[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2015-04-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit. Forgot to make this simple change to 32_64 as well.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2015-04-21  Filip Pizlo  <fpizlo@apple.com>

        DFG should allow Phantoms after terminals
        https://bugs.webkit.org/show_bug.cgi?id=126778

        Reviewed by Mark Lam.

        It's important for us to be able to place liveness-marking nodes after nodes that do
        things. These liveness-marking nodes are nops. Previously, we disallowed such nodes after
        terminals. That made things awkward, especially for Switch and Branch, which may do
        things that necessitate liveness markers (for example they might want to use a converted
        version of a value rather than the value that was MovHinted). We previously made this
        work by disallowing certain optimizations on Switch and Branch, which was probably a bad
        thing.

        This changes our IR to allow for the terminal to not be the last node in a block. Asking
        for the terminal involves a search. DFG::validate() checks that the nodes after the
        terminal are liveness markers that have no effects or checks.

        This is perf-neutral but will allow more optimizations in the future. It will also make
        it cleaner to fix https://bugs.webkit.org/show_bug.cgi?id=143735.

        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::replaceTerminal):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::findTerminal):
        (JSC::DFG::BasicBlock::terminal):
        (JSC::DFG::BasicBlock::insertBeforeTerminal):
        (JSC::DFG::BasicBlock::numSuccessors):
        (JSC::DFG::BasicBlock::successor):
        (JSC::DFG::BasicBlock::successorForCondition):
        (JSC::DFG::BasicBlock::successors):
        (JSC::DFG::BasicBlock::last): Deleted.
        (JSC::DFG::BasicBlock::takeLast): Deleted.
        (JSC::DFG::BasicBlock::insertBeforeLast): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::begin): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::end): Deleted.
        * dfg/DFGBasicBlockInlines.h:
        (JSC::DFG::BasicBlock::appendNonTerminal):
        (JSC::DFG::BasicBlock::replaceTerminal):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::convertToJump):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        * dfg/DFGCommon.h:
        (JSC::DFG::NodeAndIndex::NodeAndIndex):
        (JSC::DFG::NodeAndIndex::operator!):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd): Deleted.
        * dfg/DFGForAllKills.h:
        (JSC::DFG::forAllLiveNodesAtTail):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::terminalsAreValid):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMovHintRemovalPhase.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::SuccessorsIterable::SuccessorsIterable):
        (JSC::DFG::Node::SuccessorsIterable::iterator::iterator):
        (JSC::DFG::Node::SuccessorsIterable::iterator::operator*):
        (JSC::DFG::Node::SuccessorsIterable::iterator::operator++):
        (JSC::DFG::Node::SuccessorsIterable::iterator::operator==):
        (JSC::DFG::Node::SuccessorsIterable::iterator::operator!=):
        (JSC::DFG::Node::SuccessorsIterable::begin):
        (JSC::DFG::Node::SuccessorsIterable::end):
        (JSC::DFG::Node::successors):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * tests/stress/closure-call-exit.js: Added.
        (foo):

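        The IR rule the entry above introduces (the terminal is found by a search, and only
        effect-free, check-free liveness markers may follow it), modelled as an added
        illustration in JavaScript. This is not WebKit's DFG code: the node table and the
        names findTerminal, validateBlock and insertBeforeTerminal are this example's own,
        and the sample blocks are constructed.

```javascript
// Toy model of the invariant: a block's terminal need not be its last node,
// and every node after it must be a liveness marker with no effects and no
// checks. Illustrative model only, not WebKit's DFG; the table is an assumption.
const NODE_KINDS = {
  ArithAdd: { terminal: false, effects: false, checks: true  }, // may speculate and exit
  PutById:  { terminal: false, effects: true,  checks: true  },
  Phantom:  { terminal: false, effects: false, checks: false }, // liveness marker, a nop
  MovHint:  { terminal: false, effects: false, checks: false }, // liveness marker, a nop
  Jump:     { terminal: true,  effects: false, checks: false },
  Branch:   { terminal: true,  effects: false, checks: false },
  Switch:   { terminal: true,  effects: false, checks: false },
  Return:   { terminal: true,  effects: false, checks: false },
};

function kindOf(node) {
  const k = NODE_KINDS[node.op];
  if (!k) throw new Error(`unknown node kind ${node.op}`);
  return k;
}

// The terminal is found by searching backwards instead of assuming block.last().
function findTerminal(block) {
  for (let i = block.length - 1; i >= 0; i--) {
    if (kindOf(block[i]).terminal) return { node: block[i], index: i };
  }
  return null; // unterminated block
}

// What a validator has to check once nodes may trail the terminal.
function validateBlock(block) {
  const terminals = block.filter((n) => kindOf(n).terminal).length;
  if (terminals !== 1) return { ok: false, reason: `block has ${terminals} terminals, expected 1` };
  const t = findTerminal(block);
  for (let i = t.index + 1; i < block.length; i++) {
    const k = kindOf(block[i]);
    if (k.effects || k.checks) {
      return { ok: false, reason: `${block[i].op} at ${i} follows the terminal but has effects or checks` };
    }
  }
  return { ok: true, terminalIndex: t.index };
}

// Insertion must target the terminal's position, not the end of the block.
function insertBeforeTerminal(block, node) {
  const t = findTerminal(block);
  if (!t) throw new Error('cannot insert before the terminal of an unterminated block');
  block.splice(t.index, 0, node);
  return t.index;
}

// Constructed sample blocks: the first is legal under the new rule, the second
// is not because a PutById (effects and checks) trails the Jump.
function runSamples() {
  const okBlock = [{ op: 'ArithAdd' }, { op: 'Branch' }, { op: 'Phantom' }, { op: 'MovHint' }];
  const badBlock = [{ op: 'Jump' }, { op: 'PutById' }];
  return { ok: validateBlock(okBlock), bad: validateBlock(badBlock) };
}
```

        Under the old rule the first sample block would have been rejected outright because
        Branch is not the last node; under the new one it passes, while the second is still
        refused because the trailing node does something observable.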
2015-04-21  Basile Clement  <basile_clement@apple.com>

        PhantomNewObject should be marked NodeMustGenerate
        https://bugs.webkit.org/show_bug.cgi?id=143974

        Reviewed by Filip Pizlo.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantomNewObject):
        Was not properly marking NodeMustGenerate when converting.

2015-04-21  Filip Pizlo  <fpizlo@apple.com>

        DFG Call/ConstructForwardVarargs fails to restore the stack pointer
        https://bugs.webkit.org/show_bug.cgi?id=144007

        Reviewed by Mark Lam.

        We were conditioning the stack pointer restoration on isVarargs, but we also need to do it
        if isForwardVarargs.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * tests/stress/varargs-then-slow-call.js: Added.
        (foo):
        (bar):
        (fuzz):
        (baz):

2015-04-21  Basile Clement  <basile_clement@apple.com>

        Remove AllocationProfileWatchpoint node
        https://bugs.webkit.org/show_bug.cgi?id=143999

        Reviewed by Filip Pizlo.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCellOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * runtime/JSFunction.h:
        (JSC::JSFunction::rareData):
        (JSC::JSFunction::allocationProfileWatchpointSet): Deleted.

2015-04-19  Filip Pizlo  <fpizlo@apple.com>

        MovHint should be a strong use
        https://bugs.webkit.org/show_bug.cgi?id=143734

        Reviewed by Geoffrey Garen.

        This disables any DCE that assumes equivalence between DFG IR uses and bytecode uses. Doing
        so is a major step towards allowing more fancy DFG transformations and also probably fixing
        some bugs.

        Just making MovHint a strong use would also completely disable DCE. So we mitigate this by
        introducing a MovHint removal phase that runs in FTL.

        This is a slight slowdown on Octane/gbemu, but it's basically neutral on suite averages.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dumpInContext):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGEpoch.cpp: Added.
        (JSC::DFG::Epoch::dump):
        * dfg/DFGEpoch.h: Added.
        (JSC::DFG::Epoch::Epoch):
        (JSC::DFG::Epoch::first):
        (JSC::DFG::Epoch::operator!):
        (JSC::DFG::Epoch::next):
        (JSC::DFG::Epoch::bump):
        (JSC::DFG::Epoch::operator==):
        (JSC::DFG::Epoch::operator!=):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGMovHintRemovalPhase.cpp: Added.
        (JSC::DFG::performMovHintRemoval):
        * dfg/DFGMovHintRemovalPhase.h: Added.
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Options.h:

2015-04-21  Basile Clement  <basile_clement@apple.com>

        REGRESSION (r182899): icloud.com crashes
        https://bugs.webkit.org/show_bug.cgi?id=143960

        Reviewed by Filip Pizlo.

        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationStructure):
        * tests/stress/dfg-rare-data.js: Added.
        (F): Regression test

2015-04-21  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Interpreter::execute
        https://bugs.webkit.org/show_bug.cgi?id=142625

        Reviewed by Filip Pizlo.

        We need to keep the FunctionExecutables in the code block for the eval flavor of
        Interpreter::execute() in order to create the scope used to eval.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettisonFunctionDeclsAndExprs): Deleted.
        * bytecode/CodeBlock.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::registerFrozenValues):

2015-04-21  Chris Dumez  <cdumez@apple.com>

        Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&) constructor explicit
        https://bugs.webkit.org/show_bug.cgi?id=143970

        Reviewed by Darin Adler.

        Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&)
        constructor explicit as it copies the vector and it is easy to call it
        by mistake.

        * bytecode/UnlinkedInstructionStream.cpp:
        (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
        * bytecode/UnlinkedInstructionStream.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):

2015-04-20  Basile Clement  <basile_clement@apple.com>

        PhantomNewObject should be marked NodeMustGenerate
        https://bugs.webkit.org/show_bug.cgi?id=143974

        Reviewed by Filip Pizlo.

        * dfg/DFGNodeType.h: Mark PhantomNewObject as NodeMustGenerate

2015-04-20  Joseph Pecoraro  <pecoraro@apple.com>

        Cleanup some StringBuilder use
        https://bugs.webkit.org/show_bug.cgi?id=143550

        Reviewed by Darin Adler.

        * runtime/Symbol.cpp:
        (JSC::Symbol::descriptiveString):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString):
        (JSC::StructureShape::propertyHash):
        (JSC::StructureShape::stringRepresentation):
        (JSC::StructureShape::toJSONString):

2015-04-20  Mark Lam  <mark.lam@apple.com>

        Add debugging tools to test if a given pointer is a valid object and in the heap.
        https://bugs.webkit.org/show_bug.cgi?id=143910

        Reviewed by Geoffrey Garen.

        When doing debugging from lldb, sometimes, it is useful to be able to tell if a
        purported JSObject is really a valid object in the heap or not.  We can add the
        following utility functions to help:
            isValidCell(heap, candidate) - returns true if the candidate is a "live" cell in the heap.
            isInHeap(heap, candidate) - returns true if the candidate is in the heap's Object space or Storage space.
            isInObjectSpace(heap, candidate) - returns true if the candidate is in the heap's Object space.
            isInStorageSpace(heap, candidate) - returns true if the candidate is in the heap's Storage space.

        Also moved lldb callable debug utility function prototypes from
        JSDollarVMPrototype.cpp to JSDollarVMPrototype.h as static members of the
        JSDollarVMPrototype class.  This is so that we can conveniently #include that
        file to get the prototypes when we need to call them programmatically from
        instrumentation that we add while debugging an issue.

        * heap/Heap.h:
        (JSC::Heap::storageSpace):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
        (JSC::ensureCurrentThreadOwnsJSLock):
        (JSC::JSDollarVMPrototype::gc):
        (JSC::functionGC):
        (JSC::JSDollarVMPrototype::edenGC):
        (JSC::functionEdenGC):
        (JSC::JSDollarVMPrototype::isInHeap):
        (JSC::JSDollarVMPrototype::isInObjectSpace):
        (JSC::JSDollarVMPrototype::isInStorageSpace):
        (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor):
        (JSC::ObjectAddressCheckFunctor::operator()):
        (JSC::JSDollarVMPrototype::isValidCell):
        (JSC::JSDollarVMPrototype::isValidCodeBlock):
        (JSC::JSDollarVMPrototype::codeBlockForFrame):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::JSDollarVMPrototype::printCallFrame):
        (JSC::JSDollarVMPrototype::printStack):
        (JSC::JSDollarVMPrototype::printValue):
        (JSC::currentThreadOwnsJSLock): Deleted.
        (JSC::gc): Deleted.
        (JSC::edenGC): Deleted.
        (JSC::isValidCodeBlock): Deleted.
        (JSC::codeBlockForFrame): Deleted.
        (JSC::printCallFrame): Deleted.
        (JSC::printStack): Deleted.
        (JSC::printValue): Deleted.
        * tools/JSDollarVMPrototype.h:

2015-04-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve Support for WeakSet in Console
        https://bugs.webkit.org/show_bug.cgi?id=143951

        Reviewed by Darin Adler.

        * inspector/InjectedScriptSource.js:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::weakSetSize):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
        Treat WeakSets like special sets.

        * inspector/protocol/Runtime.json:
        Add a new object subtype, "weakset".

2015-04-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        HashMap storing PropertyKey StringImpl* need to use IdentifierRepHash to handle Symbols
        https://bugs.webkit.org/show_bug.cgi?id=143947

        Reviewed by Darin Adler.

        Type profiler has a map between PropertyKey (StringImpl*) and offset.
        StringImpl* is also used for Symbol PropertyKey.
        So equality in the hash table is determined by the interned StringImpl*'s pointer value.
        To do so, use IdentifierRepHash instead of StringHash.

        * runtime/SymbolTable.h:

2015-04-20  Jordan Harband  <ljharb@gmail.com>

        Implement `Object.is`
        https://bugs.webkit.org/show_bug.cgi?id=143865

        Reviewed by Darin Adler.

        Expose sameValue to JS, via Object.is
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.is

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorIs):
        * runtime/PropertyDescriptor.cpp:
        (JSC::sameValue):

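        The SameValue algorithm that Object.is exposes, written out in JavaScript as an added
        illustration of the entry above. This is not JSC's C++ sameValue; the names sameValue,
        differencesFromStrictEquality and matchesBuiltin are this example's own, and the
        sample values are constructed.

```javascript
// SameValue(x, y) as in the ES6 draft the entry links: like strict equality
// except that NaN equals NaN and +0 does not equal -0.
function sameValue(x, y) {
  if (typeof x !== typeof y) return false;
  if (typeof x === 'number') {
    if (Number.isNaN(x) && Number.isNaN(y)) return true; // NaN is SameValue to NaN
    if (x === 0 && y === 0) return 1 / x === 1 / y;       // +0 and -0 are distinguished
    return x === y;
  }
  return x === y; // strings, booleans, undefined, null, symbols, objects: identity
}

// The pairs where SameValue and === give different answers.
function differencesFromStrictEquality() {
  const pairs = [[NaN, NaN], [0, -0], [-0, 0], [1, 1], ['a', 'a'], [null, undefined]];
  return pairs.filter(([a, b]) => sameValue(a, b) !== (a === b));
}

// Cross-check against the engine's own Object.is over a constructed sample set.
function matchesBuiltin() {
  const samples = [NaN, 0, -0, 1, '1', null, undefined, true, {}, []];
  for (const a of samples) {
    for (const b of samples) {
      if (sameValue(a, b) !== Object.is(a, b)) return false;
    }
  }
  return true;
}
```

        The practical consequence for anyone writing comparison code: `Object.is` is the
        right tool when a NaN or a signed zero must be treated as a distinct key, and `===`
        otherwise; the two are not interchangeable.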
2015-04-19  Darin Adler  <darin@apple.com>

        Remove all the remaining uses of OwnPtr and PassOwnPtr in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=143941

        Reviewed by Gyuyoung Kim.

        * API/JSCallbackObject.h: Use unique_ptr for m_callbackObjectData.
        * API/JSCallbackObjectFunctions.h: Ditto.

        * API/ObjCCallbackFunction.h: Use unique_ptr for the arguments to the
        create function and the constructor and for m_impl.
        * API/ObjCCallbackFunction.mm:
        (CallbackArgumentOfClass::CallbackArgumentOfClass): Streamline this
        class by using RetainPtr<Class>.
        (ArgumentTypeDelegate::typeInteger): Use make_unique.
        (ArgumentTypeDelegate::typeDouble): Ditto.
        (ArgumentTypeDelegate::typeBool): Ditto.
        (ArgumentTypeDelegate::typeVoid): Ditto.
        (ArgumentTypeDelegate::typeId): Ditto.
        (ArgumentTypeDelegate::typeOfClass): Ditto.
        (ArgumentTypeDelegate::typeBlock): Ditto.
        (ArgumentTypeDelegate::typeStruct): Ditto.
        (ResultTypeDelegate::typeInteger): Ditto.
        (ResultTypeDelegate::typeDouble): Ditto.
        (ResultTypeDelegate::typeBool): Ditto.
        (ResultTypeDelegate::typeVoid): Ditto.
        (ResultTypeDelegate::typeId): Ditto.
        (ResultTypeDelegate::typeOfClass): Ditto.
        (ResultTypeDelegate::typeBlock): Ditto.
        (ResultTypeDelegate::typeStruct): Ditto.
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): Use
        unique_ptr for the arguments to the constructor, m_arguments, and m_result.
        Use RetainPtr<Class> for m_instanceClass.
        (JSC::objCCallbackFunctionCallAsConstructor): Use nullptr instead of nil or 0
        for non-Objective-C object pointer null.
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction): Use unique_ptr for
        the arguments to the constructor and for m_impl.
        (JSC::ObjCCallbackFunction::create): Use unique_ptr for arguments.
        (skipNumber): Mark this static since it's local to this source file.
        (objCCallbackFunctionForInvocation): Call parseObjCType without doing any
        explicit adoptPtr since the types in the traits are now unique_ptr. Also use
        nullptr instead of nil for JSObjectRef values.
        (objCCallbackFunctionForMethod): Tweaked comment.
        (objCCallbackFunctionForBlock): Use nullptr instead of 0 for JSObjectRef.

        * bytecode/CallLinkInfo.h: Removed unneeded include of OwnPtr.h.

        * heap/GCThread.cpp:
        (JSC::GCThread::GCThread): Use unique_ptr.
        * heap/GCThread.h: Use unique_ptr for arguments to the constructor and for
        m_slotVisitor and m_copyVisitor.
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData): Ditto.

        * parser/SourceProvider.h: Removed unneeded include of PassOwnPtr.h.

2015-04-19  Benjamin Poulain  <benjamin@webkit.org>

        Improve the feature.json files

        * features.json:

2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Introduce bytecode intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=143926

        Reviewed by Filip Pizlo.

        This patch introduces bytecode level intrinsics into builtins/*.js JS code.
        When implementing functions in builtins/*.js,
        sometimes we require lower level functionality.

        For example, in the current Array.from, we use `result[k] = value`.
        The spec requires `[[DefineOwnProperty]]` operation here.
        However, usual `result[k] = value` is evaluated as `[[Set]]`. (`PutValue` => `[[Set]]`)
        So if we implement `Array.prototype[k]` getter/setter, the difference is observable.

        Ideally, reaching here, we would like to use put_by_val_direct bytecode.
        However, there's no syntax to generate it directly.

        This patch introduces bytecode level intrinsics into JSC BytecodeCompiler.
        Like @call, @apply, we introduce a new node, Intrinsic.
        These are generated when calling appropriate private symbols in privileged code.
        AST parser detects them and generates Intrinsic nodes and
        BytecodeCompiler detects them and generates the required bytecodes.

        Currently, Array.from implementation works fine without this patch.
        This is because when the target code is builtin JS,
        BytecodeGenerator emits put_by_val_direct instead of put_by_val.
        This solves the above issue. However, instead of solving this issue,
        it raises another issue: there's no way to emit `[[Set]]` operation.
        `[[Set]]` operation is actually used in the spec (Array.from's "length" is set by `[[Set]]`).
        So to implement it precisely, introducing bytecode level intrinsics is necessary.

        In the subsequent fixes, we'll remove that special path emitting put_by_val_direct
        for `result[k] = value` under builtin JS environment. Instead of that special handling,
        we will use bytecode intrinsics. It solves problems and it is more intuitive
        because JS code written in builtins works the same as usual JS code.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ArrayConstructor.js:
        (from):
        * bytecode/BytecodeIntrinsicRegistry.cpp: Added.
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h: Added.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/NodeConstructors.h:
        (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
        * parser/Nodes.h:
        (JSC::BytecodeIntrinsicNode::identifier):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        (JSC::CommonIdentifiers::bytecodeIntrinsicRegistry):
        * tests/stress/array-from-with-accessors.js: Added.
        (shouldBe):

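        The observable difference between `[[Set]]` and `[[DefineOwnProperty]]` that the entry
        above describes, as an added JavaScript example. It is not the builtins/ArrayConstructor.js
        code or the page's own stress test: observeSetterHits, fromUsingSet, fromUsingDefine and
        hasOwnIndex are this example's own names, and the accessor installed on Array.prototype
        is a constructed probe that is removed again when the callback returns.

```javascript
// Install an accessor for index "1" on Array.prototype, run `body`, record
// every value that reached the setter, then remove the probe. A store that
// goes through [[Set]] on an array with no own "1" walks the prototype chain
// and hits the setter; [[DefineOwnProperty]] never consults the prototype.
function observeSetterHits(body) {
  const hits = [];
  Object.defineProperty(Array.prototype, '1', {
    configurable: true,
    get() { return undefined; },
    set(v) { hits.push(v); },
  });
  try {
    return { result: body(), hits };
  } finally {
    delete Array.prototype['1'];
  }
}

// Naive builtin body: `result[k] = value` is PutValue -> [[Set]], so the
// prototype accessor is observable and element 1 is never created.
function fromUsingSet(iterable) {
  const result = [];
  let k = 0;
  for (const value of iterable) {
    result[k] = value;
    k++;
  }
  result.length = k;
  return result;
}

// Spec-shaped body: CreateDataPropertyOrThrow ([[DefineOwnProperty]]) for each
// element, and [[Set]] only for "length", which is what put_by_val_direct
// plus an ordinary store to length gives the builtin.
function fromUsingDefine(iterable) {
  const result = [];
  let k = 0;
  for (const value of iterable) {
    Object.defineProperty(result, k, { value, writable: true, enumerable: true, configurable: true });
    k++;
  }
  result.length = k; // intentionally [[Set]], as the spec requires for "length"
  return result;
}

function hasOwnIndex(arr, i) {
  return Object.prototype.hasOwnProperty.call(arr, i);
}
```

        Running both bodies over the constructed input `[10, 20, 30]` with the probe in place
        shows the setter firing once (with 20) for the assignment version and not at all for
        the defineProperty version; the engine's own `Array.from` behaves like the latter.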
2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Make Builtin functions non constructible
        https://bugs.webkit.org/show_bug.cgi?id=143923

        Reviewed by Darin Adler.

        Builtin functions defined by builtins/*.js accidentally have [[Construct]].
        According to the spec, these functions, except for those explicitly defined as constructors, do not have [[Construct]].
        This patch fixes it. When the JS function used for a construction is a builtin function, throw a "not a constructor" error.

        Ideally, returning ConstructTypeNone in JSFunction::getConstructData is enough.
        However, to avoid calling getConstructData (it involves indirect call of function pointer of getConstructData), some places do not check ConstructType.
        In these places, they only check the target function is JSFunction because previously JSFunction always had [[Construct]].
        So in this patch, we check `isBuiltinFunction()` in those places.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getConstructData):
        * tests/stress/builtin-function-is-construct-type-none.js: Added.
        (shouldThrow):

2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement WeakSet
        https://bugs.webkit.org/show_bug.cgi?id=142408

        Reviewed by Darin Adler.

        This patch implements ES6 WeakSet.
        Current implementation simply leverages WeakMapData with undefined value.
        This WeakMapData should be optimized in the same manner as MapData/SetData in the subsequent patch[1].

        And in this patch, we also fix WeakMap/WeakSet behavior to conform to the ES6 spec.
        Except for adders (WeakMap.prototype.set/WeakSet.prototype.add),
        methods return false (or undefined for WeakMap.prototype.get)
        when a key is not an Object instead of throwing a type error.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=143919

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSWeakSet.cpp: Added.
        (JSC::JSWeakSet::finishCreation):
        (JSC::JSWeakSet::visitChildren):
        * runtime/JSWeakSet.h: Added.
        (JSC::JSWeakSet::createStructure):
        (JSC::JSWeakSet::create):
        (JSC::JSWeakSet::weakMapData):
        (JSC::JSWeakSet::JSWeakSet):
        * runtime/WeakMapPrototype.cpp:
        (JSC::getWeakMapData):
        (JSC::protoFuncWeakMapDelete):
        (JSC::protoFuncWeakMapGet):
        (JSC::protoFuncWeakMapHas):
        * runtime/WeakSetConstructor.cpp: Added.
        (JSC::WeakSetConstructor::finishCreation):
        (JSC::callWeakSet):
        (JSC::constructWeakSet):
        (JSC::WeakSetConstructor::getConstructData):
        (JSC::WeakSetConstructor::getCallData):
        * runtime/WeakSetConstructor.h: Added.
        (JSC::WeakSetConstructor::create):
        (JSC::WeakSetConstructor::createStructure):
        (JSC::WeakSetConstructor::WeakSetConstructor):
        * runtime/WeakSetPrototype.cpp: Added.
        (JSC::WeakSetPrototype::finishCreation):
        (JSC::getWeakMapData):
        (JSC::protoFuncWeakSetDelete):
        (JSC::protoFuncWeakSetHas):
        (JSC::protoFuncWeakSetAdd):
        * runtime/WeakSetPrototype.h: Added.
        (JSC::WeakSetPrototype::create):
        (JSC::WeakSetPrototype::createStructure):
        (JSC::WeakSetPrototype::WeakSetPrototype):
        * tests/stress/weak-set-constructor-adder.js: Added.
        (WeakSet.prototype.add):
        * tests/stress/weak-set-constructor.js: Added.

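        A WeakSet modelled on the layout the entry above describes (WeakMap data whose value
        is always undefined) together with the non-object key behaviour it specifies, as an
        added JavaScript example. It is not JSC's implementation: WeakSetOverWeakMap, isObject
        and builtinBehaviourMatches are this example's own names, and it follows the 2015 ES6
        rule that only objects are valid keys (later editions also admit non-registered
        symbols, which is why symbols are left out of the constructed sample values).

```javascript
// ES6 rule modelled here: only objects may be WeakSet values or WeakMap keys.
function isObject(v) {
  return (typeof v === 'object' && v !== null) || typeof v === 'function';
}

// A WeakSet built on a WeakMap whose value slot is always undefined; only the
// presence of the key matters, which is the layout the entry describes.
class WeakSetOverWeakMap {
  constructor(iterable) {
    this._data = new WeakMap();
    if (iterable !== undefined && iterable !== null) {
      for (const v of iterable) this.add(v);
    }
  }

  // The adder is the one method that throws on a non-object.
  add(value) {
    if (!isObject(value)) throw new TypeError('WeakSet value must be an object');
    this._data.set(value, undefined);
    return this;
  }

  // Query methods answer false for a non-object instead of throwing.
  has(value) {
    return isObject(value) ? this._data.has(value) : false;
  }

  delete(value) {
    return isObject(value) ? this._data.delete(value) : false;
  }
}

// Cross-check the engine's WeakSet and WeakMap against the behaviour the entry
// describes: adders throw on non-objects, everything else returns false or undefined.
function builtinBehaviourMatches() {
  const ws = new WeakSet();
  const wm = new WeakMap();
  const nonObjects = [1, 'x', true, undefined, null]; // constructed samples
  for (const k of nonObjects) {
    if (ws.has(k) !== false || ws.delete(k) !== false) return false;
    if (wm.has(k) !== false || wm.get(k) !== undefined || wm.delete(k) !== false) return false;
    let threw = false;
    try { ws.add(k); } catch (e) { threw = e instanceof TypeError; }
    if (!threw) return false;
  }
  return true;
}
```

        The asymmetry is deliberate: a lookup with a primitive can only ever miss, so
        returning false is harmless, whereas an add with a primitive would be a silent bug
        because nothing could ever be retained weakly for it.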
2015-04-17  Alexey Proskuryakov  <ap@apple.com>

        Remove unused BoundsCheckedPointer
        https://bugs.webkit.org/show_bug.cgi?id=143896

        Reviewed by Geoffrey Garen.

        * bytecode/SpeculatedType.cpp: The header was included here.

2015-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Fix name enumeration of static functions for Symbol constructor
        https://bugs.webkit.org/show_bug.cgi?id=143891

        Reviewed by Geoffrey Garen.

        Fix missing symbolPrototypeTable registration to the js class object.
        This patch fixes name enumeration of static functions (Symbol.key, Symbol.keyFor) for Symbol constructor.

        * runtime/SymbolConstructor.cpp:

2015-04-17  Basile Clement  <basile_clement@apple.com>

        Inline JSFunction allocation in DFG
        https://bugs.webkit.org/show_bug.cgi?id=143858

        Reviewed by Filip Pizlo.

        Followup to my previous patch which inlines JSFunction allocation when
        using FTL, now also enabled in DFG.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):

2015-04-16  Jordan Harband  <ljharb@gmail.com>

        Number.parseInt is not === global parseInt in nightly r182673
        https://bugs.webkit.org/show_bug.cgi?id=143799

        Reviewed by Darin Adler.

        Ensuring parseInt === Number.parseInt, per spec
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::parseIntFunction):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):

2015-04-16  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLOOP build after r182927.

        Not reviewed.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::print):

2015-04-16  Basile Clement  <basile_clement@apple.com>

        Inline JSFunction allocation in FTL
        https://bugs.webkit.org/show_bug.cgi?id=143851

        Reviewed by Filip Pizlo.

        JSFunction allocation is a simple operation that should be inlined when possible.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationSize):

2015-04-16  Mark Lam  <mark.lam@apple.com>

        Add $vm debugging tool.
        https://bugs.webkit.org/show_bug.cgi?id=143809

        Reviewed by Geoffrey Garen.

        For debugging VM bugs, it would be useful to be able to dump VM data structures
        from JS code that we instrument.  To this end, let's introduce a
        JS_enableDollarVM option that, if true, installs an $vm property into each JS
        global object at creation time.  The $vm property refers to an object that
        provides a collection of useful utility functions.  For this initial
        implementation, $vm will have the following:

            crash() - trigger an intentional crash.

            dfgTrue() - returns true if the current function is DFG compiled, else returns false.
            jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
            llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.

            gc() - runs a full GC.
731             edenGC() - runs an eden GC.
732
733             codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
734             printSourceFor(codeBlock) - prints the source code for the codeBlock.
735             printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.
736
737             print(str) - prints a string to dataLog output.
738             printCallFrame() - prints the current CallFrame.
739             printStack() - prints the JS stack.
740             printInternal(value) - prints the JSC internal info for the specified value.
741
742         With JS_enableDollarVM=true, JS code can use the above functions like so:
743
744             $vm.print("Using $vm features\n");
745
746         * CMakeLists.txt:
747         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
748         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
749         * JavaScriptCore.xcodeproj/project.pbxproj:
750         * bytecode/CodeBlock.cpp:
751         (JSC::CodeBlock::printCallOp):
752         - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
753           Hence, we skip this step if we're dumping an FTL codeBlock.
754
755         * heap/Heap.cpp:
756         (JSC::Heap::collectAndSweep):
757         (JSC::Heap::collectAllGarbage): Deleted.
758         * heap/Heap.h:
759         (JSC::Heap::collectAllGarbage):
760         - Add ability to do an Eden collection and sweep.
761
762         * interpreter/StackVisitor.cpp:
763         (JSC::printIndents):
764         (JSC::log):
765         (JSC::logF):
766         (JSC::StackVisitor::Frame::print):
767         (JSC::jitTypeName): Deleted.
768         (JSC::printif): Deleted.
769         - Modernize the implementation of StackVisitor::Frame::print(), and remove some
770           now redundant code.
771         - Also fix it so that it downgrades gracefully when encountering inlined DFG
772           and compiled FTL functions.
773
774         (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
775         (DebugPrintFrameFunctor::operator()): Deleted.
776         (debugPrintCallFrame): Deleted.
777         (debugPrintStack): Deleted.
778         - these have been moved into JSDollarVMPrototype.cpp. 
779
780         * interpreter/StackVisitor.h:
781         - StackVisitor::Frame::print() is now enabled for release builds as well so that
782           we can call it from $vm.
783
784         * runtime/JSGlobalObject.cpp:
785         (JSC::JSGlobalObject::init):
786         (JSC::JSGlobalObject::visitChildren):
787         * runtime/JSGlobalObject.h:
788         - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
789           option.
790
791         * runtime/Options.h:
792         - Added the JSC_enableDollarVM option.
793
794         * tools/JSDollarVM.cpp: Added.
795         * tools/JSDollarVM.h: Added.
796         (JSC::JSDollarVM::createStructure):
797         (JSC::JSDollarVM::create):
798         (JSC::JSDollarVM::JSDollarVM):
799
800         * tools/JSDollarVMPrototype.cpp: Added.
801         - This file contains 2 sets of functions:
802
803           a. a C++ implementation of debugging utility functions that are callable when
804              doing debugging from lldb.  To the extent possible, these functions try to
805              be cautious and not cause unintended crashes should the user call them with
806              the wrong info.  Hence, they are designed to be robust rather than speedy.
807
808           b. the native implementations of JS functions in the $vm object.  Where there
809              is overlapping functionality, these are built on top of the C++ functions
810              above to do the work.
811
812           Note: it does not make sense for all of the $vm functions to have a C++
813           counterpart for lldb debugging.  For example, the $vm.dfgTrue() function is
814           only useful for JS code, and works via the DFG intrinsics mechanism.
815           When doing debugging via lldb, the optimization level of the currently
816           executing JS function can be gotten by dumping the current CallFrame instead.
817
818         (JSC::currentThreadOwnsJSLock):
819         (JSC::ensureCurrentThreadOwnsJSLock):
820         (JSC::JSDollarVMPrototype::addFunction):
821         (JSC::functionCrash): - $vm.crash()
822         (JSC::functionDFGTrue): - $vm.dfgTrue()
823         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
824         (JSC::CallerFrameJITTypeFunctor::operator()):
825         (JSC::CallerFrameJITTypeFunctor::jitType):
826         (JSC::functionLLintTrue): - $vm.llintTrue()
827         (JSC::functionJITTrue): - $vm.jitTrue()
828         (JSC::gc):
829         (JSC::functionGC): - $vm.gc()
830         (JSC::edenGC):
831         (JSC::functionEdenGC): - $vm.edenGC()
832         (JSC::isValidCodeBlock):
833         (JSC::codeBlockForFrame):
834         (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
835         (JSC::codeBlockFromArg):
836         (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
837         (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
838         (JSC::functionPrint): - $vm.print(str)
839         (JSC::PrintFrameFunctor::PrintFrameFunctor):
840         (JSC::PrintFrameFunctor::operator()):
841         (JSC::printCallFrame):
842         (JSC::printStack):
843         (JSC::functionPrintCallFrame): - $vm.printCallFrame()
844         (JSC::functionPrintStack): - $vm.printStack()
845         (JSC::printValue):
846         (JSC::functionPrintValue): - $vm.printValue()
847         (JSC::JSDollarVMPrototype::finishCreation):
848         * tools/JSDollarVMPrototype.h: Added.
849         (JSC::JSDollarVMPrototype::create):
850         (JSC::JSDollarVMPrototype::createStructure):
851         (JSC::JSDollarVMPrototype::JSDollarVMPrototype):
852
853 2015-04-16  Geoffrey Garen  <ggaren@apple.com>
854
855         Speculative fix after r182915
856         https://bugs.webkit.org/show_bug.cgi?id=143404
857
858         Reviewed by Alexey Proskuryakov.
859
860         * runtime/SymbolConstructor.h:
861
862 2015-04-16  Mark Lam  <mark.lam@apple.com>
863
864         Fixed some typos in a comment.
865
866         Not reviewed.
867
868         * dfg/DFGGenerationInfo.h:
869
870 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
871
872         [ES6] Implement Symbol.for and Symbol.keyFor
873         https://bugs.webkit.org/show_bug.cgi?id=143404
874
875         Reviewed by Geoffrey Garen.
876
877         This patch implements Symbol.for and Symbol.keyFor.
878         SymbolRegistry maintains registered StringImpl* symbols.
879         And to make this mapping enabled over realms,
880         VM owns this mapping (not JSGlobalObject).
881
882         While there's Default AtomicStringTable per thread,
883         SymbolRegistry should not exist over VMs.
884         So every time a VM is created, a SymbolRegistry is also created.
885
886         In SymbolRegistry implementation, we don't leverage WeakGCMap (or weak reference design).
887         There are several reasons.
888         1. StringImpl* which represents identity of Symbols is not GC-managed object.
889            So we cannot use WeakGCMap directly.
890            While Symbol* is a GC-managed object, holding a weak reference to a Symbol* doesn't maintain the liveness of JS symbols (the primitive values exposed to users),
891            because distinct Symbol* can exist.
892            A distinct Symbol* means a Symbol* object whose pointer value (Symbol*) is different from the weakly referenced Symbol* but whose held StringImpl* is the same.
893
894         2. We don't use WTF::WeakPtr. If we add WeakPtrFactory into StringImpl's member, we can track StringImpl*'s liveness by WeakPtr.
895            However, there's a problem about when we prune stale entries in SymbolRegistry.
896            Since the memory allocated for the Symbol is typically occupied by the allocated symbolized StringImpl*'s content,
897            and it is not in the GC heap,
898            while heavily registering Symbols and storing StringImpl* into SymbolRegistry, Heap's EdenSpace is not so occupied.
899            So GC typically attempts to perform EdenCollection, and it doesn't call WeakGCMap's pruneStaleEntries callback.
900            As a result, before pruning stale entries in SymbolRegistry, fast malloc-ed memory fills up the system memory.
901
902         So instead of using a weak reference, we take a relatively easy design.
903         When we register a symbolized StringImpl* into SymbolRegistry, the symbolized StringImpl* is aware of that.
904         And when it is destructed, it removes its reference from SymbolRegistry, as an atomic StringImpl does with AtomicStringTable.
905
906         * CMakeLists.txt:
907         * DerivedSources.make:
908         * runtime/SymbolConstructor.cpp:
909         (JSC::SymbolConstructor::getOwnPropertySlot):
910         (JSC::symbolConstructorFor):
911         (JSC::symbolConstructorKeyFor):
912         * runtime/SymbolConstructor.h:
913         * runtime/VM.cpp:
914         * runtime/VM.h:
915         (JSC::VM::symbolRegistry):
916         * tests/stress/symbol-registry.js: Added.
917         (test):
918
919 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
920
921         [ES6] Use specific functions for @@iterator functions
922         https://bugs.webkit.org/show_bug.cgi?id=143838
923
924         Reviewed by Geoffrey Garen.
925
926         In ES6, some methods are defined with different names.
927
928         For example,
929
930         Map.prototype[Symbol.iterator] === Map.prototype.entries
931         Set.prototype[Symbol.iterator] === Set.prototype.values
932         Array.prototype[Symbol.iterator] === Array.prototype.values
933         %Arguments%[Symbol.iterator] === Array.prototype.values
934
935         However, current implementation creates different function objects per name.
936         This patch fixes it by setting the object that is used for the other method to @@iterator.
937         e.g. Setting Array.prototype.values function object to Array.prototype[Symbol.iterator].
938
939         And we drop Arguments' iterator implementation and replace the Arguments[@@iterator] implementation
940         with Array.prototype.values to conform to the spec.
941
942         * CMakeLists.txt:
943         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
944         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
945         * JavaScriptCore.xcodeproj/project.pbxproj:
946         * inspector/JSInjectedScriptHost.cpp:
947         (Inspector::JSInjectedScriptHost::subtype):
948         (Inspector::JSInjectedScriptHost::getInternalProperties):
949         (Inspector::JSInjectedScriptHost::iteratorEntries):
950         * runtime/ArgumentsIteratorConstructor.cpp: Removed.
951         * runtime/ArgumentsIteratorConstructor.h: Removed.
952         * runtime/ArgumentsIteratorPrototype.cpp: Removed.
953         * runtime/ArgumentsIteratorPrototype.h: Removed.
954         * runtime/ArrayPrototype.cpp:
955         (JSC::ArrayPrototype::finishCreation):
956         * runtime/ArrayPrototype.h:
957         * runtime/ClonedArguments.cpp:
958         (JSC::ClonedArguments::getOwnPropertySlot):
959         (JSC::ClonedArguments::put):
960         (JSC::ClonedArguments::deleteProperty):
961         (JSC::ClonedArguments::defineOwnProperty):
962         (JSC::ClonedArguments::materializeSpecials):
963         * runtime/ClonedArguments.h:
964         * runtime/CommonIdentifiers.h:
965         * runtime/DirectArguments.cpp:
966         (JSC::DirectArguments::overrideThings):
967         * runtime/GenericArgumentsInlines.h:
968         (JSC::GenericArguments<Type>::getOwnPropertySlot):
969         (JSC::GenericArguments<Type>::getOwnPropertyNames):
970         (JSC::GenericArguments<Type>::put):
971         (JSC::GenericArguments<Type>::deleteProperty):
972         (JSC::GenericArguments<Type>::defineOwnProperty):
973         * runtime/JSArgumentsIterator.cpp: Removed.
974         * runtime/JSArgumentsIterator.h: Removed.
975         * runtime/JSGlobalObject.cpp:
976         (JSC::JSGlobalObject::init):
977         (JSC::JSGlobalObject::visitChildren):
978         * runtime/JSGlobalObject.h:
979         (JSC::JSGlobalObject::arrayProtoValuesFunction):
980         * runtime/MapPrototype.cpp:
981         (JSC::MapPrototype::finishCreation):
982         * runtime/ScopedArguments.cpp:
983         (JSC::ScopedArguments::overrideThings):
984         * runtime/SetPrototype.cpp:
985         (JSC::SetPrototype::finishCreation):
986         * tests/stress/arguments-iterator.js: Added.
987         (test):
988         (testArguments):
989         * tests/stress/iterator-functions.js: Added.
990         (test):
991         (argumentsTests):
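
        The identities listed above, written as a startup integrity check that a page or
        library can run to notice when one of these iteration methods has been replaced.
        This is an added example, not code from JavaScriptCore or from the tests added by
        this patch; the "Fake.prototype" table entry is a constructed sample used to show
        what a broken alias looks like to the check.

```javascript
'use strict';
// Added example (not JavaScriptCore code): verifies the @@iterator aliases the
// entry above establishes, and reports any that no longer hold.

// Per ES6, @@iterator on each of these objects must be the very same function
// object as the named method (not a second function with the same behaviour),
// and that function must be native.
const DEFAULT_TABLE = [
  ['Map.prototype', Map.prototype, 'entries'],
  ['Set.prototype', Set.prototype, 'values'],
  ['Array.prototype', Array.prototype, 'values'],
];

// Function.prototype.toString is used directly so an overridden toString on
// the function itself cannot hide a non-native replacement.
function isNative(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Returns a list of problems; an empty list means every alias holds.
function checkIteratorAliases(table = DEFAULT_TABLE) {
  const problems = [];
  for (const [name, obj, method] of table) {
    const iter = obj[Symbol.iterator];
    if (iter !== obj[method])
      problems.push(`${name}[Symbol.iterator] !== ${name}.${method}`);
    if (!isNative(iter))
      problems.push(`${name}[Symbol.iterator] is not native code`);
  }
  return problems;
}

// The arguments object has no iterator method of its own to alias; the spec
// makes it share Array.prototype.values directly.
function argumentsUsesArrayValues() {
  const args = (function () { return arguments; })();
  return args[Symbol.iterator] === Array.prototype.values;
}

// Constructed sample for the test: a wrapper around the real iterator breaks
// identity and is not native, which is exactly what the check should flag.
function tamperedTable() {
  const fake = { values: Array.prototype.values };
  fake[Symbol.iterator] = function values() { return fake.values.call(this); };
  return [['Fake.prototype', fake, 'values']];
}

module.exports = { checkIteratorAliases, argumentsUsesArrayValues, tamperedTable, isNative };
```

        Because @@iterator and the named method are one object, freezing or pinning one
        covers the other; a check like this one is how you notice when they have drifted
        apart, which is the symptom of a replaced iteration method.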
992
993 2015-04-14  Mark Lam  <mark.lam@apple.com>
994
995         Add JSC_functionOverrides=<overrides file> debugging tool.
996         https://bugs.webkit.org/show_bug.cgi?id=143717
997
998         Reviewed by Geoffrey Garen.
999
1000         This tool allows us to do runtime replacement of function bodies with alternatives
1001         for debugging purposes.  For example, this is useful when we need to debug VM bugs
1002         which manifest in scripts executing in webpages downloaded from remote servers
1003         that we don't control.  The tool allows us to augment those scripts with logging
1004         or test code to help isolate the bugs.
1005
1006         This tool works by substituting the SourceCode at FunctionExecutable creation
1007         time.  It identifies which SourceCode to substitute by comparing the source
1008         string against keys in a set of key value pairs.
1009
1010         The keys are function body strings defined by 'override' clauses in the overrides
1011         file specified in the JSC_functionOverrides option.  The values are function
1012         body strings defined by 'with' clauses in the overrides file.
1013         See comment blob at top of FunctionOverrides.cpp on the formatting
1014         of the overrides file.
1015
1016         At FunctionExecutable creation time, if the SourceCode string matches one of the
1017         'override' keys from the overrides file, the tool will replace the SourceCode with
1018         a new one based on the corresponding 'with' value string.  The FunctionExecutable
1019         will then be created with the new SourceCode instead.
1020
1021         Some design decisions:
1022         1. We opted to require that the 'with' clause appear on a separate line from the
1023            'override' clause because this makes it easier to read and write when the
1024            'override' clause's function body is single lined and long.
1025
1026         2. The user can use any sequence of characters for the delimiter (except for '{',
1027            '}' and white space characters) because this ensures that there can always be
1028            some delimiter pattern that does not appear in the function body in the clause
1029            e.g. in the body of strings in the JS code.
1030
1031            '{' and '}' are disallowed because they are used to mark the boundaries of the
1032            function body string.  White space characters are disallowed because they can
1033            be error prone (the user may not be able to tell between spaces and tabs).
1034
1035         3. The start and end delimiter must be an identical sequence of characters.
1036
1037            I had considered allowing the use of complementary characters like <>, [], and
1038            () for making delimiter pairs like:
1039                [[[[ ... ]]]]
1040                <[([( ... )])]>
1041
1042            But in the end, decided against it because:
1043            a. These sequences of complementary characters can exist in JS code.
1044               In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
1045               code.
1046            b. It can be error prone for the user to have to type the exact complement
1047               character for the end delimiter in reverse order.
1048               In contrast, a repeating delimiter like %%%% is much easier to type and
1049               less error prone.  Even a sequence like @#$%^ is less error prone than
1050               a complementary sequence because it can be copy-pasted, and need not be
1051               typed in reverse order.
1052            c. It is easier to parse for the same delimiter string for both start and end.
1053
1054         4. The tool does a lot of checks for syntax errors in the overrides file because
1055            we don't want any overrides to fail silently.  If a syntax error is detected,
1056            the tool will print an error message and call exit().  This avoids the user
1057            wasting time doing debugging only to be surprised later that their specified
1058            overrides did not take effect because of some unnoticed typo.
1059
1060         * CMakeLists.txt:
1061         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1062         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1063         * JavaScriptCore.xcodeproj/project.pbxproj:
1064         * bytecode/UnlinkedCodeBlock.cpp:
1065         (JSC::UnlinkedFunctionExecutable::link):
1066         * runtime/Executable.h:
1067         * runtime/Options.h:
1068         * tools/FunctionOverrides.cpp: Added.
1069         (JSC::FunctionOverrides::overrides):
1070         (JSC::FunctionOverrides::FunctionOverrides):
1071         (JSC::initializeOverrideInfo):
1072         (JSC::FunctionOverrides::initializeOverrideFor):
1073         (JSC::hasDisallowedCharacters):
1074         (JSC::parseClause):
1075         (JSC::FunctionOverrides::parseOverridesInFile):
1076         * tools/FunctionOverrides.h: Added.
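
        A parser that applies the four design rules above, as an added example that is not
        JavaScriptCore's FunctionOverrides.cpp. The exact clause layout is not spelled out
        in this entry, so the layout assumed here is

            override <delimiter>{ function body }<delimiter>
            with <delimiter>{ function body }<delimiter>

        and the sample overrides file is constructed for the demonstration. One deliberate
        difference: where the tool prints an error and calls exit(), this parser throws, so
        the caller decides how to fail.

```javascript
'use strict';
// Added example (not JavaScriptCore code): parses an overrides file under the
// rules listed in the entry above and performs the same exact-match
// substitution the tool applies at FunctionExecutable creation time.

class OverridesSyntaxError extends Error {}

function lineOf(text, pos) {
  return text.slice(0, pos).split('\n').length;
}

function fail(text, pos, message) {
  throw new OverridesSyntaxError(`line ${lineOf(text, pos)}: ${message}`);
}

function skipWhitespace(text, pos) {
  while (pos < text.length && /\s/.test(text[pos])) pos++;
  return pos;
}

// Parses one "<keyword> <delim>{ body }<delim>" clause starting at pos.
function parseClause(text, pos, keyword) {
  pos = skipWhitespace(text, pos);
  if (!text.startsWith(keyword, pos) || !/\s/.test(text[pos + keyword.length] || ''))
    fail(text, pos, `expected '${keyword}' clause`);
  pos = skipWhitespace(text, pos + keyword.length);
  const open = text.indexOf('{', pos);
  if (open < 0) fail(text, pos, `expected '{' after '${keyword}' delimiter`);
  const delimiter = text.slice(pos, open);
  // Rule 2: the delimiter is any non-empty run of characters other than '{',
  // '}' and white space. '{' cannot occur here because the delimiter ends at
  // the first one; the other two are rejected explicitly.
  if (delimiter.length === 0) fail(text, pos, `missing delimiter after '${keyword}'`);
  if (/[\s}]/.test(delimiter))
    fail(text, pos, `delimiter '${delimiter}' contains white space or '}'`);
  // Rule 3: the end delimiter is the identical sequence, immediately after '}'.
  const close = text.indexOf('}' + delimiter, open + 1);
  if (close < 0) fail(text, open, `unterminated body: expected '}${delimiter}'`);
  return { body: text.slice(open + 1, close), end: close + 1 + delimiter.length };
}

// Returns a Map from 'override' body string to 'with' body string, or throws
// an OverridesSyntaxError (rule 4: nothing fails silently).
function parseOverrides(text) {
  const overrides = new Map();
  let pos = 0;
  for (;;) {
    pos = skipWhitespace(text, pos);
    if (pos >= text.length) break;
    const o = parseClause(text, pos, 'override');
    // Rule 1: the 'with' clause must start on a later line than the
    // 'override' clause ended on.
    const next = skipWhitespace(text, o.end);
    if (!text.slice(o.end, next).includes('\n'))
      fail(text, o.end, `'with' clause must be on its own line`);
    const w = parseClause(text, next, 'with');
    overrides.set(o.body, w.body);
    pos = w.end;
  }
  return overrides;
}

// The substitution step: only an exact match of the body string is replaced.
function substituteBody(overrides, body) {
  return overrides.has(body) ? overrides.get(body) : body;
}

// Constructed sample overrides file (not from the project).
const SAMPLE = [
  'override %%%{ return a + b; }%%%',
  'with %%%{ log("add called"); return a + b; }%%%',
  '',
  'override @@{ return this.value; }@@',
  'with @@{ return 42; }@@',
].join('\n');

module.exports = { OverridesSyntaxError, parseOverrides, substituteBody, SAMPLE };
```

        The body string is kept exactly as it appears between the braces, white space
        included, because the tool matches the whole SourceCode string and a trimmed key
        would silently fail to match, which is the outcome rule 4 is meant to prevent.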
1077
1078 2015-04-16  Basile Clement  <basile_clement@apple.com>
1079  
1080         Extract the allocation profile from JSFunction into a rare object
1081         https://bugs.webkit.org/show_bug.cgi?id=143807
1082  
1083         Reviewed by Filip Pizlo.
1084  
1085         The allocation profile is only needed for those functions that are used
1086         to create objects with [new].
1087         Extracting it into its own JSCell removes the need for JSFunction and
1088         JSCallee to be JSDestructibleObjects, which should improve performance in most
1089         cases at the cost of an extra pointer dereference when the allocation profile
1090         is actually needed.
1091  
1092         * CMakeLists.txt:
1093         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1094         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1095         * JavaScriptCore.xcodeproj/project.pbxproj:
1096         * dfg/DFGOperations.cpp:
1097         * dfg/DFGSpeculativeJIT32_64.cpp:
1098         (JSC::DFG::SpeculativeJIT::compile):
1099         * dfg/DFGSpeculativeJIT64.cpp:
1100         (JSC::DFG::SpeculativeJIT::compile):
1101         * jit/JITOpcodes.cpp:
1102         (JSC::JIT::emit_op_create_this):
1103         * jit/JITOpcodes32_64.cpp:
1104         (JSC::JIT::emit_op_create_this):
1105         * llint/LowLevelInterpreter32_64.asm:
1106         * llint/LowLevelInterpreter64.asm:
1107         * runtime/CommonSlowPaths.cpp:
1108         (JSC::SLOW_PATH_DECL):
1109         * runtime/FunctionRareData.cpp: Added.
1110         (JSC::FunctionRareData::create):
1111         (JSC::FunctionRareData::destroy):
1112         (JSC::FunctionRareData::createStructure):
1113         (JSC::FunctionRareData::visitChildren):
1114         (JSC::FunctionRareData::FunctionRareData):
1115         (JSC::FunctionRareData::~FunctionRareData):
1116         (JSC::FunctionRareData::finishCreation):
1117         * runtime/FunctionRareData.h: Added.
1118         (JSC::FunctionRareData::offsetOfAllocationProfile):
1119         (JSC::FunctionRareData::allocationProfile):
1120         (JSC::FunctionRareData::allocationStructure):
1121         (JSC::FunctionRareData::allocationProfileWatchpointSet):
1122         * runtime/JSBoundFunction.cpp:
1123         (JSC::JSBoundFunction::destroy): Deleted.
1124         * runtime/JSBoundFunction.h:
1125         * runtime/JSCallee.cpp:
1126         (JSC::JSCallee::destroy): Deleted.
1127         * runtime/JSCallee.h:
1128         * runtime/JSFunction.cpp:
1129         (JSC::JSFunction::JSFunction):
1130         (JSC::JSFunction::createRareData):
1131         (JSC::JSFunction::visitChildren):
1132         (JSC::JSFunction::put):
1133         (JSC::JSFunction::defineOwnProperty):
1134         (JSC::JSFunction::destroy): Deleted.
1135         (JSC::JSFunction::createAllocationProfile): Deleted.
1136         * runtime/JSFunction.h:
1137         (JSC::JSFunction::offsetOfRareData):
1138         (JSC::JSFunction::rareData):
1139         (JSC::JSFunction::allocationStructure):
1140         (JSC::JSFunction::allocationProfileWatchpointSet):
1141         (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
1142         (JSC::JSFunction::allocationProfile): Deleted.
1143         * runtime/JSFunctionInlines.h:
1144         (JSC::JSFunction::JSFunction):
1145         * runtime/VM.cpp:
1146         (JSC::VM::VM):
1147         * runtime/VM.h:
1148  
1149 2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>
1150
1151         Remove the unnecessary WTF_CHANGES define
1152         https://bugs.webkit.org/show_bug.cgi?id=143825
1153
1154         Reviewed by Andreas Kling.
1155
1156         * config.h:
1157
1158 2015-04-15  Andreas Kling  <akling@apple.com>
1159
1160         Make MarkedBlock and WeakBlock 4x smaller.
1161         <https://webkit.org/b/143802>
1162
1163         Reviewed by Mark Hahnenberg.
1164
1165         To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
1166         and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.
1167
1168         In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
1169         Some examples:
1170
1171                    apple.com:  6.3MB ->  5.5MB (14.5% smaller)
1172                   reddit.com:  4.5MB ->  4.1MB ( 9.7% smaller)
1173                  twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
1174             cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)
1175
1176         Benchmarks look mostly neutral.
1177         Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.
1178
1179         * heap/MarkedBlock.h:
1180         * heap/WeakBlock.h:
1181         * llint/LLIntData.cpp:
1182         (JSC::LLInt::Data::performAssertions):
1183         * llint/LowLevelInterpreter.asm:
1184
1185 2015-04-15  Jordan Harband  <ljharb@gmail.com>
1186
1187         String.prototype.startsWith/endsWith/includes have wrong length in r182673
1188         https://bugs.webkit.org/show_bug.cgi?id=143659
1189
1190         Reviewed by Benjamin Poulain.
1191
1192         Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
1193         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
1194         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
1195         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
1196
1197         * runtime/StringPrototype.cpp:
1198         (JSC::StringPrototype::finishCreation):
1199
1200 2015-04-15  Mark Lam  <mark.lam@apple.com>
1201
1202         Remove obsolete VMInspector debugging tool.
1203         https://bugs.webkit.org/show_bug.cgi?id=143798
1204
1205         Reviewed by Michael Saboff.
1206
1207         I added the VMInspector tool 3 years ago to aid in VM hacking work.  Some of it
1208         has bit rotted, and now the VM also has better ways to achieve its functionality.
1209         Hence this code is now obsolete and should be removed.
1210
1211         * CMakeLists.txt:
1212         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1213         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1214         * JavaScriptCore.xcodeproj/project.pbxproj:
1215         * interpreter/CallFrame.h:
1216         * interpreter/VMInspector.cpp: Removed.
1217         * interpreter/VMInspector.h: Removed.
1218         * llint/LowLevelInterpreter.cpp:
1219
1220 2015-04-15  Jordan Harband  <ljharb@gmail.com>
1221
1222         Math.imul has wrong length in Safari 8.0.4
1223         https://bugs.webkit.org/show_bug.cgi?id=143658
1224
1225         Reviewed by Benjamin Poulain.
1226
1227         Correcting function length from 1 to 2, to match spec
1228         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul
1229
1230         * runtime/MathObject.cpp:
1231         (JSC::MathObject::finishCreation):
1232
1233 2015-04-15  Jordan Harband  <ljharb@gmail.com>
1234
1235         Number.parseInt in nightly r182673 has wrong length
1236         https://bugs.webkit.org/show_bug.cgi?id=143657
1237
1238         Reviewed by Benjamin Poulain.
1239
1240         Correcting function length from 1 to 2, to match spec
1241         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
1242
1243         * runtime/NumberConstructor.cpp:
1244         (JSC::NumberConstructor::finishCreation):
1245
1246 2015-04-15  Filip Pizlo  <fpizlo@apple.com>
1247
1248         Harden DFGForAllKills
1249         https://bugs.webkit.org/show_bug.cgi?id=143792
1250
1251         Reviewed by Geoffrey Garen.
1252         
1253         Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
1254         bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.
1255         
1256         Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
1257         that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:
1258         
1259         - It looks for kill sites at forExit origin boundaries. But, something might have been killed
1260           by an operation that was logically in between the forExit origins at the boundary, but was
1261           removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
1262           gaps.
1263         
1264         - It overlooked the fact that a MovHint that addresses a local that is always live kills that
1265           local. For example, storing to an argument means that the prior value of the argument is
1266           killed.
1267         
1268         This fixes the analysis by making it handle MovHints directly, and making it define kills in
1269         the most conservative way possible: it asks if you were live before but dead after. If we
1270         have the compile time budget to afford this more direct approach, then it's definitely a good
1271         idea since it's so fool-proof.
1272
1273         * dfg/DFGArgumentsEliminationPhase.cpp:
1274         * dfg/DFGForAllKills.h:
1275         (JSC::DFG::forAllKilledOperands):
1276         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1277         (JSC::DFG::forAllDirectlyKilledOperands): Deleted.
1278
1279 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1280
1281         Provide SPI to allow changing whether JSContexts are remote debuggable by default
1282         https://bugs.webkit.org/show_bug.cgi?id=143681
1283
1284         Reviewed by Darin Adler.
1285
1286         * API/JSRemoteInspector.h:
1287         * API/JSRemoteInspector.cpp:
1288         (JSRemoteInspectorGetInspectionEnabledByDefault):
1289         (JSRemoteInspectorSetInspectionEnabledByDefault):
1290         Provide SPI to toggle the default enabled inspection state of debuggables.
1291
1292         * API/JSContextRef.cpp:
1293         (JSGlobalContextCreateInGroup):
1294         Respect the default setting.
1295
1296 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1297
1298         JavaScriptCore: Use kCFAllocatorDefault where possible
1299         https://bugs.webkit.org/show_bug.cgi?id=143747
1300
1301         Reviewed by Darin Adler.
1302
1303         * heap/HeapTimer.cpp:
1304         (JSC::HeapTimer::HeapTimer):
1305         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1306         (Inspector::RemoteInspectorInitializeGlobalQueue):
1307         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
1308         For consistency and readability use the constant instead of
1309         different representations of null.
1310
1311 2015-04-14  Michael Saboff  <msaboff@apple.com>
1312
1313         Remove JavaScriptCoreUseJIT default from JavaScriptCore
1314         https://bugs.webkit.org/show_bug.cgi?id=143746
1315
1316         Reviewed by Mark Lam.
1317
1318         * runtime/VM.cpp:
1319         (JSC::enableAssembler):
1320
1321 2015-04-14  Chris Dumez  <cdumez@apple.com>
1322
1323         Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
1324         https://bugs.webkit.org/show_bug.cgi?id=143745
1325         <rdar://problem/20243916>
1326
1327         Reviewed by Joseph Pecoraro.
1328
1329         Add assertion in ContentSearchUtilities::findMagicComment() to make
1330         sure the content String is not null or we would crash in
1331         JSC::Yarr::interpret() later.
1332
1333         * inspector/ContentSearchUtilities.cpp:
1334         (Inspector::ContentSearchUtilities::findMagicComment):
1335
1336 2015-04-14  Michael Saboff  <msaboff@apple.com>
1337
1338         DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
1339         https://bugs.webkit.org/show_bug.cgi?id=143727
1340
1341         Reviewed by Geoffrey Garen.
1342
1343         Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
1344         with the requested fill format.  If filter() reports a contradiction, then we force an OSR exit.
1345         Removed individual checks made redundant by the new check.
1346
1347         * dfg/DFGSpeculativeJIT32_64.cpp:
1348         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1349         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1350         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1351         * dfg/DFGSpeculativeJIT64.cpp:
1352         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1353         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1354         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1355         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1356
1357 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1358
1359         Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
1360         https://bugs.webkit.org/show_bug.cgi?id=143691
1361
1362         Reviewed by Geoffrey Garen.
1363
1364         * API/JSRemoteInspector.h:
1365         * API/JSRemoteInspector.cpp:
1366         (JSRemoteInspectorSetLogToSystemConsole):
1367         Add SPI to enable/disable logging to the system console.
1368         This only affects JSContext `console` logs and warnings.
1369
1370         * inspector/JSGlobalObjectConsoleClient.h:
1371         * inspector/JSGlobalObjectConsoleClient.cpp:
1372         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
1373         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
1374         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
1375         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
1376         Simplify access to the setting now that it doesn't need to
1377         initialize its value from preferences.
1378
1379 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1380
1381         Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
1382         https://bugs.webkit.org/show_bug.cgi?id=143682
1383
1384         Reviewed by Timothy Hatcher.
1385
1386         * inspector/remote/RemoteInspector.mm:
1387         (Inspector::RemoteInspector::singleton):
1388         If we are on the main thread, run the initialization immediately.
1389         Otherwise dispatch to the main thread. This way if the first JSContext
1390         was created on the main thread it can get auto-attached if applicable.
1391
1392 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1393
1394         Unreviewed build fix for Mavericks.
1395
1396         Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
1397         so the Inspector namespace is not available when compiling this file.
1398
1399         * API/JSRemoteInspector.cpp:
1400
1401 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1402
1403         Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
1404         https://bugs.webkit.org/show_bug.cgi?id=143729
1405
1406         Reviewed by Timothy Hatcher.
1407
1408         * API/JSRemoteInspector.h: Added.
1409         * API/JSRemoteInspector.cpp: Added.
1410         (JSRemoteInspectorDisableAutoStart):
1411         (JSRemoteInspectorStart):
1412         (JSRemoteInspectorSetParentProcessInformation):
1413         Add the new SPIs for basic remote inspection behavior.
1414
1415         * JavaScriptCore.xcodeproj/project.pbxproj:
1416         Add the new files to Mac only, since remote inspection is only
1417         enabled there anyway.
1418
1419 2015-04-14  Mark Lam  <mark.lam@apple.com>
1420
1421         Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
1422         https://bugs.webkit.org/show_bug.cgi?id=143722
1423
1424         Reviewed by Michael Saboff.
1425
1426         Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
1427         shorter, and easier to remember (without having to look it up) and to
1428         type.  JSC options now support descriptions, and one can always look up
1429         the description if the option's purpose is not already obvious.
1430
1431         * dfg/DFGFunctionWhitelist.cpp:
1432         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1433         (JSC::DFG::FunctionWhitelist::contains):
1434         * runtime/Options.h:
1435
1436 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
1437
1438         Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
1439
1440         * runtime/InferredValue.h:
1441
1442 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
1443
1444         Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
1445
1446         * runtime/InferredValue.h:
1447
1448 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1449
1450         JSC should detect singleton functions
1451         https://bugs.webkit.org/show_bug.cgi?id=143232
1452
1453         Reviewed by Geoffrey Garen.
1454         
1455         This started out as an attempt to make constructors faster by detecting when a constructor is a
1456         singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
1457         along with an inferred value - that detects if only one JSFunction has been allocated for that
1458         executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
1459         if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
1460         we can constant-fold GetCallee.
1461         
1462         Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
1463         process I realized a bunch of things:
1464         
1465         - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
1466           had even in code where our singleton-closure detection worked. That's because singleton-closure
1467           inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
1468           the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
1469           disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
1470           values.
1471           
1472         - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
1473           created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
1474           FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
1475         
1476         - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
1477           detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
1478           about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
1479           SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
1480           First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
1481           scope. This saves compile time and allows prediction propagation to benefit from the
1482           constant folding. Second, it means that we will detect a singleton scope even if it is
1483           referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
1484           allows us to eliminate the function reentry watchpoint.
1485         
1486         - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
1487           constant values in scopes. Previously when the DFG inferred that a closure variable was
1488           constant, it wouldn't know which closure that variable was in and so it couldn't just load that
1489           value. But now we are first inferring that the function is a singleton, which means that we
1490           know exactly what scope it points to, and we can load the value from the scope. Using a
1491           WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
1492           code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
1493           I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
1494           FunctionExecutable wants.
1495         
1496         This also has the effect of simplifying the implementation of block scoping. Prior to this
1497         change, block scoping would have needed to have some story for the function reentry watchpoint on
1498         any nested symbol table. That's totally weird to think about; it's not really a function reentry
1499         but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
1500         will "just work": if we prove that we know the constant value of the scope then the machinery
1501         kicks in, otherwise it doesn't.
1502         
1503         This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
1504
1505         * CMakeLists.txt:
1506         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1507         * JavaScriptCore.xcodeproj/project.pbxproj:
1508         * bytecode/BytecodeList.json:
1509         * bytecode/BytecodeUseDef.h:
1510         (JSC::computeUsesForBytecodeOffset):
1511         (JSC::computeDefsForBytecodeOffset):
1512         * bytecode/CodeBlock.cpp:
1513         (JSC::CodeBlock::dumpBytecode):
1514         (JSC::CodeBlock::CodeBlock):
1515         (JSC::CodeBlock::finalizeUnconditionally):
1516         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1517         * bytecode/CodeBlock.h:
1518         (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
1519         * bytecode/CodeOrigin.cpp:
1520         (JSC::InlineCallFrame::calleeConstant):
1521         (JSC::InlineCallFrame::visitAggregate):
1522         * bytecode/CodeOrigin.h:
1523         (JSC::InlineCallFrame::calleeConstant): Deleted.
1524         (JSC::InlineCallFrame::visitAggregate): Deleted.
1525         * bytecode/Instruction.h:
1526         * bytecode/VariableWatchpointSet.cpp: Removed.
1527         * bytecode/VariableWatchpointSet.h: Removed.
1528         * bytecode/VariableWatchpointSetInlines.h: Removed.
1529         * bytecode/VariableWriteFireDetail.cpp: Added.
1530         (JSC::VariableWriteFireDetail::dump):
1531         (JSC::VariableWriteFireDetail::touch):
1532         * bytecode/VariableWriteFireDetail.h: Added.
1533         (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
1534         * bytecode/Watchpoint.h:
1535         (JSC::WatchpointSet::stateOnJSThread):
1536         (JSC::WatchpointSet::startWatching):
1537         (JSC::WatchpointSet::fireAll):
1538         (JSC::WatchpointSet::touch):
1539         (JSC::WatchpointSet::invalidate):
1540         (JSC::InlineWatchpointSet::stateOnJSThread):
1541         (JSC::InlineWatchpointSet::state):
1542         (JSC::InlineWatchpointSet::hasBeenInvalidated):
1543         (JSC::InlineWatchpointSet::invalidate):
1544         (JSC::InlineWatchpointSet::touch):
1545         * bytecompiler/BytecodeGenerator.cpp:
1546         (JSC::BytecodeGenerator::BytecodeGenerator):
1547         * dfg/DFGAbstractInterpreterInlines.h:
1548         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1549         * dfg/DFGByteCodeParser.cpp:
1550         (JSC::DFG::ByteCodeParser::get):
1551         (JSC::DFG::ByteCodeParser::parseBlock):
1552         (JSC::DFG::ByteCodeParser::getScope): Deleted.
1553         * dfg/DFGCapabilities.cpp:
1554         (JSC::DFG::capabilityLevel):
1555         * dfg/DFGClobberize.h:
1556         (JSC::DFG::clobberize):
1557         * dfg/DFGDesiredWatchpoints.cpp:
1558         (JSC::DFG::InferredValueAdaptor::add):
1559         (JSC::DFG::DesiredWatchpoints::addLazily):
1560         (JSC::DFG::DesiredWatchpoints::reallyAdd):
1561         (JSC::DFG::DesiredWatchpoints::areStillValid):
1562         * dfg/DFGDesiredWatchpoints.h:
1563         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
1564         (JSC::DFG::DesiredWatchpoints::isWatched):
1565         * dfg/DFGGraph.cpp:
1566         (JSC::DFG::Graph::dump):
1567         (JSC::DFG::Graph::tryGetConstantClosureVar):
1568         * dfg/DFGNode.h:
1569         (JSC::DFG::Node::hasWatchpointSet):
1570         (JSC::DFG::Node::watchpointSet):
1571         (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
1572         (JSC::DFG::Node::variableWatchpointSet): Deleted.
1573         * dfg/DFGOperations.cpp:
1574         * dfg/DFGOperations.h:
1575         * dfg/DFGSpeculativeJIT.cpp:
1576         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1577         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1578         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
1579         * dfg/DFGSpeculativeJIT.h:
1580         (JSC::DFG::SpeculativeJIT::callOperation):
1581         * dfg/DFGSpeculativeJIT32_64.cpp:
1582         (JSC::DFG::SpeculativeJIT::compile):
1583         * dfg/DFGSpeculativeJIT64.cpp:
1584         (JSC::DFG::SpeculativeJIT::compile):
1585         * dfg/DFGVarargsForwardingPhase.cpp:
1586         * ftl/FTLIntrinsicRepository.h:
1587         * ftl/FTLLowerDFGToLLVM.cpp:
1588         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
1589         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1590         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
1591         * interpreter/Interpreter.cpp:
1592         (JSC::StackFrame::friendlySourceURL):
1593         (JSC::StackFrame::friendlyFunctionName):
1594         * interpreter/Interpreter.h:
1595         (JSC::StackFrame::friendlySourceURL): Deleted.
1596         (JSC::StackFrame::friendlyFunctionName): Deleted.
1597         * jit/JIT.cpp:
1598         (JSC::JIT::emitNotifyWrite):
1599         (JSC::JIT::privateCompileMainPass):
1600         * jit/JIT.h:
1601         * jit/JITOpcodes.cpp:
1602         (JSC::JIT::emit_op_touch_entry): Deleted.
1603         * jit/JITOperations.cpp:
1604         * jit/JITOperations.h:
1605         * jit/JITPropertyAccess.cpp:
1606         (JSC::JIT::emitPutGlobalVar):
1607         (JSC::JIT::emitPutClosureVar):
1608         (JSC::JIT::emitNotifyWrite): Deleted.
1609         * jit/JITPropertyAccess32_64.cpp:
1610         (JSC::JIT::emitPutGlobalVar):
1611         (JSC::JIT::emitPutClosureVar):
1612         (JSC::JIT::emitNotifyWrite): Deleted.
1613         * llint/LLIntSlowPaths.cpp:
1614         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1615         * llint/LowLevelInterpreter.asm:
1616         * llint/LowLevelInterpreter32_64.asm:
1617         * llint/LowLevelInterpreter64.asm:
1618         * runtime/CommonSlowPaths.cpp:
1619         (JSC::SLOW_PATH_DECL): Deleted.
1620         * runtime/CommonSlowPaths.h:
1621         * runtime/Executable.cpp:
1622         (JSC::FunctionExecutable::finishCreation):
1623         (JSC::FunctionExecutable::visitChildren):
1624         * runtime/Executable.h:
1625         (JSC::FunctionExecutable::singletonFunction):
1626         * runtime/InferredValue.cpp: Added.
1627         (JSC::InferredValue::create):
1628         (JSC::InferredValue::destroy):
1629         (JSC::InferredValue::createStructure):
1630         (JSC::InferredValue::visitChildren):
1631         (JSC::InferredValue::InferredValue):
1632         (JSC::InferredValue::~InferredValue):
1633         (JSC::InferredValue::notifyWriteSlow):
1634         (JSC::InferredValue::ValueCleanup::ValueCleanup):
1635         (JSC::InferredValue::ValueCleanup::~ValueCleanup):
1636         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
1637         * runtime/InferredValue.h: Added.
1638         (JSC::InferredValue::inferredValue):
1639         (JSC::InferredValue::state):
1640         (JSC::InferredValue::isStillValid):
1641         (JSC::InferredValue::hasBeenInvalidated):
1642         (JSC::InferredValue::add):
1643         (JSC::InferredValue::notifyWrite):
1644         (JSC::InferredValue::invalidate):
1645         * runtime/JSEnvironmentRecord.cpp:
1646         (JSC::JSEnvironmentRecord::visitChildren):
1647         * runtime/JSEnvironmentRecord.h:
1648         (JSC::JSEnvironmentRecord::isValid):
1649         (JSC::JSEnvironmentRecord::finishCreation):
1650         * runtime/JSFunction.cpp:
1651         (JSC::JSFunction::create):
1652         * runtime/JSFunction.h:
1653         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1654         (JSC::JSFunction::createImpl):
1655         (JSC::JSFunction::create): Deleted.
1656         * runtime/JSGlobalObject.cpp:
1657         (JSC::JSGlobalObject::addGlobalVar):
1658         (JSC::JSGlobalObject::addFunction):
1659         * runtime/JSGlobalObject.h:
1660         * runtime/JSLexicalEnvironment.cpp:
1661         (JSC::JSLexicalEnvironment::symbolTablePut):
1662         * runtime/JSScope.h:
1663         (JSC::ResolveOp::ResolveOp):
1664         * runtime/JSSegmentedVariableObject.h:
1665         (JSC::JSSegmentedVariableObject::finishCreation):
1666         * runtime/JSSymbolTableObject.h:
1667         (JSC::JSSymbolTableObject::JSSymbolTableObject):
1668         (JSC::JSSymbolTableObject::setSymbolTable):
1669         (JSC::symbolTablePut):
1670         (JSC::symbolTablePutWithAttributes):
1671         * runtime/PutPropertySlot.h:
1672         * runtime/SymbolTable.cpp:
1673         (JSC::SymbolTableEntry::prepareToWatch):
1674         (JSC::SymbolTable::SymbolTable):
1675         (JSC::SymbolTable::finishCreation):
1676         (JSC::SymbolTable::visitChildren):
1677         (JSC::SymbolTableEntry::inferredValue): Deleted.
1678         (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
1679         (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
1680         (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
1681         (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
1682         * runtime/SymbolTable.h:
1683         (JSC::SymbolTableEntry::disableWatching):
1684         (JSC::SymbolTableEntry::watchpointSet):
1685         (JSC::SymbolTable::singletonScope):
1686         (JSC::SymbolTableEntry::notifyWrite): Deleted.
1687         * runtime/TypeProfiler.cpp:
1688         * runtime/VM.cpp:
1689         (JSC::VM::VM):
1690         * runtime/VM.h:
1691         * tests/stress/infer-uninitialized-closure-var.js: Added.
1692         (foo.f):
1693         (foo):
1694         * tests/stress/singleton-scope-then-overwrite.js: Added.
1695         (foo.f):
1696         (foo):
1697         * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
1698         (foo):
1699         * tests/stress/singleton-scope-then-realloc.js: Added.
1700         (foo):
1701
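The singleton-function inference described in the entry above, as an added illustration rather than JavaScriptCore code: a small JavaScript model of an InferredValue (the three states, the notifyWrite transitions and the watchpoint callbacks are assumptions modelled on the description, not a copy of the C++), a FunctionExecutable that reports each closure allocation to it, and a pretend compiler (compileWithSingletonCallee, my own name) that folds the callee to a constant only while the inference holds and is told to discard its code when a second closure is allocated.

```javascript
// Added example (not JavaScriptCore code): a model of the InferredValue
// idea from the "JSC should detect singleton functions" entry. State names
// and transition rules are assumptions based on the ChangeLog text.

class InferredValue {
  constructor() {
    this.state = 'clear';      // 'clear' -> 'watched' -> 'invalidated'
    this.value = undefined;    // the single value observed so far, if any
    this.watchers = new Set(); // callbacks run when the inference fails
  }

  // Called on every write to the guarded slot (here: every time a
  // function object is allocated for an executable).
  notifyWrite(value) {
    if (this.state === 'clear') {
      this.state = 'watched';
      this.value = value;
      return;
    }
    if (this.state === 'watched' && this.value === value) {
      return; // the same value again: the inference still holds
    }
    this.invalidate();
  }

  invalidate() {
    if (this.state === 'invalidated') return;
    this.state = 'invalidated';
    this.value = undefined;
    for (const watcher of this.watchers) watcher();
    this.watchers.clear();
  }

  isStillValid() { return this.state !== 'invalidated'; }

  // The constant an optimizing compiler may fold, or undefined when the
  // value is not (yet) known to be unique.
  inferredValue() { return this.state === 'watched' ? this.value : undefined; }

  add(watcher) { this.watchers.add(watcher); }
}

// The shared code of one function literal, plus the closures made from it.
class FunctionExecutable {
  constructor(name) {
    this.name = name;
    this.singletonFunction = new InferredValue();
  }
  allocateFunction(scope) {
    const fn = { executable: this, scope };
    this.singletonFunction.notifyWrite(fn);
    return fn;
  }
}

// A pretend JIT: folds "GetCallee" to a constant while the singleton
// inference holds, and registers a watchpoint that marks the code stale.
function compileWithSingletonCallee(executable) {
  const inferred = executable.singletonFunction.inferredValue();
  if (inferred === undefined) return { folded: false, valid: true };
  const code = { folded: true, callee: inferred, valid: true };
  executable.singletonFunction.add(() => { code.valid = false; });
  return code;
}

function singletonDemo() {
  const exec = new FunctionExecutable('f');
  const first = exec.allocateFunction({ id: 1 });
  const code = compileWithSingletonCallee(exec);
  const foldedToFirst = code.folded && code.callee === first && code.valid;

  // A second allocation for the same executable (the enclosing function
  // ran again) breaks the inference and fires the watchpoint.
  exec.allocateFunction({ id: 2 });
  return {
    foldedToFirst,
    stillValidAfterSecond: exec.singletonFunction.isStillValid(),
    codeValidAfterSecond: code.valid,
    recompiledFolds: compileWithSingletonCallee(exec).folded,
  };
}
```

Writing the same value twice leaves the inference intact; only a second distinct value invalidates it, and once invalidated the set never becomes watched again, which is what makes it safe for compiled code to rely on.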
1702 2015-04-13  Andreas Kling  <akling@apple.com>
1703
1704         Don't segregate heap objects based on Structure immortality.
1705         <https://webkit.org/b/143638>
1706
1707         Reviewed by Darin Adler.
1708
1709         Put all objects that need a destructor call into the same MarkedBlock.
1710         This reduces memory consumption in many situations, while improving locality,
1711         since much more of the MarkedBlock space can be shared.
1712
1713         Instead of branching on the MarkedBlock type, we now check a bit in the
1714         JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
1715         to access the cell's Structure during destruction or not.
1716
1717         Performance benchmarks look mostly neutral. Maybe a small regression on
1718         SunSpider's date objects.
1719
1720         On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
1721         with a bunch of WeakBlocks that were hanging off of them. That's on the higher
1722         end of savings we can get from this, but still a very real improvement.
1723
1724         Most of this patch is removing the "hasImmortalStructure" constant from JSCell
1725         derived classes and passing that responsibility to the StructureIsImmortal flag.
1726         StructureFlags is made public so that it's accessible from non-member functions.
1727         I made sure to declare it everywhere and make classes final to try to make it
1728         explicit what each class is doing to its inherited flags.
1729
1730         * API/JSCallbackConstructor.h:
1731         * API/JSCallbackObject.h:
1732         * bytecode/UnlinkedCodeBlock.h:
1733         * debugger/DebuggerScope.h:
1734         * dfg/DFGSpeculativeJIT.cpp:
1735         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1736         * ftl/FTLLowerDFGToLLVM.cpp:
1737         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1738         * heap/Heap.h:
1739         (JSC::Heap::subspaceForObjectDestructor):
1740         (JSC::Heap::allocatorForObjectWithDestructor):
1741         (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
1742         (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
1743         (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
1744         (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
1745         * heap/HeapInlines.h:
1746         (JSC::Heap::allocateWithDestructor):
1747         (JSC::Heap::allocateObjectOfType):
1748         (JSC::Heap::subspaceForObjectOfType):
1749         (JSC::Heap::allocatorForObjectOfType):
1750         (JSC::Heap::allocateWithNormalDestructor): Deleted.
1751         (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
1752         * heap/MarkedAllocator.cpp:
1753         (JSC::MarkedAllocator::allocateBlock):
1754         * heap/MarkedAllocator.h:
1755         (JSC::MarkedAllocator::needsDestruction):
1756         (JSC::MarkedAllocator::MarkedAllocator):
1757         (JSC::MarkedAllocator::init):
1758         (JSC::MarkedAllocator::destructorType): Deleted.
1759         * heap/MarkedBlock.cpp:
1760         (JSC::MarkedBlock::create):
1761         (JSC::MarkedBlock::MarkedBlock):
1762         (JSC::MarkedBlock::callDestructor):
1763         (JSC::MarkedBlock::specializedSweep):
1764         (JSC::MarkedBlock::sweep):
1765         (JSC::MarkedBlock::sweepHelper):
1766         * heap/MarkedBlock.h:
1767         (JSC::MarkedBlock::needsDestruction):
1768         (JSC::MarkedBlock::destructorType): Deleted.
1769         * heap/MarkedSpace.cpp:
1770         (JSC::MarkedSpace::MarkedSpace):
1771         (JSC::MarkedSpace::resetAllocators):
1772         (JSC::MarkedSpace::forEachAllocator):
1773         (JSC::MarkedSpace::isPagedOut):
1774         (JSC::MarkedSpace::clearNewlyAllocated):
1775         * heap/MarkedSpace.h:
1776         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1777         (JSC::MarkedSpace::destructorAllocatorFor):
1778         (JSC::MarkedSpace::allocateWithDestructor):
1779         (JSC::MarkedSpace::forEachBlock):
1780         (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
1781         (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
1782         (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
1783         (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
1784         (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
1785         (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
1786         * inspector/JSInjectedScriptHost.h:
1787         * inspector/JSInjectedScriptHostPrototype.h:
1788         * inspector/JSJavaScriptCallFrame.h:
1789         * inspector/JSJavaScriptCallFramePrototype.h:
1790         * jsc.cpp:
1791         * runtime/ArrayBufferNeuteringWatchpoint.h:
1792         * runtime/ArrayConstructor.h:
1793         * runtime/ArrayIteratorPrototype.h:
1794         * runtime/BooleanPrototype.h:
1795         * runtime/ClonedArguments.h:
1796         * runtime/CustomGetterSetter.h:
1797         * runtime/DateConstructor.h:
1798         * runtime/DatePrototype.h:
1799         * runtime/ErrorPrototype.h:
1800         * runtime/ExceptionHelpers.h:
1801         * runtime/Executable.h:
1802         * runtime/GenericArguments.h:
1803         * runtime/GetterSetter.h:
1804         * runtime/InternalFunction.h:
1805         * runtime/JSAPIValueWrapper.h:
1806         * runtime/JSArgumentsIterator.h:
1807         * runtime/JSArray.h:
1808         * runtime/JSArrayBuffer.h:
1809         * runtime/JSArrayBufferView.h:
1810         * runtime/JSBoundFunction.h:
1811         * runtime/JSCallee.h:
1812         * runtime/JSCell.h:
1813         * runtime/JSCellInlines.h:
1814         (JSC::JSCell::classInfo):
1815         * runtime/JSDataViewPrototype.h:
1816         * runtime/JSEnvironmentRecord.h:
1817         * runtime/JSFunction.h:
1818         * runtime/JSGenericTypedArrayView.h:
1819         * runtime/JSGlobalObject.h:
1820         * runtime/JSLexicalEnvironment.h:
1821         * runtime/JSNameScope.h:
1822         * runtime/JSNotAnObject.h:
1823         * runtime/JSONObject.h:
1824         * runtime/JSObject.h:
1825         (JSC::JSFinalObject::JSFinalObject):
1826         * runtime/JSPromiseConstructor.h:
1827         * runtime/JSPromiseDeferred.h:
1828         * runtime/JSPromisePrototype.h:
1829         * runtime/JSPromiseReaction.h:
1830         * runtime/JSPropertyNameEnumerator.h:
1831         * runtime/JSProxy.h:
1832         * runtime/JSScope.h:
1833         * runtime/JSString.h:
1834         * runtime/JSSymbolTableObject.h:
1835         * runtime/JSTypeInfo.h:
1836         (JSC::TypeInfo::structureIsImmortal):
1837         * runtime/MathObject.h:
1838         * runtime/NumberConstructor.h:
1839         * runtime/NumberPrototype.h:
1840         * runtime/ObjectConstructor.h:
1841         * runtime/PropertyMapHashTable.h:
1842         * runtime/RegExp.h:
1843         * runtime/RegExpConstructor.h:
1844         * runtime/RegExpObject.h:
1845         * runtime/RegExpPrototype.h:
1846         * runtime/ScopedArgumentsTable.h:
1847         * runtime/SparseArrayValueMap.h:
1848         * runtime/StrictEvalActivation.h:
1849         * runtime/StringConstructor.h:
1850         * runtime/StringIteratorPrototype.h:
1851         * runtime/StringObject.h:
1852         * runtime/StringPrototype.h:
1853         * runtime/Structure.cpp:
1854         (JSC::Structure::Structure):
1855         * runtime/Structure.h:
1856         * runtime/StructureChain.h:
1857         * runtime/StructureRareData.h:
1858         * runtime/Symbol.h:
1859         * runtime/SymbolPrototype.h:
1860         * runtime/SymbolTable.h:
1861         * runtime/WeakMapData.h:
1862
1863 2015-04-13  Mark Lam  <mark.lam@apple.com>
1864
1865         DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
1866         https://bugs.webkit.org/show_bug.cgi?id=143407
1867
1868         Reviewed by Filip Pizlo.
1869
1870         DFG inlining of a varargs call / construct needs to keep the local
1871         containing the callee alive with a Phantom node because the LoadVarargs
1872         node may OSR exit.  After the OSR exit, the baseline JIT executes the
1873         op_call_varargs with that callee in the local.
1874
1875         Previously, because that callee local was not explicitly kept alive,
1876         the op_call_varargs case can OSR exit a DFG function and leave an
1877         undefined value in that local.  As a result, the baseline observes the
1878         side effect of an op_call_varargs on an undefined value instead of the
1879         function it expected.
1880
1881         Note: this issue does not manifest with op_construct_varargs because
1882         the inlined constructor will have an op_create_this which operates on
1883         the incoming callee value, thereby keeping it alive.
1884
1885         * dfg/DFGByteCodeParser.cpp:
1886         (JSC::DFG::ByteCodeParser::handleInlining):
1887         * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
1888         (foo):
1889         (Foo):
1890         (doTest):
1891
1892 2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1893
1894         [ES6] Implement Array.prototype.values
1895         https://bugs.webkit.org/show_bug.cgi?id=143633
1896
1897         Reviewed by Darin Adler.
1898
1899         Symbol.unscopables is implemented, so we can implement Array.prototype.values
1900         without largely breaking the web. The following script passes.
1901
1902         var array = [];
1903         var values = 42;
1904         with (array) {
1905             assert(values, 42);
1906         }
1907
1908         * runtime/ArrayPrototype.cpp:
1909         * tests/stress/array-iterators-next.js:
1910         * tests/stress/map-iterators-next.js:
1911         * tests/stress/set-iterators-next.js:
1912         * tests/stress/values-unscopables.js: Added.
1913         (test):
1914
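What Symbol.unscopables buys in the entry above, as an added example that is not part of the original ChangeLog entry: the `with` lookup is performed inside a function built with the Function constructor (always sloppy mode, so the snippet also runs from strict code), and the helper names resolveInsideWith, arrayUnscopables and unscopablesDemo are my own.

```javascript
// Added example (not WebKit code): Symbol.unscopables keeps
// Array.prototype.values from shadowing an outer `values` binding inside
// `with (array)`, which is what makes shipping the method web-compatible.

// `with` is a syntax error in strict mode, so the probe function is built
// with the Function constructor, which is sloppy mode regardless of caller.
function resolveInsideWith(scopeObject, name, outerValue) {
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) {
    throw new TypeError(`not an identifier: ${name}`);
  }
  const probe = new Function(
    'scopeObject', 'outerValue',
    `var ${name} = outerValue; with (scopeObject) { return ${name}; }`
  );
  return probe(scopeObject, outerValue);
}

// Which Array.prototype methods are hidden from `with` scoping?
function arrayUnscopables() {
  const table = Array.prototype[Symbol.unscopables];
  return Object.keys(table).filter((key) => table[key] === true).sort();
}

function unscopablesDemo() {
  const array = [1, 2, 3];
  const OUTER = 42;
  return {
    // `values` is listed in @@unscopables, so the outer binding wins...
    values: resolveInsideWith(array, 'values', OUTER),
    // ...while `length` is not, so the array's own property wins.
    length: resolveInsideWith(array, 'length', OUTER),
    // A plain object can opt its own properties out the same way.
    custom: resolveInsideWith(
      { secret: 'leaked', [Symbol.unscopables]: { secret: true } },
      'secret', OUTER),
    // Without the opt-out the object property shadows the outer binding.
    customShadowed: resolveInsideWith({ secret: 'shadows' }, 'secret', OUTER),
    valuesIsUnscopable: arrayUnscopables().includes('values'),
  };
}
```

The identifier check on `name` matters because the probe is assembled from a string; without it the helper would be an eval sink for whatever the caller passes.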
1915 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1916
1917         Run flaky conservative GC related test first before polluting stack and registers
1918         https://bugs.webkit.org/show_bug.cgi?id=143634
1919
1920         Reviewed by Ryosuke Niwa.
1921
1922         After r182653, JSC API tests fail. However, it's not related to the change.
1923         After investigating the cause of this failure, I've found that the failed test is flaky
1924         because JSC's GC is conservative. If a previously allocated JSGlobalObject is accidentally kept alive
1925         by conservative roots in the C stack and registers, this test fails.
1926
1927         Since the GC conservatively marks the C stack and registers as roots,
1928         objects that are no longer logically referenced can be accidentally marked and kept alive.
1929         To avoid this situation as much as we can,
1930         1. run this test first, before the stack is polluted,
1931         2. extract this test into a function to limit the stack height.
1932
1933         * API/tests/testapi.mm:
1934         (testWeakValue):
1935         (testObjectiveCAPIMain):
1936         (testObjectiveCAPI):
1937
1938 2015-04-11  Matt Baker  <mattbaker@apple.com>
1939
1940         Web Inspector: create content view and details sidebar for Frames timeline
1941         https://bugs.webkit.org/show_bug.cgi?id=143533
1942
1943         Reviewed by Timothy Hatcher.
1944
1945         Refactoring: RunLoop prefix changed to RenderingFrame.
1946
1947         * inspector/protocol/Timeline.json:
1948
1949 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1950
1951         [ES6] Enable Symbol in web pages
1952         https://bugs.webkit.org/show_bug.cgi?id=143375
1953
1954         Reviewed by Ryosuke Niwa.
1955
1956         Expose Symbol to web pages.
1957         Symbol was exposed, but it was hidden since it broke Facebook comments.
1958         This is because at that time Symbol was implemented,
1959         but the methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
1960         which broke React.js and immutable.js.
1961
1962         Now the methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
1963         and we have made sure that Facebook comment input functionality is not broken with Symbol exposed.
1964
1965         So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
1966         and enables symbols by default.
1967
1968         * runtime/ArrayPrototype.cpp:
1969         (JSC::ArrayPrototype::finishCreation):
1970         * runtime/CommonIdentifiers.h:
1971         * runtime/JSGlobalObject.cpp:
1972         (JSC::JSGlobalObject::init):
1973         * runtime/ObjectConstructor.cpp:
1974         (JSC::ObjectConstructor::finishCreation):
1975         * runtime/RuntimeFlags.h:
1976
1977 2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1978
1979         ES6: Iterator toString names should be consistent
1980         https://bugs.webkit.org/show_bug.cgi?id=142424
1981
1982         Reviewed by Geoffrey Garen.
1983
1984         Iterator Object Names in the spec right now have spaces.
1985         In our implementation some do and some don't.
1986         This patch aligns JSC to the spec.
1987
1988         * runtime/JSArrayIterator.cpp:
1989         * runtime/JSStringIterator.cpp:
1990         * tests/stress/iterator-names.js: Added.
1991         (test):
1992         (iter):
1993         (check):
1994
1995 2015-04-10  Michael Saboff  <msaboff@apple.com>
1996
1997         REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
1998         https://bugs.webkit.org/show_bug.cgi?id=143582
1999
2000         Reviewed by Mark Lam.
2001
2002         For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
2003         fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
2004         For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
2005         The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
2006         if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
2007         we would still OSR exit after the speculation check.
2008
2009         * dfg/DFGFixupPhase.cpp:
2010         (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
2011         * dfg/DFGSpeculativeJIT32_64.cpp:
2012         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2013
2014 2015-04-10  Milan Crha  <mcrha@redhat.com>
2015
2016         Disable Linux-specific code in a Windows build
2017         https://bugs.webkit.org/show_bug.cgi?id=137973
2018
2019         Reviewed by Joseph Pecoraro.
2020
2021         * inspector/JSGlobalObjectInspectorController.cpp:
2022         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2023
2024 2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>
2025
2026         [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
2027         https://bugs.webkit.org/show_bug.cgi?id=143368
2028
2029         Reviewed by Michael Saboff.
2030
2031         * jit/RegisterSet.cpp:
2032         (JSC::RegisterSet::calleeSaveRegisters):
2033
2034 2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>
2035
2036         Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
2037         https://bugs.webkit.org/show_bug.cgi?id=143430
2038
2039         Reviewed by Darin Adler.
2040
2041         * runtime/ExceptionHelpers.cpp:
2042         (JSC::errorDescriptionForValue):
2043         * runtime/NumberPrototype.cpp:
2044         (JSC::numberProtoFuncToExponential):
2045         (JSC::numberProtoFuncToPrecision):
2046         (JSC::numberProtoFuncToString):
2047         * runtime/SymbolPrototype.cpp:
2048         (JSC::symbolProtoFuncToString):
2049
2050 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
2051
2052         JSArray::sortNumeric should handle ArrayWithUndecided
2053         https://bugs.webkit.org/show_bug.cgi?id=143535
2054
2055         Reviewed by Geoffrey Garen.
2056         
2057         ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.
2058
2059         * runtime/JSArray.cpp:
2060         (JSC::JSArray::sortNumeric):
2061         * tests/stress/sort-array-with-undecided.js: Added.
2062
2063 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
2064
2065         DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
2066         https://bugs.webkit.org/show_bug.cgi?id=143532
2067
2068         Reviewed by Gavin Barraclough.
2069         
2070         Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
2071         But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
2072         would think that there never was wrap-around.
2073         
2074         This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.
2075
2076         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2077         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
2078
2079 2015-04-07  Michael Saboff  <msaboff@apple.com>
2080
2081         Lazily initialize LogToSystemConsole flag to reduce memory usage
2082         https://bugs.webkit.org/show_bug.cgi?id=143506
2083
2084         Reviewed by Mark Lam.
2085
2086         Only call into CF preferences code when we need to in order to reduce memory usage.
2087
2088         * inspector/JSGlobalObjectConsoleClient.cpp:
2089         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
2090         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
2091         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
2092         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
2093
2094 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
2095
2096         Get the features.json files ready for open contributions
2097         https://bugs.webkit.org/show_bug.cgi?id=143436
2098
2099         Reviewed by Darin Adler.
2100
2101         * features.json:
2102
2103 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
2104
2105         Constant folding of typed array properties should be handled by AI rather than strength reduction
2106         https://bugs.webkit.org/show_bug.cgi?id=143496
2107
2108         Reviewed by Geoffrey Garen.
2109         
2110         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
2111         phase and whatever other phase did the folding in order to find all constants.
2112         
2113         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
2114         directly.
2115         
2116         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
2117         found because all of the tests for it involved the property getting constant folded. I found that
2118         the codegen was bad because an earlier version of the patch broke that constant folding. This
2119         adds a new test for that node type, which makes constant folding impossible by allocating a new
2120         typed array every time. The lesson here is: if you write a test for something, run the test with
2121         full IR dumps to make sure it's actually testing the thing you want it to test.
2122
2123         * dfg/DFGAbstractInterpreterInlines.h:
2124         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2125         * dfg/DFGClobberize.h:
2126         (JSC::DFG::clobberize):
2127         * dfg/DFGConstantFoldingPhase.cpp:
2128         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2129         * dfg/DFGDoesGC.cpp:
2130         (JSC::DFG::doesGC):
2131         * dfg/DFGFixupPhase.cpp:
2132         (JSC::DFG::FixupPhase::fixupNode):
2133         * dfg/DFGGraph.cpp:
2134         (JSC::DFG::Graph::dump):
2135         (JSC::DFG::Graph::tryGetFoldableView):
2136         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
2137         * dfg/DFGGraph.h:
2138         * dfg/DFGNode.h:
2139         (JSC::DFG::Node::hasTypedArray): Deleted.
2140         (JSC::DFG::Node::typedArray): Deleted.
2141         * dfg/DFGNodeType.h:
2142         * dfg/DFGPredictionPropagationPhase.cpp:
2143         (JSC::DFG::PredictionPropagationPhase::propagate):
2144         * dfg/DFGSafeToExecute.h:
2145         (JSC::DFG::safeToExecute):
2146         * dfg/DFGSpeculativeJIT.cpp:
2147         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2148         * dfg/DFGSpeculativeJIT32_64.cpp:
2149         (JSC::DFG::SpeculativeJIT::compile):
2150         * dfg/DFGSpeculativeJIT64.cpp:
2151         (JSC::DFG::SpeculativeJIT::compile):
2152         * dfg/DFGStrengthReductionPhase.cpp:
2153         (JSC::DFG::StrengthReductionPhase::handleNode):
2154         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
2155         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
2156         * dfg/DFGWatchpointCollectionPhase.cpp:
2157         (JSC::DFG::WatchpointCollectionPhase::handle):
2158         (JSC::DFG::WatchpointCollectionPhase::addLazily):
2159         * ftl/FTLCapabilities.cpp:
2160         (JSC::FTL::canCompile):
2161         * ftl/FTLLowerDFGToLLVM.cpp:
2162         (JSC::FTL::LowerDFGToLLVM::compileNode):
2163         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
2164         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2165         * tests/stress/fold-typed-array-properties.js:
2166         (foo):
2167         * tests/stress/typed-array-byte-offset.js: Added.
2168         (foo):
2169
2170 2015-04-07  Matthew Mirman  <mmirman@apple.com>
2171
2172         Source and stack information should get appended only to native errors
2173         and should be added directly after construction rather than when thrown.
2174         This fixes frozen objects being unfrozen when thrown while conforming to
2175         the ECMAScript standard and other browser behavior.
2176         rdar://problem/19927293
2177         https://bugs.webkit.org/show_bug.cgi?id=141871
2178         
2179         Reviewed by Geoffrey Garen.
2180
2181         Appending stack, source, line, and column information to an object whenever that object is thrown
2182         is incorrect because it violates the ECMAScript standard for the behavior of throw.  Suppose for example
2183         that the object being thrown already has one of these properties or is frozen.  Adding the properties
2184         would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
2185         and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
2186         a control flow construct rather than just an error reporting mechanism.
2187         
2188         Because WebCore adds "native" errors which do not inherit from any JSC native error,
2189         appending the error properties as a separate call after construction of the error is required
2190         to avoid having to manually truncate the stack and gather local source information due to
2191         the stack being extended by a nested call to construct one of the native JSC errors.
2192         
2193         * interpreter/Interpreter.cpp:
2194         (JSC::Interpreter::execute):
2195         * interpreter/Interpreter.h:
2196         * parser/ParserError.h:
2197         (JSC::ParserError::toErrorObject):
2198         * runtime/CommonIdentifiers.h:
2199         * runtime/Error.cpp:
2200         (JSC::createError):
2201         (JSC::createEvalError):
2202         (JSC::createRangeError):
2203         (JSC::createReferenceError):
2204         (JSC::createSyntaxError):
2205         (JSC::createTypeError):
2206         (JSC::createNotEnoughArgumentsError):
2207         (JSC::createURIError):
2208         (JSC::createOutOfMemoryError):
2209         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
2210         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
2211         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
2212         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
2213         (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
2214         (JSC::addErrorInfo): Added special case for appending complete error info 
2215         to a newly constructed error object.
2216         * runtime/Error.h:
2217         * runtime/ErrorConstructor.cpp:
2218         (JSC::Interpreter::constructWithErrorConstructor):
2219         (JSC::Interpreter::callErrorConstructor):
2220         * runtime/ErrorInstance.cpp:
2221         (JSC::appendSourceToError): Moved from VM.cpp
2222         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
2223         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
2224         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
2225         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
2226         (JSC::addErrorInfoAndGetBytecodeOffset):
2227         (JSC::ErrorInstance::finishCreation):
2228         * runtime/ErrorInstance.h:
2229         (JSC::ErrorInstance::create):
2230         * runtime/ErrorPrototype.cpp:
2231         (JSC::ErrorPrototype::finishCreation):
2232         * runtime/ExceptionFuzz.cpp:
2233         (JSC::doExceptionFuzzing):
2234         * runtime/ExceptionHelpers.cpp:
2235         (JSC::createError):
2236         (JSC::createInvalidFunctionApplyParameterError):
2237         (JSC::createInvalidInParameterError):
2238         (JSC::createInvalidInstanceofParameterError):
2239         (JSC::createNotAConstructorError):
2240         (JSC::createNotAFunctionError):
2241         (JSC::createNotAnObjectError):
2242         (JSC::throwOutOfMemoryError):
2243         (JSC::createStackOverflowError): Deleted.
2244         (JSC::createOutOfMemoryError): Deleted.
2245         * runtime/ExceptionHelpers.h:
2246         * runtime/JSArrayBufferConstructor.cpp:
2247         (JSC::constructArrayBuffer):
2248         * runtime/JSArrayBufferPrototype.cpp:
2249         (JSC::arrayBufferProtoFuncSlice):
2250         * runtime/JSGenericTypedArrayViewInlines.h:
2251         (JSC::JSGenericTypedArrayView<Adaptor>::create):
2252         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
2253         * runtime/NativeErrorConstructor.cpp:
2254         (JSC::Interpreter::constructWithNativeErrorConstructor):
2255         (JSC::Interpreter::callNativeErrorConstructor):
2256         * runtime/VM.cpp:
2257         (JSC::VM::throwException):
2258         (JSC::appendSourceToError): Moved to Error.cpp
2259         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
2260         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
2261         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
2262         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
2263         * tests/stress/freeze_leek.js: Added.
2264
2265 2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>
2266
2267         Web Inspector: ES6: Show Symbol properties on Objects
2268         https://bugs.webkit.org/show_bug.cgi?id=141279
2269
2270         Reviewed by Timothy Hatcher.
2271
2272         * inspector/protocol/Runtime.json:
2273         Give PropertyDescriptor a reference to the Symbol RemoteObject
2274         if the property is a symbol property.
2275
2276         * inspector/InjectedScriptSource.js:
2277         Enumerate symbol properties on objects.
2278
2279 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
2280
2281         Make it possible to enable LLVM FastISel
2282         https://bugs.webkit.org/show_bug.cgi?id=143489
2283
2284         Reviewed by Michael Saboff.
2285
2286         The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
2287         against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
2288         if we should enable it.
2289
2290         * ftl/FTLCompile.cpp:
2291         (JSC::FTL::mmAllocateDataSection):
2292         * llvm/InitializeLLVM.cpp:
2293         (JSC::initializeLLVMImpl):
2294         * llvm/InitializeLLVM.h:
2295         * llvm/InitializeLLVMLinux.cpp:
2296         (JSC::getLLVMInitializerFunction):
2297         (JSC::initializeLLVMImpl): Deleted.
2298         * llvm/InitializeLLVMMac.cpp:
2299         (JSC::getLLVMInitializerFunction):
2300         (JSC::initializeLLVMImpl): Deleted.
2301         * llvm/InitializeLLVMPOSIX.cpp:
2302         (JSC::getLLVMInitializerFunctionPOSIX):
2303         (JSC::initializeLLVMPOSIX): Deleted.
2304         * llvm/InitializeLLVMPOSIX.h:
2305         * llvm/InitializeLLVMWin.cpp:
2306         (JSC::getLLVMInitializerFunction):
2307         (JSC::initializeLLVMImpl): Deleted.
2308         * llvm/LLVMAPI.cpp:
2309         * llvm/LLVMAPI.h:
2310         * llvm/library/LLVMExports.cpp:
2311         (initCommandLine):
2312         (initializeAndGetJSCLLVMAPI):
2313         * runtime/Options.cpp:
2314         (JSC::Options::initialize):
2315
2316 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2317
2318         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
2319         https://bugs.webkit.org/show_bug.cgi?id=140426
2320
2321         Reviewed by Darin Adler.
2322
2323         In the put_by_val_direct operation, we use JSObject::putDirect.
2324         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
2325         This patch checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
2326
2327         * dfg/DFGOperations.cpp:
2328         (JSC::DFG::putByVal):
2329         (JSC::DFG::operationPutByValInternal):
2330         * jit/JITOperations.cpp:
2331         * llint/LLIntSlowPaths.cpp:
2332         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2333         * runtime/Identifier.h:
2334         (JSC::isIndex):
2335         (JSC::parseIndex):
2336         * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
2337         (lookupWithKey):
2338         (toStringThrowsError.toString):
2339
2340 2015-04-06  Alberto Garcia  <berto@igalia.com>
2341
2342         [GTK] Fix HPPA build
2343         https://bugs.webkit.org/show_bug.cgi?id=143453
2344
2345         Reviewed by Darin Adler.
2346
2347         Add HPPA to the list of supported CPUs.
2348
2349         * CMakeLists.txt:
2350
2351 2015-04-06  Mark Lam  <mark.lam@apple.com>
2352
2353         In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
2354         <https://webkit.org/b/143396>
2355
2356         Reviewed by Filip Pizlo.
2357
2358         The DFG was neglecting to set the result boolean.  The FTL was setting it with
2359         an inverted value.  Both of these are now resolved.
2360
2361         * dfg/DFGSpeculativeJIT64.cpp:
2362         (JSC::DFG::SpeculativeJIT::compile):
2363         * ftl/FTLLowerDFGToLLVM.cpp:
2364         (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
2365         * tests/stress/for-in-array-mode.js: Added.
2366         (.):
2367         (test):
2368
2369 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2370
2371         [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
2372         https://bugs.webkit.org/show_bug.cgi?id=143424
2373
2374         Reviewed by Geoffrey Garen.
2375
2376         In ES6, StringConstructor behavior becomes different from ToString abstract operations in the spec. (and JSValue::toString).
2377
2378         ToString(symbol) throws a type error.
2379         However, String(symbol) produces SymbolDescriptiveString(symbol).
2380
2381         So, in DFG and FTL phase, they should not inline StringConstructor to ToString.
2382
2383         Now, in the template literals patch, the ToString DFG operation is planned to be used.
2384         And the current ToString behavior is aligned to the spec (and JSValue::toString), which is better.
2385         So instead of changing ToString behavior, this patch adds a CallStringConstructor operation into DFG and FTL.
2386         In CallStringConstructor, all behavior in DFG analysis is the same.
2387         Only the difference from ToString is, when calling DFG operation functions, it calls
2388         operationCallStringConstructorOnCell and operationCallStringConstructor instead of
2389         operationToStringOnCell and operationToString.
2390
2391         * dfg/DFGAbstractInterpreterInlines.h:
2392         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2393         * dfg/DFGBackwardsPropagationPhase.cpp:
2394         (JSC::DFG::BackwardsPropagationPhase::propagate):
2395         * dfg/DFGByteCodeParser.cpp:
2396         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2397         * dfg/DFGClobberize.h:
2398         (JSC::DFG::clobberize):
2399         * dfg/DFGDoesGC.cpp:
2400         (JSC::DFG::doesGC):
2401         * dfg/DFGFixupPhase.cpp:
2402         (JSC::DFG::FixupPhase::fixupNode):
2403         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
2404         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
2405         (JSC::DFG::FixupPhase::fixupToString): Deleted.
2406         * dfg/DFGNodeType.h:
2407         * dfg/DFGOperations.cpp:
2408         * dfg/DFGOperations.h:
2409         * dfg/DFGPredictionPropagationPhase.cpp:
2410         (JSC::DFG::PredictionPropagationPhase::propagate):
2411         * dfg/DFGSafeToExecute.h:
2412         (JSC::DFG::safeToExecute):
2413         * dfg/DFGSpeculativeJIT.cpp:
2414         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
2415         (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
2416         * dfg/DFGSpeculativeJIT.h:
2417         * dfg/DFGSpeculativeJIT32_64.cpp:
2418         (JSC::DFG::SpeculativeJIT::compile):
2419         * dfg/DFGSpeculativeJIT64.cpp:
2420         (JSC::DFG::SpeculativeJIT::compile):
2421         * dfg/DFGStructureRegistrationPhase.cpp:
2422         (JSC::DFG::StructureRegistrationPhase::run):
2423         * ftl/FTLCapabilities.cpp:
2424         (JSC::FTL::canCompile):
2425         * ftl/FTLLowerDFGToLLVM.cpp:
2426         (JSC::FTL::LowerDFGToLLVM::compileNode):
2427         (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
2428         (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
2429         * runtime/StringConstructor.cpp:
2430         (JSC::stringConstructor):
2431         (JSC::callStringConstructor):
2432         * runtime/StringConstructor.h:
2433         * tests/stress/symbol-and-string-constructor.js: Added.
2434         (performString):
2435
2436 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2437
2438         Return Optional<uint32_t> from PropertyName::asIndex
2439         https://bugs.webkit.org/show_bug.cgi?id=143422
2440
2441         Reviewed by Darin Adler.
2442
2443         PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
2444         But it's not obvious to callers.
2445
2446         This patch changes
2447         1. PropertyName::asIndex() to return Optional<uint32_t> and
2448         2. function name `asIndex()` to `parseIndex()`.
2449         It forces callers to check explicitly whether the value is an index or not.
2450
2451         * bytecode/GetByIdStatus.cpp:
2452         (JSC::GetByIdStatus::computeFor):
2453         * bytecode/PutByIdStatus.cpp:
2454         (JSC::PutByIdStatus::computeFor):
2455         * bytecompiler/BytecodeGenerator.cpp:
2456         (JSC::BytecodeGenerator::emitDirectPutById):
2457         * jit/Repatch.cpp:
2458         (JSC::emitPutTransitionStubAndGetOldStructure):
2459         * jsc.cpp:
2460         * runtime/ArrayPrototype.cpp:
2461         (JSC::arrayProtoFuncSort):
2462         * runtime/GenericArgumentsInlines.h:
2463         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2464         (JSC::GenericArguments<Type>::put):
2465         (JSC::GenericArguments<Type>::deleteProperty):
2466         (JSC::GenericArguments<Type>::defineOwnProperty):
2467         * runtime/Identifier.h:
2468         (JSC::parseIndex):
2469         (JSC::Identifier::isSymbol):
2470         * runtime/JSArray.cpp:
2471         (JSC::JSArray::defineOwnProperty):
2472         * runtime/JSCJSValue.cpp:
2473         (JSC::JSValue::putToPrimitive):
2474         * runtime/JSGenericTypedArrayViewInlines.h:
2475         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2476         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2477         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2478         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2479         * runtime/JSObject.cpp:
2480         (JSC::JSObject::put):
2481         (JSC::JSObject::putDirectAccessor):
2482         (JSC::JSObject::putDirectCustomAccessor):
2483         (JSC::JSObject::deleteProperty):
2484         (JSC::JSObject::putDirectMayBeIndex):
2485         (JSC::JSObject::defineOwnProperty):
2486         * runtime/JSObject.h:
2487         (JSC::JSObject::getOwnPropertySlot):
2488         (JSC::JSObject::getPropertySlot):
2489         (JSC::JSObject::putDirectInternal):
2490         * runtime/JSString.cpp:
2491         (JSC::JSString::getStringPropertyDescriptor):
2492         * runtime/JSString.h:
2493         (JSC::JSString::getStringPropertySlot):
2494         * runtime/LiteralParser.cpp:
2495         (JSC::LiteralParser<CharType>::parse):
2496         * runtime/PropertyName.h:
2497         (JSC::parseIndex):
2498         (JSC::toUInt32FromCharacters): Deleted.
2499         (JSC::toUInt32FromStringImpl): Deleted.
2500         (JSC::PropertyName::asIndex): Deleted.
2501         * runtime/PropertyNameArray.cpp:
2502         (JSC::PropertyNameArray::add):
2503         * runtime/StringObject.cpp:
2504         (JSC::StringObject::deleteProperty):
2505         * runtime/Structure.cpp:
2506         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2507
2508 2015-04-05  Andreas Kling  <akling@apple.com>
2509
2510         URI encoding/escaping should use efficient string building instead of calling snprintf().
2511         <https://webkit.org/b/143426>
2512
2513         Reviewed by Gavin Barraclough.
2514
2515         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
2516         which seemed pretty silly. This change gets that down to nothing in favor of using our
2517         existing JSStringBuilder and HexNumber.h facilities.
2518
2519         These APIs are well-exercised by our existing test suite.
2520
2521         * runtime/JSGlobalObjectFunctions.cpp:
2522         (JSC::encode):
2523         (JSC::globalFuncEscape):
2524
2525 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
2526
2527         documentation for ES Promises points to the wrong one
2528         https://bugs.webkit.org/show_bug.cgi?id=143263
2529
2530         Reviewed by Darin Adler.
2531
2532         * features.json:
2533
2534 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
2535
2536         Remove "go ahead and" from comments
2537         https://bugs.webkit.org/show_bug.cgi?id=143421
2538
2539         Reviewed by Darin Adler, Benjamin Poulain.
2540
2541         Remove the phrase "go ahead and" from comments where it doesn't add
2542         anything (which is almost all of them).
2543
2544         * interpreter/JSStack.cpp:
2545         (JSC::JSStack::growSlowCase):
2546
2547 2015-04-04  Andreas Kling  <akling@apple.com>
2548
2549         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
2550         <https://webkit.org/b/143210>
2551
2552         Reviewed by Geoffrey Garen.
2553
2554         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
2555         we had a little problem where WeakBlocks with only null pointers would still keep their
2556         MarkedBlock alive.
2557
2558         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
2559         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
2560         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
2561         destroying them once they're fully dead.
2562
2563         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
2564         a mysterious issue where doing two full garbage collections back-to-back would free additional
2565         memory in the second collection.
2566
2567         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
2568         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
2569         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
2570
2571         * heap/Heap.h:
2572         * heap/Heap.cpp:
2573         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
2574         owned by Heap, after everything else has been swept.
2575
2576         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
2577         after a full garbage collection ends. Note that we don't do this after Eden collections, since
2578         they are unlikely to cause entire WeakBlocks to go empty.
2579
2580         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
2581         to the Heap when it's detached from a WeakSet.
2582
2583         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
2584         of the logically empty WeakBlocks owned by Heap.
2585
2586         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
2587         and updates the next-logically-empty-weak-block-to-sweep index.
2588
2589         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
2590         won't be another chance after this.
2591
2592         * heap/IncrementalSweeper.h:
2593         (JSC::IncrementalSweeper::hasWork): Deleted.
2594
2595         * heap/IncrementalSweeper.cpp:
2596         (JSC::IncrementalSweeper::fullSweep):
2597         (JSC::IncrementalSweeper::doSweep):
2598         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
2599         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
2600         changed to return a bool (true if there's more work to be done.)
2601
2602         * heap/WeakBlock.cpp:
2603         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
2604         contain any pointers to live objects. The answer is stored in a new SweepResult member.
2605
2606         * heap/WeakBlock.h:
2607         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
2608         if the WeakBlock could be detached from the MarkedBlock.
2609
2610         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
2611         when declaring them.
2612
2613 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2614
2615         Implement ES6 Object.getOwnPropertySymbols
2616         https://bugs.webkit.org/show_bug.cgi?id=141106
2617
2618         Reviewed by Geoffrey Garen.
2619
2620         This patch implements `Object.getOwnPropertySymbols`.
2621         One technical issue is that, since we use private symbols (such as `@Object`) in the
2622         privileged JS code in `builtins/`, they should not be exposed.
2623         To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
2624         before adding it into PropertyNameArray.
2625
2626         To check the target `StringImpl*` is a private name, we leverage privateToPublic map in `BuiltinNames`
2627         since all private symbols are held in this map.
2628
2629         * builtins/BuiltinExecutables.cpp:
2630         (JSC::BuiltinExecutables::createExecutableInternal):
2631         * builtins/BuiltinNames.h:
2632         (JSC::BuiltinNames::isPrivateName):
2633         * runtime/CommonIdentifiers.cpp:
2634         (JSC::CommonIdentifiers::isPrivateName):
2635         * runtime/CommonIdentifiers.h:
2636         * runtime/EnumerationMode.h:
2637         (JSC::EnumerationMode::EnumerationMode):
2638         (JSC::EnumerationMode::includeSymbolProperties):
2639         * runtime/ExceptionHelpers.cpp:
2640         (JSC::createUndefinedVariableError):
2641         * runtime/JSGlobalObject.cpp:
2642         (JSC::JSGlobalObject::init):
2643         * runtime/JSLexicalEnvironment.cpp:
2644         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2645         * runtime/JSSymbolTableObject.cpp:
2646         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2647         * runtime/ObjectConstructor.cpp:
2648         (JSC::ObjectConstructor::finishCreation):
2649         (JSC::objectConstructorGetOwnPropertySymbols):
2650         (JSC::defineProperties):
2651         (JSC::objectConstructorSeal):
2652         (JSC::objectConstructorFreeze):
2653         (JSC::objectConstructorIsSealed):
2654         (JSC::objectConstructorIsFrozen):
2655         * runtime/ObjectConstructor.h:
2656         (JSC::ObjectConstructor::create):
2657         * runtime/Structure.cpp:
2658         (JSC::Structure::getPropertyNamesFromStructure):
2659         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
2660         (compare):
2661         * tests/stress/object-get-own-property-symbols.js: Added.
2662         (forIn):
2663         * tests/stress/symbol-define-property.js: Added.
2664         (testSymbol):
2665         * tests/stress/symbol-seal-and-freeze.js: Added.
2666         * tests/stress/symbol-with-json.js: Added.
2667
2668 2015-04-03  Mark Lam  <mark.lam@apple.com>
2669
2670         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
2671         <https://webkit.org/b/143385>
2672
2673         Reviewed by Geoffrey Garen.
2674
2675         For debugging purposes, sometimes, we want to be able to make compilation happen
2676         sooner to see if we can accelerate the manifestation of certain events / bugs.
2677         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
2678         which make up the compilation policy.  Let's add a single knob that can tune all
2679         the thresholds up / down in one go proportionately so that we can easily tweak
2680         how soon compilation occurs.
2681
2682         * runtime/Options.cpp:
2683         (JSC::scaleJITPolicy):
2684         (JSC::recomputeDependentOptions):
2685         * runtime/Options.h:
2686
2687 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2688
2689         is* API methods should be @properties
2690         https://bugs.webkit.org/show_bug.cgi?id=143388
2691
2692         Reviewed by Mark Lam.
2693
2694         This appears to be the preferred idiom in WebKit, CA, AppKit, and
2695         Foundation.
2696
2697         * API/JSValue.h: Be @properties.
2698
2699         * API/tests/testapi.mm:
2700         (testObjectiveCAPI): Use the @properties.
2701
2702 2015-04-03  Mark Lam  <mark.lam@apple.com>
2703
2704         Some JSC Options refactoring and enhancements.
2705         <https://webkit.org/b/143384>
2706
2707         Rubber stamped by Benjamin Poulain.
2708
2709         Create a better encapsulated Option class to make working with options easier.  This
2710         is a building block towards a JIT policy scaling debugging option I will introduce later.
2711
2712         This work entails:
2713         1. Convert Options::Option into a public class Option (which works closely with Options).
2714         2. Convert Options::EntryType into an enum class Options::Type and make it public.
2715         3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
2716         4. Add misc methods to class Option to make it more usable.
2717
2718         * runtime/Options.cpp:
2719         (JSC::Options::dumpOption):
2720         (JSC::Option::dump):
2721         (JSC::Option::operator==):
2722         (JSC::Options::Option::dump): Deleted.
2723         (JSC::Options::Option::operator==): Deleted.
2724         * runtime/Options.h:
2725         (JSC::Option::Option):
2726         (JSC::Option::operator!=):
2727         (JSC::Option::name):
2728         (JSC::Option::description):
2729         (JSC::Option::type):
2730         (JSC::Option::isOverridden):
2731         (JSC::Option::defaultOption):
2732         (JSC::Option::boolVal):
2733         (JSC::Option::unsignedVal):
2734         (JSC::Option::doubleVal):
2735         (JSC::Option::int32Val):
2736         (JSC::Option::optionRangeVal):
2737         (JSC::Option::optionStringVal):
2738         (JSC::Option::gcLogLevelVal):
2739         (JSC::Options::Option::Option): Deleted.
2740         (JSC::Options::Option::operator!=): Deleted.
2741
2742 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2743
2744         JavaScriptCore API should support type checking for Array and Date
2745         https://bugs.webkit.org/show_bug.cgi?id=143324
2746
2747         Follow-up to address a comment by Dan.
2748
2749         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
2750         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
2751         is equal to 101100.
2752
2753 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2754
2755         JavaScriptCore API should support type checking for Array and Date
2756         https://bugs.webkit.org/show_bug.cgi?id=143324
2757
2758         Follow-up to address a comment by Dan.
2759
2760         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
2761         Added a comment explaining why.
2762
2763 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
2764
2765         FTL JIT tests should fail if LLVM library isn't available
2766         https://bugs.webkit.org/show_bug.cgi?id=143374
2767
2768         Reviewed by Mark Lam.
2769
2770         * dfg/DFGPlan.cpp:
2771         (JSC::DFG::Plan::compileInThreadImpl):
2772         * runtime/Options.h:
2773
2774 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2775
2776         Fix the EFL and GTK build after r182243
2777         https://bugs.webkit.org/show_bug.cgi?id=143361
2778
2779         Reviewed by Csaba Osztrogonác.
2780
2781         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
2782         DerivedSources/JavaScriptCore/inspector/ directory.
2783
2784 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2785
2786         Unreviewed, fixing Clang builds of the GTK port on Linux.
2787
2788         * runtime/Options.cpp:
2789         Include the <math.h> header for isnan().
2790
2791 2015-04-02  Mark Lam  <mark.lam@apple.com>
2792
2793         Enhance ability to dump JSC Options.
2794         <https://webkit.org/b/143357>
2795
2796         Reviewed by Benjamin Poulain.
2797
2798         Some enhancements to how the JSC options work:
2799
2800         1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
2801            2 = All, 3 = Verbose.
2802
2803            The default is 0 (None).  This dumps nothing.
2804            With the Overridden setting, at VM initialization time, we will dump all
2805            option values that have been changed from their default.
2806            With the All setting, at VM initialization time, we will dump all option values.
2807            With the Verbose setting, at VM initialization time, we will dump all option
2808            values along with their descriptions (if available).
2809
2810         2. We now store a copy of the default option values.
2811
2812            We later use this for comparison to tell if an option has been overridden, and
2813            print the default value for reference.  As a result, we no longer need the
2814            didOverride flag since we can compute whether the option is overridden at any time.
2815
2816         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
2817
2818            This will come in handy later when we want to rename some of the options to more sane
2819            names that are easier to remember.  For example, we can change
2820            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
2821            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
2822            of the description, we can afford to use shorter and less descriptive option names,
2823            but they will be easier to remember and use for day to day debugging work.
2824
2825            In this patch, I did not change the names of any of the options yet.  I only added
2826            description strings for options that I know about, and where I think the option name
2827            isn't already descriptive enough.
2828
2829         4. Also deleted some unused code.
2830
2831         * jsc.cpp:
2832         (CommandLine::parseArguments):
2833         * runtime/Options.cpp:
2834         (JSC::Options::initialize):
2835         (JSC::Options::setOption):
2836         (JSC::Options::dumpAllOptions):
2837         (JSC::Options::dumpOption):
2838         (JSC::Options::Option::dump):
2839         (JSC::Options::Option::operator==):
2840         * runtime/Options.h:
2841         (JSC::OptionRange::rangeString):
2842         (JSC::Options::Option::Option):
2843         (JSC::Options::Option::operator!=):
2844
2845 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
2846
2847         JavaScriptCore API should support type checking for Array and Date
2848         https://bugs.webkit.org/show_bug.cgi?id=143324
2849
2850         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
2851
2852         * API/JSValue.h:
2853         * API/JSValue.mm:
2854         (-[JSValue isArray]):
2855         (-[JSValue isDate]): Added an ObjC API.
2856
2857         * API/JSValueRef.cpp:
2858         (JSValueIsArray):
2859         (JSValueIsDate):
2860         * API/JSValueRef.h: Added a C API.
2861
2862         * API/WebKitAvailability.h: Brought our availability macros up to date
2863         and fixed a harmless bug where "10_10" translated to "10.0".
2864
2865         * API/tests/testapi.c:
2866         (main): Added a test and corrected a pre-existing leak.
2867
2868         * API/tests/testapi.mm:
2869         (testObjectiveCAPI): Added a test.
2870
2871 2015-04-02  Mark Lam  <mark.lam@apple.com>
2872
2873         Add Options::dumpSourceAtDFGTime().
2874         <https://webkit.org/b/143349>
2875
2876         Reviewed by Oliver Hunt, and Michael Saboff.
2877
2878         Sometimes, we will want to see the JS source code that we're compiling, and it
2879         would be nice to be able to do this without having to jump through a lot of hoops.
2880         So, let's add an Options::dumpSourceAtDFGTime() option just like we have an
2881         Options::dumpBytecodeAtDFGTime() option.
2882
2883         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
2884         that explicitly take no arguments (instead of relying on the version that takes
2885         the default argument).  These versions are friendlier to use when we want to call
2886         them from an interactive debugging session.
2887
2888         * bytecode/CodeBlock.cpp:
2889         (JSC::CodeBlock::dumpSource):
2890         (JSC::CodeBlock::dumpBytecode):
2891         * bytecode/CodeBlock.h:
2892         * dfg/DFGByteCodeParser.cpp:
2893         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2894         * runtime/Options.h:
2895
2896 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2897
2898         Clean up EnumerationMode to easily extend
2899         https://bugs.webkit.org/show_bug.cgi?id=143276
2900
2901         Reviewed by Geoffrey Garen.
2902
2903         To make the following easy:
2904         1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
2905         2. Making ExcludeSymbols the implicit default for the existing flags
2906         we encapsulate the EnumerationMode flags into an EnumerationMode class.
2907
2908         And this class manages 2 flags. Later it will be extended to 3.
2909         1. DontEnumPropertiesMode (default is Exclude)
2910         2. JSObjectPropertiesMode (default is Include)
2911         3. SymbolPropertiesMode (default is Exclude)
2912             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
2913
2914         This patch replaces places using ExcludeDontEnumProperties
2915         with the EnumerationMode() value, which represents the default mode.
2916
2917         * API/JSCallbackObjectFunctions.h:
2918         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2919         * API/JSObjectRef.cpp:
2920         (JSObjectCopyPropertyNames):
2921         * bindings/ScriptValue.cpp:
2922         (Deprecated::jsToInspectorValue):
2923         * bytecode/ObjectAllocationProfile.h:
2924         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2925         * runtime/ArrayPrototype.cpp:
2926         (JSC::arrayProtoFuncSort):
2927         * runtime/EnumerationMode.h:
2928         (JSC::EnumerationMode::EnumerationMode):
2929         (JSC::EnumerationMode::includeDontEnumProperties):
2930         (JSC::EnumerationMode::includeJSObjectProperties):
2931         (JSC::shouldIncludeDontEnumProperties): Deleted.
2932         (JSC::shouldExcludeDontEnumProperties): Deleted.
2933         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
2934         (JSC::modeThatSkipsJSObject): Deleted.
2935         * runtime/GenericArgumentsInlines.h:
2936         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2937         * runtime/JSArray.cpp:
2938         (JSC::JSArray::getOwnNonIndexPropertyNames):
2939         * runtime/JSArrayBuffer.cpp:
2940         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2941         * runtime/JSArrayBufferView.cpp:
2942         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2943         * runtime/JSFunction.cpp:
2944         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2945         * runtime/JSFunction.h:
2946         * runtime/JSGenericTypedArrayViewInlines.h:
2947         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
2948         * runtime/JSLexicalEnvironment.cpp:
2949         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2950         * runtime/JSONObject.cpp:
2951         (JSC::Stringifier::Holder::appendNextProperty):
2952         (JSC::Walker::walk):
2953         * runtime/JSObject.cpp:
2954         (JSC::getClassPropertyNames):
2955         (JSC::JSObject::getOwnPropertyNames):
2956         (JSC::JSObject::getOwnNonIndexPropertyNames):
2957         (JSC::JSObject::getGenericPropertyNames):
2958         * runtime/JSPropertyNameEnumerator.h:
2959         (JSC::propertyNameEnumerator):
2960         * runtime/JSSymbolTableObject.cpp:
2961         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2962         * runtime/ObjectConstructor.cpp:
2963         (JSC::objectConstructorGetOwnPropertyNames):
2964         (JSC::objectConstructorKeys):
2965         (JSC::defineProperties):
2966         (JSC::objectConstructorSeal):
2967         (JSC::objectConstructorFreeze):
2968         (JSC::objectConstructorIsSealed):
2969         (JSC::objectConstructorIsFrozen):
2970         * runtime/RegExpObject.cpp:
2971         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2972         (JSC::RegExpObject::getPropertyNames):
2973         (JSC::RegExpObject::getGenericPropertyNames):
2974         * runtime/StringObject.cpp:
2975         (JSC::StringObject::getOwnPropertyNames):
2976         * runtime/Structure.cpp:
2977         (JSC::Structure::getPropertyNamesFromStructure):
2978
2979 2015-04-01  Alex Christensen  <achristensen@webkit.org>
2980
2981         Progress towards CMake on Windows and Mac.
2982         https://bugs.webkit.org/show_bug.cgi?id=143293
2983
2984         Reviewed by Filip Pizlo.
2985
2986         * CMakeLists.txt:
2987         Enabled using assembly on Windows.
2988         Replaced unix commands with CMake commands.
2989         * PlatformMac.cmake:
2990         Tell open source builders where to find unicode headers.
2991
2992 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2993
2994         IteratorClose should be called when jumping over the target for-of loop
2995         https://bugs.webkit.org/show_bug.cgi?id=143140
2996
2997         Reviewed by Geoffrey Garen.
2998
2999         This patch fixes labeled break/continue behaviors with for-of and iterators.
3000
3001         1. Support IteratorClose beyond multiple loop contexts
3002         Previously, IteratorClose was only executed in for-of's breakTarget().
3003         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
3004         For example,
3005         outer: for (var e1 of outer) {
3006             inner: for (var e2 of inner) {
3007                 break outer;
3008             }
3009         }
3010         In this case, the return method of inner should be called.
3011         We leverage the existing system for `finally` to execute the inner.return method correctly.
3012         Leveraging the `finally` system fixes the `break`, `continue` and `return` cases.
3013         The `throw` case is already supported by emitting try-catch handlers in for-of.
3014
3015         2. Incorrect LabelScope creation is done in ForOfNode
3016         ForOfNode creates a duplicated LabelScope.
3017         It causes an infinite loop when executing the following program that contains an
3018         explicitly labeled for-of loop.
3019         For example,
3020         inner: for (var elm of array) {
3021             continue inner;
3022         }
3023
3024         * bytecompiler/BytecodeGenerator.cpp:
3025         (JSC::BytecodeGenerator::pushFinallyContext):
3026         (JSC::BytecodeGenerator::pushIteratorCloseContext):
3027         (JSC::BytecodeGenerator::popFinallyContext):
3028         (JSC::BytecodeGenerator::popIteratorCloseContext):
3029         (JSC::BytecodeGenerator::emitComplexPopScopes):
3030         (JSC::BytecodeGenerator::emitEnumeration):
3031         (JSC::BytecodeGenerator::emitIteratorClose):
3032         * bytecompiler/BytecodeGenerator.h:
3033         * bytecompiler/NodesCodegen.cpp:
3034         (JSC::ForOfNode::emitBytecode):
3035         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
3036         (createIterator.iterator.return):
3037         (createIterator):
3038         * tests/stress/raise-error-in-iterator-close.js: Added.
3039         (createIterator.iterator.return):
3040         (createIterator):
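
        The IteratorClose behaviour described in this entry, shown from JavaScript as an added example
        (not JavaScriptCore's own code or tests): `makeIterable` is a constructed iterable that records
        every return() call, and the functions below exercise labeled break, labeled continue, function
        return and throw across nested for-of loops.

```javascript
// Added example, not JavaScriptCore code: which iterators get closed when
// control leaves nested for-of loops early. `makeIterable` is a constructed
// test iterable that records every return() call in the shared `log` array.
function makeIterable(name, count, log) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          if (i < count) return { value: `${name}${i++}`, done: false };
          return { value: undefined, done: true };
        },
        // IteratorClose invokes this when the loop is abandoned before the
        // iterator reports done; an exhausted iterator is never closed.
        return() {
          log.push(`${name}.return`);
          return { value: undefined, done: true };
        },
      };
    },
  };
}

// `break outer` from the inner body abandons both loops, so the inner
// iterator is closed first and then the outer one.
function breakOuterFromInner() {
  const log = [];
  outer: for (const e1 of makeIterable('outer', 3, log)) {
    for (const e2 of makeIterable('inner', 3, log)) {
      log.push(`visit ${e1},${e2}`);
      break outer;
    }
  }
  return log;
}

// `continue outer` abandons only the inner loop: the inner iterator is
// closed on every outer step, while the outer iterator runs to exhaustion
// and is therefore never closed.
function continueOuterFromInner() {
  const log = [];
  outer: for (const e1 of makeIterable('outer', 2, log)) {
    for (const e2 of makeIterable('inner', 2, log)) {
      log.push(`visit ${e1},${e2}`);
      continue outer;
    }
  }
  return log;
}

// A for-of labeled with its own name plus `continue <label>` must advance,
// not spin forever (the duplicated-LabelScope bug in this entry).
function continueOwnLabel() {
  const log = [];
  let iterations = 0;
  inner: for (const elm of makeIterable('array', 3, log)) {
    iterations++;
    if (iterations > 10) throw new Error(`runaway loop at ${elm}`);
    continue inner;
  }
  return { iterations, log };
}

// `return` from the inner body closes both iterators before the function
// actually returns, so the array handed back already holds both entries.
function returnFromInner() {
  const log = [];
  for (const _outer of makeIterable('outer', 2, log)) {
    for (const _inner of makeIterable('inner', 2, log)) {
      return log;
    }
  }
  return log;
}

// A `throw` closes both iterators too, then the exception keeps propagating.
function throwFromInner() {
  const log = [];
  try {
    for (const _outer of makeIterable('outer', 2, log)) {
      for (const _inner of makeIterable('inner', 2, log)) {
        throw new Error('boom');
      }
    }
  } catch (e) {
    log.push(`caught ${e.message}`);
  }
  return log;
}

console.log(breakOuterFromInner());
console.log(continueOuterFromInner());
console.log(continueOwnLabel());
console.log(returnFromInner());
console.log(throwFromInner());
```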
3041
3042 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3043
3044         [ES6] Implement Symbol.unscopables
3045         https://bugs.webkit.org/show_bug.cgi?id=142829
3046
3047         Reviewed by Geoffrey Garen.
3048
3049         This patch introduces Symbol.unscopables functionality.
3050         In ES6, some generic names (like keys, values) are introduced
3051         as Array method names. And this breaks the web since some web sites
3052         use code like the following.
3053
3054         var values = ...;
3055         with (array) {
3056             values;  // This values is trapped by array's method "values".
3057         }
3058
3059         To fix this, Symbol.unscopables introduces a blacklist
3060         for with-scope trapping. When resolving a scope,
3061         if the name is found in the target scope and the target scope is a with scope,
3062         we check the Symbol.unscopables object to filter generic names.
3063
3064         This functionality is only active for with scopes.
3065         Global scope does not have unscopables functionality.
3066
3067         And since
3068         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
3069         2) in that case, JSScope::resolve is always used in the JIT and LLInt,
3070         3) the code which contains an op_resolve_scope that returns Dynamic cannot be compiled with the DFG and FTL,
3071         to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
3072         So the performance regression is only visible in the Dynamic resolving case, and it is already very slow.
3073
3074         * runtime/ArrayPrototype.cpp:
3075         (JSC::ArrayPrototype::finishCreation):
3076         * runtime/CommonIdentifiers.h:
3077         * runtime/JSGlobalObject.h:
3078         (JSC::JSGlobalObject::runtimeFlags):
3079         * runtime/JSScope.cpp:
3080         (JSC::isUnscopable):
3081         (JSC::JSScope::resolve):
3082         * runtime/JSScope.h:
3083         (JSC::ScopeChainIterator::scope):
3084         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
3085         (test):
3086         * tests/stress/unscopables.js: Added.
3087         (test):
3088         (.):
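
        The with-scope filtering described in this entry, shown from JavaScript as an added example
        (not JavaScriptCore's own code or tests): `lookupInsideWith` is a constructed helper that
        resolves a name inside `with (obj)` while an outer variable of the same name exists, so the
        array case, a custom Symbol.unscopables object, and the global-scope exception can each be
        observed.

```javascript
// Added example, not JavaScriptCore code: how Symbol.unscopables decides
// which properties a `with` scope may capture. `lookupInsideWith` is a
// constructed helper for this demonstration.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Resolve `name` from inside `with (obj) { ... }` while an outer variable of
// the same name holds `outerValue`. The body is compiled with the Function
// constructor so it is sloppy-mode code even if this file is strict
// (`with` is a SyntaxError in strict mode). Only plain identifiers are
// accepted, so no other code can be spliced into the body.
function lookupInsideWith(obj, name, outerValue) {
  if (!IDENTIFIER.test(name) || name === 'obj' || name === 'outerValue') {
    throw new TypeError(`unsupported identifier: ${name}`);
  }
  const body = `var ${name} = outerValue; with (obj) { return ${name}; }`;
  return new Function('obj', 'outerValue', body)(obj, outerValue);
}

// `values` appears in Array.prototype[Symbol.unscopables], so `with (array)`
// does not trap it and the outer binding wins (the web-compat case above).
function arrayValuesIsNotTrapped() {
  return lookupInsideWith([1, 2, 3], 'values', 'outer values');
}

// `length` is not listed there, so the array's own property is found.
function arrayLengthIsTrapped() {
  return lookupInsideWith([1, 2, 3], 'length', 'outer length');
}

// The Array names the engine blacklists for `with` lookup.
function arrayUnscopableNames() {
  return Object.keys(Array.prototype[Symbol.unscopables]).sort();
}

// Any object can opt its own names out of `with` capture: a truthy entry in
// its Symbol.unscopables object hides that name from the with scope.
function customUnscopables() {
  const target = { secret: 'from object', open: 'from object' };
  target[Symbol.unscopables] = { secret: true };
  return {
    secret: lookupInsideWith(target, 'secret', 'from outer'),
    open: lookupInsideWith(target, 'open', 'from outer'),
  };
}

// Only with scopes consult Symbol.unscopables. A Symbol.unscopables object
// on the global object does not hide global bindings (`demoGlobal` is a
// constructed global that is removed again afterwards).
function globalScopeIgnoresUnscopables() {
  globalThis.demoGlobal = 'global value';
  globalThis[Symbol.unscopables] = { demoGlobal: true };
  try {
    return new Function('return demoGlobal;')();
  } finally {
    delete globalThis.demoGlobal;
    delete globalThis[Symbol.unscopables];
  }
}

console.log(arrayValuesIsNotTrapped());
console.log(arrayLengthIsTrapped());
console.log(arrayUnscopableNames());
console.log(customUnscopables());
console.log(globalScopeIgnoresUnscopables());
```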
3089
3090 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
3091
3092         ES6 class syntax should allow static setters and getters
3093         https://bugs.webkit.org/show_bug.cgi?id=143180
3094
3095         Reviewed by Filip Pizlo.
3096
3097         Apparently I misread the spec when I initially implemented parseClass.
3098         ES6 class syntax allows static getters and setters so just allow that.
3099
3100         * parser/Parser.cpp:
3101         (JSC::Parser<LexerType>::parseClass):
3102
3103 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
3104
3105         PutClosureVar CSE def() rule has a wrong base
3106         https://bugs.webkit.org/show_bug.cgi?id=143280
3107
3108         Reviewed by Michael Saboff.
3109         
3110         I think that this code was incorrect in a benign way, since the base of a
3111         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
3112
3113         * dfg/DFGClobberize.h:
3114         (JSC::DFG::clobberize):
3115
3116 2015-03-31  Commit Queue  <commit-queue@webkit.org>
3117
3118         Unreviewed, rolling out r182200.
3119         https://bugs.webkit.org/show_bug.cgi?id=143279
3120
3121         Probably causing assertion extravaganza on bots. (Requested by
3122         kling on #webkit).
3123
3124         Reverted changeset:
3125
3126         "Logically empty WeakBlocks should not pin down their
3127         MarkedBlocks indefinitely."
3128         https://bugs.webkit.org/show_bug.cgi?id=143210
3129         http://trac.webkit.org/changeset/182200
3130
3131 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3132
3133         Clean up Identifier factories to clarify the meaning of StringImpl*
3134         https://bugs.webkit.org/show_bug.cgi?id=143146
3135
3136         Reviewed by Filip Pizlo.
3137
3138         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
3139         However, it's ambiguous because `StringImpl*` has 2 different meanings:
3140         1) a normal string, which is replaceable with `WTFString`, and
3141         2) a `uid`, which holds `isSymbol` information to represent Symbols.
3142         So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
3143         + `Identifier::fromString(VM*/ExecState*, const String&)`.
3144         Just constructs an Identifier from strings. The symbol-ness of StringImpl* is not kept.
3145         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
3146         This function is used for 2) `uid`. So the symbol-ness of `StringImpl*` is kept.
3147
3148         And to clean up `StringImpl` which is used as a uid,
3149         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
3150         1. StringNormal (non-atomic, non-symbol)
3151         2. StringAtomic (atomic, non-symbol)
3152         3. StringSymbol (non-atomic, symbol)
3153         They are mutually exclusive. And the (atomic, symbol) case should not exist.
3154
3155         * API/JSCallbackObjectFunctions.h:
3156         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
3157         * API/JSObjectRef.cpp:
3158         (JSObjectMakeFunction):
3159         * API/OpaqueJSString.cpp:
3160         (OpaqueJSString::identifier):
3161         * bindings/ScriptFunctionCall.cpp:
3162         (Deprecated::ScriptFunctionCall::call):
3163         * builtins/BuiltinExecutables.cpp:
3164         (JSC::BuiltinExecutables::createExecutableInternal):
3165         * builtins/BuiltinNames.h:
3166         (JSC::BuiltinNames::BuiltinNames):
3167         * bytecompiler/BytecodeGenerator.cpp:
3168         (JSC::BytecodeGenerator::BytecodeGenerator):
3169         (JSC::BytecodeGenerator::emitThrowReferenceError):
3170         (JSC::BytecodeGenerator::emitThrowTypeError):
3171         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3172         (JSC::BytecodeGenerator::emitEnumeration):
3173         * dfg/DFGDesiredIdentifiers.cpp:
3174         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3175         * inspector/JSInjectedScriptHost.cpp:
3176         (Inspector::JSInjectedScriptHost::functionDetails):
3177         (Inspector::constructInternalProperty):
3178         (Inspector::JSInjectedScriptHost::weakMapEntries):
3179         (Inspector::JSInjectedScriptHost::iteratorEntries):
3180         * inspector/JSInjectedScriptHostPrototype.cpp:
3181         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
3182         * inspector/JSJavaScriptCallFramePrototype.cpp:
3183         * inspector/ScriptCallStackFactory.cpp:
3184         (Inspector::extractSourceInformationFromException):
3185         * jit/JITOperations.cpp:
3186         * jsc.cpp:
3187         (GlobalObject::finishCreation):
3188         (GlobalObject::addFunction):
3189         (GlobalObject::addConstructableFunction):
3190         (functionRun):
3191         (runWithScripts):
3192         * llint/LLIntData.cpp:
3193         (JSC::LLInt::Data::performAssertions):
3194         * llint/LowLevelInterpreter.asm:
3195         * parser/ASTBuilder.h:
3196         (JSC::ASTBuilder::addVar):
3197         * parser/Parser.cpp:
3198         (JSC::Parser<LexerType>::parseInner):
3199         (JSC::Parser<LexerType>::createBindingPattern):
3200         * parser/ParserArena.h:
3201         (JSC::IdentifierArena::makeIdentifier):
3202         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
3203         (JSC::IdentifierArena::makeNumericIdentifier):
3204         * runtime/ArgumentsIteratorPrototype.cpp:
3205         (JSC::ArgumentsIteratorPrototype::finishCreation):
3206         * runtime/ArrayIteratorPrototype.cpp:
3207         (JSC::ArrayIteratorPrototype::finishCreation):
3208         * runtime/ArrayPrototype.cpp:
3209         (JSC::ArrayPrototype::finishCreation):
3210         (JSC::arrayProtoFuncPush):
3211         * runtime/ClonedArguments.cpp:
3212         (JSC::ClonedArguments::getOwnPropertySlot):
3213         * runtime/CommonIdentifiers.cpp:
3214         (JSC::CommonIdentifiers::CommonIdentifiers):
3215         * runtime/CommonIdentifiers.h:
3216         * runtime/Error.cpp:
3217         (JSC::addErrorInfo):
3218         (JSC::hasErrorInfo):
3219         * runtime/ExceptionHelpers.cpp:
3220         (JSC::createUndefinedVariableError):
3221         * runtime/GenericArgumentsInlines.h:
3222         (JSC::GenericArguments<Type>::getOwnPropertySlot):
3223         * runtime/Identifier.h:
3224         (JSC::Identifier::isSymbol):
3225         (JSC::Identifier::Identifier):
3226         (JSC::Identifier::from): Deleted.
3227         * runtime/IdentifierInlines.h:
3228         (JSC::Identifier::Identifier):
3229         (JSC::Identifier::fromUid):
3230         (JSC::Identifier::fromString):
3231         * runtime/JSCJSValue.cpp:
3232         (JSC::JSValue::dumpInContextAssumingStructure):
3233         * runtime/JSCJSValueInlines.h:
3234         (JSC::JSValue::toPropertyKey):
3235         * runtime/JSGlobalObject.cpp:
3236         (JSC::JSGlobalObject::init):
3237         * runtime/JSLexicalEnvironment.cpp:
3238         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
3239         * runtime/JSObject.cpp:
3240         (JSC::getClassPropertyNames):
3241         (JSC::JSObject::reifyStaticFunctionsForDelete):
3242         * runtime/JSObject.h:
3243         (JSC::makeIdentifier):
3244         * runtime/JSPromiseConstructor.cpp:
3245         (JSC::JSPromiseConstructorFuncRace):
3246         (JSC::JSPromiseConstructorFuncAll):
3247         * runtime/JSString.h:
3248         (JSC::JSString::toIdentifier):
3249         * runtime/JSSymbolTableObject.cpp:
3250         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3251         * runtime/LiteralParser.cpp:
3252         (JSC::LiteralParser<CharType>::tryJSONPParse):
3253         (JSC::LiteralParser<CharType>::makeIdentifier):
3254         * runtime/Lookup.h:
3255         (JSC::reifyStaticProperties):
3256         * runtime/MapConstructor.cpp:
3257         (JSC::constructMap):
3258         * runtime/MapIteratorPrototype.cpp:
3259         (JSC::MapIteratorPrototype::finishCreation):
3260         * runtime/MapPrototype.cpp:
3261         (JSC::MapPrototype::finishCreation):
3262         * runtime/MathObject.cpp:
3263         (JSC::MathObject::finishCreation):
3264         * runtime/NumberConstructor.cpp:
3265         (JSC::NumberConstructor::finishCreation):
3266         * runtime/ObjectConstructor.cpp:
3267         (JSC::ObjectConstructor::finishCreation):
3268         * runtime/PrivateName.h:
3269         (JSC::PrivateName::PrivateName):
3270         * runtime/PropertyMapHashTable.h:
3271         (JSC::PropertyTable::find):
3272         (JSC::PropertyTable::get):
3273         * runtime/PropertyName.h:
3274         (JSC::PropertyName::PropertyName):
3275         (JSC::PropertyName::publicName):
3276         (JSC::PropertyName::asIndex):
3277         * runtime/PropertyNameArray.cpp:
3278         (JSC::PropertyNameArray::add):
3279         * runtime/PropertyNameArray.h:
3280         (JSC::PropertyNameArray::addKnownUnique):
3281         * runtime/RegExpConstructor.cpp:
3282         (JSC::RegExpConstructor::finishCreation):
3283         * runtime/SetConstructor.cpp:
3284         (JSC::constructSet):
3285         * runtime/SetIteratorPrototype.cpp:
3286         (JSC::SetIteratorPrototype::finishCreation):
3287         * runtime/SetPrototype.cpp:
3288         (JSC::SetPrototype::finishCreation):
3289         * runtime/StringIteratorPrototype.cpp:
3290         (JSC::StringIteratorPrototype::finishCreation):
3291         * runtime/StringPrototype.cpp:
3292         (JSC::StringPrototype::finishCreation):
3293         * runtime/Structure.cpp:
3294         (JSC::Structure::getPropertyNamesFromStructure):
3295         * runtime/SymbolConstructor.cpp:
3296         * runtime/VM.cpp:
3297         (JSC::VM::throwException):
3298         * runtime/WeakMapConstructor.cpp:
3299         (JSC::constructWeakMap):
3300
3301 2015-03-31  Andreas Kling  <akling@apple.com>
3302
3303         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
3304         <https://webkit.org/b/143210>
3305
3306         Reviewed by Geoffrey Garen.
3307
3308         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
3309         we had a little problem where WeakBlocks with only null pointers would still keep their
3310         MarkedBlock alive.
3311
3312         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
3313         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
3314         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
3315         destroying them once they're fully dead.
3316
3317         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
3318         a mysterious issue where doing two full garbage collections back-to-back would free additional
3319         memory in the second collection.
3320
3321         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
3322         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
3323         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
3324
3325         * heap/Heap.h:
3326         * heap/Heap.cpp:
3327         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
3328         owned by Heap, after everything else has been swept.
3329
3330         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
3331         after a full garbage collection ends. Note that we don't do this after Eden collections, since
3332         they are unlikely to cause entire WeakBlocks to go empty.
3333
3334         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
3335         to the Heap when it's detached from a WeakSet.
3336
3337         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
3338         of the logically empty WeakBlocks owned by Heap.
3339
3340         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
3341         and updates the next-logically-empty-weak-block-to-sweep index.
3342
3343         (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
3344         won't be another chance after this.