguments::overrideThings):
299         * runtime/SetPrototype.cpp:
300         (JSC::SetPrototype::finishCreation):
301         * tests/stress/arguments-iterator.js: Added.
302         (test):
303         (testArguments):
304         * tests/stress/iterator-functions.js: Added.
305         (test):
306         (argumentsTests):
307
308 2015-04-14  Mark Lam  <mark.lam@apple.com>
309
310         Add JSC_functionOverrides=<overrides file> debugging tool.
311         https://bugs.webkit.org/show_bug.cgi?id=143717
312
313         Reviewed by Geoffrey Garen.
314
315         This tool allows us to do runtime replacement of function bodies with alternatives
316         for debugging purposes.  For example, this is useful when we need to debug VM bugs
317         which manifest in scripts executing in webpages downloaded from remote servers
318         that we don't control.  The tool allows us to augment those scripts with logging
319         or test code to help isolate the bugs.
320
321         This tool works by substituting the SourceCode at FunctionExecutable creation
322         time.  It identifies which SourceCode to substitute by comparing the source
323         string against keys in a set of key-value pairs.
324
325         The keys are function body strings defined by 'override' clauses in the overrides
326         file specified by the JSC_functionOverrides option.  The values are function
327         body strings defined by 'with' clauses in the overrides file.
328         See the comment block at the top of FunctionOverrides.cpp on the formatting
329         of the overrides file.
330
331         At FunctionExecutable creation time, if the SourceCode string matches one of the
332         'override' keys from the overrides file, the tool will replace the SourceCode with
333         a new one based on the corresponding 'with' value string.  The FunctionExecutable
334         will then be created with the new SourceCode instead.
335
336         Some design decisions:
337         1. We opted to require that the 'with' clause appear on a separate line from the
338            'override' clause because this makes it easier to read and write when the
339            'override' clause's function body is single lined and long.
340
341         2. The user can use any sequence of characters for the delimiter (except for '{',
342            '}' and white space characters) because this ensures that there can always be
343            some delimiter pattern that does not appear in the function body in the clause,
344            e.g. in the body of strings in the JS code.
345
346            '{' and '}' are disallowed because they are used to mark the boundaries of the
347            function body string.  White space characters are disallowed because they can
348            be error prone (the user may not be able to tell between spaces and tabs).
349
350         3. The start and end delimiter must be an identical sequence of characters.
351
352            I had considered allowing the use of complementary characters like <>, [], and
353            () for making delimiter pairs like:
354                [[[[ ... ]]]]
355                <[([( ... )])]>
356
357            But in the end, decided against it because:
358            a. These sequences of complementary characters can exist in JS code.
359               In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
360               code.
361            b. It can be error prone for the user to have to type the exact complement
362               character for the end delimiter in reverse order.
363               In contrast, a repeating delimiter like %%%% is much easier to type and
364               less error prone.  Even a sequence like @#$%^ is less error prone than
365               a complementary sequence because it can be copy-pasted, and need not be
366               typed in reverse order.
367            c. It is easier to parse for the same delimiter string for both start and end.
368
369         4. The tool does a lot of checks for syntax errors in the overrides file because
370            we don't want any overrides to fail silently.  If a syntax error is detected,
371            the tool will print an error message and call exit().  This avoids the user
372            wasting time doing debugging only to be surprised later that their specified
373            overrides did not take effect because of some unnoticed typo.
374
375         * CMakeLists.txt:
376         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
377         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
378         * JavaScriptCore.xcodeproj/project.pbxproj:
379         * bytecode/UnlinkedCodeBlock.cpp:
380         (JSC::UnlinkedFunctionExecutable::link):
381         * runtime/Executable.h:
382         * runtime/Options.h:
383         * tools/FunctionOverrides.cpp: Added.
384         (JSC::FunctionOverrides::overrides):
385         (JSC::FunctionOverrides::FunctionOverrides):
386         (JSC::initializeOverrideInfo):
387         (JSC::FunctionOverrides::initializeOverrideFor):
388         (JSC::hasDisallowedCharacters):
389         (JSC::parseClause):
390         (JSC::FunctionOverrides::parseOverridesInFile):
391         * tools/FunctionOverrides.h: Added.
392
393 2015-04-16  Basile Clement  <basile_clement@apple.com>
394  
395         Extract the allocation profile from JSFunction into a rare object
396         https://bugs.webkit.org/show_bug.cgi?id=143807
397  
398         Reviewed by Filip Pizlo.
399  
400         The allocation profile is only needed for those functions that are used
401         to create objects with [new].
402         Extracting it into its own JSCell removes the need for JSFunction and
403         JSCallee to be JSDestructibleObjects, which should improve performance in most
404         cases at the cost of an extra pointer dereference when the allocation profile
405         is actually needed.
406  
407         * CMakeLists.txt:
408         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
409         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
410         * JavaScriptCore.xcodeproj/project.pbxproj:
411         * dfg/DFGOperations.cpp:
412         * dfg/DFGSpeculativeJIT32_64.cpp:
413         (JSC::DFG::SpeculativeJIT::compile):
414         * dfg/DFGSpeculativeJIT64.cpp:
415         (JSC::DFG::SpeculativeJIT::compile):
416         * jit/JITOpcodes.cpp:
417         (JSC::JIT::emit_op_create_this):
418         * jit/JITOpcodes32_64.cpp:
419         (JSC::JIT::emit_op_create_this):
420         * llint/LowLevelInterpreter32_64.asm:
421         * llint/LowLevelInterpreter64.asm:
422         * runtime/CommonSlowPaths.cpp:
423         (JSC::SLOW_PATH_DECL):
424         * runtime/FunctionRareData.cpp: Added.
425         (JSC::FunctionRareData::create):
426         (JSC::FunctionRareData::destroy):
427         (JSC::FunctionRareData::createStructure):
428         (JSC::FunctionRareData::visitChildren):
429         (JSC::FunctionRareData::FunctionRareData):
430         (JSC::FunctionRareData::~FunctionRareData):
431         (JSC::FunctionRareData::finishCreation):
432         * runtime/FunctionRareData.h: Added.
433         (JSC::FunctionRareData::offsetOfAllocationProfile):
434         (JSC::FunctionRareData::allocationProfile):
435         (JSC::FunctionRareData::allocationStructure):
436         (JSC::FunctionRareData::allocationProfileWatchpointSet):
437         * runtime/JSBoundFunction.cpp:
438         (JSC::JSBoundFunction::destroy): Deleted.
439         * runtime/JSBoundFunction.h:
440         * runtime/JSCallee.cpp:
441         (JSC::JSCallee::destroy): Deleted.
442         * runtime/JSCallee.h:
443         * runtime/JSFunction.cpp:
444         (JSC::JSFunction::JSFunction):
445         (JSC::JSFunction::createRareData):
446         (JSC::JSFunction::visitChildren):
447         (JSC::JSFunction::put):
448         (JSC::JSFunction::defineOwnProperty):
449         (JSC::JSFunction::destroy): Deleted.
450         (JSC::JSFunction::createAllocationProfile): Deleted.
451         * runtime/JSFunction.h:
452         (JSC::JSFunction::offsetOfRareData):
453         (JSC::JSFunction::rareData):
454         (JSC::JSFunction::allocationStructure):
455         (JSC::JSFunction::allocationProfileWatchpointSet):
456         (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
457         (JSC::JSFunction::allocationProfile): Deleted.
458         * runtime/JSFunctionInlines.h:
459         (JSC::JSFunction::JSFunction):
460         * runtime/VM.cpp:
461         (JSC::VM::VM):
462         * runtime/VM.h:
463  
464 2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>
465
466         Remove the unnecessary WTF_CHANGES define
467         https://bugs.webkit.org/show_bug.cgi?id=143825
468
469         Reviewed by Andreas Kling.
470
471         * config.h:
472
473 2015-04-15  Andreas Kling  <akling@apple.com>
474
475         Make MarkedBlock and WeakBlock 4x smaller.
476         <https://webkit.org/b/143802>
477
478         Reviewed by Mark Hahnenberg.
479
480         To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
481         and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.
482
483         In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
484         Some examples:
485
486                    apple.com:  6.3MB ->  5.5MB (14.5% smaller)
487                   reddit.com:  4.5MB ->  4.1MB ( 9.7% smaller)
488                  twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
489             cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)
490
491         Benchmarks look mostly neutral.
492         Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.
493
494         * heap/MarkedBlock.h:
495         * heap/WeakBlock.h:
496         * llint/LLIntData.cpp:
497         (JSC::LLInt::Data::performAssertions):
498         * llint/LowLevelInterpreter.asm:
499
500 2015-04-15  Jordan Harband  <ljharb@gmail.com>
501
502         String.prototype.startsWith/endsWith/includes have wrong length in r182673
503         https://bugs.webkit.org/show_bug.cgi?id=143659
504
505         Reviewed by Benjamin Poulain.
506
507         Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
508         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
509         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
510         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
511
512         * runtime/StringPrototype.cpp:
513         (JSC::StringPrototype::finishCreation):
514
515 2015-04-15  Mark Lam  <mark.lam@apple.com>
516
517         Remove obsolete VMInspector debugging tool.
518         https://bugs.webkit.org/show_bug.cgi?id=143798
519
520         Reviewed by Michael Saboff.
521
522         I added the VMInspector tool 3 years ago to aid in VM hacking work.  Some of it
523         has bit-rotted, and now the VM also has better ways to achieve its functionality.
524         Hence this code is now obsolete and should be removed.
525
526         * CMakeLists.txt:
527         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
528         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
529         * JavaScriptCore.xcodeproj/project.pbxproj:
530         * interpreter/CallFrame.h:
531         * interpreter/VMInspector.cpp: Removed.
532         * interpreter/VMInspector.h: Removed.
533         * llint/LowLevelInterpreter.cpp:
534
535 2015-04-15  Jordan Harband  <ljharb@gmail.com>
536
537         Math.imul has wrong length in Safari 8.0.4
538         https://bugs.webkit.org/show_bug.cgi?id=143658
539
540         Reviewed by Benjamin Poulain.
541
542         Correcting the function length from 1 to 2 to match the spec
543         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul
544
545         * runtime/MathObject.cpp:
546         (JSC::MathObject::finishCreation):
547
548 2015-04-15  Jordan Harband  <ljharb@gmail.com>
549
550         Number.parseInt in nightly r182673 has wrong length
551         https://bugs.webkit.org/show_bug.cgi?id=143657
552
553         Reviewed by Benjamin Poulain.
554
555         Correcting the function length from 1 to 2 to match the spec
556         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
557
558         * runtime/NumberConstructor.cpp:
559         (JSC::NumberConstructor::finishCreation):
560
561 2015-04-15  Filip Pizlo  <fpizlo@apple.com>
562
563         Harden DFGForAllKills
564         https://bugs.webkit.org/show_bug.cgi?id=143792
565
566         Reviewed by Geoffrey Garen.
567         
568         Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
569         bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.
570         
571         Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
572         that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:
573         
574         - It looks for kill sites at forExit origin boundaries. But, something might have been killed
575           by an operation that was logically in between the forExit origins at the boundary, but was
576           removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
577           gaps.
578         
579         - It overlooked the fact that a MovHint that addresses a local that is always live kills that
580           local. For example, storing to an argument means that the prior value of the argument is
581           killed.
582         
583         This fixes the analysis by making it handle MovHints directly, and making it define kills in
584         the most conservative way possible: it asks if you were live before but dead after. If we
585         have the compile time budget to afford this more direct approach, then it's definitely a good
586         idea since it's so fool-proof.
587
588         * dfg/DFGArgumentsEliminationPhase.cpp:
589         * dfg/DFGForAllKills.h:
590         (JSC::DFG::forAllKilledOperands):
591         (JSC::DFG::forAllKilledNodesAtNodeIndex):
592         (JSC::DFG::forAllDirectlyKilledOperands): Deleted.
593
594 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
595
596         Provide SPI to allow changing whether JSContexts are remote debuggable by default
597         https://bugs.webkit.org/show_bug.cgi?id=143681
598
599         Reviewed by Darin Adler.
600
601         * API/JSRemoteInspector.h:
602         * API/JSRemoteInspector.cpp:
603         (JSRemoteInspectorGetInspectionEnabledByDefault):
604         (JSRemoteInspectorSetInspectionEnabledByDefault):
605         Provide SPI to toggle the default enabled inspection state of debuggables.
606
607         * API/JSContextRef.cpp:
608         (JSGlobalContextCreateInGroup):
609         Respect the default setting.
610
611 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
612
613         JavaScriptCore: Use kCFAllocatorDefault where possible
614         https://bugs.webkit.org/show_bug.cgi?id=143747
615
616         Reviewed by Darin Adler.
617
618         * heap/HeapTimer.cpp:
619         (JSC::HeapTimer::HeapTimer):
620         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
621         (Inspector::RemoteInspectorInitializeGlobalQueue):
622         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
623         For consistency and readability use the constant instead of
624         different representations of null.
625
626 2015-04-14  Michael Saboff  <msaboff@apple.com>
627
628         Remove JavaScriptCoreUseJIT default from JavaScriptCore
629         https://bugs.webkit.org/show_bug.cgi?id=143746
630
631         Reviewed by Mark Lam.
632
633         * runtime/VM.cpp:
634         (JSC::enableAssembler):
635
636 2015-04-14  Chris Dumez  <cdumez@apple.com>
637
638         Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
639         https://bugs.webkit.org/show_bug.cgi?id=143745
640         <rdar://problem/20243916>
641
642         Reviewed by Joseph Pecoraro.
643
644         Add assertion in ContentSearchUtilities::findMagicComment() to make
645         sure the content String is not null or we would crash in
646         JSC::Yarr::interpret() later.
647
648         * inspector/ContentSearchUtilities.cpp:
649         (Inspector::ContentSearchUtilities::findMagicComment):
650
651 2015-04-14  Michael Saboff  <msaboff@apple.com>
652
653         DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
654         https://bugs.webkit.org/show_bug.cgi?id=143727
655
656         Reviewed by Geoffrey Garen.
657
658         Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
659         with the requested fill format.  If filter() reports a contradiction, then we force an OSR exit.
660         Removed individual checks made redundant by the new check.
661
662         * dfg/DFGSpeculativeJIT32_64.cpp:
663         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
664         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
665         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
666         * dfg/DFGSpeculativeJIT64.cpp:
667         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
668         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
669         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
670         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
671
672 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
673
674         Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
675         https://bugs.webkit.org/show_bug.cgi?id=143691
676
677         Reviewed by Geoffrey Garen.
678
679         * API/JSRemoteInspector.h:
680         * API/JSRemoteInspector.cpp:
681         (JSRemoteInspectorSetLogToSystemConsole):
682         Add SPI to enable/disable logging to the system console.
683         This only affects JSContext `console` logs and warnings.
684
685         * inspector/JSGlobalObjectConsoleClient.h:
686         * inspector/JSGlobalObjectConsoleClient.cpp:
687         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
688         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
689         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
690         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
691         Simplify access to the setting now that it doesn't need to
692         initialize its value from preferences.
693
694 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
695
696         Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
697         https://bugs.webkit.org/show_bug.cgi?id=143682
698
699         Reviewed by Timothy Hatcher.
700
701         * inspector/remote/RemoteInspector.mm:
702         (Inspector::RemoteInspector::singleton):
703         If we are on the main thread, run the initialization immediately.
704         Otherwise dispatch to the main thread. This way if the first JSContext
705         was created on the main thread it can get auto-attached if applicable.
706
707 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
708
709         Unreviewed build fix for Mavericks.
710
711         Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
712         so the Inspector namespace is not available when compiling this file.
713
714         * API/JSRemoteInspector.cpp:
715
716 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
717
718         Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
719         https://bugs.webkit.org/show_bug.cgi?id=143729
720
721         Reviewed by Timothy Hatcher.
722
723         * API/JSRemoteInspector.h: Added.
724         * API/JSRemoteInspector.cpp: Added.
725         (JSRemoteInspectorDisableAutoStart):
726         (JSRemoteInspectorStart):
727         (JSRemoteInspectorSetParentProcessInformation):
728         Add the new SPIs for basic remote inspection behavior.
729
730         * JavaScriptCore.xcodeproj/project.pbxproj:
731         Add the new files to Mac only, since remote inspection is only
732         enabled there anyways.
733
734 2015-04-14  Mark Lam  <mark.lam@apple.com>
735
736         Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
737         https://bugs.webkit.org/show_bug.cgi?id=143722
738
739         Reviewed by Michael Saboff.
740
741         Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
742         shorter, and easier to remember (without having to look it up) and to
743         type.  JSC options now support descriptions, and one can always look up
744         the description if the option's purpose is not already obvious.
745
746         * dfg/DFGFunctionWhitelist.cpp:
747         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
748         (JSC::DFG::FunctionWhitelist::contains):
749         * runtime/Options.h:
750
751 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
752
753         Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
754
755         * runtime/InferredValue.h:
756
757 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
758
759         Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
760
761         * runtime/InferredValue.h:
762
763 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
764
765         JSC should detect singleton functions
766         https://bugs.webkit.org/show_bug.cgi?id=143232
767
768         Reviewed by Geoffrey Garen.
769         
770         This started out as an attempt to make constructors faster by detecting when a constructor is a
771         singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
772         along with an inferred value - that detects if only one JSFunction has been allocated for that
773         executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
774         if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
775         we can constant-fold GetCallee.
776         
777         Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
778         process I realized a bunch of things:
779         
780         - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
781           had even in code where our singleton-closure detection worked. That's because singleton-closure
782           inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
783           the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
784           disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
785           values.
786           
787         - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
788           created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
789           FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
790         
791         - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
792           detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
793           about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
794           SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
795           First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
796           scope. This saves compile times and it allows prediction propagation to benefit from the
797           constant folding. Second, it means that we will detect a singleton scope even if it is
798           referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
799           allows us to eliminate the function reentry watchpoint.
800         
801         - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
802           constant values in scopes. Previously when the DFG inferred that a closure variable was
803           constant, it wouldn't know which closure that variable was in and so it couldn't just load that
804           value. But now we are first inferring that the function is a singleton, which means that we
805           know exactly what scope it points to, and we can load the value from the scope. Using a
806           WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
807           code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
808           I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
809           FunctionExecutable wants.
810         
811         This also has the effect of simplifying the implementation of block scoping. Prior to this
812         change, block scoping would have needed to have some story for the function reentry watchpoint on
813         any nested symbol table. That's totally weird to think about; it's not really a function reentry
814         but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
815         will "just work": if we prove that we know the constant value of the scope then the machinery
816         kicks in, otherwise it doesn't.
817         
818         This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
819
820         * CMakeLists.txt:
821         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
822         * JavaScriptCore.xcodeproj/project.pbxproj:
823         * bytecode/BytecodeList.json:
824         * bytecode/BytecodeUseDef.h:
825         (JSC::computeUsesForBytecodeOffset):
826         (JSC::computeDefsForBytecodeOffset):
827         * bytecode/CodeBlock.cpp:
828         (JSC::CodeBlock::dumpBytecode):
829         (JSC::CodeBlock::CodeBlock):
830         (JSC::CodeBlock::finalizeUnconditionally):
831         (JSC::CodeBlock::valueProfileForBytecodeOffset):
832         * bytecode/CodeBlock.h:
833         (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
834         * bytecode/CodeOrigin.cpp:
835         (JSC::InlineCallFrame::calleeConstant):
836         (JSC::InlineCallFrame::visitAggregate):
837         * bytecode/CodeOrigin.h:
838         (JSC::InlineCallFrame::calleeConstant): Deleted.
839         (JSC::InlineCallFrame::visitAggregate): Deleted.
840         * bytecode/Instruction.h:
841         * bytecode/VariableWatchpointSet.cpp: Removed.
842         * bytecode/VariableWatchpointSet.h: Removed.
843         * bytecode/VariableWatchpointSetInlines.h: Removed.
844         * bytecode/VariableWriteFireDetail.cpp: Added.
845         (JSC::VariableWriteFireDetail::dump):
846         (JSC::VariableWriteFireDetail::touch):
847         * bytecode/VariableWriteFireDetail.h: Added.
848         (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
849         * bytecode/Watchpoint.h:
850         (JSC::WatchpointSet::stateOnJSThread):
851         (JSC::WatchpointSet::startWatching):
852         (JSC::WatchpointSet::fireAll):
853         (JSC::WatchpointSet::touch):
854         (JSC::WatchpointSet::invalidate):
855         (JSC::InlineWatchpointSet::stateOnJSThread):
856         (JSC::InlineWatchpointSet::state):
857         (JSC::InlineWatchpointSet::hasBeenInvalidated):
858         (JSC::InlineWatchpointSet::invalidate):
859         (JSC::InlineWatchpointSet::touch):
860         * bytecompiler/BytecodeGenerator.cpp:
861         (JSC::BytecodeGenerator::BytecodeGenerator):
862         * dfg/DFGAbstractInterpreterInlines.h:
863         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
864         * dfg/DFGByteCodeParser.cpp:
865         (JSC::DFG::ByteCodeParser::get):
866         (JSC::DFG::ByteCodeParser::parseBlock):
867         (JSC::DFG::ByteCodeParser::getScope): Deleted.
868         * dfg/DFGCapabilities.cpp:
869         (JSC::DFG::capabilityLevel):
870         * dfg/DFGClobberize.h:
871         (JSC::DFG::clobberize):
872         * dfg/DFGDesiredWatchpoints.cpp:
873         (JSC::DFG::InferredValueAdaptor::add):
874         (JSC::DFG::DesiredWatchpoints::addLazily):
875         (JSC::DFG::DesiredWatchpoints::reallyAdd):
876         (JSC::DFG::DesiredWatchpoints::areStillValid):
877         * dfg/DFGDesiredWatchpoints.h:
878         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
879         (JSC::DFG::DesiredWatchpoints::isWatched):
880         * dfg/DFGGraph.cpp:
881         (JSC::DFG::Graph::dump):
882         (JSC::DFG::Graph::tryGetConstantClosureVar):
883         * dfg/DFGNode.h:
884         (JSC::DFG::Node::hasWatchpointSet):
885         (JSC::DFG::Node::watchpointSet):
886         (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
887         (JSC::DFG::Node::variableWatchpointSet): Deleted.
888         * dfg/DFGOperations.cpp:
889         * dfg/DFGOperations.h:
890         * dfg/DFGSpeculativeJIT.cpp:
891         (JSC::DFG::SpeculativeJIT::compileNewFunction):
892         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
893         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
894         * dfg/DFGSpeculativeJIT.h:
895         (JSC::DFG::SpeculativeJIT::callOperation):
896         * dfg/DFGSpeculativeJIT32_64.cpp:
897         (JSC::DFG::SpeculativeJIT::compile):
898         * dfg/DFGSpeculativeJIT64.cpp:
899         (JSC::DFG::SpeculativeJIT::compile):
900         * dfg/DFGVarargsForwardingPhase.cpp:
901         * ftl/FTLIntrinsicRepository.h:
902         * ftl/FTLLowerDFGToLLVM.cpp:
903         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
904         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
905         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
906         * interpreter/Interpreter.cpp:
907         (JSC::StackFrame::friendlySourceURL):
908         (JSC::StackFrame::friendlyFunctionName):
909         * interpreter/Interpreter.h:
910         (JSC::StackFrame::friendlySourceURL): Deleted.
911         (JSC::StackFrame::friendlyFunctionName): Deleted.
912         * jit/JIT.cpp:
913         (JSC::JIT::emitNotifyWrite):
914         (JSC::JIT::privateCompileMainPass):
915         * jit/JIT.h:
916         * jit/JITOpcodes.cpp:
917         (JSC::JIT::emit_op_touch_entry): Deleted.
918         * jit/JITOperations.cpp:
919         * jit/JITOperations.h:
920         * jit/JITPropertyAccess.cpp:
921         (JSC::JIT::emitPutGlobalVar):
922         (JSC::JIT::emitPutClosureVar):
923         (JSC::JIT::emitNotifyWrite): Deleted.
924         * jit/JITPropertyAccess32_64.cpp:
925         (JSC::JIT::emitPutGlobalVar):
926         (JSC::JIT::emitPutClosureVar):
927         (JSC::JIT::emitNotifyWrite): Deleted.
928         * llint/LLIntSlowPaths.cpp:
929         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
930         * llint/LowLevelInterpreter.asm:
931         * llint/LowLevelInterpreter32_64.asm:
932         * llint/LowLevelInterpreter64.asm:
933         * runtime/CommonSlowPaths.cpp:
934         (JSC::SLOW_PATH_DECL): Deleted.
935         * runtime/CommonSlowPaths.h:
936         * runtime/Executable.cpp:
937         (JSC::FunctionExecutable::finishCreation):
938         (JSC::FunctionExecutable::visitChildren):
939         * runtime/Executable.h:
940         (JSC::FunctionExecutable::singletonFunction):
941         * runtime/InferredValue.cpp: Added.
942         (JSC::InferredValue::create):
943         (JSC::InferredValue::destroy):
944         (JSC::InferredValue::createStructure):
945         (JSC::InferredValue::visitChildren):
946         (JSC::InferredValue::InferredValue):
947         (JSC::InferredValue::~InferredValue):
948         (JSC::InferredValue::notifyWriteSlow):
949         (JSC::InferredValue::ValueCleanup::ValueCleanup):
950         (JSC::InferredValue::ValueCleanup::~ValueCleanup):
951         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
952         * runtime/InferredValue.h: Added.
953         (JSC::InferredValue::inferredValue):
954         (JSC::InferredValue::state):
955         (JSC::InferredValue::isStillValid):
956         (JSC::InferredValue::hasBeenInvalidated):
957         (JSC::InferredValue::add):
958         (JSC::InferredValue::notifyWrite):
959         (JSC::InferredValue::invalidate):
960         * runtime/JSEnvironmentRecord.cpp:
961         (JSC::JSEnvironmentRecord::visitChildren):
962         * runtime/JSEnvironmentRecord.h:
963         (JSC::JSEnvironmentRecord::isValid):
964         (JSC::JSEnvironmentRecord::finishCreation):
965         * runtime/JSFunction.cpp:
966         (JSC::JSFunction::create):
967         * runtime/JSFunction.h:
968         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
969         (JSC::JSFunction::createImpl):
970         (JSC::JSFunction::create): Deleted.
971         * runtime/JSGlobalObject.cpp:
972         (JSC::JSGlobalObject::addGlobalVar):
973         (JSC::JSGlobalObject::addFunction):
974         * runtime/JSGlobalObject.h:
975         * runtime/JSLexicalEnvironment.cpp:
976         (JSC::JSLexicalEnvironment::symbolTablePut):
977         * runtime/JSScope.h:
978         (JSC::ResolveOp::ResolveOp):
979         * runtime/JSSegmentedVariableObject.h:
980         (JSC::JSSegmentedVariableObject::finishCreation):
981         * runtime/JSSymbolTableObject.h:
982         (JSC::JSSymbolTableObject::JSSymbolTableObject):
983         (JSC::JSSymbolTableObject::setSymbolTable):
984         (JSC::symbolTablePut):
985         (JSC::symbolTablePutWithAttributes):
986         * runtime/PutPropertySlot.h:
987         * runtime/SymbolTable.cpp:
988         (JSC::SymbolTableEntry::prepareToWatch):
989         (JSC::SymbolTable::SymbolTable):
990         (JSC::SymbolTable::finishCreation):
991         (JSC::SymbolTable::visitChildren):
992         (JSC::SymbolTableEntry::inferredValue): Deleted.
993         (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
994         (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
995         (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
996         (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
997         * runtime/SymbolTable.h:
998         (JSC::SymbolTableEntry::disableWatching):
999         (JSC::SymbolTableEntry::watchpointSet):
1000         (JSC::SymbolTable::singletonScope):
1001         (JSC::SymbolTableEntry::notifyWrite): Deleted.
1002         * runtime/TypeProfiler.cpp:
1003         * runtime/VM.cpp:
1004         (JSC::VM::VM):
1005         * runtime/VM.h:
1006         * tests/stress/infer-uninitialized-closure-var.js: Added.
1007         (foo.f):
1008         (foo):
1009         * tests/stress/singleton-scope-then-overwrite.js: Added.
1010         (foo.f):
1011         (foo):
1012         * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
1013         (foo):
1014         * tests/stress/singleton-scope-then-realloc.js: Added.
1015         (foo):
1016
1017 2015-04-13  Andreas Kling  <akling@apple.com>
1018
1019         Don't segregate heap objects based on Structure immortality.
1020         <https://webkit.org/b/143638>
1021
1022         Reviewed by Darin Adler.
1023
1024         Put all objects that need a destructor call into the same MarkedBlock.
1025         This reduces memory consumption in many situations, while improving locality,
1026         since much more of the MarkedBlock space can be shared.
1027
1028         Instead of branching on the MarkedBlock type, we now check a bit in the
1029         JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
1030         to access the cell's Structure during destruction or not.
1031
1032         Performance benchmarks look mostly neutral. Maybe a small regression on
1033         SunSpider's date objects.
1034
1035         On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
1036         with a bunch of WeakBlocks that were hanging off of them. That's on the higher
1037         end of savings we can get from this, but still a very real improvement.
1038
1039         Most of this patch is removing the "hasImmortalStructure" constant from JSCell
1040         derived classes and passing that responsibility to the StructureIsImmortal flag.
1041         StructureFlags is made public so that it's accessible from non-member functions.
1042         I made sure to declare it everywhere and make classes final to try to make it
1043         explicit what each class is doing to its inherited flags.
1044
1045         * API/JSCallbackConstructor.h:
1046         * API/JSCallbackObject.h:
1047         * bytecode/UnlinkedCodeBlock.h:
1048         * debugger/DebuggerScope.h:
1049         * dfg/DFGSpeculativeJIT.cpp:
1050         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1051         * ftl/FTLLowerDFGToLLVM.cpp:
1052         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1053         * heap/Heap.h:
1054         (JSC::Heap::subspaceForObjectDestructor):
1055         (JSC::Heap::allocatorForObjectWithDestructor):
1056         (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
1057         (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
1058         (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
1059         (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
1060         * heap/HeapInlines.h:
1061         (JSC::Heap::allocateWithDestructor):
1062         (JSC::Heap::allocateObjectOfType):
1063         (JSC::Heap::subspaceForObjectOfType):
1064         (JSC::Heap::allocatorForObjectOfType):
1065         (JSC::Heap::allocateWithNormalDestructor): Deleted.
1066         (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
1067         * heap/MarkedAllocator.cpp:
1068         (JSC::MarkedAllocator::allocateBlock):
1069         * heap/MarkedAllocator.h:
1070         (JSC::MarkedAllocator::needsDestruction):
1071         (JSC::MarkedAllocator::MarkedAllocator):
1072         (JSC::MarkedAllocator::init):
1073         (JSC::MarkedAllocator::destructorType): Deleted.
1074         * heap/MarkedBlock.cpp:
1075         (JSC::MarkedBlock::create):
1076         (JSC::MarkedBlock::MarkedBlock):
1077         (JSC::MarkedBlock::callDestructor):
1078         (JSC::MarkedBlock::specializedSweep):
1079         (JSC::MarkedBlock::sweep):
1080         (JSC::MarkedBlock::sweepHelper):
1081         * heap/MarkedBlock.h:
1082         (JSC::MarkedBlock::needsDestruction):
1083         (JSC::MarkedBlock::destructorType): Deleted.
1084         * heap/MarkedSpace.cpp:
1085         (JSC::MarkedSpace::MarkedSpace):
1086         (JSC::MarkedSpace::resetAllocators):
1087         (JSC::MarkedSpace::forEachAllocator):
1088         (JSC::MarkedSpace::isPagedOut):
1089         (JSC::MarkedSpace::clearNewlyAllocated):
1090         * heap/MarkedSpace.h:
1091         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1092         (JSC::MarkedSpace::destructorAllocatorFor):
1093         (JSC::MarkedSpace::allocateWithDestructor):
1094         (JSC::MarkedSpace::forEachBlock):
1095         (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
1096         (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
1097         (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
1098         (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
1099         (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
1100         (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
1101         * inspector/JSInjectedScriptHost.h:
1102         * inspector/JSInjectedScriptHostPrototype.h:
1103         * inspector/JSJavaScriptCallFrame.h:
1104         * inspector/JSJavaScriptCallFramePrototype.h:
1105         * jsc.cpp:
1106         * runtime/ArrayBufferNeuteringWatchpoint.h:
1107         * runtime/ArrayConstructor.h:
1108         * runtime/ArrayIteratorPrototype.h:
1109         * runtime/BooleanPrototype.h:
1110         * runtime/ClonedArguments.h:
1111         * runtime/CustomGetterSetter.h:
1112         * runtime/DateConstructor.h:
1113         * runtime/DatePrototype.h:
1114         * runtime/ErrorPrototype.h:
1115         * runtime/ExceptionHelpers.h:
1116         * runtime/Executable.h:
1117         * runtime/GenericArguments.h:
1118         * runtime/GetterSetter.h:
1119         * runtime/InternalFunction.h:
1120         * runtime/JSAPIValueWrapper.h:
1121         * runtime/JSArgumentsIterator.h:
1122         * runtime/JSArray.h:
1123         * runtime/JSArrayBuffer.h:
1124         * runtime/JSArrayBufferView.h:
1125         * runtime/JSBoundFunction.h:
1126         * runtime/JSCallee.h:
1127         * runtime/JSCell.h:
1128         * runtime/JSCellInlines.h:
1129         (JSC::JSCell::classInfo):
1130         * runtime/JSDataViewPrototype.h:
1131         * runtime/JSEnvironmentRecord.h:
1132         * runtime/JSFunction.h:
1133         * runtime/JSGenericTypedArrayView.h:
1134         * runtime/JSGlobalObject.h:
1135         * runtime/JSLexicalEnvironment.h:
1136         * runtime/JSNameScope.h:
1137         * runtime/JSNotAnObject.h:
1138         * runtime/JSONObject.h:
1139         * runtime/JSObject.h:
1140         (JSC::JSFinalObject::JSFinalObject):
1141         * runtime/JSPromiseConstructor.h:
1142         * runtime/JSPromiseDeferred.h:
1143         * runtime/JSPromisePrototype.h:
1144         * runtime/JSPromiseReaction.h:
1145         * runtime/JSPropertyNameEnumerator.h:
1146         * runtime/JSProxy.h:
1147         * runtime/JSScope.h:
1148         * runtime/JSString.h:
1149         * runtime/JSSymbolTableObject.h:
1150         * runtime/JSTypeInfo.h:
1151         (JSC::TypeInfo::structureIsImmortal):
1152         * runtime/MathObject.h:
1153         * runtime/NumberConstructor.h:
1154         * runtime/NumberPrototype.h:
1155         * runtime/ObjectConstructor.h:
1156         * runtime/PropertyMapHashTable.h:
1157         * runtime/RegExp.h:
1158         * runtime/RegExpConstructor.h:
1159         * runtime/RegExpObject.h:
1160         * runtime/RegExpPrototype.h:
1161         * runtime/ScopedArgumentsTable.h:
1162         * runtime/SparseArrayValueMap.h:
1163         * runtime/StrictEvalActivation.h:
1164         * runtime/StringConstructor.h:
1165         * runtime/StringIteratorPrototype.h:
1166         * runtime/StringObject.h:
1167         * runtime/StringPrototype.h:
1168         * runtime/Structure.cpp:
1169         (JSC::Structure::Structure):
1170         * runtime/Structure.h:
1171         * runtime/StructureChain.h:
1172         * runtime/StructureRareData.h:
1173         * runtime/Symbol.h:
1174         * runtime/SymbolPrototype.h:
1175         * runtime/SymbolTable.h:
1176         * runtime/WeakMapData.h:
1177
1178 2015-04-13  Mark Lam  <mark.lam@apple.com>
1179
1180         DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
1181         https://bugs.webkit.org/show_bug.cgi?id=143407
1182
1183         Reviewed by Filip Pizlo.
1184
1185         DFG inlining of a varargs call / construct needs to keep the local
1186         containing the callee alive with a Phantom node because the LoadVarargs
1187         node may OSR exit.  After the OSR exit, the baseline JIT executes the
1188         op_call_varargs with that callee in the local.
1189
1190         Previously, because that callee local was not explicitly kept alive,
1191         the op_call_varargs case can OSR exit a DFG function and leave an
1192         undefined value in that local.  As a result, the baseline observes the
1193         side effect of an op_call_varargs on an undefined value instead of the
1194         function it expected.
1195
1196         Note: this issue does not manifest with op_construct_varargs because
1197         the inlined constructor will have an op_create_this which operates on
1198         the incoming callee value, thereby keeping it alive.
1199
1200         * dfg/DFGByteCodeParser.cpp:
1201         (JSC::DFG::ByteCodeParser::handleInlining):
1202         * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
1203         (foo):
1204         (Foo):
1205         (doTest):
1206
1207 2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1208
1209         [ES6] Implement Array.prototype.values
1210         https://bugs.webkit.org/show_bug.cgi?id=143633
1211
1212         Reviewed by Darin Adler.
1213
1214         Symbol.unscopables is implemented, so we can implement Array.prototype.values
1215         without largely breaking the web. The following script passes.
1216
1217         var array = [];
1218         var values = 42;
1219         with (array) {
1220             assert(values, 42);
1221         }
1222
1223         * runtime/ArrayPrototype.cpp:
1224         * tests/stress/array-iterators-next.js:
1225         * tests/stress/map-iterators-next.js:
1226         * tests/stress/set-iterators-next.js:
1227         * tests/stress/values-unscopables.js: Added.
1228         (test):
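
The scoping behaviour this entry relies on, shown as an added example that is not part of the ChangeLog or of WebKit's own tests: `Symbol.unscopables` is what keeps a newly added `Array.prototype.values` from silently rebinding the identifier `values` inside legacy `with` blocks. The helper `lookupViaWith` and the three case functions are constructed for illustration.

```javascript
// Added example (not WebKit code): how Symbol.unscopables prevents
// Array.prototype.values from capturing `values` inside a `with` block.
//
// `with` is only legal in sloppy-mode code, so the probe is built with
// `new Function`, whose body is sloppy regardless of how this file is run.
const lookupViaWith = new Function(
  'scopeObject',
  'values',
  // Inside the block, `values` resolves to scopeObject.values unless that
  // name is listed in scopeObject[Symbol.unscopables].
  'with (scopeObject) { return values; }'
);

// Case 1: a plain object whose `values` property is NOT unscopable.
// The object property shadows the outer binding (the 42 passed in).
function plainObjectShadowsOuterBinding() {
  const obj = { values: 'from the object' };
  return lookupViaWith(obj, 42);
}

// Case 2: a real array. Array.prototype.values exists, but
// Array.prototype[Symbol.unscopables].values === true, so the `with`
// lookup skips it and the outer binding wins. This is the
// `assert(values, 42)` script from the entry above.
function arrayDoesNotShadowOuterBinding() {
  return lookupViaWith([], 42);
}

// Case 3: a custom object opting into the same protection, which is what
// a library would do when adding a method name that old `with` code may use.
function unscopableObjectDoesNotShadowOuterBinding() {
  const obj = {
    values: 'from the object',
    [Symbol.unscopables]: { values: true },
  };
  return lookupViaWith(obj, 42);
}

// Names that Array.prototype declares unscopable in the running engine;
// `values` must be among them for case 2 to hold.
function arrayUnscopableNames() {
  return Object.keys(Array.prototype[Symbol.unscopables]).sort();
}
```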
1229
1230 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1231
1232         Run flaky conservative GC related test first before polluting stack and registers
1233         https://bugs.webkit.org/show_bug.cgi?id=143634
1234
1235         Reviewed by Ryosuke Niwa.
1236
1237         After r182653, JSC API tests fail. However, it's not related to the change.
1238         After investigating the cause of this failure, I've found that the failed test is flaky
1239         because JSC's GC is conservative. If a previously allocated JSGlobalObject is accidentally kept alive
1240         due to conservative roots in C stack and registers, this test fails.
1241
1242         Since GC marks the C stack and registers as roots conservatively,
1243         objects not referenced logically can be accidentally marked and kept alive.
1244         To avoid this situation as much as we can,
1245         1. run this test first before the stack is polluted,
1246         2. extract this test as a function to suppress stack height.
1247
1248         * API/tests/testapi.mm:
1249         (testWeakValue):
1250         (testObjectiveCAPIMain):
1251         (testObjectiveCAPI):
1252
1253 2015-04-11  Matt Baker  <mattbaker@apple.com>
1254
1255         Web Inspector: create content view and details sidebar for Frames timeline
1256         https://bugs.webkit.org/show_bug.cgi?id=143533
1257
1258         Reviewed by Timothy Hatcher.
1259
1260         Refactoring: RunLoop prefix changed to RenderingFrame.
1261
1262         * inspector/protocol/Timeline.json:
1263
1264 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1265
1266         [ES6] Enable Symbol in web pages
1267         https://bugs.webkit.org/show_bug.cgi?id=143375
1268
1269         Reviewed by Ryosuke Niwa.
1270
1271         Expose Symbol to web pages.
1272         Symbol was exposed, but it was hidden since it breaks Facebook comments.
1273         This is because, at that time, Symbol was implemented
1274         but the methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
1275         and that broke React.js and immutable.js.
1276
1277         Now the methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
1278         and we have made sure that the Facebook comment input functionality is not broken with Symbol exposed.
1279
1280         So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
1281         and enables symbols by default.
1282
1283         * runtime/ArrayPrototype.cpp:
1284         (JSC::ArrayPrototype::finishCreation):
1285         * runtime/CommonIdentifiers.h:
1286         * runtime/JSGlobalObject.cpp:
1287         (JSC::JSGlobalObject::init):
1288         * runtime/ObjectConstructor.cpp:
1289         (JSC::ObjectConstructor::finishCreation):
1290         * runtime/RuntimeFlags.h:
1291
1292 2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1293
1294         ES6: Iterator toString names should be consistent
1295         https://bugs.webkit.org/show_bug.cgi?id=142424
1296
1297         Reviewed by Geoffrey Garen.
1298
1299         Iterator Object Names in the spec right now have spaces.
1300         In our implementation some do and some don't.
1301         This patch aligns JSC to the spec.
1302
1303         * runtime/JSArrayIterator.cpp:
1304         * runtime/JSStringIterator.cpp:
1305         * tests/stress/iterator-names.js: Added.
1306         (test):
1307         (iter):
1308         (check):
1309
1310 2015-04-10  Michael Saboff  <msaboff@apple.com>
1311
1312         REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
1313         https://bugs.webkit.org/show_bug.cgi?id=143582
1314
1315         Reviewed by Mark Lam.
1316
1317         For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
1318         fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
1319         For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
1320         The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
1321         if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
1322         we would still OSR exit after the speculation check.
1323
1324         * dfg/DFGFixupPhase.cpp:
1325         (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
1326         * dfg/DFGSpeculativeJIT32_64.cpp:
1327         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1328
1329 2015-04-10  Milan Crha  <mcrha@redhat.com>
1330
1331         Disable Linux-specific code in a Windows build
1332         https://bugs.webkit.org/show_bug.cgi?id=137973
1333
1334         Reviewed by Joseph Pecoraro.
1335
1336         * inspector/JSGlobalObjectInspectorController.cpp:
1337         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1338
1339 2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>
1340
1341         [ARM] Fix calleeSaveRegisters() on non-iOS platforms after r180516
1342         https://bugs.webkit.org/show_bug.cgi?id=143368
1343
1344         Reviewed by Michael Saboff.
1345
1346         * jit/RegisterSet.cpp:
1347         (JSC::RegisterSet::calleeSaveRegisters):
1348
1349 2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>
1350
1351         Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
1352         https://bugs.webkit.org/show_bug.cgi?id=143430
1353
1354         Reviewed by Darin Adler.
1355
1356         * runtime/ExceptionHelpers.cpp:
1357         (JSC::errorDescriptionForValue):
1358         * runtime/NumberPrototype.cpp:
1359         (JSC::numberProtoFuncToExponential):
1360         (JSC::numberProtoFuncToPrecision):
1361         (JSC::numberProtoFuncToString):
1362         * runtime/SymbolPrototype.cpp:
1363         (JSC::symbolProtoFuncToString):
1364
1365 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1366
1367         JSArray::sortNumeric should handle ArrayWithUndecided
1368         https://bugs.webkit.org/show_bug.cgi?id=143535
1369
1370         Reviewed by Geoffrey Garen.
1371         
1372         ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.
1373
1374         * runtime/JSArray.cpp:
1375         (JSC::JSArray::sortNumeric):
1376         * tests/stress/sort-array-with-undecided.js: Added.
1377
1378 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1379
1380         DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
1381         https://bugs.webkit.org/show_bug.cgi?id=143532
1382
1383         Reviewed by Gavin Barraclough.
1384         
1385         Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
1386         But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
1387         would think that there never was wrap-around.
1388         
1389         This fixes a failure in stress/tricky-array-bounds-checks.js when JSC is compiled with bleeding-edge clang.
1390
1391         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1392         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
1393
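The entry above describes a wrap-around check that itself relied on signed int32 overflow, which is undefined behavior in C++ and may be optimized away. The following is an added example, not JSC's own code, showing the defined-behavior way to write such a check; `rangePlusOffsetFits` and `addWouldWrap` are hypothetical helpers, not functions from DFGIntegerCheckCombiningPhase.

```cpp
// Added example (not JSC's own code): checking whether adding a constant
// offset to an int32 range wraps around, without relying on signed overflow.
// The faulty pattern computes `base + offset` in int32 and then compares; when
// that addition overflows, the behavior is undefined, so an optimizing compiler
// may assume it never happens and delete the comparison entirely.
#include <cstdint>
#include <limits>

// Hypothetical helper mirroring the kind of check the entry describes:
// returns true only if every value in [lower, upper] plus `offset` stays
// within int32 without wrapping.
bool rangePlusOffsetFits(int32_t lower, int32_t upper, int32_t offset)
{
    // Do the arithmetic in int64_t, where no sum of two int32 values can
    // overflow; this is the defined-behavior replacement for the wrapping
    // int32 addition.
    int64_t lo = static_cast<int64_t>(lower) + offset;
    int64_t hi = static_cast<int64_t>(upper) + offset;
    return lo >= std::numeric_limits<int32_t>::min()
        && hi <= std::numeric_limits<int32_t>::max();
}

// The same question for a single addition, using the GCC/Clang builtin, which
// reports overflow as a boolean instead of invoking undefined behavior.
bool addWouldWrap(int32_t a, int32_t b)
{
    int32_t result;
    return __builtin_add_overflow(a, b, &result);
}
```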
1394 2015-04-07  Michael Saboff  <msaboff@apple.com>
1395
1396         Lazily initialize LogToSystemConsole flag to reduce memory usage
1397         https://bugs.webkit.org/show_bug.cgi?id=143506
1398
1399         Reviewed by Mark Lam.
1400
1401         Only call into CF preferences code when we need to in order to reduce memory usage.
1402
1403         * inspector/JSGlobalObjectConsoleClient.cpp:
1404         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
1405         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
1406         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
1407         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
1408
1409 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
1410
1411         Get the features.json files ready for open contributions
1412         https://bugs.webkit.org/show_bug.cgi?id=143436
1413
1414         Reviewed by Darin Adler.
1415
1416         * features.json:
1417
1418 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
1419
1420         Constant folding of typed array properties should be handled by AI rather than strength reduction
1421         https://bugs.webkit.org/show_bug.cgi?id=143496
1422
1423         Reviewed by Geoffrey Garen.
1424         
1425         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
1426         phase and whatever other phase did the folding in order to find all constants.
1427         
1428         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
1429         directly.
1430         
1431         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
1432         found because all of the tests for it involved the property getting constant folded. I found that
1433         the codegen was bad because an earlier version of the patch broke that constant folding. This
1434         adds a new test for that node type, which makes constant folding impossible by allocating a new
1435         typed array every time. The lesson here is: if you write a test for something, run the test with
1436         full IR dumps to make sure it's actually testing the thing you want it to test.
1437
1438         * dfg/DFGAbstractInterpreterInlines.h:
1439         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1440         * dfg/DFGClobberize.h:
1441         (JSC::DFG::clobberize):
1442         * dfg/DFGConstantFoldingPhase.cpp:
1443         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1444         * dfg/DFGDoesGC.cpp:
1445         (JSC::DFG::doesGC):
1446         * dfg/DFGFixupPhase.cpp:
1447         (JSC::DFG::FixupPhase::fixupNode):
1448         * dfg/DFGGraph.cpp:
1449         (JSC::DFG::Graph::dump):
1450         (JSC::DFG::Graph::tryGetFoldableView):
1451         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
1452         * dfg/DFGGraph.h:
1453         * dfg/DFGNode.h:
1454         (JSC::DFG::Node::hasTypedArray): Deleted.
1455         (JSC::DFG::Node::typedArray): Deleted.
1456         * dfg/DFGNodeType.h:
1457         * dfg/DFGPredictionPropagationPhase.cpp:
1458         (JSC::DFG::PredictionPropagationPhase::propagate):
1459         * dfg/DFGSafeToExecute.h:
1460         (JSC::DFG::safeToExecute):
1461         * dfg/DFGSpeculativeJIT.cpp:
1462         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
1463         * dfg/DFGSpeculativeJIT32_64.cpp:
1464         (JSC::DFG::SpeculativeJIT::compile):
1465         * dfg/DFGSpeculativeJIT64.cpp:
1466         (JSC::DFG::SpeculativeJIT::compile):
1467         * dfg/DFGStrengthReductionPhase.cpp:
1468         (JSC::DFG::StrengthReductionPhase::handleNode):
1469         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
1470         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
1471         * dfg/DFGWatchpointCollectionPhase.cpp:
1472         (JSC::DFG::WatchpointCollectionPhase::handle):
1473         (JSC::DFG::WatchpointCollectionPhase::addLazily):
1474         * ftl/FTLCapabilities.cpp:
1475         (JSC::FTL::canCompile):
1476         * ftl/FTLLowerDFGToLLVM.cpp:
1477         (JSC::FTL::LowerDFGToLLVM::compileNode):
1478         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
1479         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
1480         * tests/stress/fold-typed-array-properties.js:
1481         (foo):
1482         * tests/stress/typed-array-byte-offset.js: Added.
1483         (foo):
1484
1485 2015-04-07  Matthew Mirman  <mmirman@apple.com>
1486
1487         Source and stack information should get appended only to native errors
1488         and should be added directly after construction rather than when thrown. 
1489         This fixes frozen objects being unfrozen when thrown while conforming to 
1490         ecma script standard and other browser behavior.
1491         rdar://problem/19927293
1492         https://bugs.webkit.org/show_bug.cgi?id=141871
1493         
1494         Reviewed by Geoffrey Garen.
1495
1496         Appending stack, source, line, and column information to an object whenever that object is thrown 
1497         is incorrect because it violates the ecma script standard for the behavior of throw.  Suppose for example
1498         that the object being thrown already has one of these properties or is frozen.  Adding the properties 
1499         would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
1500         and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
1501         a control flow construct rather than just an error reporting mechanism.  
1502         
1503         Because WebCore adds "native" errors which do not inherit from any JSC native error, 
1504         appending the error properties as a separate call after construction of the error is required 
1505         to avoid having to manually truncate the stack and gather local source information due to 
1506         the stack being extended by a nested call to construct one of the native JSC errors.
1507         
1508         * interpreter/Interpreter.cpp:
1509         (JSC::Interpreter::execute):
1510         * interpreter/Interpreter.h:
1511         * parser/ParserError.h:
1512         (JSC::ParserError::toErrorObject):
1513         * runtime/CommonIdentifiers.h:
1514         * runtime/Error.cpp:
1515         (JSC::createError):
1516         (JSC::createEvalError):
1517         (JSC::createRangeError):
1518         (JSC::createReferenceError):
1519         (JSC::createSyntaxError):
1520         (JSC::createTypeError):
1521         (JSC::createNotEnoughArgumentsError):
1522         (JSC::createURIError):
1523         (JSC::createOutOfMemoryError):
1524         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1525         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1526         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
1527         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
1528         (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
1529         (JSC::addErrorInfo): Added special case for appending complete error info 
1530         to a newly constructed error object.
1531         * runtime/Error.h:
1532         * runtime/ErrorConstructor.cpp:
1533         (JSC::Interpreter::constructWithErrorConstructor):
1534         (JSC::Interpreter::callErrorConstructor):
1535         * runtime/ErrorInstance.cpp:
1536         (JSC::appendSourceToError): Moved from VM.cpp
1537         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1538         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1539         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
1540         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
1541         (JSC::addErrorInfoAndGetBytecodeOffset):
1542         (JSC::ErrorInstance::finishCreation):
1543         * runtime/ErrorInstance.h:
1544         (JSC::ErrorInstance::create):
1545         * runtime/ErrorPrototype.cpp:
1546         (JSC::ErrorPrototype::finishCreation):
1547         * runtime/ExceptionFuzz.cpp:
1548         (JSC::doExceptionFuzzing):
1549         * runtime/ExceptionHelpers.cpp:
1550         (JSC::createError):
1551         (JSC::createInvalidFunctionApplyParameterError):
1552         (JSC::createInvalidInParameterError):
1553         (JSC::createInvalidInstanceofParameterError):
1554         (JSC::createNotAConstructorError):
1555         (JSC::createNotAFunctionError):
1556         (JSC::createNotAnObjectError):
1557         (JSC::throwOutOfMemoryError):
1558         (JSC::createStackOverflowError): Deleted.
1559         (JSC::createOutOfMemoryError): Deleted.
1560         * runtime/ExceptionHelpers.h:
1561         * runtime/JSArrayBufferConstructor.cpp:
1562         (JSC::constructArrayBuffer):
1563         * runtime/JSArrayBufferPrototype.cpp:
1564         (JSC::arrayBufferProtoFuncSlice):
1565         * runtime/JSGenericTypedArrayViewInlines.h:
1566         (JSC::JSGenericTypedArrayView<Adaptor>::create):
1567         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
1568         * runtime/NativeErrorConstructor.cpp:
1569         (JSC::Interpreter::constructWithNativeErrorConstructor):
1570         (JSC::Interpreter::callNativeErrorConstructor):
1571         * runtime/VM.cpp:
1572         (JSC::VM::throwException):
1573         (JSC::appendSourceToError): Moved to Error.cpp
1574         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
1575         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
1576         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
1577         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
1578         * tests/stress/freeze_leek.js: Added.
1579
1580 2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>
1581
1582         Web Inspector: ES6: Show Symbol properties on Objects
1583         https://bugs.webkit.org/show_bug.cgi?id=141279
1584
1585         Reviewed by Timothy Hatcher.
1586
1587         * inspector/protocol/Runtime.json:
1588         Give PropertyDescriptor a reference to the Symbol RemoteObject
1589         if the property is a symbol property.
1590
1591         * inspector/InjectedScriptSource.js:
1592         Enumerate symbol properties on objects.
1593
1594 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
1595
1596         Make it possible to enable LLVM FastISel
1597         https://bugs.webkit.org/show_bug.cgi?id=143489
1598
1599         Reviewed by Michael Saboff.
1600
1601         The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
1602         against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
1603         if we should enable it.
1604
1605         * ftl/FTLCompile.cpp:
1606         (JSC::FTL::mmAllocateDataSection):
1607         * llvm/InitializeLLVM.cpp:
1608         (JSC::initializeLLVMImpl):
1609         * llvm/InitializeLLVM.h:
1610         * llvm/InitializeLLVMLinux.cpp:
1611         (JSC::getLLVMInitializerFunction):
1612         (JSC::initializeLLVMImpl): Deleted.
1613         * llvm/InitializeLLVMMac.cpp:
1614         (JSC::getLLVMInitializerFunction):
1615         (JSC::initializeLLVMImpl): Deleted.
1616         * llvm/InitializeLLVMPOSIX.cpp:
1617         (JSC::getLLVMInitializerFunctionPOSIX):
1618         (JSC::initializeLLVMPOSIX): Deleted.
1619         * llvm/InitializeLLVMPOSIX.h:
1620         * llvm/InitializeLLVMWin.cpp:
1621         (JSC::getLLVMInitializerFunction):
1622         (JSC::initializeLLVMImpl): Deleted.
1623         * llvm/LLVMAPI.cpp:
1624         * llvm/LLVMAPI.h:
1625         * llvm/library/LLVMExports.cpp:
1626         (initCommandLine):
1627         (initializeAndGetJSCLLVMAPI):
1628         * runtime/Options.cpp:
1629         (JSC::Options::initialize):
1630
1631 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1632
1633         put_by_val_direct needs to check whether the property is an index or not when choosing putDirect / putDirectIndex
1634         https://bugs.webkit.org/show_bug.cgi?id=140426
1635
1636         Reviewed by Darin Adler.
1637
1638         In the put_by_val_direct operation, we use JSObject::putDirect.
1639         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
1640         This patch checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
1641
1642         * dfg/DFGOperations.cpp:
1643         (JSC::DFG::putByVal):
1644         (JSC::DFG::operationPutByValInternal):
1645         * jit/JITOperations.cpp:
1646         * llint/LLIntSlowPaths.cpp:
1647         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1648         * runtime/Identifier.h:
1649         (JSC::isIndex):
1650         (JSC::parseIndex):
1651         * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
1652         (lookupWithKey):
1653         (toStringThrowsError.toString):
1654
1655 2015-04-06  Alberto Garcia  <berto@igalia.com>
1656
1657         [GTK] Fix HPPA build
1658         https://bugs.webkit.org/show_bug.cgi?id=143453
1659
1660         Reviewed by Darin Adler.
1661
1662         Add HPPA to the list of supported CPUs.
1663
1664         * CMakeLists.txt:
1665
1666 2015-04-06  Mark Lam  <mark.lam@apple.com>
1667
1668         In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
1669         <https://webkit.org/b/143396>
1670
1671         Reviewed by Filip Pizlo.
1672
1673         The DFG was neglecting to set the result boolean.  The FTL was setting it with
1674         an inverted value.  Both of these are now resolved.
1675
1676         * dfg/DFGSpeculativeJIT64.cpp:
1677         (JSC::DFG::SpeculativeJIT::compile):
1678         * ftl/FTLLowerDFGToLLVM.cpp:
1679         (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
1680         * tests/stress/for-in-array-mode.js: Added.
1681         (.):
1682         (test):
1683
1684 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1685
1686         [ES6] DFG and FTL should be aware that StringConstructor behavior for symbols becomes different from ToString
1687         https://bugs.webkit.org/show_bug.cgi?id=143424
1688
1689         Reviewed by Geoffrey Garen.
1690
1691         In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).
1692
1693         ToString(symbol) throws a type error.
1694         However, String(symbol) produces SymbolDescriptiveString(symbol).
1695
1696         So, in the DFG and FTL phases, StringConstructor should not be inlined to ToString.
1697
1698         Now, in the template literals patch, the ToString DFG operation is planned to be used.
1699         And the current ToString behavior is aligned to the spec (and JSValue::toString), which is better.
1700         So instead of changing the ToString behavior, this patch adds a CallStringConstructor operation to the DFG and FTL.
1701         In CallStringConstructor, all behavior in DFG analysis is the same.
1702         The only difference from ToString is that, when calling DFG operation functions, it calls
1703         operationCallStringConstructorOnCell and operationCallStringConstructor instead of
1704         operationToStringOnCell and operationToString.
1705
1706         * dfg/DFGAbstractInterpreterInlines.h:
1707         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1708         * dfg/DFGBackwardsPropagationPhase.cpp:
1709         (JSC::DFG::BackwardsPropagationPhase::propagate):
1710         * dfg/DFGByteCodeParser.cpp:
1711         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1712         * dfg/DFGClobberize.h:
1713         (JSC::DFG::clobberize):
1714         * dfg/DFGDoesGC.cpp:
1715         (JSC::DFG::doesGC):
1716         * dfg/DFGFixupPhase.cpp:
1717         (JSC::DFG::FixupPhase::fixupNode):
1718         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
1719         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1720         (JSC::DFG::FixupPhase::fixupToString): Deleted.
1721         * dfg/DFGNodeType.h:
1722         * dfg/DFGOperations.cpp:
1723         * dfg/DFGOperations.h:
1724         * dfg/DFGPredictionPropagationPhase.cpp:
1725         (JSC::DFG::PredictionPropagationPhase::propagate):
1726         * dfg/DFGSafeToExecute.h:
1727         (JSC::DFG::safeToExecute):
1728         * dfg/DFGSpeculativeJIT.cpp:
1729         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
1730         (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
1731         * dfg/DFGSpeculativeJIT.h:
1732         * dfg/DFGSpeculativeJIT32_64.cpp:
1733         (JSC::DFG::SpeculativeJIT::compile):
1734         * dfg/DFGSpeculativeJIT64.cpp:
1735         (JSC::DFG::SpeculativeJIT::compile):
1736         * dfg/DFGStructureRegistrationPhase.cpp:
1737         (JSC::DFG::StructureRegistrationPhase::run):
1738         * ftl/FTLCapabilities.cpp:
1739         (JSC::FTL::canCompile):
1740         * ftl/FTLLowerDFGToLLVM.cpp:
1741         (JSC::FTL::LowerDFGToLLVM::compileNode):
1742         (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
1743         (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
1744         * runtime/StringConstructor.cpp:
1745         (JSC::stringConstructor):
1746         (JSC::callStringConstructor):
1747         * runtime/StringConstructor.h:
1748         * tests/stress/symbol-and-string-constructor.js: Added.
1749         (performString):
1750
1751 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1752
1753         Return Optional<uint32_t> from PropertyName::asIndex
1754         https://bugs.webkit.org/show_bug.cgi?id=143422
1755
1756         Reviewed by Darin Adler.
1757
1758         PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
1759         But it's not obvious to callers.
1760
1761         This patch changes
1762         1. PropertyName::asIndex() to return Optional<uint32_t> and
1763         2. the function name `asIndex()` to `parseIndex()`.
1764         It forces callers to check explicitly whether the value is an index or not.
1765
1766         * bytecode/GetByIdStatus.cpp:
1767         (JSC::GetByIdStatus::computeFor):
1768         * bytecode/PutByIdStatus.cpp:
1769         (JSC::PutByIdStatus::computeFor):
1770         * bytecompiler/BytecodeGenerator.cpp:
1771         (JSC::BytecodeGenerator::emitDirectPutById):
1772         * jit/Repatch.cpp:
1773         (JSC::emitPutTransitionStubAndGetOldStructure):
1774         * jsc.cpp:
1775         * runtime/ArrayPrototype.cpp:
1776         (JSC::arrayProtoFuncSort):
1777         * runtime/GenericArgumentsInlines.h:
1778         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1779         (JSC::GenericArguments<Type>::put):
1780         (JSC::GenericArguments<Type>::deleteProperty):
1781         (JSC::GenericArguments<Type>::defineOwnProperty):
1782         * runtime/Identifier.h:
1783         (JSC::parseIndex):
1784         (JSC::Identifier::isSymbol):
1785         * runtime/JSArray.cpp:
1786         (JSC::JSArray::defineOwnProperty):
1787         * runtime/JSCJSValue.cpp:
1788         (JSC::JSValue::putToPrimitive):
1789         * runtime/JSGenericTypedArrayViewInlines.h:
1790         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1791         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1792         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1793         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1794         * runtime/JSObject.cpp:
1795         (JSC::JSObject::put):
1796         (JSC::JSObject::putDirectAccessor):
1797         (JSC::JSObject::putDirectCustomAccessor):
1798         (JSC::JSObject::deleteProperty):
1799         (JSC::JSObject::putDirectMayBeIndex):
1800         (JSC::JSObject::defineOwnProperty):
1801         * runtime/JSObject.h:
1802         (JSC::JSObject::getOwnPropertySlot):
1803         (JSC::JSObject::getPropertySlot):
1804         (JSC::JSObject::putDirectInternal):
1805         * runtime/JSString.cpp:
1806         (JSC::JSString::getStringPropertyDescriptor):
1807         * runtime/JSString.h:
1808         (JSC::JSString::getStringPropertySlot):
1809         * runtime/LiteralParser.cpp:
1810         (JSC::LiteralParser<CharType>::parse):
1811         * runtime/PropertyName.h:
1812         (JSC::parseIndex):
1813         (JSC::toUInt32FromCharacters): Deleted.
1814         (JSC::toUInt32FromStringImpl): Deleted.
1815         (JSC::PropertyName::asIndex): Deleted.
1816         * runtime/PropertyNameArray.cpp:
1817         (JSC::PropertyNameArray::add):
1818         * runtime/StringObject.cpp:
1819         (JSC::StringObject::deleteProperty):
1820         * runtime/Structure.cpp:
1821         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1822
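Both the put_by_val_direct entry above (choosing putDirect vs. putDirectIndex) and this PropertyName::asIndex entry hinge on deciding whether a property name is an array index and making that decision explicit in the return type. The following is an added example, not JSC's own code: `parseIndex` here is a stand-alone implementation of the ECMAScript array-index rule using std::optional, and `ToyObject` is a hypothetical object model that shows the routing the put_by_val_direct fix describes.

```cpp
// Added example (not JSC's own code): parsing a property name as an
// ECMAScript array index and returning std::optional<uint32_t>, so that a
// caller cannot silently treat the "not an index" sentinel (UINT_MAX in the
// old API) as a real index.
#include <cstdint>
#include <map>
#include <optional>
#include <string>

// An array index is the canonical decimal string of an integer in
// [0, 2^32 - 2]: no sign, no leading zeros (except "0" itself), digits only.
// 2^32 - 1 is excluded because it is the maximum array length, not an index.
std::optional<uint32_t> parseIndex(const std::string& name)
{
    if (name.empty() || name.size() > 10)   // 2^32 - 2 has 10 digits
        return std::nullopt;
    if (name.size() > 1 && name[0] == '0')  // "00", "07" are not canonical
        return std::nullopt;
    uint64_t value = 0;                     // wide enough for any 10 digits
    for (char c : name) {
        if (c < '0' || c > '9')
            return std::nullopt;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (value >= 0xFFFFFFFFull)             // 2^32 - 1 is not a valid index
        return std::nullopt;
    return static_cast<uint32_t>(value);
}

// Hypothetical object model with the same split the put_by_val_direct entry
// describes: named properties go through putDirect, indexed ones through
// putDirectIndex, and storing an index as a named property is the bug.
struct ToyObject {
    std::map<std::string, int> named;
    std::map<uint32_t, int> indexed;

    void putDirect(const std::string& name, int v) { named[name] = v; }
    void putDirectIndex(uint32_t index, int v) { indexed[index] = v; }

    // What a direct put-by-value must do: route by whether the key parses as
    // an index, rather than always calling putDirect.
    void putByValDirect(const std::string& key, int v)
    {
        if (auto index = parseIndex(key))
            putDirectIndex(*index, v);
        else
            putDirect(key, v);
    }
};

// Returns true if `key` ends up in the indexed storage after a direct put.
bool routesToIndexedStorage(const std::string& key)
{
    ToyObject object;
    object.putByValDirect(key, 1);
    return object.indexed.size() == 1 && object.named.empty();
}
```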
1823 2015-04-05  Andreas Kling  <akling@apple.com>
1824
1825         URI encoding/escaping should use efficient string building instead of calling snprintf().
1826         <https://webkit.org/b/143426>
1827
1828         Reviewed by Gavin Barraclough.
1829
1830         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
1831         which seemed pretty silly. This change gets that down to nothing in favor of using our
1832         existing JSStringBuilder and HexNumber.h facilities.
1833
1834         These APIs are well-exercised by our existing test suite.
1835
1836         * runtime/JSGlobalObjectFunctions.cpp:
1837         (JSC::encode):
1838         (JSC::globalFuncEscape):
1839
1840 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
1841
1842         documentation for ES Promises points to the wrong one
1843         https://bugs.webkit.org/show_bug.cgi?id=143263
1844
1845         Reviewed by Darin Adler.
1846
1847         * features.json:
1848
1849 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
1850
1851         Remove "go ahead and" from comments
1852         https://bugs.webkit.org/show_bug.cgi?id=143421
1853
1854         Reviewed by Darin Adler, Benjamin Poulain.
1855
1856         Remove the phrase "go ahead and" from comments where it doesn't add
1857         anything (which is almost all of them).
1858
1859         * interpreter/JSStack.cpp:
1860         (JSC::JSStack::growSlowCase):
1861
1862 2015-04-04  Andreas Kling  <akling@apple.com>
1863
1864         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1865         <https://webkit.org/b/143210>
1866
1867         Reviewed by Geoffrey Garen.
1868
1869         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1870         we had a little problem where WeakBlocks with only null pointers would still keep their
1871         MarkedBlock alive.
1872
1873         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1874         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1875         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1876         destroying them once they're fully dead.
1877
1878         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1879         a mysterious issue where doing two full garbage collections back-to-back would free additional
1880         memory in the second collection.
1881
1882         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1883         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1884         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1885
1886         * heap/Heap.h:
1887         * heap/Heap.cpp:
1888         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1889         owned by Heap, after everything else has been swept.
1890
1891         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1892         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1893         they are unlikely to cause entire WeakBlocks to go empty.
1894
1895         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1896         to the Heap when it's detached from a WeakSet.
1897
1898         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1899         of the logically empty WeakBlocks owned by Heap.
1900
1901         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1902         and updates the next-logically-empty-weak-block-to-sweep index.
1903
1904         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
1905         won't be another chance after this.
1906
1907         * heap/IncrementalSweeper.h:
1908         (JSC::IncrementalSweeper::hasWork): Deleted.
1909
1910         * heap/IncrementalSweeper.cpp:
1911         (JSC::IncrementalSweeper::fullSweep):
1912         (JSC::IncrementalSweeper::doSweep):
1913         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1914         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1915         changed to return a bool (true if there's more work to be done.)
1916
1917         * heap/WeakBlock.cpp:
1918         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1919         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1920
1921         * heap/WeakBlock.h:
1922         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1923         if the WeakBlock could be detached from the MarkedBlock.
1924
1925         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1926         when declaring them.
1927
1928 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1929
1930         Implement ES6 Object.getOwnPropertySymbols
1931         https://bugs.webkit.org/show_bug.cgi?id=141106
1932
1933         Reviewed by Geoffrey Garen.
1934
1935         This patch implements `Object.getOwnPropertySymbols`.
1936         One technical issue is that, since we use private symbols (such as `@Object`) in the
1937         privileged JS code in `builtins/`, they should not be exposed.
1938         To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
1939         before adding it into PropertyNameArray.
1940
1941         To check the target `StringImpl*` is a private name, we leverage privateToPublic map in `BuiltinNames`
1942         since all private symbols are held in this map.
1943
1944         * builtins/BuiltinExecutables.cpp:
1945         (JSC::BuiltinExecutables::createExecutableInternal):
1946         * builtins/BuiltinNames.h:
1947         (JSC::BuiltinNames::isPrivateName):
1948         * runtime/CommonIdentifiers.cpp:
1949         (JSC::CommonIdentifiers::isPrivateName):
1950         * runtime/CommonIdentifiers.h:
1951         * runtime/EnumerationMode.h:
1952         (JSC::EnumerationMode::EnumerationMode):
1953         (JSC::EnumerationMode::includeSymbolProperties):
1954         * runtime/ExceptionHelpers.cpp:
1955         (JSC::createUndefinedVariableError):
1956         * runtime/JSGlobalObject.cpp:
1957         (JSC::JSGlobalObject::init):
1958         * runtime/JSLexicalEnvironment.cpp:
1959         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1960         * runtime/JSSymbolTableObject.cpp:
1961         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1962         * runtime/ObjectConstructor.cpp:
1963         (JSC::ObjectConstructor::finishCreation):
1964         (JSC::objectConstructorGetOwnPropertySymbols):
1965         (JSC::defineProperties):
1966         (JSC::objectConstructorSeal):
1967         (JSC::objectConstructorFreeze):
1968         (JSC::objectConstructorIsSealed):
1969         (JSC::objectConstructorIsFrozen):
1970         * runtime/ObjectConstructor.h:
1971         (JSC::ObjectConstructor::create):
1972         * runtime/Structure.cpp:
1973         (JSC::Structure::getPropertyNamesFromStructure):
1974         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
1975         (compare):
1976         * tests/stress/object-get-own-property-symbols.js: Added.
1977         (forIn):
1978         * tests/stress/symbol-define-property.js: Added.
1979         (testSymbol):
1980         * tests/stress/symbol-seal-and-freeze.js: Added.
1981         * tests/stress/symbol-with-json.js: Added.
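
The following is an added example, not code from the JavaScriptCore patch above. It shows which enumeration paths see symbol-keyed properties (for-in, Object.keys, getOwnPropertyNames and JSON.stringify skip them; getOwnPropertySymbols and Reflect.ownKeys return them), the ToObject behaviour of getOwnPropertySymbols, and that freeze/isFrozen cover symbol keys, which is what the new stress tests exercise. The symbol name and the values are constructed for illustration.

```javascript
// Added example (not JavaScriptCore code): which enumeration paths see
// symbol-keyed properties. for-in, Object.keys, getOwnPropertyNames and
// JSON.stringify skip them; getOwnPropertySymbols and Reflect.ownKeys return
// them. A symbol key is therefore hidden from string enumeration, not secret.

const token = Symbol('sessionToken'); // constructed symbol key

function makeRecord() {
  const rec = { id: 7, name: 'alice' };
  rec[token] = 'constructed-secret-value';
  Object.defineProperty(rec, Symbol('hidden'), { value: 1, enumerable: false });
  return rec;
}

// Collect each view of the record's keys.
function keyViews(obj) {
  const forIn = [];
  for (const k in obj) forIn.push(k);
  return {
    forIn,
    keys: Object.keys(obj),
    names: Object.getOwnPropertyNames(obj),
    // getOwnPropertySymbols lists symbol keys in insertion order, including
    // non-enumerable ones (it mirrors getOwnPropertyNames, not keys).
    symbols: Object.getOwnPropertySymbols(obj).map((s) => s.description),
    ownKeyCount: Reflect.ownKeys(obj).length,
    json: JSON.stringify(obj),
  };
}

// getOwnPropertySymbols performs ToObject on its argument: a primitive is
// boxed (a string wrapper has no symbol keys), null and undefined throw.
function symbolCountOf(value) {
  try {
    return Object.getOwnPropertySymbols(value).length;
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'unexpected';
  }
}

// freeze/isFrozen must cover symbol-keyed properties as well: after freezing,
// a strict-mode write to the symbol key throws and the value is unchanged.
function freezeCoversSymbols() {
  const rec = makeRecord();
  const frozenBefore = Object.isFrozen(rec);
  Object.freeze(rec);
  let threw = false;
  try {
    (function () { 'use strict'; rec[token] = 'changed'; })();
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return {
    frozenBefore,
    frozenAfter: Object.isFrozen(rec),
    threw,
    unchanged: rec[token] === 'constructed-secret-value',
  };
}
```

The practical point for anyone using symbol keys to stash sensitive state: they do not show up in JSON or in a for-in audit, but any code with a reference to the object can still list them.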
1982
1983 2015-04-03  Mark Lam  <mark.lam@apple.com>
1984
1985         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
1986         <https://webkit.org/b/143385>
1987
1988         Reviewed by Geoffrey Garen.
1989
1990         For debugging purposes, sometimes, we want to be able to make compilation happen
1991         sooner to see if we can accelerate the manifestation of certain events / bugs.
1992         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
1993         which make up the compilation policy.  Let's add a single knob that can tune all
1994         the thresholds up / down in one go proportionately so that we can easily tweak
1995         how soon compilation occurs.
1996
1997         * runtime/Options.cpp:
1998         (JSC::scaleJITPolicy):
1999         (JSC::recomputeDependentOptions):
2000         * runtime/Options.h:
2001
2002 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2003
2004         is* API methods should be @properties
2005         https://bugs.webkit.org/show_bug.cgi?id=143388
2006
2007         Reviewed by Mark Lam.
2008
2009         This appears to be the preferred idiom in WebKit, CA, AppKit, and
2010         Foundation.
2011
2012         * API/JSValue.h: Be @properties.
2013
2014         * API/tests/testapi.mm:
2015         (testObjectiveCAPI): Use the @properties.
2016
2017 2015-04-03  Mark Lam  <mark.lam@apple.com>
2018
2019         Some JSC Options refactoring and enhancements.
2020         <https://webkit.org/b/143384>
2021
2022         Rubber stamped by Benjamin Poulain.
2023
2024         Create a better encapsulated Option class to make working with options easier.  This
2025         is a building block towards a JIT policy scaling debugging option I will introduce later.
2026
2027         This work entails:
2028         1. Convert Options::Option into a public class Option (which works closely with Options).
2029         2. Convert Options::EntryType into an enum class Options::Type and make it public.
2030         3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
2031         4. Add misc methods to class Option to make it more usable.
2032
2033         * runtime/Options.cpp:
2034         (JSC::Options::dumpOption):
2035         (JSC::Option::dump):
2036         (JSC::Option::operator==):
2037         (JSC::Options::Option::dump): Deleted.
2038         (JSC::Options::Option::operator==): Deleted.
2039         * runtime/Options.h:
2040         (JSC::Option::Option):
2041         (JSC::Option::operator!=):
2042         (JSC::Option::name):
2043         (JSC::Option::description):
2044         (JSC::Option::type):
2045         (JSC::Option::isOverridden):
2046         (JSC::Option::defaultOption):
2047         (JSC::Option::boolVal):
2048         (JSC::Option::unsignedVal):
2049         (JSC::Option::doubleVal):
2050         (JSC::Option::int32Val):
2051         (JSC::Option::optionRangeVal):
2052         (JSC::Option::optionStringVal):
2053         (JSC::Option::gcLogLevelVal):
2054         (JSC::Options::Option::Option): Deleted.
2055         (JSC::Options::Option::operator!=): Deleted.
2056
2057 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2058
2059         JavaScriptCore API should support type checking for Array and Date
2060         https://bugs.webkit.org/show_bug.cgi?id=143324
2061
2062         Follow-up to address a comment by Dan.
2063
2064         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
2065         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
2066         is equal to 101100.
2067
2068 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2069
2070         JavaScriptCore API should support type checking for Array and Date
2071         https://bugs.webkit.org/show_bug.cgi?id=143324
2072
2073         Follow-up to address a comment by Dan.
2074
2075         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
2076         Added a comment explaining why.
2077
2078 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
2079
2080         FTL JIT tests should fail if LLVM library isn't available
2081         https://bugs.webkit.org/show_bug.cgi?id=143374
2082
2083         Reviewed by Mark Lam.
2084
2085         * dfg/DFGPlan.cpp:
2086         (JSC::DFG::Plan::compileInThreadImpl):
2087         * runtime/Options.h:
2088
2089 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2090
2091         Fix the EFL and GTK build after r182243
2092         https://bugs.webkit.org/show_bug.cgi?id=143361
2093
2094         Reviewed by Csaba Osztrogonác.
2095
2096         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
2097         DerivedSources/JavaScriptCore/inspector/ directory.
2098
2099 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2100
2101         Unreviewed, fixing Clang builds of the GTK port on Linux.
2102
2103         * runtime/Options.cpp:
2104         Include the <math.h> header for isnan().
2105
2106 2015-04-02  Mark Lam  <mark.lam@apple.com>
2107
2108         Enhance ability to dump JSC Options.
2109         <https://webkit.org/b/143357>
2110
2111         Reviewed by Benjamin Poulain.
2112
2113         Some enhancements to how the JSC options work:
2114
2115         1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
2116            2 = All, 3 = Verbose.
2117
2118            The default is 0 (None).  This dumps nothing.
2119            With the Overridden setting, at VM initialization time, we will dump all
2120            option values that have been changed from their default.
2121            With the All setting, at VM initialization time, we will dump all option values.
2122            With the Verbose setting, at VM initialization time, we will dump all option
2123            values along with their descriptions (if available).
2124
2125         2. We now store a copy of the default option values.
2126
2127            We later use this for comparison to tell if an option has been overridden, and
2128            print the default value for reference.  As a result, we no longer need the
2129            didOverride flag since we can compute whether the option is overridden at any time.
2130
2131         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
2132
2133            This will come in handy later when we want to rename some of the options to more sane
2134            names that are easier to remember.  For example, we can change
2135            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
2136            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
2137            of the description, we can afford to use shorter and less descriptive option names,
2138            but they will be easier to remember and use for day to day debugging work.
2139
2140            In this patch, I did not change the names of any of the options yet.  I only added
2141            description strings for options that I know about, and where I think the option name
2142            isn't already descriptive enough.
2143
2144         4. Also deleted some unused code.
2145
2146         * jsc.cpp:
2147         (CommandLine::parseArguments):
2148         * runtime/Options.cpp:
2149         (JSC::Options::initialize):
2150         (JSC::Options::setOption):
2151         (JSC::Options::dumpAllOptions):
2152         (JSC::Options::dumpOption):
2153         (JSC::Options::Option::dump):
2154         (JSC::Options::Option::operator==):
2155         * runtime/Options.h:
2156         (JSC::OptionRange::rangeString):
2157         (JSC::Options::Option::Option):
2158         (JSC::Options::Option::operator!=):
2159
2160 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
2161
2162         JavaScriptCore API should support type checking for Array and Date
2163         https://bugs.webkit.org/show_bug.cgi?id=143324
2164
2165         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
2166
2167         * API/JSValue.h:
2168         * API/JSValue.mm:
2169         (-[JSValue isArray]):
2170         (-[JSValue isDate]): Added an ObjC API.
2171
2172         * API/JSValueRef.cpp:
2173         (JSValueIsArray):
2174         (JSValueIsDate):
2175         * API/JSValueRef.h: Added a C API.
2176
2177         * API/WebKitAvailability.h: Brought our availability macros up to date
2178         and fixed a harmless bug where "10_10" translated to "10.0".
2179
2180         * API/tests/testapi.c:
2181         (main): Added a test and corrected a pre-existing leak.
2182
2183         * API/tests/testapi.mm:
2184         (testObjectiveCAPI): Added a test.
2185
2186 2015-04-02  Mark Lam  <mark.lam@apple.com>
2187
2188         Add Options::dumpSourceAtDFGTime().
2189         <https://webkit.org/b/143349>
2190
2191         Reviewed by Oliver Hunt, and Michael Saboff.
2192
2193         Sometimes, we will want to see the JS source code that we're compiling, and it
2194         would be nice to be able to do this without having to jump through a lot of hoops.
2195         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
2196         Options::dumpBytecodeAtDFGTime() option.
2197
2198         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
2199         that explicitly take no arguments (instead of relying on the version that takes
2200         the default argument).  These versions are friendlier to use when we want to call
2201         them from an interactive debugging session.
2202
2203         * bytecode/CodeBlock.cpp:
2204         (JSC::CodeBlock::dumpSource):
2205         (JSC::CodeBlock::dumpBytecode):
2206         * bytecode/CodeBlock.h:
2207         * dfg/DFGByteCodeParser.cpp:
2208         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2209         * runtime/Options.h:
2210
2211 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2212
2213         Clean up EnumerationMode to easily extend
2214         https://bugs.webkit.org/show_bug.cgi?id=143276
2215
2216         Reviewed by Geoffrey Garen.
2217
2218         To make the following easy,
2219         1. adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch, and
2220         2. making ExcludeSymbols implicitly the default for the existing flags,
2221         we encapsulate the EnumerationMode flags into an EnumerationMode class.
2222
2223         And this class manages 2 flags. Later it will be extended to 3.
2224         1. DontEnumPropertiesMode (default is Exclude)
2225         2. JSObjectPropertiesMode (default is Include)
2226         3. SymbolPropertiesMode (default is Exclude)
2227             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
2228
2229         This patch replaces places using ExcludeDontEnumProperties
2230         with the EnumerationMode() value, which represents the default mode.
2231
2232         * API/JSCallbackObjectFunctions.h:
2233         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2234         * API/JSObjectRef.cpp:
2235         (JSObjectCopyPropertyNames):
2236         * bindings/ScriptValue.cpp:
2237         (Deprecated::jsToInspectorValue):
2238         * bytecode/ObjectAllocationProfile.h:
2239         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2240         * runtime/ArrayPrototype.cpp:
2241         (JSC::arrayProtoFuncSort):
2242         * runtime/EnumerationMode.h:
2243         (JSC::EnumerationMode::EnumerationMode):
2244         (JSC::EnumerationMode::includeDontEnumProperties):
2245         (JSC::EnumerationMode::includeJSObjectProperties):
2246         (JSC::shouldIncludeDontEnumProperties): Deleted.
2247         (JSC::shouldExcludeDontEnumProperties): Deleted.
2248         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
2249         (JSC::modeThatSkipsJSObject): Deleted.
2250         * runtime/GenericArgumentsInlines.h:
2251         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2252         * runtime/JSArray.cpp:
2253         (JSC::JSArray::getOwnNonIndexPropertyNames):
2254         * runtime/JSArrayBuffer.cpp:
2255         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2256         * runtime/JSArrayBufferView.cpp:
2257         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2258         * runtime/JSFunction.cpp:
2259         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2260         * runtime/JSFunction.h:
2261         * runtime/JSGenericTypedArrayViewInlines.h:
2262         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
2263         * runtime/JSLexicalEnvironment.cpp:
2264         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2265         * runtime/JSONObject.cpp:
2266         (JSC::Stringifier::Holder::appendNextProperty):
2267         (JSC::Walker::walk):
2268         * runtime/JSObject.cpp:
2269         (JSC::getClassPropertyNames):
2270         (JSC::JSObject::getOwnPropertyNames):
2271         (JSC::JSObject::getOwnNonIndexPropertyNames):
2272         (JSC::JSObject::getGenericPropertyNames):
2273         * runtime/JSPropertyNameEnumerator.h:
2274         (JSC::propertyNameEnumerator):
2275         * runtime/JSSymbolTableObject.cpp:
2276         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2277         * runtime/ObjectConstructor.cpp:
2278         (JSC::objectConstructorGetOwnPropertyNames):
2279         (JSC::objectConstructorKeys):
2280         (JSC::defineProperties):
2281         (JSC::objectConstructorSeal):
2282         (JSC::objectConstructorFreeze):
2283         (JSC::objectConstructorIsSealed):
2284         (JSC::objectConstructorIsFrozen):
2285         * runtime/RegExpObject.cpp:
2286         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2287         (JSC::RegExpObject::getPropertyNames):
2288         (JSC::RegExpObject::getGenericPropertyNames):
2289         * runtime/StringObject.cpp:
2290         (JSC::StringObject::getOwnPropertyNames):
2291         * runtime/Structure.cpp:
2292         (JSC::Structure::getPropertyNamesFromStructure):
2293
2294 2015-04-01  Alex Christensen  <achristensen@webkit.org>
2295
2296         Progress towards CMake on Windows and Mac.
2297         https://bugs.webkit.org/show_bug.cgi?id=143293
2298
2299         Reviewed by Filip Pizlo.
2300
2301         * CMakeLists.txt:
2302         Enabled using assembly on Windows.
2303         Replaced unix commands with CMake commands.
2304         * PlatformMac.cmake:
2305         Tell open source builders where to find unicode headers.
2306
2307 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2308
2309         IteratorClose should be called when jumping over the target for-of loop
2310         https://bugs.webkit.org/show_bug.cgi?id=143140
2311
2312         Reviewed by Geoffrey Garen.
2313
2314         This patch fixes labeled break/continue behaviors with for-of and iterators.
2315
2316         1. Support IteratorClose beyond multiple loop contexts
2317         Previously, IteratorClose was only executed in for-of's breakTarget().
2318         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
2319         For example,
2320         outer: for (var e1 of outer) {
2321             inner: for (var e2 of inner) {
2322                 break outer;
2323             }
2324         }
2325         In this case, the return method of inner should be called.
2326         We leverage the existing system for `finally` to execute inner.return method correctly.
2327         Leveraging `finally` system fixes `break`, `continue` and `return` cases.
2328         `throw` case is already supported by emitting try-catch handlers in for-of.
2329
2330         2. Incorrect LabelScope creation is done in ForOfNode
2331         ForOfNode creates a duplicated LabelScope.
2332         It causes an infinite loop when executing the following program, which contains an
2333         explicitly labeled for-of loop.
2334         For example,
2335         inner: for (var elm of array) {
2336             continue inner;
2337         }
2338
2339         * bytecompiler/BytecodeGenerator.cpp:
2340         (JSC::BytecodeGenerator::pushFinallyContext):
2341         (JSC::BytecodeGenerator::pushIteratorCloseContext):
2342         (JSC::BytecodeGenerator::popFinallyContext):
2343         (JSC::BytecodeGenerator::popIteratorCloseContext):
2344         (JSC::BytecodeGenerator::emitComplexPopScopes):
2345         (JSC::BytecodeGenerator::emitEnumeration):
2346         (JSC::BytecodeGenerator::emitIteratorClose):
2347         * bytecompiler/BytecodeGenerator.h:
2348         * bytecompiler/NodesCodegen.cpp:
2349         (JSC::ForOfNode::emitBytecode):
2350         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
2351         (createIterator.iterator.return):
2352         (createIterator):
2353         * tests/stress/raise-error-in-iterator-close.js: Added.
2354         (createIterator.iterator.return):
2355         (createIterator):
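
The following is an added example, not code from the JavaScriptCore patch above. It exercises the IteratorClose behaviour the entry describes from the JavaScript side: a labeled break out of nested for-of loops closes the inner iterator and then the outer one, a labeled continue advances instead of spinning, a return closes every enclosing loop, and an error thrown by return() is reported only when the body itself did not throw (the case the raise-error-in-iterator-close test covers). The iterables and their names are constructed for illustration.

```javascript
// Added example (not JavaScriptCore code): IteratorClose semantics for
// labeled break, continue and return out of for-of loops. Each loop that is
// exited abruptly calls its iterator's return(), innermost first; a loop that
// runs to completion does not.

// Constructed iterable whose iterator records return() calls in `log`.
function makeTracked(name, items, log) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next: () => (i < items.length
          ? { value: items[i++], done: false }
          : { value: undefined, done: true }),
        return: () => { log.push(`${name}.return`); return { done: true }; },
      };
    },
  };
}

// `break outer` from the inner loop: both loops are exited abruptly, so
// inner.return() runs first, then outer.return().
function breakOuter() {
  const log = [];
  outer: for (const e1 of makeTracked('outer', [1, 2], log)) {
    for (const e2 of makeTracked('inner', [10, 20], log)) {
      log.push(`visit ${e1},${e2}`);
      break outer;
    }
  }
  return log;
}

// `continue inner` on an explicitly labeled loop: the loop must advance to the
// next element rather than spin, and a loop that finishes normally does not
// call return().
function continueInner() {
  const log = [];
  inner: for (const elm of makeTracked('inner', [1, 2, 3], log)) {
    log.push(`visit ${elm}`);
    continue inner;
  }
  return log;
}

// `return` from inside nested loops closes every enclosing for-of iterator.
function returnFromNested() {
  const log = [];
  for (const a of makeTracked('outer', [1], log)) {
    for (const b of makeTracked('inner', [2], log)) {
      log.push(`visit ${a},${b}`);
      return log; // log is still appended to by the return() calls
    }
  }
  return log;
}

// Constructed iterator whose return() itself throws, to show which error wins.
function makeThrowingClose() {
  return {
    [Symbol.iterator]: () => ({
      next: () => ({ value: 1, done: false }),
      return: () => { throw new Error('from return'); },
    }),
  };
}

// A throw in the loop body takes precedence over an error from return().
function throwInBodyWins() {
  try {
    for (const x of makeThrowingClose()) throw new Error('from body');
  } catch (e) {
    return e.message;
  }
  return 'no error';
}

// On a plain break, an error thrown by return() propagates to the caller.
function breakSurfacesCloseError() {
  try {
    for (const x of makeThrowingClose()) break;
  } catch (e) {
    return e.message;
  }
  return 'no error';
}
```

For anyone writing iterators that hold resources (file handles, locks, generator state), the first three functions are the cases to check: cleanup in return() must run on every abrupt exit, including ones that leave several loops at once.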
2356
2357 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2358
2359         [ES6] Implement Symbol.unscopables
2360         https://bugs.webkit.org/show_bug.cgi?id=142829
2361
2362         Reviewed by Geoffrey Garen.
2363
2364         This patch introduces Symbol.unscopables functionality.
2365         In ES6, some generic names (like keys, values) are introduced
2366         as Array method names. This breaks the web since some web sites
2367         use code like the following.
2368
2369         var values = ...;
2370         with (array) {
2371             values;  // This values is trapped by array's method "values".
2372         }
2373
2374         To fix this, Symbol.unscopables introduces a blacklist
2375         for with scope's trapping. When resolving a scope,
2376         if the name is found in the target scope and the target scope is a with scope,
2377         we check the Symbol.unscopables object to filter generic names.
2378
2379         This functionality is only active for with scopes.
2380         Global scope does not have unscopables functionality.
2381
2382         And since
2383         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
2384         2) in that case, JSScope::resolve is always used in the JIT and LLInt,
2385         3) the code which contains an op_resolve_scope that returns Dynamic cannot be compiled with the DFG and FTL,
2386         to implement this functionality, we just change JSScope::resolve, and there is no need to change JIT code.
2387         So the performance regression is only visible in the Dynamic resolving case, which is already very slow.
2388
2389         * runtime/ArrayPrototype.cpp:
2390         (JSC::ArrayPrototype::finishCreation):
2391         * runtime/CommonIdentifiers.h:
2392         * runtime/JSGlobalObject.h:
2393         (JSC::JSGlobalObject::runtimeFlags):
2394         * runtime/JSScope.cpp:
2395         (JSC::isUnscopable):
2396         (JSC::JSScope::resolve):
2397         * runtime/JSScope.h:
2398         (JSC::ScopeChainIterator::scope):
2399         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
2400         (test):
2401         * tests/stress/unscopables.js: Added.
2402         (test):
2403         (.):
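
The following is an added example, not code from the JavaScriptCore patch above. It demonstrates the Symbol.unscopables behaviour the entry describes: inside `with (array)`, the name `values` resolves to the outer binding because Array.prototype's unscopables list blocks it, a plain object without such a list still traps the name, any object can supply its own list, and the global scope never consults one. Because `with` is a SyntaxError in strict code, the probes are built with the Function constructor; the object shapes and values are constructed for illustration.

```javascript
// Added example (not JavaScriptCore code): Symbol.unscopables keeps the
// generic Array.prototype method names (keys, values, entries, ...) from
// shadowing outer bindings inside a `with` block. The blocklist is consulted
// only for with scopes, never for the global scope.

// `with` is a SyntaxError in strict code, so the probes are created with the
// Function constructor, which always produces sloppy-mode functions.
const probeValues = new Function(
  'scopeObject', 'values',
  'with (scopeObject) { return values; }'
);

// Array.prototype[Symbol.unscopables] lists "values", so the with-scope
// lookup skips the array and reaches the enclosing `values` parameter.
function valuesThroughArray() {
  return probeValues([1, 2, 3], 'outer-values');
}

// A plain object has no blocklist, so its own property wins.
function valuesThroughPlainObject() {
  return probeValues({ values: 'trapped-by-object' }, 'outer-values');
}

// Which generic names Array.prototype blocks (true = skipped in with scopes).
function arrayBlocklistHas(name) {
  return Array.prototype[Symbol.unscopables][name] === true;
}

// Any object can provide its own blocklist; a truthy entry hides that name
// from with-scope resolution while other properties remain visible.
function customBlocklist() {
  const cfg = { debug: true, name: 'cfg' };
  cfg[Symbol.unscopables] = { debug: true };
  const probe = new Function(
    'o', 'debug', 'name',
    'with (o) { return [debug, name]; }'
  );
  return probe(cfg, 'outer-debug', 'outer-name');
}

// The global object is resolved through the global environment, not a with
// scope, so an unscopables list on globalThis changes nothing.
function globalIgnoresBlocklist() {
  globalThis.unscopableProbe = 'global-value'; // constructed global binding
  globalThis[Symbol.unscopables] = { unscopableProbe: true };
  try {
    return new Function('return unscopableProbe;')();
  } finally {
    delete globalThis.unscopableProbe;
    delete globalThis[Symbol.unscopables];
  }
}
```

The defensive reading: `with` turns every property of an attacker-influenced object into a potential shadow of a local name, and Symbol.unscopables only narrows that for the names an object opts out of. Strict mode, which forbids `with` entirely, removes the hazard.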
2404
2405 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
2406
2407         ES6 class syntax should allow static setters and getters
2408         https://bugs.webkit.org/show_bug.cgi?id=143180
2409
2410         Reviewed by Filip Pizlo.
2411
2412         Apparently I misread the spec when I initially implemented parseClass.
2413         ES6 class syntax allows static getters and setters so just allow that.
2414
2415         * parser/Parser.cpp:
2416         (JSC::Parser<LexerType>::parseClass):
2417
2418 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
2419
2420         PutClosureVar CSE def() rule has a wrong base
2421         https://bugs.webkit.org/show_bug.cgi?id=143280
2422
2423         Reviewed by Michael Saboff.
2424         
2425         I think that this code was incorrect in a benign way, since the base of a
2426         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
2427
2428         * dfg/DFGClobberize.h:
2429         (JSC::DFG::clobberize):
2430
2431 2015-03-31  Commit Queue  <commit-queue@webkit.org>
2432
2433         Unreviewed, rolling out r182200.
2434         https://bugs.webkit.org/show_bug.cgi?id=143279
2435
2436         Probably causing assertion extravaganza on bots. (Requested by
2437         kling on #webkit).
2438
2439         Reverted changeset:
2440
2441         "Logically empty WeakBlocks should not pin down their
2442         MarkedBlocks indefinitely."
2443         https://bugs.webkit.org/show_bug.cgi?id=143210
2444         http://trac.webkit.org/changeset/182200
2445
2446 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2447
2448         Clean up Identifier factories to clarify the meaning of StringImpl*
2449         https://bugs.webkit.org/show_bug.cgi?id=143146
2450
2451         Reviewed by Filip Pizlo.
2452
2453         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
2454         However, it's ambiguous because `StringImpl*` has 2 different meanings:
2455         1) a normal string, which is replaceable with `WTFString`, and
2456         2) a `uid`, which holds `isSymbol` information to represent Symbols.
2457         So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
2458         + `Identifier::fromString(VM*/ExecState*, const String&)`.
2459         Just constructs an Identifier from strings. The symbol-ness of the StringImpl* is not kept.
2460         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
2461         This function is used for 2), `uid`. So the symbol-ness of the `StringImpl*` is kept.
2462
2463         And to clean up the `StringImpl` which is used as a uid,
2464         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
2465         1. StringNormal (non-atomic, non-symbol)
2466         2. StringAtomic (atomic, non-symbol)
2467         3. StringSymbol (non-atomic, symbol)
2468         They are mutually exclusive, and the (atomic, symbol) case should not exist.
2469
2470         * API/JSCallbackObjectFunctions.h:
2471         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2472         * API/JSObjectRef.cpp:
2473         (JSObjectMakeFunction):
2474         * API/OpaqueJSString.cpp:
2475         (OpaqueJSString::identifier):
2476         * bindings/ScriptFunctionCall.cpp:
2477         (Deprecated::ScriptFunctionCall::call):
2478         * builtins/BuiltinExecutables.cpp:
2479         (JSC::BuiltinExecutables::createExecutableInternal):
2480         * builtins/BuiltinNames.h:
2481         (JSC::BuiltinNames::BuiltinNames):
2482         * bytecompiler/BytecodeGenerator.cpp:
2483         (JSC::BytecodeGenerator::BytecodeGenerator):
2484         (JSC::BytecodeGenerator::emitThrowReferenceError):
2485         (JSC::BytecodeGenerator::emitThrowTypeError):
2486         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
2487         (JSC::BytecodeGenerator::emitEnumeration):
2488         * dfg/DFGDesiredIdentifiers.cpp:
2489         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2490         * inspector/JSInjectedScriptHost.cpp:
2491         (Inspector::JSInjectedScriptHost::functionDetails):
2492         (Inspector::constructInternalProperty):
2493         (Inspector::JSInjectedScriptHost::weakMapEntries):
2494         (Inspector::JSInjectedScriptHost::iteratorEntries):
2495         * inspector/JSInjectedScriptHostPrototype.cpp:
2496         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2497         * inspector/JSJavaScriptCallFramePrototype.cpp:
2498         * inspector/ScriptCallStackFactory.cpp:
2499         (Inspector::extractSourceInformationFromException):
2500         * jit/JITOperations.cpp:
2501         * jsc.cpp:
2502         (GlobalObject::finishCreation):
2503         (GlobalObject::addFunction):
2504         (GlobalObject::addConstructableFunction):
2505         (functionRun):
2506         (runWithScripts):
2507         * llint/LLIntData.cpp:
2508         (JSC::LLInt::Data::performAssertions):
2509         * llint/LowLevelInterpreter.asm:
2510         * parser/ASTBuilder.h:
2511         (JSC::ASTBuilder::addVar):
2512         * parser/Parser.cpp:
2513         (JSC::Parser<LexerType>::parseInner):
2514         (JSC::Parser<LexerType>::createBindingPattern):
2515         * parser/ParserArena.h:
2516         (JSC::IdentifierArena::makeIdentifier):
2517         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
2518         (JSC::IdentifierArena::makeNumericIdentifier):
2519         * runtime/ArgumentsIteratorPrototype.cpp:
2520         (JSC::ArgumentsIteratorPrototype::finishCreation):
2521         * runtime/ArrayIteratorPrototype.cpp:
2522         (JSC::ArrayIteratorPrototype::finishCreation):
2523         * runtime/ArrayPrototype.cpp:
2524         (JSC::ArrayPrototype::finishCreation):
2525         (JSC::arrayProtoFuncPush):
2526         * runtime/ClonedArguments.cpp:
2527         (JSC::ClonedArguments::getOwnPropertySlot):
2528         * runtime/CommonIdentifiers.cpp:
2529         (JSC::CommonIdentifiers::CommonIdentifiers):
2530         * runtime/CommonIdentifiers.h:
2531         * runtime/Error.cpp:
2532         (JSC::addErrorInfo):
2533         (JSC::hasErrorInfo):
2534         * runtime/ExceptionHelpers.cpp:
2535         (JSC::createUndefinedVariableError):
2536         * runtime/GenericArgumentsInlines.h:
2537         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2538         * runtime/Identifier.h:
2539         (JSC::Identifier::isSymbol):
2540         (JSC::Identifier::Identifier):
2541         (JSC::Identifier::from): Deleted.
2542         * runtime/IdentifierInlines.h:
2543         (JSC::Identifier::Identifier):
2544         (JSC::Identifier::fromUid):
2545         (JSC::Identifier::fromString):
2546         * runtime/JSCJSValue.cpp:
2547         (JSC::JSValue::dumpInContextAssumingStructure):
2548         * runtime/JSCJSValueInlines.h:
2549         (JSC::JSValue::toPropertyKey):
2550         * runtime/JSGlobalObject.cpp:
2551         (JSC::JSGlobalObject::init):
2552         * runtime/JSLexicalEnvironment.cpp:
2553         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2554         * runtime/JSObject.cpp:
2555         (JSC::getClassPropertyNames):
2556         (JSC::JSObject::reifyStaticFunctionsForDelete):
2557         * runtime/JSObject.h:
2558         (JSC::makeIdentifier):
2559         * runtime/JSPromiseConstructor.cpp:
2560         (JSC::JSPromiseConstructorFuncRace):
2561         (JSC::JSPromiseConstructorFuncAll):
2562         * runtime/JSString.h:
2563         (JSC::JSString::toIdentifier):
2564         * runtime/JSSymbolTableObject.cpp:
2565         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2566         * runtime/LiteralParser.cpp:
2567         (JSC::LiteralParser<CharType>::tryJSONPParse):
2568         (JSC::LiteralParser<CharType>::makeIdentifier):
2569         * runtime/Lookup.h:
2570         (JSC::reifyStaticProperties):
2571         * runtime/MapConstructor.cpp:
2572         (JSC::constructMap):
2573         * runtime/MapIteratorPrototype.cpp:
2574         (JSC::MapIteratorPrototype::finishCreation):
2575         * runtime/MapPrototype.cpp:
2576         (JSC::MapPrototype::finishCreation):
2577         * runtime/MathObject.cpp:
2578         (JSC::MathObject::finishCreation):
2579         * runtime/NumberConstructor.cpp:
2580         (JSC::NumberConstructor::finishCreation):
2581         * runtime/ObjectConstructor.cpp:
2582         (JSC::ObjectConstructor::finishCreation):
2583         * runtime/PrivateName.h:
2584         (JSC::PrivateName::PrivateName):
2585         * runtime/PropertyMapHashTable.h:
2586         (JSC::PropertyTable::find):
2587         (JSC::PropertyTable::get):
2588         * runtime/PropertyName.h:
2589         (JSC::PropertyName::PropertyName):
2590         (JSC::PropertyName::publicName):
2591         (JSC::PropertyName::asIndex):
2592         * runtime/PropertyNameArray.cpp:
2593         (JSC::PropertyNameArray::add):
2594         * runtime/PropertyNameArray.h:
2595         (JSC::PropertyNameArray::addKnownUnique):
2596         * runtime/RegExpConstructor.cpp:
2597         (JSC::RegExpConstructor::finishCreation):
2598         * runtime/SetConstructor.cpp:
2599         (JSC::constructSet):
2600         * runtime/SetIteratorPrototype.cpp:
2601         (JSC::SetIteratorPrototype::finishCreation):
2602         * runtime/SetPrototype.cpp:
2603         (JSC::SetPrototype::finishCreation):
2604         * runtime/StringIteratorPrototype.cpp:
2605         (JSC::StringIteratorPrototype::finishCreation):
2606         * runtime/StringPrototype.cpp:
2607         (JSC::StringPrototype::finishCreation):
2608         * runtime/Structure.cpp:
2609         (JSC::Structure::getPropertyNamesFromStructure):
2610         * runtime/SymbolConstructor.cpp:
2611         * runtime/VM.cpp:
2612         (JSC::VM::throwException):
2613         * runtime/WeakMapConstructor.cpp:
2614         (JSC::constructWeakMap):
2615
2616 2015-03-31  Andreas Kling  <akling@apple.com>
2617
2618         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
2619         <https://webkit.org/b/143210>
2620
2621         Reviewed by Geoffrey Garen.
2622
2623         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
2624         we had a little problem where WeakBlocks with only null pointers would still keep their
2625         MarkedBlock alive.
2626
2627         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
2628         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
2629         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
2630         destroying them once they're fully dead.
2631
2632         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
2633         a mysterious issue where doing two full garbage collections back-to-back would free additional
2634         memory in the second collection.
2635
2636         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
2637         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
2638         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
2639
2640         * heap/Heap.h:
2641         * heap/Heap.cpp:
2642         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
2643         owned by Heap, after everything else has been swept.
2644
2645         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
2646         after a full garbage collection ends. Note that we don't do this after Eden collections, since
2647         they are unlikely to cause entire WeakBlocks to go empty.
2648
2649         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
2650         to the Heap when it's detached from a WeakSet.
2651
2652         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
2653         of the logically empty WeakBlocks owned by Heap.
2654
2655         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
2656         and updates the next-logically-empty-weak-block-to-sweep index.
2657
2658         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
2659         won't be another chance after this.
2660
2661         * heap/IncrementalSweeper.h:
2662         (JSC::IncrementalSweeper::hasWork): Deleted.
2663
2664         * heap/IncrementalSweeper.cpp:
2665         (JSC::IncrementalSweeper::fullSweep):
2666         (JSC::IncrementalSweeper::doSweep):
2667         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
2668         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
2669         changed to return a bool (true if there's more work to be done.)
2670
2671         * heap/WeakBlock.cpp:
2672         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
2673         contain any pointers to live objects. The answer is stored in a new SweepResult member.
2674
2675         * heap/WeakBlock.h:
2676         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
2677         if the WeakBlock could be detached from the MarkedBlock.
2678
2679         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
2680         when declaring them.
2681
2682 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
2683
2684         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
2685         https://bugs.webkit.org/show_bug.cgi?id=142883
2686
2687         Reviewed by Filip Pizlo.
2688
2689         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
2690
2691         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
2692         in eval inside a derived class' constructor.
2693
2694         * bytecode/EvalCodeCache.h:
2695         (JSC::EvalCodeCache::getSlow):
2696         * bytecompiler/NodesCodegen.cpp:
2697         (JSC::ThisNode::emitBytecode):
2698         * debugger/DebuggerCallFrame.cpp:
2699         (JSC::DebuggerCallFrame::evaluate):
2700         * interpreter/Interpreter.cpp:
2701         (JSC::eval):
2702         * parser/ASTBuilder.h:
2703         (JSC::ASTBuilder::thisExpr):
2704         * parser/NodeConstructors.h:
2705         (JSC::ThisNode::ThisNode):
2706         * parser/Nodes.h:
2707         * parser/Parser.cpp:
2708         (JSC::Parser<LexerType>::Parser):
2709         (JSC::Parser<LexerType>::parsePrimaryExpression):
2710         * parser/Parser.h:
2711         (JSC::parse):
2712         * parser/ParserModes.h:
2713         * parser/SyntaxChecker.h:
2714         (JSC::SyntaxChecker::thisExpr):
2715         * runtime/CodeCache.cpp:
2716         (JSC::CodeCache::getGlobalCodeBlock):
2717         (JSC::CodeCache::getProgramCodeBlock):
2718         (JSC::CodeCache::getEvalCodeBlock):
2719         * runtime/CodeCache.h:
2720         (JSC::SourceCodeKey::SourceCodeKey):
2721         * runtime/Executable.cpp:
2722         (JSC::EvalExecutable::create):
2723         * runtime/Executable.h:
2724         * runtime/JSGlobalObject.cpp:
2725         (JSC::JSGlobalObject::createEvalCodeBlock):
2726         * runtime/JSGlobalObject.h:
2727         * runtime/JSGlobalObjectFunctions.cpp:
2728         (JSC::globalFuncEval):
2729         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
2730         * tests/stress/class-syntax-tdz-in-eval.js: Added.
2731
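The TDZ rule this entry enforces, as an added example (not JSC code and not the stress tests listed above): in a derived-class constructor `this` is uninitialized until `super()` returns, and a direct `eval` inside that constructor resolves `this` in the constructor's own scope, so it must raise the same ReferenceError as a direct access rather than read the uninitialized slot. The class and function names are this example's own.

```javascript
// Added example (not JSC code): `this` in a derived-class constructor is in its
// temporal dead zone (TDZ) until super() returns. A direct eval inside that
// constructor resolves `this` in the constructor's own scope, so it must hit
// the same ReferenceError instead of reading an uninitialized value.
class Base {
  constructor() {
    this.foo = "initialized by Base";
  }
}

class Derived extends Base {
  // Reads this.foo either before or after super(), directly or via eval,
  // and records what happened on the finished instance.
  constructor(viaEval, beforeSuper) {
    let outcome;
    if (beforeSuper) {
      try {
        outcome = viaEval ? eval("this.foo") : this.foo;
      } catch (e) {
        outcome = e.name; // expected: "ReferenceError" for both paths
      }
      super();
    } else {
      super();
      outcome = viaEval ? eval("this.foo") : this.foo;
    }
    this.outcome = outcome;
  }
}

function probeThisAccess(viaEval, beforeSuper) {
  return new Derived(viaEval, beforeSuper).outcome;
}

// All four combinations side by side, e.g. for a quick look in a REPL.
function probeAll() {
  return {
    directBeforeSuper: probeThisAccess(false, true),
    evalBeforeSuper: probeThisAccess(true, true),
    directAfterSuper: probeThisAccess(false, false),
    evalAfterSuper: probeThisAccess(true, false),
  };
}
```

The two "before super()" rows are the ones the bug was about: an engine that skips the TDZ check for the eval path returns whatever sits in the uninitialized `this` register instead of throwing.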
2732 2015-03-31  Commit Queue  <commit-queue@webkit.org>
2733
2734         Unreviewed, rolling out r182186.
2735         https://bugs.webkit.org/show_bug.cgi?id=143270
2736
2737         it crashes all the WebGL tests on the Debug bots (Requested by
2738         dino on #webkit).
2739
2740         Reverted changeset:
2741
2742         "Web Inspector: add 2D/WebGL canvas instrumentation
2743         infrastructure"
2744         https://bugs.webkit.org/show_bug.cgi?id=137278
2745         http://trac.webkit.org/changeset/182186
2746
2747 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2748
2749         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
2750         https://bugs.webkit.org/show_bug.cgi?id=142937
2751
2752         Reviewed by Darin Adler.
2753
2754         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
2755         In ES5 or prior, when a first parameter is not of object type, these functions raise TypeError.
2756         But now, several functions perform ToObject onto a non-object parameter.
2757         And others behave as if a parameter is a non-extensible ordinary object with no own properties.
2758         It is described in ES6 Annex E.
2759         The functions that differ from ES5 are the following.
2760
2761         1. An attempt is made to coerce the argument using ToObject.
2762             Object.getOwnPropertyDescriptor
2763             Object.getOwnPropertyNames
2764             Object.getPrototypeOf
2765             Object.keys
2766
2767         2. Treated as if it was a non-extensible ordinary object with no own properties.
2768             Object.freeze
2769             Object.isExtensible
2770             Object.isFrozen
2771             Object.isSealed
2772             Object.preventExtensions
2773             Object.seal
2774
2775         * runtime/ObjectConstructor.cpp:
2776         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2777         (JSC::objectConstructorGetPrototypeOf):
2778         (JSC::objectConstructorGetOwnPropertyDescriptor):
2779         (JSC::objectConstructorGetOwnPropertyNames):
2780         (JSC::objectConstructorKeys):
2781         (JSC::objectConstructorSeal):
2782         (JSC::objectConstructorFreeze):
2783         (JSC::objectConstructorPreventExtensions):
2784         (JSC::objectConstructorIsSealed):
2785         (JSC::objectConstructorIsFrozen):
2786         (JSC::objectConstructorIsExtensible):
2787         * tests/stress/object-freeze-accept-non-object.js: Added.
2788         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
2789         (canary):
2790         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
2791         (compare):
2792         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
2793         * tests/stress/object-is-extensible-accept-non-object.js: Added.
2794         * tests/stress/object-is-frozen-accept-non-object.js: Added.
2795         * tests/stress/object-is-sealed-accept-non-object.js: Added.
2796         * tests/stress/object-keys-perform-to-object.js: Added.
2797         (compare):
2798         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
2799         * tests/stress/object-seal-accept-non-object.js: Added.
2800
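The two Annex E groups from this entry, as an added example (not JSC code and not the stress tests listed above): each `Object.*` function is run on the same value and the outcome recorded, so the ToObject group and the "non-extensible object with no own properties" group can be compared side by side. It also covers null and undefined, where the groups differ too: ToObject throws a TypeError, while the second group returns the value unchanged and reports it as sealed and frozen. The probe function names are this example's own.

```javascript
// Added example (not JSC code): ES6 Annex E behaviour of Object.* on a
// primitive (or null/undefined) first argument.
function probeObjectFunctions(value) {
  const results = {};
  const run = (name, fn) => {
    try {
      results[name] = { threw: false, value: fn() };
    } catch (e) {
      results[name] = { threw: true, error: e.name };
    }
  };
  // Group 1: ToObject is applied first, so primitives act like their wrapper
  // objects, and null/undefined still throw TypeError.
  run("getOwnPropertyDescriptor", () => Object.getOwnPropertyDescriptor(value, "length"));
  run("getOwnPropertyNames", () => Object.getOwnPropertyNames(value));
  run("getPrototypeOf", () => Object.getPrototypeOf(value));
  run("keys", () => Object.keys(value));
  // Group 2: the argument is treated as a non-extensible ordinary object with
  // no own properties, so it is returned unchanged and reported as sealed/frozen.
  run("freeze", () => Object.freeze(value));
  run("isExtensible", () => Object.isExtensible(value));
  run("isFrozen", () => Object.isFrozen(value));
  run("isSealed", () => Object.isSealed(value));
  run("preventExtensions", () => Object.preventExtensions(value));
  run("seal", () => Object.seal(value));
  return results;
}

// Names of the calls that threw, in the order they were run.
function namesThatThrew(results) {
  return Object.keys(results).filter((name) => results[name].threw);
}
```

Under ES5 every one of these calls would have thrown for a string argument; under ES6 none does, and for `null` exactly the four ToObject functions throw.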
2801 2015-03-31  Matt Baker  <mattbaker@apple.com>
2802
2803         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
2804         https://bugs.webkit.org/show_bug.cgi?id=137278
2805
2806         Reviewed by Timothy Hatcher.
2807
2808         Added Canvas protocol which defines types used by InspectorCanvasAgent.
2809
2810         * CMakeLists.txt:
2811         * DerivedSources.make:
2812         * inspector/protocol/Canvas.json: Added.
2813
2814         * inspector/scripts/codegen/generator.py:
2815         (Generator.stylized_name_for_enum_value):
2816         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
2817
2818 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
2819
2820         Extending null should set __proto__ to null
2821         https://bugs.webkit.org/show_bug.cgi?id=142882
2822
2823         Reviewed by Geoffrey Garen and Benjamin Poulain.
2824
2825         Set Derived.prototype.__proto__ to null when extending null.
2826
2827         * bytecompiler/NodesCodegen.cpp:
2828         (JSC::ClassExprNode::emitBytecode):
2829
2830 2015-03-30  Mark Lam  <mark.lam@apple.com>
2831
2832         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
2833         <https://webkit.org/b/143105>
2834
2835         Reviewed by Filip Pizlo.
2836
2837         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
2838         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
2839         JIT frames that may have their scope register not set.  The Debugger's current implementation
2840         which relies on the scope register is not happy about this.  For example, this results in a
2841         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
2842
2843         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
2844         ensure that the scope register value is flushed to the register in the stack frame.
2845
2846         * dfg/DFGByteCodeParser.cpp:
2847         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2848         (JSC::DFG::ByteCodeParser::setLocal):
2849         (JSC::DFG::ByteCodeParser::flush):
2850         - Add code to flush the scope register.
2851         (JSC::DFG::ByteCodeParser::inliningCost):
2852         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
2853           disabling inlining whenever the debugger is in use.
2854         * dfg/DFGGraph.cpp:
2855         (JSC::DFG::Graph::Graph):
2856         * dfg/DFGGraph.h:
2857         (JSC::DFG::Graph::hasDebuggerEnabled):
2858         * dfg/DFGStackLayoutPhase.cpp:
2859         (JSC::DFG::StackLayoutPhase::run):
2860         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
2861         * ftl/FTLCompile.cpp:
2862         (JSC::FTL::mmAllocateDataSection):
2863         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
2864
2865 2015-03-30  Michael Saboff  <msaboff@apple.com>
2866
2867         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
2868         https://bugs.webkit.org/show_bug.cgi?id=138391
2869
2870         Reviewed by Mark Lam.
2871
2872         Re-enabling these tests as I can't get them to fail on local iOS test devices.
2873         There have been many changes since these tests were disabled.
2874         I'll watch automated test results for failures.  If there are failures running automated
2875         testing, it might be due to the device's relative CPU performance.
2876         
2877         * tests/stress/float32-repeat-out-of-bounds.js:
2878         * tests/stress/int8-repeat-out-of-bounds.js:
2879
2880 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
2881
2882         Web Inspector: Regression: Preview for [[null]] shouldn't be []
2883         https://bugs.webkit.org/show_bug.cgi?id=143208
2884
2885         Reviewed by Mark Lam.
2886
2887         * inspector/InjectedScriptSource.js:
2888         Handle null when generating simple object previews.
2889
2890 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
2891
2892         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
2893         https://bugs.webkit.org/show_bug.cgi?id=143134
2894
2895         Reviewed by Geoffrey Garen.
2896
2897         * jit/JSInterfaceJIT.h:
2898         * jit/Repatch.cpp:
2899         (JSC::tryCacheGetByID):
2900
2901 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
2902
2903         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
2904         https://bugs.webkit.org/show_bug.cgi?id=143104
2905
2906         Reviewed by Geoffrey Garen.
2907         
2908         Created a test that is a 100% repro of the flaky failure. This test is called
2909         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
2910         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
2911         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
2912         
2913         Also created three more tests for three similar, but not identical, failures.
2914         
2915         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
2916         only reading those parts of the stack that are relevant to the current semantic code origin.
2917         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
2918         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
2919         read parts of the stack associated with the inline call frame for the phantom arguments. This
2920         may not be subsumed by the current semantic origin's stack area in cases that the arguments
2921         were allowed to "locally" escape.
2922         
2923         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
2924         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
2925         the stack due to function.arguments, but there are a bunch of other ways that we could also
2926         read the stack and those operations may read any stack slot. I believe that this change makes
2927         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
2928         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
2929         readTop() in PreciseLocalClobberize does the right thing.
2930
2931         * dfg/DFGClobberize.h:
2932         (JSC::DFG::clobberize):
2933         * dfg/DFGPreciseLocalClobberize.h:
2934         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2935         * dfg/DFGPutStackSinkingPhase.cpp:
2936         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
2937         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
2938         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
2939         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
2940         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
2941
2942 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
2943
2944         Start the features.json files
2945         https://bugs.webkit.org/show_bug.cgi?id=143207
2946
2947         Reviewed by Darin Adler.
2948
2949         Start the features.json files to have something to experiment
2950         with for the UI.
2951
2952         * features.json: Added.
2953
2954 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2955
2956         [Win] Addressing post-review comment after r182122
2957         https://bugs.webkit.org/show_bug.cgi?id=143189
2958
2959         Unreviewed.
2960
2961 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2962
2963         [Win] Allow building JavaScriptCore without Cygwin
2964         https://bugs.webkit.org/show_bug.cgi?id=143189
2965
2966         Reviewed by Brent Fulgham.
2967
2968         Paths like /usr/bin/ don't exist on Windows.
2969         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
2970         Prefixing commands with environment variables doesn't work on Windows.
2971         Windows doesn't have 'cmp'.
2972         Windows uses 'del' instead of 'rm'.
2973         Windows uses 'type NUL' instead of 'touch'.
2974
2975         * DerivedSources.make:
2976         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2977         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2978         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
2979         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2980         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
2981         * JavaScriptCore.vcxproj/build-generated-files.pl:
2982         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
2983
2984 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
2985
2986         Clean up JavaScriptCore/builtins
2987         https://bugs.webkit.org/show_bug.cgi?id=143177
2988
2989         Reviewed by Ryosuke Niwa.
2990
2991         * builtins/ArrayConstructor.js:
2992         (from):
2993         - We can compare to undefined instead of using a typeof undefined check.
2994         - Converge on double quoted strings everywhere.
2995
2996         * builtins/ArrayIterator.prototype.js:
2997         (next):
2998         * builtins/StringIterator.prototype.js:
2999         (next):
3000         - Use shorthand object construction to avoid duplication.
3001         - Improve grammar in error messages.
3002
3003         * tests/stress/array-iterators-next-with-call.js:
3004         * tests/stress/string-iterators.js:
3005         - Update for new error message strings.
3006
3007 2015-03-28  Saam Barati  <saambarati1@gmail.com>
3008
3009         Web Inspector: ES6: Better support for Symbol types in Type Profiler
3010         https://bugs.webkit.org/show_bug.cgi?id=141257
3011
3012         Reviewed by Joseph Pecoraro.
3013
3014         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
3015         type profiler support this new primitive type.
3016
3017         * dfg/DFGFixupPhase.cpp:
3018         (JSC::DFG::FixupPhase::fixupNode):
3019         * inspector/protocol/Runtime.json:
3020         * runtime/RuntimeType.cpp:
3021         (JSC::runtimeTypeForValue):
3022         * runtime/RuntimeType.h:
3023         (JSC::runtimeTypeIsPrimitive):
3024         * runtime/TypeSet.cpp:
3025         (JSC::TypeSet::addTypeInformation):
3026         (JSC::TypeSet::dumpTypes):
3027         (JSC::TypeSet::doesTypeConformTo):
3028         (JSC::TypeSet::displayName):
3029         (JSC::TypeSet::inspectorTypeSet):
3030         (JSC::TypeSet::toJSONString):
3031         * runtime/TypeSet.h:
3032         (JSC::TypeSet::seenTypes):
3033         * tests/typeProfiler/driver/driver.js:
3034         * tests/typeProfiler/symbol.js: Added.
3035         (wrapper.foo):
3036         (wrapper.bar):
3037         (wrapper.bar.bar.baz):
3038         (wrapper):
3039
3040 2015-03-27  Saam Barati  <saambarati1@gmail.com>
3041
3042         Deconstruction parameters are bound too late
3043         https://bugs.webkit.org/show_bug.cgi?id=143148
3044
3045         Reviewed by Filip Pizlo.
3046
3047         Currently, a deconstruction pattern named with the same
3048         name as a function will shadow the function. This is
3049         wrong. It should be the other way around.
3050
3051         * bytecompiler/BytecodeGenerator.cpp:
3052         (JSC::BytecodeGenerator::generate):
3053
3054 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
3055
3056         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
3057         https://bugs.webkit.org/show_bug.cgi?id=143170
3058
3059         Reviewed by Benjamin Poulain.
3060
3061         Assert that we never use the 16-bit version of the parser to parse a default constructor
3062         since both base and derived default constructors should be using an 8-bit string.
3063
3064         * parser/Parser.h:
3065         (JSC::parse):
3066
3067 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
3068
3069         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
3070         https://bugs.webkit.org/show_bug.cgi?id=142862
3071
3072         Reviewed by Benjamin Poulain.
3073
3074         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
3075
3076         * tests/stress/class-syntax-derived-default-constructor.js: Added.
3077
3078 2015-03-27  Michael Saboff  <msaboff@apple.com>
3079
3080         load8Signed() and load16Signed() should be renamed to avoid confusion
3081         https://bugs.webkit.org/show_bug.cgi?id=143168
3082
3083         Reviewed by Benjamin Poulain.
3084
3085         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
3086
3087         * assembler/MacroAssemblerARM.h:
3088         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
3089         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
3090         (JSC::MacroAssemblerARM::load8Signed): Deleted.
3091         (JSC::MacroAssemblerARM::load16Signed): Deleted.
3092         * assembler/MacroAssemblerARM64.h:
3093         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
3094         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
3095         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
3096         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
3097         * assembler/MacroAssemblerARMv7.h:
3098         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
3099         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
3100         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
3101         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
3102         * assembler/MacroAssemblerMIPS.h:
3103         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
3104         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
3105         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
3106         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
3107         * assembler/MacroAssemblerSH4.h:
3108         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
3109         (JSC::MacroAssemblerSH4::load8):
3110         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
3111         (JSC::MacroAssemblerSH4::load16):
3112         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
3113         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
3114         * assembler/MacroAssemblerX86Common.h:
3115         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
3116         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
3117         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
3118         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
3119         * dfg/DFGSpeculativeJIT.cpp:
3120         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3121         * jit/JITPropertyAccess.cpp:
3122         (JSC::JIT::emitIntTypedArrayGetByVal):
3123
3124 2015-03-27  Michael Saboff  <msaboff@apple.com>
3125
3126         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
3127         https://bugs.webkit.org/show_bug.cgi?id=138390
3128
3129         Reviewed by Mark Lam.
3130
3131         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
3132         instead of 64 bits.  This is what X86-64 does.
3133
3134         * assembler/MacroAssemblerARM64.h:
3135         (JSC::MacroAssemblerARM64::load16Signed):
3136         (JSC::MacroAssemblerARM64::load8Signed):
3137
3138 2015-03-27  Saam Barati  <saambarati1@gmail.com>
3139
3140         Add back previously broken assert from bug 141869
3141         https://bugs.webkit.org/show_bug.cgi?id=143005
3142
3143         Reviewed by Michael Saboff.
3144
3145         * runtime/ExceptionHelpers.cpp:
3146         (JSC::invalidParameterInSourceAppender):
3147
3148 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3149
3150         Make some more objects use FastMalloc
3151         https://bugs.webkit.org/show_bug.cgi?id=143122
3152
3153         Reviewed by Csaba Osztrogonác.
3154
3155         * API/JSCallbackObject.h:
3156         * heap/IncrementalSweeper.h:
3157         * jit/JITThunks.h:
3158         * runtime/JSGlobalObjectDebuggable.h:
3159         * runtime/RegExpCache.h:
3160
3161 2015-03-27  Michael Saboff  <msaboff@apple.com>
3162
3163         Objects with numeric properties intermittently get a phantom 'length' property
3164         https://bugs.webkit.org/show_bug.cgi?id=142792
3165
3166         Reviewed by Csaba Osztrogonác.
3167
3168         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
3169         test and branch instructions.  This function is used for linking tbz/tbnz branches between
3170         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
3171         the failure case checks in the GetById array length stub created for "obj.length" access.
3172         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
3173         being set when we should have been looking for bit 0.
3174
3175         * assembler/ARM64Assembler.h:
3176         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
3177
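The decoding this entry fixes, as an added example (not JSC code): an encoder and decoder for the A64 test-and-branch instruction (TBZ/TBNZ), whose tested-bit number is split across the `b5` and `b40` fields, next to the slip the entry describes. The field layout is the architectural encoding; that the `>` stood in the extraction of the `b40` field is an inference from the description above (bit 0 read back as bit 1), not a quote of the JSC source, and the function names are this example's own.

```javascript
// Added example (not JSC code): decoding the A64 test-and-branch instruction.
// Field layout of TBZ/TBNZ:
//   b5 [31] | 011011 [30:25] | op [24] | b40 [23:19] | imm14 [18:5] | Rt [4:0]
// tested bit = b5:b40 (0..63); op = 0 for TBZ, 1 for TBNZ;
// branch offset in bytes = SignExtend(imm14) * 4.
const TEST_AND_BRANCH_MASK = 0x7e000000;
const TEST_AND_BRANCH_BITS = 0x36000000;

// Builds the 32-bit instruction word (returned unsigned via >>> 0).
function encodeTestAndBranch(isTbnz, bitNumber, offsetBytes, rt) {
  const imm14 = (offsetBytes / 4) & 0x3fff;
  const word =
    (((bitNumber >> 5) & 1) << 31) |
    TEST_AND_BRANCH_BITS |
    ((isTbnz ? 1 : 0) << 24) |
    ((bitNumber & 0x1f) << 19) |
    (imm14 << 5) |
    (rt & 0x1f);
  return word >>> 0;
}

// Correct decoder: every field is isolated with a shift and a mask.
// Returns null if the word is not a test-and-branch instruction.
function decodeTestAndBranch(insn) {
  if ((insn & TEST_AND_BRANCH_MASK) !== TEST_AND_BRANCH_BITS)
    return null;
  return {
    isTbnz: ((insn >>> 24) & 1) === 1,
    bitNumber: ((insn >>> 26) & 0x20) | ((insn >>> 19) & 0x1f),
    // Sign-extend imm14: move bit 18 up to bit 31, then arithmetic-shift back.
    offsetBytes: ((insn << 13) >> 18) * 4,
    rt: insn & 0x1f,
  };
}

// The slip described above, reproduced for contrast (its exact location in
// JSC is an assumption here): '>' where '>>' was meant on the b40 field. The
// comparison yields 0 or 1, so the low five bits of the tested-bit number
// collapse to "is the signed instruction word greater than 19?", and a TBZ on
// bit 0 reads back as a TBZ on bit 1.
function buggyBitNumber(insn) {
  const signedInsn = insn | 0; // the word as a signed 32-bit value
  return ((insn >>> 26) & 0x20) | ((signedInsn > 19 ? 1 : 0) & 0x1f);
}

// A TBZ x3, #0 jumping 32 bytes backwards: a failure-case branch at a negative
// offset, as in the GetById length stub the entry mentions.
function demo() {
  const word = encodeTestAndBranch(false, 0, -32, 3);
  return { word: word.toString(16), decoded: decodeTestAndBranch(word), buggy: buggyBitNumber(word) };
}
```

Re-linking a branch means decoding the old word, keeping the tested bit and register, and re-encoding with the new offset; with the buggy extraction the re-linked instruction silently tests a different bit, which is exactly the kind of corruption that shows up as a "phantom" property rather than a crash.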
3178 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3179
3180         Insert exception check around toPropertyKey call
3181         https://bugs.webkit.org/show_bug.cgi?id=142922
3182
3183         Reviewed by Geoffrey Garen.
3184
3185         In some places, an exception check is missing after/before toPropertyKey.
3186         However, since it calls toString, it's observable to users.
3187
3188         Missing exception checks in Object.prototype methods can be
3189         observed since they would be overridden with toObject(null/undefined) errors.
3190         We inserted exception checks after toPropertyKey.
3191
3192         Missing exception checks in GetById related code can be
3193         observed since they would be overridden with toObject(null/undefined) errors.
3194         In this case, we need to insert exception checks before/after toPropertyKey
3195         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
3196
3197         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
3198         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
3199         According to the spec, we first perform RequireObjectCoercible and check the exception.
3200         And second, we perform ToPropertyKey and check the exception.
3201         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
3202         For example, if the target is not object coercible,
3203         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
3204         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
3205
3206         This patch introduces JSValue::requireObjectCoercible and use it because of the following 2 reasons.
3207
3208         1. Using toObject instead of requireObjectCoercible produces an unnecessary wrapper object.
3209
3210         toObject converts primitive types into wrapper objects.
3211         But it is not efficient since wrapper objects are not necessary
3212         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
3213
3214         2. Using the result of toObject is not correct to the spec.
3215
3216         To align to the spec correctly, we cannot use JSObject::get
3217         by using the wrapper object produced by the toObject suggested in (1).
3218         If we use the JSObject that is converted by toObject, the getter will be called by using this JSObject as |this|.
3219         It is not correct since the getter should be called with the original |this| value that may be primitive types.
3220
3221         So in this patch, we use JSValue::requireObjectCoercible
3222         to check the target is object coercible and raise an error if it's not.
3223
3224         * dfg/DFGOperations.cpp:
3225         * jit/JITOperations.cpp:
3226         (JSC::getByVal):
3227         * llint/LLIntSlowPaths.cpp:
3228         (JSC::LLInt::getByVal):
3229         * runtime/CommonSlowPaths.cpp:
3230         (JSC::SLOW_PATH_DECL):
3231         * runtime/JSCJSValue.h:
3232         * runtime/JSCJSValueInlines.h:
3233         (JSC::JSValue::requireObjectCoercible):
3234         * runtime/ObjectPrototype.cpp:
3235         (JSC::objectProtoFuncHasOwnProperty):
3236         (JSC::objectProtoFuncDefineGetter):
3237         (JSC::objectProtoFuncDefineSetter):
3238         (JSC::objectProtoFuncLookupGetter):
3239         (JSC::objectProtoFuncLookupSetter):
3240         (JSC::objectProtoFuncPropertyIsEnumerable):
3241         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
3242         (shouldThrow):
3243         (if):
3244         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
3245         (shouldThrow):
3246         (.):
3247
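The observable ordering this entry is about, as an added example (not JSC code and not the stress tests listed above): a property key whose `toString` logs each call and can be made to throw is used as the probe, so the error type and the call count together reveal which step ran first. For `base[key]` the spec runs RequireObjectCoercible on the base before ToPropertyKey on the key; for `Object.prototype.hasOwnProperty` it runs ToPropertyKey first and ToObject on the receiver second, so a throwing `toString` must win over the later TypeError there. The helper names are this example's own.

```javascript
// Added example (not JSC code): making the order of RequireObjectCoercible /
// ToObject against ToPropertyKey observable through a key with side effects.
function makeSpyKey(log, shouldThrow) {
  return {
    toString() {
      log.push("toString");
      if (shouldThrow)
        throw new Error("toString side effect");
      return "foo";
    },
  };
}

// base[key]: RequireObjectCoercible(base) comes first, so with a null base the
// result must be a TypeError and toString must not run at all. With a coercible
// base, ToPropertyKey runs and a throwing toString propagates.
function probeGetByVal(base, shouldThrow) {
  const log = [];
  const key = makeSpyKey(log, shouldThrow);
  const outcome = {};
  try {
    outcome.value = base[key];
  } catch (e) {
    outcome.error = e.name;
  }
  outcome.toStringCalls = log.length;
  return outcome;
}

// Object.prototype.hasOwnProperty(V): ToPropertyKey(V) is specified before
// ToObject(this), so toString runs once even for a null receiver, and a
// throwing toString is the error the caller sees, not the TypeError.
function probeHasOwnProperty(base, shouldThrow) {
  const log = [];
  const key = makeSpyKey(log, shouldThrow);
  const outcome = {};
  try {
    outcome.value = Object.prototype.hasOwnProperty.call(base, key);
  } catch (e) {
    outcome.error = e.name;
  }
  outcome.toStringCalls = log.length;
  return outcome;
}
```

An engine that forgets the exception check after ToPropertyKey keeps going into ToObject and reports the wrong error; one that converts the key before checking the base runs user code (`toString`) that the spec says must never execute for a null base. Both are visible from script, which is why this kind of ordering bug is worth a regression test.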
3248 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
3249
3250         WebContent Crash when instantiating class with Type Profiling enabled
3251         https://bugs.webkit.org/show_bug.cgi?id=143037
3252
3253         Reviewed by Ryosuke Niwa.
3254
3255         * bytecompiler/BytecodeGenerator.h:
3256         * bytecompiler/BytecodeGenerator.cpp:
3257         (JSC::BytecodeGenerator::BytecodeGenerator):
3258         (JSC::BytecodeGenerator::emitMoveEmptyValue):
3259         We cannot profile the type of an uninitialized empty JSValue.
3260         Nor do we expect this to be necessary, since it is effectively
3261         an unseen undefined value. So add a way to put the empty value
3262         without profiling.
3263
3264         (JSC::BytecodeGenerator::emitMove):
3265         Add an assert to try to catch this issue early on, and force
3266         callers to explicitly use emitMoveEmptyValue instead.
3267
3268         * tests/typeProfiler/classes.js: Added.
3269         (wrapper.Base):
3270         (wrapper.Derived):
3271         (wrapper):
3272         Add test coverage both for this case and classes in general.
3273
3274 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
3275
3276         Web Inspector: ES6: Provide a better view for Classes in the console
3277         https://bugs.webkit.org/show_bug.cgi?id=142999
3278
3279         Reviewed by Timothy Hatcher.
3280
3281         * inspector/protocol/Runtime.json:
3282         Provide a new `subtype` enum "class". This is a subtype of `type`
3283         "function", all other subtypes are subtypes of `object` types.
3284         For a class, the frontend will immediately want to get the prototype
3285         to enumerate its methods, so include the `classPrototype`.
3286
3287         * inspector/JSInjectedScriptHost.cpp:
3288         (Inspector::JSInjectedScriptHost::subtype):
3289         Denote class construction functions as "class" subtypes.
3290
3291         * inspector/InjectedScriptSource.js:
3292         Handling for the new "class" type.
3293
3294         * bytecode/UnlinkedCodeBlock.h:
3295         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
3296         * runtime/Executable.h:
3297         (JSC::FunctionExecutable::isClassConstructorFunction):
3298         * runtime/JSFunction.h:
3299         * runtime/JSFunctionInlines.h:
3300         (JSC::JSFunction::isClassConstructorFunction):
3301         Check if this function is a class constructor function. That information
3302         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
3303
3304 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3305
3306         Function.prototype.toString should not decompile the AST
3307         https://bugs.webkit.org/show_bug.cgi?id=142853
3308
3309         Reviewed by Darin Adler.
3310
3311         Following up on Darin's review comments.
3312
3313         * runtime/FunctionConstructor.cpp:
3314         (JSC::constructFunctionSkippingEvalEnabledCheck):
3315
3316 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3317
3318         "lineNo" does not match WebKit coding style guidelines
3319         https://bugs.webkit.org/show_bug.cgi?id=143119
3320
3321         Reviewed by Michael Saboff.
3322
3323         We can afford to use whole words.
3324
3325         * bytecode/CodeBlock.cpp:
3326         (JSC::CodeBlock::lineNumberForBytecodeOffset):
3327         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
3328         * bytecode/UnlinkedCodeBlock.cpp:
3329         (JSC::UnlinkedFunctionExecutable::link):
3330         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
3331         * bytecode/UnlinkedCodeBlock.h:
3332         * bytecompiler/NodesCodegen.cpp:
3333         (JSC::WhileNode::emitBytecode):
3334         * debugger/Debugger.cpp:
3335         (JSC::Debugger::toggleBreakpoint):
3336         * interpreter/Interpreter.cpp:
3337         (JSC::StackFrame::computeLineAndColumn):
3338         (JSC::GetStackTraceFunctor::operator()):
3339         (JSC::Interpreter::execute):
3340         * interpreter/StackVisitor.cpp:
3341         (JSC::StackVisitor::Frame::computeLineAndColumn):