[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-02-08  Filip Pizlo  <fpizlo@apple.com>
2
3         DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
4         https://bugs.webkit.org/show_bug.cgi?id=141369
5
6         Reviewed by Michael Saboff.
7
8         We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
9         effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
10         DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
11         and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
12         finally switch everyone over to DFG::clobberize().
13         
14         Unfortunately there is still another place where effectfulness of nodes is described: the
15         AbstractInterpreter. This is because the AbstractInterpreter has special tuning for
16         compile time performance, and there are places where the AI is more precise than
17         clobberize() because of its flow-sensitivity.
18         
19         This means that after this change there will be only two places, rather than three, where
20         the effectfulness of a node has to be described:
21
22         - DFG::clobberize()
23         - DFG::AbstractInterpreter
24
25         * dfg/DFGClobberize.cpp:
26         (JSC::DFG::clobbersWorld):
27         * dfg/DFGClobberize.h:
28         * dfg/DFGDoesGC.cpp:
29         (JSC::DFG::doesGC):
30         * dfg/DFGFixupPhase.cpp:
31         (JSC::DFG::FixupPhase::fixupNode):
32         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
33         (JSC::DFG::FixupPhase::convertToGetArrayLength):
34         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
35         * dfg/DFGGraph.h:
36         (JSC::DFG::Graph::isPredictedNumerical): Deleted.
37         (JSC::DFG::Graph::byValIsPure): Deleted.
38         (JSC::DFG::Graph::clobbersWorld): Deleted.
39         * dfg/DFGNode.h:
40         (JSC::DFG::Node::convertToConstant):
41         (JSC::DFG::Node::convertToGetLocalUnlinked):
42         (JSC::DFG::Node::convertToGetByOffset):
43         (JSC::DFG::Node::convertToMultiGetByOffset):
44         (JSC::DFG::Node::convertToPutByOffset):
45         (JSC::DFG::Node::convertToMultiPutByOffset):
46         * dfg/DFGNodeFlags.cpp:
47         (JSC::DFG::dumpNodeFlags):
48         * dfg/DFGNodeFlags.h:
49         * dfg/DFGNodeType.h:
50
51 2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>
52
53         Fix the !ENABLE(DFG_JIT) build
54         https://bugs.webkit.org/show_bug.cgi?id=141387
55
56         Reviewed by Darin Adler.
57
58         * jit/Repatch.cpp:
59
60 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
61
62         Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
63         https://bugs.webkit.org/show_bug.cgi?id=141363
64
65         Reviewed by Darin Adler.
66
67         * dfg/DFGPredictionPropagationPhase.cpp:
68         (JSC::DFG::PredictionPropagationPhase::propagate):
69         Some blocks were duplicated; they probably evolved separately
70         to the same state.
71
72 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
73
74         Remove useless declarations and a stale comment from DFGByteCodeParser.h
75         https://bugs.webkit.org/show_bug.cgi?id=141361
76
77         Reviewed by Darin Adler.
78
79         The comment refers to the original form of the ByteCodeParser:
80             parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
81
82         That form is long dead, the comment is more misleading than anything.
83
84         * dfg/DFGByteCodeParser.cpp:
85         * dfg/DFGByteCodeParser.h:
86
87 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
88
89         Encapsulate DFG::Plan's beforeFTL timestamp
90         https://bugs.webkit.org/show_bug.cgi?id=141360
91
92         Reviewed by Darin Adler.
93
94         Make the attribute private; it is an internal state.
95
96         Rename beforeFTL->timeBeforeFTL for readability.
97
98         * dfg/DFGPlan.cpp:
99         (JSC::DFG::Plan::compileInThread):
100         (JSC::DFG::Plan::compileInThreadImpl):
101         * dfg/DFGPlan.h:
102
103 2015-02-08  Benjamin Poulain  <bpoulain@apple.com>
104
105         Remove DFGNode::hasArithNodeFlags()
106         https://bugs.webkit.org/show_bug.cgi?id=141319
107
108         Reviewed by Michael Saboff.
109
110         * dfg/DFGNode.h:
111         (JSC::DFG::Node::hasArithNodeFlags): Deleted.
112         Unused code is unused.
113
114 2015-02-07  Chris Dumez  <cdumez@apple.com>
115
116         Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
117         https://bugs.webkit.org/show_bug.cgi?id=141321
118
119         Reviewed by Darin Adler.
120
121         Use new Vector::removeFirstMatching() / removeAllMatching() methods.
122
123 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
124
125         DFG SSA shouldn't have SetArgument nodes
126         https://bugs.webkit.org/show_bug.cgi?id=141342
127
128         Reviewed by Mark Lam.
129
130         I was wondering why we kept the SetArgument around for captured
131         variables. It turns out we did so because we thought we had to, even
132         though we didn't have to. The node is meaningless in SSA.
133
134         * dfg/DFGSSAConversionPhase.cpp:
135         (JSC::DFG::SSAConversionPhase::run):
136         * ftl/FTLLowerDFGToLLVM.cpp:
137         (JSC::FTL::LowerDFGToLLVM::compileNode):
138
139 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
140
141         It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
142         https://bugs.webkit.org/show_bug.cgi?id=141337
143
144         Reviewed by Mark Lam.
145
146         This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
147         are associated with the prologue.
148
149         * dfg/DFGCPSRethreadingPhase.cpp:
150         (JSC::DFG::CPSRethreadingPhase::run):
151         (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
152         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
153         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
154         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
155         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
156
157 2015-02-06  Mark Lam  <mark.lam@apple.com>
158
159         MachineThreads should be ref counted.
160         <https://webkit.org/b/141317>
161
162         Reviewed by Filip Pizlo.
163
164         The VM's MachineThreads registry object is being referenced from other
165         threads as a raw pointer.  In a scenario where the VM is destructed on
166         the main thread, there is no guarantee that another thread isn't still
167         holding a reference to the registry and will eventually invoke
168         removeThread() on it on thread exit.  Hence, there's a possible use
169         after free scenario here.
170
171         The fix is to make MachineThreads ThreadSafeRefCounted, and have all
172         threads that reference it keep a RefPtr to it to ensure that it stays
173         alive until the very last thread is done with it.
174
175         * API/tests/testapi.mm:
176         (useVMFromOtherThread): - Renamed to be more descriptive.
177         (useVMFromOtherThreadAndOutliveVM):
178         - Added a test that has another thread which uses the VM outlive the
179           VM to confirm that there is no crash.
180
181           However, I was not actually able to get the VM to crash without this
182           patch because I wasn't always able to get the thread destructor to be
183           called.  With this patch applied, I did verify with some logging that
184           the MachineThreads registry is only destructed after all threads
185           have removed themselves from it.
186
187         (threadMain): Deleted.
188
189         * heap/Heap.cpp:
190         (JSC::Heap::Heap):
191         (JSC::Heap::~Heap):
192         (JSC::Heap::gatherStackRoots):
193         * heap/Heap.h:
194         (JSC::Heap::machineThreads):
195         * heap/MachineStackMarker.cpp:
196         (JSC::MachineThreads::Thread::Thread):
197         (JSC::MachineThreads::addCurrentThread):
198         (JSC::MachineThreads::removeCurrentThread):
199         * heap/MachineStackMarker.h:
200
201 2015-02-06  Commit Queue  <commit-queue@webkit.org>
202
203         Unreviewed, rolling out r179743.
204         https://bugs.webkit.org/show_bug.cgi?id=141335
205
206         caused missing symbols in non-WebKit clients of WTF::Vector
207         (Requested by kling on #webkit).
208
209         Reverted changeset:
210
211         "Remove WTF::fastMallocGoodSize()."
212         https://bugs.webkit.org/show_bug.cgi?id=141020
213         http://trac.webkit.org/changeset/179743
214
215 2015-02-04  Filip Pizlo  <fpizlo@apple.com>
216
217         Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
218         https://bugs.webkit.org/show_bug.cgi?id=141211
219
220         Reviewed by Mark Lam.
221
222         Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime
223         we did newTemporary()) was by calling preserveLastVar() after all non-temps are created. It
224         would raise the refcount on the last (highest-numbered) variable created, and rely on
225         the fact that register reclamation started at higher-numbered registers and worked its
226         way down. So any retained register would block any lower-numbered registers from being
227         reclaimed.
228         
229         Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
230         
231         This removes preserveLastVar() and makes addVar() retain each register it creates. This
232         is more explicit, since addVar() is the mechanism for creating non-temporary registers.
233         
234         To make this work I had to remove an assertion that Register::setIndex() can only be
235         called when the refcount is zero. This method might be called after a var is created to
236         change its index. This previously worked because preserveLastVar() would be called after
237         we had already made all index changes, so the vars would still have refcount zero. Now
238         they have refcount 1. I think it's OK to lose this assertion; I can't remember this
239         assertion ever firing in a way that alerted me to a serious issue.
240         
241         * bytecompiler/BytecodeGenerator.cpp:
242         (JSC::BytecodeGenerator::BytecodeGenerator):
243         (JSC::BytecodeGenerator::preserveLastVar): Deleted.
244         * bytecompiler/BytecodeGenerator.h:
245         (JSC::BytecodeGenerator::addVar):
246         * bytecompiler/RegisterID.h:
247         (JSC::RegisterID::setIndex):
248
249 2015-02-06  Andreas Kling  <akling@apple.com>
250
251         Remove WTF::fastMallocGoodSize().
252         <https://webkit.org/b/141020>
253
254         Reviewed by Anders Carlsson.
255
256         * assembler/AssemblerBuffer.h:
257         (JSC::AssemblerData::AssemblerData):
258         (JSC::AssemblerData::grow):
259
260 2015-02-05  Michael Saboff  <msaboff@apple.com>
261
262         CodeCache is not thread safe when adding the same source from two different threads
263         https://bugs.webkit.org/show_bug.cgi?id=141275
264
265         Reviewed by Mark Lam.
266
267         The issue for this bug is that one thread takes a cache miss in CodeCache::getGlobalCodeBlock,
268         but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
269         will fill in later in the function.  During the body of that function, it allocates
270         objects that may garbage collect.  During that garbage collection, we drop all the locks.
271         While the locks are released by the first thread, another thread can enter the VM and might
272         have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself.  When it
273         looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType*
274         and crashes.  This fixes the problem by not dropping the locks during garbage collection.
275         There are other likely scenarios where we have a data structure like this code cache in an
276         unsafe state for arbitrary reentrance.
277
278         Moved the functionality of DelayedReleaseScope directly into Heap.  Changed it into
279         a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
280         Now we accumulate objects to be released and release them when all locks are dropped or
281         when destroying the Heap.  This eliminated the dropping and reacquiring of locks associated
282         with the old scope form of this list.
283
284         Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
285         and the lock management no longer needs to be done, we just made the list a member of Heap.
286         We do need to guard against the case that releasing an object can create more objects
287         by calling into JS.  That is why releaseDelayedReleasedObjects() is written to remove
288         an object to release so that we aren't recursively in Vector code.  The other thing we
289         do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
290         the m_delayedReleaseRecursionCount.  We only release at the first entry into the function.
291         This case is already tested by testapi.mm.
292
293         * heap/DelayedReleaseScope.h: Removed file
294
295         * API/JSAPIWrapperObject.mm:
296         * API/ObjCCallbackFunction.mm:
297         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
298         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
299         * JavaScriptCore.xcodeproj/project.pbxproj:
300         * heap/IncrementalSweeper.cpp:
301         (JSC::IncrementalSweeper::doSweep):
302         * heap/MarkedAllocator.cpp:
303         (JSC::MarkedAllocator::tryAllocateHelper):
304         (JSC::MarkedAllocator::tryAllocate):
305         * heap/MarkedBlock.cpp:
306         (JSC::MarkedBlock::sweep):
307         * heap/MarkedSpace.cpp:
308         (JSC::MarkedSpace::MarkedSpace):
309         (JSC::MarkedSpace::lastChanceToFinalize):
310         (JSC::MarkedSpace::didFinishIterating):
311         * heap/MarkedSpace.h:
312         * heap/Heap.cpp:
313         (JSC::Heap::collectAllGarbage):
314         (JSC::Heap::zombifyDeadObjects):
315         Removed references to DelayedReleaseScope and DelayedReleaseScope.h.
316
317         * heap/Heap.cpp:
318         (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
319         (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
320         (JSC::Heap::releaseDelayedReleasedObjects): New function that released the accumulated
321         delayed release objects.
322
323         * heap/Heap.h:
324         (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
325         (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
326         releaseDelayedReleasedObjects is being called recursively.
327         * heap/HeapInlines.h:
328         (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
329         
330         * runtime/JSLock.cpp:
331         (JSC::JSLock::willReleaseLock):
332         Call Heap::releaseDelayedObjectsNow() when releasing the lock.
333
334 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
335
336         [Streams API] Implement a barebone ReadableStream interface
337         https://bugs.webkit.org/show_bug.cgi?id=141045
338
339         Reviewed by Benjamin Poulain.
340
341         * Configurations/FeatureDefines.xcconfig:
342
343 2015-02-05  Saam Barati  <saambarati1@gmail.com>
344
345         Crash in uninitialized deconstructing variable.
346         https://bugs.webkit.org/show_bug.cgi?id=141070
347
348         Reviewed by Michael Saboff.
349
350         According to the ES6 spec, when a destructuring pattern occurs
351         as the left hand side of an assignment inside a var declaration 
352         statement, the assignment must also have a right hand side value.
353         "var {x} = {};" is a legal syntactic statement, but,
354         "var {x};" is a syntactic error.
355
356         Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
357         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement
358
359         * parser/Parser.cpp:
360         (JSC::Parser<LexerType>::parseVarDeclaration):
361         (JSC::Parser<LexerType>::parseVarDeclarationList):
362         (JSC::Parser<LexerType>::parseForStatement):
363         * parser/Parser.h:
364
365 2015-02-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
366
367         Unreviewed, fix a build break on EFL port since r179648.
368
369         * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. 
370         (JSC::MachineThreads::tryCopyOtherThreadStacks):
371
372 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
373
374         Web Inspector: ES6: Improved Console Support for Symbol Objects
375         https://bugs.webkit.org/show_bug.cgi?id=141173
376
377         Reviewed by Timothy Hatcher.
378
379         * inspector/protocol/Runtime.json:
380         New type, "symbol".
381
382         * inspector/InjectedScriptSource.js:
383         Handle Symbol objects in a few places. They don't have properties
384         and they cannot be implicitly converted to strings.
385
386 2015-02-04  Mark Lam  <mark.lam@apple.com>
387
388         Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.
389
390         Not reviewed.
391
392         * heap/MachineStackMarker.cpp:
393         (JSC::MachineThreads::tryCopyOtherThreadStacks):
394
395 2015-02-04  Mark Lam  <mark.lam@apple.com>
396
397         Gardening: Changed expected ERROR message to WARNING to make test bots happy.
398
399         Rubber stamped by Simon Fraser.
400
401         * heap/MachineStackMarker.cpp:
402         (JSC::MachineThreads::tryCopyOtherThreadStacks):
403
404 2015-02-04  Mark Lam  <mark.lam@apple.com>
405
406         r179576 introduced a deadlock potential during GC thread suspension.
407         <https://webkit.org/b/141268>
408
409         Reviewed by Michael Saboff.
410
411         http://trac.webkit.org/r179576 introduced a potential for deadlocking.
412         In the GC thread suspension loop, we currently delete
413         MachineThreads::Thread that we detect to be invalid.  This is unsafe
414         because we may have already suspended some threads, and one of those
415         suspended threads may still be holding the C heap lock which we need
416         for deleting the invalid thread.
417
418         The fix is to put the invalid threads in a separate toBeDeleted list,
419         and delete them only after GC has resumed all threads.
420
421         * heap/MachineStackMarker.cpp:
422         (JSC::MachineThreads::removeCurrentThread):
423         - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
424           removeCurrentThread() since it is no longer needed.
425
426         (JSC::MachineThreads::tryCopyOtherThreadStacks):
427         - Put invalid Threads on a threadsToBeDeleted list, and delete those
428           Threads only after all threads have been resumed.
429
430         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
431         * heap/MachineStackMarker.h:
432
433 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
434
435         Web Inspector: Clean up Object Property Descriptor Collection
436         https://bugs.webkit.org/show_bug.cgi?id=141222
437
438         Reviewed by Timothy Hatcher.
439
440         * inspector/InjectedScriptSource.js:
441         Use a list of options when determining which properties to collect
442         instead of a few booleans with overlapping responsibilities.
443
444 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
445
446         Web Inspector: console.table with columnName filter for non-existent property should still show column
447         https://bugs.webkit.org/show_bug.cgi?id=141066
448
449         Reviewed by Timothy Hatcher.
450
451         * inspector/ConsoleMessage.cpp:
452         (Inspector::ConsoleMessage::addToFrontend):
453         When a user provides a second argument, e.g. console.table(..., columnNames),
454         then pass that second argument to the frontend.
455
456         * inspector/InjectedScriptSource.js:
457         Add a FIXME about the old, unused path now.
458
459 2015-02-04  Saam Barati  <saambarati1@gmail.com>
460
461         TypeSet can use 1 byte instead of 4 bytes for its m_seenTypes member variable
462         https://bugs.webkit.org/show_bug.cgi?id=141204
463
464         Reviewed by Darin Adler.
465
466         There is no need to use 32 bits to store a TypeSet::RuntimeType set 
467         bit-vector when the largest value for a single TypeSet::RuntimeType 
468         is 0x80. 8 bits is enough to represent the set of seen types.
469
470         * dfg/DFGFixupPhase.cpp:
471         (JSC::DFG::FixupPhase::fixupNode):
472         * runtime/TypeSet.cpp:
473         (JSC::TypeSet::doesTypeConformTo):
474         * runtime/TypeSet.h:
475         (JSC::TypeSet::seenTypes):
476
477 2015-02-04  Mark Lam  <mark.lam@apple.com>
478
479         Remove concept of makeUsableFromMultipleThreads().
480         <https://webkit.org/b/141221>
481
482         Reviewed by Mark Hahnenberg.
483
484         Currently, we rely on VM::makeUsableFromMultipleThreads() being called before we
485         start acquiring the JSLock and entering the VM from different threads.
486         Acquisition of the JSLock will register the acquiring thread with the VM's thread
487         registry if not already registered.  However, it will only do this if the VM's
488         thread specific key has been initialized by makeUsableFromMultipleThreads().
489
490         This is fragile, and also does not read intuitively because one would expect to
491         acquire the JSLock before calling any methods on the VM.  This is exactly what
492         JSGlobalContextCreateInGroup() did (i.e. acquire the lock before calling
493         makeUsableFromMultipleThreads()), but is wrong.  The result is that the invoking
494         thread will not have been registered with the VM during that first entry into
495         the VM.
496
497         The fix is to make it so that we initialize the VM's thread specific key on
498         construction of the VM's MachineThreads registry instead of relying on
499         makeUsableFromMultipleThreads() being called.  With this, we can eliminate
500         makeUsableFromMultipleThreads() altogether.
501
502         Performance results are neutral in aggregate.
503
504         * API/JSContextRef.cpp:
505         (JSGlobalContextCreateInGroup):
506         * heap/MachineStackMarker.cpp:
507         (JSC::MachineThreads::MachineThreads):
508         (JSC::MachineThreads::~MachineThreads):
509         (JSC::MachineThreads::addCurrentThread):
510         (JSC::MachineThreads::removeThread):
511         (JSC::MachineThreads::gatherConservativeRoots):
512         (JSC::MachineThreads::makeUsableFromMultipleThreads): Deleted.
513         * heap/MachineStackMarker.h:
514         * runtime/VM.cpp:
515         (JSC::VM::sharedInstance):
516         * runtime/VM.h:
517         (JSC::VM::makeUsableFromMultipleThreads): Deleted.
518
519 2015-02-04  Chris Dumez  <cdumez@apple.com>
520
521         Add removeFirst(value) / removeAll(value) methods to WTF::Vector
522         https://bugs.webkit.org/show_bug.cgi?id=141192
523
524         Reviewed by Benjamin Poulain.
525
526         Use new Vector::removeFirst(value) / removeAll(value) API to simplify the
527         code a bit.
528
529         * inspector/InspectorValues.cpp:
530         (Inspector::InspectorObjectBase::remove):
531
532 2015-02-03  Mark Lam  <mark.lam@apple.com>
533
534         Workaround a thread library bug where thread destructors may not get called.
535         <https://webkit.org/b/141209>
536
537         Reviewed by Michael Saboff.
538
539         There's a bug where thread destructors may not get called.  As far as
540         we know, this only manifests on darwin ports.  We will work around this
541         by checking at GC time if the platform thread is still valid.  If not,
542         we'll purge it from the VM's registeredThreads list before proceeding
543         with thread scanning activity.
544
545         Note: it is important that we do this invalid thread detection during
546         suspension, because the validity (and liveness) of the other thread is
547         only guaranteed while it is suspended.
548
549         * API/tests/testapi.mm:
550         (threadMain):
551         - Added a test to enter the VM from another thread before we GC on
552           the main thread.
553
554         * heap/MachineStackMarker.cpp:
555         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired):
556         (JSC::MachineThreads::removeCurrentThread):
557         - refactored removeThreadWithLockAlreadyAcquired() out from
558           removeCurrentThread() so that we can also call it for purging invalid
559           threads.
560         (JSC::suspendThread):
561         - Added a return status to tell if the suspension succeeded or not.
562         (JSC::MachineThreads::tryCopyOtherThreadStacks):
563         - Check if the suspension failed, and purge the thread if we can't
564           suspend it.  Failure to suspend implies that the thread has
565           terminated without calling its destructor.
566         * heap/MachineStackMarker.h:
567
568 2015-02-03  Joseph Pecoraro  <pecoraro@apple.com>
569
570         Web Inspector: ASSERT mainThreadPthread launching remote debuggable JSContext app with Debug JavaScriptCore
571         https://bugs.webkit.org/show_bug.cgi?id=141189
572
573         Reviewed by Michael Saboff.
574
575         * inspector/remote/RemoteInspector.mm:
576         (Inspector::RemoteInspector::singleton):
577         Ensure we call WTF::initializeMainThread() on the main thread so that
578         we can perform automatic String <-> NSString conversions.
579
580 2015-02-03  Brent Fulgham  <bfulgham@apple.com>
581
582         [Win] Project file cleanups after r179429.
583
584         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
585         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
586
587 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
588
589         arguments[-1] should have well-defined behavior
590         https://bugs.webkit.org/show_bug.cgi?id=141183
591
592         Reviewed by Mark Lam.
593         
594         According to JSC's internal argument numbering, 0 is "this" and 1 is the first argument.
595         In the "arguments[i]" expression, "this" is not accessible and i = 0 refers to the first
596         argument. Previously we handled the bounds check in "arguments[i]" - where "arguments" is
597         statically known to be the current function's arguments object - as follows:
598         
599             add 1, i
600             branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
601         
602         The problem with this is that if i = -1, this passes the test, and we end up accessing
603         what would be the "this" argument slot. That's wrong, since we should really be bottoming
604         out in arguments["-1"], which is usually undefined but could be anything. It's even worse
605         if the function is inlined or if we're in a constructor - in that case the "this" slot
606         could be garbage.
607         
608         It turns out that we had this bug in all of our engines.
609         
610         This fixes the issue by changing the algorithm to:
611         
612             load32 callFrame.ArgumentCount, tmp
613             sub 1, tmp
614             branchAboveOrEqual i, tmp, slowPath
615         
616         In some engines, we would have used the modified "i" (the one that had 1 added to it) for
617         the subsequent argument load; since we don't do this anymore I also had to change some of
618         the offsets on the BaseIndex arguments load.
619         
620         This also includes tests that are written in such a way as to get coverage on LLInt and
621         Baseline JIT (get-my-argument-by-val-wrap-around-no-warm-up), DFG and FTL
622         (get-my-argument-by-val-wrap-around), and DFG when we're being paranoid about the user
623         overwriting the "arguments" variable (get-my-argument-by-val-safe-wrap-around). This also
624         includes off-by-1 out-of-bounds tests for each of these cases, since in the process of
625         writing the patch I broke the arguments[arguments.length] case in the DFG and didn't see
626         any test failures.
627
628         * dfg/DFGSpeculativeJIT32_64.cpp:
629         (JSC::DFG::SpeculativeJIT::compile):
630         * dfg/DFGSpeculativeJIT64.cpp:
631         (JSC::DFG::SpeculativeJIT::compile):
632         * ftl/FTLLowerDFGToLLVM.cpp:
633         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
634         * jit/AssemblyHelpers.h:
635         (JSC::AssemblyHelpers::offsetOfArguments):
636         (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis): Deleted.
637         * jit/JITOpcodes.cpp:
638         (JSC::JIT::emit_op_get_argument_by_val):
639         * jit/JITOpcodes32_64.cpp:
640         (JSC::JIT::emit_op_get_argument_by_val):
641         * llint/LowLevelInterpreter.asm:
642         * llint/LowLevelInterpreter32_64.asm:
643         * llint/LowLevelInterpreter64.asm:
644         * tests/stress/get-my-argument-by-val-out-of-bounds-no-warm-up.js: Added.
645         (foo):
646         * tests/stress/get-my-argument-by-val-out-of-bounds.js: Added.
647         (foo):
648         * tests/stress/get-my-argument-by-val-safe-out-of-bounds.js: Added.
649         (foo):
650         * tests/stress/get-my-argument-by-val-safe-wrap-around.js: Added.
651         (foo):
652         * tests/stress/get-my-argument-by-val-wrap-around-no-warm-up.js: Added.
653         (foo):
654         * tests/stress/get-my-argument-by-val-wrap-around.js: Added.
655         (foo):
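The two bounds-check sequences described in this entry, modeled in C as an added example (this is not JSC code): the slot layout, the ArgumentCount values and the probe indices are constructed, and each function returns the argument slot the fast path would load, or -1 where the real code branches to the slow path. It shows why the old "add 1, then unsigned compare" lets i = -1 wrap to 0 and read the "this" slot, why the new "compare i against ArgumentCount - 1" does not, that arguments[arguments.length] takes the slow path under both, and what happens for a frame with ArgumentCount = 1 (no arguments passed), the case the FTL entry further down deals with.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of a JSC call frame's argument area. In JSC's internal
 * numbering slot 0 holds "this" and slot 1 holds the first real argument, so
 * arguments[i] maps to slot i + 1. ArgumentCount counts "this" as well, so it
 * is always >= 1 for a real frame (assumed here).
 *
 * Both checks are unsigned compares (branchAboveOrEqual), which is what makes
 * i = -1 interesting: as a uint32_t it is 0xFFFFFFFF.
 */

/* Old check: add 1 to i, then unsigned-compare against ArgumentCount.
 * Returns the slot the fast path would load, or -1 for the slow path. */
int32_t old_fast_path_slot(uint32_t argument_count, int32_t i)
{
    uint32_t adjusted = (uint32_t)i + 1u;   /* add 1, i  (i = -1 wraps to 0) */
    if (adjusted >= argument_count)         /* branchAboveOrEqual i, ArgumentCount, slowPath */
        return -1;
    return (int32_t)adjusted;               /* old code then loaded slot "adjusted" */
}

/* New check: subtract 1 from ArgumentCount, unsigned-compare the unmodified i.
 * Returns the slot the fast path would load, or -1 for the slow path. */
int32_t new_fast_path_slot(uint32_t argument_count, int32_t i)
{
    uint32_t tmp = argument_count - 1u;     /* load32 ArgumentCount, tmp; sub 1, tmp */
    if ((uint32_t)i >= tmp)                 /* branchAboveOrEqual i, tmp, slowPath */
        return -1;
    return (int32_t)((uint32_t)i + 1u);     /* slot actually loaded: i + 1 */
}

int main(void)
{
    /* Constructed frame: "this" plus three arguments, so ArgumentCount = 4
     * and arguments.length = 3. Probes cover -1, in-range, length and beyond. */
    const uint32_t argc = 4;
    const int32_t probes[] = { -1, 0, 2, 3, 4 };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++) {
        int32_t i = probes[k];
        printf("arguments[%d]: old check -> slot %d, new check -> slot %d\n",
               i, old_fast_path_slot(argc, i), new_fast_path_slot(argc, i));
    }
    return 0;
}
```

A return of 0 from the old check is the bug: the fast path reads the "this" slot, which for an inlined frame or a constructor may hold garbage, instead of falling back to the generic arguments["-1"] lookup.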
656
657 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
658
659         MultiGetByOffset should be marked NodeMustGenerate
660         https://bugs.webkit.org/show_bug.cgi?id=140137
661
662         Reviewed by Michael Saboff.
663
664         * dfg/DFGNode.h:
665         (JSC::DFG::Node::convertToGetByOffset): We were sloppy - we should also clear NodeMustGenerate once it's a GetByOffset.
666         (JSC::DFG::Node::convertToMultiGetByOffset): Assert that we converted from something that already had NodeMustGenerate.
667         * dfg/DFGNodeType.h: We shouldn't DCE a node that does checks and could be effectful in baseline. Marking MultiGetByOffset as NodeMustGenerate prevents DCE. FTL could still DCE the actual loads, but the checks will stay.
668         * tests/stress/multi-get-by-offset-dce.js: Added. This previously failed because the getter wasn't called.
669         (foo):
670
671 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
672
673         [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
674         https://bugs.webkit.org/show_bug.cgi?id=141180
675         rdar://problem/19677552
676
677         Reviewed by Benjamin Poulain.
678         
679         If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
680         bounds check already terminates execution. This means we can skip the part where we
681         previously did an out-of-bound array access on the inlined call frame arguments vector.
682
683         * ftl/FTLLowerDFGToLLVM.cpp:
684         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
685         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
686         (JSC::FTL::LowerDFGToLLVM::terminate):
687         (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
688         (JSC::FTL::LowerDFGToLLVM::crash):
689         * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
690         (foo):
691         (bar):
692
693 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
694
695         REGRESSION(r179477): arguments simplification no longer works
696         https://bugs.webkit.org/show_bug.cgi?id=141169
697
698         Reviewed by Mark Lam.
699         
700         The operations involved in callee/scope access don't exit and shouldn't get in the way
701         of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in
702         the way of further such strength-reduction. We also need to canonicalize PhantomLocal
703         before running arguments simplification.
704
705         * dfg/DFGMayExit.cpp:
706         (JSC::DFG::mayExit):
707         * dfg/DFGPlan.cpp:
708         (JSC::DFG::Plan::compileInThreadImpl):
709         * dfg/DFGStrengthReductionPhase.cpp:
710         (JSC::DFG::StrengthReductionPhase::handleNode):
711
712 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
713
714         VirtualRegister should really know how to dump itself
715         https://bugs.webkit.org/show_bug.cgi?id=141171
716
717         Reviewed by Geoffrey Garen.
718         
719         Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of
720         the patch is all about using this new power.
721
722         * CMakeLists.txt:
723         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
724         * JavaScriptCore.xcodeproj/project.pbxproj:
725         * bytecode/CodeBlock.cpp:
726         (JSC::constantName):
727         (JSC::CodeBlock::registerName):
728         * bytecode/CodeBlock.h:
729         (JSC::missingThisObjectMarker): Deleted.
730         * bytecode/VirtualRegister.cpp: Added.
731         (JSC::VirtualRegister::dump):
732         * bytecode/VirtualRegister.h:
733         (WTF::printInternal): Deleted.
734         * dfg/DFGArgumentPosition.h:
735         (JSC::DFG::ArgumentPosition::dump):
736         * dfg/DFGFlushedAt.cpp:
737         (JSC::DFG::FlushedAt::dump):
738         * dfg/DFGGraph.cpp:
739         (JSC::DFG::Graph::dump):
740         * dfg/DFGPutLocalSinkingPhase.cpp:
741         * dfg/DFGSSAConversionPhase.cpp:
742         (JSC::DFG::SSAConversionPhase::run):
743         * dfg/DFGValidate.cpp:
744         (JSC::DFG::Validate::reportValidationContext):
745         * dfg/DFGValueSource.cpp:
746         (JSC::DFG::ValueSource::dump):
747         * dfg/DFGVariableEvent.cpp:
748         (JSC::DFG::VariableEvent::dump):
749         (JSC::DFG::VariableEvent::dumpSpillInfo):
750         * ftl/FTLExitArgumentForOperand.cpp:
751         (JSC::FTL::ExitArgumentForOperand::dump):
752         * ftl/FTLExitValue.cpp:
753         (JSC::FTL::ExitValue::dumpInContext):
754         * profiler/ProfilerBytecodeSequence.cpp:
755         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
756
757 2015-02-02  Geoffrey Garen  <ggaren@apple.com>
758
759         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
760         https://bugs.webkit.org/show_bug.cgi?id=140900
761
762         Reviewed by Mark Hahnenberg.
763
764         Re-landing just the HandleBlock piece of this patch.
765
766         * heap/HandleBlock.h:
767         * heap/HandleBlockInlines.h:
768         (JSC::HandleBlock::create):
769         (JSC::HandleBlock::destroy):
770         (JSC::HandleBlock::HandleBlock):
771         (JSC::HandleBlock::payloadEnd):
772         * heap/HandleSet.cpp:
773         (JSC::HandleSet::~HandleSet):
774         (JSC::HandleSet::grow):
775
776 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
777
778         Web Inspector: Support console.table
779         https://bugs.webkit.org/show_bug.cgi?id=141058
780
781         Reviewed by Timothy Hatcher.
782
783         * inspector/InjectedScriptSource.js:
784         Include the firstLevelKeys filter when generating previews.
785
786         * runtime/ConsoleClient.cpp:
787         (JSC::appendMessagePrefix):
788         Differentiate console.table logs to system log.
789
790 2015-01-31  Filip Pizlo  <fpizlo@apple.com>
791
792         BinarySwitch should be faster on average
793         https://bugs.webkit.org/show_bug.cgi?id=141046
794
795         Reviewed by Anders Carlsson.
796         
797         This optimizes our binary switch using math. It's strictly better than what we had before
798         assuming we bottom out in some case (rather than fall through), assuming all cases get
799         hit with equal probability. The difference is particularly large for large switch
800         statements. For example, a switch statement with 1000 cases would previously require on
801         average 13.207 branches to get to some case, while now it just requires 10.464.
802         
803         This is also a progression for the fall-through case, though we could shave off another
804         1/6 branch on average if we wanted to - though it would regress taking a case (not falling
805         through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
806         through.
807         
808         This also adds some randomness to the algorithm to minimize the likelihood of us
809         generating a switch statement that is always particularly bad for some input. Note that
810         the randomness has no effect on average-case performance assuming all cases are equally
811         likely.
812         
813         This ought to have no actual performance change because we don't rely on binary switches
814         that much. The main reason why this change is interesting is that I'm finding myself
815         increasingly relying on BinarySwitch, and I'd like to know that it's optimal.
816
817         * jit/BinarySwitch.cpp:
818         (JSC::BinarySwitch::BinarySwitch):
819         (JSC::BinarySwitch::~BinarySwitch):
820         (JSC::BinarySwitch::build):
821         * jit/BinarySwitch.h:
822
823 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
824
825         Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
826         https://bugs.webkit.org/show_bug.cgi?id=141064
827
828         Reviewed by Timothy Hatcher.
829
830         * inspector/protocol/CSS.json:
831
832 2015-02-02  Daniel Bates  <dabates@apple.com>
833
834         [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
835         https://bugs.webkit.org/show_bug.cgi?id=141057
836         <rdar://problem/19068790>
837
838         Reviewed by Alexey Proskuryakov.
839
840         * inspector/remote/RemoteInspector.mm:
841         (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
842         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
843         WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
844         and CryptoKeyRSA::generatePair().
845
846 2015-02-02  Saam Barati  <saambarati1@gmail.com>
847
848         Create tests for JSC's Control Flow Profiler
849         https://bugs.webkit.org/show_bug.cgi?id=141123
850
851         Reviewed by Filip Pizlo.
852
853         This patch creates a control flow profiler testing API in jsc.cpp 
854         that accepts a function and a string as arguments. The string must 
855         be a substring of the text of the function argument. The API returns 
856         a boolean indicating whether or not the basic block that encloses the 
857         substring has executed.
858
859         This patch uses this API to test that the control flow profiler
860         behaves as expected on basic block boundaries. These tests do not
861         provide full coverage for all JavaScript statements that can create
862         basic blocks boundaries. Full coverage will come in a later patch.
863
864         * jsc.cpp:
865         (GlobalObject::finishCreation):
866         (functionHasBasicBlockExecuted):
867         * runtime/ControlFlowProfiler.cpp:
868         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
869         * runtime/ControlFlowProfiler.h:
870         * tests/controlFlowProfiler: Added.
871         * tests/controlFlowProfiler.yaml: Added.
872         * tests/controlFlowProfiler/driver: Added.
873         * tests/controlFlowProfiler/driver/driver.js: Added.
874         (assert):
875         * tests/controlFlowProfiler/if-statement.js: Added.
876         (testIf):
877         (noMatches):
878         * tests/controlFlowProfiler/loop-statements.js: Added.
879         (forRegular):
880         (forIn):
881         (forOf):
882         (whileLoop):
883         * tests/controlFlowProfiler/switch-statements.js: Added.
884         (testSwitch):
885         * tests/controlFlowProfiler/test-jit.js: Added.
886         (tierUpToBaseline):
887         (tierUpToDFG):
888         (baselineTest):
889         (dfgTest):
890
891 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
892
893         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
894         https://bugs.webkit.org/show_bug.cgi?id=140660
895
896         Reviewed by Geoffrey Garen.
897         
898         When we first implemented polymorphic call inlining, we did the profiling based on a call
899         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
900         global log that was processed lazily. Processing the log would give precise counts of call
901         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
902         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
903         nonetheless.
904         
905         Experience with this code shows three things. First, the call edge profiler is buggy and
906         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
907         overhead for latency code that we care deeply about. Third, it's not at all clear that
908         having call edge counts for every possible callee is any better than just having call edge
909         counts for the limited number of callees that an inline cache would catch.
910         
911         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
912         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
913         out-of-line stub that cases on the previously known callees. If that misses again, then we
914         rewrite that stub to include the new callee. We do this up to some number of callees. If we
915         hit the limit then we switch to using a plain virtual call.
916         
917         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
918         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
919         
920         Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.
921
922         * CMakeLists.txt:
923         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
924         * JavaScriptCore.xcodeproj/project.pbxproj:
925         * bytecode/CallEdge.h:
926         (JSC::CallEdge::count):
927         (JSC::CallEdge::CallEdge):
928         * bytecode/CallEdgeProfile.cpp: Removed.
929         * bytecode/CallEdgeProfile.h: Removed.
930         * bytecode/CallEdgeProfileInlines.h: Removed.
931         * bytecode/CallLinkInfo.cpp:
932         (JSC::CallLinkInfo::unlink):
933         (JSC::CallLinkInfo::visitWeak):
934         * bytecode/CallLinkInfo.h:
935         * bytecode/CallLinkStatus.cpp:
936         (JSC::CallLinkStatus::CallLinkStatus):
937         (JSC::CallLinkStatus::computeFor):
938         (JSC::CallLinkStatus::computeFromCallLinkInfo):
939         (JSC::CallLinkStatus::isClosureCall):
940         (JSC::CallLinkStatus::makeClosureCall):
941         (JSC::CallLinkStatus::dump):
942         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
943         * bytecode/CallLinkStatus.h:
944         (JSC::CallLinkStatus::CallLinkStatus):
945         (JSC::CallLinkStatus::isSet):
946         (JSC::CallLinkStatus::variants):
947         (JSC::CallLinkStatus::size):
948         (JSC::CallLinkStatus::at):
949         (JSC::CallLinkStatus::operator[]):
950         (JSC::CallLinkStatus::canOptimize):
951         (JSC::CallLinkStatus::edges): Deleted.
952         (JSC::CallLinkStatus::canTrustCounts): Deleted.
953         * bytecode/CallVariant.cpp:
954         (JSC::variantListWithVariant):
955         (JSC::despecifiedVariantList):
956         * bytecode/CallVariant.h:
957         * bytecode/CodeBlock.cpp:
958         (JSC::CodeBlock::~CodeBlock):
959         (JSC::CodeBlock::linkIncomingPolymorphicCall):
960         (JSC::CodeBlock::unlinkIncomingCalls):
961         (JSC::CodeBlock::noticeIncomingCall):
962         * bytecode/CodeBlock.h:
963         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
964         * dfg/DFGAbstractInterpreterInlines.h:
965         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
966         * dfg/DFGByteCodeParser.cpp:
967         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
968         (JSC::DFG::ByteCodeParser::handleCall):
969         (JSC::DFG::ByteCodeParser::handleInlining):
970         * dfg/DFGClobberize.h:
971         (JSC::DFG::clobberize):
972         * dfg/DFGConstantFoldingPhase.cpp:
973         (JSC::DFG::ConstantFoldingPhase::foldConstants):
974         * dfg/DFGDoesGC.cpp:
975         (JSC::DFG::doesGC):
976         * dfg/DFGDriver.cpp:
977         (JSC::DFG::compileImpl):
978         * dfg/DFGFixupPhase.cpp:
979         (JSC::DFG::FixupPhase::fixupNode):
980         * dfg/DFGNode.h:
981         (JSC::DFG::Node::hasHeapPrediction):
982         * dfg/DFGNodeType.h:
983         * dfg/DFGOperations.cpp:
984         * dfg/DFGPredictionPropagationPhase.cpp:
985         (JSC::DFG::PredictionPropagationPhase::propagate):
986         * dfg/DFGSafeToExecute.h:
987         (JSC::DFG::safeToExecute):
988         * dfg/DFGSpeculativeJIT32_64.cpp:
989         (JSC::DFG::SpeculativeJIT::emitCall):
990         (JSC::DFG::SpeculativeJIT::compile):
991         * dfg/DFGSpeculativeJIT64.cpp:
992         (JSC::DFG::SpeculativeJIT::emitCall):
993         (JSC::DFG::SpeculativeJIT::compile):
994         * dfg/DFGTierUpCheckInjectionPhase.cpp:
995         (JSC::DFG::TierUpCheckInjectionPhase::run):
996         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
997         * ftl/FTLCapabilities.cpp:
998         (JSC::FTL::canCompile):
999         * heap/Heap.cpp:
1000         (JSC::Heap::collect):
1001         * jit/BinarySwitch.h:
1002         * jit/ClosureCallStubRoutine.cpp: Removed.
1003         * jit/ClosureCallStubRoutine.h: Removed.
1004         * jit/JITCall.cpp:
1005         (JSC::JIT::compileOpCall):
1006         * jit/JITCall32_64.cpp:
1007         (JSC::JIT::compileOpCall):
1008         * jit/JITOperations.cpp:
1009         * jit/JITOperations.h:
1010         (JSC::operationLinkPolymorphicCallFor):
1011         (JSC::operationLinkClosureCallFor): Deleted.
1012         * jit/JITStubRoutine.h:
1013         * jit/JITWriteBarrier.h:
1014         * jit/PolymorphicCallStubRoutine.cpp: Added.
1015         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
1016         (JSC::PolymorphicCallNode::unlink):
1017         (JSC::PolymorphicCallCase::dump):
1018         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1019         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
1020         (JSC::PolymorphicCallStubRoutine::variants):
1021         (JSC::PolymorphicCallStubRoutine::edges):
1022         (JSC::PolymorphicCallStubRoutine::visitWeak):
1023         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
1024         * jit/PolymorphicCallStubRoutine.h: Added.
1025         (JSC::PolymorphicCallNode::PolymorphicCallNode):
1026         (JSC::PolymorphicCallCase::PolymorphicCallCase):
1027         (JSC::PolymorphicCallCase::variant):
1028         (JSC::PolymorphicCallCase::codeBlock):
1029         * jit/Repatch.cpp:
1030         (JSC::linkSlowFor):
1031         (JSC::linkFor):
1032         (JSC::revertCall):
1033         (JSC::unlinkFor):
1034         (JSC::linkVirtualFor):
1035         (JSC::linkPolymorphicCall):
1036         (JSC::linkClosureCall): Deleted.
1037         * jit/Repatch.h:
1038         * jit/ThunkGenerators.cpp:
1039         (JSC::linkPolymorphicCallForThunkGenerator):
1040         (JSC::linkPolymorphicCallThunkGenerator):
1041         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
1042         (JSC::linkClosureCallForThunkGenerator): Deleted.
1043         (JSC::linkClosureCallThunkGenerator): Deleted.
1044         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
1045         * jit/ThunkGenerators.h:
1046         (JSC::linkPolymorphicCallThunkGeneratorFor):
1047         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
1048         * llint/LLIntSlowPaths.cpp:
1049         (JSC::LLInt::jitCompileAndSetHeuristics):
1050         * runtime/Options.h:
1051         * runtime/VM.cpp:
1052         (JSC::VM::prepareToDiscardCode):
1053         (JSC::VM::ensureCallEdgeLog): Deleted.
1054         * runtime/VM.h:
1055
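The cache progression described in this entry (monomorphic cache, then an out-of-line stub that is rewritten for each new callee, then a plain virtual call once a callee limit is reached), as an added illustrative model that is not JSC's code: the callee limit of 4, the type names and the callee-id representation are assumptions made for the example.

```cpp
// Illustrative model of a polymorphic call inline cache (constructed example,
// not JavaScriptCore's implementation). Callees are identified by an int.
#include <algorithm>
#include <cstddef>
#include <vector>

enum class CallCacheState { Unlinked, Monomorphic, Polymorphic, Virtual };

struct CallSiteCache {
    // Assumed limit on callees the out-of-line stub will case on.
    static constexpr size_t maxPolymorphicCallees = 4;

    CallCacheState state = CallCacheState::Unlinked;
    std::vector<int> callees;   // callees the current stub knows about
    unsigned stubRewrites = 0;  // times the out-of-line stub was regenerated

    // Returns true when the call hits the cache (or is a virtual call, which
    // never misses), false when the cache had to be (re)linked.
    bool dispatch(int callee) {
        switch (state) {
        case CallCacheState::Unlinked:
            // First call links the basic (monomorphic) inline cache.
            callees.push_back(callee);
            state = CallCacheState::Monomorphic;
            return false;
        case CallCacheState::Monomorphic:
            if (callees[0] == callee)
                return true;
            // Miss: inflate to an out-of-line stub casing on both callees.
            callees.push_back(callee);
            state = CallCacheState::Polymorphic;
            ++stubRewrites;
            return false;
        case CallCacheState::Polymorphic:
            if (std::find(callees.begin(), callees.end(), callee) != callees.end())
                return true;
            if (callees.size() >= maxPolymorphicCallees) {
                // Limit hit: give up on the stub and use a plain virtual call.
                callees.clear();
                state = CallCacheState::Virtual;
                return false;
            }
            // Miss below the limit: rewrite the stub to include the new callee.
            callees.push_back(callee);
            ++stubRewrites;
            return false;
        case CallCacheState::Virtual:
            return true;
        }
        return false;
    }
};

struct SimulationResult {
    unsigned misses;
    unsigned stubRewrites;
    CallCacheState finalState;
};

// Replays a sequence of callees through one call site and reports what
// happened, so the state transitions can be checked programmatically.
SimulationResult simulateCallSite(const std::vector<int>& calleeSequence) {
    CallSiteCache cache;
    unsigned misses = 0;
    for (int callee : calleeSequence) {
        if (!cache.dispatch(callee))
            ++misses;
    }
    return { misses, cache.stubRewrites, cache.state };
}
```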
1056 2015-01-30  Filip Pizlo  <fpizlo@apple.com>
1057
1058         Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
1059         https://bugs.webkit.org/show_bug.cgi?id=141107
1060
1061         Reviewed by Michael Saboff.
1062         
1063         See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
1064         that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
1065         OSR availability analysis to determine the right MovHint value to use for the Phantom.
1066
1067         * dfg/DFGCPSRethreadingPhase.cpp:
1068         (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
1069         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1070         (JSC::DFG::CPSRethreadingPhase::clearVariables):
1071         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1072         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1073         (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
1074         * dfg/DFGNode.h:
1075         (JSC::DFG::Node::convertPhantomToPhantomLocal):
1076         (JSC::DFG::Node::convertFlushToPhantomLocal):
1077         (JSC::DFG::Node::convertToPhantomLocal): Deleted.
1078         * dfg/DFGStrengthReductionPhase.cpp:
1079         (JSC::DFG::StrengthReductionPhase::handleNode):
1080         * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
1081         (foo):
1082         (bar):
1083         (baz):
1084
1085 2015-01-31  Michael Saboff  <msaboff@apple.com>
1086
1087         Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
1088         https://bugs.webkit.org/show_bug.cgi?id=141111
1089
1090         Reviewed by Filip Pizlo.
1091
1092         In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
1093         exited, we don't need to process the OSR availability or abstract interpreter.
1094
1095         * ftl/FTLLowerDFGToLLVM.cpp:
1096         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
1097         method since we need to call it at the top and near the bottom of compileNode().
1098         (JSC::FTL::LowerDFGToLLVM::compileNode):
1099
1100 2015-01-31  Sam Weinig  <sam@webkit.org>
1101
1102         Remove even more Mountain Lion support
1103         https://bugs.webkit.org/show_bug.cgi?id=141124
1104
1105         Reviewed by Alexey Proskuryakov.
1106
1107         * API/tests/DateTests.mm:
1108         * Configurations/Base.xcconfig:
1109         * Configurations/DebugRelease.xcconfig:
1110         * Configurations/FeatureDefines.xcconfig:
1111         * Configurations/Version.xcconfig:
1112         * jit/ExecutableAllocatorFixedVMPool.cpp:
1113
1114 2015-01-31  Commit Queue  <commit-queue@webkit.org>
1115
1116         Unreviewed, rolling out r179426.
1117         https://bugs.webkit.org/show_bug.cgi?id=141119
1118
1119         "caused a memory use regression" (Requested by Guest45 on
1120         #webkit).
1121
1122         Reverted changeset:
1123
1124         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
1125         pages"
1126         https://bugs.webkit.org/show_bug.cgi?id=140900
1127         http://trac.webkit.org/changeset/179426
1128
1129 2015-01-30  Daniel Bates  <dabates@apple.com>
1130
1131         Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
1132         https://bugs.webkit.org/show_bug.cgi?id=141067
1133
1134         Reviewed by Timothy Hatcher.
1135
1136         Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
1137         do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
1138         and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
1139         header RemoteInspectorDebuggableConnection.h.
1140
1141         * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
1142         * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
1143         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.
1144
1145 2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1146
1147         Implement ES6 Symbol
1148         https://bugs.webkit.org/show_bug.cgi?id=140435
1149
1150         Reviewed by Geoffrey Garen.
1151
1152         This patch implements ES6 Symbol. In this patch, we don't support
1153         Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
1154         supported in the subsequent patches.
1155
1156         Since ES6 Symbol is introduced as a new primitive value, we implement
1157         Symbol as a class derived from JSCell. And now JSValue accepts Symbol*
1158         as a new primitive value.
1159
1160         Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
1161         value represents the Symbol's identity. So don't use the Symbol's
1162         JSCell pointer value for comparison.
1163         This enables reproducing the Symbol primitive value from the StringImpl* uid
1164         by executing `Symbol::create(vm, uid)`. This is needed to produce
1165         Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.
1166
1167         And Symbol.[[Description]] is folded into the string value of the Symbol's uid.
1168         By doing so, we can represent ES6 Symbol without extending the current PropertyTable key, StringImpl*.
1169
1170         * CMakeLists.txt:
1171         * DerivedSources.make:
1172         * JavaScriptCore.order:
1173         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1174         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1175         * JavaScriptCore.xcodeproj/project.pbxproj:
1176         * builtins/BuiltinExecutables.cpp:
1177         (JSC::BuiltinExecutables::createBuiltinExecutable):
1178         * builtins/BuiltinNames.h:
1179         * dfg/DFGOperations.cpp:
1180         (JSC::DFG::operationPutByValInternal):
1181         * inspector/JSInjectedScriptHost.cpp:
1182         (Inspector::JSInjectedScriptHost::subtype):
1183         * interpreter/Interpreter.cpp:
1184         * jit/JITOperations.cpp:
1185         (JSC::getByVal):
1186         * llint/LLIntData.cpp:
1187         (JSC::LLInt::Data::performAssertions):
1188         * llint/LLIntSlowPaths.cpp:
1189         (JSC::LLInt::getByVal):
1190         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1191         * llint/LowLevelInterpreter.asm:
1192         * runtime/CommonIdentifiers.h:
1193         * runtime/CommonSlowPaths.cpp:
1194         (JSC::SLOW_PATH_DECL):
1195         * runtime/CommonSlowPaths.h:
1196         (JSC::CommonSlowPaths::opIn):
1197         * runtime/ExceptionHelpers.cpp:
1198         (JSC::createUndefinedVariableError):
1199         * runtime/JSCJSValue.cpp:
1200         (JSC::JSValue::synthesizePrototype):
1201         (JSC::JSValue::dumpInContextAssumingStructure):
1202         (JSC::JSValue::toStringSlowCase):
1203         * runtime/JSCJSValue.h:
1204         * runtime/JSCJSValueInlines.h:
1205         (JSC::JSValue::isSymbol):
1206         (JSC::JSValue::isPrimitive):
1207         (JSC::JSValue::toPropertyKey):
1208
1209         It represents the ToPropertyKey abstract operation in the ES6 spec.
1210         It cleans up the old implementation's `isName` checks.
1211         And to prevent performance regressions in
1212             js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
1213             js/regress/fold-get-by-id-to-multi-get-by-offset.html
1214         we annotate this function as ALWAYS_INLINE.
1215
1216         (JSC::JSValue::getPropertySlot):
1217         (JSC::JSValue::get):
1218         (JSC::JSValue::equalSlowCaseInline):
1219         (JSC::JSValue::strictEqualSlowCaseInline):
1220         * runtime/JSCell.cpp:
1221         (JSC::JSCell::put):
1222         (JSC::JSCell::putByIndex):
1223         (JSC::JSCell::toPrimitive):
1224         (JSC::JSCell::getPrimitiveNumber):
1225         (JSC::JSCell::toNumber):
1226         (JSC::JSCell::toObject):
1227         * runtime/JSCell.h:
1228         * runtime/JSCellInlines.h:
1229         (JSC::JSCell::isSymbol):
1230         (JSC::JSCell::toBoolean):
1231         (JSC::JSCell::pureToBoolean):
1232         * runtime/JSGlobalObject.cpp:
1233         (JSC::JSGlobalObject::init):
1234         (JSC::JSGlobalObject::visitChildren):
1235         * runtime/JSGlobalObject.h:
1236         (JSC::JSGlobalObject::symbolPrototype):
1237         (JSC::JSGlobalObject::symbolObjectStructure):
1238         * runtime/JSONObject.cpp:
1239         (JSC::Stringifier::Stringifier):
1240         * runtime/JSSymbolTableObject.cpp:
1241         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1242         * runtime/JSType.h:
1243         * runtime/JSTypeInfo.h:
1244         (JSC::TypeInfo::isName): Deleted.
1245         * runtime/MapData.cpp:
1246         (JSC::MapData::find):
1247         (JSC::MapData::add):
1248         (JSC::MapData::remove):
1249         (JSC::MapData::replaceAndPackBackingStore):
1250         * runtime/MapData.h:
1251         (JSC::MapData::clear):
1252         * runtime/NameInstance.h: Removed.
1253         * runtime/NamePrototype.cpp: Removed.
1254         * runtime/ObjectConstructor.cpp:
1255         (JSC::objectConstructorGetOwnPropertyDescriptor):
1256         (JSC::objectConstructorDefineProperty):
1257         * runtime/ObjectPrototype.cpp:
1258         (JSC::objectProtoFuncHasOwnProperty):
1259         (JSC::objectProtoFuncDefineGetter):
1260         (JSC::objectProtoFuncDefineSetter):
1261         (JSC::objectProtoFuncLookupGetter):
1262         (JSC::objectProtoFuncLookupSetter):
1263         (JSC::objectProtoFuncPropertyIsEnumerable):
1264         * runtime/Operations.cpp:
1265         (JSC::jsTypeStringForValue):
1266         (JSC::jsIsObjectType):
1267         * runtime/PrivateName.h:
1268         (JSC::PrivateName::PrivateName):
1269         (JSC::PrivateName::operator==):
1270         (JSC::PrivateName::operator!=):
1271         * runtime/PropertyMapHashTable.h:
1272         (JSC::PropertyTable::find):
1273         (JSC::PropertyTable::get):
1274         * runtime/PropertyName.h:
1275         (JSC::PropertyName::PropertyName):
1276         (JSC::PropertyName::publicName):
1277         * runtime/SmallStrings.h:
1278         * runtime/StringConstructor.cpp:
1279         (JSC::callStringConstructor):
1280
1281         In ES6, the String constructor accepts a Symbol when executing `String(symbol)`.
1282
1283         * runtime/Structure.cpp:
1284         (JSC::Structure::getPropertyNamesFromStructure):
1285         * runtime/StructureInlines.h:
1286         (JSC::Structure::prototypeForLookup):
1287         * runtime/Symbol.cpp: Added.
1288         (JSC::Symbol::Symbol):
1289         (JSC::SymbolObject::create):
1290         (JSC::Symbol::toPrimitive):
1291         (JSC::Symbol::toBoolean):
1292         (JSC::Symbol::getPrimitiveNumber):
1293         (JSC::Symbol::toObject):
1294         (JSC::Symbol::toNumber):
1295         (JSC::Symbol::destroy):
1296         (JSC::Symbol::descriptiveString):
1297         * runtime/Symbol.h: Added.
1298         (JSC::Symbol::createStructure):
1299         (JSC::Symbol::create):
1300         (JSC::Symbol::privateName):
1301         (JSC::Symbol::finishCreation):
1302         (JSC::asSymbol):
1303         * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
1304         (JSC::SymbolConstructor::SymbolConstructor):
1305         (JSC::SymbolConstructor::finishCreation):
1306         (JSC::callSymbol):
1307         (JSC::SymbolConstructor::getConstructData):
1308         (JSC::SymbolConstructor::getCallData):
1309         * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
1310         (JSC::SymbolConstructor::create):
1311         (JSC::SymbolConstructor::createStructure):
1312         * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
1313         (JSC::SymbolObject::SymbolObject):
1314         (JSC::SymbolObject::finishCreation):
1315         (JSC::SymbolObject::defaultValue):
1316
1317         Currently JSC doesn't support @@toPrimitive. So instead of it, we implement
1318         Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].
1319
1320         * runtime/SymbolObject.h: Added.
1321         (JSC::SymbolObject::create):
1322         (JSC::SymbolObject::internalValue):
1323         (JSC::SymbolObject::createStructure):
1324         * runtime/SymbolPrototype.cpp: Added.
1325         (JSC::SymbolPrototype::SymbolPrototype):
1326         (JSC::SymbolPrototype::finishCreation):
1327         (JSC::SymbolPrototype::getOwnPropertySlot):
1328         (JSC::symbolProtoFuncToString):
1329         (JSC::symbolProtoFuncValueOf):
1330         * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
1331         (JSC::SymbolPrototype::create):
1332         (JSC::SymbolPrototype::createStructure):
1333
1334         The SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
1335         It is tested in js/symbol-prototype-is-ordinary-object.html.
1336
1337         * runtime/VM.cpp:
1338         (JSC::VM::VM):
1339         * runtime/VM.h:
1340
1341 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
1342
1343         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1344         https://bugs.webkit.org/show_bug.cgi?id=140900
1345
1346         Reviewed by Mark Hahnenberg.
1347
1348         Re-landing just the HandleBlock piece of this patch.
1349
1350         * heap/HandleBlock.h:
1351         * heap/HandleBlockInlines.h:
1352         (JSC::HandleBlock::create):
1353         (JSC::HandleBlock::destroy):
1354         (JSC::HandleBlock::HandleBlock):
1355         (JSC::HandleBlock::payloadEnd):
1356         * heap/HandleSet.cpp:
1357         (JSC::HandleSet::~HandleSet):
1358         (JSC::HandleSet::grow):
1359
1360 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
1361
1362         GC marking threads should clear malloc caches
1363         https://bugs.webkit.org/show_bug.cgi?id=141097
1364
1365         Reviewed by Sam Weinig.
1366
1367         Follow-up based on Mark Hahnenberg's review: Release after the copy
1368         phase, rather than after any phase, since we'd rather not release
1369         between marking and copying.
1370
1371         * heap/GCThread.cpp:
1372         (JSC::GCThread::waitForNextPhase):
1373         (JSC::GCThread::gcThreadMain):
1374
1375 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
1376
1377         GC marking threads should clear malloc caches
1378         https://bugs.webkit.org/show_bug.cgi?id=141097
1379
1380         Reviewed by Andreas Kling.
1381
1382         This is an attempt to ameliorate a potential memory use regression
1383         caused by https://bugs.webkit.org/show_bug.cgi?id=140900
1384         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.
1385
1386         FastMalloc may accumulate a per-thread cache on each of the 8-ish
1387         GC marking threads, which can be expensive.
1388
1389         * heap/GCThread.cpp:
1390         (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
1391         going to sleep. There's probably not too much value to keeping our
1392         per-thread cache between GCs, and it has some memory footprint.
1393
1394 2015-01-30  Chris Dumez  <cdumez@apple.com>
1395
1396         Rename shared() static member functions to singleton() for singleton classes.
1397         https://bugs.webkit.org/show_bug.cgi?id=141088
1398
1399         Reviewed by Ryosuke Niwa and Benjamin Poulain.
1400
1401         Rename shared() static member functions to singleton() for singleton
1402         classes as per the recent coding style change.
1403
1404         * inspector/remote/RemoteInspector.h:
1405         * inspector/remote/RemoteInspector.mm:
1406         (Inspector::RemoteInspector::singleton):
1407         (Inspector::RemoteInspector::start):
1408         (Inspector::RemoteInspector::shared): Deleted.
1409         * inspector/remote/RemoteInspectorDebuggable.cpp:
1410         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
1411         (Inspector::RemoteInspectorDebuggable::init):
1412         (Inspector::RemoteInspectorDebuggable::update):
1413         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1414         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
1415         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
1416         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1417         (Inspector::RemoteInspectorDebuggableConnection::setup):
1418         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
1419
1420 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
1421
1422         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1423         https://bugs.webkit.org/show_bug.cgi?id=140900
1424
1425         Reviewed by Mark Hahnenberg.
1426
1427         Re-landing just the CopyWorkListSegment piece of this patch.
1428
1429         * heap/CopiedBlockInlines.h:
1430         (JSC::CopiedBlock::reportLiveBytes):
1431         * heap/CopyWorkList.h:
1432         (JSC::CopyWorkListSegment::create):
1433         (JSC::CopyWorkListSegment::destroy):
1434         (JSC::CopyWorkListSegment::CopyWorkListSegment):
1435         (JSC::CopyWorkList::CopyWorkList):
1436         (JSC::CopyWorkList::~CopyWorkList):
1437         (JSC::CopyWorkList::append):
1438
1439 2015-01-29  Commit Queue  <commit-queue@webkit.org>
1440
1441         Unreviewed, rolling out r179357 and r179358.
1442         https://bugs.webkit.org/show_bug.cgi?id=141062
1443
1444         Suspect this caused WebGL tests to start flaking (Requested by
1445         kling on #webkit).
1446
1447         Reverted changesets:
1448
1449         "Polymorphic call inlining should be based on polymorphic call
1450         inline caching rather than logging"
1451         https://bugs.webkit.org/show_bug.cgi?id=140660
1452         http://trac.webkit.org/changeset/179357
1453
1454         "Unreviewed, fix no-JIT build."
1455         http://trac.webkit.org/changeset/179358
1456
1457 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
1458
1459         Removed op_ret_object_or_this
1460         https://bugs.webkit.org/show_bug.cgi?id=141048
1461
1462         Reviewed by Michael Saboff.
1463
1464         op_ret_object_or_this was one opcode that would keep us out of the
1465         optimizing compilers.
1466
1467         We don't need a special-purpose opcode; we can just use a branch.
1468
1469         * bytecode/BytecodeBasicBlock.cpp:
1470         (JSC::isTerminal): Removed.
1471         * bytecode/BytecodeList.json:
1472         * bytecode/BytecodeUseDef.h:
1473         (JSC::computeUsesForBytecodeOffset):
1474         (JSC::computeDefsForBytecodeOffset): Removed.
1475
1476         * bytecode/CodeBlock.cpp:
1477         (JSC::CodeBlock::dumpBytecode): Removed.
1478
1479         * bytecompiler/BytecodeGenerator.cpp:
1480         (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
1481         if we need to substitute 'this' for the return value. Our engine no longer
1482         benefits from fused opcodes that dispatch less in the interpreter.
1483
1484         * jit/JIT.cpp:
1485         (JSC::JIT::privateCompileMainPass):
1486         * jit/JIT.h:
1487         * jit/JITCall32_64.cpp:
1488         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
1489         * jit/JITOpcodes.cpp:
1490         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
1491         * llint/LowLevelInterpreter32_64.asm:
1492         * llint/LowLevelInterpreter64.asm: Removed.
1493
1494 2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>
1495
1496         Implement ES6 class syntax without inheritance support
1497         https://bugs.webkit.org/show_bug.cgi?id=140918
1498
1499         Reviewed by Geoffrey Garen.
1500
1501         Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
1502         class A {
1503             constructor() { }
1504             someMethod() { }
1505         }
1506
1507         We'll add the support for "extends" keyword and automatically generating a constructor in follow-up patches.
1508         We also don't support block scoping of a class declaration.
1509
1510         We support both class declaration and class expression. A class expression is implemented by the newly added
1511         ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
1512         AssignResolveNode.
1513
1514         Tests: js/class-syntax-declaration.html
1515                js/class-syntax-expression.html
1516
1517         * bytecompiler/NodesCodegen.cpp:
1518         (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
1519         Also fixed the 5-space indentation.
1520         (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
1521         (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
1522         (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
1523         emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
1524
1525         * parser/ASTBuilder.h:
1526         (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
1527         (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it in a ClassDeclNode.
1528
1529         * parser/NodeConstructors.h:
1530         (JSC::ClassDeclNode::ClassDeclNode): Added.
1531         (JSC::ClassExprNode::ClassExprNode): Added.
1532
1533         * parser/Nodes.h:
1534         (JSC::ClassExprNode): Added.
1535         (JSC::ClassDeclNode): Added.
1536
1537         * parser/Parser.cpp:
1538         (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
1539         (JSC::stringForFunctionMode): Return "method" for MethodMode.
1540         (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
1541         it with ClassDeclNode as described above.
1542         (JSC::Parser<LexerType>::parseClass): Parses a class expression.
1543         (JSC::Parser<LexerType>::parseProperty):
1544         (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
1545         and parseClass.
1546         (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.
1547
1548         * parser/Parser.h:
1549         (FunctionParseMode): Added MethodMode.
1550
1551         * parser/SyntaxChecker.h:
1552         (JSC::SyntaxChecker::createClassExpr): Added.
1553         (JSC::SyntaxChecker::createClassDeclStatement): Added.
1554
1555 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
1556
1557         Try to fix the Windows build.
1558
1559         Not reviewed.
1560
1561         * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.
1562
1563 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
1564
1565         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1566         https://bugs.webkit.org/show_bug.cgi?id=140900
1567
1568         Reviewed by Mark Hahnenberg.
1569
1570         Re-landing just the WeakBlock piece of this patch.
1571
1572         * heap/WeakBlock.cpp:
1573         (JSC::WeakBlock::create):
1574         (JSC::WeakBlock::destroy):
1575         (JSC::WeakBlock::WeakBlock):
1576         * heap/WeakBlock.h:
1577         * heap/WeakSet.cpp:
1578         (JSC::WeakSet::~WeakSet):
1579         (JSC::WeakSet::addAllocator):
1580         (JSC::WeakSet::removeAllocator):
1581
1582 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
1583
1584         Use Vector instead of GCSegmentedArray in CodeBlockSet
1585         https://bugs.webkit.org/show_bug.cgi?id=141044
1586
1587         Reviewed by Ryosuke Niwa.
1588
1589         This is allowed now that we've gotten rid of fastMallocForbid.
1590
1591         4kB was a bit overkill for just storing a few pointers.
1592
1593         * heap/CodeBlockSet.cpp:
1594         (JSC::CodeBlockSet::CodeBlockSet):
1595         * heap/CodeBlockSet.h:
1596         * heap/Heap.cpp:
1597         (JSC::Heap::Heap):
1598
1599 2015-01-29  Filip Pizlo  <fpizlo@apple.com>
1600
1601         Unreviewed, fix no-JIT build.
1602
1603         * jit/PolymorphicCallStubRoutine.cpp:
1604
1605 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
1606
1607         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
1608         https://bugs.webkit.org/show_bug.cgi?id=140660
1609
1610         Reviewed by Geoffrey Garen.
1611         
1612         When we first implemented polymorphic call inlining, we did the profiling based on a call
1613         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
1614         global log that was processed lazily. Processing the log would give precise counts of call
1615         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
1616         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
1617         nonetheless.
1618         
1619         Experience with this code shows three things. First, the call edge profiler is buggy and
1620         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
1621         overhead for latency code that we care deeply about. Third, it's not at all clear that
1622         having call edge counts for every possible callee is any better than just having call edge
1623         counts for the limited number of callees that an inline cache would catch.
1624         
1625         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
1626         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
1627         out-of-line stub that cases on the previously known callees. If that misses again, then we
1628         rewrite that stub to include the new callee. We do this up to some number of callees. If we
1629         hit the limit then we switch to using a plain virtual call.
1630         
1631         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
1632         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
1633
1634         * CMakeLists.txt:
1635         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1636         * JavaScriptCore.xcodeproj/project.pbxproj:
1637         * bytecode/CallEdge.h:
1638         (JSC::CallEdge::count):
1639         (JSC::CallEdge::CallEdge):
1640         * bytecode/CallEdgeProfile.cpp: Removed.
1641         * bytecode/CallEdgeProfile.h: Removed.
1642         * bytecode/CallEdgeProfileInlines.h: Removed.
1643         * bytecode/CallLinkInfo.cpp:
1644         (JSC::CallLinkInfo::unlink):
1645         (JSC::CallLinkInfo::visitWeak):
1646         * bytecode/CallLinkInfo.h:
1647         * bytecode/CallLinkStatus.cpp:
1648         (JSC::CallLinkStatus::CallLinkStatus):
1649         (JSC::CallLinkStatus::computeFor):
1650         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1651         (JSC::CallLinkStatus::isClosureCall):
1652         (JSC::CallLinkStatus::makeClosureCall):
1653         (JSC::CallLinkStatus::dump):
1654         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
1655         * bytecode/CallLinkStatus.h:
1656         (JSC::CallLinkStatus::CallLinkStatus):
1657         (JSC::CallLinkStatus::isSet):
1658         (JSC::CallLinkStatus::variants):
1659         (JSC::CallLinkStatus::size):
1660         (JSC::CallLinkStatus::at):
1661         (JSC::CallLinkStatus::operator[]):
1662         (JSC::CallLinkStatus::canOptimize):
1663         (JSC::CallLinkStatus::edges): Deleted.
1664         (JSC::CallLinkStatus::canTrustCounts): Deleted.
1665         * bytecode/CallVariant.cpp:
1666         (JSC::variantListWithVariant):
1667         (JSC::despecifiedVariantList):
1668         * bytecode/CallVariant.h:
1669         * bytecode/CodeBlock.cpp:
1670         (JSC::CodeBlock::~CodeBlock):
1671         (JSC::CodeBlock::linkIncomingPolymorphicCall):
1672         (JSC::CodeBlock::unlinkIncomingCalls):
1673         (JSC::CodeBlock::noticeIncomingCall):
1674         * bytecode/CodeBlock.h:
1675         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
1676         * dfg/DFGAbstractInterpreterInlines.h:
1677         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1678         * dfg/DFGByteCodeParser.cpp:
1679         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1680         (JSC::DFG::ByteCodeParser::handleCall):
1681         (JSC::DFG::ByteCodeParser::handleInlining):
1682         * dfg/DFGClobberize.h:
1683         (JSC::DFG::clobberize):
1684         * dfg/DFGConstantFoldingPhase.cpp:
1685         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1686         * dfg/DFGDoesGC.cpp:
1687         (JSC::DFG::doesGC):
1688         * dfg/DFGDriver.cpp:
1689         (JSC::DFG::compileImpl):
1690         * dfg/DFGFixupPhase.cpp:
1691         (JSC::DFG::FixupPhase::fixupNode):
1692         * dfg/DFGNode.h:
1693         (JSC::DFG::Node::hasHeapPrediction):
1694         * dfg/DFGNodeType.h:
1695         * dfg/DFGOperations.cpp:
1696         * dfg/DFGPredictionPropagationPhase.cpp:
1697         (JSC::DFG::PredictionPropagationPhase::propagate):
1698         * dfg/DFGSafeToExecute.h:
1699         (JSC::DFG::safeToExecute):
1700         * dfg/DFGSpeculativeJIT32_64.cpp:
1701         (JSC::DFG::SpeculativeJIT::emitCall):
1702         (JSC::DFG::SpeculativeJIT::compile):
1703         * dfg/DFGSpeculativeJIT64.cpp:
1704         (JSC::DFG::SpeculativeJIT::emitCall):
1705         (JSC::DFG::SpeculativeJIT::compile):
1706         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1707         (JSC::DFG::TierUpCheckInjectionPhase::run):
1708         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
1709         * ftl/FTLCapabilities.cpp:
1710         (JSC::FTL::canCompile):
1711         * heap/Heap.cpp:
1712         (JSC::Heap::collect):
1713         * jit/BinarySwitch.h:
1714         * jit/ClosureCallStubRoutine.cpp: Removed.
1715         * jit/ClosureCallStubRoutine.h: Removed.
1716         * jit/JITCall.cpp:
1717         (JSC::JIT::compileOpCall):
1718         * jit/JITCall32_64.cpp:
1719         (JSC::JIT::compileOpCall):
1720         * jit/JITOperations.cpp:
1721         * jit/JITOperations.h:
1722         (JSC::operationLinkPolymorphicCallFor):
1723         (JSC::operationLinkClosureCallFor): Deleted.
1724         * jit/JITStubRoutine.h:
1725         * jit/JITWriteBarrier.h:
1726         * jit/PolymorphicCallStubRoutine.cpp: Added.
1727         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
1728         (JSC::PolymorphicCallNode::unlink):
1729         (JSC::PolymorphicCallCase::dump):
1730         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1731         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
1732         (JSC::PolymorphicCallStubRoutine::variants):
1733         (JSC::PolymorphicCallStubRoutine::edges):
1734         (JSC::PolymorphicCallStubRoutine::visitWeak):
1735         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
1736         * jit/PolymorphicCallStubRoutine.h: Added.
1737         (JSC::PolymorphicCallNode::PolymorphicCallNode):
1738         (JSC::PolymorphicCallCase::PolymorphicCallCase):
1739         (JSC::PolymorphicCallCase::variant):
1740         (JSC::PolymorphicCallCase::codeBlock):
1741         * jit/Repatch.cpp:
1742         (JSC::linkSlowFor):
1743         (JSC::linkFor):
1744         (JSC::revertCall):
1745         (JSC::unlinkFor):
1746         (JSC::linkVirtualFor):
1747         (JSC::linkPolymorphicCall):
1748         (JSC::linkClosureCall): Deleted.
1749         * jit/Repatch.h:
1750         * jit/ThunkGenerators.cpp:
1751         (JSC::linkPolymorphicCallForThunkGenerator):
1752         (JSC::linkPolymorphicCallThunkGenerator):
1753         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
1754         (JSC::linkClosureCallForThunkGenerator): Deleted.
1755         (JSC::linkClosureCallThunkGenerator): Deleted.
1756         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
1757         * jit/ThunkGenerators.h:
1758         (JSC::linkPolymorphicCallThunkGeneratorFor):
1759         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
1760         * llint/LLIntSlowPaths.cpp:
1761         (JSC::LLInt::jitCompileAndSetHeuristics):
1762         * runtime/Options.h:
1763         * runtime/VM.cpp:
1764         (JSC::VM::prepareToDiscardCode):
1765         (JSC::VM::ensureCallEdgeLog): Deleted.
1766         * runtime/VM.h:
1767
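The inline-cache progression that the entry above describes, as an added example that is not JavaScriptCore's code: a toy C++ call site that links on its first call, inflates into a polymorphic stub that cases on the callees seen so far, rewrites that stub on each new callee, and drops to a plain virtual call once an assumed limit of three cases is exceeded. The CallSite type, its State names, the limit and the sample callees are assumptions made for this illustration; the real engine generates machine-code stubs and tracks them through CallLinkInfo, which this model does not touch.

```cpp
// Added illustration, not JavaScriptCore code: a toy model of the call-site
// states described in the entry above. CallSite, its State names, the case
// limit of 3 and the sample callees are assumptions for this example.
#include <cstddef>
#include <cstdio>
#include <vector>

using Callee = int (*)(int);

struct CallSite {
    enum class State { Unlinked, Monomorphic, Polymorphic, Virtual };
    static constexpr std::size_t maxCases = 3;  // assumed limit on stub cases

    State state = State::Unlinked;
    std::vector<Callee> cases;     // callees the out-of-line stub cases on
    std::size_t stubRewrites = 0;  // how often the stub was regenerated
    std::size_t virtualCalls = 0;  // calls dispatched by the plain virtual call

    int call(Callee callee, int arg) {
        switch (state) {
        case State::Unlinked:
            // First call: link the site to this callee (the basic inline cache).
            cases.push_back(callee);
            state = State::Monomorphic;
            return callee(arg);
        case State::Monomorphic:
        case State::Polymorphic:
            for (Callee known : cases) {
                if (known == callee)
                    return callee(arg);  // hit: the stub already handles it
            }
            if (cases.size() < maxCases) {
                // Miss with room left: rewrite the stub to include the callee.
                cases.push_back(callee);
                ++stubRewrites;
                state = State::Polymorphic;
                return callee(arg);
            }
            // Miss at the limit: stop caching and use a virtual call from now on.
            cases.clear();
            state = State::Virtual;
            ++virtualCalls;
            return callee(arg);
        case State::Virtual:
            ++virtualCalls;
            return callee(arg);
        }
        return callee(arg);
    }
};

// Constructed callees standing in for distinct JavaScript functions.
int addOne(int x) { return x + 1; }
int twice(int x) { return 2 * x; }
int square(int x) { return x * x; }
int negate(int x) { return -x; }

// Drives one call site through link, inflate, rewrite and virtual fallback.
CallSite runCallSiteScenario() {
    CallSite site;
    site.call(addOne, 1);  // links: monomorphic {addOne}
    site.call(addOne, 2);  // hit
    site.call(twice, 3);   // miss: inflate to polymorphic {addOne, twice}
    site.call(square, 4);  // miss: rewrite to {addOne, twice, square}
    site.call(twice, 5);   // hit inside the polymorphic stub
    site.call(negate, 6);  // miss at the limit: switch to a virtual call
    site.call(addOne, 7);  // virtual call; nothing is cached any more
    return site;
}

int main() {
    CallSite site = runCallSiteScenario();
    std::printf("rewrites=%zu virtual=%zu cached=%zu\n",
                site.stubRewrites, site.virtualCalls, site.cases.size());
    return 0;
}
```

The scenario ends with two stub rewrites and two virtual calls: the fourth distinct callee is what pushes the site past the limit, after which the case list is dropped rather than grown further, mirroring the "up to some number of callees, then a plain virtual call" policy in the entry.
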
1768 2015-01-29  Joseph Pecoraro  <pecoraro@apple.com>
1769
1770         Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
1771         https://bugs.webkit.org/show_bug.cgi?id=122867
1772
1773         Reviewed by Timothy Hatcher.
1774
1775         Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".
1776
1777         Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
1778         an ObjectPreview can be used for any value, in place of a RemoteObject,
1779         and not capture / hold a reference to the value. The value will be in
1780         the string description.
1781
1782         Adding this information to ObjectPreview can duplicate some information
1783         in the protocol messages if a preview is provided, but simplifies
1784         previews, so that all the information you need for any RemoteObject
1785         preview is available. To slim messages further, make "overflow" and
1786         "properties" only available on previews that may contain properties.
1787         So, not primitives or null.
1788
1789         Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
1790         that will return previews with "key" and "value" properties depending
1791         on the collection type. To get live, non-preview objects from a
1792         collection, use Runtime.getCollectionEntries.
1793
1794         In order to keep the WeakMap's values Weak the frontend may provide
1795         a unique object group name when getting collection entries. It may
1796         then release that object group, e.g. when not showing the WeakMap's
1797         values to the user, and thus remove the strong reference to the keys
1798         so they may be garbage collected.
1799
1800         * runtime/WeakMapData.h:
1801         (JSC::WeakMapData::begin):
1802         (JSC::WeakMapData::end):
1803         Expose iterators so the Inspector may access WeakMap keys/values.
1804
1805         * inspector/JSInjectedScriptHostPrototype.cpp:
1806         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1807         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
1808         * inspector/JSInjectedScriptHost.h:
1809         * inspector/JSInjectedScriptHost.cpp:
1810         (Inspector::JSInjectedScriptHost::subtype):
1811         Discern "map", "set", and "weakmap" object subtypes.
1812
1813         (Inspector::JSInjectedScriptHost::weakMapEntries):
1814         Return a list of WeakMap entries. These are strong references
1815         that the Inspector code is responsible for releasing.
1816
1817         * inspector/protocol/Runtime.json:
1818         Update types and expose the new getCollectionEntries command.
1819
1820         * inspector/agents/InspectorRuntimeAgent.h:
1821         * inspector/agents/InspectorRuntimeAgent.cpp:
1822         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1823         * inspector/InjectedScript.h:
1824         * inspector/InjectedScript.cpp:
1825         (Inspector::InjectedScript::getInternalProperties):
1826         (Inspector::InjectedScript::getCollectionEntries):
1827         Pass through to the InjectedScript and call getCollectionEntries.
1828
1829         * inspector/scripts/codegen/generator.py:
1830         Add another type with runtime casting.
1831
1832         * inspector/InjectedScriptSource.js:
1833         - Implement getCollectionEntries to get a range of values from a
1834         collection. The non-Weak collections have an order to their keys (in
1835         the order they were added) so ranged gets are okay. WeakMap does not have an
1836         order, so only allow fetching a number of values.
1837         - Update preview generation to address the Runtime.ObjectPreview
1838         type changes.
1839
1840 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1841
1842         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1843         https://bugs.webkit.org/show_bug.cgi?id=140900
1844
1845         Reviewed by Mark Hahnenberg.
1846
1847         Re-landing just the GCArraySegment piece of this patch.
1848
1849         * heap/CodeBlockSet.cpp:
1850         (JSC::CodeBlockSet::CodeBlockSet):
1851         * heap/CodeBlockSet.h:
1852         * heap/GCSegmentedArray.h:
1853         (JSC::GCArraySegment::GCArraySegment):
1854         * heap/GCSegmentedArrayInlines.h:
1855         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1856         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1857         (JSC::GCSegmentedArray<T>::clear):
1858         (JSC::GCSegmentedArray<T>::expand):
1859         (JSC::GCSegmentedArray<T>::refill):
1860         (JSC::GCArraySegment<T>::create):
1861         (JSC::GCArraySegment<T>::destroy):
1862         * heap/GCThreadSharedData.cpp:
1863         (JSC::GCThreadSharedData::GCThreadSharedData):
1864         * heap/Heap.cpp:
1865         (JSC::Heap::Heap):
1866         * heap/MarkStack.cpp:
1867         (JSC::MarkStackArray::MarkStackArray):
1868         * heap/MarkStack.h:
1869         * heap/SlotVisitor.cpp:
1870         (JSC::SlotVisitor::SlotVisitor):
1871
1872 2015-01-29  Csaba Osztrogonác  <ossy@webkit.org>
1873
1874         Move HAVE_DTRACE definition back to Platform.h
1875         https://bugs.webkit.org/show_bug.cgi?id=141033
1876
1877         Reviewed by Dan Bernstein.
1878
1879         * Configurations/Base.xcconfig:
1880         * JavaScriptCore.xcodeproj/project.pbxproj:
1881
1882 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1883
1884         Removed fastMallocForbid / fastMallocAllow
1885         https://bugs.webkit.org/show_bug.cgi?id=141012
1886
1887         Reviewed by Mark Hahnenberg.
1888
1889         Copy non-current thread stacks before scanning them instead of scanning
1890         them in-place.
1891
1892         This operation is uncommon (i.e., never in the web content process),
1893         and even in a stress test with 4 threads it only copies about 27kB,
1894         so I think the performance cost is OK.
1895
1896         Scanning in-place requires a complex dance where we constrain our GC
1897         data structures not to use malloc, free, or any other interesting functions
1898         that might acquire locks. We've gotten this wrong many times in the past,
1899         and I just got it wrong again yesterday. Since this code path is rarely
1900         tested, I want it to just make sense, and not depend on or constrain the
1901         details of the rest of the GC heap's design.
1902
1903         * heap/MachineStackMarker.cpp:
1904         (JSC::otherThreadStack): Factored out a helper function for dealing with
1905         unaligned and/or backwards pointers.
1906
1907         (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
1908         constrained function, and it only calls memcpy and low-level thread APIs.
1909
1910         (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
1911         you do one pass over all the threads to compute their combined size,
1912         and then a second pass to do all the copying. In theory, the threads may
1913         grow in between passes, in which case you'll continue until the threads
1914         stop growing. In practice, you never continue.
1915
1916         (JSC::growBuffer): Helper function for growing.
1917
1918         (JSC::MachineThreads::gatherConservativeRoots):
1919         (JSC::MachineThreads::gatherFromOtherThread): Deleted.
1920         * heap/MachineStackMarker.h: Updated for interface changes.
1921
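The two-pass measure-then-copy scheme and the pointer normalization that the entry above describes, as an added example that is not JavaScriptCore's code: a C++ model in which a snapshot of other threads' stacks is first sized, then copied into one buffer, with the buffer regrown and the copy repeated if a stack grew in between. ThreadStackView, normalizedStack, copyOtherThreadStacks and the constructed stacks are assumptions for this illustration; the real code suspends threads and reads their registers through platform thread APIs, which this model stands in for with plain vectors.

```cpp
// Added illustration, not JavaScriptCore code: a toy model of sizing, then
// copying, other threads' stacks, retrying with a larger buffer if a stack
// grew between passes. All type and function names are assumptions.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <vector>

using Word = std::uintptr_t;

// What the thread APIs hand back: saved stack pointer and stack base. Stacks
// usually grow downward, but this model assumes neither an order nor alignment.
struct ThreadStackView {
    const void* stackPointer;
    const void* stackBase;
};

// A normalized, word-aligned, forward range of a thread's live stack.
struct StackRange {
    const char* begin;
    std::size_t size;
};

// Put the endpoints in order and widen to word boundaries so a partially
// covered word at either edge is still scanned conservatively.
StackRange normalizedStack(const ThreadStackView& view) {
    std::uintptr_t a = reinterpret_cast<std::uintptr_t>(view.stackPointer);
    std::uintptr_t b = reinterpret_cast<std::uintptr_t>(view.stackBase);
    std::uintptr_t lo = std::min(a, b), hi = std::max(a, b);
    const std::uintptr_t mask = sizeof(Word) - 1;
    lo &= ~mask;
    hi = (hi + mask) & ~mask;
    return { reinterpret_cast<const char*>(lo), hi - lo };
}

struct CopiedStacks {
    std::vector<char> buffer;          // all copied stacks, back to back
    std::vector<std::size_t> offsets;  // where each thread's copy starts
    std::vector<std::size_t> sizes;    // size of each thread's copy
    int copyPasses = 0;                // copy attempts (1 when nothing grew)
};

// Pass 1 measures the combined size. Pass 2 copies; if the snapshot taken for
// the copy needs more than the buffer holds, grow the buffer and copy again.
CopiedStacks copyOtherThreadStacks(
    const std::function<std::vector<ThreadStackView>()>& snapshotThreads) {
    CopiedStacks out;
    std::size_t capacity = 0;
    for (const ThreadStackView& t : snapshotThreads())
        capacity += normalizedStack(t).size;
    out.buffer.resize(capacity);

    for (;;) {
        ++out.copyPasses;
        std::vector<StackRange> sources;
        std::size_t needed = 0;
        for (const ThreadStackView& t : snapshotThreads()) {
            sources.push_back(normalizedStack(t));
            needed += sources.back().size;
        }
        if (needed > out.buffer.size()) {
            out.buffer.resize(needed);  // the grow step; threads kept growing
            continue;
        }
        std::size_t offset = 0;
        for (const StackRange& s : sources) {
            std::memcpy(out.buffer.data() + offset, s.begin, s.size);
            out.offsets.push_back(offset);
            out.sizes.push_back(s.size);
            offset += s.size;
        }
        return out;
    }
}

// Constructed scenario: two simulated stacks; stack A "grows" from 4 to 8 live
// words between the measuring pass and the first copy pass. B's endpoints are
// given base-first to show that normalizedStack copes with either order.
CopiedStacks runStackCopyScenario() {
    std::vector<Word> stackA(16), stackB(16);
    for (std::size_t i = 0; i < 16; ++i) { stackA[i] = 0xA000 + i; stackB[i] = 0xB000 + i; }
    int snapshots = 0;
    auto snapshot = [&]() {
        ++snapshots;
        std::size_t liveA = snapshots == 1 ? 4 : 8;
        return std::vector<ThreadStackView>{
            ThreadStackView{ stackA.data() + 16 - liveA, stackA.data() + 16 },
            ThreadStackView{ stackB.data() + 16, stackB.data() + 10 },
        };
    };
    return copyOtherThreadStacks(snapshot);
}

Word wordAt(const CopiedStacks& copied, std::size_t offset) {
    Word w = 0;
    std::memcpy(&w, copied.buffer.data() + offset, sizeof w);
    return w;
}

int main() {
    CopiedStacks r = runStackCopyScenario();
    std::printf("copy passes=%d bytes=%zu\n", r.copyPasses, r.buffer.size());
    return 0;
}
```

Because stack A grows after the measuring pass, the first copy pass finds the buffer too small, grows it, and the second copy pass succeeds; the copied bytes start with the word at A's new stack pointer and B's range comes out forward and word-sized despite being supplied base-first.
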
1922 2015-01-28  Brian J. Burg  <burg@cs.washington.edu>
1923
1924         Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
1925         https://bugs.webkit.org/show_bug.cgi?id=140961
1926
1927         Reviewed by Timothy Hatcher.
1928
1929         * inspector/protocol/CSS.json: Remove unused protocol methods.
1930
1931 2015-01-28  Dana Burkart  <dburkart@apple.com>
1932
1933         Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
1934         https://bugs.webkit.org/show_bug.cgi?id=136765
1935
1936         Reviewed by Alexey Proskuryakov.
1937
1938         * Configurations/Base.xcconfig:
1939         * Configurations/DebugRelease.xcconfig:
1940
1941 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1942
1943         ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
1944         https://bugs.webkit.org/show_bug.cgi?id=140980
1945
1946         Reviewed by Oliver Hunt.
1947
1948         * bytecode/CallLinkStatus.cpp:
1949         (JSC::CallLinkStatus::computeFor):
1950
1951 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1952
1953         Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
1954         https://bugs.webkit.org/show_bug.cgi?id=140959
1955
1956         Rubber stamped by Geoffrey Garen.
1957         
1958         I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
1959         This code no longer has DFG dependencies so this is a very clean move.
1960
1961         * CMakeLists.txt:
1962         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1963         * JavaScriptCore.xcodeproj/project.pbxproj:
1964         * dfg/DFGBinarySwitch.cpp: Removed.
1965         * dfg/DFGBinarySwitch.h: Removed.
1966         * dfg/DFGSpeculativeJIT.cpp:
1967         * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
1968         * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.
1969
1970 2015-01-27  Commit Queue  <commit-queue@webkit.org>
1971
1972         Unreviewed, rolling out r179192.
1973         https://bugs.webkit.org/show_bug.cgi?id=140953
1974
1975         Caused numerous layout test failures (Requested by mattbaker_
1976         on #webkit).
1977
1978         Reverted changeset:
1979
1980         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
1981         pages"
1982         https://bugs.webkit.org/show_bug.cgi?id=140900
1983         http://trac.webkit.org/changeset/179192
1984
1985 2015-01-27  Michael Saboff  <msaboff@apple.com>
1986
1987         REGRESSION(r178591): 20% regression in Octane box2d
1988         https://bugs.webkit.org/show_bug.cgi?id=140948
1989
1990         Reviewed by Geoffrey Garen.
1991
1992         Added a check that we have a lexical environment to the arguments-is-captured check.
1993         It doesn't make sense to resolve "arguments" when it really isn't captured.
1994
1995         * bytecompiler/BytecodeGenerator.cpp:
1996         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
1997
1998 2015-01-26  Geoffrey Garen  <ggaren@apple.com>
1999
2000         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2001         https://bugs.webkit.org/show_bug.cgi?id=140900
2002
2003         Reviewed by Mark Hahnenberg.
2004
2005         Removes some more custom allocation code.
2006
2007         Looks like a speedup. (See results attached to bugzilla.)
2008
2009         Will hopefully reduce memory use by improving sharing between the GC and
2010         malloc heaps.
2011
2012         * API/JSBase.cpp:
2013         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2014         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2015         * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.
2016
2017         * heap/BlockAllocator.cpp: Removed.
2018         * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.
2019
2020         * heap/CodeBlockSet.cpp:
2021         (JSC::CodeBlockSet::CodeBlockSet):
2022         * heap/CodeBlockSet.h: Feed the compiler.
2023
2024         * heap/CopiedBlock.h:
2025         (JSC::CopiedBlock::createNoZeroFill):
2026         (JSC::CopiedBlock::create):
2027         (JSC::CopiedBlock::CopiedBlock):
2028         (JSC::CopiedBlock::isOversize):
2029         (JSC::CopiedBlock::payloadEnd):
2030         (JSC::CopiedBlock::capacity):
2031         * heap/CopiedBlockInlines.h:
2032         (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
2033         own size, since we can't rely on Region to tell us our size anymore.
2034
2035         * heap/CopiedSpace.cpp:
2036         (JSC::CopiedSpace::~CopiedSpace):
2037         (JSC::CopiedSpace::tryAllocateOversize):
2038         (JSC::CopiedSpace::tryReallocateOversize):
2039         * heap/CopiedSpaceInlines.h:
2040         (JSC::CopiedSpace::recycleEvacuatedBlock):
2041         (JSC::CopiedSpace::recycleBorrowedBlock):
2042         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
2043         (JSC::CopiedSpace::allocateBlock):
2044         (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
2045         than pushing them onto the block allocator's free list; the block
2046         allocator doesn't exist anymore.
2047
2048         * heap/CopyWorkList.h:
2049         (JSC::CopyWorkListSegment::create):
2050         (JSC::CopyWorkListSegment::CopyWorkListSegment):
2051         (JSC::CopyWorkList::~CopyWorkList):
2052         (JSC::CopyWorkList::append):
2053         (JSC::CopyWorkList::CopyWorkList): Deleted.
2054         * heap/GCSegmentedArray.h:
2055         (JSC::GCArraySegment::GCArraySegment):
2056         * heap/GCSegmentedArrayInlines.h:
2057         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
2058         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
2059         (JSC::GCSegmentedArray<T>::clear):
2060         (JSC::GCSegmentedArray<T>::expand):
2061         (JSC::GCSegmentedArray<T>::refill):
2062         (JSC::GCArraySegment<T>::create):
2063         * heap/GCThreadSharedData.cpp:
2064         (JSC::GCThreadSharedData::GCThreadSharedData):
2065         * heap/GCThreadSharedData.h: Feed the compiler.
2066
2067         * heap/HandleBlock.h:
2068         * heap/HandleBlockInlines.h:
2069         (JSC::HandleBlock::create):
2070         (JSC::HandleBlock::HandleBlock):
2071         (JSC::HandleBlock::payloadEnd):
2072         * heap/HandleSet.cpp:
2073         (JSC::HandleSet::~HandleSet):
2074         (JSC::HandleSet::grow): Same as above.
2075
2076         * heap/Heap.cpp:
2077         (JSC::Heap::Heap):
2078         * heap/Heap.h: Removed the block allocator since it is unused now.
2079
2080         * heap/HeapBlock.h:
2081         (JSC::HeapBlock::destroy):
2082         (JSC::HeapBlock::HeapBlock):
2083         (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
2084         HeapBlock since a HeapBlock is just a normal allocation now.
2085
2086         * heap/HeapInlines.h:
2087         (JSC::Heap::blockAllocator): Deleted.
2088
2089         * heap/HeapTimer.cpp:
2090         * heap/MarkStack.cpp:
2091         (JSC::MarkStackArray::MarkStackArray):
2092         * heap/MarkStack.h: Feed the compiler.
2093
2094         * heap/MarkedAllocator.cpp:
2095         (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
2096         based on size, since we use a general purpose allocator now.
2097
2098         * heap/MarkedBlock.cpp:
2099         (JSC::MarkedBlock::create):
2100         (JSC::MarkedBlock::destroy):
2101         (JSC::MarkedBlock::MarkedBlock):
2102         * heap/MarkedBlock.h:
2103         (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.
2104
2105         * heap/MarkedSpace.cpp:
2106         (JSC::MarkedSpace::freeBlock):
2107         * heap/MarkedSpace.h:
2108
2109         * heap/Region.h: Removed.
2110
2111         * heap/SlotVisitor.cpp:
2112         (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.
2113
2114         * heap/SuperRegion.cpp: Removed.
2115         * heap/SuperRegion.h: Removed.
2116
2117         * heap/WeakBlock.cpp:
2118         (JSC::WeakBlock::create):
2119         (JSC::WeakBlock::WeakBlock):
2120         * heap/WeakBlock.h:
2121         * heap/WeakSet.cpp:
2122         (JSC::WeakSet::~WeakSet):
2123         (JSC::WeakSet::addAllocator):
2124         (JSC::WeakSet::removeAllocator): Removed reference to block allocator.
2125
2126 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
2127
2128         [ARM] Typo fix after r176083
2129         https://bugs.webkit.org/show_bug.cgi?id=140937
2130
2131         Reviewed by Anders Carlsson.
2132
2133         * assembler/ARMv7Assembler.h:
2134         (JSC::ARMv7Assembler::ldrh):
2135
2136 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
2137
2138         [Win] Unreviewed gardening, skip failing tests.
2139
2140         * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
2141         * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.
2142
2143 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
2144
2145         [Win] Enable JSC stress tests by default
2146         https://bugs.webkit.org/show_bug.cgi?id=128307
2147
2148         Unreviewed typo fix after r179165.
2149
2150         * tests/mozilla/mozilla-tests.yaml:
2151
2152 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
2153
2154         [Win] Enable JSC stress tests by default
2155         https://bugs.webkit.org/show_bug.cgi?id=128307
2156
2157         Reviewed by Brent Fulgham.
2158
2159         * tests/mozilla/mozilla-tests.yaml: Skipped on Windows.
2160         * tests/stress/ftl-arithcos.js: Skipped on Windows.
2161
2162 2015-01-26  Ryosuke Niwa  <rniwa@webkit.org>
2163
2164         Parse a function expression as a primary expression
2165         https://bugs.webkit.org/show_bug.cgi?id=140908
2166
2167         Reviewed by Mark Lam.
2168
2169         Moved the code to generate an AST node for a function expression from parseMemberExpression
2170         to parsePrimaryExpression to match the ES6 specification terminology:
2171         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression
2172
2173         There should be no behavior change from this change since parsePrimaryExpression is only
2174         called in parseMemberExpression, other than the fact that failIfStackOverflow() is called.
2175
2176         * parser/Parser.cpp:
2177         (JSC::Parser<LexerType>::parsePrimaryExpression):
2178         (JSC::Parser<LexerType>::parseMemberExpression):
2179
2180 2015-01-26  Myles C. Maxfield  <mmaxfield@apple.com>
2181
2182         [iOS] [SVG -> OTF Converter] Flip the switch off on iOS
2183         https://bugs.webkit.org/show_bug.cgi?id=140860
2184
2185         Reviewed by Darin Adler.
2186
2187         The fonts it makes are grotesque. (See what I did there? Typographic
2188         humor is the best humor.)
2189
2190         * Configurations/FeatureDefines.xcconfig:
2191
2192 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
2193
2194         Web Inspector: Rename InjectedScriptHost::type to subtype
2195         https://bugs.webkit.org/show_bug.cgi?id=140841
2196
2197         Reviewed by Timothy Hatcher.
2198
2199         We were using this to set the subtype of an "object" type RemoteObject
2200         so we should clean up the name and call it subtype.
2201
2202         * inspector/InjectedScriptHost.h:
2203         * inspector/InjectedScriptSource.js:
2204         * inspector/JSInjectedScriptHost.cpp:
2205         (Inspector::JSInjectedScriptHost::subtype):
2206         (Inspector::JSInjectedScriptHost::type): Deleted.
2207         * inspector/JSInjectedScriptHost.h:
2208         * inspector/JSInjectedScriptHostPrototype.cpp:
2209         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2210         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
2211         (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted.
2212
2213 2015-01-23  Michael Saboff  <msaboff@apple.com>
2214
2215         LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds
2216         https://bugs.webkit.org/show_bug.cgi?id=140843
2217
2218         Reviewed by Oliver Hunt.
2219
2220         When we are in vmEntryToJavaScript, we keep the stack pointer at an
2221         alignment suitable for pointing to a call frame header, which is the
2222         alignment post making a call.  We adjust the sp when calling to JS code,
2223         but don't adjust it before calling the out of stack handler.
2224
2225         * llint/LowLevelInterpreter32_64.asm:
2226         Moved stack pointer down 8 bytes to get it aligned.
2227
2228 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
2229
2230         Web Inspector: Object Previews in the Console
2231         https://bugs.webkit.org/show_bug.cgi?id=129204
2232
2233         Reviewed by Timothy Hatcher.
2234
2235         Update the very old, unused object preview code. Part of this comes from
2236         the earlier WebKit legacy implementation, and the Blink implementation.
2237
2238         A RemoteObject may include a preview, if it is asked for, and if the
2239         RemoteObject is an object. Previews are a shallow (single level) list
2240         of a limited number of properties on the object. The previewed
2241         properties are always stringified (even if primitives). Previews are
2242         limited to just 5 properties or 100 indices. Previews are marked
2243         as lossless if they are a complete snapshot of the object.
2244
2245         There is a path to make previews two levels deep, that is currently
2246         unused but should soon be used for tables (e.g. IndexedDB).
2247
2248         * inspector/InjectedScriptSource.js:
2249         - Move some code off of InjectedScript to be generic functions
2250         usable by RemoteObject as well.
2251         - Update preview generation to use 
2252
2253         * inspector/protocol/Runtime.json:
2254         - Add a new type, "accessor" for preview objects. This represents
2255         a getter / setter. We currently don't get the value.
2256
2257 2015-01-23  Michael Saboff  <msaboff@apple.com>
2258
2259         Immediate crash when setting JS breakpoint
2260         https://bugs.webkit.org/show_bug.cgi?id=140811
2261
2262         Reviewed by Mark Lam.
2263
2264         When the DFG stack layout phase doesn't allocate a register for the scope register,
2265         it incorrectly sets the scope register in the code block to a bad value, one with
2266         an offset of 0.  Changed it so that we set the code block's scope register to the 
2267         invalid VirtualRegister instead.
2268
2269         No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
2270         We crash with that ASSERT in testapi and likely many other tests as well.
2271
2272         * bytecode/CodeBlock.cpp:
2273         (JSC::CodeBlock::CodeBlock):
2274         * bytecode/CodeBlock.h:
2275         (JSC::CodeBlock::setScopeRegister):
2276         (JSC::CodeBlock::scopeRegister):
2277         Added ASSERTs to catch any future improper setting of the code block's scope register.
2278
2279         * dfg/DFGStackLayoutPhase.cpp:
2280         (JSC::DFG::StackLayoutPhase::run):
2281
2282 2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>
2283
2284         EdenCollections unnecessarily visit SmallStrings
2285         https://bugs.webkit.org/show_bug.cgi?id=140762
2286
2287         Reviewed by Geoffrey Garen.
2288
2289         * heap/Heap.cpp:
2290         (JSC::Heap::copyBackingStores): Also added a GCPhase for copying
2291         backing stores, which is a significant portion of garbage collection.
2292         (JSC::Heap::visitSmallStrings): Check to see if we need to visit
2293         SmallStrings based on the collection type.
2294         * runtime/SmallStrings.cpp:
2295         (JSC::SmallStrings::SmallStrings):
2296         (JSC::SmallStrings::visitStrongReferences): Set the fact that we have
2297         visited the SmallStrings since the last modification.
2298         * runtime/SmallStrings.h:
2299         (JSC::SmallStrings::needsToBeVisited): If we're doing a
2300         FullCollection, we need to visit. Otherwise, it depends on whether
2301         we've been visited since the last modification/allocation.
2302
2303 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
2304
2305         Add a build flag for ES6 class syntax
2306         https://bugs.webkit.org/show_bug.cgi?id=140760
2307
2308         Reviewed by Michael Saboff.
2309
2310         Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize
2311         "class", "extends", "static" and "super" keywords.
2312
2313         * Configurations/FeatureDefines.xcconfig:
2314         * parser/Keywords.table:
2315         * parser/ParserTokens.h:
2316
2317 2015-01-22  Commit Queue  <commit-queue@webkit.org>
2318
2319         Unreviewed, rolling out r178894.
2320         https://bugs.webkit.org/show_bug.cgi?id=140775
2321
2322         Broke JSC and bindings tests (Requested by ap_ on #webkit).
2323
2324         Reverted changeset:
2325
2326         "put_by_val_direct need to check the property is index or not
2327         for using putDirect / putDirectIndex"
2328         https://bugs.webkit.org/show_bug.cgi?id=140426
2329         http://trac.webkit.org/changeset/178894
2330
2331 2015-01-22  Mark Lam  <mark.lam@apple.com>
2332
2333         BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
2334         <https://webkit.org/b/140743>
2335
2336         Reviewed by Oliver Hunt.
2337
2338         BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
2339         op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution
2340         of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
2341         for whichever captured variable is at local index 0.  In practice, this turns
2342         out to be the local for the Arguments object.  In this reproduction case in the
2343         bug, the wrong inferred value written there is the boolean true.
2344
2345         Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
2346         a check of the local for the Arguments object.  But because that local has a
2347         wrong inferred value, the check always discovers a non-null value and we never
2348         actually create the Arguments object.  Immediately after this, an OSR exit
2349         occurs leaving the Arguments object local uninitialized.  Later on at arguments
2350         tear off, we run into a boolean true where we had expected to find an Arguments
2351         object, which in turn, leads to the crash.
2352
2353         The fix is to:
2354         1. In the case where the resolveModeType is LocalClosureVar, change the
2355            5th operand of op_put_to_scope to be a boolean.  True means that the
2356            local var is watchable.  False means it is not watchable.  We no longer
2357            pass the local index (instead of true) and UINT_MAX (instead of false).
2358
2359         This allows us to express more clearly in the code what that value means,
2360            as well as remove the redundant way of getting the local's identifier.
2361            The identifier is always the one passed in the 2nd operand. 
2362
2363         2. Previously, though intuitively, we know that the watchable variable
2364            identifier should be the same as the one that is passed in operand 2, this
2365            relationship was not clear in the code.  By code analysis, I confirmed that 
2366            the callers of BytecodeGenerator::emitPutToScope() always use the same
2367            identifier for operand 2 and for filling out the ResolveScopeInfo from
2368            which we get the watchable variable identifier later.  I've changed the
2369            code to make this clear now by always using the identifier passed in
2370            operand 2.
2371
2372         3. In the case where the resolveModeType is LocalClosureVar,
2373            initializeCapturedVariable() and emitPutToScope() will now query
2374            hasWatchableVariable() to determine if the local is watchable or not.
2375            Accordingly, we pass the boolean result of hasWatchableVariable() as
2376            operand 5 of op_put_to_scope.
2377
2378         Also added some assertions.
2379
2380         * bytecode/CodeBlock.cpp:
2381         (JSC::CodeBlock::CodeBlock):
2382         * bytecompiler/BytecodeGenerator.cpp:
2383         (JSC::BytecodeGenerator::initializeCapturedVariable):
2384         (JSC::BytecodeGenerator::hasConstant):
2385         (JSC::BytecodeGenerator::emitPutToScope):
2386         * bytecompiler/BytecodeGenerator.h:
2387         (JSC::BytecodeGenerator::hasWatchableVariable):
2388         (JSC::BytecodeGenerator::watchableVariableIdentifier):
2389         (JSC::BytecodeGenerator::watchableVariable): Deleted.
2390
2391 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
2392
2393         PropertyListNode::emitNode duplicates the code to put a constant property
2394         https://bugs.webkit.org/show_bug.cgi?id=140761
2395
2396         Reviewed by Geoffrey Garen.
2397
2398         Extracted PropertyListNode::emitPutConstantProperty to share the code.
2399
2400         Also made PropertyListNode::emitBytecode private since nobody is calling this function directly.
2401
2402         * bytecompiler/NodesCodegen.cpp:
2403         (JSC::PropertyListNode::emitBytecode):
2404         (JSC::PropertyListNode::emitPutConstantProperty): Added.
2405         * parser/Nodes.h:
2406
2407 2015-01-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2408
2409         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
2410         https://bugs.webkit.org/show_bug.cgi?id=140426
2411
2412         Reviewed by Geoffrey Garen.
2413
2414         In the put_by_val_direct operation, we use JSObject::putDirect.
2415         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
2416         This patch changes Identifier::asIndex() to return Optional<uint32_t>.
2417         It forces callers to check explicitly whether the value is an index or not.
2418         Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
2419
2420         * bytecode/GetByIdStatus.cpp:
2421         (JSC::GetByIdStatus::computeFor):
2422         * bytecode/PutByIdStatus.cpp:
2423         (JSC::PutByIdStatus::computeFor):
2424         * bytecompiler/BytecodeGenerator.cpp:
2425         (JSC::BytecodeGenerator::emitDirectPutById):
2426         * dfg/DFGOperations.cpp:
2427         (JSC::DFG::operationPutByValInternal):
2428         * jit/JITOperations.cpp:
2429         * jit/Repatch.cpp:
2430         (JSC::emitPutTransitionStubAndGetOldStructure):
2431         * jsc.cpp:
2432         * llint/LLIntSlowPaths.cpp:
2433         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2434         * runtime/Arguments.cpp:
2435         (JSC::Arguments::getOwnPropertySlot):
2436         (JSC::Arguments::put):
2437         (JSC::Arguments::deleteProperty):
2438         (JSC::Arguments::defineOwnProperty):
2439         * runtime/ArrayPrototype.cpp:
2440         (JSC::arrayProtoFuncSort):
2441         * runtime/JSArray.cpp:
2442         (JSC::JSArray::defineOwnProperty):
2443         * runtime/JSCJSValue.cpp:
2444         (JSC::JSValue::putToPrimitive):
2445         * runtime/JSGenericTypedArrayViewInlines.h:
2446         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2447         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2448         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2449         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2450         * runtime/JSObject.cpp:
2451         (JSC::JSObject::put):
2452         (JSC::JSObject::putDirectAccessor):
2453         (JSC::JSObject::putDirectCustomAccessor):
2454         (JSC::JSObject::deleteProperty):
2455         (JSC::JSObject::putDirectMayBeIndex):
2456         (JSC::JSObject::defineOwnProperty):
2457         * runtime/JSObject.h:
2458         (JSC::JSObject::getOwnPropertySlot):
2459         (JSC::JSObject::getPropertySlot):
2460         (JSC::JSObject::putDirectInternal):
2461         * runtime/JSString.cpp:
2462         (JSC::JSString::getStringPropertyDescriptor):
2463         * runtime/JSString.h:
2464         (JSC::JSString::getStringPropertySlot):
2465         * runtime/LiteralParser.cpp:
2466         (JSC::LiteralParser<CharType>::parse):
2467         * runtime/PropertyName.h:
2468         (JSC::toUInt32FromCharacters):
2469         (JSC::toUInt32FromStringImpl):
2470         (JSC::PropertyName::asIndex):
2471         * runtime/PropertyNameArray.cpp:
2472         (JSC::PropertyNameArray::add):
2473         * runtime/StringObject.cpp:
2474         (JSC::StringObject::deleteProperty):
2475         * runtime/Structure.cpp:
2476         (JSC::Structure::prototypeChainMayInterceptStoreTo):
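
As an added illustration of the distinction this entry relies on (example code, not WebKit's own and not part of this patch), the following JavaScript implements the canonical array-index test that an asIndex-style check performs and routes a store to an indexed or a named backing store accordingly. asIndex, PropertyStore, putDirectMayBeIndex and classify are my own names standing in for the C++ Identifier::asIndex() and putDirect / putDirectIndex paths named above; the [0, 2^32 - 2] bound is the ECMAScript definition of an array index.

```javascript
// Added example: the "is this property name an array index?" decision that
// picks between a named-property store and an indexed store.
// An array index (ECMAScript definition) is a string s such that
// ToString(ToUint32(s)) === s and ToUint32(s) !== 2^32 - 1, i.e. canonical
// decimal digits, no leading zeros, in the range [0, 2^32 - 2].
const MAX_ARRAY_INDEX = 0xFFFFFFFE; // 2^32 - 2

// Returns the numeric index for an index-like name, or undefined otherwise.
// Assumed name; plays the role of Identifier::asIndex() in the entry above.
function asIndex(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 10) return undefined;
  if (name.length > 1 && name.charCodeAt(0) === 0x30) return undefined; // "01" is not canonical
  let value = 0;
  for (let i = 0; i < name.length; i++) {
    const c = name.charCodeAt(i);
    if (c < 0x30 || c > 0x39) return undefined; // non-digit, e.g. "-1", "1e3", " 1"
    value = value * 10 + (c - 0x30);           // at most 10 digits, exact in a double
  }
  return value <= MAX_ARRAY_INDEX ? value : undefined;
}

// Toy object with separate backing stores, standing in for an engine's
// indexed storage versus its named-property slots (hypothetical structure).
class PropertyStore {
  constructor() {
    this.indexed = new Map(); // number -> value
    this.named = new Map();   // string -> value
  }
  // Counterpart of "putDirectMayBeIndex": decide the store from the name.
  // Returns which store received the value.
  putDirectMayBeIndex(name, value) {
    const index = asIndex(name);
    if (index !== undefined) {
      this.indexed.set(index, value);
      return 'index';
    }
    this.named.set(name, value);
    return 'named';
  }
  getByIndex(i) { return this.indexed.get(i); }
  getNamed(name) { return this.named.get(name); }
}

// Routes a list of [name, value] pairs and reports which store each went to.
function classify(pairs) {
  const store = new PropertyStore();
  return pairs.map(([name, value]) => [name, store.putDirectMayBeIndex(name, value)]);
}
```

The point of the routing is that "1" and "01" are different properties: the first is an element reachable through the indexed path, the second is an ordinary named property, and a store that always took the named path would leave "1" invisible to indexed lookups.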
2477
2478 2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>
2479
2480         Consolidate out arguments of parseFunctionInfo into a struct
2481         https://bugs.webkit.org/show_bug.cgi?id=140754
2482
2483         Reviewed by Oliver Hunt.
2484
2485         Introduced ParserFunctionInfo for storing out arguments of parseFunctionInfo.
2486
2487         * JavaScriptCore.xcodeproj/project.pbxproj:
2488         * parser/ASTBuilder.h:
2489         (JSC::ASTBuilder::createFunctionExpr):
2490         (JSC::ASTBuilder::createGetterOrSetterProperty): This one takes a property name in addition to
2491         ParserFunctionInfo since the property name and the function name could differ.
2492         (JSC::ASTBuilder::createFuncDeclStatement):
2493         * parser/Parser.cpp:
2494         (JSC::Parser<LexerType>::parseFunctionInfo):
2495         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2496         (JSC::Parser<LexerType>::parseProperty):
2497         (JSC::Parser<LexerType>::parseMemberExpression):
2498         * parser/Parser.h:
2499         * parser/ParserFunctionInfo.h: Added.
2500         * parser/SyntaxChecker.h:
2501         (JSC::SyntaxChecker::createFunctionExpr):
2502         (JSC::SyntaxChecker::createFuncDeclStatement):
2503         (JSC::SyntaxChecker::createClassDeclStatement):
2504         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2505
2506 2015-01-21  Mark Hahnenberg  <mhahnenb@gmail.com>
2507
2508         Change Heap::m_compiledCode to use a Vector
2509         https://bugs.webkit.org/show_bug.cgi?id=140717
2510
2511         Reviewed by Andreas Kling.
2512
2513         Right now it's a DoublyLinkedList, which is iterated during each
2514         collection. This contributes to some of the longish Eden pause times.
2515         A Vector would be more appropriate and would also allow ExecutableBase
2516         to be 2 pointers smaller.
2517
2518         * heap/Heap.cpp:
2519         (JSC::Heap::deleteAllCompiledCode):
2520         (JSC::Heap::deleteAllUnlinkedFunctionCode):
2521         (JSC::Heap::clearUnmarkedExecutables):
2522         * heap/Heap.h:
2523         * runtime/Executable.h: No longer need to inherit from DoublyLinkedListNode.
2524
2525 2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>
2526
2527         BytecodeGenerator shouldn't expose all of its member variables
2528         https://bugs.webkit.org/show_bug.cgi?id=140752
2529
2530         Reviewed by Mark Lam.
2531
2532         Added "private:" and removed unused data members as detected by clang.
2533
2534         * bytecompiler/BytecodeGenerator.cpp:
2535         (JSC::BytecodeGenerator::BytecodeGenerator):
2536         * bytecompiler/BytecodeGenerator.h:
2537         (JSC::BytecodeGenerator::lastOpcodeID): Added. Used in BinaryOpNode::emitBytecode.
2538         * bytecompiler/NodesCodegen.cpp:
2539         (JSC::BinaryOpNode::emitBytecode):
2540
2541 2015-01-21  Joseph Pecoraro  <pecoraro@apple.com>
2542
2543         Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType
2544         https://bugs.webkit.org/show_bug.cgi?id=140746
2545
2546         Reviewed by Timothy Hatcher.
2547
2548         * inspector/InjectedScriptSource.js:
2549         Do not add impure properties to the descriptor object that will
2550         eventually be sent to the frontend.
2551
2552 2015-01-21  Matthew Mirman  <mmirman@apple.com>
2553
2554         Updated split such that it does not include the empty end of input string match.
2555         https://bugs.webkit.org/show_bug.cgi?id=138129
2556         <rdar://problem/18807403>
2557
2558         Reviewed by Filip Pizlo.
2559
2560         * runtime/StringPrototype.cpp:
2561         (JSC::stringProtoFuncSplit):
2562         * tests/stress/empty_eos_regex_split.js: Added.
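
The end-of-input behaviour this entry refers to follows from the ECMAScript split algorithm, whose scanning loop stops once the search position reaches the end of the string, so an empty match at that position never contributes an extra element. As an added example that is not WebKit code and not the test file listed above, here is a reference implementation of that loop in JavaScript (specSplit and agreesWithBuiltin are my names; a sticky clone of the pattern plays the role of the spec's SplitMatch step) which can be compared against the engine's built-in String.prototype.split:

```javascript
// Added example: reference implementation of the String.prototype.split
// scanning loop (ES5 15.5.4.14, no limit argument), written to show why an
// empty match at the end of the input never yields an extra trailing element.
function specSplit(str, re) {
  // A sticky ('y') clone of the pattern anchors each attempt at exactly
  // lastIndex, which is what the spec's SplitMatch(S, q, R) does.
  const flags = re.flags.replace(/[gy]/g, '') + 'y';
  const sticky = new RegExp(re.source, flags);
  const size = str.length;
  const out = [];

  if (size === 0) {
    // Empty input: one element unless the pattern matches the empty string.
    sticky.lastIndex = 0;
    return sticky.exec(str) ? [] : [str];
  }

  let p = 0; // start of the not-yet-emitted substring
  let q = 0; // current search position
  while (q !== size) {                  // never attempts a match at position `size`
    sticky.lastIndex = q;
    const m = sticky.exec(str);
    if (m === null) { q += 1; continue; }
    const e = q + m[0].length;          // end index of the match
    if (e === p) { q += 1; continue; }  // empty match right at p: skip forward
    out.push(str.slice(p, q));          // substring before the separator
    out.push(...m.slice(1));            // capture groups, if any (undefined when unmatched)
    p = e;
    q = p;
  }
  out.push(str.slice(p));               // the tail after the last separator
  return out;
}

// Does the reference loop agree with the engine's built-in split on this input?
function agreesWithBuiltin(str, re) {
  return JSON.stringify(specSplit(str, re)) === JSON.stringify(str.split(re));
}
```

Because the loop condition is q !== size, a pattern such as /$/ or /c*/ that can match the empty string at the end of "abc" is never tried there; the trailing empty element in "abc".split(/c*/) comes from the non-empty match of "c" at position 2, not from an end-of-input match.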
2563
2564 2015-01-21  Michael Saboff  <msaboff@apple.com>
2565
2566         Eliminate Scope slot from JavaScript CallFrame
2567         https://bugs.webkit.org/show_bug.cgi?id=136724
2568
2569         Reviewed by Geoffrey Garen.
2570
2571         This finishes the removal of the scope chain slot from the call frame header.
2572
2573         * dfg/DFGOSRExitCompilerCommon.cpp:
2574         (JSC::DFG::reifyInlinedCallFrames):
2575         * dfg/DFGPreciseLocalClobberize.h:
2576         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2577         * dfg/DFGSpeculativeJIT32_64.cpp:
2578         (JSC::DFG::SpeculativeJIT::emitCall):
2579         * dfg/DFGSpeculativeJIT64.cpp:
2580         (JSC::DFG::SpeculativeJIT::emitCall):
2581         * ftl/FTLJSCall.cpp:
2582         (JSC::FTL::JSCall::emit):
2583         * ftl/FTLLowerDFGToLLVM.cpp:
2584         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
2585         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
2586         * interpreter/JSStack.h:
2587         * interpreter/VMInspector.cpp:
2588         (JSC::VMInspector::dumpFrame):
2589         * jit/JITCall.cpp:
2590         (JSC::JIT::compileOpCall):
2591         * jit/JITCall32_64.cpp:
2592         (JSC::JIT::compileOpCall):
2593         * jit/JITOpcodes32_64.cpp:
2594         (JSC::JIT::privateCompileCTINativeCall):
2595         * jit/Repatch.cpp:
2596         (JSC::generateByIdStub):
2597         (JSC::linkClosureCall):
2598         * jit/ThunkGenerators.cpp:
2599         (JSC::virtualForThunkGenerator):
2600         (JSC::nativeForGenerator):
2601         Deleted ScopeChain slot from JSStack.  Removed all code where ScopeChain was being
2602         read or set.  In most cases this was where we make JS calls.
2603
2604         * interpreter/CallFrameClosure.h:
2605         (JSC::CallFrameClosure::setArgument):
2606         (JSC::CallFrameClosure::resetCallFrame): Deleted.
2607         * interpreter/Interpreter.cpp:
2608         (JSC::Interpreter::execute):
2609         (JSC::Interpreter::executeCall):
2610         (JSC::Interpreter::executeConstruct):
2611         (JSC::Interpreter::prepareForRepeatCall):
2612         * interpreter/ProtoCallFrame.cpp:
2613         (JSC::ProtoCallFrame::init):
2614         * interpreter/ProtoCallFrame.h:
2615         (JSC::ProtoCallFrame::scope): Deleted.
2616         (JSC::ProtoCallFrame::setScope): Deleted.
2617         * llint/LLIntData.cpp:
2618         (JSC::LLInt::Data::performAssertions):
2619         * llint/LowLevelInterpreter.asm:
2620         * llint/LowLevelInterpreter64.asm:
2621         Removed the related scopeChainValue member from ProtoCallFrame.  Reduced the number of
2622         registers that needed to be copied from the ProtoCallFrame to a callee's frame
2623         from 5 to 4.
2624
2625         * llint/LowLevelInterpreter32_64.asm:
2626         In addition to the prior changes, also deleted the unused macro getDeBruijnScope.
2627
2628 2015-01-21  Michael Saboff  <msaboff@apple.com>
2629
2630         Eliminate construct methods from NullGetterFunction and NullSetterFunction classes
2631         https://bugs.webkit.org/show_bug.cgi?id=140708
2632
2633         Reviewed by Mark Lam.
2634
2635         Eliminated construct methods and changed getConstructData() for both classes to return
2636         ConstructTypeNone as they can never be called.
2637
2638         * runtime/NullGetterFunction.cpp:
2639         (JSC::NullGetterFunction::getConstructData):
2640         (JSC::constructReturnUndefined): Deleted.
2641         * runtime/NullSetterFunction.cpp:
2642         (JSC::NullSetterFunction::getConstructData):
2643         (JSC::constructReturnUndefined): Deleted.
2644
2645 2015-01-21  Csaba Osztrogonác  <ossy@webkit.org>
2646
2647         Remove ENABLE(INSPECTOR) ifdef guards
2648         https://bugs.webkit.org/show_bug.cgi?id=140668
2649
2650         Reviewed by Darin Adler.
2651
2652         * Configurations/FeatureDefines.xcconfig:
2653         * bindings/ScriptValue.cpp:
2654         (Deprecated::ScriptValue::toInspectorValue):
2655         * bindings/ScriptValue.h:
2656         * inspector/ConsoleMessage.cpp:
2657         * inspector/ConsoleMessage.h:
2658         * inspector/ContentSearchUtilities.cpp:
2659         * inspector/ContentSearchUtilities.h:
2660         * inspector/IdentifiersFactory.cpp:
2661         * inspector/IdentifiersFactory.h:
2662         * inspector/InjectedScript.cpp:
2663         * inspector/InjectedScript.h:
2664         * inspector/InjectedScriptBase.cpp:
2665         * inspector/InjectedScriptBase.h:
2666         * inspector/InjectedScriptHost.cpp:
2667         * inspector/InjectedScriptHost.h:
2668         * inspector/InjectedScriptManager.cpp:
2669         * inspector/InjectedScriptManager.h:
2670         * inspector/InjectedScriptModule.cpp:
2671         * inspector/InjectedScriptModule.h:
2672         * inspector/InspectorAgentRegistry.cpp:
2673         * inspector/InspectorBackendDispatcher.cpp:
2674         * inspector/InspectorBackendDispatcher.h:
2675         * inspector/InspectorProtocolTypes.h:
2676         * inspector/JSGlobalObjectConsoleClient.cpp:
2677         * inspector/JSGlobalObjectInspectorController.cpp:
2678         * inspector/JSGlobalObjectInspectorController.h:
2679         * inspector/JSGlobalObjectScriptDebugServer.cpp:
2680         * inspector/JSGlobalObjectScriptDebugServer.h:
2681         * inspector/JSInjectedScriptHost.cpp:
2682         * inspector/JSInjectedScriptHost.h:
2683         * inspector/JSInjectedScriptHostPrototype.cpp:
2684         * inspector/JSInjectedScriptHostPrototype.h:
2685         * inspector/JSJavaScriptCallFrame.cpp:
2686         * inspector/JSJavaScriptCallFrame.h:
2687         * inspector/JSJavaScriptCallFramePrototype.cpp:
2688         * inspector/JSJavaScriptCallFramePrototype.h:
2689         * inspector/JavaScriptCallFrame.cpp:
2690         * inspector/JavaScriptCallFrame.h:
2691         * inspector/ScriptCallFrame.cpp:
2692         (Inspector::ScriptCallFrame::buildInspectorObject):
2693         * inspector/ScriptCallFrame.h:
2694         * inspector/ScriptCallStack.cpp:
2695         (Inspector::ScriptCallStack::buildInspectorArray):
2696         * inspector/ScriptCallStack.h:
2697         * inspector/ScriptDebugServer.cpp:
2698         * inspector/agents/InspectorAgent.cpp:
2699         * inspector/agents/InspectorAgent.h:
2700         * inspector/agents/InspectorConsoleAgent.cpp:
2701         * inspector/agents/InspectorConsoleAgent.h:
2702         * inspector/agents/InspectorDebuggerAgent.cpp:
2703         * inspector/agents/InspectorDebuggerAgent.h:
2704         * inspector/agents/InspectorRuntimeAgent.cpp:
2705         * inspector/agents/InspectorRuntimeAgent.h:
2706         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
2707         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2708         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2709         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2710         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2711         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2712         * inspector/scripts/codegen/cpp_generator_templates.py:
2713         (CppGeneratorTemplates):
2714         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2715         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2716         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2717         * inspector/scripts/tests/expected/enum-values.json-result:
2718         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2719         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2720         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2721         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2722         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2723         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2724         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2725         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2726         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2727         * runtime/TypeSet.cpp:
2728         (JSC::TypeSet::inspectorTypeSet):
2729         (JSC::StructureShape::inspectorRepresentation):
2730
2731 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2732
2733         Web Inspector: Clean up InjectedScriptSource.js
2734         https://bugs.webkit.org/show_bug.cgi?id=140709
2735
2736         Reviewed by Timothy Hatcher.
2737
2738         This patch includes some relevant Blink patches and small changes.
2739         
2740         Patch by <aandrey@chromium.org>
2741         DevTools: Remove console last result $_ on console clear.
2742         https://src.chromium.org/viewvc/blink?revision=179179&view=revision
2743
2744         Patch by <eustas@chromium.org>
2745         [Inspect DOM properties] incorrect CSS Selector Syntax
2746         https://src.chromium.org/viewvc/blink?revision=156903&view=revision
2747
2748         * inspector/InjectedScriptSource.js:
2749
2750 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2751
2752         Web Inspector: Cleanup RuntimeAgent a bit
2753         https://bugs.webkit.org/show_bug.cgi?id=140706
2754
2755         Reviewed by Timothy Hatcher.
2756
2757         * inspector/InjectedScript.h:
2758         * inspector/InspectorBackendDispatcher.h:
2759         * inspector/ScriptCallFrame.cpp:
2760         * inspector/agents/InspectorRuntimeAgent.cpp:
2761         (Inspector::InspectorRuntimeAgent::evaluate):
2762         (Inspector::InspectorRuntimeAgent::getProperties):
2763         (Inspector::InspectorRuntimeAgent::run):
2764         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2765         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2766         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
2767
2768 2015-01-20  Matthew Mirman  <mmirman@apple.com>
2769
2770         Made Identity in the DFG allocate a new temp register and move 
2771         the old data to it.
2772         https://bugs.webkit.org/show_bug.cgi?id=140700
2773         <rdar://problem/19339106>
2774
2775         Reviewed by Filip Pizlo.
2776
2777         * dfg/DFGSpeculativeJIT64.cpp:
2778         (JSC::DFG::SpeculativeJIT::compile): 
2779         Added scratch registers for Identity. 
2780         * tests/mozilla/mozilla-tests.yaml: enabled previously failing test
2781
2782 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2783
2784         Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values
2785         https://bugs.webkit.org/show_bug.cgi?id=137306
2786
2787         Reviewed by Timothy Hatcher.
2788
2789         Provide another optional parameter to getProperties, to gather a list
2790         of all own and getter properties.
2791
2792         * inspector/InjectedScript.cpp:
2793         (Inspector::InjectedScript::getProperties):
2794         * inspector/InjectedScript.h:
2795         * inspector/InjectedScriptSource.js:
2796         * inspector/agents/InspectorRuntimeAgent.cpp:
2797         (Inspector::InspectorRuntimeAgent::getProperties):
2798         * inspector/agents/InspectorRuntimeAgent.h:
2799         * inspector/protocol/Runtime.json:
2800
2801 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2802
2803         Web Inspector: Should show dynamic specificity values
2804         https://bugs.webkit.org/show_bug.cgi?id=140647
2805
2806         Reviewed by Benjamin Poulain.
2807
2808         * inspector/protocol/CSS.json:
2809         Clarify CSSSelector optional values and add "dynamic" property indicating
2810         if the selector can be dynamic based on the element it is matched against.
2811
2812 2015-01-20  Commit Queue  <commit-queue@webkit.org>
2813
2814         Unreviewed, rolling out r178751.
2815         https://bugs.webkit.org/show_bug.cgi?id=140694
2816
2817         Caused 32-bit JSC test failures (Requested by JoePeck on
2818         #webkit).
2819
2820         Reverted changeset:
2821
2822         "put_by_val_direct need to check the property is index or not
2823         for using putDirect / putDirectIndex"
2824         https://bugs.webkit.org/show_bug.cgi?id=140426
2825         http://trac.webkit.org/changeset/178751
2826
2827 2015-01-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2828
2829         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
2830         https://bugs.webkit.org/show_bug.cgi?id=140426
2831
2832         Reviewed by Geoffrey Garen.
2833
2834         In the put_by_val_direct operation, we use JSObject::putDirect.
2835         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
2836         This patch changes Identifier::asIndex() to return Optional<uint32_t>.
2837         It forces callers to check explicitly whether the value is an index or not.
2838         Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
2839
2840         * bytecode/GetByIdStatus.cpp:
2841         (JSC::GetByIdStatus::computeFor):
2842         * bytecode/PutByIdStatus.cpp:
2843         (JSC::PutByIdStatus::computeFor):
2844         * bytecompiler/BytecodeGenerator.cpp:
2845         (JSC::BytecodeGenerator::emitDirectPutById):
2846         * dfg/DFGOperations.cpp:
2847         (JSC::DFG::operationPutByValInternal):
2848         * jit/JITOperations.cpp:
2849         * jit/Repatch.cpp:
2850         (JSC::emitPutTransitionStubAndGetOldStructure):
2851         * jsc.cpp:
2852         * llint/LLIntSlowPaths.cpp:
2853         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2854         * runtime/Arguments.cpp:
2855         (JSC::Arguments::getOwnPropertySlot):
2856         (JSC::Arguments::put):
2857         (JSC::Arguments::deleteProperty):
2858         (JSC::Arguments::defineOwnProperty):
2859         * runtime/ArrayPrototype.cpp:
2860         (JSC::arrayProtoFuncSort):
2861         * runtime/JSArray.cpp:
2862         (JSC::JSArray::defineOwnProperty):
2863         * runtime/JSCJSValue.cpp:
2864         (JSC::JSValue::putToPrimitive):
2865         * runtime/JSGenericTypedArrayViewInlines.h:
2866         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2867         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2868         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2869         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2870         * runtime/JSObject.cpp:
2871         (JSC::JSObject::put):
2872         (JSC::JSObject::putDirectAccessor):
2873         (JSC::JSObject::putDirectCustomAccessor):
2874         (JSC::JSObject::deleteProperty):
2875         (JSC::JSObject::putDirectMayBeIndex):
2876         (JSC::JSObject::defineOwnProperty):
2877         * runtime/JSObject.h:
2878         (JSC::JSObject::getOwnPropertySlot):
2879         (JSC::JSObject::getPropertySlot):
2880         (JSC::JSObject::putDirectInternal):
2881         * runtime/JSString.cpp:
2882         (JSC::JSString::getStringPropertyDescriptor):
2883         * runtime/JSString.h:
2884         (JSC::JSString::getStringPropertySlot):
2885         * runtime/LiteralParser.cpp:
2886         (JSC::LiteralParser<CharType>::parse):
2887         * runtime/PropertyName.h:
2888         (JSC::toUInt32FromCharacters):
2889         (JSC::toUInt32FromStringImpl):
2890         (JSC::PropertyName::asIndex):
2891         * runtime/PropertyNameArray.cpp:
2892         (JSC::PropertyNameArray::add):
2893         * runtime/StringObject.cpp:
2894         (JSC::StringObject::deleteProperty):
2895         * runtime/Structure.cpp:
2896         (JSC::Structure::prototypeChainMayInterceptStoreTo):
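
         The index-versus-name split this entry describes, as an added JavaScript example that is not
         JSC's own code. It models Identifier::asIndex() in script, routes each key of a literal to a
         putDirect or putDirectIndex path accordingly, and checks the resulting own-key order against what
         the ES2015 ordering rules require. The MAX_ARRAY_INDEX value, the function names and the sample
         keys are assumptions made for the example, not taken from the patch.

```javascript
'use strict';

// Assumption: the largest array index JSC accepts is 0xFFFFFFFE, so "4294967294"
// is an index while "4294967295" is an ordinary property name.
const MAX_ARRAY_INDEX = 0xFFFFFFFE;

// Script model of Identifier::asIndex(): returns the index for a canonical decimal
// string in range, otherwise undefined (the empty Optional<uint32_t> case).
// Leading zeros, signs, whitespace and exponents disqualify a name.
function asIndex(name) {
  if (typeof name !== 'string') return undefined;
  if (name === '0') return 0;
  if (!/^[1-9][0-9]{0,9}$/.test(name)) return undefined;
  const n = Number(name);
  return n <= MAX_ARRAY_INDEX ? n : undefined;
}

// Route a direct put the way the entry describes: index names go through the
// indexed-storage path, everything else through the named-property path.
function putDirectMayBeIndex(obj, name, value) {
  const index = asIndex(name);
  const desc = { value, writable: true, enumerable: true, configurable: true };
  if (index !== undefined) {
    Object.defineProperty(obj, index, desc);   // the putDirectIndex path
    return 'putDirectIndex';
  }
  Object.defineProperty(obj, name, desc);      // the putDirect path
  return 'putDirect';
}

// Own-key order the engine must expose (ES2015 OrdinaryOwnPropertyKeys):
// array indices ascending first, then remaining string keys in insertion order.
function expectedOwnKeyOrder(keys) {
  const indices = [], names = [];
  for (const k of keys) (asIndex(k) !== undefined ? indices : names).push(k);
  indices.sort((a, b) => asIndex(a) - asIndex(b));
  return indices.concat(names);
}

// Build an object from a literal-like sequence of direct puts and compare the
// engine's Object.keys() order with the order the spec requires.
function checkLiteral(keys) {
  const o = {};
  const routes = keys.map((k) => putDirectMayBeIndex(o, k, 1));
  const actual = Object.keys(o);
  const expected = expectedOwnKeyOrder(keys);
  return { routes, actual, expected, ok: actual.join() === expected.join() };
}

// Constructed sample: index-like and non-index keys mixed in one literal.
const SAMPLE_KEYS = ['b', '2', '1', '01', 'a', '0'];
```

         Run checkLiteral(SAMPLE_KEYS) to see "01" and "a" stay named properties while "0", "1" and
         "2" take the indexed path and are reported first, in numeric order.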
2897
2898 2015-01-20  Michael Saboff  <msaboff@apple.com>
2899
2900         REGRESSION(178696): Sporadic crashes while garbage collecting
2901         https://bugs.webkit.org/show_bug.cgi?id=140688
2902
2903         Reviewed by Geoffrey Garen.
2904
2905         Added missing visitor.append(&thisObject->m_nullSetterFunction).
2906
2907         * runtime/JSGlobalObject.cpp:
2908         (JSC::JSGlobalObject::visitChildren):
2909
2910 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2911
2912         Web Replay: code generator should take supplemental specifications and allow cross-framework references
2913         https://bugs.webkit.org/show_bug.cgi?id=136312
2914
2915         Reviewed by Joseph Pecoraro.
2916
2917         Some types are shared between replay inputs from different frameworks.
2918         Previously, these type declarations were duplicated in every input
2919         specification file in which they were used. This caused some type encoding
2920         traits to be emitted twice if used from WebCore inputs and WebKit2 inputs.
2921
2922         This patch teaches the replay inputs code generator to accept multiple
2923         input specification files. Inputs can freely reference types from other
2924         frameworks without duplicating declarations.
2925
2926         On the code generation side, the model could contain types and inputs from
2927         frameworks that are not the target framework. Only generate code for the
2928         target framework.
2929
2930         To properly generate cross-framework type encoding traits, use
2931         Type.encoding_type_argument in more places, and add the export macro for WebCore
2932         and the Test framework.
2933
2934         Adjust some tests so that enum coverage is preserved by moving the enum types
2935         into "Test" (the target framework for tests).
2936
2937         * JavaScriptCore.vcxproj/copy-files.cmd:
2938         For Windows, copy over JSInputs.json as if it were a private header.
2939
2940         * JavaScriptCore.xcodeproj/project.pbxproj: Make JSInputs.json a private header.
2941         * replay/JSInputs.json:
2942         Put all primitive types and WTF types in this specification file.
2943
2944         * replay/scripts/CodeGeneratorReplayInputs.py:
2945         (Input.__init__):
2946         (InputsModel.__init__): Keep track of the input's framework.
2947         (InputsModel.parse_specification): Parse the framework here. Adjust to new format,
2948         and allow either types or inputs to be missing from a single file.
2949
2950         (InputsModel.parse_type_with_framework):
2951         (InputsModel.parse_input_with_framework):
2952         (Generator.should_generate_item): Added helper method.
2953         (Generator.generate_header): Filter inputs to generate.
2954         (Generator.generate_implementation): Filter inputs to generate.
2955         (Generator.generate_enum_trait_declaration): Filter enums to generate.
2956         Add WEBCORE_EXPORT macro to enum encoding traits.
2957
2958         (Generator.generate_for_each_macro): Filter inputs to generate.
2959         (Generator.generate_enum_trait_implementation): Filter enums to generate.
2960         (generate_from_specifications): Added.
2961         (generate_from_specifications.parse_json_from_file):
2962         (InputsModel.parse_toplevel): Deleted.
2963         (InputsModel.parse_type_with_framework_name): Deleted.
2964         (InputsModel.parse_input): Deleted.
2965         (generate_from_specification): Deleted.
2966         * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
2967         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Removed.
2968         * replay/scripts/tests/expected/fail-on-no-types.json-error: Removed.
2969         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
2970         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2971         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
2972         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2973         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
2974         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2975         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
2976         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2977         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2978         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2979         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2980         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2981         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json:
2982         * replay/scripts/tests/fail-on-duplicate-enum-type.json:
2983         * replay/scripts/tests/fail-on-duplicate-input-names.json:
2984         * replay/scripts/tests/fail-on-duplicate-type-names.json:
2985         * replay/scripts/tests/fail-on-enum-type-missing-values.json:
2986         * replay/scripts/tests/fail-on-missing-input-member-name.json:
2987         * replay/scripts/tests/fail-on-missing-input-name.json:
2988         * replay/scripts/tests/fail-on-missing-input-queue.json:
2989         * replay/scripts/tests/fail-on-missing-type-mode.json:
2990         * replay/scripts/tests/fail-on-missing-type-name.json:
2991         * replay/scripts/tests/fail-on-no-inputs.json:
2992         Removed, no longer required to be in a single file.
2993
2994         * replay/scripts/tests/fail-on-no-types.json:
2995         Removed, no longer required to be in a single file.
2996
2997         * replay/scripts/tests/fail-on-unknown-input-queue.json:
2998         * replay/scripts/tests/fail-on-unknown-member-type.json:
2999         * replay/scripts/tests/fail-on-unknown-type-mode.json:
3000         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json:
3001         * replay/scripts/tests/generate-enum-encoding-helpers.json:
3002         * replay/scripts/tests/generate-enum-with-guard.json:
3003         Include enums that are and are not generated.
3004
3005         * replay/scripts/tests/generate-enums-with-same-base-name.json:
3006         * replay/scripts/tests/generate-event-loop-shape-types.json:
3007         * replay/scripts/tests/generate-input-with-guard.json:
3008         * replay/scripts/tests/generate-input-with-vector-members.json:
3009         * replay/scripts/tests/generate-inputs-with-flags.json:
3010         * replay/scripts/tests/generate-memoized-type-modes.json:
3011
3012 2015-01-20  Tomas Popela  <tpopela@redhat.com>
3013
3014         [GTK] Cannot compile 2.7.3 on PowerPC machines
3015         https://bugs.webkit.org/show_bug.cgi?id=140616
3016
3017         Include climits for INT_MAX and wtf/DataLog.h for dataLogF
3018
3019         Reviewed by Csaba Osztrogonác.
3020
3021         * runtime/BasicBlockLocation.cpp:
3022
3023 2015-01-19  Michael Saboff  <msaboff@apple.com>
3024
3025         A "cached" null setter should throw a TypeException when called in strict mode and doesn't
3026         https://bugs.webkit.org/show_bug.cgi?id=139418
3027
3028         Reviewed by Filip Pizlo.
3029
3030         Made a new NullSetterFunction class similar to NullGetterFunction.  The difference is that 
3031         NullSetterFunction will throw a TypeError per the ECMA262 spec for a strict mode caller.
3032
3033         * CMakeLists.txt:
3034         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3035         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3036         * JavaScriptCore.xcodeproj/project.pbxproj:
3037         Added new files NullSetterFunction.cpp and NullSetterFunction.h.
3038
3039         * runtime/GetterSetter.h:
3040         (JSC::GetterSetter::GetterSetter):
3041         (JSC::GetterSetter::isSetterNull):
3042         (JSC::GetterSetter::setSetter):
3043         Change setter instances from using NullGetterFunction to using NullSetterFunction.
3044
3045         * runtime/JSGlobalObject.cpp:
3046         (JSC::JSGlobalObject::init):
3047         * runtime/JSGlobalObject.h:
3048         (JSC::JSGlobalObject::nullSetterFunction):
3049         Added m_nullSetterFunction and accessor.
3050
3051         * runtime/NullSetterFunction.cpp: Added.
3052         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
3053         (JSC::GetCallerStrictnessFunctor::operator()):
3054         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
3055         (JSC::callerIsStrict):
3056         Method to determine if the caller is in strict mode.
3057
3058         (JSC::callReturnUndefined):
3059         (JSC::constructReturnUndefined):
3060         (JSC::NullSetterFunction::getCallData):
3061         (JSC::NullSetterFunction::getConstructData):
3062         * runtime/NullSetterFunction.h: Added.
3063         (JSC::NullSetterFunction::create):
3064         (JSC::NullSetterFunction::createStructure):
3065         (JSC::NullSetterFunction::NullSetterFunction):
3066         Class with handlers for a null setter.
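
         The caller-strictness behaviour this entry implements, as an added JavaScript example that is
         not part of JSC. It builds a getter-only accessor (a "null" setter in engine terms) and
         interleaves assignments from a sloppy-mode caller and a strict-mode caller on the same object,
         so an engine that caches the null setter after the first hit still has to throw for the strict
         caller on every later call. The helper names and the iteration count are assumptions.

```javascript
'use strict';

// A getter-only accessor: its GetterSetter holds a null setter.
function makeTarget() {
  return Object.defineProperty({}, 'ro', {
    get() { return 42; },
    enumerable: true,
    configurable: true,
  });
}

// Two callers that hit the same null setter. The sloppy one is built with the
// Function constructor so it stays non-strict even when this file is loaded as
// a strict module; the strict one opts in explicitly.
const sloppyAssign = new Function('o', 'v', 'o.ro = v; return o.ro;');
function strictAssign(o, v) { 'use strict'; o.ro = v; return o.ro; }

// Interleave both callers on one object. Per ECMA-262, the sloppy assignment
// must fail silently and the strict one must throw a TypeError, every time,
// regardless of which caller warmed up the property access.
function exerciseNullSetter(iterations) {
  const o = makeTarget();
  let silent = 0, threw = 0, other = 0;
  for (let i = 0; i < iterations; i++) {
    if (sloppyAssign(o, i) === 42) silent++; else other++;
    try {
      strictAssign(o, i);
      other++;                                   // a strict assignment must not succeed
    } catch (e) {
      if (e instanceof TypeError) threw++; else other++;
    }
  }
  return { silent, threw, other, value: o.ro };
}
```

         exerciseNullSetter(500) should report 500 silent and 500 thrown assignments with the getter
         still returning 42; any count in "other" means a caller saw the wrong behaviour.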
3067
3068 2015-01-19  Saam Barati  <saambarati1@gmail.com>
3069
3070         Web Inspector: Provide a front end for JSC's Control Flow Profiler
3071         https://bugs.webkit.org/show_bug.cgi?id=138454
3072
3073         Reviewed by Timothy Hatcher.
3074
3075         This patch puts the final touches on what JSC needs to provide
3076         for the Web Inspector to show a UI for the control flow profiler.
3077
3078         * inspector/agents/InspectorRuntimeAgent.cpp:
3079         (Inspector::recompileAllJSFunctionsForTypeProfiling):
3080         * runtime/ControlFlowProfiler.cpp:
3081         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
3082         * runtime/FunctionHasExecutedCache.cpp:
3083         (JSC::FunctionHasExecutedCache::getFunctionRanges):
3084         (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges): Deleted.
3085         * runtime/FunctionHasExecutedCache.h:
3086
3087 2015-01-19  David Kilzer  <ddkilzer@apple.com>
3088
3089         [iOS] Only use LLVM static library arguments on 64-bit builds of libllvmForJSC.dylib
3090         <http://webkit.org/b/140658>
3091
3092         Reviewed by Filip Pizlo.
3093
3094         * Configurations/LLVMForJSC.xcconfig: Set OTHER_LDFLAGS_LLVM
3095         only when building for 64-bit architectures.
3096
3097 2015-01-19  Filip Pizlo  <fpizlo@apple.com>
3098
3099         ClosureCallStubRoutine no longer needs codeOrigin
3100         https://bugs.webkit.org/show_bug.cgi?id=140659
3101
3102         Reviewed by Michael Saboff.
3103         
3104         Once upon a time, we would look for the CodeOrigin associated with a return PC. This search
3105         would start with the CodeBlock according to the caller frame's call frame header. But if the
3106         call was a closure call, the return PC would be inside some closure call stub. So if the
3107         CodeBlock search failed, we would search *all* closure call stub routines to see which one
3108         encompasses the return PC. Then, we would use the CodeOrigin stored in the stub routine
3109         object. This was all a bunch of madness, and we actually got rid of it - we now determine
3110         the CodeOrigin for a call frame using the encoded code origin bits inside the tag of the
3111         argument count.
3112         
3113         This patch removes the final vestiges of the madness:
3114         
3115         - Remove the totally unused method declaration for the thing that did the closure call stub
3116           search.
3117         
3118         - Remove the CodeOrigin field from the ClosureCallStubRoutine. Except for that crazy search
3119           that we no longer do, everyone else who finds a ClosureCallStubRoutine will find it via
3120           the CallLinkInfo. The CallLinkInfo also has the CodeOrigin, so we don't need this field
3121           anymore.
3122
3123         * bytecode/CodeBlock.h:
3124         * jit/ClosureCallStubRoutine.cpp:
3125         (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
3126         * jit/ClosureCallStubRoutine.h:
3127         (JSC::ClosureCallStubRoutine::executable):
3128         (JSC::ClosureCallStubRoutine::codeOrigin): Deleted.
3129         * jit/Repatch.cpp:
3130         (JSC::linkClosureCall):
3131
3132 2015-01-19  Saam Barati  <saambarati1@gmail.com>
3133
3134         Basic block start offsets should never be larger than end offsets in the control flow profiler
3135         https://bugs.webkit.org/show_bug.cgi?id=140377
3136
3137         Reviewed by Filip Pizlo.
3138
3139         The bytecode generator will emit code more than once for some AST nodes. For instance, 
3140         the finally block of TryNode will emit two code paths for its finally block: one for 
3141         the normal path, and another for the path where an exception is thrown in the catch block. 
3142         
3143         This repeated code emission of the same AST node previously broke how the control 
3144         flow profiler computed text ranges of basic blocks because when the same AST node 
3145         is emitted multiple times, there is a good chance that there are ranges that span 
3146         from the end offset of one of these duplicated nodes back to the start offset of 
3147         the same duplicated node. This caused a basic block range to report a larger start 
3148         offset than end offset. This was incorrect. Now, when this situation is encountered 
3149         while linking a CodeBlock, the faulty range in question is ignored.
3150
3151         * bytecode/CodeBlock.cpp:
3152         (JSC::CodeBlock::CodeBlock):
3153         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3154         * bytecode/CodeBlock.h:
3155         * bytecompiler/NodesCodegen.cpp:
3156         (JSC::ForInNode::emitMultiLoopBytecode):
3157         (JSC::ForOfNode::emitBytecode):
3158         (JSC::TryNode::emitBytecode):
3159         * parser/Parser.cpp:
3160         (JSC::Parser<LexerType>::parseConditionalExpression):
3161         * runtime/ControlFlowProfiler.cpp:
3162         (JSC::ControlFlowProfiler::ControlFlowProfiler):
3163         * runtime/ControlFlowProfiler.h:
3164         (JSC::ControlFlowProfiler::dummyBasicBlock):
3165
3166 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
3167
3168         [SVG -> OTF Converter] Flip the switch on
3169         https://bugs.webkit.org/show_bug.cgi?id=140592
3170
3171         Reviewed by Antti Koivisto.
3172
3173         * Configurations/FeatureDefines.xcconfig:
3174
3175 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
3176
3177         Web Replay: convert to is<T> and downcast<T> for decoding replay inputs
3178         https://bugs.webkit.org/show_bug.cgi?id=140512
3179
3180         Reviewed by Chris Dumez.
3181
3182         Generate a SPECIALIZE_TYPE_TRAITS_* chunk of code for each input. This cannot
3183         be done using REPLAY_INPUT_NAMES_FOR_EACH macro since that doesn't fully qualify
3184         input types, and the type traits macro is defined in namespace WTF.
3185
3186         * replay/NondeterministicInput.h: Make overridden methods public.
3187         * replay/scripts/CodeGeneratorReplayInputs.py:
3188         (Generator.generate_header):
3189         (Generator.qualified_input_name): Allow forcing qualification. WTF is never a target framework.
3190         (Generator.generate_input_type_trait_declaration): Added.
3191         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Add a template.
3192         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
3193         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
3194         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
3195         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
3196         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
3197         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
3198         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
3199         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
3200
3201 2015-01-19  Commit Queue  <commit-queue@webkit.org>
3202
3203         Unreviewed, rolling out r178653.
3204         https://bugs.webkit.org/show_bug.cgi?id=140634
3205
3206         Broke multiple SVG tests on Mountain Lion (Requested by ap on
3207         #webkit).
3208
3209         Reverted changeset:
3210
3211         "[SVG -> OTF Converter] Flip the switch on"
3212         https://bugs.webkit.org/show_bug.cgi?id=140592
3213         http://trac.webkit.org/changeset/178653
3214
3215 2015-01-18  Dean Jackson  <dino@apple.com>
3216
3217         ES6: Support Array.of construction
3218         https://bugs.webkit.org/show_bug.cgi?id=140605
3219         <rdar://problem/19513655>
3220
3221         Reviewed by Geoffrey Garen.
3222
3223         Add an implementation of Array.of, described in 22.1.2.3 of the ES6
3224         specification (15 Jan 2015). The Array.of() method creates a new Array
3225         instance with a variable number of arguments, regardless of number or type
3226         of the arguments.
3227
3228         * runtime/ArrayConstructor.cpp:
3229         (JSC::arrayConstructorOf): Create a new empty Array, then iterate
3230         over the arguments, setting them to the appropriate index.
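
         The algorithm described above, as an added JavaScript example that is not JSC's native
         implementation: a script-level Array.of that follows the numbered steps of ES6 22.1.2.3,
         including the constructor-aware path for subclasses, alongside the Array constructor it is
         easy to confuse it with. The IsConstructor approximation and the helper names are assumptions.

```javascript
'use strict';

// Script model of ES6 22.1.2.3 Array.of (...items), step by step.
function arrayOf(...items) {
  const len = items.length;                      // 1-2. len is the number of arguments
  const C = this;                                // 3. C is the this value
  // 4. IsConstructor(C), approximated as a callable that has a prototype property
  // (arrow functions, null and plain objects fall through to ArrayCreate).
  const isConstructor = typeof C === 'function' && C.prototype !== undefined;
  const A = isConstructor ? new C(len) : new Array(len);   // 4-5. Construct(C, len) / ArrayCreate(len)
  for (let k = 0; k < len; k++) {                // 6-7. CreateDataPropertyOrThrow(A, k, items[k])
    const ok = Reflect.defineProperty(A, String(k), {
      value: items[k], writable: true, enumerable: true, configurable: true,
    });
    if (!ok) throw new TypeError(`cannot define index ${k}`);
  }
  if (!Reflect.set(A, 'length', len)) {          // 8. Set(A, "length", len, true)
    throw new TypeError('cannot set length');
  }
  return A;                                      // 9. Return A
}

// Where Array.of differs from the Array constructor: a single numeric argument
// becomes an element rather than a length.
function compareWithConstructor(n) {
  return { of: arrayOf(n), ctor: new Array(n) };
}
```

         Calling arrayOf.call(SomeArraySubclass, ...) goes through step 4 and yields an instance of the
         subclass, which is the part a plain "build an array and copy the arguments" loop would miss.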
3231
3232 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
3233
3234         [SVG -> OTF Converter] Flip the switch on
3235         https://bugs.webkit.org/show_bug.cgi?id=140592
3236
3237         Reviewed by Antti Koivisto.
3238
3239         * Configurations/FeatureDefines.xcconfig:
3240
3241 2015-01-17  Brian J. Burg  <burg@cs.washington.edu>
3242
3243         Web Inspector: highlight data for overlay should use protocol type builders
3244         https://bugs.webkit.org/show_bug.cgi?id=129441
3245
3246         Reviewed by Timothy Hatcher.
3247
3248         Add a new domain for overlay types.
3249
3250         * CMakeLists.txt:
3251         * DerivedSources.make:
3252         * inspector/protocol/OverlayTypes.json: Added.
3253
3254 2015-01-17  Michael Saboff  <msaboff@apple.com>
3255
3256         Crash in JSScope::resolve() on tools.ups.com
3257         https://bugs.webkit.org/show_bug.cgi?id=140579
3258
3259         Reviewed by Geoffrey Garen.
3260
3261         For op_resolve_scope of a global property or variable that needs to check for the var
3262         injection check watchpoint, we need to keep the scope around with a Phantom.  The
3263         baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
3264         fired.
3265
3266         * dfg/DFGByteCodeParser.cpp:
3267         (JSC::DFG::ByteCodeParser::parseBlock):
3268
3269 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
3270
3271         Web Inspector: code generator should introduce typedefs for protocol types that are arrays
3272         https://bugs.webkit.org/show_bug.cgi?id=140557
3273
3274         Reviewed by Joseph Pecoraro.
3275
3276         Currently, there is no generated type name for "array" type declarations such as Console.CallStack.
3277         This makes it long-winded and confusing to use the type in C++ code.
3278
3279         This patch adds a typedef for array type declarations, so types such as Console::CallStack
3280         can be referred to directly, rather than using Inspector::Protocol::Array<Console::CallFrame>.
3281
3282         Some tests were updated to cover array type declarations used as parameters and type members.
3283
3284         * inspector/ScriptCallStack.cpp: Use the new typedef.
3285         (Inspector::ScriptCallStack::buildInspectorArray):
3286         * inspector/ScriptCallStack.h:
3287         * inspector/scripts/codegen/cpp_generator.py:
3288         (CppGenerator.cpp_protocol_type_for_type): If an ArrayType is nominal, use the typedef'd name instead.
3289         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3290         (_generate_typedefs_for_domain): Also generate typedefs for array type declarations.
3291         (_generate_typedefs_for_domain.Inspector):
3292         * inspector/scripts/codegen/models.py: Save the name of an ArrayType when it is a type declaration.
3293         (ArrayType.__init__):
3294         (Protocol.resolve_types):
3295         (Protocol.lookup_type_reference):
3296         * inspector/scripts/tests/commands-with-async-attribute.json:
3297         * inspector/scripts/tests/commands-with-optional-call-return-parameters.json:
3298         * inspector/scripts/tests/events-with-optional-parameters.json:
3299         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3300         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3301         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3302         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3303         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3304         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3305         * inspector/scripts/tests/type-declaration-object-type.json:
3306
3307 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
3308
3309         Web Replay: purge remaining PassRefPtr uses and minor cleanup
3310         https://bugs.webkit.org/show_bug.cgi?id=140456
3311
3312         Reviewed by Andreas Kling.
3313
3314         Get rid of PassRefPtr. Introduce default initializers where it makes sense.
3315         Remove mistaken uses of AtomicString that were not removed as part of r174113.
3316
3317         * replay/EmptyInputCursor.h:
3318         * replay/InputCursor.h:
3319         (JSC::InputCursor::InputCursor):
3320
3321 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
3322
3323         Web Inspector: code generator should fail on duplicate parameter and member names
3324         https://bugs.webkit.org/show_bug.cgi?id=140555
3325
3326         Reviewed by Timothy Hatcher.
3327
3328         * inspector/scripts/codegen/models.py:
3329         (find_duplicates): Add a helper function to find duplicates in a list.
3330         (Protocol.parse_type_declaration):
3331         (Protocol.parse_command):
3332         (Protocol.parse_event):
3333         * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Added.
3334         * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Added.
3335         * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Added.
3336         * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Added.
3337         * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Added.
3338         * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Added.
3339         * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Added.
3340         * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Added.
3341
3342 2015-01-16  Michael Saboff  <msaboff@apple.com>
3343
3344         REGRESSION (r174226): Header on huffingtonpost.com is too large
3345         https://bugs.webkit.org/show_bug.cgi?id=140306
3346
3347         Reviewed by Filip Pizlo.
3348
3349         BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the
3350         arguments register or whether we need to resolve "arguments".  If the arguments have
3351         been captured, then they are stored in the lexical environment and the arguments
3352         register is not used.
3353
3354         Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments
3355         register is captured.  Renamed the function to willResolveToArgumentsRegister() to
3356         better indicate what we are checking.
3357
3358         Aligned 32 and 64 bit paths in ArgumentsRecoveryGenerator::generateFor() for creating
3359         an arguments object that was optimized out of an inlined callFrame.  The 32 bit path
3360         incorrectly calculated the location of the reified callee frame.  This