parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
        https://bugs.webkit.org/show_bug.cgi?id=143170

        Reviewed by Benjamin Poulain.

        Assert that we never use the 16-bit version of the parser to parse a default constructor
        since both base and derived default constructors should be using an 8-bit string.

        * parser/Parser.h:
        (JSC::parse):

2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
        https://bugs.webkit.org/show_bug.cgi?id=142862

        Reviewed by Benjamin Poulain.

        Add a test that used to fail in DFG now that the bug has been fixed by r181993.

        * tests/stress/class-syntax-derived-default-constructor.js: Added.

2015-03-27  Michael Saboff  <msaboff@apple.com>

        load8Signed() and load16Signed() should be renamed to avoid confusion
        https://bugs.webkit.org/show_bug.cgi?id=143168

        Reviewed by Benjamin Poulain.

        Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM::load8Signed): Deleted.
        (JSC::MacroAssemblerARM::load16Signed): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load16Signed): Deleted.
        (JSC::MacroAssemblerARM64::load8Signed): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
        (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
        (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load16):
        (JSC::MacroAssemblerSH4::load8Signed): Deleted.
        (JSC::MacroAssemblerSH4::load16Signed): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
        (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):

2015-03-27  Michael Saboff  <msaboff@apple.com>

        Fix flaky dfg-int8array.js and dfg-int16array.js tests for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=138390

        Reviewed by Mark Lam.

        Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
        instead of 64 bits.  This is what X86-64 does.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16Signed):
        (JSC::MacroAssemblerARM64::load8Signed):

2015-03-27  Saam Barati  <saambarati1@gmail.com>

        Add back previously broken assert from bug 141869
        https://bugs.webkit.org/show_bug.cgi?id=143005

        Reviewed by Michael Saboff.

        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Make some more objects use FastMalloc
        https://bugs.webkit.org/show_bug.cgi?id=143122

        Reviewed by Csaba Osztrogonác.

        * API/JSCallbackObject.h:
        * heap/IncrementalSweeper.h:
        * jit/JITThunks.h:
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/RegExpCache.h:

2015-03-27  Michael Saboff  <msaboff@apple.com>

        Objects with numeric properties intermittently get a phantom 'length' property
        https://bugs.webkit.org/show_bug.cgi?id=142792

        Reviewed by Csaba Osztrogonác.

        Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
        test and branch instructions.  This function is used for linking tbz/tbnz branches between
        two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
        the failure case checks in the GetById array length stub created for "obj.length" access.
        If the failure case code address was at a negative offset from the stub, we'd look for bit 1
        being set when we should have been looking for bit 0.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):

2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Insert exception check around toPropertyKey call
        https://bugs.webkit.org/show_bug.cgi?id=142922

        Reviewed by Geoffrey Garen.

        In some places, an exception check is missing after/before toPropertyKey.
        However, since it calls toString, it's observable to users.

        Missing exception checks in Object.prototype methods can be
        observed since it would be overridden with toObject(null/undefined) errors.
        We inserted exception checks after toPropertyKey.

        Missing exception checks in GetById related code can be
        observed since it would be overridden with toObject(null/undefined) errors.
        In this case, we need to insert exception checks before/after toPropertyKey
        since RequireObjectCoercible followed by toPropertyKey can cause exceptions.

        JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
        However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
        According to the spec, we first perform RequireObjectCoercible and check the exception.
        And second, we perform ToPropertyKey and check the exception.
        Since JSValue::toPropertyKey can cause a toString call, this is observable to users.
        For example, if the target is not object coercible,
        ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
        So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.

        This patch introduces JSValue::requireObjectCoercible and uses it for the following two reasons.

        1. Using toObject instead of requireObjectCoercible produces an unnecessary wrapper object.

        toObject converts primitive types into wrapper objects.
        But it is not efficient since wrapper objects are not necessary
        if we look up methods from primitive values' prototype. (using synthesizePrototype is better).

        2. Using the result of toObject is not correct to the spec.

        To align to the spec correctly, we cannot use JSObject::get
        by using the wrapper object produced by the toObject suggested in (1).
        If we use the JSObject that is converted by toObject, the getter will be called by using this JSObject as |this|.
        It is not correct since the getter should be called with the original |this| value that may be a primitive type.

        So in this patch, we use JSValue::requireObjectCoercible
        to check that the target is object coercible and raise an error if it's not.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::requireObjectCoercible):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
        (shouldThrow):
        (if):
        * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
        (shouldThrow):
        (.):
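
        Added example, not code from the WebKit patch or its stress tests: a property key whose toString()
        records that it ran and then throws, used to make the ordering this entry describes observable.
        KeyError, makeTracingKey, outcomeOf and checkSpecOrder are this example's own names; it covers
        both the base[key] case (RequireObjectCoercible before ToPropertyKey) and the
        Object.prototype.hasOwnProperty case (ToPropertyKey before ToObject).

```javascript
// Constructed for this example: a key whose ToPropertyKey conversion is
// observable, because toString() logs that it ran and then throws.
class KeyError extends Error {}

function makeTracingKey(log) {
  return {
    toString() {
      log.push("toString");
      throw new KeyError("toString observed");
    },
  };
}

// Runs op() and classifies the result: "TypeError" comes from
// RequireObjectCoercible/ToObject on null or undefined, "KeyError" from the
// key's toString(), "ok" if nothing threw. Anything else is a real bug.
function outcomeOf(op) {
  try {
    op();
    return "ok";
  } catch (e) {
    if (e instanceof TypeError) return "TypeError";
    if (e instanceof KeyError) return "KeyError";
    throw e;
  }
}

// base[key]: the spec performs RequireObjectCoercible(base) first, then
// ToPropertyKey(key). With a null base the key's toString() must never run;
// with a string base the base is coercible, so toString() runs and throws.
function getByValOrder(base, log) {
  const key = makeTracingKey(log);
  return outcomeOf(() => base[key]);
}

// Object.prototype.hasOwnProperty(V): the spec performs ToPropertyKey(V)
// first and ToObject(this) second, so the key's error must win over the
// TypeError that a null receiver would produce. This is the case the entry
// says was previously overridden by the toObject(null/undefined) error.
function hasOwnPropertyOrder(receiver, log) {
  const key = makeTracingKey(log);
  return outcomeOf(() => Object.prototype.hasOwnProperty.call(receiver, key));
}

// Runs every case and reports both the outcome and how often toString() ran.
function checkSpecOrder() {
  const nullBaseLog = [];
  const stringBaseLog = [];
  const hasOwnLog = [];
  return {
    nullBase: getByValOrder(null, nullBaseLog),
    nullBaseToStringCalls: nullBaseLog.length,
    stringBase: getByValOrder("abc", stringBaseLog),
    stringBaseToStringCalls: stringBaseLog.length,
    hasOwn: hasOwnPropertyOrder(null, hasOwnLog),
    hasOwnToStringCalls: hasOwnLog.length,
  };
}

// A conforming engine yields: nullBase "TypeError" with 0 toString calls,
// stringBase "KeyError" with 1 call, hasOwn "KeyError" with 1 call.
console.log(checkSpecOrder());
```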

2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>

        WebContent Crash when instantiating class with Type Profiling enabled
        https://bugs.webkit.org/show_bug.cgi?id=143037

        Reviewed by Ryosuke Niwa.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMoveEmptyValue):
        We cannot profile the type of an uninitialized empty JSValue.
        Nor do we expect this to be necessary, since it is effectively
        an unseen undefined value. So add a way to put the empty value
        without profiling.

        (JSC::BytecodeGenerator::emitMove):
        Add an assert to try to catch this issue early on, and force
        callers to explicitly use emitMoveEmptyValue instead.

        * tests/typeProfiler/classes.js: Added.
        (wrapper.Base):
        (wrapper.Derived):
        (wrapper):
        Add test coverage both for this case and classes in general.

2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Provide a better view for Classes in the console
        https://bugs.webkit.org/show_bug.cgi?id=142999

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Runtime.json:
        Provide a new `subtype` enum "class". This is a subtype of `type`
        "function", all other subtypes are subtypes of `object` types.
        For a class, the frontend will immediately want to get the prototype
        to enumerate its methods, so include the `classPrototype`.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        Denote class construction functions as "class" subtypes.

        * inspector/InjectedScriptSource.js:
        Handling for the new "class" type.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::isClassConstructorFunction):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::isClassConstructorFunction):
        Check if this function is a class constructor function. That information
        is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Function.prototype.toString should not decompile the AST
        https://bugs.webkit.org/show_bug.cgi?id=142853

        Reviewed by Darin Adler.

        Following up on Darin's review comments.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        "lineNo" does not match WebKit coding style guidelines
        https://bugs.webkit.org/show_bug.cgi?id=143119

        Reviewed by Michael Saboff.

        We can afford to use whole words.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::lineNumberForBytecodeOffset):
        (JSC::CodeBlock::expressionRangeForBytecodeOffset):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedCodeBlock.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::WhileNode::emitBytecode):
        * debugger/Debugger.cpp:
        (JSC::Debugger::toggleBreakpoint):
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::computeLineAndColumn):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::execute):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        * parser/Nodes.h:
        (JSC::Node::firstLine):
        (JSC::Node::lineNo): Deleted.
        (JSC::StatementNode::firstLine): Deleted.
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):
        * profiler/LegacyProfiler.cpp:
        (JSC::createCallIdentifierFromFunctionImp):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::firstLine):
        (JSC::ScriptExecutable::setOverrideLineNumber):
        (JSC::ScriptExecutable::hasOverrideLineNumber):
        (JSC::ScriptExecutable::overrideLineNumber):
        (JSC::ScriptExecutable::lineNo): Deleted.
        (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
        (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
        (JSC::ScriptExecutable::overrideLineNo): Deleted.
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::report):
        * tools/CodeProfile.h:
        (JSC::CodeProfile::CodeProfile):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
        https://bugs.webkit.org/show_bug.cgi?id=142974

        Reviewed by Joseph Pecoraro.

        This patch does two things:

        (1) Restore JavaScriptCore's sanitization of line and column numbers to
        one-based values.

        We need this because WebCore sometimes provides huge negative column
        numbers.

        (2) Solve the attribute event listener line numbering problem a different
        way: Rather than offsetting all line numbers by -1 in an attribute event
        listener in order to arrange for a custom result, instead use an explicit
        feature for saying "all errors in this code should map to this line number".

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedCodeBlock.h:
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::computeLineAndColumn):
        (JSC::GetStackTraceFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject): Plumb through an override line number.
        When a function has an override line number, all syntax and runtime
        errors in the function will map to it. This is useful for attribute event
        listeners.

        * parser/SourceCode.h:
        (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
        column numbers to one-based integers. It was kind of a hack to remove this.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::setOverrideLineNo):
        (JSC::ScriptExecutable::hasOverrideLineNo):
        (JSC::ScriptExecutable::overrideLineNo):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h: Plumb through an override line number.

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.

        Reviewed by Michael Saboff.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
        https://bugs.webkit.org/show_bug.cgi?id=143098

        Reviewed by Csaba Osztrogonác.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
        * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.

2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed gardening, skip failing tests on AArch64 Linux.

        * tests/mozilla/mozilla-tests.yaml:
        * tests/stress/cached-prototype-setter.js:

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
        * ftl/FTLState.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
        right, so this just makes 32-bit do the same.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix a typo that ggaren found but that I didn't fix before.

        * runtime/DirectArgumentsOffset.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, VC found a bug. This fixes the bug.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, try to fix Windows build.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix debug build.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstDeclNode::emitCodeSingle):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * dfg/DFGMinifiedID.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Heap variables shouldn't end up in the stack frame
        https://bugs.webkit.org/show_bug.cgi?id=141174

        Reviewed by Geoffrey Garen.

        This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
        any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
        longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
        simplifications:

        - Accesses to variables no longer need checks or indirections to determine where the variable is
          at that moment in time. For example, loading a closure variable now takes just one load instead
          of two. Loading an argument by index now takes a bounds check and a load in the fastest case
          (when no arguments object allocation is required) while previously that same operation required
          a "did I allocate arguments yet" check, a bounds check, and then the load.

        - Reasoning about the allocation of an activation or arguments object now follows the same simple
          logic as the allocation of any other kind of object. Previously, those objects were lazily
          allocated - so an allocation instruction wasn't the actual allocation site, since it might not
          allocate anything at all. This made the implementation of traditional escape analyses really
          awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
          arguments object using the usual SSA tricks which allows for more comprehensive removal.

        - The allocations of arguments objects, functions, and activations are now much faster. While
          this patch generally expands our ability to eliminate arguments object allocations, an earlier
          version of the patch - which lacked that functionality - was a progression on some arguments-
          and closure-happy benchmarks because although no allocations were eliminated, all allocations
          were faster.

        - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
          its arguments objects or activations. The runtime doesn't have to do things to the arguments
          objects and activations that a frame allocated, when the frame is unwound. We always had horrid
          bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
          FTL, CodeBlock, and other places. All of the things having to do with "captured variables" is
          now gone. This also enables implementing block-scoping. Without this change, block-scope
          support would require telling CodeBlock and all of the rest of the runtime about all of the
          variables that store currently-live scopes. That would have been so disastrously hard that it
          might as well be impossible. With this change, it's fair game for the bytecode generator to
          simply allocate whatever activations it wants, wherever it wants, and to keep them live for
          however long it wants. This all works, because after bytecode generation, an activation is just
          an object and variables that refer to it are just normal variables.

        - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
          VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
          used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
          of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
          an arguments object.

        - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
          using activations used to prevent inlining; now functions that use activations can be inlined
          just fine.

        This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
        speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
        It's only a slow-down on very short-running microbenchmarks we had previously written for our old
        style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.

        The easiest way of understanding this change is to start by looking at the changes in runtime/,
        and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForJSType):
        (JSC::hasOptimizableIndexing):
        (JSC::jitArrayModeForJSType):
        (JSC::jitArrayModePermitsPut):
        (JSC::jitArrayModeForStructure):
        * bytecode/BytecodeKills.h: Added.
        (JSC::BytecodeKills::BytecodeKills):
        (JSC::BytecodeKills::operandIsKilled):
        (JSC::BytecodeKills::forEachOperandKilledAt):
        (JSC::BytecodeKills::KillSet::KillSet):
        (JSC::BytecodeKills::KillSet::add):
        (JSC::BytecodeKills::KillSet::forEachLocal):
        (JSC::BytecodeKills::KillSet::contains):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::isValidRegisterForLiveness):
        (JSC::stepOverInstruction):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
        (JSC::BytecodeLivenessAnalysis::computeKills):
        (JSC::indexForOperand): Deleted.
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
        (JSC::getLivenessInfo): Deleted.
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::operandIsAlwaysLive):
        (JSC::operandThatIsNotAlwaysLiveIsLive):
        (JSC::operandIsLive):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::nameForRegister):
        (JSC::CodeBlock::validate):
        (JSC::CodeBlock::isCaptured): Deleted.
        (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
        (JSC::CodeBlock::machineSlowArguments): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::unmodifiedArgumentsRegister): Deleted.
        (JSC::CodeBlock::setArgumentsRegister): Deleted.
        (JSC::CodeBlock::argumentsRegister): Deleted.
        (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
        (JSC::CodeBlock::usesArguments): Deleted.
        (JSC::CodeBlock::captureCount): Deleted.
        (JSC::CodeBlock::captureStart): Deleted.
        (JSC::CodeBlock::captureEnd): Deleted.
        (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
        (JSC::CodeBlock::hasSlowArguments): Deleted.
        (JSC::ExecState::argumentAfterCapture): Deleted.
        * bytecode/CodeOrigin.h:
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/FullBytecodeLiveness.h:
        (JSC::FullBytecodeLiveness::getLiveness):
        (JSC::FullBytecodeLiveness::operandIsLive):
        (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
        (JSC::FullBytecodeLiveness::getOut): Deleted.
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Operands.h:
        (JSC::Operands::virtualRegisterForIndex):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        (JSC::isDirectArgumentsSpeculation):
        (JSC::isScopedArgumentsSpeculation):
        (JSC::isActionableMutableArraySpeculation):
        (JSC::isActionableArraySpeculation):
        (JSC::isArgumentsSpeculation): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
        (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::dumpInContext):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
        (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
        (JSC::ValueRecovery::nodeID):
        (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::operator==):
        (JSC::VirtualRegister::operator!=):
        (JSC::VirtualRegister::operator<):
        (JSC::VirtualRegister::operator>):
        (JSC::VirtualRegister::operator<=):
        (JSC::VirtualRegister::operator>=):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeNextParameter):
        (JSC::BytecodeGenerator::visibleNameForParameter):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::initializeVariable):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::isArgumentNumber):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::addVar): Deleted.
        (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
        (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
        (JSC::BytecodeGenerator::resolveCallee): Deleted.
        (JSC::BytecodeGenerator::addCallee): Deleted.
        (JSC::BytecodeGenerator::addParameter): Deleted.
        (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
        (JSC::BytecodeGenerator::isCaptured): Deleted.
        (JSC::BytecodeGenerator::local): Deleted.
        (JSC::BytecodeGenerator::constLocal): Deleted.
        (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
        (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
        (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
        (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
        (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::Variable):
        (JSC::Variable::isResolved):
        (JSC::Variable::ident):
        (JSC::Variable::offset):
        (JSC::Variable::isLocal):
        (JSC::Variable::local):
        (JSC::Variable::isSpecial):
        (JSC::BytecodeGenerator::argumentsRegister):
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::registerFor):
        (JSC::Local::Local): Deleted.
        (JSC::Local::operator bool): Deleted.
        (JSC::Local::get): Deleted.
        (JSC::Local::isSpecial): Deleted.
        (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
        (JSC::ResolveScopeInfo::isLocal): Deleted.
        (JSC::ResolveScopeInfo::localIndex): Deleted.
        (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::captureMode): Deleted.
673         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
674         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
675         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
676         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
677         * bytecompiler/NodesCodegen.cpp:
678         (JSC::ResolveNode::isPure):
679         (JSC::ResolveNode::emitBytecode):
680         (JSC::BracketAccessorNode::emitBytecode):
681         (JSC::DotAccessorNode::emitBytecode):
682         (JSC::EvalFunctionCallNode::emitBytecode):
683         (JSC::FunctionCallResolveNode::emitBytecode):
684         (JSC::CallFunctionCallDotNode::emitBytecode):
685         (JSC::ApplyFunctionCallDotNode::emitBytecode):
686         (JSC::PostfixNode::emitResolve):
687         (JSC::DeleteResolveNode::emitBytecode):
688         (JSC::TypeOfResolveNode::emitBytecode):
689         (JSC::PrefixNode::emitResolve):
690         (JSC::ReadModifyResolveNode::emitBytecode):
691         (JSC::AssignResolveNode::emitBytecode):
692         (JSC::ConstDeclNode::emitCodeSingle):
693         (JSC::EmptyVarExpression::emitBytecode):
694         (JSC::ForInNode::tryGetBoundLocal):
695         (JSC::ForInNode::emitLoopHeader):
696         (JSC::ForOfNode::emitBytecode):
697         (JSC::ArrayPatternNode::emitDirectBinding):
698         (JSC::BindingNode::bindValue):
699         (JSC::getArgumentByVal): Deleted.
700         * dfg/DFGAbstractHeap.h:
701         * dfg/DFGAbstractInterpreter.h:
702         * dfg/DFGAbstractInterpreterInlines.h:
703         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
704         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
705         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
706         * dfg/DFGAbstractValue.h:
707         * dfg/DFGArgumentPosition.h:
708         (JSC::DFG::ArgumentPosition::addVariable):
709         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
710         (JSC::DFG::performArgumentsElimination):
711         * dfg/DFGArgumentsEliminationPhase.h: Added.
712         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
713         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
714         * dfg/DFGArgumentsUtilities.cpp: Added.
715         (JSC::DFG::argumentsInvolveStackSlot):
716         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
717         * dfg/DFGArgumentsUtilities.h: Added.
718         * dfg/DFGArrayMode.cpp:
719         (JSC::DFG::ArrayMode::refine):
720         (JSC::DFG::ArrayMode::alreadyChecked):
721         (JSC::DFG::arrayTypeToString):
722         * dfg/DFGArrayMode.h:
723         (JSC::DFG::ArrayMode::canCSEStorage):
724         (JSC::DFG::ArrayMode::modeForPut):
725         * dfg/DFGAvailabilityMap.cpp:
726         (JSC::DFG::AvailabilityMap::prune):
727         * dfg/DFGAvailabilityMap.h:
728         (JSC::DFG::AvailabilityMap::closeOverNodes):
729         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
730         * dfg/DFGBackwardsPropagationPhase.cpp:
731         (JSC::DFG::BackwardsPropagationPhase::propagate):
732         * dfg/DFGByteCodeParser.cpp:
733         (JSC::DFG::ByteCodeParser::newVariableAccessData):
734         (JSC::DFG::ByteCodeParser::getLocal):
735         (JSC::DFG::ByteCodeParser::setLocal):
736         (JSC::DFG::ByteCodeParser::getArgument):
737         (JSC::DFG::ByteCodeParser::setArgument):
738         (JSC::DFG::ByteCodeParser::flushDirect):
739         (JSC::DFG::ByteCodeParser::flush):
740         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
741         (JSC::DFG::ByteCodeParser::handleVarargsCall):
742         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
743         (JSC::DFG::ByteCodeParser::handleInlining):
744         (JSC::DFG::ByteCodeParser::parseBlock):
745         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
746         (JSC::DFG::ByteCodeParser::parseCodeBlock):
747         * dfg/DFGCPSRethreadingPhase.cpp:
748         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
749         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
750         * dfg/DFGCSEPhase.cpp:
751         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
752         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
753         * dfg/DFGCapabilities.cpp:
754         (JSC::DFG::isSupportedForInlining):
755         (JSC::DFG::capabilityLevel):
756         * dfg/DFGClobberize.h:
757         (JSC::DFG::clobberize):
758         * dfg/DFGCommon.h:
759         * dfg/DFGCommonData.h:
760         (JSC::DFG::CommonData::CommonData):
761         * dfg/DFGConstantFoldingPhase.cpp:
762         (JSC::DFG::ConstantFoldingPhase::foldConstants):
763         * dfg/DFGDCEPhase.cpp:
764         (JSC::DFG::DCEPhase::cleanVariables):
765         * dfg/DFGDisassembler.h:
766         * dfg/DFGDoesGC.cpp:
767         (JSC::DFG::doesGC):
768         * dfg/DFGFixupPhase.cpp:
769         (JSC::DFG::FixupPhase::fixupNode):
770         * dfg/DFGFlushFormat.cpp:
771         (WTF::printInternal):
772         * dfg/DFGFlushFormat.h:
773         (JSC::DFG::resultFor):
774         (JSC::DFG::useKindFor):
775         (JSC::DFG::dataFormatFor):
776         * dfg/DFGForAllKills.h: Added.
777         (JSC::DFG::forAllLiveNodesAtTail):
778         (JSC::DFG::forAllDirectlyKilledOperands):
779         (JSC::DFG::forAllKilledOperands):
780         (JSC::DFG::forAllKilledNodesAtNodeIndex):
781         (JSC::DFG::forAllKillsInBlock):
782         * dfg/DFGGraph.cpp:
783         (JSC::DFG::Graph::Graph):
784         (JSC::DFG::Graph::dump):
785         (JSC::DFG::Graph::substituteGetLocal):
786         (JSC::DFG::Graph::livenessFor):
787         (JSC::DFG::Graph::killsFor):
788         (JSC::DFG::Graph::tryGetConstantClosureVar):
789         (JSC::DFG::Graph::tryGetRegisters): Deleted.
790         * dfg/DFGGraph.h:
791         (JSC::DFG::Graph::symbolTableFor):
792         (JSC::DFG::Graph::uses):
793         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
794         (JSC::DFG::Graph::capturedVarsFor): Deleted.
795         (JSC::DFG::Graph::usesArguments): Deleted.
796         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
797         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
798         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
799         * dfg/DFGHeapLocation.cpp:
800         (WTF::printInternal):
801         * dfg/DFGHeapLocation.h:
802         * dfg/DFGInPlaceAbstractState.cpp:
803         (JSC::DFG::InPlaceAbstractState::initialize):
804         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
805         * dfg/DFGJITCompiler.cpp:
806         (JSC::DFG::JITCompiler::link):
807         * dfg/DFGMayExit.cpp:
808         (JSC::DFG::mayExit):
809         * dfg/DFGMinifiedID.h:
810         * dfg/DFGMinifiedNode.cpp:
811         (JSC::DFG::MinifiedNode::fromNode):
812         * dfg/DFGMinifiedNode.h:
813         (JSC::DFG::belongsInMinifiedGraph):
814         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
815         (JSC::DFG::MinifiedNode::inlineCallFrame):
816         * dfg/DFGNode.cpp:
817         (JSC::DFG::Node::convertToIdentityOn):
818         * dfg/DFGNode.h:
819         (JSC::DFG::Node::hasConstant):
820         (JSC::DFG::Node::constant):
821         (JSC::DFG::Node::hasScopeOffset):
822         (JSC::DFG::Node::scopeOffset):
823         (JSC::DFG::Node::hasDirectArgumentsOffset):
824         (JSC::DFG::Node::capturedArgumentsOffset):
825         (JSC::DFG::Node::variablePointer):
826         (JSC::DFG::Node::hasCallVarargsData):
827         (JSC::DFG::Node::hasLoadVarargsData):
828         (JSC::DFG::Node::hasHeapPrediction):
829         (JSC::DFG::Node::hasCellOperand):
830         (JSC::DFG::Node::objectMaterializationData):
831         (JSC::DFG::Node::isPhantomAllocation):
832         (JSC::DFG::Node::willHaveCodeGenOrOSR):
833         (JSC::DFG::Node::shouldSpeculateDirectArguments):
834         (JSC::DFG::Node::shouldSpeculateScopedArguments):
835         (JSC::DFG::Node::isPhantomArguments): Deleted.
836         (JSC::DFG::Node::hasVarNumber): Deleted.
837         (JSC::DFG::Node::varNumber): Deleted.
838         (JSC::DFG::Node::registerPointer): Deleted.
839         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
840         * dfg/DFGNodeType.h:
841         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
842         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
843         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
844         * dfg/DFGOSRExitCompiler.cpp:
845         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
846         * dfg/DFGOSRExitCompiler.h:
847         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
848         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
849         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
850         * dfg/DFGOSRExitCompiler32_64.cpp:
851         (JSC::DFG::OSRExitCompiler::compileExit):
852         * dfg/DFGOSRExitCompiler64.cpp:
853         (JSC::DFG::OSRExitCompiler::compileExit):
854         * dfg/DFGOSRExitCompilerCommon.cpp:
855         (JSC::DFG::reifyInlinedCallFrames):
856         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
857         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
858         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
859         * dfg/DFGOSRExitCompilerCommon.h:
860         * dfg/DFGOperations.cpp:
861         * dfg/DFGOperations.h:
862         * dfg/DFGPlan.cpp:
863         (JSC::DFG::Plan::compileInThreadImpl):
864         * dfg/DFGPreciseLocalClobberize.h:
865         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
866         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
867         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
868         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
869         (JSC::DFG::preciseLocalClobberize):
870         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
871         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
872         * dfg/DFGPredictionPropagationPhase.cpp:
873         (JSC::DFG::PredictionPropagationPhase::run):
874         (JSC::DFG::PredictionPropagationPhase::propagate):
875         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
876         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
877         * dfg/DFGPromoteHeapAccess.h:
878         (JSC::DFG::promoteHeapAccess):
879         * dfg/DFGPromotedHeapLocation.cpp:
880         (WTF::printInternal):
881         * dfg/DFGPromotedHeapLocation.h:
882         * dfg/DFGSSAConversionPhase.cpp:
883         (JSC::DFG::SSAConversionPhase::run):
884         * dfg/DFGSafeToExecute.h:
885         (JSC::DFG::safeToExecute):
886         * dfg/DFGSpeculativeJIT.cpp:
887         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
888         (JSC::DFG::SpeculativeJIT::emitGetLength):
889         (JSC::DFG::SpeculativeJIT::emitGetCallee):
890         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
891         (JSC::DFG::SpeculativeJIT::checkArray):
892         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
893         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
894         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
895         (JSC::DFG::SpeculativeJIT::compileNewFunction):
896         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
897         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
898         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
899         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
900         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
901         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
902         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
903         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
904         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
905         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
906         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
907         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
908         * dfg/DFGSpeculativeJIT.h:
909         (JSC::DFG::SpeculativeJIT::callOperation):
910         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
911         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
912         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
913         * dfg/DFGSpeculativeJIT32_64.cpp:
914         (JSC::DFG::SpeculativeJIT::emitCall):
915         (JSC::DFG::SpeculativeJIT::compile):
916         * dfg/DFGSpeculativeJIT64.cpp:
917         (JSC::DFG::SpeculativeJIT::emitCall):
918         (JSC::DFG::SpeculativeJIT::compile):
919         * dfg/DFGStackLayoutPhase.cpp:
920         (JSC::DFG::StackLayoutPhase::run):
921         * dfg/DFGStrengthReductionPhase.cpp:
922         (JSC::DFG::StrengthReductionPhase::handleNode):
923         * dfg/DFGStructureRegistrationPhase.cpp:
924         (JSC::DFG::StructureRegistrationPhase::run):
925         * dfg/DFGUnificationPhase.cpp:
926         (JSC::DFG::UnificationPhase::run):
927         * dfg/DFGValidate.cpp:
928         (JSC::DFG::Validate::validateCPS):
929         * dfg/DFGValueSource.cpp:
930         (JSC::DFG::ValueSource::dump):
931         * dfg/DFGValueSource.h:
932         (JSC::DFG::dataFormatToValueSourceKind):
933         (JSC::DFG::valueSourceKindToDataFormat):
934         (JSC::DFG::ValueSource::ValueSource):
935         (JSC::DFG::ValueSource::forFlushFormat):
936         (JSC::DFG::ValueSource::valueRecovery):
937         * dfg/DFGVarargsForwardingPhase.cpp: Added.
938         (JSC::DFG::performVarargsForwarding):
939         * dfg/DFGVarargsForwardingPhase.h: Added.
940         * dfg/DFGVariableAccessData.cpp:
941         (JSC::DFG::VariableAccessData::VariableAccessData):
942         (JSC::DFG::VariableAccessData::flushFormat):
943         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
944         * dfg/DFGVariableAccessData.h:
945         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
946         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
947         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
948         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
949         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
950         * dfg/DFGVariableAccessDataDump.cpp:
951         (JSC::DFG::VariableAccessDataDump::dump):
952         * dfg/DFGVariableAccessDataDump.h:
953         * dfg/DFGVariableEventStream.cpp:
954         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
955         * dfg/DFGVariableEventStream.h:
956         * ftl/FTLAbstractHeap.cpp:
957         (JSC::FTL::AbstractHeap::dump):
958         (JSC::FTL::AbstractField::dump):
959         (JSC::FTL::IndexedAbstractHeap::dump):
960         (JSC::FTL::NumberedAbstractHeap::dump):
961         (JSC::FTL::AbsoluteAbstractHeap::dump):
962         * ftl/FTLAbstractHeap.h:
963         * ftl/FTLAbstractHeapRepository.cpp:
964         * ftl/FTLAbstractHeapRepository.h:
965         * ftl/FTLCapabilities.cpp:
966         (JSC::FTL::canCompile):
967         * ftl/FTLCompile.cpp:
968         (JSC::FTL::mmAllocateDataSection):
969         * ftl/FTLExitArgument.cpp:
970         (JSC::FTL::ExitArgument::dump):
971         * ftl/FTLExitPropertyValue.cpp:
972         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
973         * ftl/FTLExitPropertyValue.h:
974         * ftl/FTLExitTimeObjectMaterialization.cpp:
975         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
976         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
977         * ftl/FTLExitTimeObjectMaterialization.h:
978         (JSC::FTL::ExitTimeObjectMaterialization::origin):
979         * ftl/FTLExitValue.cpp:
980         (JSC::FTL::ExitValue::withLocalsOffset):
981         (JSC::FTL::ExitValue::valueFormat):
982         (JSC::FTL::ExitValue::dumpInContext):
983         * ftl/FTLExitValue.h:
984         (JSC::FTL::ExitValue::isArgument):
985         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
986         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
987         (JSC::FTL::ExitValue::valueFormat): Deleted.
988         * ftl/FTLInlineCacheSize.cpp:
989         (JSC::FTL::sizeOfCallForwardVarargs):
990         (JSC::FTL::sizeOfConstructForwardVarargs):
991         (JSC::FTL::sizeOfICFor):
992         * ftl/FTLInlineCacheSize.h:
993         * ftl/FTLIntrinsicRepository.h:
994         * ftl/FTLJSCallVarargs.cpp:
995         (JSC::FTL::JSCallVarargs::JSCallVarargs):
996         (JSC::FTL::JSCallVarargs::emit):
997         * ftl/FTLJSCallVarargs.h:
998         * ftl/FTLLowerDFGToLLVM.cpp:
999         (JSC::FTL::LowerDFGToLLVM::lower):
1000         (JSC::FTL::LowerDFGToLLVM::compileNode):
1001         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
1002         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1003         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1004         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1005         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1006         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1007         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1008         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
1009         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1010         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
1011         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
1012         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
1013         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1014         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
1015         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1016         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
1017         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
1018         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
1019         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
1020         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
1021         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
1022         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1023         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
1024         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
1025         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
1026         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
1027         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
1028         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
1029         (JSC::FTL::LowerDFGToLLVM::baseIndex):
1030         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1031         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
1032         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1033         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1034         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1035         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1036         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1037         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1038         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
1039         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
1040         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
1041         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
1042         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
1043         * ftl/FTLOSRExitCompiler.cpp:
1044         (JSC::FTL::compileRecovery):
1045         (JSC::FTL::compileStub):
1046         * ftl/FTLOperations.cpp:
1047         (JSC::FTL::operationMaterializeObjectInOSR):
1048         * ftl/FTLOutput.h:
1049         (JSC::FTL::Output::aShr):
1050         (JSC::FTL::Output::lShr):
1051         (JSC::FTL::Output::zeroExtPtr):
1052         * heap/CopyToken.h:
1053         * interpreter/CallFrame.h:
1054         (JSC::ExecState::getArgumentUnsafe):
1055         * interpreter/Interpreter.cpp:
1056         (JSC::sizeOfVarargs):
1057         (JSC::sizeFrameForVarargs):
1058         (JSC::loadVarargs):
1059         (JSC::unwindCallFrame):
1060         * interpreter/Interpreter.h:
1061         * interpreter/StackVisitor.cpp:
1062         (JSC::StackVisitor::Frame::createArguments):
1063         (JSC::StackVisitor::Frame::existingArguments): Deleted.
1064         * interpreter/StackVisitor.h:
1065         * jit/AssemblyHelpers.h:
1066         (JSC::AssemblyHelpers::storeValue):
1067         (JSC::AssemblyHelpers::loadValue):
1068         (JSC::AssemblyHelpers::storeTrustedValue):
1069         (JSC::AssemblyHelpers::branchIfNotCell):
1070         (JSC::AssemblyHelpers::branchIsEmpty):
1071         (JSC::AssemblyHelpers::argumentsStart):
1072         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
1073         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
1074         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
1075         * jit/CCallHelpers.h:
1076         (JSC::CCallHelpers::setupArgument):
1077         * jit/GPRInfo.h:
1078         (JSC::JSValueRegs::withTwoAvailableRegs):
1079         * jit/JIT.cpp:
1080         (JSC::JIT::privateCompileMainPass):
1081         (JSC::JIT::privateCompileSlowCases):
1082         * jit/JIT.h:
1083         * jit/JITCall.cpp:
1084         (JSC::JIT::compileSetupVarargsFrame):
1085         * jit/JITCall32_64.cpp:
1086         (JSC::JIT::compileSetupVarargsFrame):
1087         * jit/JITInlines.h:
1088         (JSC::JIT::callOperation):
1089         * jit/JITOpcodes.cpp:
1090         (JSC::JIT::emit_op_create_lexical_environment):
1091         (JSC::JIT::emit_op_new_func):
1092         (JSC::JIT::emit_op_create_direct_arguments):
1093         (JSC::JIT::emit_op_create_scoped_arguments):
1094         (JSC::JIT::emit_op_create_out_of_band_arguments):
1095         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1096         (JSC::JIT::emit_op_create_arguments): Deleted.
1097         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1098         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1099         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1100         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1101         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1102         * jit/JITOpcodes32_64.cpp:
1103         (JSC::JIT::emit_op_create_lexical_environment):
1104         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1105         (JSC::JIT::emit_op_create_arguments): Deleted.
1106         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1107         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1108         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1109         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1110         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1111         * jit/JITOperations.cpp:
1112         * jit/JITOperations.h:
1113         * jit/JITPropertyAccess.cpp:
1114         (JSC::JIT::emitGetClosureVar):
1115         (JSC::JIT::emitPutClosureVar):
1116         (JSC::JIT::emit_op_get_from_arguments):
1117         (JSC::JIT::emit_op_put_to_arguments):
1118         (JSC::JIT::emit_op_init_global_const):
1119         (JSC::JIT::privateCompileGetByVal):
1120         (JSC::JIT::emitDirectArgumentsGetByVal):
1121         (JSC::JIT::emitScopedArgumentsGetByVal):
1122         * jit/JITPropertyAccess32_64.cpp:
1123         (JSC::JIT::emitGetClosureVar):
1124         (JSC::JIT::emitPutClosureVar):
1125         (JSC::JIT::emit_op_get_from_arguments):
1126         (JSC::JIT::emit_op_put_to_arguments):
1127         (JSC::JIT::emit_op_init_global_const):
1128         * jit/SetupVarargsFrame.cpp:
1129         (JSC::emitSetupVarargsFrameFastCase):
1130         * llint/LLIntOffsetsExtractor.cpp:
1131         * llint/LLIntSlowPaths.cpp:
1132         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1133         * llint/LowLevelInterpreter.asm:
1134         * llint/LowLevelInterpreter32_64.asm:
1135         * llint/LowLevelInterpreter64.asm:
1136         * parser/Nodes.h:
1137         (JSC::ScopeNode::captures):
1138         * runtime/Arguments.cpp: Removed.
1139         * runtime/Arguments.h: Removed.
1140         * runtime/ArgumentsMode.h: Added.
1141         * runtime/DirectArgumentsOffset.cpp: Added.
1142         (JSC::DirectArgumentsOffset::dump):
1143         * runtime/DirectArgumentsOffset.h: Added.
1144         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
1145         * runtime/CommonSlowPaths.cpp:
1146         (JSC::SLOW_PATH_DECL):
1147         * runtime/CommonSlowPaths.h:
1148         * runtime/ConstantMode.cpp: Added.
1149         (WTF::printInternal):
1150         * runtime/ConstantMode.h:
1151         (JSC::modeForIsConstant):
1152         * runtime/DirectArguments.cpp: Added.
1153         (JSC::DirectArguments::DirectArguments):
1154         (JSC::DirectArguments::createUninitialized):
1155         (JSC::DirectArguments::create):
1156         (JSC::DirectArguments::createByCopying):
1157         (JSC::DirectArguments::visitChildren):
1158         (JSC::DirectArguments::copyBackingStore):
1159         (JSC::DirectArguments::createStructure):
1160         (JSC::DirectArguments::overrideThings):
1161         (JSC::DirectArguments::overrideThingsIfNecessary):
1162         (JSC::DirectArguments::overrideArgument):
1163         (JSC::DirectArguments::copyToArguments):
1164         (JSC::DirectArguments::overridesSize):
1165         * runtime/DirectArguments.h: Added.
1166         (JSC::DirectArguments::internalLength):
1167         (JSC::DirectArguments::length):
1168         (JSC::DirectArguments::canAccessIndexQuickly):
1169         (JSC::DirectArguments::getIndexQuickly):
1170         (JSC::DirectArguments::setIndexQuickly):
1171         (JSC::DirectArguments::callee):
1172         (JSC::DirectArguments::argument):
1173         (JSC::DirectArguments::overrodeThings):
1174         (JSC::DirectArguments::offsetOfCallee):
1175         (JSC::DirectArguments::offsetOfLength):
1176         (JSC::DirectArguments::offsetOfMinCapacity):
1177         (JSC::DirectArguments::offsetOfOverrides):
1178         (JSC::DirectArguments::storageOffset):
1179         (JSC::DirectArguments::offsetOfSlot):
1180         (JSC::DirectArguments::allocationSize):
1181         (JSC::DirectArguments::storage):
1182         * runtime/FunctionPrototype.cpp:
1183         * runtime/GenericArguments.h: Added.
1184         (JSC::GenericArguments::GenericArguments):
1185         * runtime/GenericArgumentsInlines.h: Added.
1186         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1187         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1188         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1189         (JSC::GenericArguments<Type>::put):
1190         (JSC::GenericArguments<Type>::putByIndex):
1191         (JSC::GenericArguments<Type>::deleteProperty):
1192         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1193         (JSC::GenericArguments<Type>::defineOwnProperty):
1194         (JSC::GenericArguments<Type>::copyToArguments):
1195         * runtime/GenericOffset.h: Added.
1196         (JSC::GenericOffset::GenericOffset):
1197         (JSC::GenericOffset::operator!):
1198         (JSC::GenericOffset::offsetUnchecked):
1199         (JSC::GenericOffset::offset):
1200         (JSC::GenericOffset::operator==):
1201         (JSC::GenericOffset::operator!=):
1202         (JSC::GenericOffset::operator<):
1203         (JSC::GenericOffset::operator>):
1204         (JSC::GenericOffset::operator<=):
1205         (JSC::GenericOffset::operator>=):
1206         (JSC::GenericOffset::operator+):
1207         (JSC::GenericOffset::operator-):
1208         (JSC::GenericOffset::operator+=):
1209         (JSC::GenericOffset::operator-=):
1210         * runtime/JSArgumentsIterator.cpp:
1211         (JSC::JSArgumentsIterator::finishCreation):
1212         (JSC::argumentsFuncIterator):
1213         * runtime/JSArgumentsIterator.h:
1214         (JSC::JSArgumentsIterator::create):
1215         (JSC::JSArgumentsIterator::next):
1216         * runtime/JSEnvironmentRecord.cpp:
1217         (JSC::JSEnvironmentRecord::visitChildren):
1218         * runtime/JSEnvironmentRecord.h:
1219         (JSC::JSEnvironmentRecord::variables):
1220         (JSC::JSEnvironmentRecord::isValid):
1221         (JSC::JSEnvironmentRecord::variableAt):
1222         (JSC::JSEnvironmentRecord::offsetOfVariables):
1223         (JSC::JSEnvironmentRecord::offsetOfVariable):
1224         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
1225         (JSC::JSEnvironmentRecord::allocationSize):
1226         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1227         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1228         (JSC::JSEnvironmentRecord::finishCreation):
1229         (JSC::JSEnvironmentRecord::registers): Deleted.
1230         (JSC::JSEnvironmentRecord::registerAt): Deleted.
1231         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
1232         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
1233         * runtime/JSFunction.cpp:
1234         * runtime/JSGlobalObject.cpp:
1235         (JSC::JSGlobalObject::init):
1236         (JSC::JSGlobalObject::addGlobalVar):
1237         (JSC::JSGlobalObject::addFunction):
1238         (JSC::JSGlobalObject::visitChildren):
1239         (JSC::JSGlobalObject::addStaticGlobals):
1240         * runtime/JSGlobalObject.h:
1241         (JSC::JSGlobalObject::directArgumentsStructure):
1242         (JSC::JSGlobalObject::scopedArgumentsStructure):
1243         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
1244         (JSC::JSGlobalObject::argumentsStructure): Deleted.
1245         * runtime/JSLexicalEnvironment.cpp:
1246         (JSC::JSLexicalEnvironment::symbolTableGet):
1247         (JSC::JSLexicalEnvironment::symbolTablePut):
1248         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1249         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
1250         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
1251         * runtime/JSLexicalEnvironment.h:
1252         (JSC::JSLexicalEnvironment::create):
1253         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1254         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
1255         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
1256         (JSC::JSLexicalEnvironment::storage): Deleted.
1257         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
1258         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
1259         (JSC::JSLexicalEnvironment::isValid): Deleted.
1260         (JSC::JSLexicalEnvironment::registerAt): Deleted.
1261         * runtime/JSNameScope.cpp:
1262         (JSC::JSNameScope::visitChildren): Deleted.
1263         * runtime/JSNameScope.h:
1264         (JSC::JSNameScope::create):
1265         (JSC::JSNameScope::value):
1266         (JSC::JSNameScope::finishCreation):
1267         (JSC::JSNameScope::JSNameScope):
1268         * runtime/JSScope.cpp:
1269         (JSC::abstractAccess):
1270         * runtime/JSSegmentedVariableObject.cpp:
1271         (JSC::JSSegmentedVariableObject::findVariableIndex):
1272         (JSC::JSSegmentedVariableObject::addVariables):
1273         (JSC::JSSegmentedVariableObject::visitChildren):
1274         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
1275         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
1276         * runtime/JSSegmentedVariableObject.h:
1277         (JSC::JSSegmentedVariableObject::variableAt):
1278         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
1279         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
1280         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
1281         * runtime/JSSymbolTableObject.h:
1282         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
1283         (JSC::symbolTableGet):
1284         (JSC::symbolTablePut):
1285         (JSC::symbolTablePutWithAttributes):
1286         * runtime/JSType.h:
1287         * runtime/Options.h:
1288         * runtime/ClonedArguments.cpp: Added.
1289         (JSC::ClonedArguments::ClonedArguments):
1290         (JSC::ClonedArguments::createEmpty):
1291         (JSC::ClonedArguments::createWithInlineFrame):
1292         (JSC::ClonedArguments::createWithMachineFrame):
1293         (JSC::ClonedArguments::createByCopyingFrom):
1294         (JSC::ClonedArguments::createStructure):
1295         (JSC::ClonedArguments::getOwnPropertySlot):
1296         (JSC::ClonedArguments::getOwnPropertyNames):
1297         (JSC::ClonedArguments::put):
1298         (JSC::ClonedArguments::deleteProperty):
1299         (JSC::ClonedArguments::defineOwnProperty):
1300         (JSC::ClonedArguments::materializeSpecials):
1301         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
1302         * runtime/ClonedArguments.h: Added.
1303         (JSC::ClonedArguments::specialsMaterialized):
1304         * runtime/ScopeOffset.cpp: Added.
1305         (JSC::ScopeOffset::dump):
1306         * runtime/ScopeOffset.h: Added.
1307         (JSC::ScopeOffset::ScopeOffset):
1308         * runtime/ScopedArguments.cpp: Added.
1309         (JSC::ScopedArguments::ScopedArguments):
1310         (JSC::ScopedArguments::finishCreation):
1311         (JSC::ScopedArguments::createUninitialized):
1312         (JSC::ScopedArguments::create):
1313         (JSC::ScopedArguments::createByCopying):
1314         (JSC::ScopedArguments::createByCopyingFrom):
1315         (JSC::ScopedArguments::visitChildren):
1316         (JSC::ScopedArguments::createStructure):
1317         (JSC::ScopedArguments::overrideThings):
1318         (JSC::ScopedArguments::overrideThingsIfNecessary):
1319         (JSC::ScopedArguments::overrideArgument):
1320         (JSC::ScopedArguments::copyToArguments):
1321         * runtime/ScopedArguments.h: Added.
1322         (JSC::ScopedArguments::internalLength):
1323         (JSC::ScopedArguments::length):
1324         (JSC::ScopedArguments::canAccessIndexQuickly):
1325         (JSC::ScopedArguments::getIndexQuickly):
1326         (JSC::ScopedArguments::setIndexQuickly):
1327         (JSC::ScopedArguments::callee):
1328         (JSC::ScopedArguments::overrodeThings):
1329         (JSC::ScopedArguments::offsetOfOverrodeThings):
1330         (JSC::ScopedArguments::offsetOfTotalLength):
1331         (JSC::ScopedArguments::offsetOfTable):
1332         (JSC::ScopedArguments::offsetOfScope):
1333         (JSC::ScopedArguments::overflowStorageOffset):
1334         (JSC::ScopedArguments::allocationSize):
1335         (JSC::ScopedArguments::overflowStorage):
1336         * runtime/ScopedArgumentsTable.cpp: Added.
1337         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
1338         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
1339         (JSC::ScopedArgumentsTable::destroy):
1340         (JSC::ScopedArgumentsTable::create):
1341         (JSC::ScopedArgumentsTable::clone):
1342         (JSC::ScopedArgumentsTable::setLength):
1343         (JSC::ScopedArgumentsTable::set):
1344         (JSC::ScopedArgumentsTable::createStructure):
1345         * runtime/ScopedArgumentsTable.h: Added.
1346         (JSC::ScopedArgumentsTable::length):
1347         (JSC::ScopedArgumentsTable::get):
1348         (JSC::ScopedArgumentsTable::lock):
1349         (JSC::ScopedArgumentsTable::offsetOfLength):
1350         (JSC::ScopedArgumentsTable::offsetOfArguments):
1351         (JSC::ScopedArgumentsTable::at):
1352         * runtime/SymbolTable.cpp:
1353         (JSC::SymbolTableEntry::prepareToWatch):
1354         (JSC::SymbolTable::SymbolTable):
1355         (JSC::SymbolTable::visitChildren):
1356         (JSC::SymbolTable::localToEntry):
1357         (JSC::SymbolTable::entryFor):
1358         (JSC::SymbolTable::cloneScopePart):
1359         (JSC::SymbolTable::prepareForTypeProfiling):
1360         (JSC::SymbolTable::uniqueIDForOffset):
1361         (JSC::SymbolTable::globalTypeSetForOffset):
1362         (JSC::SymbolTable::cloneCapturedNames): Deleted.
1363         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1364         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1365         * runtime/SymbolTable.h:
1366         (JSC::SymbolTableEntry::varOffsetFromBits):
1367         (JSC::SymbolTableEntry::scopeOffsetFromBits):
1368         (JSC::SymbolTableEntry::Fast::varOffset):
1369         (JSC::SymbolTableEntry::Fast::scopeOffset):
1370         (JSC::SymbolTableEntry::Fast::isDontEnum):
1371         (JSC::SymbolTableEntry::Fast::getAttributes):
1372         (JSC::SymbolTableEntry::SymbolTableEntry):
1373         (JSC::SymbolTableEntry::varOffset):
1374         (JSC::SymbolTableEntry::isWatchable):
1375         (JSC::SymbolTableEntry::scopeOffset):
1376         (JSC::SymbolTableEntry::setAttributes):
1377         (JSC::SymbolTableEntry::constantMode):
1378         (JSC::SymbolTableEntry::isDontEnum):
1379         (JSC::SymbolTableEntry::disableWatching):
1380         (JSC::SymbolTableEntry::pack):
1381         (JSC::SymbolTableEntry::isValidVarOffset):
1382         (JSC::SymbolTable::createNameScopeTable):
1383         (JSC::SymbolTable::maxScopeOffset):
1384         (JSC::SymbolTable::didUseScopeOffset):
1385         (JSC::SymbolTable::didUseVarOffset):
1386         (JSC::SymbolTable::scopeSize):
1387         (JSC::SymbolTable::nextScopeOffset):
1388         (JSC::SymbolTable::takeNextScopeOffset):
1389         (JSC::SymbolTable::add):
1390         (JSC::SymbolTable::set):
1391         (JSC::SymbolTable::argumentsLength):
1392         (JSC::SymbolTable::setArgumentsLength):
1393         (JSC::SymbolTable::argumentOffset):
1394         (JSC::SymbolTable::setArgumentOffset):
1395         (JSC::SymbolTable::arguments):
1396         (JSC::SlowArgument::SlowArgument): Deleted.
1397         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
1398         (JSC::SymbolTableEntry::getIndex): Deleted.
1399         (JSC::SymbolTableEntry::isValidIndex): Deleted.
1400         (JSC::SymbolTable::captureStart): Deleted.
1401         (JSC::SymbolTable::setCaptureStart): Deleted.
1402         (JSC::SymbolTable::captureEnd): Deleted.
1403         (JSC::SymbolTable::setCaptureEnd): Deleted.
1404         (JSC::SymbolTable::captureCount): Deleted.
1405         (JSC::SymbolTable::isCaptured): Deleted.
1406         (JSC::SymbolTable::parameterCount): Deleted.
1407         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
1408         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
1409         (JSC::SymbolTable::slowArguments): Deleted.
1410         (JSC::SymbolTable::setSlowArguments): Deleted.
1411         * runtime/VM.cpp:
1412         (JSC::VM::VM):
1413         * runtime/VM.h:
1414         * runtime/VarOffset.cpp: Added.
1415         (JSC::VarOffset::dump):
1416         (WTF::printInternal):
1417         * runtime/VarOffset.h: Added.
1418         (JSC::VarOffset::VarOffset):
1419         (JSC::VarOffset::assemble):
1420         (JSC::VarOffset::isValid):
1421         (JSC::VarOffset::operator!):
1422         (JSC::VarOffset::kind):
1423         (JSC::VarOffset::isStack):
1424         (JSC::VarOffset::isScope):
1425         (JSC::VarOffset::isDirectArgument):
1426         (JSC::VarOffset::stackOffsetUnchecked):
1427         (JSC::VarOffset::scopeOffsetUnchecked):
1428         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
1429         (JSC::VarOffset::stackOffset):
1430         (JSC::VarOffset::scopeOffset):
1431         (JSC::VarOffset::capturedArgumentsOffset):
1432         (JSC::VarOffset::rawOffset):
1433         (JSC::VarOffset::checkSanity):
1434         (JSC::VarOffset::operator==):
1435         (JSC::VarOffset::operator!=):
1436         (JSC::VarOffset::hash):
1437         (JSC::VarOffset::isHashTableDeletedValue):
1438         (JSC::VarOffsetHash::hash):
1439         (JSC::VarOffsetHash::equal):
1440         * tests/stress/arguments-exit-strict-mode.js: Added.
1441         * tests/stress/arguments-exit.js: Added.
1442         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
1443         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
1444         * tests/stress/arguments-inlined-exit.js: Added.
1445         * tests/stress/arguments-interference.js: Added.
1446         * tests/stress/arguments-interference-cfg.js: Added.
1447         * tests/stress/dead-get-closure-var.js: Added.
1448         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
1449         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
1450         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
1451         * tests/stress/varargs-closure-inlined-exit.js: Added.
1452         * tests/stress/varargs-exit.js: Added.
1453         * tests/stress/varargs-inlined-exit.js: Added.
1454         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
1455         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
1456         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
1457         * tests/stress/varargs-inlined-simple-exit.js: Added.
1458         * tests/stress/varargs-too-few-arguments.js: Added.
1459         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
1460         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
1461         * tests/stress/varargs-varargs-inlined-exit.js: Added.
1462
1463 2015-03-25  Andy Estes  <aestes@apple.com>
1464
1465         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
1466         https://bugs.webkit.org/show_bug.cgi?id=143068
1467
1468         Reviewed by Dan Bernstein.
1469
1470         * inspector/remote/RemoteInspectorXPCConnection.mm:
1471         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
1472
1473 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1474
1475         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
1476         https://bugs.webkit.org/show_bug.cgi?id=142993
1477
1478         Reviewed by Geoffrey Garen and Mark Lam.
1479         
1480         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
1481         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
1482         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
1483         failure, but also involves adding the same kind of thing to the stub generators in
1484         Repatch.
1485         
1486         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
1487         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
1488         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
1489         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
1490         printout.
1491         
1492         Also add a way of inducing executable allocation failure, so that we can test this.
1493
1494         * CMakeLists.txt:
1495         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1496         * JavaScriptCore.xcodeproj/project.pbxproj:
1497         * dfg/DFGJITCompiler.cpp:
1498         (JSC::DFG::JITCompiler::compile):
1499         (JSC::DFG::JITCompiler::compileFunction):
1500         (JSC::DFG::JITCompiler::link): Deleted.
1501         (JSC::DFG::JITCompiler::linkFunction): Deleted.
1502         * dfg/DFGJITCompiler.h:
1503         * dfg/DFGPlan.cpp:
1504         (JSC::DFG::Plan::compileInThreadImpl):
1505         * ftl/FTLCompile.cpp:
1506         (JSC::FTL::mmAllocateCodeSection):
1507         (JSC::FTL::mmAllocateDataSection):
1508         * ftl/FTLLink.cpp:
1509         (JSC::FTL::link):
1510         * ftl/FTLState.h:
1511         * jit/ArityCheckFailReturnThunks.cpp:
1512         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
1513         * jit/ExecutableAllocationFuzz.cpp: Added.
1514         (JSC::numberOfExecutableAllocationFuzzChecks):
1515         (JSC::doExecutableAllocationFuzzing):
1516         * jit/ExecutableAllocationFuzz.h: Added.
1517         (JSC::doExecutableAllocationFuzzingIfEnabled):
1518         * jit/ExecutableAllocatorFixedVMPool.cpp:
1519         (JSC::ExecutableAllocator::allocate):
1520         * jit/JIT.cpp:
1521         (JSC::JIT::privateCompile):
1522         * jit/JITCompilationEffort.h:
1523         * jit/Repatch.cpp:
1524         (JSC::generateByIdStub):
1525         (JSC::tryCacheGetByID):
1526         (JSC::tryBuildGetByIDList):
1527         (JSC::emitPutReplaceStub):
1528         (JSC::emitPutTransitionStubAndGetOldStructure):
1529         (JSC::tryCachePutByID):
1530         (JSC::tryBuildPutByIdList):
1531         (JSC::tryRepatchIn):
1532         (JSC::linkPolymorphicCall):
1533         * jsc.cpp:
1534         (jscmain):
1535         * runtime/Options.h:
1536         * runtime/TestRunnerUtils.h:
1537         * runtime/VM.cpp:
1538         * tests/executableAllocationFuzz: Added.
1539         * tests/executableAllocationFuzz.yaml: Added.
1540         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
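
        The following is an added example, not code from the entry above or from JavaScriptCore.
        It shows the shape of the technique the entry describes: an allocation path that takes an
        explicit effort, callers that pass CanFail and keep a real fallback, a MustSucceed path
        that crashes with a diagnostic instead of trying to recover, and a fuzz counter that fails
        the Nth allocation so a harness can sweep every failure point. All names here (FuzzConfig,
        allocateCode, compileWithFallback, countFallbacksAcrossFuzzPoints) are assumptions of
        the example, not JSC's API.

```cpp
// Added example, not JSC code: fault injection for an allocation path, modelled
// on the executable-allocation fuzzing described in the ChangeLog entry above.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <vector>

namespace alloc_fuzz_demo {

enum class CompilationEffort { CanFail, MustSucceed };
enum class Tier { Baseline, Optimized };

// Fuzz state: fail the Nth allocation check (0 disables injection). Assumed names.
struct FuzzConfig {
    unsigned failAtCheck = 0;
    unsigned checksSoFar = 0;
};

// Every allocation passes through here; exactly one check (the Nth) fails.
bool shouldFailThisAllocation(FuzzConfig& cfg)
{
    if (!cfg.failAtCheck)
        return false;
    return ++cfg.checksSoFar == cfg.failAtCheck;
}

struct CodeBuffer {
    std::vector<unsigned char> bytes;
};

// Allocation with an explicit effort. A CanFail caller gets nullptr and must
// have a fallback; a MustSucceed caller has no safe recovery path, so the
// failure is a loud crash with a diagnostic rather than an attempt at recovery
// the caller cannot tolerate at that point.
std::unique_ptr<CodeBuffer> allocateCode(FuzzConfig& cfg, size_t size, CompilationEffort effort)
{
    if (shouldFailThisAllocation(cfg)) {
        if (effort == CompilationEffort::MustSucceed) {
            std::fprintf(stderr, "FATAL: code allocation of %zu bytes failed with MustSucceed\n", size);
            std::abort();
        }
        return nullptr;
    }
    auto buffer = std::make_unique<CodeBuffer>();
    buffer->bytes.resize(size);
    return buffer;
}

// An optimizing "compile" that asks for CanFail and falls back to the baseline
// tier instead of crashing when the allocation is refused.
Tier compileWithFallback(FuzzConfig& cfg, size_t codeSize)
{
    std::unique_ptr<CodeBuffer> code = allocateCode(cfg, codeSize, CompilationEffort::CanFail);
    if (!code)
        return Tier::Baseline;
    return Tier::Optimized;
}

// Mirrors how a fuzz harness sweeps fuzz points: run the same workload (here,
// three compiles) once per failAtCheck value and count how often the fallback
// path was exercised. Each value up to the number of allocations hits the
// fallback exactly once; larger values never trigger an injected failure.
unsigned countFallbacksAcrossFuzzPoints(unsigned maxFuzzPoint)
{
    unsigned fallbacks = 0;
    for (unsigned fuzzPoint = 1; fuzzPoint <= maxFuzzPoint; ++fuzzPoint) {
        FuzzConfig cfg;
        cfg.failAtCheck = fuzzPoint;
        for (int i = 0; i < 3; ++i) {
            if (compileWithFallback(cfg, 4096) == Tier::Baseline)
                ++fallbacks;
        }
    }
    return fallbacks;
}

} // namespace alloc_fuzz_demo
```

        The sweep is the point of the fuzz counter: a single run only proves that one allocation
        site tolerates failure, while running the workload once per fuzz point checks every
        allocation on the path in turn.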
1541
1542 2015-03-25  Mark Lam  <mark.lam@apple.com>
1543
1544         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
1545         <https://webkit.org/b/135719>
1546
1547         Reviewed by Geoffrey Garen.
1548
1549         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
1550         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
1551         update the LLINT to access it as such.
1552
1553         The issue has only manifested so far on the CLoop tests because those are LLINT
1554         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
1555         hiding the bug in the LLINT.
1556
1557         * API/JSContextRef.cpp:
1558         (createWatchdogIfNeeded):
1559         (JSContextGroupSetExecutionTimeLimit):
1560         (JSContextGroupClearExecutionTimeLimit):
1561         * llint/LowLevelInterpreter.asm:
1562
1563 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1564
1565         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
1566
1567         Rubber stamped by Geoffrey Garen.
1568
1569         * bytecode/CodeBlock.cpp:
1570         (JSC::CodeBlock::visitAggregate):
1571
1572 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
1573
1574         Fix formatting in BuiltinExecutables
1575         https://bugs.webkit.org/show_bug.cgi?id=143061
1576
1577         Reviewed by Ryosuke Niwa.
1578
1579         * builtins/BuiltinExecutables.cpp:
1580         (JSC::BuiltinExecutables::createExecutableInternal):
1581
1582 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
1583
1584         ES6: Classes: Program level class statement throws exception in strict mode
1585         https://bugs.webkit.org/show_bug.cgi?id=143038
1586
1587         Reviewed by Ryosuke Niwa.
1588
1589         Classes expose a name to the current lexical environment. This treats
1590         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
1591         Also, improve error messages for class statements where the class is missing a name.
1592
1593         * parser/Parser.h:
1594         * parser/Parser.cpp:
1595         (JSC::Parser<LexerType>::parseClass):
1596         Fill name in info parameter if needed. Better error message if name is needed and missing.
1597
1598         (JSC::Parser<LexerType>::parseClassDeclaration):
1599         Pass info parameter to get name, and expose the name as a variable name.
1600
1601         (JSC::Parser<LexerType>::parsePrimaryExpression):
1602         Pass info parameter that is ignored.
1603
1604         * parser/ParserFunctionInfo.h:
1605         Add a parser info for class, to extract the name.
1606
1607 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1608
1609         New map and set modification tests in r181922 fails
1610         https://bugs.webkit.org/show_bug.cgi?id=143031
1611
1612         Reviewed and tweaked by Geoffrey Garen.
1613
1614         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
1615         to adjust for the packed backing store.
1616
1617         Consider the following map data.
1618
1619         x: deleted, o: exists
1620         0 1 2 3 4
1621         x x x x o
1622
1623         And iterator with m_index 3.
1624
1625         When packing the map data, map data will become,
1626
1627         0
1628         o
1629
1630         At that time, we perform didRemoveEntry 4 times on iterators.
1631         times => m_index/index/result
1632         1 => 3/0/dec
1633         2 => 2/1/dec
1634         3 => 1/2/nothing
1635         4 => 1/3/nothing
1636
1637         After iteration, the iterator's m_index becomes 1, but we expected it to become 0.
1638         This is because we compare the decremented m_index against the provided deletedIndex,
1639         which is an index into the old storage, while m_index is an index into the partially packed storage.
1640
1641         In this patch, we compare against the packed index instead.
1642         times => m_index/packedIndex/result
1643         1 => 3/0/dec
1644         2 => 2/0/dec
1645         3 => 1/0/dec
1646         4 => 0/0/nothing
1647
1648         So m_index becomes 0 as expected.
1649
1650         And according to the spec, once the iterator is closed (becomes done: true),
1651         its internal [[Map]]/[[Set]] is set to undefined.
1652         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
1653
1654         In this patch, we change 2 things.
1655         1.
1656         Compare an iterator's index against the packed index when removing an entry.
1657
1658         2.
1659         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
1660
1661         * runtime/MapData.h:
1662         (JSC::MapDataImpl::IteratorData::finish):
1663         (JSC::MapDataImpl::IteratorData::isFinished):
1664         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
1665         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
1666         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
1667         * runtime/MapDataInlines.h:
1668         (JSC::JSIterator>::replaceAndPackBackingStore):
1669         * tests/stress/modify-map-during-iteration.js:
1670         * tests/stress/modify-set-during-iteration.js:
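
        The following is an added example, not code from the entry above or from JavaScriptCore.
        It models the backing-store packing just described with a small stand-in for
        MapDataImpl::IteratorData: the old comparison against the deleted entry's index in the
        old storage, the fixed comparison against the packed index, and the rule that a closed
        iterator is never revived. The names (Entry, pack, indexAfterPacking), the use of a
        plain int for m_index and the -1 sentinel for a finished iterator are assumptions of the
        model, not JSC's representation.

```cpp
// Added example, not JSC code: a model of Map/Set backing-store packing and the
// iterator-index adjustment described in the ChangeLog entry above.
#include <cstddef>
#include <vector>

namespace packing_demo {

struct Entry {
    int key;
    bool deleted;
};

// Stand-in for MapDataImpl::IteratorData. m_index is the slot the iterator will
// look at next; -1 models a closed ("done: true") iterator. (Modelling assumption.)
struct IteratorData {
    int m_index = 0;

    void finish() { m_index = -1; }
    bool isFinished() const { return m_index == -1; }

    // Old adjustment: compares against the deleted entry's index in the OLD
    // storage, although m_index has already been shifted toward the new layout.
    void didRemoveEntryOld(int deletedIndexInOldStorage)
    {
        if (m_index > deletedIndexInOldStorage)
            --m_index;
    }

    // Fixed adjustment: compares against the packed index (the slot the next
    // surviving entry will be written to) and leaves closed iterators alone.
    void didRemoveEntry(int packedIndex)
    {
        if (isFinished())
            return;
        if (m_index > packedIndex)
            --m_index;
    }

    // Called when the whole store is cleared: an open iterator restarts at 0,
    // a closed one stays closed instead of being revived.
    void didRemoveAllEntries()
    {
        if (!isFinished())
            m_index = 0;
    }
};

// Builds the packed store (deleted entries dropped) and adjusts every live
// iterator as each deleted slot is skipped. useFixedComparison selects the
// fixed or the old behaviour so both can be compared on the same input.
std::vector<Entry> pack(const std::vector<Entry>& store,
                        std::vector<IteratorData*>& iterators,
                        bool useFixedComparison)
{
    std::vector<Entry> packed;
    for (size_t i = 0; i < store.size(); ++i) {
        const Entry& e = store[i];
        if (e.deleted) {
            for (IteratorData* it : iterators) {
                if (useFixedComparison)
                    it->didRemoveEntry(static_cast<int>(packed.size()));
                else
                    it->didRemoveEntryOld(static_cast<int>(i));
            }
            continue;
        }
        packed.push_back(e);
    }
    return packed;
}

// The entry's scenario: slots 0..3 deleted, slot 4 live, iterator at m_index 3.
// Returns the iterator's index after packing (1 with the old comparison,
// 0 with the fixed one, which is where the only surviving entry now lives).
int indexAfterPacking(bool useFixedComparison)
{
    std::vector<Entry> store = {
        {10, true}, {11, true}, {12, true}, {13, true}, {14, false}
    };
    IteratorData it;
    it.m_index = 3;
    std::vector<IteratorData*> iterators = { &it };
    pack(store, iterators, useFixedComparison);
    return it.m_index;
}

// Clearing the store must not revive an iterator that already reported done.
int indexAfterClear(bool iteratorWasClosed)
{
    IteratorData it;
    it.m_index = 3;
    if (iteratorWasClosed)
        it.finish();
    it.didRemoveAllEntries();
    return it.m_index;
}

} // namespace packing_demo
```

        The second helper covers the entry's second change: once an iterator has been closed,
        a later clear() or pack must not reset it to index 0.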
1671
1672 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1673
1674         Setter should have a single formal parameter, Getter no parameters
1675         https://bugs.webkit.org/show_bug.cgi?id=142903
1676
1677         Reviewed by Geoffrey Garen.
1678
1679         * parser/Parser.cpp:
1680         (JSC::Parser<LexerType>::parseFunctionInfo):
1681         Enforce no parameters for getters and a single parameter
1682         for setters, with informational error messages.
1683
1684 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1685
1686         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
1687         https://bugs.webkit.org/show_bug.cgi?id=143012
1688
1689         Reviewed by Ryosuke Niwa.
1690
1691         * bytecompiler/BytecodeGenerator.cpp:
1692         (JSC::BytecodeGenerator::emitReturn):
1693         Fix handling of "undefined" when returned from a Derived class. It was
1694         returning "undefined" when it should have returned "this".
1695
1696 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1697
1698         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
1699         https://bugs.webkit.org/show_bug.cgi?id=142696
1700
1701         Reviewed and tweaked by Geoffrey Garen.
1702
1703         Before r142556, JSSetIterator::destroy was not defined.
1704         So accidentally MapData::const_iterator in JSSet was never destroyed.
1705         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
1706
1707         After r142556, JSSetIterator::destroy works.
1708         It correctly destructs MapData::const_iterator and m_iteratorCount partially works.
1709         But JSSetIterator::~JSSetIterator requires owned JSSet since it mutates MapData->m_iteratorCount.
1710
1711         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
1712         and marks it in visitChildren (WriteBarrier<Unknown>).
1713         However, the order of destructions is not guaranteed in GC-ed system.
1714
1715         Consider the following case:
1716         allocate JSSet and subsequently allocate JSSetIterator.
1717         They reside in separate MarkedBlocks, <1> and <2>.
1718
1719         JSSet<1> <- JSSetIterator<2>
1720
1721         And after that, when performing GC, Marker decides that the above 2 objects are not marked.
1722         And Marker also decides MarkedBlocks <1> and <2> can be swept.
1723 
1724         First, Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
1725         Second, Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
1726         However, JSSetIterator<2>'s destructor,
1727         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.
1728
1729         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
1730         When packing the removed elements in JSSet/JSMap, we apply the change to all live
1731         iterators tracked by WeakGCMap.
1732
1733         WeakGCMap can only track JSCell since they are managed by GC.
1734         So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
1735         introduces JS style iterator signatures into C++ class IteratorData.
1736         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
1737         IteratorData directly.
1738
1739         * runtime/JSMap.cpp:
1740         (JSC::JSMap::destroy):
1741         * runtime/JSMap.h:
1742         (JSC::JSMap::JSMap):
1743         (JSC::JSMap::begin): Deleted.
1744         (JSC::JSMap::end): Deleted.
1745         * runtime/JSMapIterator.cpp:
1746         (JSC::JSMapIterator::destroy):
1747         * runtime/JSMapIterator.h:
1748         (JSC::JSMapIterator::next):
1749         (JSC::JSMapIterator::nextKeyValue):
1750         (JSC::JSMapIterator::iteratorData):
1751         (JSC::JSMapIterator::JSMapIterator):
1752         * runtime/JSSet.cpp:
1753         (JSC::JSSet::destroy):
1754         * runtime/JSSet.h:
1755         (JSC::JSSet::JSSet):
1756         (JSC::JSSet::begin): Deleted.
1757         (JSC::JSSet::end): Deleted.
1758         * runtime/JSSetIterator.cpp:
1759         (JSC::JSSetIterator::destroy):
1760         * runtime/JSSetIterator.h:
1761         (JSC::JSSetIterator::next):
1762         (JSC::JSSetIterator::iteratorData):
1763         (JSC::JSSetIterator::JSSetIterator):
1764         * runtime/MapData.h:
1765         (JSC::MapDataImpl::IteratorData::finish):
1766         (JSC::MapDataImpl::IteratorData::isFinished):
1767         (JSC::MapDataImpl::shouldPack):
1768         (JSC::JSIterator>::MapDataImpl):
1769         (JSC::JSIterator>::KeyType::KeyType):
1770         (JSC::JSIterator>::IteratorData::IteratorData):
1771         (JSC::JSIterator>::IteratorData::next):
1772         (JSC::JSIterator>::IteratorData::ensureSlot):
1773         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
1774         (JSC::JSIterator>::IteratorData::refreshCursor):
1775         (JSC::MapDataImpl::const_iterator::key): Deleted.
1776         (JSC::MapDataImpl::const_iterator::value): Deleted.
1777         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
1778         (JSC::MapDataImpl::const_iterator::finish): Deleted.
1779         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
1780         (JSC::MapDataImpl::begin): Deleted.
1781         (JSC::MapDataImpl::end): Deleted.
1782         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
1783         (JSC::MapDataImpl<Entry>::clear): Deleted.
1784         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
1785         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
1786         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
1787         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
1788         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
1789         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
1790         (JSC::=): Deleted.
1791         * runtime/MapDataInlines.h:
1792         (JSC::JSIterator>::clear):
1793         (JSC::JSIterator>::find):
1794         (JSC::JSIterator>::contains):
1795         (JSC::JSIterator>::add):
1796         (JSC::JSIterator>::set):
1797         (JSC::JSIterator>::get):
1798         (JSC::JSIterator>::remove):
1799         (JSC::JSIterator>::replaceAndPackBackingStore):
1800         (JSC::JSIterator>::replaceBackingStore):
1801         (JSC::JSIterator>::ensureSpaceForAppend):
1802         (JSC::JSIterator>::visitChildren):
1803         (JSC::JSIterator>::copyBackingStore):
1804         (JSC::JSIterator>::applyMapDataPatch):
1805         (JSC::MapDataImpl<Entry>::find): Deleted.
1806         (JSC::MapDataImpl<Entry>::contains): Deleted.
1807         (JSC::MapDataImpl<Entry>::add): Deleted.
1808         (JSC::MapDataImpl<Entry>::set): Deleted.
1809         (JSC::MapDataImpl<Entry>::get): Deleted.
1810         (JSC::MapDataImpl<Entry>::remove): Deleted.
1811         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
1812         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
1813         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
1814         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
1815         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
1816         * runtime/MapPrototype.cpp:
1817         (JSC::mapProtoFuncForEach):
1818         * runtime/SetPrototype.cpp:
1819         (JSC::setProtoFuncForEach):
1820         * runtime/WeakGCMap.h:
1821         (JSC::WeakGCMap::forEach):
1822         * tests/stress/modify-map-during-iteration.js: Added.
1823         (testValue):
1824         (identityPairs):
1825         (.set if):
1826         (var):
1827         (set map):
1828         * tests/stress/modify-set-during-iteration.js: Added.
1829         (testValue):
1830         (set forEach):
1831         (set delete):
1832
1833 2015-03-24  Mark Lam  <mark.lam@apple.com>
1834
1835         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
1836         <https://webkit.org/b/143024>
1837
1838         Reviewed by Geoffrey Garen.
1839
1840         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
1841         passed in from testapi.c.  It should create its own for better
1842         encapsulation of the test.
1843
1844         * API/tests/ExecutionTimeLimitTest.cpp:
1845         (currentCPUTimeAsJSFunctionCallback):
1846         (testExecutionTimeLimit):
1847         * API/tests/ExecutionTimeLimitTest.h:
1848         * API/tests/testapi.c:
1849         (main):
1850
1851 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1852
1853         ES6: Object Literal Methods toString is missing method name
1854         https://bugs.webkit.org/show_bug.cgi?id=142992
1855
1856         Reviewed by Geoffrey Garen.
1857
1858         Always stringify functions in the pattern:
1859
1860           "function " + <function name> + <text from opening parenthesis to closing brace>.
1861
1862         * runtime/FunctionPrototype.cpp:
1863         (JSC::functionProtoFuncToString):
1864         Update the path that was not stringifying in this pattern.
1865
1866         * bytecode/UnlinkedCodeBlock.cpp:
1867         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1868         * bytecode/UnlinkedCodeBlock.h:
1869         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
1870         * parser/Nodes.h:
1871         * runtime/Executable.cpp:
1872         (JSC::FunctionExecutable::FunctionExecutable):
1873         * runtime/Executable.h:
1874         (JSC::FunctionExecutable::parametersStartOffset):
1875         Pass the already known function parameter opening parenthesis
1876         start offset through to the FunctionExecutable. 
1877
1878         * tests/mozilla/js1_5/Scope/regress-185485.js:
1879         (with.g):
1880         Add back original space in this test that was removed by r181810
1881         now that we have the space again in stringification.
1882
1883 2015-03-24  Michael Saboff  <msaboff@apple.com>
1884
1885         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
1886         https://bugs.webkit.org/show_bug.cgi?id=142856
1887
1888         Reviewed by Filip Pizlo.
1889
1890         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
1891         get info for three loops to iterate over indexed properties, structure properties and other properties,
1892         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
1893         for all loops before we execute any enumeration.
1894
1895         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
1896         The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
        and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
1898
1899         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
1900         op_next_enumerator_pname.
1901         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
1902         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
1903         end value we stop iterating on.
1904
1905         Made corresponding node changes to the DFG and FTL for the bytecode changes.
1906
1907         * bytecode/BytecodeList.json:
1908         * bytecode/BytecodeUseDef.h:
1909         (JSC::computeUsesForBytecodeOffset):
1910         (JSC::computeDefsForBytecodeOffset):
1911         * bytecode/CodeBlock.cpp:
1912         (JSC::CodeBlock::dumpBytecode):
1913         * bytecompiler/BytecodeGenerator.cpp:
1914         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
1915         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
1916         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
1917         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
1918         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
1919         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
1920         * bytecompiler/BytecodeGenerator.h:
1921         * bytecompiler/NodesCodegen.cpp:
1922         (JSC::ForInNode::emitMultiLoopBytecode):
1923         * dfg/DFGAbstractInterpreterInlines.h:
1924         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1925         * dfg/DFGByteCodeParser.cpp:
1926         (JSC::DFG::ByteCodeParser::parseBlock):
1927         * dfg/DFGCapabilities.cpp:
1928         (JSC::DFG::capabilityLevel):
1929         * dfg/DFGClobberize.h:
1930         (JSC::DFG::clobberize):
1931         * dfg/DFGDoesGC.cpp:
1932         (JSC::DFG::doesGC):
1933         * dfg/DFGFixupPhase.cpp:
1934         (JSC::DFG::FixupPhase::fixupNode):
1935         * dfg/DFGNodeType.h:
1936         * dfg/DFGPredictionPropagationPhase.cpp:
1937         (JSC::DFG::PredictionPropagationPhase::propagate):
1938         * dfg/DFGSafeToExecute.h:
1939         (JSC::DFG::safeToExecute):
1940         * dfg/DFGSpeculativeJIT32_64.cpp:
1941         (JSC::DFG::SpeculativeJIT::compile):
1942         * dfg/DFGSpeculativeJIT64.cpp:
1943         (JSC::DFG::SpeculativeJIT::compile):
1944         * ftl/FTLAbstractHeapRepository.h:
1945         * ftl/FTLCapabilities.cpp:
1946         (JSC::FTL::canCompile):
1947         * ftl/FTLLowerDFGToLLVM.cpp:
1948         (JSC::FTL::LowerDFGToLLVM::compileNode):
1949         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
1950         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
1951         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
1952         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
1953         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
1954         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
1955         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
1956         * jit/JIT.cpp:
1957         (JSC::JIT::privateCompileMainPass):
1958         * jit/JIT.h:
1959         * jit/JITOpcodes.cpp:
1960         (JSC::JIT::emit_op_enumerator_structure_pname):
1961         (JSC::JIT::emit_op_enumerator_generic_pname):
1962         (JSC::JIT::emit_op_get_property_enumerator):
1963         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
1964         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
1965         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
1966         * jit/JITOpcodes32_64.cpp:
1967         (JSC::JIT::emit_op_enumerator_structure_pname):
1968         (JSC::JIT::emit_op_enumerator_generic_pname):
1969         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
1970         * jit/JITOperations.cpp:
1971         * jit/JITOperations.h:
1972         * llint/LowLevelInterpreter.asm:
1973         * runtime/CommonSlowPaths.cpp:
1974         (JSC::SLOW_PATH_DECL):
1975         * runtime/CommonSlowPaths.h:
1976         * runtime/JSPropertyNameEnumerator.cpp:
1977         (JSC::JSPropertyNameEnumerator::create):
1978         (JSC::JSPropertyNameEnumerator::finishCreation):
1979         * runtime/JSPropertyNameEnumerator.h:
1980         (JSC::JSPropertyNameEnumerator::indexedLength):
1981         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
1982         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
1983         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
1984         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
1985         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
1986         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
1987         (JSC::propertyNameEnumerator):
1988         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
1989         (JSC::structurePropertyNameEnumerator): Deleted.
1990         (JSC::genericPropertyNameEnumerator): Deleted.
1991         * runtime/Structure.cpp:
1992         (JSC::Structure::setCachedPropertyNameEnumerator):
1993         (JSC::Structure::cachedPropertyNameEnumerator):
1994         (JSC::Structure::canCachePropertyNameEnumerator):
1995         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
1996         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
1997         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
1998         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
1999         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
2000         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
2001         * runtime/Structure.h:
2002         * runtime/StructureRareData.cpp:
2003         (JSC::StructureRareData::visitChildren):
2004         (JSC::StructureRareData::cachedPropertyNameEnumerator):
2005         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
2006         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
2007         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
2008         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
2009         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
2010         * runtime/StructureRareData.h:
2011         * tests/stress/for-in-delete-during-iteration.js:
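
Added example, not JavaScriptCore code: a JavaScript model of the single JSPropertyNameEnumerator this entry describes. All property information is gathered once, before any loop runs, into one record holding an indexed-property count and one list of names split at endStructurePropertyIndex and endGenericPropertyIndex; the three loops then run off that snapshot. The classification used here is an assumption made for the example: own string-keyed properties stand in for "structure" properties and prototype-chain properties for "generic" ones, which approximates JSC's own split. The sample object and the add/delete-during-iteration loop body are constructed.

```javascript
// Added example (not JSC code): one snapshot, three loops.
//   indexedLength                                              indexed properties (counted only)
//   names[0, endStructurePropertyIndex)                        structure properties
//   names[endStructurePropertyIndex, endGenericPropertyIndex)  generic properties

function isArrayIndex(key) {
  // A canonical numeric string in [0, 2^32 - 2] is an array index.
  const n = Number(key);
  return String(n) === key && Number.isInteger(n) && n >= 0 && n < 4294967295;
}

function createPropertyEnumerator(object) {
  let indexedLength = 0;
  const names = [];
  // Own enumerable properties: indices are only counted, names are listed.
  for (const key of Object.keys(object)) {
    if (isArrayIndex(key)) indexedLength = Math.max(indexedLength, Number(key) + 1);
    else names.push(key);
  }
  const endStructurePropertyIndex = names.length;
  // Enumerable names on the prototype chain (approximation of "generic";
  // indexed prototype properties are ignored for simplicity).
  for (let proto = Object.getPrototypeOf(object); proto !== null; proto = Object.getPrototypeOf(proto)) {
    for (const key of Object.keys(proto)) {
      if (!isArrayIndex(key) && !names.includes(key)) names.push(key);
    }
  }
  const endGenericPropertyIndex = names.length;
  return { indexedLength, names, endStructurePropertyIndex, endGenericPropertyIndex };
}

// The three loops, driven by the one snapshot. A name deleted after the
// snapshot is skipped by the `in` check; a name added after the snapshot is
// never visited, which is the behaviour the regression above had broken.
function forInKeys(object, visit) {
  const e = createPropertyEnumerator(object);
  for (let i = 0; i < e.indexedLength; i++) {
    if (String(i) in object) visit(String(i));
  }
  for (let i = 0; i < e.endStructurePropertyIndex; i++) {
    if (e.names[i] in object) visit(e.names[i]);
  }
  for (let i = e.endStructurePropertyIndex; i < e.endGenericPropertyIndex; i++) {
    if (e.names[i] in object) visit(e.names[i]);
  }
  return e;
}

// Constructed sample: the loop body both adds and deletes properties.
function sampleRun() {
  const o = Object.create({ inherited: 1 });
  o.a = 1;
  o.b = 2;
  o[0] = "x";
  o[2] = "z";
  const seen = [];
  forInKeys(o, (key) => {
    seen.push(key);
    o["added_" + key] = true; // added during the loop: must not be enumerated
    delete o.b;               // deleted during the loop: must be skipped
  });
  return seen;                // ["0", "2", "a", "inherited"]
}
```

The index "1" is a hole in the sample object, so the indexed loop's `in` check skips it the same way it skips the deleted "b"; nothing added inside the callback is ever visited because the snapshot was complete before the first loop started.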
2012
2013 2015-03-24  Michael Saboff  <msaboff@apple.com>
2014
2015         Unreviewed build fix for debug builds.
2016
2017         * runtime/ExceptionHelpers.cpp:
2018         (JSC::invalidParameterInSourceAppender):
2019
2020 2015-03-24  Saam Barati  <saambarati1@gmail.com>
2021
2022         Improve error messages in JSC
2023         https://bugs.webkit.org/show_bug.cgi?id=141869
2024
2025         Reviewed by Geoffrey Garen.
2026
2027         JavaScriptCore has some unintuitive error messages associated
2028         with certain common errors. This patch changes some specific
2029         error messages to be more understandable and also creates a
2030         mechanism that will allow for easy modification of error messages
2031         in the future. The specific errors we change are not a function
2032         errors and invalid parameter errors.
2033
2034         * CMakeLists.txt:
2035         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2036         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2037         * JavaScriptCore.xcodeproj/project.pbxproj:
2038         * interpreter/Interpreter.cpp:
2039         (JSC::sizeOfVarargs):
2040         * jit/JITOperations.cpp:
2041         op_throw_static_error always has a JSString as its argument.
2042         There is no need to dance around this, and we should assert
        that this always holds. This JSString represents the error
2044         message we want to display to the user, so there is no need
2045         to pass it into errorDescriptionForValue which will now place
2046         quotes around the string.
2047
2048         * llint/LLIntSlowPaths.cpp:
2049         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2050         * runtime/CommonSlowPaths.h:
2051         (JSC::CommonSlowPaths::opIn):
2052         * runtime/ErrorInstance.cpp:
2053         (JSC::ErrorInstance::ErrorInstance):
2054         * runtime/ErrorInstance.h:
2055         (JSC::ErrorInstance::hasSourceAppender):
2056         (JSC::ErrorInstance::sourceAppender):
2057         (JSC::ErrorInstance::setSourceAppender):
2058         (JSC::ErrorInstance::clearSourceAppender):
2059         (JSC::ErrorInstance::setRuntimeTypeForCause):
2060         (JSC::ErrorInstance::runtimeTypeForCause):
2061         (JSC::ErrorInstance::clearRuntimeTypeForCause):
2062         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
2063         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
2064         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
2065         * runtime/ExceptionHelpers.cpp:
2066         (JSC::errorDescriptionForValue):
2067         (JSC::defaultApproximateSourceError):
2068         (JSC::defaultSourceAppender):
2069         (JSC::functionCallBase):
2070         (JSC::notAFunctionSourceAppender):
2071         (JSC::invalidParameterInSourceAppender):
2072         (JSC::invalidParameterInstanceofSourceAppender):
2073         (JSC::createError):
2074         (JSC::createInvalidFunctionApplyParameterError):
2075         (JSC::createInvalidInParameterError):
2076         (JSC::createInvalidInstanceofParameterError):
2077         (JSC::createNotAConstructorError):
2078         (JSC::createNotAFunctionError):
2079         (JSC::createNotAnObjectError):
2080         (JSC::createInvalidParameterError): Deleted.
2081         * runtime/ExceptionHelpers.h:
2082         * runtime/JSObject.cpp:
2083         (JSC::JSObject::hasInstance):
2084         * runtime/RuntimeType.cpp: Added.
2085         (JSC::runtimeTypeForValue):
2086         (JSC::runtimeTypeAsString):
2087         * runtime/RuntimeType.h: Added.
2088         * runtime/TypeProfilerLog.cpp:
2089         (JSC::TypeProfilerLog::processLogEntries):
2090         * runtime/TypeSet.cpp:
2091         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
2092         * runtime/TypeSet.h:
2093         * runtime/VM.cpp:
2094         (JSC::appendSourceToError):
2095         (JSC::VM::throwException):
2096
2097 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
2098
2099         JSC should have a low-cost asynchronous disassembler
2100         https://bugs.webkit.org/show_bug.cgi?id=142997
2101
2102         Reviewed by Mark Lam.
2103         
2104         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
2105         doesn't block execution. Some code will live a little longer because of this, since the
2106         work tasks hold a ref to the code, but other than that there is basically no overhead.
2107         
2108         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
2109         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
2110         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
2111         JSC_asyncDisassembly has bizarre behavior - so just choose one.
2112         
2113         A simple way of understanding how great this is, is to run a small benchmark like
2114         V8Spider/earley-boyer.
2115         
2116         Performance without any disassembly flags: 60ms
2117         Performance with JSC_showDisassembly=true: 477ms
2118         Performance with JSC_asyncDisassembly=true: 65ms
2119         
2120         So, the overhead of disassembly goes from 8x to 8%.
2121         
2122         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
2123         measuring benchmark performance. This is because at VM exit, we wait for all async
2124         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
2125         after the benchmark completely finishes to finish the disassemblies. This small weirdness
2126         should be OK for the intended use-cases, since all you have to do to get around it is to
2127         measure the execution time of the benchmark payload rather than the end-to-end time of
2128         launching the VM.
2129
2130         * assembler/LinkBuffer.cpp:
2131         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2132         * assembler/LinkBuffer.h:
2133         (JSC::LinkBuffer::wasAlreadyDisassembled):
2134         (JSC::LinkBuffer::didAlreadyDisassemble):
2135         * dfg/DFGJITCompiler.cpp:
2136         (JSC::DFG::JITCompiler::disassemble):
2137         * dfg/DFGJITFinalizer.cpp:
2138         (JSC::DFG::JITFinalizer::finalize):
2139         (JSC::DFG::JITFinalizer::finalizeFunction):
2140         * disassembler/Disassembler.cpp:
2141         (JSC::disassembleAsynchronously):
2142         (JSC::waitForAsynchronousDisassembly):
2143         * disassembler/Disassembler.h:
2144         * ftl/FTLCompile.cpp:
2145         (JSC::FTL::mmAllocateDataSection):
2146         * ftl/FTLLink.cpp:
2147         (JSC::FTL::link):
2148         * jit/JIT.cpp:
2149         (JSC::JIT::privateCompile):
2150         * jsc.cpp:
2151         * runtime/Options.h:
2152         * runtime/VM.cpp:
2153         (JSC::VM::~VM):
2154
2155 2015-03-23  Dean Jackson  <dino@apple.com>
2156
2157         ES7: Implement Array.prototype.includes
2158         https://bugs.webkit.org/show_bug.cgi?id=142707
2159
2160         Reviewed by Geoffrey Garen.
2161
2162         Add support for the ES7 includes method on Arrays.
2163         https://github.com/tc39/Array.prototype.includes
2164
2165         * builtins/Array.prototype.js:
2166         (includes): Implementation in JS.
2167         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
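
Added example, not the builtin in builtins/Array.prototype.js: a stand-alone JavaScript implementation of the ES7 Array.prototype.includes algorithm, written step by step so the points where it differs from indexOf are visible: comparison by SameValueZero (so NaN is found), holes read as undefined, and a negative fromIndex counted from the end. The sample array and the list of cases are constructed; agreesWithNative cross-checks the model against the engine's own includes.

```javascript
// Added example (not JSC's builtin): Array.prototype.includes per the proposal.

function sameValueZero(x, y) {
  // Like ===, except NaN equals NaN (and, as with ===, +0 equals -0).
  if (typeof x === "number" && typeof y === "number") {
    return x === y || (Number.isNaN(x) && Number.isNaN(y));
  }
  return x === y;
}

function toInteger(value) {
  const n = Number(value);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

function arrayIncludes(arrayLike, searchElement, fromIndex) {
  const o = Object(arrayLike);                                // works on any array-like
  const len = Math.min(Math.max(toInteger(o.length), 0), Number.MAX_SAFE_INTEGER); // ToLength
  if (len === 0) return false;
  const n = toInteger(fromIndex);                             // undefined -> 0
  let k = n >= 0 ? n : Math.max(len + n, 0);                  // negative counts from the end
  for (; k < len; k++) {
    if (sameValueZero(o[k], searchElement)) return true;      // a hole reads as undefined
  }
  return false;
}

// Cross-check against the engine's Array.prototype.includes on constructed cases.
function agreesWithNative() {
  const a = [1, NaN, , 3, -0];                                // index 2 is a hole
  const cases = [[NaN], [undefined], [1, -3], [3, -1], [0], [3, 99], [1, -99], ["3"]];
  return cases.every(([v, from]) => arrayIncludes(a, v, from) === a.includes(v, from));
}
```

indexOf uses strict equality and skips holes, so `[NaN].indexOf(NaN)` is -1 and `[ , ].indexOf(undefined)` is -1, whereas includes answers true in both cases; that difference is what the SameValueZero comparison and the plain `o[k]` read above encode.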
2168
2169 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2170
2171         __defineGetter__/__defineSetter__ should throw exceptions
2172         https://bugs.webkit.org/show_bug.cgi?id=142934
2173
2174         Reviewed by Geoffrey Garen.
2175
2176         * runtime/ObjectPrototype.cpp:
2177         (JSC::objectProtoFuncDefineGetter):
2178         (JSC::objectProtoFuncDefineSetter):
2179         Throw exceptions when these functions are used directly.
2180
2181 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2182
2183         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
2184         https://bugs.webkit.org/show_bug.cgi?id=142952
2185
2186         Reviewed by Geoffrey Garen.
2187
2188         * runtime/Structure.cpp:
2189         (JSC::PropertyTable::checkConsistency):
2190         The check offset method doesn't exist in PropertyTable, it exists in Structure.
2191
2192         (JSC::Structure::checkConsistency):
2193         So move it here, and always put it at the start to match normal behavior.
2194
2195 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2196
2197         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
2198         https://bugs.webkit.org/show_bug.cgi?id=142956
2199
2200         Rubber stamped by Gyuyoung Kim.
2201         
2202         Just removing dead code.
2203
2204         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2205         * JavaScriptCore.xcodeproj/project.pbxproj:
2206         * dfg/DFGOSRExit.h:
2207         * dfg/DFGOSRExitCompiler.cpp:
2208         * dfg/DFGValueRecoveryOverride.h: Removed.
2209
2210 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2211
2212         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
2213         https://bugs.webkit.org/show_bug.cgi?id=142948
2214
2215         Reviewed by Sam Weinig.
2216         
2217         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
2218         since a signal may clobber the area below the stack pointer. When the DFG is executing,
2219         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
2220         baseline, we will use a different amount of stack. This is because baseline is a different
2221         compiler. It will make different decisions. So it will use a different amount of stack.
2222         
2223         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
2224         incrementally transforming the stack from how it looked in the DFG to how it will look in
2225         baseline. The most conservative approach would be to set the stack pointer to the max of
2226         DFG and baseline.
2227         
2228         When this code was written, a reckless assumption was made: that the stack usage in
2229         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
2230         assumption, the code first adjusts the stack pointer to account for the baseline stack
2231         usage. This sort of usually works, because usually baseline does happen to use more stack.
2232         But that's not an invariant. Nobody guarantees this. We will never make any changes that
2233         would make this be guaranteed, because that would be antithetical to how optimizing
2234         compilers work. The DFG should be allowed to use however much stack it decides that it
2235         should use in order to get good performance, and it shouldn't try to guarantee that it
2236         always uses less stack than baseline.
2237         
2238         As such, we must always assume that the frame size for DFG execution (i.e.
2239         frameRegisterCount) and the frame size in baseline once we exit (i.e.
2240         requiredRegisterCountForExit) are two independent quantities and they have no
2241         relationship.
2242         
2243         Fortunately, though, this code can be made correct by just moving the stack adjustment to
2244         just before we do conversions. This is because we have since changed the OSR exit
2245         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
2246         drop it out of the scratch buffer and into the stack according to the baseline layout. The
2247         point just before conversions is the point where we have finished reading the DFG frame
2248         and will not read it anymore, and we haven't started writing the baseline frame. So, at
2249         this point it is safe to set the stack pointer to account for the frame size at exit.
2250         
2251         This is benign because baseline happens to create larger frames than DFG.
2252
2253         * dfg/DFGOSRExitCompiler32_64.cpp:
2254         (JSC::DFG::OSRExitCompiler::compileExit):
2255         * dfg/DFGOSRExitCompiler64.cpp:
2256         (JSC::DFG::OSRExitCompiler::compileExit):
2257         * dfg/DFGOSRExitCompilerCommon.cpp:
2258         (JSC::DFG::adjustAndJumpToTarget):
2259
2260 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2261
2262         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
2263
2264         Rubber stamped by Sam Weinig.
2265
2266         * tests/stress/equals-masquerader.js:
2267
2268 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2269
2270         tests/stress/*tdz* tests do 10x more iterations than necessary
2271         https://bugs.webkit.org/show_bug.cgi?id=142946
2272
2273         Reviewed by Ryosuke Niwa.
2274         
2275         The stress test harness runs all of these tests in various configurations. This includes
2276         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
2277         enough to get to the highest tier. The only exceptions are very large functions or
2278         functions that have some reoptimizations. That happens rarely, and when it does happen,
2279         usually 20,000 iterations is enough.
2280         
2281         Therefore, these tests use 10x too many iterations. This is bad, since these tests
2282         allocate on each iteration, and so they run very slowly in debug mode.
2283
2284         * tests/stress/class-syntax-no-loop-tdz.js:
2285         * tests/stress/class-syntax-no-tdz-in-catch.js:
2286         * tests/stress/class-syntax-no-tdz-in-conditional.js:
2287         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
2288         * tests/stress/class-syntax-no-tdz-in-loop.js:
2289         * tests/stress/class-syntax-no-tdz.js:
2290         * tests/stress/class-syntax-tdz-in-catch.js:
2291         * tests/stress/class-syntax-tdz-in-conditional.js:
2292         * tests/stress/class-syntax-tdz-in-loop.js:
2293         * tests/stress/class-syntax-tdz.js:
2294
2295 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2296
2297         Fix a typo in Parser error message
2298         https://bugs.webkit.org/show_bug.cgi?id=142942
2299
2300         Reviewed by Alexey Proskuryakov.
2301
2302         * jit/JITPropertyAccess.cpp:
2303         (JSC::JIT::emitSlow_op_resolve_scope):
2304         * jit/JITPropertyAccess32_64.cpp:
2305         (JSC::JIT::emitSlow_op_resolve_scope):
2306         * parser/Parser.cpp:
2307         (JSC::Parser<LexerType>::parseClass):
2308         Fix a common identifier typo.
2309
2310 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2311
2312         Computed Property names should allow only AssignmentExpressions not any Expression
2313         https://bugs.webkit.org/show_bug.cgi?id=142902
2314
2315         Reviewed by Ryosuke Niwa.
2316
2317         * parser/Parser.cpp:
2318         (JSC::Parser<LexerType>::parseProperty):
2319         Limit computed expressions to just assignment expressions instead of
2320         any expression (which allowed comma expressions).
2321
2322 2015-03-21  Andreas Kling  <akling@apple.com>
2323
2324         Make UnlinkedFunctionExecutable fit in a 128-byte cell.
2325         <https://webkit.org/b/142939>
2326
2327         Reviewed by Mark Hahnenberg.
2328
2329         Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
2330         a 128-byte heap cell instead of requiring a 256-byte one.
2331
2332         Threw in a static_assert to catch anyone pushing it over the limit again.
2333
2334         * bytecode/UnlinkedCodeBlock.cpp:
2335         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2336         * bytecode/UnlinkedCodeBlock.h:
2337         (JSC::UnlinkedFunctionExecutable::functionMode):
2338
2339 2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>
2340
2341         GCTimer should know keep track of nested GC phases
2342         https://bugs.webkit.org/show_bug.cgi?id=142675
2343
2344         Reviewed by Darin Adler.
2345
2346         This improves the GC phase timing output in Heap.cpp by linking
2347         phases nested inside other phases together, allowing tools
2348         to compute how much time we're spending in various nested phases.
2349
2350         * heap/Heap.cpp:
2351
2352 2015-03-20  Geoffrey Garen  <ggaren@apple.com>
2353
2354         FunctionBodyNode should known where its parameters started
2355         https://bugs.webkit.org/show_bug.cgi?id=142926
2356
2357         Reviewed by Ryosuke Niwa.
2358
2359         This will allow us to re-parse parameters instead of keeping the
2360         parameters piece of the AST around forever.
2361
2362         I also took the opportunity to initialize most FunctionBodyNode data
2363         members at construction time, to help clarify that they are set right.
2364
2365         * parser/ASTBuilder.h:
2366         (JSC::ASTBuilder::createFunctionExpr): No need to pass
2367         functionKeywordStart here; we now provide it at FunctionBodyNode
2368         creation time.
2369
2370         (JSC::ASTBuilder::createFunctionBody): Require everything we need at
2371         construction time, including the start of our parameters.
2372
2373         (JSC::ASTBuilder::createGetterOrSetterProperty):
2374         (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
2375         functionKeywordStart here; we now provide it at FunctionBodyNode
2376         creation time.
2377
2378         (JSC::ASTBuilder::setFunctionNameStart): Deleted.
2379
2380         * parser/Nodes.cpp:
2381         (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
2382         construction time.
2383
2384         * parser/Nodes.h: Added a field for the location of our parameters.
2385
2386         * parser/Parser.cpp:
2387         (JSC::Parser<LexerType>::parseFunctionBody):
2388         (JSC::Parser<LexerType>::parseFunctionInfo):
2389         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2390         (JSC::Parser<LexerType>::parseClass):
2391         (JSC::Parser<LexerType>::parsePropertyMethod):
2392         (JSC::Parser<LexerType>::parseGetterSetter):
2393         (JSC::Parser<LexerType>::parsePrimaryExpression):
2394         * parser/Parser.h: Refactored to match above interface changes.
2395
2396         * parser/SyntaxChecker.h:
2397         (JSC::SyntaxChecker::createFunctionExpr):
2398         (JSC::SyntaxChecker::createFunctionBody):
2399         (JSC::SyntaxChecker::createFuncDeclStatement):
2400         (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
2401         above interface changes.
2402
2403         (JSC::SyntaxChecker::setFunctionNameStart): Deleted.
2404
2405 2015-03-20  Filip Pizlo  <fpizlo@apple.com>
2406
2407         Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
2408         https://bugs.webkit.org/show_bug.cgi?id=142920
2409
2410         Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
2411         
2412         Observably effectful, n.: If we reexecute the bytecode instruction after this node has
2413         executed, then something other than the bytecode instruction's specified outcome will
2414         happen.
2415
2416         We almost never had observably effectful nodes except at the end of the bytecode
2417         instruction.  The exception is a lowered transitioning PutById:
2418
2419         PutStructure(@o, S1 -> S2)
2420         PutByOffset(@o, @o, @v)
2421
2422         The PutStructure is observably effectful: if you try to reexecute the bytecode after
2423         doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
2424         first checking what the old structure of the object is; but if we reexecute, the old
2425         structure will seem to be the new structure.  But the property ensured by the new
2426         structure hasn't been stored yet, so any attempt to load it or scan it will crash.
2427
2428         Intriguingly, however, none of the other operations involved in the PutById are
2429         observably effectful.  Consider this example:
2430
2431         PutByOffset(@o, @o, @v)
2432         PutStructure(@o, S1 -> S2)
2433
2434         Note that the PutStructure node doesn't reallocate property storage; see further below
2435         for an example that does that. Because no property storage is happening, we know that we
        already had room for the new property.  This means that the PutByOffset is not observable
2437         until the PutStructure executes and "reveals" the property.  Hence, PutByOffset is not
2438         observably effectful.
2439
2440         Now consider this:
2441
2442         b: AllocatePropertyStorage(@o)
2443         PutByOffset(@b, @o, @v)
2444         PutStructure(@o, S1 -> S2)
2445
2446         Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
2447         effectful. It *does* reallocate the property storage and the new property storage pointer
2448         is stored into the object. But until the PutStructure occurs, the world will just think
2449         that the reallocation didn't happen, in the sense that we'll think that the property
2450         storage is using less memory than what we just allocated. That's harmless.
2451
2452         The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
2453         AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
2454         everything could be expected to be fine, so long as all of @o, @v and @b are on the
2455         stack. If they are all on the stack, then the GC will leave the property storage alone
2456         (so the extra memory we just allocated would be safe). The GC will not scan the part of
2457         the property storage that contains @v, but that's fine, so long as @v is on the stack.
2458         
2459         The better long-term solution is probably bug 142921.
2460         
2461         But for now, this:
2462         
2463         - Fixes an object materialization bug, exemplified by the two tests, that previously
2464           crashed 100% of the time with FTL enabled and concurrent JIT disabled.
2465         
2466         - Allows us to remove the workaround introduced in r174856.
2467
2468         * dfg/DFGByteCodeParser.cpp:
2469         (JSC::DFG::ByteCodeParser::handlePutById):
2470         * dfg/DFGConstantFoldingPhase.cpp:
2471         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2472         * dfg/DFGFixupPhase.cpp:
2473         (JSC::DFG::FixupPhase::insertCheck):
2474         (JSC::DFG::FixupPhase::indexOfNode): Deleted.
2475         (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
2476         * dfg/DFGInsertionSet.h:
2477         (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
2478         (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
2479         * tests/stress/materialize-past-butterfly-allocation.js: Added.
2480         (bar):
2481         (foo0):
2482         (foo1):
2483         (foo2):
2484         (foo3):
2485         (foo4):
2486         * tests/stress/materialize-past-put-structure.js: Added.
2487         (foo):
2488
2489 2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2490
2491         REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
2492         https://bugs.webkit.org/show_bug.cgi?id=142410
2493
2494         Reviewed by Geoffrey Garen.
2495
        Before this patch, the added function JSValue::toPropertyKey returned PropertyName.
        Since PropertyName doesn't have AtomicStringImpl ownership,
        if an Identifier is implicitly converted to PropertyName and the Identifier is destructed,
        the PropertyName may refer to a freed AtomicStringImpl*.
2500
2501         This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
2502         to keep AtomicStringImpl* ownership after the toPropertyName call is done.
2503         And receive the result value as Identifier type to keep ownership in the caller side.
2504
2505         To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
2506
2507         However, now we don't need to have both Identifier and PropertyName.
2508         So we'll merge PropertyName to Identifier in the subsequent patch.
2509
2510         * dfg/DFGOperations.cpp:
2511         (JSC::DFG::operationPutByValInternal):
2512         * jit/JITOperations.cpp:
2513         (JSC::getByVal):
2514         * llint/LLIntSlowPaths.cpp:
2515         (JSC::LLInt::getByVal):
2516         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2517         * runtime/CommonSlowPaths.cpp:
2518         (JSC::SLOW_PATH_DECL):
2519         * runtime/CommonSlowPaths.h:
2520         (JSC::CommonSlowPaths::opIn):
2521         * runtime/JSCJSValue.h:
2522         * runtime/JSCJSValueInlines.h:
2523         (JSC::JSValue::toPropertyKey):
2524         * runtime/ObjectConstructor.cpp:
2525         (JSC::objectConstructorGetOwnPropertyDescriptor):
2526         (JSC::objectConstructorDefineProperty):
2527         * runtime/ObjectPrototype.cpp:
2528         (JSC::objectProtoFuncPropertyIsEnumerable):
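
        The ownership hazard this entry describes, as an added example that is not WebKit's code: simplified stand-ins for Identifier (owning) and PropertyName (non-owning view), where the view holds a weak_ptr instead of JSC's raw AtomicStringImpl* so the dangling state can be observed safely. toPropertyKeyBroken and toPropertyKeyFixed are hypothetical names standing in for the before and after of JSValue::toPropertyKey.

```cpp
// Added example, not JSC code. Models the bug: a non-owning view (PropertyName)
// returned from a function outlives the owning handle (Identifier) created inside it.
#include <memory>
#include <string>
#include <utility>

// Stand-in for AtomicStringImpl: the ref-counted payload.
struct StringImpl {
    std::string chars;
    explicit StringImpl(std::string s) : chars(std::move(s)) {}
};

// Owning handle, like JSC::Identifier: keeps the StringImpl alive.
class Identifier {
public:
    explicit Identifier(std::string s) : m_impl(std::make_shared<StringImpl>(std::move(s))) {}
    std::shared_ptr<StringImpl> impl() const { return m_impl; }
private:
    std::shared_ptr<StringImpl> m_impl;
};

// Non-owning view, like JSC::PropertyName. The real class holds a raw pointer;
// a weak_ptr is used here so the dangling state is observable instead of UB.
class PropertyName {
public:
    PropertyName(const Identifier& ident) : m_impl(ident.impl()) {} // implicit, like JSC
    bool dangling() const { return m_impl.expired(); }
    std::string value() const {
        auto p = m_impl.lock();
        return p ? p->chars : std::string("<freed>");
    }
private:
    std::weak_ptr<StringImpl> m_impl;
};

// Before the fix (hypothetical name): returns the non-owning view. The Identifier
// is a local, so the returned PropertyName refers to a destroyed string.
PropertyName toPropertyKeyBroken(const std::string& key) {
    Identifier ident(key);  // owns the string...
    return ident;           // ...implicitly converted to a view; ident is destructed on return
}

// After the fix (hypothetical name): return the owning Identifier so the caller
// keeps the AtomicStringImpl-equivalent alive for as long as it needs it.
Identifier toPropertyKeyFixed(const std::string& key) {
    return Identifier(key);
}

// Caller using the broken API observes a dangling view.
bool brokenCallerSeesDangling() {
    PropertyName name = toPropertyKeyBroken("length");
    return name.dangling(); // true
}

// Caller using the fixed API: 'auto' keeps the owning type, as the patch does,
// and any view derived from it stays valid while 'key' is in scope.
std::string fixedCallerReadsValue() {
    auto key = toPropertyKeyFixed("length");
    PropertyName name = key;
    return name.value(); // "length"
}
```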
2529
2530 2015-03-18  Geoffrey Garen  <ggaren@apple.com>
2531
2532         Function.prototype.toString should not decompile the AST
2533         https://bugs.webkit.org/show_bug.cgi?id=142853
2534
2535         Reviewed by Sam Weinig.
2536
2537         To recover the function parameter string, Function.prototype.toString
2538         decompiles the function parameters from the AST. This is bad for a few
2539         reasons:
2540
2541         (1) It requires us to keep pieces of the AST live forever. This is an
2542         awkward design and a waste of memory.
2543
2544         (2) It doesn't match Firefox or Chrome (because it changes whitespace
2545         and ES6 destructuring expressions).
2546
2547         (3) It doesn't scale to ES6 default argument parameters, which require
2548         arbitrarily complex decompilation.
2549
2550         (4) It can counterfeit all the line numbers in a function (because
2551         whitespace can include newlines).
2552
2553         (5) It's expensive, and we've seen cases where websites invoke
2554         Function.prototype.toString a lot by accident.
2555
2556         The fix is to do what we do for the rest of the function: Just quote the
2557         original source text.
2558
2559         Since this change inevitably changes some function stringification, I
2560         took the opportunity to make our stringification match Firefox's and
2561         Chrome's.
2562
2563         * API/tests/testapi.c:
2564         (assertEqualsAsUTF8String): Be more informative when this fails.
2565
2566         (main): Updated to match new stringification rules.
2567
2568         * bytecode/UnlinkedCodeBlock.cpp:
2569         (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
2570         * bytecode/UnlinkedCodeBlock.h:
2571
2572         * parser/Nodes.h:
2573         (JSC::StatementNode::isFuncDeclNode): New helper for constructing
2574         anonymous functions.
2575
2576         * parser/SourceCode.h:
2577         (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it.
2578
2579         * runtime/CodeCache.cpp:
2580         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use
2581         of function declaration over function expression.
2582
2583         * runtime/Executable.cpp:
2584         (JSC::FunctionExecutable::paramString): Deleted. Yay!
2585         * runtime/Executable.h:
2586         (JSC::FunctionExecutable::parameterCount):
2587
2588         * runtime/FunctionConstructor.cpp:
2589         (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after
2590         the opening brace to match Firefox and Chrome, and a space after the comma
2591         to match Firefox and WebKit coding style. Added the function name to
2592         the text of the function so it would look right when stringify-ing. Switched
2593         from parentheses to braces to produce a function declaration instead of
2594         a function expression because we are required to exclude the function's
2595         name from its scope, and that's what a function declaration does.
2596
2597         * runtime/FunctionPrototype.cpp:
2598         (JSC::functionProtoFuncToString): Removed an old workaround because the
2599         library it worked around doesn't really exist anymore, and the behavior
2600         doesn't match Firefox or Chrome. Use type profiling offsets instead of
2601         function body offsets because we want to include the function name and
2602         the parameter string, rather than stitching them in manually by
2603         decompiling the AST.
2604
2605         (JSC::insertSemicolonIfNeeded): Deleted.
2606
2607         * tests/mozilla/js1_2/function/tostring-1.js:
2608         * tests/mozilla/js1_5/Scope/regress-185485.js:
2609         (with.g): Updated these test results for formatting changes.
2610
2611 2015-03-20  Joseph Pecoraro  <pecoraro@apple.com>
2612
2613         SyntaxChecker assertion is trapped with computed property name and getter
2614         https://bugs.webkit.org/show_bug.cgi?id=142863
2615
2616         Reviewed by Ryosuke Niwa.
2617
2618         * parser/SyntaxChecker.h:
2619         (JSC::SyntaxChecker::getName):
2620         Remove invalid assert. Computed properties will not have a name
2621         and the calling code is checking for null expecting it. The
2622         AST path (non-CheckingPath) already does this without the assert
2623         so it is well tested.
2624
2625 2015-03-19  Mark Lam  <mark.lam@apple.com>
2626
2627         JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
2628         <https://webkit.org/b/142846>
2629
2630         Reviewed by Geoffrey Garen.
2631
2632         Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
2633         1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
2634            that a JSCallbackObject references.
2635         2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
2636            vm.heap.addFinalizer() which destroys the JSCallbackObject.
2637
2638         The first finalizer is implemented as a virtual function of a JSCallbackObjectData
2639         instance that will be destructed if the 2nd finalizer is called.  Hence, if the
2640         2nd finalizer is called first, the later invocation of the 1st finalizer will
2641         result in a crash.
2642
2643         This patch fixes the issue by eliminating the finalizer registration in init().
2644         Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
2645         if needed.  This ensures that these finalizers are called before the JSCallbackObject
2646         is destructed.
2647
2648         Also added assertions to a few Heap functions because JSCell::classInfo() expects
2649         all objects that are allocated from MarkedBlock::Normal blocks to be derived from
2650         JSDestructibleObject.  These assertions will help us catch violations of this
2651         expectation earlier.
2652
2653         * API/JSCallbackObject.cpp:
2654         (JSC::JSCallbackObjectData::finalize): Deleted.
2655         * API/JSCallbackObject.h:
2656         (JSC::JSCallbackObjectData::~JSCallbackObjectData):
2657         * API/JSCallbackObjectFunctions.h:
2658         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2659         (JSC::JSCallbackObject<Parent>::init):
2660         * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
2661         (finalize):
2662         (testGlobalContextWithFinalizer):
2663         * API/tests/GlobalContextWithFinalizerTest.h: Added.
2664         * API/tests/testapi.c:
2665         (main):
2666         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
2667         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
2668         * JavaScriptCore.xcodeproj/project.pbxproj:
2669         * heap/HeapInlines.h:
2670         (JSC::Heap::allocateObjectOfType):
2671         (JSC::Heap::subspaceForObjectOfType):
2672         (JSC::Heap::allocatorForObjectOfType):
2673
2674 2015-03-19  Andreas Kling  <akling@apple.com>
2675
2676         JSCallee unnecessarily overrides a bunch of things in the method table.
2677         <https://webkit.org/b/142855>
2678
2679         Reviewed by Geoffrey Garen.
2680
2681         Remove JSCallee method table overrides that simply call to base class.
2682         This makes JSFunction property slot lookups slightly more efficient since
2683         they can take the fast path when passing over JSCallee in the base class chain.
2684
2685         * runtime/JSCallee.cpp:
2686         (JSC::JSCallee::getOwnPropertySlot): Deleted.
2687         (JSC::JSCallee::getOwnNonIndexPropertyNames): Deleted.
2688         (JSC::JSCallee::put): Deleted.
2689         (JSC::JSCallee::deleteProperty): Deleted.
2690         (JSC::JSCallee::defineOwnProperty): Deleted.
2691         * runtime/JSCallee.h:
2692
2693 2015-03-19  Andreas Kling  <akling@apple.com>
2694
2695         DFGAllocator should use bmalloc's aligned allocator.
2696         <https://webkit.org/b/142871>
2697
2698         Reviewed by Geoffrey Garen.
2699
2700         Switch DFGAllocator to using bmalloc through fastAlignedMalloc().
2701
2702         * dfg/DFGAllocator.h:
2703         (JSC::DFG::Allocator<T>::allocateSlow):
2704         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
2705         * heap/CopiedSpace.h:
2706         * heap/MarkedBlock.h:
2707         * heap/MarkedSpace.h:
2708
2709 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2710
2711         ES6 Classes: Extends should accept an expression without parenthesis
2712         https://bugs.webkit.org/show_bug.cgi?id=142840
2713
2714         Reviewed by Ryosuke Niwa.
2715
2716         * parser/Parser.cpp:
2717         (JSC::Parser<LexerType>::parseClass):
2718         "extends" allows a LeftHandExpression (new expression / call expression,
2719         which includes a member expression), not a primary expression. Our
2720         parseMemberExpression does all of these.
2721
2722 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2723
2724         Web Inspector: Debugger Popovers and Probes should use FormattedValue/ObjectTreeView instead of Custom/ObjectPropertiesSection
2725         https://bugs.webkit.org/show_bug.cgi?id=142830
2726
2727         Reviewed by Timothy Hatcher.
2728
2729         * inspector/agents/InspectorDebuggerAgent.cpp:
2730         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2731         Give Probe Samples object previews.
2732
2733 2015-03-17  Ryuan Choi  <ryuan.choi@navercorp.com>
2734
2735         [EFL] Expose JavaScript binding interface through ewk_extension
2736         https://bugs.webkit.org/show_bug.cgi?id=142033
2737
2738         Reviewed by Gyuyoung Kim.
2739
2740         * PlatformEfl.cmake: Install Javascript APIs.
2741
2742 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2743
2744         Function bodies should always include braces
2745         https://bugs.webkit.org/show_bug.cgi?id=142795
2746
2747         Reviewed by Michael Saboff.
2748
2749         Having a mode for excluding the opening and closing braces from a function
2750         body was unnecessary and confusing.
2751
2752         * bytecode/CodeBlock.cpp:
2753         (JSC::CodeBlock::CodeBlock): Adopt the new one true linking function.
2754
2755         * bytecode/UnlinkedCodeBlock.cpp:
2756         (JSC::generateFunctionCodeBlock):
2757         (JSC::UnlinkedFunctionExecutable::link):
2758         (JSC::UnlinkedFunctionExecutable::codeBlockFor): No need to pass through
2759         a boolean: there is only one kind of function now.
2760
2761         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Deleted.
2762         (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Deleted. Let's only
2763         have one way to do things. This removes the old mode that would pretend
2764         that a function always started at column 1. That pretense was not true:
2765         an attribute event listener does not necessarily start at column 1.
2766
2767         * bytecode/UnlinkedCodeBlock.h:
2768         * generate-js-builtins: Adopt the new one true linking function.
2769
2770         * parser/Parser.h:
2771         (JSC::Parser<LexerType>::parse):
2772         (JSC::parse): needsReparsingAdjustment is always true now, so I removed it.
2773
2774         * runtime/Executable.cpp:
2775         (JSC::ScriptExecutable::newCodeBlockFor):
2776         (JSC::FunctionExecutable::FunctionExecutable):
2777         (JSC::ProgramExecutable::initializeGlobalProperties):
2778         (JSC::FunctionExecutable::fromGlobalCode):
2779         * runtime/Executable.h:
2780         (JSC::FunctionExecutable::create):
2781         (JSC::FunctionExecutable::bodyIncludesBraces): Deleted. Removed unused stuff.
2782
2783         * runtime/FunctionConstructor.cpp:
2784         (JSC::constructFunctionSkippingEvalEnabledCheck): Always provide a
2785         leading space because that's what this function's comment says is required
2786         for web compatibility. We used to fake this up after the fact when
2787         stringifying, based on the bodyIncludesBraces flag, but that flag is gone now.
2788
2789         * runtime/FunctionPrototype.cpp:
2790         (JSC::insertSemicolonIfNeeded):
2791         (JSC::functionProtoFuncToString): No need to add braces and/or a space
2792         after the fact -- we always have them now.
2793
2794 2015-03-17  Mark Lam  <mark.lam@apple.com>
2795
2796         Refactor execution time limit tests out of testapi.c.
2797         <https://webkit.org/b/142798>
2798
2799         Rubber stamped by Michael Saboff.
2800
2801         These tests were sometimes failing to time out on C loop builds.  Let's
2802         refactor them out of the big monolith that is testapi.c so that we can
2803         reason more easily about them and make adjustments if needed.
2804
2805         * API/tests/ExecutionTimeLimitTest.cpp: Added.
2806         (currentCPUTime):
2807         (currentCPUTimeAsJSFunctionCallback):
2808         (shouldTerminateCallback):
2809         (cancelTerminateCallback):
2810         (extendTerminateCallback):
2811         (testExecutionTimeLimit):
2812         * API/tests/ExecutionTimeLimitTest.h: Added.
2813         * API/tests/testapi.c:
2814         (main):
2815         (currentCPUTime): Deleted.
2816         (currentCPUTime_callAsFunction): Deleted.
2817         (shouldTerminateCallback): Deleted.
2818         (cancelTerminateCallback): Deleted.
2819         (extendTerminateCallback): Deleted.
2820         * JavaScriptCore.xcodeproj/project.pbxproj:
2821
2822 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2823
2824         Built-in functions should know that they use strict mode
2825         https://bugs.webkit.org/show_bug.cgi?id=142788
2826
2827         Reviewed by Mark Lam.
2828
2829         Even though all of our builtin functions use strict mode, the parser
2830         thinks that they don't. This is because Executable::toStrictness treats
2831         builtin-ness and strict-ness as mutually exclusive.
2832
2833         The fix is to disambiguate builtin-ness from strict-ness.
2834
2835         This bug is currently unobservable because of some other parser bugs. But
2836         it causes lots of test failures once those other bugs are fixed.
2837
2838         * API/JSScriptRef.cpp:
2839         (parseScript):
2840         * builtins/BuiltinExecutables.cpp:
2841         (JSC::BuiltinExecutables::createBuiltinExecutable): Adopt the new API
2842         for a separate value to indicate builtin-ness vs strict-ness.
2843
2844         * bytecode/UnlinkedCodeBlock.cpp:
2845         (JSC::generateFunctionCodeBlock):
2846         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Ditto.
2847
2848         * bytecode/UnlinkedCodeBlock.h:
2849         (JSC::UnlinkedFunctionExecutable::toStrictness): Deleted. This function
2850         was misleading since it pretended that no builtin function was ever
2851         strict, which is the opposite of true.
2852
2853         * parser/Lexer.cpp:
2854         (JSC::Lexer<T>::Lexer):
2855         * parser/Lexer.h:
2856         * parser/Parser.cpp:
2857         (JSC::Parser<LexerType>::Parser):
2858         * parser/Parser.h:
2859         (JSC::parse): Adopt the new API.
2860
2861         * parser/ParserModes.h: Added JSParserBuiltinMode, and tried to give
2862         existing modes clearer names.
2863
2864         * runtime/CodeCache.cpp:
2865         (JSC::CodeCache::getGlobalCodeBlock):
2866         (JSC::CodeCache::getProgramCodeBlock):
2867         (JSC::CodeCache::getEvalCodeBlock):
2868         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Adopt the new API.
2869
2870         * runtime/CodeCache.h:
2871         (JSC::SourceCodeKey::SourceCodeKey): Be sure to treat strict-ness and
2872         builtin-ness as separate pieces of the code cache key. We would not want
2873         a user function to match a built-in function in the cache, even if they
2874         agreed about strictness, since builtin functions have different lexing
2875         rules.
2876
2877         * runtime/Completion.cpp:
2878         (JSC::checkSyntax):
2879         * runtime/Executable.cpp:
2880         (JSC::FunctionExecutable::FunctionExecutable):
2881         (JSC::ProgramExecutable::checkSyntax):
2882         * runtime/Executable.h:
2883         (JSC::FunctionExecutable::create):
2884         * runtime/JSGlobalObject.cpp:
2885         (JSC::JSGlobalObject::createProgramCodeBlock):
2886         (JSC::JSGlobalObject::createEvalCodeBlock): Adopt the new API.
2887
2888 2015-03-16  Filip Pizlo  <fpizlo@apple.com>
2889
2890         DFG IR shouldn't have a separate node for every kind of put hint that could be described using PromotedLocationDescriptor
2891         https://bugs.webkit.org/show_bug.cgi?id=142769
2892
2893         Reviewed by Michael Saboff.
2894         
2895         When we sink an object allocation, we need to have some way of tracking what stores would
2896         have happened had the allocation not been sunk, so that we know how to rematerialize the
2897         object on OSR exit. Prior to this change, trunk had two ways of describing such a "put
2898         hint":
2899         
2900         - The PutStructureHint and PutByOffsetHint node types.
2901         - The PromotedLocationDescriptor class, which has an enum with cases StructurePLoc and
2902           NamedPropertyPLoc.
2903         
2904         We also had ways of converting from a Node with those two node types to a
2905         PromotedLocationDescriptor, and we had a way of converting a PromotedLocationDescriptor to
2906         a Node.
2907         
2908         This change removes the redundancy. We now have just one node type that corresponds to a
2909         put hint, and it's called PutHint. It has a PromotedLocationDescriptor as metadata.
2910         Converting between a PutHint node and a PromotedLocationDescriptor and vice-versa is now
2911         trivial.
2912         
2913         This means that if we add new kinds of sunken objects, we'll have less pro-forma to write
2914         for the put hints to those objects. This is mainly to simplify the implementation of
2915         arguments elimination in bug 141174.
2916
2917         * dfg/DFGAbstractInterpreterInlines.h:
2918         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2919         * dfg/DFGClobberize.h:
2920         (JSC::DFG::clobberize):
2921         * dfg/DFGDoesGC.cpp:
2922         (JSC::DFG::doesGC):
2923         * dfg/DFGFixupPhase.cpp:
2924         (JSC::DFG::FixupPhase::fixupNode):
2925         * dfg/DFGGraph.cpp:
2926         (JSC::DFG::Graph::dump):
2927         (JSC::DFG::Graph::mergeRelevantToOSR):
2928         * dfg/DFGMayExit.cpp:
2929         (JSC::DFG::mayExit):
2930         * dfg/DFGNode.cpp:
2931         (JSC::DFG::Node::convertToPutHint):
2932         (JSC::DFG::Node::convertToPutStructureHint):
2933         (JSC::DFG::Node::convertToPutByOffsetHint):
2934         (JSC::DFG::Node::promotedLocationDescriptor):
2935         * dfg/DFGNode.h:
2936         (JSC::DFG::Node::hasIdentifier):
2937         (JSC::DFG::Node::hasPromotedLocationDescriptor):
2938         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
2939         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
2940         * dfg/DFGNodeType.h:
2941         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2942         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2943         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2944         (JSC::DFG::ObjectAllocationSinkingPhase::run):
2945         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
2946         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2947         * dfg/DFGPredictionPropagationPhase.cpp:
2948         (JSC::DFG::PredictionPropagationPhase::propagate):
2949         * dfg/DFGPromoteHeapAccess.h:
2950         (JSC::DFG::promoteHeapAccess):
2951         * dfg/DFGPromotedHeapLocation.cpp:
2952         (JSC::DFG::PromotedHeapLocation::createHint):
2953         * dfg/DFGPromotedHeapLocation.h:
2954         (JSC::DFG::PromotedLocationDescriptor::imm1):
2955         (JSC::DFG::PromotedLocationDescriptor::imm2):
2956         * dfg/DFGSafeToExecute.h:
2957         (JSC::DFG::safeToExecute):
2958         * dfg/DFGSpeculativeJIT32_64.cpp:
2959         (JSC::DFG::SpeculativeJIT::compile):
2960         * dfg/DFGSpeculativeJIT64.cpp:
2961         (JSC::DFG::SpeculativeJIT::compile):
2962         * dfg/DFGValidate.cpp:
2963         (JSC::DFG::Validate::validateCPS):
2964         * ftl/FTLCapabilities.cpp:
2965         (JSC::FTL::canCompile):
2966         * ftl/FTLLowerDFGToLLVM.cpp:
2967         (JSC::FTL::LowerDFGToLLVM::compileNode):
2968
2969 2015-03-17  Michael Saboff  <msaboff@apple.com>
2970
2971         Windows X86-64 should use the fixed executable allocator
2972         https://bugs.webkit.org/show_bug.cgi?id=142749
2973
2974         Reviewed by Filip Pizlo.
2975
2976         Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build.
2977
2978         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2979         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2980         * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows.
2981
2982 2015-03-17  Matt Baker  <mattbaker@apple.com>
2983
2984         Web Inspector: Show rendering frames (and FPS) in Layout and Rendering timeline
2985         https://bugs.webkit.org/show_bug.cgi?id=142029
2986
2987         Reviewed by Timothy Hatcher.
2988
2989         * inspector/protocol/Timeline.json:
2990         Added new event type for runloop timeline records.
2991
2992 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
2993
2994         Enable ES6 classes by default
2995         https://bugs.webkit.org/show_bug.cgi?id=142774
2996
2997         Reviewed by Gavin Barraclough.
2998
2999         Enabled the feature and unskipped tests.
3000
3001         * Configurations/FeatureDefines.xcconfig:
3002         * tests/stress/class-syntax-no-loop-tdz.js:
3003         * tests/stress/class-syntax-no-tdz-in-catch.js:
3004         * tests/stress/class-syntax-no-tdz-in-conditional.js:
3005         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
3006         * tests/stress/class-syntax-no-tdz-in-loop.js:
3007         * tests/stress/class-syntax-no-tdz.js:
3008         * tests/stress/class-syntax-tdz-in-catch.js:
3009         * tests/stress/class-syntax-tdz-in-conditional.js:
3010         * tests/stress/class-syntax-tdz-in-loop.js:
3011         * tests/stress/class-syntax-tdz.js:
3012
3013 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3014
3015         Web Inspector: Better Console Previews for Arrays / Small Objects
3016         https://bugs.webkit.org/show_bug.cgi?id=142322
3017
3018         Reviewed by Timothy Hatcher.
3019
3020         * inspector/InjectedScriptSource.js:
3021         Create deep valuePreviews for simple previewable objects,
3022         such as arrays with 5 values, or basic objects with
3023         3 properties.
3024
3025 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
3026
3027         Add support for default constructor
3028         https://bugs.webkit.org/show_bug.cgi?id=142388
3029
3030         Reviewed by Filip Pizlo.
3031
3032         Added the support for default constructors. They're generated by ClassExprNode::emitBytecode
3033         via BuiltinExecutables::createDefaultConstructor.
3034
3035         UnlinkedFunctionExecutable now has the ability to override SourceCode provided by the owner
3036         executable. We can't store SourceCode in UnlinkedFunctionExecutable since CodeCache can use
3037         the same UnlinkedFunctionExecutable to generate code blocks for multiple functions.
3038
3039         Parser now has the ability to treat any function expression as a constructor of the kind specified
3040         by m_defaultConstructorKind member variable.
3041
3042         * builtins/BuiltinExecutables.cpp:
3043         (JSC::BuiltinExecutables::createDefaultConstructor): Added.
3044         (JSC::BuiltinExecutables::createExecutableInternal): Generalized from createBuiltinExecutable.
3045         Parse default constructors as normal non-builtin functions. Override SourceCode in the unlinked
3046         function executable since the Miranda function's code is definitely not in the owner executable's
3047         source code. That's the whole point.
3048         * builtins/BuiltinExecutables.h:
3049         (UnlinkedFunctionExecutable::createBuiltinExecutable): Added. Wraps createExecutableInternal.
3050         * bytecode/UnlinkedCodeBlock.cpp:
3051         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3052         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable):
3053         (JSC::UnlinkedFunctionExecutable::linkGlobalCode):
3054         * bytecode/UnlinkedCodeBlock.h:
3055         (JSC::UnlinkedFunctionExecutable::create):
3056         (JSC::UnlinkedFunctionExecutable::symbolTable): Deleted.
3057         * bytecompiler/BytecodeGenerator.cpp:
3058         (JSC::BytecodeGenerator::emitNewDefaultConstructor): Added.
3059         * bytecompiler/BytecodeGenerator.h:
3060         * bytecompiler/NodesCodegen.cpp:
3061         (JSC::ClassExprNode::emitBytecode): Generate the default constructor if needed.
3062         * parser/Parser.cpp:
3063         (JSC::Parser<LexerType>::Parser):
3064         (JSC::Parser<LexerType>::parseFunctionInfo): Override ownerClassKind and assume the function as
3065         a constructor if we're parsing a default constructor.
3066         (JSC::Parser<LexerType>::parseClass): Allow omission of the class constructor.
3067         * parser/Parser.h:
3068         (JSC::parse):
3069
3070 2015-03-16  Alex Christensen  <achristensen@webkit.org>
3071
3072         Progress towards CMake on Mac
3073         https://bugs.webkit.org/show_bug.cgi?id=142747
3074
3075         Reviewed by Chris Dumez.
3076
3077         * CMakeLists.txt:
3078         Include AugmentableInspectorController.h in CMake build.
3079
3080 2015-03-16  Csaba Osztrogonác  <ossy@webkit.org>
3081
3082         [ARM] Enable generating idiv instructions if it is supported
3083         https://bugs.webkit.org/show_bug.cgi?id=142725
3084
3085         Reviewed by Michael Saboff.
3086
3087         * assembler/ARMAssembler.h: Added sdiv and udiv implementation for ARM Traditional instruction set.
3088         (JSC::ARMAssembler::sdiv):
3089         (JSC::ARMAssembler::udiv):
3090         * assembler/ARMv7Assembler.h: Use HAVE(ARM_IDIV_INSTRUCTIONS) instead of CPU(APPLE_ARMV7S).
3091         * assembler/AbstractMacroAssembler.h:
3092         (JSC::isARMv7IDIVSupported):
3093         (JSC::optimizeForARMv7IDIVSupported):
3094         (JSC::isARMv7s): Renamed to isARMv7IDIVSupported().
3095         (JSC::optimizeForARMv7s): Renamed to optimizeForARMv7IDIVSupported().
3096         * dfg/DFGFixupPhase.cpp:
3097         (JSC::DFG::FixupPhase::fixupNode):
3098         * dfg/DFGSpeculativeJIT.cpp:
3099         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3100         (JSC::DFG::SpeculativeJIT::compileArithMod):
3101
3102 2015-03-15  Filip Pizlo  <fpizlo@apple.com>
3103
3104         DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source, and emit GetStacks when the stack's value is needed and none is deferred
3105         https://bugs.webkit.org/show_bug.cgi?id=141624
3106
3107         Reviewed by Geoffrey Garen.
3108
3109         Not eliminating GetStacks was an obvious omission from the original PutStackSinkingPhase.
3110         Previously, we would treat GetStacks conservatively and assume that the stack slot
3111         escaped. That's pretty dumb, since a GetStack is a local load of the stack. This change
3112         makes GetStack a no-op from the standpoint of this phase's deferral analysis. At the end
3113         we either keep the GetStack (if there was no concrete deferral) or we replace it with an
3114         identity over the value that would have been stored by the deferred PutStack. Note that
3115         this might be a Phi that the phase creates, so this is strictly stronger than what GCSE
3116         could do.
3117         
3118         But this change revealed the fact that this phase never correctly handled side effects in
3119         case that we had done a GetStack, then a side-effect, and then found ourselves wanting the
3120         value on the stack due to (for example) a Phi on a deferred PutStack and that GetStack.
3121         Basically, it's only correct to use the SSA converter's incoming value mapping if we have
3122         a concrete deferral - since anything but a concrete deferral may imply that the value has
3123         been clobbered.
3124         
3125         This has no performance change. I believe that the bug was previously benign because we
3126         have so few operations that clobber the stack anymore, and most of those get used in a
3127         very idiomatic way. The GetStack elimination will be very useful for the varargs
3128         simplification that is part of bug 141174.
3129         
3130         This includes a test for the case that Speedometer hit, plus tests for the other cases I
3131         thought of once I realized the deeper issue.
3132
3133         * dfg/DFGPutStackSinkingPhase.cpp:
3134         * tests/stress/get-stack-identity-due-to-sinking.js: Added.
3135         (foo):
3136         (bar):
3137         * tests/stress/get-stack-mapping-with-dead-get-stack.js: Added.
3138         (bar):
3139         (foo):
3140         * tests/stress/get-stack-mapping.js: Added.
3141         (bar):
3142         (foo):
3143         * tests/stress/weird-put-stack-varargs.js: Added.
3144         (baz):
3145         (foo):
3146         (fuzz):
3147         (bar):
3148
3149 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3150
3151         Update Map/Set to treat -0 and 0 as the same value
3152         https://bugs.webkit.org/show_bug.cgi?id=142709
3153
3154         Reviewed by Csaba Osztrogonác.
3155
3156         * runtime/MapData.h:
3157         (JSC::MapDataImpl<Entry>::KeyType::KeyType):
3158         No longer special case -0. It will be treated the same as 0.
3159
3160 2015-03-15  Joseph Pecoraro  <pecoraro@apple.com>
3161
3162         Web Inspector: Better handle displaying -0
3163         https://bugs.webkit.org/show_bug.cgi?id=142708
3164
3165         Reviewed by Timothy Hatcher.
3166
3167         Modeled after a blink change:
3168
3169         Patch by <aandrey@chromium.org>
3170         DevTools: DevTools: Show -0 for negative zero in console
3171         https://src.chromium.org/viewvc/blink?revision=162605&view=revision
3172
3173         * inspector/InjectedScriptSource.js:
3174         When creating a description string, or preview value string
3175         for -0, be sure the string is "-0" and not "0".
3176
3177 2015-03-14  Ryosuke Niwa  <rniwa@webkit.org>
3178
3179         parseClass should popScope after pushScope
3180         https://bugs.webkit.org/show_bug.cgi?id=142689
3181
3182         Reviewed by Benjamin Poulain.
3183
3184         Pop the parser scope as needed.
3185
3186         * parser/Parser.cpp:
3187         (JSC::Parser<LexerType>::parseClass):
3188
3189 2015-03-14  Dean Jackson  <dino@apple.com>
3190
3191         Feature flag for Animations Level 2
3192         https://bugs.webkit.org/show_bug.cgi?id=142699
3193         <rdar://problem/20165097>
3194
3195         Reviewed by Brent Fulgham.
3196
3197         Add ENABLE_CSS_ANIMATIONS_LEVEL_2 and a runtime flag animationTriggersEnabled.
3198
3199         * Configurations/FeatureDefines.xcconfig:
3200
3201 2015-03-14  Commit Queue  <commit-queue@webkit.org>
3202
3203         Unreviewed, rolling out r181487.
3204         https://bugs.webkit.org/show_bug.cgi?id=142695
3205
3206         Caused Speedometer/Full.html to fail (Requested by smfr on
3207         #webkit).
3208
3209         Reverted changeset:
3210
3211         "DFG::PutStackSinkingPhase should eliminate GetStacks that
3212         have an obviously known source"
3213         https://bugs.webkit.org/show_bug.cgi?id=141624
3214         http://trac.webkit.org/changeset/181487
3215
3216 2015-03-14  Michael Saboff  <msaboff@apple.com>
3217
3218         ES6: Add binary and octal literal support
3219         https://bugs.webkit.org/show_bug.cgi?id=142681
3220
3221         Reviewed by Ryosuke Niwa.
3222
3223         Added a binary literal parser function, parseBinary(), to Lexer patterned after the octal parser.
3224         Refactored the parseBinary, parseOctal and parseDecimal to use a constant size for the number of
3225         characters to try and handle directly. Factored out the shifting past any prefix to be handled by
3226         the caller. Added binary and octal parsing to toDouble() via helper functions.
3227
3228         * parser/Lexer.cpp:
3229         (JSC::Lexer<T>::parseHex):
3230         (JSC::Lexer<T>::parseBinary):
3231         (JSC::Lexer<T>::parseOctal):
3232         (JSC::Lexer<T>::parseDecimal):
3233         (JSC::Lexer<T>::lex):
3234         * parser/Lexer.h:
3235         * parser/ParserTokens.h:
3236         * runtime/JSGlobalObjectFunctions.cpp:
3237         (JSC::jsBinaryIntegerLiteral):
3238         (JSC::jsOctalIntegerLiteral):
3239         (JSC::toDouble):
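
        As an added illustration of the digit handling this entry describes (example code written for this page, not JavaScriptCore's own parseBinary/parseOctal/parseHex): the caller consumes the 0b/0o/0x prefix, a fixed number of digits per radix is accumulated directly in a uint32_t, and any further digits continue in double arithmetic so the integer accumulator can never overflow. The function names, the 32/10/8 digit budgets and the trailing-character check are this example's own assumptions.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <string>

struct LiteralResult { bool ok; double value; }; // ok=false on a malformed literal

// Value of c in the given radix, or -1 if c is not a digit of that radix.
static int digitValue(char c, int radix) {
    int v = -1;
    if (c >= '0' && c <= '9') v = c - '0';
    else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
    return (v >= 0 && v < radix) ? v : -1;
}

// Digits after the prefix: a fixed count per radix (assumed here; chosen so the
// product always fits a uint32_t) is accumulated directly; any remainder continues
// in double arithmetic, so a long literal cannot overflow the integer accumulator.
static LiteralResult parseRadixDigits(const std::string& s, size_t i, int radix) {
    const size_t fastDigits = radix == 2 ? 32 : radix == 8 ? 10 : 8; // assumed budgets
    uint32_t acc = 0;
    size_t count = 0;
    for (; i < s.size() && count < fastDigits; ++i, ++count) {
        int d = digitValue(s[i], radix);
        if (d < 0) break;
        acc = acc * radix + d;
    }
    if (count == 0) return {false, 0.0}; // e.g. "0b" with no digits at all
    double value = acc;
    for (; i < s.size(); ++i) {
        int d = digitValue(s[i], radix);
        if (d < 0) break;
        value = value * radix + d;
    }
    // A numeric literal must not be followed directly by a digit or identifier character.
    if (i < s.size() && (std::isalnum(static_cast<unsigned char>(s[i])) || s[i] == '_' || s[i] == '$'))
        return {false, 0.0};
    return {true, value};
}

// Dispatch on a case-insensitive 0b / 0o / 0x prefix: the caller's job in this design.
LiteralResult parseNumericLiteral(const std::string& s) {
    if (s.size() < 2 || s[0] != '0') return {false, 0.0};
    char p = static_cast<char>(std::tolower(static_cast<unsigned char>(s[1])));
    int radix = p == 'b' ? 2 : p == 'o' ? 8 : p == 'x' ? 16 : 0;
    if (!radix) return {false, 0.0};
    return parseRadixDigits(s, 2, radix);
}
```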

2015-03-13  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=142680

        Reviewed by Gyuyoung Kim.

        * PlatformMac.cmake:
        Generate TracingDtrace.h based on project.pbxproj.

2015-03-13  Filip Pizlo  <fpizlo@apple.com>

        Object allocation sinking phase shouldn't re-decorate previously sunken allocations on each fixpoint operation
        https://bugs.webkit.org/show_bug.cgi?id=142686

        Reviewed by Oliver Hunt.

        Just because promoteHeapAccess() notifies us of an effect to a heap location in a node doesn't
        mean that we should handle it as if it was for one of our sinking candidates. Instead we should
        prune based on m_sinkCandidates.

        This fixes a benign bug where we would generate a lot of repeated IR for some pathological
        tests.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):

2015-03-13  Eric Carlson  <eric.carlson@apple.com>

        [Mac] Enable WIRELESS_PLAYBACK_TARGET
        https://bugs.webkit.org/show_bug.cgi?id=142635

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2015-03-13  Ryosuke Niwa  <rniwa@webkit.org>

        Class constructor should throw TypeError when "called"
        https://bugs.webkit.org/show_bug.cgi?id=142566

        Reviewed by Michael Saboff.

        Added ConstructorKind::None to denote code that doesn't belong to an ES6 class.
        This allows BytecodeGenerator to emit code to throw TypeError when generating a code block
        to call ES6 class constructors.

        Most of the changes are about increasing the number of bits to store ConstructorKind from one
        bit to two bits.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::ExecutableInfo::needsActivation):
        (JSC::ExecutableInfo::usesEval):
        (JSC::ExecutableInfo::isStrictMode):
        (JSC::ExecutableInfo::isConstructor):
        (JSC::ExecutableInfo::isBuiltinFunction):
        (JSC::ExecutableInfo::constructorKind):
        (JSC::UnlinkedFunctionExecutable::constructorKind):
        (JSC::UnlinkedCodeBlock::constructorKind):
        (JSC::UnlinkedFunctionExecutable::constructorKindIsDerived): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKindIsDerived): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate): Don't emit bytecode when we have already emitted code
        to throw TypeError.
        (JSC::BytecodeGenerator::BytecodeGenerator): Emit code to throw TypeError when generating
        code to call.
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::constructorKind):
        (JSC::BytecodeGenerator::constructorKindIsDerived): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        * parser/Nodes.cpp:
        (JSC::FunctionBodyNode::FunctionBodyNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo): Renamed the incoming function argument to
        ownerClassKind. Set constructorKind to Base or Derived only if we're parsing a constructor.
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass): Don't parse static methods using MethodMode since that
        would result in BytecodeGenerator erroneously treating a static method named "constructor" as
        a class constructor.
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        * parser/ParserModes.h: