bce72e6b36900622b60d81305fef6bc1989a86ab
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
2
3         JSArray::sortNumeric should handle ArrayWithUndecided
4         https://bugs.webkit.org/show_bug.cgi?id=143535
5
6         Reviewed by Geoffrey Garen.
7         
8         ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.
9
10         * runtime/JSArray.cpp:
11         (JSC::JSArray::sortNumeric):
12         * tests/stress/sort-array-with-undecided.js: Added.
13
14 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
15
16         DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
17         https://bugs.webkit.org/show_bug.cgi?id=143532
18
19         Reviewed by Gavin Barraclough.
20         
21         Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
22         But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
23         would think that there never was wrap-around.
24         
25         This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.
26
27         * dfg/DFGIntegerCheckCombiningPhase.cpp:
28         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
29
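As an added example, not code from the ChangeLog entry above or from DFGIntegerCheckCombiningPhase.cpp (the entry names the file but reproduces none of its code), this shows the general shape of the bug the entry describes and three defined ways to test for int32 wrap-around. The function names are assumptions made for the example.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>

// Hypothetical helpers (not JSC's): each answers "does base + offset leave the
// int32 range?", the question a bounds-check combiner must settle before it
// merges two checks.
//
// The pattern to avoid looks like `offset > 0 && base + offset < base`.
// Signed overflow is undefined behaviour in C++, so an optimising compiler is
// entitled to assume `base + offset` never wraps and fold the comparison to
// `false`, i.e. the wrap-around check silently vanishes from the optimised
// binary. It is deliberately not defined here, only the defined forms are.

// Defined alternative 1: compare against the limits instead of adding.
bool wrapsViaRangeCheck(int32_t base, int32_t offset)
{
    if (offset > 0)
        return base > std::numeric_limits<int32_t>::max() - offset;
    if (offset < 0)
        return base < std::numeric_limits<int32_t>::min() - offset;
    return false;
}

// Defined alternative 2: add in uint32_t, where wrap-around is defined
// (modulo 2^32), then look at the sign of the result. The uint32_t -> int32_t
// conversion is implementation-defined before C++20 and two's complement on
// every platform WebKit builds for.
bool wrapsViaUnsigned(int32_t base, int32_t offset)
{
    uint32_t sum = static_cast<uint32_t>(base) + static_cast<uint32_t>(offset);
    int32_t signedSum = static_cast<int32_t>(sum);
    return (offset > 0 && signedSum < base) || (offset < 0 && signedSum > base);
}

// Defined alternative 3: the GCC/Clang builtin reports overflow without ever
// evaluating a UB expression. Other compilers fall back to the range check.
bool wrapsViaBuiltin(int32_t base, int32_t offset)
{
#if defined(__GNUC__) || defined(__clang__)
    int32_t result;
    return __builtin_add_overflow(base, offset, &result);
#else
    return wrapsViaRangeCheck(base, offset);
#endif
}

int main()
{
    const int32_t maxInt = std::numeric_limits<int32_t>::max();
    std::cout << "INT32_MAX + 1 wraps (range check): " << wrapsViaRangeCheck(maxInt, 1) << '\n';
    std::cout << "INT32_MAX + 1 wraps (unsigned):    " << wrapsViaUnsigned(maxInt, 1) << '\n';
    std::cout << "INT32_MAX + 1 wraps (builtin):     " << wrapsViaBuiltin(maxInt, 1) << '\n';
    std::cout << "100 + (-200) wraps:                " << wrapsViaRangeCheck(100, -200) << '\n';
    return 0;
}
```

The point for a reviewer is that the UB form passes at -O0 and in a debugger and only misbehaves once the optimiser runs, which is exactly the situation the entry describes with a newer clang. Building the test binary with `-fsanitize=undefined` reports the signed-overflow form at runtime, which is a cheap way to find the same latent class of check elsewhere.
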
30 2015-04-07  Michael Saboff  <msaboff@apple.com>
31
32         Lazily initialize LogToSystemConsole flag to reduce memory usage
33         https://bugs.webkit.org/show_bug.cgi?id=143506
34
35         Reviewed by Mark Lam.
36
37         Only call into CF preferences code when we need to in order to reduce memory usage.
38
39         * inspector/JSGlobalObjectConsoleClient.cpp:
40         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
41         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
42         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
43         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
44
45 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
46
47         Get the features.json files ready for open contributions
48         https://bugs.webkit.org/show_bug.cgi?id=143436
49
50         Reviewed by Darin Adler.
51
52         * features.json:
53
54 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
55
56         Constant folding of typed array properties should be handled by AI rather than strength reduction
57         https://bugs.webkit.org/show_bug.cgi?id=143496
58
59         Reviewed by Geoffrey Garen.
60         
61         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
62         phase and whatever other phase did the folding in order to find all constants.
63         
64         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
65         directly.
66         
67         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
68         found because all of the tests for it involved the property getting constant folded. I found that
69         the codegen was bad because an earlier version of the patch broke that constant folding. This
70         adds a new test for that node type, which makes constant folding impossible by allocating a new
71         typed array every time. The lesson here is: if you write a test for something, run the test with
72         full IR dumps to make sure it's actually testing the thing you want it to test.
73
74         * dfg/DFGAbstractInterpreterInlines.h:
75         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
76         * dfg/DFGClobberize.h:
77         (JSC::DFG::clobberize):
78         * dfg/DFGConstantFoldingPhase.cpp:
79         (JSC::DFG::ConstantFoldingPhase::foldConstants):
80         * dfg/DFGDoesGC.cpp:
81         (JSC::DFG::doesGC):
82         * dfg/DFGFixupPhase.cpp:
83         (JSC::DFG::FixupPhase::fixupNode):
84         * dfg/DFGGraph.cpp:
85         (JSC::DFG::Graph::dump):
86         (JSC::DFG::Graph::tryGetFoldableView):
87         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
88         * dfg/DFGGraph.h:
89         * dfg/DFGNode.h:
90         (JSC::DFG::Node::hasTypedArray): Deleted.
91         (JSC::DFG::Node::typedArray): Deleted.
92         * dfg/DFGNodeType.h:
93         * dfg/DFGPredictionPropagationPhase.cpp:
94         (JSC::DFG::PredictionPropagationPhase::propagate):
95         * dfg/DFGSafeToExecute.h:
96         (JSC::DFG::safeToExecute):
97         * dfg/DFGSpeculativeJIT.cpp:
98         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
99         * dfg/DFGSpeculativeJIT32_64.cpp:
100         (JSC::DFG::SpeculativeJIT::compile):
101         * dfg/DFGSpeculativeJIT64.cpp:
102         (JSC::DFG::SpeculativeJIT::compile):
103         * dfg/DFGStrengthReductionPhase.cpp:
104         (JSC::DFG::StrengthReductionPhase::handleNode):
105         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
106         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
107         * dfg/DFGWatchpointCollectionPhase.cpp:
108         (JSC::DFG::WatchpointCollectionPhase::handle):
109         (JSC::DFG::WatchpointCollectionPhase::addLazily):
110         * ftl/FTLCapabilities.cpp:
111         (JSC::FTL::canCompile):
112         * ftl/FTLLowerDFGToLLVM.cpp:
113         (JSC::FTL::LowerDFGToLLVM::compileNode):
114         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
115         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
116         * tests/stress/fold-typed-array-properties.js:
117         (foo):
118         * tests/stress/typed-array-byte-offset.js: Added.
119         (foo):
120
121 2015-04-07  Matthew Mirman  <mmirman@apple.com>
122
123         Source and stack information should get appended only to native errors
124         and should be added directly after construction rather than when thrown. 
125         This fixes frozen objects being unfrozen when thrown while conforming to 
126         ECMAScript standard and other browser behavior.
127         rdar://problem/19927293
128         https://bugs.webkit.org/show_bug.cgi?id=141871
129         
130         Reviewed by Geoffrey Garen.
131
132         Appending stack, source, line, and column information to an object whenever that object is thrown 
133         is incorrect because it violates the ECMAScript standard for the behavior of throw.  Suppose for example
134         that the object being thrown already has one of these properties or is frozen.  Adding the properties 
135         would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
136         and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
137         a control flow construct rather than just an error reporting mechanism.  
138         
139         Because WebCore adds "native" errors which do not inherit from any JSC native error, 
140         appending the error properties as a separate call after construction of the error is required 
141         to avoid having to manually truncate the stack and gather local source information due to 
142         the stack being extended by a nested call to construct one of the native JSC errors.
143         
144         * interpreter/Interpreter.cpp:
145         (JSC::Interpreter::execute):
146         * interpreter/Interpreter.h:
147         * parser/ParserError.h:
148         (JSC::ParserError::toErrorObject):
149         * runtime/CommonIdentifiers.h:
150         * runtime/Error.cpp:
151         (JSC::createError):
152         (JSC::createEvalError):
153         (JSC::createRangeError):
154         (JSC::createReferenceError):
155         (JSC::createSyntaxError):
156         (JSC::createTypeError):
157         (JSC::createNotEnoughArgumentsError):
158         (JSC::createURIError):
159         (JSC::createOutOfMemoryError):
160         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
161         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
162         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
163         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
164         (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
165         (JSC::addErrorInfo): Added special case for appending complete error info 
166         to a newly constructed error object.
167         * runtime/Error.h:
168         * runtime/ErrorConstructor.cpp:
169         (JSC::Interpreter::constructWithErrorConstructor):
170         (JSC::Interpreter::callErrorConstructor):
171         * runtime/ErrorInstance.cpp:
172         (JSC::appendSourceToError): Moved from VM.cpp
173         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
174         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
175         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
176         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
177         (JSC::addErrorInfoAndGetBytecodeOffset):
178         (JSC::ErrorInstance::finishCreation):
179         * runtime/ErrorInstance.h:
180         (JSC::ErrorInstance::create):
181         * runtime/ErrorPrototype.cpp:
182         (JSC::ErrorPrototype::finishCreation):
183         * runtime/ExceptionFuzz.cpp:
184         (JSC::doExceptionFuzzing):
185         * runtime/ExceptionHelpers.cpp:
186         (JSC::createError):
187         (JSC::createInvalidFunctionApplyParameterError):
188         (JSC::createInvalidInParameterError):
189         (JSC::createInvalidInstanceofParameterError):
190         (JSC::createNotAConstructorError):
191         (JSC::createNotAFunctionError):
192         (JSC::createNotAnObjectError):
193         (JSC::throwOutOfMemoryError):
194         (JSC::createStackOverflowError): Deleted.
195         (JSC::createOutOfMemoryError): Deleted.
196         * runtime/ExceptionHelpers.h:
197         * runtime/JSArrayBufferConstructor.cpp:
198         (JSC::constructArrayBuffer):
199         * runtime/JSArrayBufferPrototype.cpp:
200         (JSC::arrayBufferProtoFuncSlice):
201         * runtime/JSGenericTypedArrayViewInlines.h:
202         (JSC::JSGenericTypedArrayView<Adaptor>::create):
203         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
204         * runtime/NativeErrorConstructor.cpp:
205         (JSC::Interpreter::constructWithNativeErrorConstructor):
206         (JSC::Interpreter::callNativeErrorConstructor):
207         * runtime/VM.cpp:
208         (JSC::VM::throwException):
209         (JSC::appendSourceToError): Moved to Error.cpp
210         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
211         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
212         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
213         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
214         * tests/stress/freeze_leek.js: Added.
215
216 2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>
217
218         Web Inspector: ES6: Show Symbol properties on Objects
219         https://bugs.webkit.org/show_bug.cgi?id=141279
220
221         Reviewed by Timothy Hatcher.
222
223         * inspector/protocol/Runtime.json:
224         Give PropertyDescriptor a reference to the Symbol RemoteObject
225         if the property is a symbol property.
226
227         * inspector/InjectedScriptSource.js:
228         Enumerate symbol properties on objects.
229
230 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
231
232         Make it possible to enable LLVM FastISel
233         https://bugs.webkit.org/show_bug.cgi?id=143489
234
235         Reviewed by Michael Saboff.
236
237         The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
238         against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
239         if we should enable it.
240
241         * ftl/FTLCompile.cpp:
242         (JSC::FTL::mmAllocateDataSection):
243         * llvm/InitializeLLVM.cpp:
244         (JSC::initializeLLVMImpl):
245         * llvm/InitializeLLVM.h:
246         * llvm/InitializeLLVMLinux.cpp:
247         (JSC::getLLVMInitializerFunction):
248         (JSC::initializeLLVMImpl): Deleted.
249         * llvm/InitializeLLVMMac.cpp:
250         (JSC::getLLVMInitializerFunction):
251         (JSC::initializeLLVMImpl): Deleted.
252         * llvm/InitializeLLVMPOSIX.cpp:
253         (JSC::getLLVMInitializerFunctionPOSIX):
254         (JSC::initializeLLVMPOSIX): Deleted.
255         * llvm/InitializeLLVMPOSIX.h:
256         * llvm/InitializeLLVMWin.cpp:
257         (JSC::getLLVMInitializerFunction):
258         (JSC::initializeLLVMImpl): Deleted.
259         * llvm/LLVMAPI.cpp:
260         * llvm/LLVMAPI.h:
261         * llvm/library/LLVMExports.cpp:
262         (initCommandLine):
263         (initializeAndGetJSCLLVMAPI):
264         * runtime/Options.cpp:
265         (JSC::Options::initialize):
266
267 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
268
269         put_by_val_direct needs to check whether the property is an index or not for using putDirect / putDirectIndex
270         https://bugs.webkit.org/show_bug.cgi?id=140426
271
272         Reviewed by Darin Adler.
273
274         In the put_by_val_direct operation, we use JSObject::putDirect.
275         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
276         This patch checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
277
278         * dfg/DFGOperations.cpp:
279         (JSC::DFG::putByVal):
280         (JSC::DFG::operationPutByValInternal):
281         * jit/JITOperations.cpp:
282         * llint/LLIntSlowPaths.cpp:
283         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
284         * runtime/Identifier.h:
285         (JSC::isIndex):
286         (JSC::parseIndex):
287         * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
288         (lookupWithKey):
289         (toStringThrowsError.toString):
290
291 2015-04-06  Alberto Garcia  <berto@igalia.com>
292
293         [GTK] Fix HPPA build
294         https://bugs.webkit.org/show_bug.cgi?id=143453
295
296         Reviewed by Darin Adler.
297
298         Add HPPA to the list of supported CPUs.
299
300         * CMakeLists.txt:
301
302 2015-04-06  Mark Lam  <mark.lam@apple.com>
303
304         In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
305         <https://webkit.org/b/143396>
306
307         Reviewed by Filip Pizlo.
308
309         The DFG was neglecting to set the result boolean.  The FTL was setting it with
310         an inverted value.  Both of these are now resolved.
311
312         * dfg/DFGSpeculativeJIT64.cpp:
313         (JSC::DFG::SpeculativeJIT::compile):
314         * ftl/FTLLowerDFGToLLVM.cpp:
315         (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
316         * tests/stress/for-in-array-mode.js: Added.
317         (.):
318         (test):
319
320 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
321
322         [ES6] DFG and FTL should be aware that StringConstructor behavior for symbols becomes different from ToString
323         https://bugs.webkit.org/show_bug.cgi?id=143424
324
325         Reviewed by Geoffrey Garen.
326
327         In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).
328
329         ToString(symbol) throws a type error.
330         However, String(symbol) produces SymbolDescriptiveString(symbol).
331
332         So, in DFG and FTL phase, they should not inline StringConstructor to ToString.
333
334         Now, in the template literals patch, ToString DFG operation is planned to be used.
335         And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
336         So instead of changing ToString behavior, this patch adds a CallStringConstructor operation into DFG and FTL.
337         In CallStringConstructor, all behavior in DFG analysis is the same.
338         The only difference from ToString is that, when calling DFG operation functions, it calls
339         operationCallStringConstructorOnCell and operationCallStringConstructor instead of
340         operationToStringOnCell and operationToString.
341
342         * dfg/DFGAbstractInterpreterInlines.h:
343         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
344         * dfg/DFGBackwardsPropagationPhase.cpp:
345         (JSC::DFG::BackwardsPropagationPhase::propagate):
346         * dfg/DFGByteCodeParser.cpp:
347         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
348         * dfg/DFGClobberize.h:
349         (JSC::DFG::clobberize):
350         * dfg/DFGDoesGC.cpp:
351         (JSC::DFG::doesGC):
352         * dfg/DFGFixupPhase.cpp:
353         (JSC::DFG::FixupPhase::fixupNode):
354         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
355         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
356         (JSC::DFG::FixupPhase::fixupToString): Deleted.
357         * dfg/DFGNodeType.h:
358         * dfg/DFGOperations.cpp:
359         * dfg/DFGOperations.h:
360         * dfg/DFGPredictionPropagationPhase.cpp:
361         (JSC::DFG::PredictionPropagationPhase::propagate):
362         * dfg/DFGSafeToExecute.h:
363         (JSC::DFG::safeToExecute):
364         * dfg/DFGSpeculativeJIT.cpp:
365         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
366         (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
367         * dfg/DFGSpeculativeJIT.h:
368         * dfg/DFGSpeculativeJIT32_64.cpp:
369         (JSC::DFG::SpeculativeJIT::compile):
370         * dfg/DFGSpeculativeJIT64.cpp:
371         (JSC::DFG::SpeculativeJIT::compile):
372         * dfg/DFGStructureRegistrationPhase.cpp:
373         (JSC::DFG::StructureRegistrationPhase::run):
374         * ftl/FTLCapabilities.cpp:
375         (JSC::FTL::canCompile):
376         * ftl/FTLLowerDFGToLLVM.cpp:
377         (JSC::FTL::LowerDFGToLLVM::compileNode):
378         (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
379         (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
380         * runtime/StringConstructor.cpp:
381         (JSC::stringConstructor):
382         (JSC::callStringConstructor):
383         * runtime/StringConstructor.h:
384         * tests/stress/symbol-and-string-constructor.js: Added.
385         (performString):
386
387 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
388
389         Return Optional<uint32_t> from PropertyName::asIndex
390         https://bugs.webkit.org/show_bug.cgi?id=143422
391
392         Reviewed by Darin Adler.
393
394         PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
395         But it's not obvious to callers.
396
397         This patch changes
398         1. PropertyName::asIndex() to return Optional<uint32_t> and
399         2. function name `asIndex()` to `parseIndex()`.
400         It forces callers to check explicitly whether the value is an index or not.
401
402         * bytecode/GetByIdStatus.cpp:
403         (JSC::GetByIdStatus::computeFor):
404         * bytecode/PutByIdStatus.cpp:
405         (JSC::PutByIdStatus::computeFor):
406         * bytecompiler/BytecodeGenerator.cpp:
407         (JSC::BytecodeGenerator::emitDirectPutById):
408         * jit/Repatch.cpp:
409         (JSC::emitPutTransitionStubAndGetOldStructure):
410         * jsc.cpp:
411         * runtime/ArrayPrototype.cpp:
412         (JSC::arrayProtoFuncSort):
413         * runtime/GenericArgumentsInlines.h:
414         (JSC::GenericArguments<Type>::getOwnPropertySlot):
415         (JSC::GenericArguments<Type>::put):
416         (JSC::GenericArguments<Type>::deleteProperty):
417         (JSC::GenericArguments<Type>::defineOwnProperty):
418         * runtime/Identifier.h:
419         (JSC::parseIndex):
420         (JSC::Identifier::isSymbol):
421         * runtime/JSArray.cpp:
422         (JSC::JSArray::defineOwnProperty):
423         * runtime/JSCJSValue.cpp:
424         (JSC::JSValue::putToPrimitive):
425         * runtime/JSGenericTypedArrayViewInlines.h:
426         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
427         (JSC::JSGenericTypedArrayView<Adaptor>::put):
428         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
429         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
430         * runtime/JSObject.cpp:
431         (JSC::JSObject::put):
432         (JSC::JSObject::putDirectAccessor):
433         (JSC::JSObject::putDirectCustomAccessor):
434         (JSC::JSObject::deleteProperty):
435         (JSC::JSObject::putDirectMayBeIndex):
436         (JSC::JSObject::defineOwnProperty):
437         * runtime/JSObject.h:
438         (JSC::JSObject::getOwnPropertySlot):
439         (JSC::JSObject::getPropertySlot):
440         (JSC::JSObject::putDirectInternal):
441         * runtime/JSString.cpp:
442         (JSC::JSString::getStringPropertyDescriptor):
443         * runtime/JSString.h:
444         (JSC::JSString::getStringPropertySlot):
445         * runtime/LiteralParser.cpp:
446         (JSC::LiteralParser<CharType>::parse):
447         * runtime/PropertyName.h:
448         (JSC::parseIndex):
449         (JSC::toUInt32FromCharacters): Deleted.
450         (JSC::toUInt32FromStringImpl): Deleted.
451         (JSC::PropertyName::asIndex): Deleted.
452         * runtime/PropertyNameArray.cpp:
453         (JSC::PropertyNameArray::add):
454         * runtime/StringObject.cpp:
455         (JSC::StringObject::deleteProperty):
456         * runtime/Structure.cpp:
457         (JSC::Structure::prototypeChainMayInterceptStoreTo):
458
459 2015-04-05  Andreas Kling  <akling@apple.com>
460
461         URI encoding/escaping should use efficient string building instead of calling snprintf().
462         <https://webkit.org/b/143426>
463
464         Reviewed by Gavin Barraclough.
465
466         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
467         which seemed pretty silly. This change gets that down to nothing in favor of using our
468         existing JSStringBuilder and HexNumber.h facilities.
469
470         These APIs are well-exercised by our existing test suite.
471
472         * runtime/JSGlobalObjectFunctions.cpp:
473         (JSC::encode):
474         (JSC::globalFuncEscape):
475
476 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
477
478         documentation for ES Promises points to the wrong one
479         https://bugs.webkit.org/show_bug.cgi?id=143263
480
481         Reviewed by Darin Adler.
482
483         * features.json:
484
485 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
486
487         Remove "go ahead and" from comments
488         https://bugs.webkit.org/show_bug.cgi?id=143421
489
490         Reviewed by Darin Adler, Benjamin Poulain.
491
492         Remove the phrase "go ahead and" from comments where it doesn't add
493         anything (which is almost all of them).
494
495         * interpreter/JSStack.cpp:
496         (JSC::JSStack::growSlowCase):
497
498 2015-04-04  Andreas Kling  <akling@apple.com>
499
500         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
501         <https://webkit.org/b/143210>
502
503         Reviewed by Geoffrey Garen.
504
505         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
506         we had a little problem where WeakBlocks with only null pointers would still keep their
507         MarkedBlock alive.
508
509         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
510         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
511         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
512         destroying them once they're fully dead.
513
514         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
515         a mysterious issue where doing two full garbage collections back-to-back would free additional
516         memory in the second collection.
517
518         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
519         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
520         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
521
522         * heap/Heap.h:
523         * heap/Heap.cpp:
524         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
525         owned by Heap, after everything else has been swept.
526
527         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
528         after a full garbage collection ends. Note that we don't do this after Eden collections, since
529         they are unlikely to cause entire WeakBlocks to go empty.
530
531         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
532         to the Heap when it's detached from a WeakSet.
533
534         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
535         of the logically empty WeakBlocks owned by Heap.
536
537         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
538         and updates the next-logically-empty-weak-block-to-sweep index.
539
540         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
541         won't be another chance after this.
542
543         * heap/IncrementalSweeper.h:
544         (JSC::IncrementalSweeper::hasWork): Deleted.
545
546         * heap/IncrementalSweeper.cpp:
547         (JSC::IncrementalSweeper::fullSweep):
548         (JSC::IncrementalSweeper::doSweep):
549         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
550         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
551         changed to return a bool (true if there's more work to be done.)
552
553         * heap/WeakBlock.cpp:
554         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
555         contain any pointers to live objects. The answer is stored in a new SweepResult member.
556
557         * heap/WeakBlock.h:
558         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
559         if the WeakBlock could be detached from the MarkedBlock.
560
561         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
562         when declaring them.
563
564 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
565
566         Implement ES6 Object.getOwnPropertySymbols
567         https://bugs.webkit.org/show_bug.cgi?id=141106
568
569         Reviewed by Geoffrey Garen.
570
571         This patch implements `Object.getOwnPropertySymbols`.
572         One technical issue is that, since we use private symbols (such as `@Object`) in the
573         privileged JS code in `builtins/`, they should not be exposed.
574         To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
575         before adding it into PropertyNameArray.
576
577         To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`
578         since all private symbols are held in this map.
579
580         * builtins/BuiltinExecutables.cpp:
581         (JSC::BuiltinExecutables::createExecutableInternal):
582         * builtins/BuiltinNames.h:
583         (JSC::BuiltinNames::isPrivateName):
584         * runtime/CommonIdentifiers.cpp:
585         (JSC::CommonIdentifiers::isPrivateName):
586         * runtime/CommonIdentifiers.h:
587         * runtime/EnumerationMode.h:
588         (JSC::EnumerationMode::EnumerationMode):
589         (JSC::EnumerationMode::includeSymbolProperties):
590         * runtime/ExceptionHelpers.cpp:
591         (JSC::createUndefinedVariableError):
592         * runtime/JSGlobalObject.cpp:
593         (JSC::JSGlobalObject::init):
594         * runtime/JSLexicalEnvironment.cpp:
595         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
596         * runtime/JSSymbolTableObject.cpp:
597         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
598         * runtime/ObjectConstructor.cpp:
599         (JSC::ObjectConstructor::finishCreation):
600         (JSC::objectConstructorGetOwnPropertySymbols):
601         (JSC::defineProperties):
602         (JSC::objectConstructorSeal):
603         (JSC::objectConstructorFreeze):
604         (JSC::objectConstructorIsSealed):
605         (JSC::objectConstructorIsFrozen):
606         * runtime/ObjectConstructor.h:
607         (JSC::ObjectConstructor::create):
608         * runtime/Structure.cpp:
609         (JSC::Structure::getPropertyNamesFromStructure):
610         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
611         (compare):
612         * tests/stress/object-get-own-property-symbols.js: Added.
613         (forIn):
614         * tests/stress/symbol-define-property.js: Added.
615         (testSymbol):
616         * tests/stress/symbol-seal-and-freeze.js: Added.
617         * tests/stress/symbol-with-json.js: Added.
618
619 2015-04-03  Mark Lam  <mark.lam@apple.com>
620
621         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
622         <https://webkit.org/b/143385>
623
624         Reviewed by Geoffrey Garen.
625
626         For debugging purposes, sometimes, we want to be able to make compilation happen
627         sooner to see if we can accelerate the manifestation of certain events / bugs.
628         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
629         which make up the compilation policy.  Let's add a single knob that can tune all
630         the thresholds up / down in one go proportionately so that we can easily tweak
631         how soon compilation occurs.
632
633         * runtime/Options.cpp:
634         (JSC::scaleJITPolicy):
635         (JSC::recomputeDependentOptions):
636         * runtime/Options.h:
637
638 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
639
640         is* API methods should be @properties
641         https://bugs.webkit.org/show_bug.cgi?id=143388
642
643         Reviewed by Mark Lam.
644
645         This appears to be the preferred idiom in WebKit, CA, AppKit, and
646         Foundation.
647
648         * API/JSValue.h: Be @properties.
649
650         * API/tests/testapi.mm:
651         (testObjectiveCAPI): Use the @properties.
652
653 2015-04-03  Mark Lam  <mark.lam@apple.com>
654
655         Some JSC Options refactoring and enhancements.
656         <https://webkit.org/b/143384>
657
658         Rubber stamped by Benjamin Poulain.
659
660         Create a better encapsulated Option class to make working with options easier.  This
661         is a building block towards a JIT policy scaling debugging option I will introduce later.
662
663         This work entails:
664         1. Convert Options::Option into a public class Option (which works closely with Options).
665         2. Convert Options::EntryType into an enum class Options::Type and make it public.
666         3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
667         4. Add misc methods to class Option to make it more usable.
668
669         * runtime/Options.cpp:
670         (JSC::Options::dumpOption):
671         (JSC::Option::dump):
672         (JSC::Option::operator==):
673         (JSC::Options::Option::dump): Deleted.
674         (JSC::Options::Option::operator==): Deleted.
675         * runtime/Options.h:
676         (JSC::Option::Option):
677         (JSC::Option::operator!=):
678         (JSC::Option::name):
679         (JSC::Option::description):
680         (JSC::Option::type):
681         (JSC::Option::isOverridden):
682         (JSC::Option::defaultOption):
683         (JSC::Option::boolVal):
684         (JSC::Option::unsignedVal):
685         (JSC::Option::doubleVal):
686         (JSC::Option::int32Val):
687         (JSC::Option::optionRangeVal):
688         (JSC::Option::optionStringVal):
689         (JSC::Option::gcLogLevelVal):
690         (JSC::Options::Option::Option): Deleted.
691         (JSC::Options::Option::operator!=): Deleted.
692
693 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
694
695         JavaScriptCore API should support type checking for Array and Date
696         https://bugs.webkit.org/show_bug.cgi?id=143324
697
698         Follow-up to address a comment by Dan.
699
700         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
701         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
702         is equal to 101100.
703
704 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
705
706         JavaScriptCore API should support type checking for Array and Date
707         https://bugs.webkit.org/show_bug.cgi?id=143324
708
709         Follow-up to address a comment by Dan.
710
711         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
712         Added a comment explaining why.
713
714 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
715
716         FTL JIT tests should fail if LLVM library isn't available
717         https://bugs.webkit.org/show_bug.cgi?id=143374
718
719         Reviewed by Mark Lam.
720
721         * dfg/DFGPlan.cpp:
722         (JSC::DFG::Plan::compileInThreadImpl):
723         * runtime/Options.h:
724
725 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
726
727         Fix the EFL and GTK build after r182243
728         https://bugs.webkit.org/show_bug.cgi?id=143361
729
730         Reviewed by Csaba Osztrogonác.
731
732         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
733         DerivedSources/JavaScriptCore/inspector/ directory.
734
735 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
736
737         Unreviewed, fixing Clang builds of the GTK port on Linux.
738
739         * runtime/Options.cpp:
740         Include the <math.h> header for isnan().
741
742 2015-04-02  Mark Lam  <mark.lam@apple.com>
743
744         Enhance ability to dump JSC Options.
745         <https://webkit.org/b/143357>
746
747         Reviewed by Benjamin Poulain.
748
749         Some enhancements to how the JSC options work:
750
751         1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
752            2 = All, 3 = Verbose.
753
754            The default is 0 (None).  This dumps nothing.
755            With the Overridden setting, at VM initialization time, we will dump all
756            option values that have been changed from their default.
757            With the All setting, at VM initialization time, we will dump all option values.
758            With the Verbose setting, at VM initialization time, we will dump all option
759            values along with their descriptions (if available).
760
761         2. We now store a copy of the default option values.
762
763            We later use this for comparison to tell if an option has been overridden, and
764            print the default value for reference.  As a result, we no longer need the
765            didOverride flag since we can compute whether the option is overridden at any time.
766
767         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
768
769            This will come in handy later when we want to rename some of the options to more sane
770            names that are easier to remember.  For example, we can change
771            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
772            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
773            of the description, we can afford to use shorter and less descriptive option names,
774            but they will be easier to remember and use for day to day debugging work.
775
776            In this patch, I did not change the names of any of the options yet.  I only added
777            description strings for options that I know about, and where I think the option name
778            isn't already descriptive enough.
779
780         4. Also deleted some unused code.
781
782         * jsc.cpp:
783         (CommandLine::parseArguments):
784         * runtime/Options.cpp:
785         (JSC::Options::initialize):
786         (JSC::Options::setOption):
787         (JSC::Options::dumpAllOptions):
788         (JSC::Options::dumpOption):
789         (JSC::Options::Option::dump):
790         (JSC::Options::Option::operator==):
791         * runtime/Options.h:
792         (JSC::OptionRange::rangeString):
793         (JSC::Options::Option::Option):
794         (JSC::Options::Option::operator!=):
795
796 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
797
798         JavaScriptCore API should support type checking for Array and Date
799         https://bugs.webkit.org/show_bug.cgi?id=143324
800
801         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
802
803         * API/JSValue.h:
804         * API/JSValue.mm:
805         (-[JSValue isArray]):
806         (-[JSValue isDate]): Added an ObjC API.
807
808         * API/JSValueRef.cpp:
809         (JSValueIsArray):
810         (JSValueIsDate):
811         * API/JSValueRef.h: Added a C API.
812
813         * API/WebKitAvailability.h: Brought our availability macros up to date
814         and fixed a harmless bug where "10_10" translated to "10.0".
815
816         * API/tests/testapi.c:
817         (main): Added a test and corrected a pre-existing leak.
818
819         * API/tests/testapi.mm:
820         (testObjectiveCAPI): Added a test.
821
822 2015-04-02  Mark Lam  <mark.lam@apple.com>
823
824         Add Options::dumpSourceAtDFGTime().
825         <https://webkit.org/b/143349>
826
827         Reviewed by Oliver Hunt, and Michael Saboff.
828
829         Sometimes, we will want to see the JS source code that we're compiling, and it
830         would be nice to be able to do this without having to jump thru a lot of hoops.
831         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
832         Options::dumpBytecodeAtDFGTime() option.
833
834         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
835         that explicitly take no arguments (instead of relying on the version that takes
836         the default argument).  These versions are friendlier to use when we want to call
837         them from an interactive debugging session.
838
839         * bytecode/CodeBlock.cpp:
840         (JSC::CodeBlock::dumpSource):
841         (JSC::CodeBlock::dumpBytecode):
842         * bytecode/CodeBlock.h:
843         * dfg/DFGByteCodeParser.cpp:
844         (JSC::DFG::ByteCodeParser::parseCodeBlock):
845         * runtime/Options.h:
846
847 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
848
849         Clean up EnumerationMode to easily extend
850         https://bugs.webkit.org/show_bug.cgi?id=143276
851
852         Reviewed by Geoffrey Garen.
853
854         To make the following easy,
855         1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
856         2. Making ExcludeSymbols implicitly the default for the existing flags
857         we encapsulate the EnumerationMode flags into an EnumerationMode class.
858
859         And this class manages 2 flags. Later it will be extended to 3.
860         1. DontEnumPropertiesMode (default is Exclude)
861         2. JSObjectPropertiesMode (default is Include)
862         3. SymbolPropertiesMode (default is Exclude)
863             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
864
865         This patch replaces places using ExcludeDontEnumProperties
866         with the EnumerationMode() value, which represents the default mode.
867
868         * API/JSCallbackObjectFunctions.h:
869         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
870         * API/JSObjectRef.cpp:
871         (JSObjectCopyPropertyNames):
872         * bindings/ScriptValue.cpp:
873         (Deprecated::jsToInspectorValue):
874         * bytecode/ObjectAllocationProfile.h:
875         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
876         * runtime/ArrayPrototype.cpp:
877         (JSC::arrayProtoFuncSort):
878         * runtime/EnumerationMode.h:
879         (JSC::EnumerationMode::EnumerationMode):
880         (JSC::EnumerationMode::includeDontEnumProperties):
881         (JSC::EnumerationMode::includeJSObjectProperties):
882         (JSC::shouldIncludeDontEnumProperties): Deleted.
883         (JSC::shouldExcludeDontEnumProperties): Deleted.
884         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
885         (JSC::modeThatSkipsJSObject): Deleted.
886         * runtime/GenericArgumentsInlines.h:
887         (JSC::GenericArguments<Type>::getOwnPropertyNames):
888         * runtime/JSArray.cpp:
889         (JSC::JSArray::getOwnNonIndexPropertyNames):
890         * runtime/JSArrayBuffer.cpp:
891         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
892         * runtime/JSArrayBufferView.cpp:
893         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
894         * runtime/JSFunction.cpp:
895         (JSC::JSFunction::getOwnNonIndexPropertyNames):
896         * runtime/JSFunction.h:
897         * runtime/JSGenericTypedArrayViewInlines.h:
898         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
899         * runtime/JSLexicalEnvironment.cpp:
900         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
901         * runtime/JSONObject.cpp:
902         (JSC::Stringifier::Holder::appendNextProperty):
903         (JSC::Walker::walk):
904         * runtime/JSObject.cpp:
905         (JSC::getClassPropertyNames):
906         (JSC::JSObject::getOwnPropertyNames):
907         (JSC::JSObject::getOwnNonIndexPropertyNames):
908         (JSC::JSObject::getGenericPropertyNames):
909         * runtime/JSPropertyNameEnumerator.h:
910         (JSC::propertyNameEnumerator):
911         * runtime/JSSymbolTableObject.cpp:
912         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
913         * runtime/ObjectConstructor.cpp:
914         (JSC::objectConstructorGetOwnPropertyNames):
915         (JSC::objectConstructorKeys):
916         (JSC::defineProperties):
917         (JSC::objectConstructorSeal):
918         (JSC::objectConstructorFreeze):
919         (JSC::objectConstructorIsSealed):
920         (JSC::objectConstructorIsFrozen):
921         * runtime/RegExpObject.cpp:
922         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
923         (JSC::RegExpObject::getPropertyNames):
924         (JSC::RegExpObject::getGenericPropertyNames):
925         * runtime/StringObject.cpp:
926         (JSC::StringObject::getOwnPropertyNames):
927         * runtime/Structure.cpp:
928         (JSC::Structure::getPropertyNamesFromStructure):
929
930 2015-04-01  Alex Christensen  <achristensen@webkit.org>
931
932         Progress towards CMake on Windows and Mac.
933         https://bugs.webkit.org/show_bug.cgi?id=143293
934
935         Reviewed by Filip Pizlo.
936
937         * CMakeLists.txt:
938         Enabled using assembly on Windows.
939         Replaced unix commands with CMake commands.
940         * PlatformMac.cmake:
941         Tell open source builders where to find unicode headers.
942
943 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
944
945         IteratorClose should be called when jumping over the target for-of loop
946         https://bugs.webkit.org/show_bug.cgi?id=143140
947
948         Reviewed by Geoffrey Garen.
949
950         This patch fixes labeled break/continue behaviors with for-of and iterators.
951
952         1. Support IteratorClose beyond multiple loop contexts
953         Previously, IteratorClose was only executed in for-of's breakTarget().
954         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
955         For example,
956         outer: for (var e1 of outer) {
957             inner: for (var e2 of inner) {
958                 break outer;
959             }
960         }
961         In this case, the return method of inner should be called.
962         We leverage the existing system for `finally` to execute inner.return method correctly.
963         Leveraging `finally` system fixes `break`, `continue` and `return` cases.
964         `throw` case is already supported by emitting try-catch handlers in for-of.
965
966         2. Incorrect LabelScope creation is done in ForOfNode
967         ForOfNode creates a duplicated LabelScope.
968         It causes an infinite loop when executing the following program that contains
969         explicitly labeled for-of loop.
970         For example,
971         inner: for (var elm of array) {
972             continue inner;
973         }
974
975         * bytecompiler/BytecodeGenerator.cpp:
976         (JSC::BytecodeGenerator::pushFinallyContext):
977         (JSC::BytecodeGenerator::pushIteratorCloseContext):
978         (JSC::BytecodeGenerator::popFinallyContext):
979         (JSC::BytecodeGenerator::popIteratorCloseContext):
980         (JSC::BytecodeGenerator::emitComplexPopScopes):
981         (JSC::BytecodeGenerator::emitEnumeration):
982         (JSC::BytecodeGenerator::emitIteratorClose):
983         * bytecompiler/BytecodeGenerator.h:
984         * bytecompiler/NodesCodegen.cpp:
985         (JSC::ForOfNode::emitBytecode):
986         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
987         (createIterator.iterator.return):
988         (createIterator):
989         * tests/stress/raise-error-in-iterator-close.js: Added.
990         (createIterator.iterator.return):
991         (createIterator):
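
        The behaviour this entry fixes, as an added example that is not part of the ChangeLog or the JSC sources: a logging iterator records every return() call, so the functions below check which iterators IteratorClose closes when labeled break / continue and return leave nested for-of loops (the helper names are the example's own).

```javascript
// Added example, not code from the WebKit ChangeLog entry or the JSC sources:
// a logging iterator that records every call to its return() method, used to
// check which iterators ES6 IteratorClose closes when labeled break / continue
// and return leave nested for-of loops.
function createLoggingIterator(name, values, log) {
  let index = 0;
  return {
    [Symbol.iterator]() { return this; },
    next() {
      if (index < values.length) return { value: values[index++], done: false };
      return { value: undefined, done: true };
    },
    // IteratorClose calls this on abrupt completion (break / continue / return /
    // throw), but NOT when the loop runs to completion.
    return() {
      log.push(name);
      return { value: undefined, done: true };
    },
  };
}

// `break outer` from inside the inner loop: the inner iterator is closed first,
// then the outer one, because the break rolls up both loop contexts.
function breakOuterFromInner() {
  const log = [];
  const outer = createLoggingIterator("outer", [1, 2, 3], log);
  outerLoop: for (const e1 of outer) {
    const inner = createLoggingIterator("inner", ["a", "b"], log);
    for (const e2 of inner) {
      break outerLoop;
    }
  }
  return log.join(","); // "inner,outer"
}

// `continue outer` closes the inner iterator on every outer iteration; the
// outer iterator runs to completion, so its return() is never called.
function continueOuterFromInner() {
  const log = [];
  const outer = createLoggingIterator("outer", [1, 2, 3], log);
  outerLoop: for (const e1 of outer) {
    const inner = createLoggingIterator("inner", ["a", "b"], log);
    for (const e2 of inner) {
      continue outerLoop;
    }
  }
  return log.join(","); // "inner,inner,inner"
}

// A `return` statement inside nested loops closes both iterators, inner first.
function returnFromInner() {
  const log = [];
  const outer = createLoggingIterator("outer", [1, 2, 3], log);
  const inner = createLoggingIterator("inner", ["a", "b"], log);
  const result = (function () {
    for (const e1 of outer) {
      for (const e2 of inner) {
        return e1 + e2;
      }
    }
    return null;
  })();
  return { result, closed: log.join(",") }; // { result: "1a", closed: "inner,outer" }
}

// Second bug in the entry: an explicitly labeled for-of with `continue label`
// must visit each element exactly once and then terminate.
function labeledContinueTerminates() {
  let iterations = 0;
  inner: for (const elm of [10, 20, 30]) {
    iterations++;
    continue inner;
  }
  return iterations; // 3
}
```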
992
993 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
994
995         [ES6] Implement Symbol.unscopables
996         https://bugs.webkit.org/show_bug.cgi?id=142829
997
998         Reviewed by Geoffrey Garen.
999
1000         This patch introduces Symbol.unscopables functionality.
1001         In ES6, some generic names (like keys, values) are introduced
1002         as Array method names. And this breaks the web since some web sites
1003         use code like the following.
1004
1005         var values = ...;
1006         with (array) {
1007             values;  // This values is trapped by array's method "values".
1008         }
1009
1010         To fix this, Symbol.unscopables introduces a blacklist
1011         for with scope trapping. When resolving a scope,
1012         if the name is found in the target scope and the target scope is a with scope,
1013         we check Symbol.unscopables object to filter generic names.
1014
1015         This functionality is only active for with scopes.
1016         Global scope does not have unscopables functionality.
1017
1018         And since
1019         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
1020         2) in that case, JSScope::resolve is always used in JIT and LLInt,
1021         3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
1022         to implement this functionality, we just change JSScope::resolve and no need to change JIT code.
1023         So the performance regression is only visible in the Dynamic resolving case, and it is already very slow.
1024
1025         * runtime/ArrayPrototype.cpp:
1026         (JSC::ArrayPrototype::finishCreation):
1027         * runtime/CommonIdentifiers.h:
1028         * runtime/JSGlobalObject.h:
1029         (JSC::JSGlobalObject::runtimeFlags):
1030         * runtime/JSScope.cpp:
1031         (JSC::isUnscopable):
1032         (JSC::JSScope::resolve):
1033         * runtime/JSScope.h:
1034         (JSC::ScopeChainIterator::scope):
1035         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
1036         (test):
1037         * tests/stress/unscopables.js: Added.
1038         (test):
1039         (.):
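
        The with-scope filtering this entry describes, as an added example that is not part of the ChangeLog or the JSC sources: the name `values` is resolved through a `with` scope for an array, a plain object, an object with its own Symbol.unscopables list, and the global object (function and variable names are the example's own).

```javascript
// Added example, not code from the WebKit ChangeLog entry or the JSC sources:
// resolving the generic name `values` through a `with` scope, with and without
// a Symbol.unscopables blacklist on the scope object.

// Built with the Function constructor so the body is sloppy-mode code: `with`
// is a SyntaxError in strict code (ES modules, "use strict" files).
const readValuesThroughWith = new Function(
  "scopeObject",
  "var values = 'outer binding'; with (scopeObject) { return values; }"
);

// Arrays have Array.prototype.values, but Array.prototype[Symbol.unscopables]
// has values: true, so the with scope does not trap the name and the outer
// binding wins.
function arrayScopeObject() {
  return readValuesThroughWith([1, 2, 3]); // "outer binding"
}

// A plain object with a `values` property and no unscopables list still traps
// it: this is the pre-ES6 behaviour that broke sites once Array got values().
function plainScopeObject() {
  return readValuesThroughWith({ values: "trapped by object" }); // "trapped by object"
}

// Any object can opt names out of with-scope resolution via its own blacklist.
function unscopableScopeObject() {
  const obj = { values: "trapped by object", [Symbol.unscopables]: { values: true } };
  return readValuesThroughWith(obj); // "outer binding"
}

// The blacklist is consulted only for with scopes: a Symbol.unscopables
// property on the global object does not hide a global `values` binding.
function globalScopeIgnoresUnscopables() {
  const readGlobalValues = new Function("return values;");
  globalThis.values = "global value";
  globalThis[Symbol.unscopables] = { values: true };
  try {
    return readGlobalValues(); // "global value"
  } finally {
    delete globalThis.values;
    delete globalThis[Symbol.unscopables];
  }
}

// Array.prototype's blacklist includes the generic names the entry mentions
// (engines add more entries for methods introduced after ES6, hence the filter).
function arrayUnscopableNames() {
  return Object.keys(Array.prototype[Symbol.unscopables])
    .filter((name) => ["keys", "values", "entries"].includes(name))
    .sort()
    .join(","); // "entries,keys,values"
}
```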
1040
1041 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1042
1043         ES6 class syntax should allow static setters and getters
1044         https://bugs.webkit.org/show_bug.cgi?id=143180
1045
1046         Reviewed by Filip Pizlo.
1047
1048         Apparently I misread the spec when I initially implemented parseClass.
1049         ES6 class syntax allows static getters and setters so just allow that.
1050
1051         * parser/Parser.cpp:
1052         (JSC::Parser<LexerType>::parseClass):
1053
1054 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
1055
1056         PutClosureVar CSE def() rule has a wrong base
1057         https://bugs.webkit.org/show_bug.cgi?id=143280
1058
1059         Reviewed by Michael Saboff.
1060         
1061         I think that this code was incorrect in a benign way, since the base of a
1062         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
1063
1064         * dfg/DFGClobberize.h:
1065         (JSC::DFG::clobberize):
1066
1067 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1068
1069         Unreviewed, rolling out r182200.
1070         https://bugs.webkit.org/show_bug.cgi?id=143279
1071
1072         Probably causing assertion extravaganza on bots. (Requested by
1073         kling on #webkit).
1074
1075         Reverted changeset:
1076
1077         "Logically empty WeakBlocks should not pin down their
1078         MarkedBlocks indefinitely."
1079         https://bugs.webkit.org/show_bug.cgi?id=143210
1080         http://trac.webkit.org/changeset/182200
1081
1082 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1083
1084         Clean up Identifier factories to clarify the meaning of StringImpl*
1085         https://bugs.webkit.org/show_bug.cgi?id=143146
1086
1087         Reviewed by Filip Pizlo.
1088
1089         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
1090         However, it's ambiguous because `StringImpl*` has 2 different meanings.
1091         1) a normal string, which is replaceable with `WTFString`, and
1092         2) `uid`, which holds `isSymbol` information to represent Symbols.
1093         So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
1094         + `Identifier::fromString(VM*/ExecState*, const String&)`.
1095         Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
1096         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
1097         This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.
1098
1099         And to clean up `StringImpl` which is used as uid,
1100         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
1101         1. StringNormal (non-atomic, non-symbol)
1102         2. StringAtomic (atomic, non-symbol)
1103         3. StringSymbol (non-atomic, symbol)
1104         They are mutually exclusive. And (atomic, symbol) case should not exist.
1105
1106         * API/JSCallbackObjectFunctions.h:
1107         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1108         * API/JSObjectRef.cpp:
1109         (JSObjectMakeFunction):
1110         * API/OpaqueJSString.cpp:
1111         (OpaqueJSString::identifier):
1112         * bindings/ScriptFunctionCall.cpp:
1113         (Deprecated::ScriptFunctionCall::call):
1114         * builtins/BuiltinExecutables.cpp:
1115         (JSC::BuiltinExecutables::createExecutableInternal):
1116         * builtins/BuiltinNames.h:
1117         (JSC::BuiltinNames::BuiltinNames):
1118         * bytecompiler/BytecodeGenerator.cpp:
1119         (JSC::BytecodeGenerator::BytecodeGenerator):
1120         (JSC::BytecodeGenerator::emitThrowReferenceError):
1121         (JSC::BytecodeGenerator::emitThrowTypeError):
1122         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1123         (JSC::BytecodeGenerator::emitEnumeration):
1124         * dfg/DFGDesiredIdentifiers.cpp:
1125         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1126         * inspector/JSInjectedScriptHost.cpp:
1127         (Inspector::JSInjectedScriptHost::functionDetails):
1128         (Inspector::constructInternalProperty):
1129         (Inspector::JSInjectedScriptHost::weakMapEntries):
1130         (Inspector::JSInjectedScriptHost::iteratorEntries):
1131         * inspector/JSInjectedScriptHostPrototype.cpp:
1132         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1133         * inspector/JSJavaScriptCallFramePrototype.cpp:
1134         * inspector/ScriptCallStackFactory.cpp:
1135         (Inspector::extractSourceInformationFromException):
1136         * jit/JITOperations.cpp:
1137         * jsc.cpp:
1138         (GlobalObject::finishCreation):
1139         (GlobalObject::addFunction):
1140         (GlobalObject::addConstructableFunction):
1141         (functionRun):
1142         (runWithScripts):
1143         * llint/LLIntData.cpp:
1144         (JSC::LLInt::Data::performAssertions):
1145         * llint/LowLevelInterpreter.asm:
1146         * parser/ASTBuilder.h:
1147         (JSC::ASTBuilder::addVar):
1148         * parser/Parser.cpp:
1149         (JSC::Parser<LexerType>::parseInner):
1150         (JSC::Parser<LexerType>::createBindingPattern):
1151         * parser/ParserArena.h:
1152         (JSC::IdentifierArena::makeIdentifier):
1153         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
1154         (JSC::IdentifierArena::makeNumericIdentifier):
1155         * runtime/ArgumentsIteratorPrototype.cpp:
1156         (JSC::ArgumentsIteratorPrototype::finishCreation):
1157         * runtime/ArrayIteratorPrototype.cpp:
1158         (JSC::ArrayIteratorPrototype::finishCreation):
1159         * runtime/ArrayPrototype.cpp:
1160         (JSC::ArrayPrototype::finishCreation):
1161         (JSC::arrayProtoFuncPush):
1162         * runtime/ClonedArguments.cpp:
1163         (JSC::ClonedArguments::getOwnPropertySlot):
1164         * runtime/CommonIdentifiers.cpp:
1165         (JSC::CommonIdentifiers::CommonIdentifiers):
1166         * runtime/CommonIdentifiers.h:
1167         * runtime/Error.cpp:
1168         (JSC::addErrorInfo):
1169         (JSC::hasErrorInfo):
1170         * runtime/ExceptionHelpers.cpp:
1171         (JSC::createUndefinedVariableError):
1172         * runtime/GenericArgumentsInlines.h:
1173         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1174         * runtime/Identifier.h:
1175         (JSC::Identifier::isSymbol):
1176         (JSC::Identifier::Identifier):
1177         (JSC::Identifier::from): Deleted.
1178         * runtime/IdentifierInlines.h:
1179         (JSC::Identifier::Identifier):
1180         (JSC::Identifier::fromUid):
1181         (JSC::Identifier::fromString):
1182         * runtime/JSCJSValue.cpp:
1183         (JSC::JSValue::dumpInContextAssumingStructure):
1184         * runtime/JSCJSValueInlines.h:
1185         (JSC::JSValue::toPropertyKey):
1186         * runtime/JSGlobalObject.cpp:
1187         (JSC::JSGlobalObject::init):
1188         * runtime/JSLexicalEnvironment.cpp:
1189         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1190         * runtime/JSObject.cpp:
1191         (JSC::getClassPropertyNames):
1192         (JSC::JSObject::reifyStaticFunctionsForDelete):
1193         * runtime/JSObject.h:
1194         (JSC::makeIdentifier):
1195         * runtime/JSPromiseConstructor.cpp:
1196         (JSC::JSPromiseConstructorFuncRace):
1197         (JSC::JSPromiseConstructorFuncAll):
1198         * runtime/JSString.h:
1199         (JSC::JSString::toIdentifier):
1200         * runtime/JSSymbolTableObject.cpp:
1201         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1202         * runtime/LiteralParser.cpp:
1203         (JSC::LiteralParser<CharType>::tryJSONPParse):
1204         (JSC::LiteralParser<CharType>::makeIdentifier):
1205         * runtime/Lookup.h:
1206         (JSC::reifyStaticProperties):
1207         * runtime/MapConstructor.cpp:
1208         (JSC::constructMap):
1209         * runtime/MapIteratorPrototype.cpp:
1210         (JSC::MapIteratorPrototype::finishCreation):
1211         * runtime/MapPrototype.cpp:
1212         (JSC::MapPrototype::finishCreation):
1213         * runtime/MathObject.cpp:
1214         (JSC::MathObject::finishCreation):
1215         * runtime/NumberConstructor.cpp:
1216         (JSC::NumberConstructor::finishCreation):
1217         * runtime/ObjectConstructor.cpp:
1218         (JSC::ObjectConstructor::finishCreation):
1219         * runtime/PrivateName.h:
1220         (JSC::PrivateName::PrivateName):
1221         * runtime/PropertyMapHashTable.h:
1222         (JSC::PropertyTable::find):
1223         (JSC::PropertyTable::get):
1224         * runtime/PropertyName.h:
1225         (JSC::PropertyName::PropertyName):
1226         (JSC::PropertyName::publicName):
1227         (JSC::PropertyName::asIndex):
1228         * runtime/PropertyNameArray.cpp:
1229         (JSC::PropertyNameArray::add):
1230         * runtime/PropertyNameArray.h:
1231         (JSC::PropertyNameArray::addKnownUnique):
1232         * runtime/RegExpConstructor.cpp:
1233         (JSC::RegExpConstructor::finishCreation):
1234         * runtime/SetConstructor.cpp:
1235         (JSC::constructSet):
1236         * runtime/SetIteratorPrototype.cpp:
1237         (JSC::SetIteratorPrototype::finishCreation):
1238         * runtime/SetPrototype.cpp:
1239         (JSC::SetPrototype::finishCreation):
1240         * runtime/StringIteratorPrototype.cpp:
1241         (JSC::StringIteratorPrototype::finishCreation):
1242         * runtime/StringPrototype.cpp:
1243         (JSC::StringPrototype::finishCreation):
1244         * runtime/Structure.cpp:
1245         (JSC::Structure::getPropertyNamesFromStructure):
1246         * runtime/SymbolConstructor.cpp:
1247         * runtime/VM.cpp:
1248         (JSC::VM::throwException):
1249         * runtime/WeakMapConstructor.cpp:
1250         (JSC::constructWeakMap):
1251
1252 2015-03-31  Andreas Kling  <akling@apple.com>
1253
1254         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1255         <https://webkit.org/b/143210>
1256
1257         Reviewed by Geoffrey Garen.
1258
1259         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1260         we had a little problem where WeakBlocks with only null pointers would still keep their
1261         MarkedBlock alive.
1262
1263         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1264         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1265         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1266         destroying them once they're fully dead.
1267
1268         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1269         a mysterious issue where doing two full garbage collections back-to-back would free additional
1270         memory in the second collection.
1271
1272         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1273         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1274         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1275
1276         * heap/Heap.h:
1277         * heap/Heap.cpp:
1278         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1279         owned by Heap, after everything else has been swept.
1280
1281         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1282         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1283         they are unlikely to cause entire WeakBlocks to go empty.
1284
1285         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1286         to the Heap when it's detached from a WeakSet.
1287
1288         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1289         of the logically empty WeakBlocks owned by Heap.
1290
1291         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1292         and updates the next-logically-empty-weak-block-to-sweep index.
1293
1294         (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
1295         won't be another chance after this.
1296
1297         * heap/IncrementalSweeper.h:
1298         (JSC::IncrementalSweeper::hasWork): Deleted.
1299
1300         * heap/IncrementalSweeper.cpp:
1301         (JSC::IncrementalSweeper::fullSweep):
1302         (JSC::IncrementalSweeper::doSweep):
1303         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1304         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1305         changed to return a bool (true if there's more work to be done.)
1306
1307         * heap/WeakBlock.cpp:
1308         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1309         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1310
1311         * heap/WeakBlock.h:
1312         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1313         if the WeakBlock could be detached from the MarkedBlock.
1314
1315         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1316         when declaring them.
1317
1318 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1319
1320         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
1321         https://bugs.webkit.org/show_bug.cgi?id=142883
1322
1323         Reviewed by Filip Pizlo.
1324
1325         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
1326
1327         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
1328         in eval inside a derived class' constructor.
1329
1330         * bytecode/EvalCodeCache.h:
1331         (JSC::EvalCodeCache::getSlow):
1332         * bytecompiler/NodesCodegen.cpp:
1333         (JSC::ThisNode::emitBytecode):
1334         * debugger/DebuggerCallFrame.cpp:
1335         (JSC::DebuggerCallFrame::evaluate):
1336         * interpreter/Interpreter.cpp:
1337         (JSC::eval):
1338         * parser/ASTBuilder.h:
1339         (JSC::ASTBuilder::thisExpr):
1340         * parser/NodeConstructors.h:
1341         (JSC::ThisNode::ThisNode):
1342         * parser/Nodes.h:
1343         * parser/Parser.cpp:
1344         (JSC::Parser<LexerType>::Parser):
1345         (JSC::Parser<LexerType>::parsePrimaryExpression):
1346         * parser/Parser.h:
1347         (JSC::parse):
1348         * parser/ParserModes.h:
1349         * parser/SyntaxChecker.h:
1350         (JSC::SyntaxChecker::thisExpr):
1351         * runtime/CodeCache.cpp:
1352         (JSC::CodeCache::getGlobalCodeBlock):
1353         (JSC::CodeCache::getProgramCodeBlock):
1354         (JSC::CodeCache::getEvalCodeBlock):
1355         * runtime/CodeCache.h:
1356         (JSC::SourceCodeKey::SourceCodeKey):
1357         * runtime/Executable.cpp:
1358         (JSC::EvalExecutable::create):
1359         * runtime/Executable.h:
1360         * runtime/JSGlobalObject.cpp:
1361         (JSC::JSGlobalObject::createEvalCodeBlock):
1362         * runtime/JSGlobalObject.h:
1363         * runtime/JSGlobalObjectFunctions.cpp:
1364         (JSC::globalFuncEval):
1365         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
1366         * tests/stress/class-syntax-tdz-in-eval.js: Added.
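
Added example (not part of the WebKit change or its stress tests): the behaviour the fix above is meant to guarantee. Touching |this| through a direct eval in a derived-class constructor before super() has run must throw a ReferenceError (the temporal dead zone), never crash; after super() the same eval reads the initialised object. Class and property names are made up for this illustration.

```javascript
// Added example, not code from the WebKit patch. Base/Derived/foo are made-up names.

class Base {
  constructor() {
    this.foo = "initialised by Base";
  }
}

class Derived extends Base {
  // evalBeforeSuper: whether to touch |this| via eval before super() runs.
  constructor(evalBeforeSuper) {
    if (evalBeforeSuper) {
      // Direct eval inside the constructor: the evaluated code must still see
      // |this| as uninitialised and throw a ReferenceError (TDZ check).
      eval("this.foo");
    }
    super();
    // After super(), |this| is initialised and eval may read it freely.
    this.viaEval = eval("this.foo");
  }
}

// Returns a small record of what happened, so both paths can be checked.
function probeThisInEval(evalBeforeSuper) {
  try {
    const d = new Derived(evalBeforeSuper);
    return { threw: false, viaEval: d.viaEval };
  } catch (e) {
    return { threw: true, errorName: e.constructor.name };
  }
}
```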
1367
1368 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1369
1370         Unreviewed, rolling out r182186.
1371         https://bugs.webkit.org/show_bug.cgi?id=143270
1372
1373         it crashes all the WebGL tests on the Debug bots (Requested by
1374         dino on #webkit).
1375
1376         Reverted changeset:
1377
1378         "Web Inspector: add 2D/WebGL canvas instrumentation
1379         infrastructure"
1380         https://bugs.webkit.org/show_bug.cgi?id=137278
1381         http://trac.webkit.org/changeset/182186
1382
1383 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1384
1385         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
1386         https://bugs.webkit.org/show_bug.cgi?id=142937
1387
1388         Reviewed by Darin Adler.
1389
1390         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
1391         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
1392         But now, several functions perform ToObject onto a non-object parameter.
1393         And others behave as if a parameter is a non-extensible ordinary object with no own properties.
1394         It is described in ES6 Annex E.
1395         The functions that differ from ES5 are the following.
1396
1397         1. An attempt is made to coerce the argument using ToObject.
1398             Object.getOwnPropertyDescriptor
1399             Object.getOwnPropertyNames
1400             Object.getPrototypeOf
1401             Object.keys
1402
1403         2. Treated as if it was a non-extensible ordinary object with no own properties.
1404             Object.freeze
1405             Object.isExtensible
1406             Object.isFrozen
1407             Object.isSealed
1408             Object.preventExtensions
1409             Object.seal
1410
1411         * runtime/ObjectConstructor.cpp:
1412         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1413         (JSC::objectConstructorGetPrototypeOf):
1414         (JSC::objectConstructorGetOwnPropertyDescriptor):
1415         (JSC::objectConstructorGetOwnPropertyNames):
1416         (JSC::objectConstructorKeys):
1417         (JSC::objectConstructorSeal):
1418         (JSC::objectConstructorFreeze):
1419         (JSC::objectConstructorPreventExtensions):
1420         (JSC::objectConstructorIsSealed):
1421         (JSC::objectConstructorIsFrozen):
1422         (JSC::objectConstructorIsExtensible):
1423         * tests/stress/object-freeze-accept-non-object.js: Added.
1424         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
1425         (canary):
1426         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
1427         (compare):
1428         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
1429         * tests/stress/object-is-extensible-accept-non-object.js: Added.
1430         * tests/stress/object-is-frozen-accept-non-object.js: Added.
1431         * tests/stress/object-is-sealed-accept-non-object.js: Added.
1432         * tests/stress/object-keys-perform-to-object.js: Added.
1433         (compare):
1434         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
1435         * tests/stress/object-seal-accept-non-object.js: Added.
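
Added example (not from the WebKit patch or its test files): a probe of the two groups of Object.* functions listed above when given non-object arguments. Group 1 applies ToObject, so primitives are wrapped but null and undefined still throw a TypeError; group 2 treats any non-object as a non-extensible ordinary object with no own properties and returns it unchanged. The helper names (outcome, probe*) are made up.

```javascript
// Added example, not code from the WebKit patch; helper names are made up.

// Runs fn(value) and reports either the result or the thrown error's name.
function outcome(fn, value) {
  try {
    return { ok: true, result: fn(value) };
  } catch (e) {
    return { ok: false, errorName: e.constructor.name };
  }
}

// Group 1: the argument is coerced with ToObject first, so a primitive is
// inspected through its wrapper and null/undefined raise TypeError.
function probeToObjectGroup(value) {
  return {
    getPrototypeOf: outcome(Object.getPrototypeOf, value),
    getOwnPropertyNames: outcome(Object.getOwnPropertyNames, value),
    keys: outcome(Object.keys, value),
    // "length" is queried because string wrappers expose it as an own property.
    getOwnPropertyDescriptor: outcome(
      (v) => Object.getOwnPropertyDescriptor(v, "length"), value),
  };
}

// Group 2: a non-object is treated as a frozen, empty ordinary object; the
// mutating functions simply return their argument.
function probeNonExtensibleGroup(value) {
  return {
    freeze: outcome(Object.freeze, value),
    seal: outcome(Object.seal, value),
    preventExtensions: outcome(Object.preventExtensions, value),
    isFrozen: outcome(Object.isFrozen, value),
    isSealed: outcome(Object.isSealed, value),
    isExtensible: outcome(Object.isExtensible, value),
  };
}
```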
1436
1437 2015-03-31  Matt Baker  <mattbaker@apple.com>
1438
1439         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
1440         https://bugs.webkit.org/show_bug.cgi?id=137278
1441
1442         Reviewed by Timothy Hatcher.
1443
1444         Added Canvas protocol which defines types used by InspectorCanvasAgent.
1445
1446         * CMakeLists.txt:
1447         * DerivedSources.make:
1448         * inspector/protocol/Canvas.json: Added.
1449
1450         * inspector/scripts/codegen/generator.py:
1451         (Generator.stylized_name_for_enum_value):
1452         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
1453
1454 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
1455
1456         Extending null should set __proto__ to null
1457         https://bugs.webkit.org/show_bug.cgi?id=142882
1458
1459         Reviewed by Geoffrey Garen and Benjamin Poulain.
1460
1461         Set Derived.prototype.__proto__ to null when extending null.
1462
1463         * bytecompiler/NodesCodegen.cpp:
1464         (JSC::ClassExprNode::emitBytecode):
1465
1466 2015-03-30  Mark Lam  <mark.lam@apple.com>
1467
1468         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
1469         <https://webkit.org/b/143105>
1470
1471         Reviewed by Filip Pizlo.
1472
1473         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
1474         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
1475         JIT frames that may have their scope register not set.  The Debugger's current implementation
1476         which relies on the scope register is not happy about this.  For example, this results in a
1477         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
1478
1479         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
1480         ensure that the scope register value is flushed to the register in the stack frame.
1481
1482         * dfg/DFGByteCodeParser.cpp:
1483         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1484         (JSC::DFG::ByteCodeParser::setLocal):
1485         (JSC::DFG::ByteCodeParser::flush):
1486         - Add code to flush the scope register.
1487         (JSC::DFG::ByteCodeParser::inliningCost):
1488         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
1489           disabling inlining whenever the debugger is in use.
1490         * dfg/DFGGraph.cpp:
1491         (JSC::DFG::Graph::Graph):
1492         * dfg/DFGGraph.h:
1493         (JSC::DFG::Graph::hasDebuggerEnabled):
1494         * dfg/DFGStackLayoutPhase.cpp:
1495         (JSC::DFG::StackLayoutPhase::run):
1496         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
1497         * ftl/FTLCompile.cpp:
1498         (JSC::FTL::mmAllocateDataSection):
1499         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
1500
1501 2015-03-30  Michael Saboff  <msaboff@apple.com>
1502
1503         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
1504         https://bugs.webkit.org/show_bug.cgi?id=138391
1505
1506         Reviewed by Mark Lam.
1507
1508         Re-enabling these tests as I can't get them to fail on local iOS test devices.
1509         There have been many changes since these tests were disabled.
1510         I'll watch automated test results for failures.  If there are failures running automated
1511         testing, it might be due to the device's relative CPU performance.
1512         
1513         * tests/stress/float32-repeat-out-of-bounds.js:
1514         * tests/stress/int8-repeat-out-of-bounds.js:
1515
1516 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
1517
1518         Web Inspector: Regression: Preview for [[null]] shouldn't be []
1519         https://bugs.webkit.org/show_bug.cgi?id=143208
1520
1521         Reviewed by Mark Lam.
1522
1523         * inspector/InjectedScriptSource.js:
1524         Handle null when generating simple object previews.
1525
1526 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
1527
1528         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
1529         https://bugs.webkit.org/show_bug.cgi?id=143134
1530
1531         Reviewed by Geoffrey Garen.
1532
1533         * jit/JSInterfaceJIT.h:
1534         * jit/Repatch.cpp:
1535         (JSC::tryCacheGetByID):
1536
1537 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
1538
1539         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
1540         https://bugs.webkit.org/show_bug.cgi?id=143104
1541
1542         Reviewed by Geoffrey Garen.
1543         
1544         Created a test that is a 100% repro of the flaky failure. This test is called
1545         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
1546         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
1547         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
1548         
1549         Also created three more tests for three similar, but not identical, failures.
1550         
1551         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
1552         only reading those parts of the stack that are relevant to the current semantic code origin.
1553         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
1554         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
1555         read parts of the stack associated with the inline call frame for the phantom arguments. This
1556         may not be subsumed by the current semantic origin's stack area in cases that the arguments
1557         were allowed to "locally" escape.
1558         
1559         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
1560         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
1561         the stack due to function.arguments, but there are a bunch of other ways that we could also
1562         read the stack and those operations may read any stack slot. I believe that this change makes
1563         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
1564         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
1565         readTop() in PreciseLocalClobberize does the right thing.
1566
1567         * dfg/DFGClobberize.h:
1568         (JSC::DFG::clobberize):
1569         * dfg/DFGPreciseLocalClobberize.h:
1570         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1571         * dfg/DFGPutStackSinkingPhase.cpp:
1572         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
1573         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
1574         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
1575         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
1576         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
1577
1578 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
1579
1580         Start the features.json files
1581         https://bugs.webkit.org/show_bug.cgi?id=143207
1582
1583         Reviewed by Darin Adler.
1584
1585         Start the features.json files to have something to experiment
1586         with for the UI.
1587
1588         * features.json: Added.
1589
1590 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1591
1592         [Win] Addressing post-review comment after r182122
1593         https://bugs.webkit.org/show_bug.cgi?id=143189
1594
1595         Unreviewed.
1596
1597 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1598
1599         [Win] Allow building JavaScriptCore without Cygwin
1600         https://bugs.webkit.org/show_bug.cgi?id=143189
1601
1602         Reviewed by Brent Fulgham.
1603
1604         Paths like /usr/bin/ don't exist on Windows.
1605         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
1606         Prefixing commands with environment variables doesn't work on Windows.
1607         Windows doesn't have 'cmp'.
1608         Windows uses 'del' instead of 'rm'.
1609         Windows uses 'type NUL' instead of 'touch'.
1610
1611         * DerivedSources.make:
1612         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1613         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1614         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
1615         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1616         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
1617         * JavaScriptCore.vcxproj/build-generated-files.pl:
1618         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
1619
1620 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
1621
1622         Clean up JavaScriptCore/builtins
1623         https://bugs.webkit.org/show_bug.cgi?id=143177
1624
1625         Reviewed by Ryosuke Niwa.
1626
1627         * builtins/ArrayConstructor.js:
1628         (from):
1629         - We can compare to undefined instead of using a typeof undefined check.
1630         - Converge on double quoted strings everywhere.
1631
1632         * builtins/ArrayIterator.prototype.js:
1633         (next):
1634         * builtins/StringIterator.prototype.js:
1635         (next):
1636         - Use shorthand object construction to avoid duplication.
1637         - Improve grammar in error messages.
1638
1639         * tests/stress/array-iterators-next-with-call.js:
1640         * tests/stress/string-iterators.js:
1641         - Update for new error message strings.
1642
1643 2015-03-28  Saam Barati  <saambarati1@gmail.com>
1644
1645         Web Inspector: ES6: Better support for Symbol types in Type Profiler
1646         https://bugs.webkit.org/show_bug.cgi?id=141257
1647
1648         Reviewed by Joseph Pecoraro.
1649
1650         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
1651         type profiler support this new primitive type.
1652
1653         * dfg/DFGFixupPhase.cpp:
1654         (JSC::DFG::FixupPhase::fixupNode):
1655         * inspector/protocol/Runtime.json:
1656         * runtime/RuntimeType.cpp:
1657         (JSC::runtimeTypeForValue):
1658         * runtime/RuntimeType.h:
1659         (JSC::runtimeTypeIsPrimitive):
1660         * runtime/TypeSet.cpp:
1661         (JSC::TypeSet::addTypeInformation):
1662         (JSC::TypeSet::dumpTypes):
1663         (JSC::TypeSet::doesTypeConformTo):
1664         (JSC::TypeSet::displayName):
1665         (JSC::TypeSet::inspectorTypeSet):
1666         (JSC::TypeSet::toJSONString):
1667         * runtime/TypeSet.h:
1668         (JSC::TypeSet::seenTypes):
1669         * tests/typeProfiler/driver/driver.js:
1670         * tests/typeProfiler/symbol.js: Added.
1671         (wrapper.foo):
1672         (wrapper.bar):
1673         (wrapper.bar.bar.baz):
1674         (wrapper):
1675
1676 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1677
1678         Deconstruction parameters are bound too late
1679         https://bugs.webkit.org/show_bug.cgi?id=143148
1680
1681         Reviewed by Filip Pizlo.
1682
1683         Currently, a deconstruction pattern named with the same
1684         name as a function will shadow the function. This is
1685         wrong. It should be the other way around.
1686
1687         * bytecompiler/BytecodeGenerator.cpp:
1688         (JSC::BytecodeGenerator::generate):
1689
1690 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1691
1692         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
1693         https://bugs.webkit.org/show_bug.cgi?id=143170
1694
1695         Reviewed by Benjamin Poulain.
1696
1697         Assert that we never use 16-bit version of the parser to parse a default constructor
1698         since both base and derived default constructors should be using an 8-bit string.
1699
1700         * parser/Parser.h:
1701         (JSC::parse):
1702
1703 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1704
1705         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
1706         https://bugs.webkit.org/show_bug.cgi?id=142862
1707
1708         Reviewed by Benjamin Poulain.
1709
1710         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
1711
1712         * tests/stress/class-syntax-derived-default-constructor.js: Added.
1713
1714 2015-03-27  Michael Saboff  <msaboff@apple.com>
1715
1716         load8Signed() and load16Signed() should be renamed to avoid confusion
1717         https://bugs.webkit.org/show_bug.cgi?id=143168
1718
1719         Reviewed by Benjamin Poulain.
1720
1721         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
1722
1723         * assembler/MacroAssemblerARM.h:
1724         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
1725         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
1726         (JSC::MacroAssemblerARM::load8Signed): Deleted.
1727         (JSC::MacroAssemblerARM::load16Signed): Deleted.
1728         * assembler/MacroAssemblerARM64.h:
1729         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
1730         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1731         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
1732         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
1733         * assembler/MacroAssemblerARMv7.h:
1734         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
1735         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
1736         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
1737         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
1738         * assembler/MacroAssemblerMIPS.h:
1739         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1740         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1741         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
1742         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
1743         * assembler/MacroAssemblerSH4.h:
1744         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
1745         (JSC::MacroAssemblerSH4::load8):
1746         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
1747         (JSC::MacroAssemblerSH4::load16):
1748         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
1749         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
1750         * assembler/MacroAssemblerX86Common.h:
1751         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
1752         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
1753         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
1754         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
1755         * dfg/DFGSpeculativeJIT.cpp:
1756         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1757         * jit/JITPropertyAccess.cpp:
1758         (JSC::JIT::emitIntTypedArrayGetByVal):
1759
1760 2015-03-27  Michael Saboff  <msaboff@apple.com>
1761
1762         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
1763         https://bugs.webkit.org/show_bug.cgi?id=138390
1764
1765         Reviewed by Mark Lam.
1766
1767         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
1768         instead of 64 bits.  This is what X86-64 does.
1769
1770         * assembler/MacroAssemblerARM64.h:
1771         (JSC::MacroAssemblerARM64::load16Signed):
1772         (JSC::MacroAssemblerARM64::load8Signed):
1773
1774 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1775
1776         Add back previously broken assert from bug 141869
1777         https://bugs.webkit.org/show_bug.cgi?id=143005
1778
1779         Reviewed by Michael Saboff.
1780
1781         * runtime/ExceptionHelpers.cpp:
1782         (JSC::invalidParameterInSourceAppender):
1783
1784 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1785
1786         Make some more objects use FastMalloc
1787         https://bugs.webkit.org/show_bug.cgi?id=143122
1788
1789         Reviewed by Csaba Osztrogonác.
1790
1791         * API/JSCallbackObject.h:
1792         * heap/IncrementalSweeper.h:
1793         * jit/JITThunks.h:
1794         * runtime/JSGlobalObjectDebuggable.h:
1795         * runtime/RegExpCache.h:
1796
1797 2015-03-27  Michael Saboff  <msaboff@apple.com>
1798
1799         Objects with numeric properties intermittently get a phantom 'length' property
1800         https://bugs.webkit.org/show_bug.cgi?id=142792
1801
1802         Reviewed by Csaba Osztrogonác.
1803
1804         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
1805         test and branch instructions.  This function is used for linking tbz/tbnz branches between
1806         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
1807         the failure case checks in the GetById array length stub created for "obj.length" access.
1808         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
1809         being set when we should have been looking for bit 0.
1810
1811         * assembler/ARM64Assembler.h:
1812         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
1813
1814 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1815
1816         Insert exception check around toPropertyKey call
1817         https://bugs.webkit.org/show_bug.cgi?id=142922
1818
1819         Reviewed by Geoffrey Garen.
1820
1821         In some places, the exception check is missing after/before toPropertyKey.
1822         However, since it calls toString, it's observable to users.
1823
1824         Missing exception checks in Object.prototype methods can be
1825         observed since it would be overridden with toObject(null/undefined) errors.
1826         We inserted exception checks after toPropertyKey.
1827
1828         Missing exception checks in GetById related code can be
1829         observed since it would be overridden with toObject(null/undefined) errors.
1830         In this case, we need to insert exception checks before/after toPropertyKey
1831         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
1832
1833         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
1834         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
1835         According to the spec, we first perform RequireObjectCoercible and check the exception.
1836         And second, we perform ToPropertyKey and check the exception.
1837         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
1838         For example, if the target is not object coercible,
1839         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
1840         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
1841
1842         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
1843
1844         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
1845
1846         toObject converts primitive types into wrapper objects.
1847         But it is not efficient since wrapper objects are not necessary
1848         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
1849
1850         2. Using the result of toObject is not correct to the spec.
1851
1852         To align to the spec correctly, we cannot use JSObject::get
1853         by using the wrapper object produced by the toObject suggested in (1).
1854         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
1855         It is not correct since getter should be called with the original |this| value that may be primitive types.
1856
1857         So in this patch, we use JSValue::requireObjectCoercible
1858         to check the target is object coercible and raise an error if it's not.
1859
1860         * dfg/DFGOperations.cpp:
1861         * jit/JITOperations.cpp:
1862         (JSC::getByVal):
1863         * llint/LLIntSlowPaths.cpp:
1864         (JSC::LLInt::getByVal):
1865         * runtime/CommonSlowPaths.cpp:
1866         (JSC::SLOW_PATH_DECL):
1867         * runtime/JSCJSValue.h:
1868         * runtime/JSCJSValueInlines.h:
1869         (JSC::JSValue::requireObjectCoercible):
1870         * runtime/ObjectPrototype.cpp:
1871         (JSC::objectProtoFuncHasOwnProperty):
1872         (JSC::objectProtoFuncDefineGetter):
1873         (JSC::objectProtoFuncDefineSetter):
1874         (JSC::objectProtoFuncLookupGetter):
1875         (JSC::objectProtoFuncLookupSetter):
1876         (JSC::objectProtoFuncPropertyIsEnumerable):
1877         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
1878         (shouldThrow):
1879         (if):
1880         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
1881         (shouldThrow):
1882         (.):
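
Added example, not code from the WebKit patch or its stress tests: it makes the ordering described in the entry above observable by using a property key whose toString records that it ran and then throws. It covers the two cases the entry distinguishes (an Object.prototype method, where ToPropertyKey runs before ToObject, and a base[key] access, where RequireObjectCoercible runs first) and reason (2), a getter that must see the original primitive as |this|. The names makeSpyKey, probe* and receiverTypeProbe are made up for this example.

```javascript
// Added example, not code from the WebKit patch; helper names are made up.

// Builds a property key whose ToPropertyKey step is observable: its toString
// logs the call and throws, so we can see whether and when it was invoked.
function makeSpyKey(log) {
  return {
    toString() {
      log.push("toString");
      throw new Error("from toString");
    },
  };
}

// Object.prototype.hasOwnProperty performs ToPropertyKey(V) before
// ToObject(this), so with a null receiver the error thrown by toString must
// propagate and must not be replaced by the TypeError from ToObject(null).
function probeHasOwnPropertyOnNull() {
  const log = [];
  try {
    Object.prototype.hasOwnProperty.call(null, makeSpyKey(log));
    return { log, errorName: null, message: null };
  } catch (e) {
    return { log, errorName: e.constructor.name, message: e.message };
  }
}

// base[key] performs RequireObjectCoercible(base) before ToPropertyKey(key),
// so a null base throws TypeError and the key's toString is never invoked.
function probeGetByValOnNull() {
  const log = [];
  const key = makeSpyKey(log);
  try {
    null[key];
    return { log, errorName: null };
  } catch (e) {
    return { log, errorName: e.constructor.name };
  }
}

// Reason (2) in the entry: a getter found on a primitive's prototype must be
// called with the original primitive as |this|, not with a wrapper object. A
// strict-mode getter makes the difference visible through typeof this.
function probeGetterReceiverOnPrimitive() {
  Object.defineProperty(String.prototype, "receiverTypeProbe", {
    configurable: true,
    get() {
      "use strict";
      return typeof this; // "string" for a primitive receiver, "object" for a wrapper
    },
  });
  try {
    return "abc".receiverTypeProbe;
  } finally {
    delete String.prototype.receiverTypeProbe; // leave the builtin prototype untouched
  }
}
```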
1883
1884 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1885
1886         WebContent Crash when instantiating class with Type Profiling enabled
1887         https://bugs.webkit.org/show_bug.cgi?id=143037
1888
1889         Reviewed by Ryosuke Niwa.
1890
1891         * bytecompiler/BytecodeGenerator.h:
1892         * bytecompiler/BytecodeGenerator.cpp:
1893         (JSC::BytecodeGenerator::BytecodeGenerator):
1894         (JSC::BytecodeGenerator::emitMoveEmptyValue):
1895         We cannot profile the type of an uninitialized empty JSValue.
1896         Nor do we expect this to be necessary, since it is effectively
1897         an unseen undefined value. So add a way to put the empty value
1898         without profiling.
1899
1900         (JSC::BytecodeGenerator::emitMove):
1901         Add an assert to try to catch this issue early on, and force
1902         callers to explicitly use emitMoveEmptyValue instead.
1903
1904         * tests/typeProfiler/classes.js: Added.
1905         (wrapper.Base):
1906         (wrapper.Derived):
1907         (wrapper):
1908         Add test coverage both for this case and classes in general.
1909
1910 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1911
1912         Web Inspector: ES6: Provide a better view for Classes in the console
1913         https://bugs.webkit.org/show_bug.cgi?id=142999
1914
1915         Reviewed by Timothy Hatcher.
1916
1917         * inspector/protocol/Runtime.json:
1918         Provide a new `subtype` enum "class". This is a subtype of `type`
1919         "function", all other subtypes are subtypes of `object` types.
1920         For a class, the frontend will immediately want to get the prototype
1921         to enumerate its methods, so include the `classPrototype`.
1922
1923         * inspector/JSInjectedScriptHost.cpp:
1924         (Inspector::JSInjectedScriptHost::subtype):
1925         Denote class construction functions as "class" subtypes.
1926
1927         * inspector/InjectedScriptSource.js:
1928         Handling for the new "class" type.
1929
1930         * bytecode/UnlinkedCodeBlock.h:
1931         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
1932         * runtime/Executable.h:
1933         (JSC::FunctionExecutable::isClassConstructorFunction):
1934         * runtime/JSFunction.h:
1935         * runtime/JSFunctionInlines.h:
1936         (JSC::JSFunction::isClassConstructorFunction):
1937         Check if this function is a class constructor function. That information
1938         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
1939
1940 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1941
1942         Function.prototype.toString should not decompile the AST
1943         https://bugs.webkit.org/show_bug.cgi?id=142853
1944
1945         Reviewed by Darin Adler.
1946
1947         Following up on Darin's review comments.
1948
1949         * runtime/FunctionConstructor.cpp:
1950         (JSC::constructFunctionSkippingEvalEnabledCheck):
1951
1952 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1953
1954         "lineNo" does not match WebKit coding style guidelines
1955         https://bugs.webkit.org/show_bug.cgi?id=143119
1956
1957         Reviewed by Michael Saboff.
1958
1959         We can afford to use whole words.
1960
1961         * bytecode/CodeBlock.cpp:
1962         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1963         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
1964         * bytecode/UnlinkedCodeBlock.cpp:
1965         (JSC::UnlinkedFunctionExecutable::link):
1966         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1967         * bytecode/UnlinkedCodeBlock.h:
1968         * bytecompiler/NodesCodegen.cpp:
1969         (JSC::WhileNode::emitBytecode):
1970         * debugger/Debugger.cpp:
1971         (JSC::Debugger::toggleBreakpoint):
1972         * interpreter/Interpreter.cpp:
1973         (JSC::StackFrame::computeLineAndColumn):
1974         (JSC::GetStackTraceFunctor::operator()):
1975         (JSC::Interpreter::execute):
1976         * interpreter/StackVisitor.cpp:
1977         (JSC::StackVisitor::Frame::computeLineAndColumn):
1978         * parser/Nodes.h:
1979         (JSC::Node::firstLine):
1980         (JSC::Node::lineNo): Deleted.
1981         (JSC::StatementNode::firstLine): Deleted.
1982         * parser/ParserError.h:
1983         (JSC::ParserError::toErrorObject):
1984         * profiler/LegacyProfiler.cpp:
1985         (JSC::createCallIdentifierFromFunctionImp):
1986         * runtime/CodeCache.cpp:
1987         (JSC::CodeCache::getGlobalCodeBlock):
1988         * runtime/Executable.cpp:
1989         (JSC::ScriptExecutable::ScriptExecutable):
1990         (JSC::ScriptExecutable::newCodeBlockFor):
1991         (JSC::FunctionExecutable::fromGlobalCode):
1992         * runtime/Executable.h:
1993         (JSC::ScriptExecutable::firstLine):
1994         (JSC::ScriptExecutable::setOverrideLineNumber):
1995         (JSC::ScriptExecutable::hasOverrideLineNumber):
1996         (JSC::ScriptExecutable::overrideLineNumber):
1997         (JSC::ScriptExecutable::lineNo): Deleted.
1998         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
1999         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
2000         (JSC::ScriptExecutable::overrideLineNo): Deleted.
2001         * runtime/FunctionConstructor.cpp:
2002         (JSC::constructFunctionSkippingEvalEnabledCheck):
2003         * runtime/FunctionConstructor.h:
2004         * tools/CodeProfile.cpp:
2005         (JSC::CodeProfile::report):
2006         * tools/CodeProfile.h:
2007         (JSC::CodeProfile::CodeProfile):
2008
2009 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
2010
2011         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
2012         https://bugs.webkit.org/show_bug.cgi?id=142974
2013
2014         Reviewed by Joseph Pecoraro.
2015
2016         This patch does two things:
2017
2018         (1) Restore JavaScriptCore's sanitization of line and column numbers to
2019         one-based values.
2020
2021         We need this because WebCore sometimes provides huge negative column
2022         numbers.
2023
2024         (2) Solve the attribute event listener line numbering problem a different
2025         way: Rather than offsetting all line numbers by -1 in an attribute event
2026         listener in order to arrange for a custom result, instead use an explicit
2027         feature for saying "all errors in this code should map to this line number".
2028
2029         * bytecode/UnlinkedCodeBlock.cpp:
2030         (JSC::UnlinkedFunctionExecutable::link):
2031         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2032         * bytecode/UnlinkedCodeBlock.h:
2033         * interpreter/Interpreter.cpp:
2034         (JSC::StackFrame::computeLineAndColumn):
2035         (JSC::GetStackTraceFunctor::operator()):
2036         * interpreter/Interpreter.h:
2037         * interpreter/StackVisitor.cpp:
2038         (JSC::StackVisitor::Frame::computeLineAndColumn):
2039         * parser/ParserError.h:
2040         (JSC::ParserError::toErrorObject): Plumb through an override line number.
2041         When a function has an override line number, all syntax and runtime
2042         errors in the function will map to it. This is useful for attribute event
2043         listeners.
2044  
2045         * parser/SourceCode.h:
2046         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
2047         column numbers to one-based integers. It was kind of a hack to remove this.
2048
2049         * runtime/Executable.cpp:
2050         (JSC::ScriptExecutable::ScriptExecutable):
2051         (JSC::FunctionExecutable::fromGlobalCode):
2052         * runtime/Executable.h:
2053         (JSC::ScriptExecutable::setOverrideLineNo):
2054         (JSC::ScriptExecutable::hasOverrideLineNo):
2055         (JSC::ScriptExecutable::overrideLineNo):
2056         * runtime/FunctionConstructor.cpp:
2057         (JSC::constructFunctionSkippingEvalEnabledCheck):
2058         * runtime/FunctionConstructor.h: Plumb through an override line number.
2059
2060 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2061
2062         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
2063
2064         Reviewed by Michael Saboff.
2065
2066         * jit/JITPropertyAccess.cpp:
2067         (JSC::JIT::emitScopedArgumentsGetByVal):
2068         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
2069
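        Added example (the editor's, not code from the WebKit ChangeLog or the JSC test suite) for the scoped-then-direct arguments entry above and for the DirectArguments / ScopedArguments / ClonedArguments split that the "Heap variables shouldn't end up in the stack frame" entry below introduces. The mapping from function shape to runtime class (no captured parameter: DirectArguments; a parameter captured by a closure: ScopedArguments; strict mode: ClonedArguments) is the editor's reading of JSC and is not stated on this page; the aliasing behaviour the code checks is plain ECMAScript and runs in any engine. The names sloppy, directArgs, scopedArgs, clonedArgs, readFirst, makeScoped, makeDirect and scopedThenDirect are chosen for the example and are not JSC identifiers.

```javascript
// Added example (editor's); not code from WebKit or the JSC test suite.
// JSC backs `arguments` with three runtime classes after the "heap variables"
// change. The mapping below is the editor's reading of JSC, not stated in the
// ChangeLog; the aliasing behaviour asserted here is plain ECMAScript:
//   DirectArguments  sloppy function, no parameter captured by a closure
//   ScopedArguments  sloppy function with a captured parameter, so
//                    arguments[i] must alias the slot in the heap activation
//   ClonedArguments  strict function, arguments[i] is a detached copy
//
// Sloppy-mode functions are built with the Function constructor, which always
// produces non-strict functions, so the example behaves the same whether this
// file is loaded as a CommonJS script or as a strict ES module.
const sloppy = (params, body) => new Function(params, body);

// No closure captures `a`, so `a` can stay on the stack: DirectArguments.
const directArgs = sloppy('a', `
  arguments[0] = 42;          // sloppy mode: writes through to a
  return a;                   // 42
`);

// `a` is captured by bump(), so it lives in the activation and arguments[0]
// has to read and write that same heap slot: ScopedArguments.
const scopedArgs = sloppy('a', `
  function bump() { a += 1; }
  bump();                     // a: 1 -> 2
  arguments[0] = 42;          // a: 2 -> 42 through the alias
  bump();                     // a: 42 -> 43
  return a;                   // 43
`);

// Strict mode: arguments is a snapshot, so writing to it leaves `a` alone.
function clonedArgs(a) {
  'use strict';
  arguments[0] = 42;
  return [a, arguments[0]];   // [a unchanged, 42]
}

// One get-by-index site that is fed ScopedArguments objects first and
// DirectArguments objects afterwards: the call pattern the
// scoped-then-direct regression test above is named for. The engine must
// check which arguments class it actually holds at this site before taking
// a class-specific fast path; the JS-level result is the same either way.
function readFirst(args) {
  return args[0];
}

const makeScoped = sloppy('a', `
  function keep() { return a; } // captures a -> ScopedArguments
  keep();
  return arguments;
`);

const makeDirect = sloppy('a', `
  return arguments;             // nothing captured -> DirectArguments
`);

function scopedThenDirect(iterations) {
  let sum = 0;
  for (let i = 0; i < iterations; i++) sum += readFirst(makeScoped(i));
  for (let i = 0; i < iterations; i++) sum += readFirst(makeDirect(i));
  return sum;                   // 2 * (0 + 1 + ... + (iterations - 1))
}
```

        In an engine without tiered compilation scopedThenDirect simply returns the arithmetic sum; under JSC the point of the two loops is that the single property access in readFirst is first specialised on one arguments class and then handed the other, which is exactly the situation in which a check against the wrong class, as the entry above describes, would let an object of the other class reach a fast path that was not written for it.
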
2070 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2071
2072         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
2073         https://bugs.webkit.org/show_bug.cgi?id=143098
2074
2075         Reviewed by Csaba Osztrogonác.
2076
2077         * ftl/FTLLowerDFGToLLVM.cpp:
2078         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
2079         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
2080
2081 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
2082
2083         Unreviewed gardening, skip failing tests on AArch64 Linux.
2084
2085         * tests/mozilla/mozilla-tests.yaml:
2086         * tests/stress/cached-prototype-setter.js:
2087
2088 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2089
2090         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
2091
2092         * dfg/DFGConstantFoldingPhase.cpp:
2093         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
2094         * ftl/FTLCompile.cpp:
2095         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
2096         * ftl/FTLState.cpp:
2097         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
2098         * ftl/FTLState.h:
2099
2100 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2101
2102         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
2103         right, so this just makes 32-bit do the same.
2104
2105         * dfg/DFGSpeculativeJIT32_64.cpp:
2106         (JSC::DFG::SpeculativeJIT::emitCall):
2107
2108 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2109
2110         Fix a typo that ggaren found but that I didn't fix before.
2111
2112         * runtime/DirectArgumentsOffset.h:
2113
2114 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2115
2116         Unreviewed, VC found a bug. This fixes the bug.
2117
2118         * dfg/DFGConstantFoldingPhase.cpp:
2119         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2120
2121 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2122
2123         Unreviewed, try to fix Windows build.
2124
2125         * runtime/ClonedArguments.cpp:
2126         (JSC::ClonedArguments::createWithInlineFrame):
2127
2128 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2129
2130         Unreviewed, fix debug build.
2131
2132         * bytecompiler/NodesCodegen.cpp:
2133         (JSC::ConstDeclNode::emitCodeSingle):
2134
2135 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2136
2137         Unreviewed, fix CLOOP build.
2138
2139         * dfg/DFGMinifiedID.h:
2140
2141 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2142
2143         Heap variables shouldn't end up in the stack frame
2144         https://bugs.webkit.org/show_bug.cgi?id=141174
2145
2146         Reviewed by Geoffrey Garen.
2147         
2148         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
2149         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
2150         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
2151         simplifications:
2152         
2153         - Accesses to variables no longer need checks or indirections to determine where the variable is
2154           at that moment in time. For example, loading a closure variable now takes just one load instead
2155           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
2156           (when no arguments object allocation is required) while previously that same operation required
2157           a "did I allocate arguments yet" check, a bounds check, and then the load.
2158         
2159         - Reasoning about the allocation of an activation or arguments object now follows the same simple
2160           logic as the allocation of any other kind of object. Previously, those objects were lazily
2161           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
2162           allocate anything at all. This made the implementation of traditional escape analyses really
2163           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
2164           arguments object using the usual SSA tricks which allows for more comprehensive removal.
2165         
2166         - The allocations of arguments objects, functions, and activations are now much faster. While
2167           this patch generally expands our ability to eliminate arguments object allocations, an earlier
2168           version of the patch - which lacked that functionality - was a progression on some arguments-
2169           and closure-happy benchmarks because although no allocations were eliminated, all allocations
2170           were faster.
2171         
2172         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
2173           its arguments objects or activations. The runtime doesn't have to do things to the arguments
2174           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
2175           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
2176           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
2177           now gone. This also enables implementing block-scoping. Without this change, block-scope
2178           support would require telling CodeBlock and all of the rest of the runtime about all of the
2179           variables that store currently-live scopes. That would have been so disastrously hard that it
2180           might as well be impossible. With this change, it's fair game for the bytecode generator to
2181           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
2182           however long it wants. This all works, because after bytecode generation, an activation is just
2183           an object and variables that refer to it are just normal variables.
2184         
2185         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
2186           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
2187           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
2188           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
2189           an arguments object.
2190         
2191         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
2192           using activations used to prevent inlining; now functions that use activations can be inlined
2193           just fine.
2194         
2195         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
2196         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
2197         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
2198         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
2199         
2200         The easiest way of understanding this change is to start by looking at the changes in runtime/,
2201         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
2202
2203         * CMakeLists.txt:
2204         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2205         * JavaScriptCore.xcodeproj/project.pbxproj:
2206         * assembler/AbortReason.h:
2207         * assembler/AbstractMacroAssembler.h:
2208         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
2209         * bytecode/ByValInfo.h:
2210         (JSC::hasOptimizableIndexingForJSType):
2211         (JSC::hasOptimizableIndexing):
2212         (JSC::jitArrayModeForJSType):
2213         (JSC::jitArrayModePermitsPut):
2214         (JSC::jitArrayModeForStructure):
2215         * bytecode/BytecodeKills.h: Added.
2216         (JSC::BytecodeKills::BytecodeKills):
2217         (JSC::BytecodeKills::operandIsKilled):
2218         (JSC::BytecodeKills::forEachOperandKilledAt):
2219         (JSC::BytecodeKills::KillSet::KillSet):
2220         (JSC::BytecodeKills::KillSet::add):
2221         (JSC::BytecodeKills::KillSet::forEachLocal):
2222         (JSC::BytecodeKills::KillSet::contains):
2223         * bytecode/BytecodeList.json:
2224         * bytecode/BytecodeLivenessAnalysis.cpp:
2225         (JSC::isValidRegisterForLiveness):
2226         (JSC::stepOverInstruction):
2227         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
2228         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
2229         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
2230         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2231         (JSC::BytecodeLivenessAnalysis::computeKills):
2232         (JSC::indexForOperand): Deleted.
2233         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
2234         (JSC::getLivenessInfo): Deleted.
2235         * bytecode/BytecodeLivenessAnalysis.h:
2236         * bytecode/BytecodeLivenessAnalysisInlines.h:
2237         (JSC::operandIsAlwaysLive):
2238         (JSC::operandThatIsNotAlwaysLiveIsLive):
2239         (JSC::operandIsLive):
2240         * bytecode/BytecodeUseDef.h:
2241         (JSC::computeUsesForBytecodeOffset):
2242         (JSC::computeDefsForBytecodeOffset):
2243         * bytecode/CodeBlock.cpp:
2244         (JSC::CodeBlock::dumpBytecode):
2245         (JSC::CodeBlock::CodeBlock):
2246         (JSC::CodeBlock::nameForRegister):
2247         (JSC::CodeBlock::validate):
2248         (JSC::CodeBlock::isCaptured): Deleted.
2249         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
2250         (JSC::CodeBlock::machineSlowArguments): Deleted.
2251         * bytecode/CodeBlock.h:
2252         (JSC::unmodifiedArgumentsRegister): Deleted.
2253         (JSC::CodeBlock::setArgumentsRegister): Deleted.
2254         (JSC::CodeBlock::argumentsRegister): Deleted.
2255         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
2256         (JSC::CodeBlock::usesArguments): Deleted.
2257         (JSC::CodeBlock::captureCount): Deleted.
2258         (JSC::CodeBlock::captureStart): Deleted.
2259         (JSC::CodeBlock::captureEnd): Deleted.
2260         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
2261         (JSC::CodeBlock::hasSlowArguments): Deleted.
2262         (JSC::ExecState::argumentAfterCapture): Deleted.
2263         * bytecode/CodeOrigin.h:
2264         * bytecode/DataFormat.h:
2265         (JSC::dataFormatToString):
2266         * bytecode/FullBytecodeLiveness.h:
2267         (JSC::FullBytecodeLiveness::getLiveness):
2268         (JSC::FullBytecodeLiveness::operandIsLive):
2269         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
2270         (JSC::FullBytecodeLiveness::getOut): Deleted.
2271         * bytecode/Instruction.h:
2272         (JSC::Instruction::Instruction):
2273         * bytecode/Operands.h:
2274         (JSC::Operands::virtualRegisterForIndex):
2275         * bytecode/SpeculatedType.cpp:
2276         (JSC::dumpSpeculation):
2277         (JSC::speculationToAbbreviatedString):
2278         (JSC::speculationFromClassInfo):
2279         * bytecode/SpeculatedType.h:
2280         (JSC::isDirectArgumentsSpeculation):
2281         (JSC::isScopedArgumentsSpeculation):
2282         (JSC::isActionableMutableArraySpeculation):
2283         (JSC::isActionableArraySpeculation):
2284         (JSC::isArgumentsSpeculation): Deleted.
2285         * bytecode/UnlinkedCodeBlock.cpp:
2286         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2287         * bytecode/UnlinkedCodeBlock.h:
2288         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
2289         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
2290         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
2291         * bytecode/ValueRecovery.cpp:
2292         (JSC::ValueRecovery::dumpInContext):
2293         * bytecode/ValueRecovery.h:
2294         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
2295         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
2296         (JSC::ValueRecovery::nodeID):
2297         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
2298         * bytecode/VirtualRegister.h:
2299         (JSC::VirtualRegister::operator==):
2300         (JSC::VirtualRegister::operator!=):
2301         (JSC::VirtualRegister::operator<):
2302         (JSC::VirtualRegister::operator>):
2303         (JSC::VirtualRegister::operator<=):
2304         (JSC::VirtualRegister::operator>=):
2305         * bytecompiler/BytecodeGenerator.cpp:
2306         (JSC::BytecodeGenerator::generate):
2307         (JSC::BytecodeGenerator::BytecodeGenerator):
2308         (JSC::BytecodeGenerator::initializeNextParameter):
2309         (JSC::BytecodeGenerator::visibleNameForParameter):
2310         (JSC::BytecodeGenerator::emitMove):
2311         (JSC::BytecodeGenerator::variable):
2312         (JSC::BytecodeGenerator::createVariable):
2313         (JSC::BytecodeGenerator::emitResolveScope):
2314         (JSC::BytecodeGenerator::emitGetFromScope):
2315         (JSC::BytecodeGenerator::emitPutToScope):
2316         (JSC::BytecodeGenerator::initializeVariable):
2317         (JSC::BytecodeGenerator::emitInstanceOf):
2318         (JSC::BytecodeGenerator::emitNewFunction):
2319         (JSC::BytecodeGenerator::emitNewFunctionInternal):
2320         (JSC::BytecodeGenerator::emitCall):
2321         (JSC::BytecodeGenerator::emitReturn):
2322         (JSC::BytecodeGenerator::emitConstruct):
2323         (JSC::BytecodeGenerator::isArgumentNumber):
2324         (JSC::BytecodeGenerator::emitEnumeration):
2325         (JSC::BytecodeGenerator::addVar): Deleted.
2326         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
2327         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
2328         (JSC::BytecodeGenerator::resolveCallee): Deleted.
2329         (JSC::BytecodeGenerator::addCallee): Deleted.
2330         (JSC::BytecodeGenerator::addParameter): Deleted.
2331         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
2332         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
2333         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
2334         (JSC::BytecodeGenerator::isCaptured): Deleted.
2335         (JSC::BytecodeGenerator::local): Deleted.
2336         (JSC::BytecodeGenerator::constLocal): Deleted.
2337         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
2338         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
2339         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
2340         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
2341         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
2342         * bytecompiler/BytecodeGenerator.h:
2343         (JSC::Variable::Variable):
2344         (JSC::Variable::isResolved):
2345         (JSC::Variable::ident):
2346         (JSC::Variable::offset):
2347         (JSC::Variable::isLocal):
2348         (JSC::Variable::local):
2349         (JSC::Variable::isSpecial):
2350         (JSC::BytecodeGenerator::argumentsRegister):
2351         (JSC::BytecodeGenerator::emitNode):
2352         (JSC::BytecodeGenerator::registerFor):
2353         (JSC::Local::Local): Deleted.
2354         (JSC::Local::operator bool): Deleted.
2355         (JSC::Local::get): Deleted.
2356         (JSC::Local::isSpecial): Deleted.
2357         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
2358         (JSC::ResolveScopeInfo::isLocal): Deleted.
2359         (JSC::ResolveScopeInfo::localIndex): Deleted.
2360         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
2361         (JSC::BytecodeGenerator::captureMode): Deleted.
2362         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
2363         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
2364         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
2365         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
2366         * bytecompiler/NodesCodegen.cpp:
2367         (JSC::ResolveNode::isPure):
2368         (JSC::ResolveNode::emitBytecode):
2369         (JSC::BracketAccessorNode::emitBytecode):
2370         (JSC::DotAccessorNode::emitBytecode):
2371         (JSC::EvalFunctionCallNode::emitBytecode):
2372         (JSC::FunctionCallResolveNode::emitBytecode):
2373         (JSC::CallFunctionCallDotNode::emitBytecode):
2374         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2375         (JSC::PostfixNode::emitResolve):
2376         (JSC::DeleteResolveNode::emitBytecode):
2377         (JSC::TypeOfResolveNode::emitBytecode):
2378         (JSC::PrefixNode::emitResolve):
2379         (JSC::ReadModifyResolveNode::emitBytecode):
2380         (JSC::AssignResolveNode::emitBytecode):
2381         (JSC::ConstDeclNode::emitCodeSingle):
2382         (JSC::EmptyVarExpression::emitBytecode):
2383         (JSC::ForInNode::tryGetBoundLocal):
2384         (JSC::ForInNode::emitLoopHeader):
2385         (JSC::ForOfNode::emitBytecode):
2386         (JSC::ArrayPatternNode::emitDirectBinding):
2387         (JSC::BindingNode::bindValue):
2388         (JSC::getArgumentByVal): Deleted.
2389         * dfg/DFGAbstractHeap.h:
2390         * dfg/DFGAbstractInterpreter.h:
2391         * dfg/DFGAbstractInterpreterInlines.h:
2392         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2393         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
2394         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
2395         * dfg/DFGAbstractValue.h:
2396         * dfg/DFGArgumentPosition.h:
2397         (JSC::DFG::ArgumentPosition::addVariable):
2398         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
2399         (JSC::DFG::performArgumentsElimination):
2400         * dfg/DFGArgumentsEliminationPhase.h: Added.
2401         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
2402         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
2403         * dfg/DFGArgumentsUtilities.cpp: Added.
2404         (JSC::DFG::argumentsInvolveStackSlot):
2405         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2406         * dfg/DFGArgumentsUtilities.h: Added.
2407         * dfg/DFGArrayMode.cpp:
2408         (JSC::DFG::ArrayMode::refine):
2409         (JSC::DFG::ArrayMode::alreadyChecked):
2410         (JSC::DFG::arrayTypeToString):
2411         * dfg/DFGArrayMode.h:
2412         (JSC::DFG::ArrayMode::canCSEStorage):
2413         (JSC::DFG::ArrayMode::modeForPut):
2414         * dfg/DFGAvailabilityMap.cpp:
2415         (JSC::DFG::AvailabilityMap::prune):
2416         * dfg/DFGAvailabilityMap.h:
2417         (JSC::DFG::AvailabilityMap::closeOverNodes):
2418         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
2419         * dfg/DFGBackwardsPropagationPhase.cpp:
2420         (JSC::DFG::BackwardsPropagationPhase::propagate):
2421         * dfg/DFGByteCodeParser.cpp:
2422         (JSC::DFG::ByteCodeParser::newVariableAccessData):
2423         (JSC::DFG::ByteCodeParser::getLocal):
2424         (JSC::DFG::ByteCodeParser::setLocal):
2425         (JSC::DFG::ByteCodeParser::getArgument):
2426         (JSC::DFG::ByteCodeParser::setArgument):
2427         (JSC::DFG::ByteCodeParser::flushDirect):
2428         (JSC::DFG::ByteCodeParser::flush):
2429         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
2430         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2431         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2432         (JSC::DFG::ByteCodeParser::handleInlining):
2433         (JSC::DFG::ByteCodeParser::parseBlock):
2434         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2435         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2436         * dfg/DFGCPSRethreadingPhase.cpp:
2437         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
2438         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2439         * dfg/DFGCSEPhase.cpp:
2440         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
2441         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
2442         * dfg/DFGCapabilities.cpp:
2443         (JSC::DFG::isSupportedForInlining):
2444         (JSC::DFG::capabilityLevel):
2445         * dfg/DFGClobberize.h:
2446         (JSC::DFG::clobberize):
2447         * dfg/DFGCommon.h:
2448         * dfg/DFGCommonData.h:
2449         (JSC::DFG::CommonData::CommonData):
2450         * dfg/DFGConstantFoldingPhase.cpp:
2451         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2452         * dfg/DFGDCEPhase.cpp:
2453         (JSC::DFG::DCEPhase::cleanVariables):
2454         * dfg/DFGDisassembler.h:
2455         * dfg/DFGDoesGC.cpp:
2456         (JSC::DFG::doesGC):
2457         * dfg/DFGFixupPhase.cpp:
2458         (JSC::DFG::FixupPhase::fixupNode):
2459         * dfg/DFGFlushFormat.cpp:
2460         (WTF::printInternal):
2461         * dfg/DFGFlushFormat.h:
2462         (JSC::DFG::resultFor):
2463         (JSC::DFG::useKindFor):
2464         (JSC::DFG::dataFormatFor):
2465         * dfg/DFGForAllKills.h: Added.
2466         (JSC::DFG::forAllLiveNodesAtTail):
2467         (JSC::DFG::forAllDirectlyKilledOperands):
2468         (JSC::DFG::forAllKilledOperands):
2469         (JSC::DFG::forAllKilledNodesAtNodeIndex):
2470         (JSC::DFG::forAllKillsInBlock):
2471         * dfg/DFGGraph.cpp:
2472         (JSC::DFG::Graph::Graph):
2473         (JSC::DFG::Graph::dump):
2474         (JSC::DFG::Graph::substituteGetLocal):
2475         (JSC::DFG::Graph::livenessFor):
2476         (JSC::DFG::Graph::killsFor):
2477         (JSC::DFG::Graph::tryGetConstantClosureVar):
2478         (JSC::DFG::Graph::tryGetRegisters): Deleted.
2479         * dfg/DFGGraph.h:
2480         (JSC::DFG::Graph::symbolTableFor):
2481         (JSC::DFG::Graph::uses):
2482         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
2483         (JSC::DFG::Graph::capturedVarsFor): Deleted.
2484         (JSC::DFG::Graph::usesArguments): Deleted.
2485         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
2486         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
2487         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
2488         * dfg/DFGHeapLocation.cpp:
2489         (WTF::printInternal):
2490         * dfg/DFGHeapLocation.h:
2491         * dfg/DFGInPlaceAbstractState.cpp:
2492         (JSC::DFG::InPlaceAbstractState::initialize):
2493         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2494         * dfg/DFGJITCompiler.cpp:
2495         (JSC::DFG::JITCompiler::link):
2496         * dfg/DFGMayExit.cpp:
2497         (JSC::DFG::mayExit):
2498         * dfg/DFGMinifiedID.h:
2499         * dfg/DFGMinifiedNode.cpp:
2500         (JSC::DFG::MinifiedNode::fromNode):
2501         * dfg/DFGMinifiedNode.h:
2502         (JSC::DFG::belongsInMinifiedGraph):
2503         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
2504         (JSC::DFG::MinifiedNode::inlineCallFrame):
2505         * dfg/DFGNode.cpp:
2506         (JSC::DFG::Node::convertToIdentityOn):
2507         * dfg/DFGNode.h:
2508         (JSC::DFG::Node::hasConstant):
2509         (JSC::DFG::Node::constant):
2510         (JSC::DFG::Node::hasScopeOffset):
2511         (JSC::DFG::Node::scopeOffset):
2512         (JSC::DFG::Node::hasDirectArgumentsOffset):
2513         (JSC::DFG::Node::capturedArgumentsOffset):
2514         (JSC::DFG::Node::variablePointer):
2515         (JSC::DFG::Node::hasCallVarargsData):
2516         (JSC::DFG::Node::hasLoadVarargsData):
2517         (JSC::DFG::Node::hasHeapPrediction):
2518         (JSC::DFG::Node::hasCellOperand):
2519         (JSC::DFG::Node::objectMaterializationData):
2520         (JSC::DFG::Node::isPhantomAllocation):
2521         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2522         (JSC::DFG::Node::shouldSpeculateDirectArguments):
2523         (JSC::DFG::Node::shouldSpeculateScopedArguments):
2524         (JSC::DFG::Node::isPhantomArguments): Deleted.
2525         (JSC::DFG::Node::hasVarNumber): Deleted.
2526         (JSC::DFG::Node::varNumber): Deleted.
2527         (JSC::DFG::Node::registerPointer): Deleted.
2528         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
2529         * dfg/DFGNodeType.h:
2530         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2531         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2532         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2533         * dfg/DFGOSRExitCompiler.cpp:
2534         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
2535         * dfg/DFGOSRExitCompiler.h:
2536         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
2537         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
2538         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
2539         * dfg/DFGOSRExitCompiler32_64.cpp:
2540         (JSC::DFG::OSRExitCompiler::compileExit):
2541         * dfg/DFGOSRExitCompiler64.cpp:
2542         (JSC::DFG::OSRExitCompiler::compileExit):
2543         * dfg/DFGOSRExitCompilerCommon.cpp:
2544         (JSC::DFG::reifyInlinedCallFrames):
2545         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
2546         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
2547         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
2548         * dfg/DFGOSRExitCompilerCommon.h:
2549         * dfg/DFGOperations.cpp:
2550         * dfg/DFGOperations.h:
2551         * dfg/DFGPlan.cpp:
2552         (JSC::DFG::Plan::compileInThreadImpl):
2553         * dfg/DFGPreciseLocalClobberize.h:
2554         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
2555         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
2556         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
2557         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2558         (JSC::DFG::preciseLocalClobberize):
2559         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
2560         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
2561         * dfg/DFGPredictionPropagationPhase.cpp:
2562         (JSC::DFG::PredictionPropagationPhase::run):
2563         (JSC::DFG::PredictionPropagationPhase::propagate):
2564         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2565         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
2566         * dfg/DFGPromoteHeapAccess.h:
2567         (JSC::DFG::promoteHeapAccess):
2568         * dfg/DFGPromotedHeapLocation.cpp:
2569         (WTF::printInternal):
2570         * dfg/DFGPromotedHeapLocation.h:
2571         * dfg/DFGSSAConversionPhase.cpp:
2572         (JSC::DFG::SSAConversionPhase::run):
2573         * dfg/DFGSafeToExecute.h:
2574         (JSC::DFG::safeToExecute):
2575         * dfg/DFGSpeculativeJIT.cpp:
2576         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2577         (JSC::DFG::SpeculativeJIT::emitGetLength):
2578         (JSC::DFG::SpeculativeJIT::emitGetCallee):
2579         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
2580         (JSC::DFG::SpeculativeJIT::checkArray):
2581         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2582         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2583         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2584         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2585         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
2586         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2587         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2588         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
2589         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
2590         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
2591         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
2592         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
2593         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
2594         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
2595         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
2596         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
2597         * dfg/DFGSpeculativeJIT.h:
2598         (JSC::DFG::SpeculativeJIT::callOperation):
2599         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
2600         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2601         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
2602         * dfg/DFGSpeculativeJIT32_64.cpp:
2603         (JSC::DFG::SpeculativeJIT::emitCall):
2604         (JSC::DFG::SpeculativeJIT::compile):
2605         * dfg/DFGSpeculativeJIT64.cpp:
2606         (JSC::DFG::SpeculativeJIT::emitCall):
2607         (JSC::DFG::SpeculativeJIT::compile):
2608         * dfg/DFGStackLayoutPhase.cpp:
2609         (JSC::DFG::StackLayoutPhase::run):
2610         * dfg/DFGStrengthReductionPhase.cpp:
2611         (JSC::DFG::StrengthReductionPhase::handleNode):
2612         * dfg/DFGStructureRegistrationPhase.cpp:
2613         (JSC::DFG::StructureRegistrationPhase::run):
2614         * dfg/DFGUnificationPhase.cpp:
2615         (JSC::DFG::UnificationPhase::run):
2616         * dfg/DFGValidate.cpp:
2617         (JSC::DFG::Validate::validateCPS):
2618         * dfg/DFGValueSource.cpp:
2619         (JSC::DFG::ValueSource::dump):
2620         * dfg/DFGValueSource.h:
2621         (JSC::DFG::dataFormatToValueSourceKind):
2622         (JSC::DFG::valueSourceKindToDataFormat):
2623         (JSC::DFG::ValueSource::ValueSource):
2624         (JSC::DFG::ValueSource::forFlushFormat):
2625         (JSC::DFG::ValueSource::valueRecovery):
2626         * dfg/DFGVarargsForwardingPhase.cpp: Added.
2627         (JSC::DFG::performVarargsForwarding):
2628         * dfg/DFGVarargsForwardingPhase.h: Added.
2629         * dfg/DFGVariableAccessData.cpp:
2630         (JSC::DFG::VariableAccessData::VariableAccessData):
2631         (JSC::DFG::VariableAccessData::flushFormat):
2632         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
2633         * dfg/DFGVariableAccessData.h:
2634         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
2635         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
2636         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
2637         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
2638         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
2639         * dfg/DFGVariableAccessDataDump.cpp:
2640         (JSC::DFG::VariableAccessDataDump::dump):
2641         * dfg/DFGVariableAccessDataDump.h:
2642         * dfg/DFGVariableEventStream.cpp:
2643         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2644         * dfg/DFGVariableEventStream.h:
2645         * ftl/FTLAbstractHeap.cpp:
2646         (JSC::FTL::AbstractHeap::dump):
2647         (JSC::FTL::AbstractField::dump):
2648         (JSC::FTL::IndexedAbstractHeap::dump):
2649         (JSC::FTL::NumberedAbstractHeap::dump):
2650         (JSC::FTL::AbsoluteAbstractHeap::dump):
2651         * ftl/FTLAbstractHeap.h:
2652         * ftl/FTLAbstractHeapRepository.cpp:
2653         * ftl/FTLAbstractHeapRepository.h:
2654         * ftl/FTLCapabilities.cpp:
2655         (JSC::FTL::canCompile):
2656         * ftl/FTLCompile.cpp:
2657         (JSC::FTL::mmAllocateDataSection):
2658         * ftl/FTLExitArgument.cpp:
2659         (JSC::FTL::ExitArgument::dump):
2660         * ftl/FTLExitPropertyValue.cpp:
2661         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
2662         * ftl/FTLExitPropertyValue.h:
2663         * ftl/FTLExitTimeObjectMaterialization.cpp:
2664         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
2665         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
2666         * ftl/FTLExitTimeObjectMaterialization.h:
2667         (JSC::FTL::ExitTimeObjectMaterialization::origin):
2668         * ftl/FTLExitValue.cpp:
2669         (JSC::FTL::ExitValue::withLocalsOffset):
2670         (JSC::FTL::ExitValue::valueFormat):
2671         (JSC::FTL::ExitValue::dumpInContext):
2672         * ftl/FTLExitValue.h:
2673         (JSC::FTL::ExitValue::isArgument):
2674         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
2675         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
2676         (JSC::FTL::ExitValue::valueFormat): Deleted.
2677         * ftl/FTLInlineCacheSize.cpp:
2678         (JSC::FTL::sizeOfCallForwardVarargs):
2679         (JSC::FTL::sizeOfConstructForwardVarargs):
2680         (JSC::FTL::sizeOfICFor):
2681         * ftl/FTLInlineCacheSize.h:
2682         * ftl/FTLIntrinsicRepository.h:
2683         * ftl/FTLJSCallVarargs.cpp:
2684         (JSC::FTL::JSCallVarargs::JSCallVarargs):
2685         (JSC::FTL::JSCallVarargs::emit):
2686         * ftl/FTLJSCallVarargs.h:
2687         * ftl/FTLLowerDFGToLLVM.cpp:
2688         (JSC::FTL::LowerDFGToLLVM::lower):
2689         (JSC::FTL::LowerDFGToLLVM::compileNode):
2690         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
2691         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2692         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2693         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2694         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2695         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2696         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2697         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
2698         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
2699         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
2700         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
2701         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
2702         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
2703         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
2704         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
2705         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
2706         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
2707         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
2708         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
2709         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
2710         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
2711         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
2712         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
2713         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
2714         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
2715         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
2716         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
2717         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
2718         (JSC::FTL::LowerDFGToLLVM::baseIndex):
2719         (JSC::FTL::LowerDFGToLLVM::allocateObject):
2720         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
2721         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2722         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2723         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2724         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2725         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2726         (JSC::FTL::LowerDFGToLLVM::loadStructure):
2727         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
2728         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
2729         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
2730         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
2731         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
2732         * ftl/FTLOSRExitCompiler.cpp:
2733         (JSC::FTL::compileRecovery):
2734         (JSC::FTL::compileStub):
2735         * ftl/FTLOperations.cpp:
2736         (JSC::FTL::operationMaterializeObjectInOSR):
2737         * ftl/FTLOutput.h:
2738         (JSC::FTL::Output::aShr):
2739         (JSC::FTL::Output::lShr):
2740         (JSC::FTL::Output::zeroExtPtr):
2741         * heap/CopyToken.h:
2742         * interpreter/CallFrame.h:
2743         (JSC::ExecState::getArgumentUnsafe):
2744         * interpreter/Interpreter.cpp:
2745         (JSC::sizeOfVarargs):
2746         (JSC::sizeFrameForVarargs):
2747         (JSC::loadVarargs):
2748         (JSC::unwindCallFrame):
2749         * interpreter/Interpreter.h:
2750         * interpreter/StackVisitor.cpp:
2751         (JSC::StackVisitor::Frame::createArguments):
2752         (JSC::StackVisitor::Frame::existingArguments): Deleted.
2753         * interpreter/StackVisitor.h:
2754         * jit/AssemblyHelpers.h:
2755         (JSC::AssemblyHelpers::storeValue):
2756         (JSC::AssemblyHelpers::loadValue):
2757         (JSC::AssemblyHelpers::storeTrustedValue):
2758         (JSC::AssemblyHelpers::branchIfNotCell):
2759         (JSC::AssemblyHelpers::branchIsEmpty):
2760         (JSC::AssemblyHelpers::argumentsStart):
2761         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
2762         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
2763         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
2764         * jit/CCallHelpers.h:
2765         (JSC::CCallHelpers::setupArgument):
2766         * jit/GPRInfo.h:
2767         (JSC::JSValueRegs::withTwoAvailableRegs):
2768         * jit/JIT.cpp:
2769         (JSC::JIT::privateCompileMainPass):
2770         (JSC::JIT::privateCompileSlowCases):
2771         * jit/JIT.h:
2772         * jit/JITCall.cpp:
2773         (JSC::JIT::compileSetupVarargsFrame):
2774         * jit/JITCall32_64.cpp:
2775         (JSC::JIT::compileSetupVarargsFrame):
2776         * jit/JITInlines.h:
2777         (JSC::JIT::callOperation):
2778         * jit/JITOpcodes.cpp:
2779         (JSC::JIT::emit_op_create_lexical_environment):
2780         (JSC::JIT::emit_op_new_func):
2781         (JSC::JIT::emit_op_create_direct_arguments):
2782         (JSC::JIT::emit_op_create_scoped_arguments):
2783         (JSC::JIT::emit_op_create_out_of_band_arguments):
2784         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2785         (JSC::JIT::emit_op_create_arguments): Deleted.
2786         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2787         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2788         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2789         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2790         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2791         * jit/JITOpcodes32_64.cpp:
2792         (JSC::JIT::emit_op_create_lexical_environment):
2793         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2794         (JSC::JIT::emit_op_create_arguments): Deleted.
2795         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2796         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2797         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2798         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2799         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2800         * jit/JITOperations.cpp:
2801         * jit/JITOperations.h:
2802         * jit/JITPropertyAccess.cpp:
2803         (JSC::JIT::emitGetClosureVar):
2804         (JSC::JIT::emitPutClosureVar):
2805         (JSC::JIT::emit_op_get_from_arguments):
2806         (JSC::JIT::emit_op_put_to_arguments):
2807         (JSC::JIT::emit_op_init_global_const):
2808         (JSC::JIT::privateCompileGetByVal):
2809         (JSC::JIT::emitDirectArgumentsGetByVal):
2810         (JSC::JIT::emitScopedArgumentsGetByVal):
2811         * jit/JITPropertyAccess32_64.cpp:
2812         (JSC::JIT::emitGetClosureVar):
2813         (JSC::JIT::emitPutClosureVar):
2814         (JSC::JIT::emit_op_get_from_arguments):
2815         (JSC::JIT::emit_op_put_to_arguments):
2816         (JSC::JIT::emit_op_init_global_const):
2817         * jit/SetupVarargsFrame.cpp:
2818         (JSC::emitSetupVarargsFrameFastCase):
2819         * llint/LLIntOffsetsExtractor.cpp:
2820         * llint/LLIntSlowPaths.cpp:
2821         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2822         * llint/LowLevelInterpreter.asm:
2823         * llint/LowLevelInterpreter32_64.asm:
2824         * llint/LowLevelInterpreter64.asm:
2825         * parser/Nodes.h:
2826         (JSC::ScopeNode::captures):
2827         * runtime/Arguments.cpp: Removed.
2828         * runtime/Arguments.h: Removed.
2829         * runtime/ArgumentsMode.h: Added.
2830         * runtime/DirectArgumentsOffset.cpp: Added.
2831         (JSC::DirectArgumentsOffset::dump):
2832         * runtime/DirectArgumentsOffset.h: Added.
2833         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
2834         * runtime/CommonSlowPaths.cpp:
2835         (JSC::SLOW_PATH_DECL):
2836         * runtime/CommonSlowPaths.h:
2837         * runtime/ConstantMode.cpp: Added.
2838         (WTF::printInternal):
2839         * runtime/ConstantMode.h:
2840         (JSC::modeForIsConstant):
2841         * runtime/DirectArguments.cpp: Added.
2842         (JSC::DirectArguments::DirectArguments):
2843         (JSC::DirectArguments::createUninitialized):
2844         (JSC::DirectArguments::create):
2845         (JSC::DirectArguments::createByCopying):
2846         (JSC::DirectArguments::visitChildren):
2847         (JSC::DirectArguments::copyBackingStore):
2848         (JSC::DirectArguments::createStructure):
2849         (JSC::DirectArguments::overrideThings):
2850         (JSC::DirectArguments::overrideThingsIfNecessary):
2851         (JSC::DirectArguments::overrideArgument):
2852         (JSC::DirectArguments::copyToArguments):
2853         (JSC::DirectArguments::overridesSize):
2854         * runtime/DirectArguments.h: Added.
2855         (JSC::DirectArguments::internalLength):
2856         (JSC::DirectArguments::length):
2857         (JSC::DirectArguments::canAccessIndexQuickly):
2858         (JSC::DirectArguments::getIndexQuickly):
2859         (JSC::DirectArguments::setIndexQuickly):
2860         (JSC::DirectArguments::callee):
2861         (JSC::DirectArguments::argument):
2862         (JSC::DirectArguments::overrodeThings):
2863         (JSC::DirectArguments::offsetOfCallee):
2864         (JSC::DirectArguments::offsetOfLength):
2865         (JSC::DirectArguments::offsetOfMinCapacity):
2866         (JSC::DirectArguments::offsetOfOverrides):
2867         (JSC::DirectArguments::storageOffset):
2868         (JSC::DirectArguments::offsetOfSlot):
2869         (JSC::DirectArguments::allocationSize):
2870         (JSC::DirectArguments::storage):
2871         * runtime/FunctionPrototype.cpp:
2872         * runtime/GenericArguments.h: Added.
2873         (JSC::GenericArguments::GenericArguments):
2874         * runtime/GenericArgumentsInlines.h: Added.
2875         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2876         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2877         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2878         (JSC::GenericArguments<Type>::put):
2879         (JSC::GenericArguments<Type>::putByIndex):
2880         (JSC::GenericArguments<Type>::deleteProperty):
2881         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2882         (JSC::GenericArguments<Type>::defineOwnProperty):
2883         (JSC::GenericArguments<Type>::copyToArguments):
2884         * runtime/GenericOffset.h: Added.
2885         (JSC::GenericOffset::GenericOffset):
2886         (JSC::GenericOffset::operator!):
2887         (JSC::GenericOffset::offsetUnchecked):
2888         (JSC::GenericOffset::offset):
2889         (JSC::GenericOffset::operator==):
2890         (JSC::GenericOffset::operator!=):
2891         (JSC::GenericOffset::operator<):
2892         (JSC::GenericOffset::operator>):
2893         (JSC::GenericOffset::operator<=):
2894         (JSC::GenericOffset::operator>=):
2895         (JSC::GenericOffset::operator+):
2896         (JSC::GenericOffset::operator-):
2897         (JSC::GenericOffset::operator+=):
2898         (JSC::GenericOffset::operator-=):
2899         * runtime/JSArgumentsIterator.cpp:
2900         (JSC::JSArgumentsIterator::finishCreation):
2901         (JSC::argumentsFuncIterator):
2902         * runtime/JSArgumentsIterator.h:
2903         (JSC::JSArgumentsIterator::create):
2904         (JSC::JSArgumentsIterator::next):
2905         * runtime/JSEnvironmentRecord.cpp:
2906         (JSC::JSEnvironmentRecord::visitChildren):
2907         * runtime/JSEnvironmentRecord.h:
2908         (JSC::JSEnvironmentRecord::variables):
2909         (JSC::JSEnvironmentRecord::isValid):
2910         (JSC::JSEnvironmentRecord::variableAt):
2911         (JSC::JSEnvironmentRecord::offsetOfVariables):
2912         (JSC::JSEnvironmentRecord::offsetOfVariable):
2913         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
2914         (JSC::JSEnvironmentRecord::allocationSize):
2915         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
2916         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
2917         (JSC::JSEnvironmentRecord::finishCreation):
2918         (JSC::JSEnvironmentRecord::registers): Deleted.
2919         (JSC::JSEnvironmentRecord::registerAt): Deleted.
2920         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
2921         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
2922         * runtime/JSFunction.cpp:
2923         * runtime/JSGlobalObject.cpp:
2924         (JSC::JSGlobalObject::init):
2925         (JSC::JSGlobalObject::addGlobalVar):
2926         (JSC::JSGlobalObject::addFunction):
2927         (JSC::JSGlobalObject::visitChildren):
2928         (JSC::JSGlobalObject::addStaticGlobals):
2929         * runtime/JSGlobalObject.h:
2930         (JSC::JSGlobalObject::directArgumentsStructure):
2931         (JSC::JSGlobalObject::scopedArgumentsStructure):
2932         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
2933         (JSC::JSGlobalObject::argumentsStructure): Deleted.
2934         * runtime/JSLexicalEnvironment.cpp:
2935         (JSC::JSLexicalEnvironment::symbolTableGet):
2936         (JSC::JSLexicalEnvironment::symbolTablePut):
2937         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2938         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2939         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
2940         * runtime/JSLexicalEnvironment.h:
2941         (JSC::JSLexicalEnvironment::create):
2942         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2943         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
2944         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
2945         (JSC::JSLexicalEnvironment::storage): Deleted.
2946         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
2947         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
2948         (JSC::JSLexicalEnvironment::isValid): Deleted.
2949         (JSC::JSLexicalEnvironment::registerAt): Deleted.
2950         * runtime/JSNameScope.cpp:
2951         (JSC::JSNameScope::visitChildren): Deleted.
2952         * runtime/JSNameScope.h:
2953         (JSC::JSNameScope::create):
2954         (JSC::JSNameScope::value):
2955         (JSC::JSNameScope::finishCreation):
2956         (JSC::JSNameScope::JSNameScope):
2957         * runtime/JSScope.cpp:
2958         (JSC::abstractAccess):
2959         * runtime/JSSegmentedVariableObject.cpp:
2960         (JSC::JSSegmentedVariableObject::findVariableIndex):
2961         (JSC::JSSegmentedVariableObject::addVariables):
2962         (JSC::JSSegmentedVariableObject::visitChildren):
2963         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
2964         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
2965         * runtime/JSSegmentedVariableObject.h:
2966         (JSC::JSSegmentedVariableObject::variableAt):
2967         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
2968         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
2969         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
2970         * runtime/JSSymbolTableObject.h:
2971         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
2972         (JSC::symbolTableGet):
2973         (JSC::symbolTablePut):
2974         (JSC::symbolTablePutWithAttributes):
2975         * runtime/JSType.h:
2976         * runtime/Options.h:
2977         * runtime/ClonedArguments.cpp: Added.
2978         (JSC::ClonedArguments::ClonedArguments):
2979         (JSC::ClonedArguments::createEmpty):
2980         (JSC::ClonedArguments::createWithInlineFrame):
2981         (JSC::ClonedArguments::createWithMachineFrame):
2982         (JSC::ClonedArguments::createByCopyingFrom):
2983         (JSC::ClonedArguments::createStructure):
2984         (JSC::ClonedArguments::getOwnPropertySlot):
2985         (JSC::ClonedArguments::getOwnPropertyNames):
2986         (JSC::ClonedArguments::put):
2987         (JSC::ClonedArguments::deleteProperty):
2988         (JSC::ClonedArguments::defineOwnProperty):
2989         (JSC::ClonedArguments::materializeSpecials):
2990         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2991         * runtime/ClonedArguments.h: Added.
2992         (JSC::ClonedArguments::specialsMaterialized):
2993         * runtime/ScopeOffset.cpp: Added.
2994         (JSC::ScopeOffset::dump):
2995         * runtime/ScopeOffset.h: Added.
2996         (JSC::ScopeOffset::ScopeOffset):
2997         * runtime/ScopedArguments.cpp: Added.
2998         (JSC::ScopedArguments::ScopedArguments):
2999         (JSC::ScopedArguments::finishCreation):
3000         (JSC::ScopedArguments::createUninitialized):
3001         (JSC::ScopedArguments::create):
3002         (JSC::ScopedArguments::createByCopying):
3003         (JSC::ScopedArguments::createByCopyingFrom):
3004         (JSC::ScopedArguments::visitChildren):
3005         (JSC::ScopedArguments::createStructure):
3006         (JSC::ScopedArguments::overrideThings):
3007         (JSC::ScopedArguments::overrideThingsIfNecessary):
3008         (JSC::ScopedArguments::overrideArgument):
3009         (JSC::ScopedArguments::copyToArguments):
3010         * runtime/ScopedArguments.h: Added.
3011         (JSC::ScopedArguments::internalLength):
3012         (JSC::ScopedArguments::length):
3013         (JSC::ScopedArguments::canAccessIndexQuickly):
3014         (JSC::ScopedArguments::getIndexQuickly):
3015         (JSC::ScopedArguments::setIndexQuickly):
3016         (JSC::ScopedArguments::callee):
3017         (JSC::ScopedArguments::overrodeThings):
3018         (JSC::ScopedArguments::offsetOfOverrodeThings):
3019         (JSC::ScopedArguments::offsetOfTotalLength):
3020         (JSC::ScopedArguments::offsetOfTable):
3021         (JSC::ScopedArguments::offsetOfScope):
3022         (JSC::ScopedArguments::overflowStorageOffset):
3023         (JSC::ScopedArguments::allocationSize):
3024         (JSC::ScopedArguments::overflowStorage):
3025         * runtime/ScopedArgumentsTable.cpp: Added.
3026         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
3027         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
3028         (JSC::ScopedArgumentsTable::destroy):
3029         (JSC::ScopedArgumentsTable::create):
3030         (JSC::ScopedArgumentsTable::clone):
3031         (JSC::ScopedArgumentsTable::setLength):
3032         (JSC::ScopedArgumentsTable::set):
3033         (JSC::ScopedArgumentsTable::createStructure):
3034         * runtime/ScopedArgumentsTable.h: Added.
3035         (JSC::ScopedArgumentsTable::length):
3036         (JSC::ScopedArgumentsTable::get):
3037         (JSC::ScopedArgumentsTable::lock):
3038         (JSC::ScopedArgumentsTable::offsetOfLength):
3039         (JSC::ScopedArgumentsTable::offsetOfArguments):
3040         (JSC::ScopedArgumentsTable::at):
3041         * runtime/SymbolTable.cpp:
3042         (JSC::SymbolTableEntry::prepareToWatch):
3043         (JSC::SymbolTable::SymbolTable):
3044         (JSC::SymbolTable::visitChildren):
3045         (JSC::SymbolTable::localToEntry):
3046         (JSC::SymbolTable::entryFor):
3047         (JSC::SymbolTable::cloneScopePart):
3048         (JSC::SymbolTable::prepareForTypeProfiling):
3049         (JSC::SymbolTable::uniqueIDForOffset):
3050         (JSC::SymbolTable::globalTypeSetForOffset):
3051         (JSC::SymbolTable::cloneCapturedNames): Deleted.
3052         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
3053         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
3054         * runtime/SymbolTable.h:
3055         (JSC::SymbolTableEntry::varOffsetFromBits):
3056         (JSC::SymbolTableEntry::scopeOffsetFromBits):
3057         (JSC::SymbolTableEntry::Fast::varOffset):
3058         (JSC::SymbolTableEntry::Fast::scopeOffset):
3059         (JSC::SymbolTableEntry::Fast::isDontEnum):
3060         (JSC::SymbolTableEntry::Fast::getAttributes):
3061         (JSC::SymbolTableEntry::SymbolTableEntry):
3062         (JSC::SymbolTableEntry::varOffset):
3063         (JSC::SymbolTableEntry::isWatchable):
3064         (JSC::SymbolTableEntry::scopeOffset):
3065         (JSC::SymbolTableEntry::setAttributes):
3066         (JSC::SymbolTableEntry::constantMode):
3067         (JSC::SymbolTableEntry::isDontEnum):
3068         (JSC::SymbolTableEntry::disableWatching):
3069         (JSC::SymbolTableEntry::pack):
3070         (JSC::SymbolTableEntry::isValidVarOffset):
3071         (JSC::SymbolTable::createNameScopeTable):
3072         (JSC::SymbolTable::maxScopeOffset):
3073         (JSC::SymbolTable::didUseScopeOffset):
3074         (JSC::SymbolTable::didUseVarOffset):
3075         (JSC::SymbolTable::scopeSize):
3076         (JSC::SymbolTable::nextScopeOffset):
3077         (JSC::SymbolTable::takeNextScopeOffset):
3078         (JSC::SymbolTable::add):
3079         (JSC::SymbolTable::set):
3080         (JSC::SymbolTable::argumentsLength):
3081         (JSC::SymbolTable::setArgumentsLength):
3082         (JSC::SymbolTable::argumentOffset):
3083         (JSC::SymbolTable::setArgumentOffset):
3084         (JSC::SymbolTable::arguments):
3085         (JSC::SlowArgument::SlowArgument): Deleted.
3086         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
3087         (JSC::SymbolTableEntry::getIndex): Deleted.
3088         (JSC::SymbolTableEntry::isValidIndex): Deleted.
3089         (JSC::SymbolTable::captureStart): Deleted.
3090         (JSC::SymbolTable::setCaptureStart): Deleted.
3091         (JSC::SymbolTable::captureEnd): Deleted.
3092         (JSC::SymbolTable::setCaptureEnd): Deleted.
3093         (JSC::SymbolTable::captureCount): Deleted.
3094         (JSC::SymbolTable::isCaptured): Deleted.
3095         (JSC::SymbolTable::parameterCount): Deleted.
3096         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
3097         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
3098         (JSC::SymbolTable::slowArguments): Deleted.
3099         (JSC::SymbolTable::setSlowArguments): Deleted.
3100         * runtime/VM.cpp:
3101         (JSC::VM::VM):
3102         * runtime/VM.h:
3103         * runtime/VarOffset.cpp: Added.
3104         (JSC::VarOffset::dump):
3105         (WTF::printInternal):
3106         * runtime/VarOffset.h: Added.
3107         (JSC::VarOffset::VarOffset):
3108         (JSC::VarOffset::assemble):
3109         (JSC::VarOffset::isValid):
3110         (JSC::VarOffset::operator!):
3111         (JSC::VarOffset::kind):
3112         (JSC::VarOffset::isStack):
3113         (JSC::VarOffset::isScope):
3114         (JSC::VarOffset::isDirectArgument):
3115         (JSC::VarOffset::stackOffsetUnchecked):
3116         (JSC::VarOffset::scopeOffsetUnchecked):
3117         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
3118         (JSC::VarOffset::stackOffset):
3119         (JSC::VarOffset::scopeOffset):
3120         (JSC::VarOffset::capturedArgumentsOffset):
3121         (JSC::VarOffset::rawOffset):
3122         (JSC::VarOffset::checkSanity):
3123         (JSC::VarOffset::operator==):
3124         (JSC::VarOffset::operator!=):
3125         (JSC::VarOffset::hash):
3126         (JSC::VarOffset::isHashTableDeletedValue):
3127         (JSC::VarOffsetHash::hash):
3128         (JSC::VarOffsetHash::equal):
3129         * tests/stress/arguments-exit-strict-mode.js: Added.
3130         * tests/stress/arguments-exit.js: Added.
3131         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
3132         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
3133         * tests/stress/arguments-inlined-exit.js: Added.
3134         * tests/stress/arguments-interference.js: Added.
3135         * tests/stress/arguments-interference-cfg.js: Added.
3136         * tests/stress/dead-get-closure-var.js: Added.
3137         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
3138         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
3139         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
3140         * tests/stress/varargs-closure-inlined-exit.js: Added.
3141         * tests/stress/varargs-exit.js: Added.
3142         * tests/stress/varargs-inlined-exit.js: Added.
3143         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
3144         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
3145         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
3146         * tests/stress/varargs-inlined-simple-exit.js: Added.
3147         * tests/stress/varargs-too-few-arguments.js: Added.
3148         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
3149         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
3150         * tests/stress/varargs-varargs-inlined-exit.js: Added.
3151
3152 2015-03-25  Andy Estes  <aestes@apple.com>
3153
3154         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
3155         https://bugs.webkit.org/show_bug.cgi?id=143068
3156
3157         Reviewed by Dan Bernstein.
3158
3159         * inspector/remote/RemoteInspectorXPCConnection.mm:
3160         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
3161
3162 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3163
3164         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
3165         https://bugs.webkit.org/show_bug.cgi?id=142993
3166
3167         Reviewed by Geoffrey Garen and Mark Lam.
3168         
3169         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
3170         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
3171         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
3172         failure, but also involves adding the same kind of thing to the stub generators in
3173         Repatch.
3174         
3175         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
3176         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
3177         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
3178         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
3179         printout.
3180         
3181         Also add a way of inducing executable allocation failure, so that we can test this.
3182
3183         * CMakeLists.txt:
3184         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3185         * JavaScriptCore.xcodeproj/project.pbxproj:
3186         * dfg/DFGJITCompiler.cpp:
3187         (JSC::DFG::JITCompiler::compile):
3188         (JSC::DFG::JITCompiler::compileFunction):
3189         (JSC::DFG::JITCompiler::link): Deleted.
3190         (JSC::DFG::JITCompiler::linkFunction): Deleted.
3191         * dfg/DFGJITCompiler.h:
3192         * dfg/DFGPlan.cpp:
3193         (JSC::DFG::Plan::compileInThreadImpl):
3194         * ftl/FTLCompile.cpp:
3195         (JSC::FTL::mmAllocateCodeSection):
3196         (JSC::FTL::mmAllocateDataSection):
3197         * ftl/FTLLink.cpp:
3198         (JSC::FTL::link):
3199         * ftl/FTLState.h:
3200         * jit/ArityCheckFailReturnThunks.cpp:
3201         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
3202         * jit/ExecutableAllocationFuzz.cpp: Added.
3203         (JSC::numberOfExecutableAllocationFuzzChecks):
3204         (JSC::doExecutableAllocationFuzzing):
3205         * jit/ExecutableAllocationFuzz.h: Added.
3206         (JSC::doExecutableAllocationFuzzingIfEnabled):
3207         * jit/ExecutableAllocatorFixedVMPool.cpp:
3208         (JSC::ExecutableAllocator::allocate):
3209         * jit/JIT.cpp:
3210         (JSC::JIT::privateCompile):
3211         * jit/JITCompilationEffort.h:
3212         * jit/Repatch.cpp:
3213         (JSC::generateByIdStub):
3214         (JSC::tryCacheGetByID):
3215         (JSC::tryBuildGetByIDList):
3216         (JSC::emitPutReplaceStub):
3217         (JSC::emitPutTransitionStubAndGetOldStructure):
3218         (JSC::tryCachePutByID):
3219         (JSC::tryBuildPutByIdList):
3220         (JSC::tryRepatchIn):
3221         (JSC::linkPolymorphicCall):
3222         * jsc.cpp:
3223         (jscmain):
3224         * runtime/Options.h:
3225         * runtime/TestRunnerUtils.h:
3226         * runtime/VM.cpp:
3227         * tests/executableAllocationFuzz: Added.
3228         * tests/executableAllocationFuzz.yaml: Added.
3229         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
3230
3231 2015-03-25  Mark Lam  <mark.lam@apple.com>
3232
3233         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
3234         <https://webkit.org/b/135719>
3235
3236         Reviewed by Geoffrey Garen.
3237
3238         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
3239         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
3240         update the LLINT to access it as such.
3241
3242         The issue has only manifested so far on the CLoop tests because those are LLINT
3243         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
3244         hiding the bug in the LLINT.
3245
3246         * API/JSContextRef.cpp:
3247         (createWatchdogIfNeeded):
3248         (JSContextGroupSetExecutionTimeLimit):
3249         (JSContextGroupClearExecutionTimeLimit):
3250         * llint/LowLevelInterpreter.asm:
3251
3252 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3253
3254         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
3255
3256         Rubber stamped by Geoffrey Garen.
3257
3258         * bytecode/CodeBlock.cpp:
3259         (JSC::CodeBlock::visitAggregate):
3260
3261 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3262
3263         Fix formatting in BuiltinExecutables
3264         https://bugs.webkit.org/show_bug.cgi?id=143061
3265
3266         Reviewed by Ryosuke Niwa.
3267
3268         * builtins/BuiltinExecutables.cpp:
3269         (JSC::BuiltinExecutables::createExecutableInternal):
3270
3271 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3272
3273         ES6: Classes: Program level class statement throws exception in strict mode
3274         https://bugs.webkit.org/show_bug.cgi?id=143038
3275
3276         Reviewed by Ryosuke Niwa.
3277
3278         Classes expose a name to the current lexical environment. This treats
3279         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
3280         Also, improve error messages for class statements where the class is missing a name.
3281
3282         * parser/Parser.h:
3283         * parser/Parser.cpp:
3284         (JSC::Parser<LexerType>::parseClass):
3285         Fill name in info parameter if needed. Better error message if name is needed and missing.
3286
3287         (JSC::Parser<LexerType>::parseClassDeclaration):
3288         Pass info parameter to get name, and expose the name as a variable name.
3289
3290         (JSC::Parser<LexerType>::parsePrimaryExpression):
3291         Pass info parameter that is ignored.
3292
3293         * parser/ParserFunctionInfo.h:
3294         Add a parser info for class, to extract the name.
3295
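Added example, not part of this ChangeLog or of the WebKit source: it shows, in a current spec-conforming engine, the observable behaviour the entry above is concerned with. A class statement in a strict-mode program body is accepted and binds its name; the binding follows let-like (temporal dead zone) rules rather than the var-like hoisting the patch settled for; and a class statement with no name is a SyntaxError while an anonymous class expression is not. Function and variable names below are the example's own.

```javascript
// Added example (not WebKit code). Illustrates class-name binding rules.

// A class statement at program level in strict mode must not throw; the
// name is visible after the declaration. The program is built with the
// Function constructor so it is evaluated as its own body.
function strictModeProgramClass() {
  return new Function('"use strict"; class A {}; return typeof A;')();
}

// Spec semantics: the class name is a let-like binding, so reading it
// before the declaration is a ReferenceError (temporal dead zone).
function letLikeBinding() {
  let beforeDecl;
  try {
    beforeDecl = typeof Y;
  } catch (e) {
    beforeDecl = e.constructor.name; // 'ReferenceError'
  }
  class Y {}
  return { beforeDecl, afterDecl: typeof Y, name: Y.name };
}

// The var-like treatment the entry describes ("var X = class X {}"):
// the binding is hoisted, so reading it early yields undefined instead
// of throwing.
function varLikeBinding() {
  const beforeDecl = typeof Z; // 'undefined', no exception
  var Z = class Z {};
  return { beforeDecl, afterDecl: typeof Z, name: Z.name };
}

// A class *statement* requires a name; a class *expression* does not.
function declarationWithoutNameIsSyntaxError() {
  try {
    new Function('class {}');
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

function anonymousClassExpressionIsAllowed() {
  return typeof (class {});
}
```

The two probe functions show the difference a parser would observe between binding the class name as `var` and as `let`: only the latter rejects a use before the declaration.
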
3296 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3297
3298         New map and set modification tests in r181922 fails
3299         https://bugs.webkit.org/show_bug.cgi?id=143031
3300
3301         Reviewed and tweaked by Geoffrey Garen.
3302
3303         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
3304         to adjust for the packed backing store.
3305
3306         Consider the following map data.
3307
3308         x: deleted, o: exists
3309         0 1 2 3 4
3310         x x x x o
3311
3312         And iterator with m_index 3.
3313
3314         When packing the map data, map data will become,
3315
3316         0
3317         o
3318
        At that time, we perform didRemoveEntry 4 times on iterators.
3320         times => m_index/index/result
3321         1 => 3/0/dec
3322         2 => 2/1/dec
3323         3 => 1/2/nothing
3324         4 => 1/3/nothing
3325
3326         After iteration, iterator's m_index becomes 1. But we expected that becomes 0.
        This is because, if we use the decremented m_index for comparison, the provided
        deletedIndex is an index into the old storage, while m_index is an index into the partially packed storage.
3329
3330         In this patch, we compare against the packed index instead.
3331         times => m_index/packedIndex/result
3332         1 => 3/0/dec
3333         2 => 2/0/dec
3334         3 => 1/0/dec
3335         4 => 0/0/nothing
3336
3337         So m_index becomes 0 as expected.
3338
3339         And according to the spec, once the iterator is closed (becomes done: true),
3340         its internal [[Map]]/[[Set]] is set to undefined.
3341         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
3342
3343         In this patch, we change 2 things.
3344         1.
3345         Compare an iterator's index against the packed index when removing an