[ES6] Fix name enumeration of static functions for Symbol constructor
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Fix name enumeration of static functions for Symbol constructor
        https://bugs.webkit.org/show_bug.cgi?id=143891

        Reviewed by Geoffrey Garen.

        Fix missing symbolPrototypeTable registration to the js class object.
        This patch fixes name enumeration of static functions (Symbol.key, Symbol.keyFor) for Symbol constructor.

        * runtime/SymbolConstructor.cpp:

2015-04-17  Basile Clement  <basile_clement@apple.com>

        Inline JSFunction allocation in DFG
        https://bugs.webkit.org/show_bug.cgi?id=143858

        Reviewed by Filip Pizlo.

        Followup to my previous patch which inlines JSFunction allocation when
        using FTL, now also enabled in DFG.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):

2015-04-16  Jordan Harband  <ljharb@gmail.com>

        Number.parseInt is not === global parseInt in nightly r182673
        https://bugs.webkit.org/show_bug.cgi?id=143799

        Reviewed by Darin Adler.

        Ensuring parseInt === Number.parseInt, per spec
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::parseIntFunction):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):

2015-04-16  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLOOP build after r182927.

        Not reviewed.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::print):

2015-04-16  Basile Clement  <basile_clement@apple.com>

        Inline JSFunction allocation in FTL
        https://bugs.webkit.org/show_bug.cgi?id=143851

        Reviewed by Filip Pizlo.

        JSFunction allocation is a simple operation that should be inlined when possible.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationSize):

2015-04-16  Mark Lam  <mark.lam@apple.com>

        Add $vm debugging tool.
        https://bugs.webkit.org/show_bug.cgi?id=143809

        Reviewed by Geoffrey Garen.

        For debugging VM bugs, it would be useful to be able to dump VM data structures
        from JS code that we instrument.  To this end, let's introduce a
        JS_enableDollarVM option that, if true, installs an $vm property into each JS
        global object at creation time.  The $vm property refers to an object that
        provides a collection of useful utility functions.  For this initial
        implementation, $vm will have the following:

            crash() - trigger an intentional crash.

            dfgTrue() - returns true if the current function is DFG compiled, else returns false.
            jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
            llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.

            gc() - runs a full GC.
            edenGC() - runs an eden GC.

            codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
            printSourceFor(codeBlock) - prints the source code for the codeBlock.
            printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.

            print(str) - prints a string to dataLog output.
            printCallFrame() - prints the current CallFrame.
            printStack() - prints the JS stack.
            printInternal(value) - prints the JSC internal info for the specified value.

        With JS_enableDollarVM=true, JS code can use the above functions like so:

            $vm.print("Using $vm features\n");

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
          Hence, we skip this step if we're dumping an FTL codeBlock.

        * heap/Heap.cpp:
        (JSC::Heap::collectAndSweep):
        (JSC::Heap::collectAllGarbage): Deleted.
        * heap/Heap.h:
        (JSC::Heap::collectAllGarbage):
        - Add ability to do an Eden collection and sweep.

        * interpreter/StackVisitor.cpp:
        (JSC::printIndents):
        (JSC::log):
        (JSC::logF):
        (JSC::StackVisitor::Frame::print):
        (JSC::jitTypeName): Deleted.
        (JSC::printif): Deleted.
        - Modernize the implementation of StackVisitor::Frame::print(), and remove some
          now redundant code.
        - Also fix it so that it downgrades gracefully when encountering inlined DFG
          and compiled FTL functions.

        (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
        (DebugPrintFrameFunctor::operator()): Deleted.
        (debugPrintCallFrame): Deleted.
        (debugPrintStack): Deleted.
        - these have been moved into JSDollarVMPrototype.cpp.

        * interpreter/StackVisitor.h:
        - StackVisitor::Frame::print() is now enabled for release builds as well so that
          we can call it from $vm.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
          option.

        * runtime/Options.h:
        - Added the JSC_enableDollarVM option.

        * tools/JSDollarVM.cpp: Added.
        * tools/JSDollarVM.h: Added.
        (JSC::JSDollarVM::createStructure):
        (JSC::JSDollarVM::create):
        (JSC::JSDollarVM::JSDollarVM):

        * tools/JSDollarVMPrototype.cpp: Added.
        - This file contains 2 sets of functions:

          a. a C++ implementation of debugging utility functions that are callable when
             doing debugging from lldb.  To the extent possible, these functions try to
             be cautious and not cause unintended crashes should the user call them with
             the wrong info.  Hence, they are designed to be robust rather than speedy.

          b. the native implementations of JS functions in the $vm object.  Where there
             is overlapping functionality, these are built on top of the C++ functions
             above to do the work.

          Note: it does not make sense for all of the $vm functions to have a C++
          counterpart for lldb debugging.  For example, the $vm.dfgTrue() function is
          only useful for JS code, and works via the DFG intrinsics mechanism.
          When doing debugging via lldb, the optimization level of the currently
          executing JS function can be gotten by dumping the current CallFrame instead.

        (JSC::currentThreadOwnsJSLock):
        (JSC::ensureCurrentThreadOwnsJSLock):
        (JSC::JSDollarVMPrototype::addFunction):
        (JSC::functionCrash): - $vm.crash()
        (JSC::functionDFGTrue): - $vm.dfgTrue()
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::operator()):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue): - $vm.llintTrue()
        (JSC::functionJITTrue): - $vm.jitTrue()
        (JSC::gc):
        (JSC::functionGC): - $vm.gc()
        (JSC::edenGC):
        (JSC::functionEdenGC): - $vm.edenGC()
        (JSC::isValidCodeBlock):
        (JSC::codeBlockForFrame):
        (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
        (JSC::codeBlockFromArg):
        (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
        (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
        (JSC::functionPrint): - $vm.print(str)
        (JSC::PrintFrameFunctor::PrintFrameFunctor):
        (JSC::PrintFrameFunctor::operator()):
        (JSC::printCallFrame):
        (JSC::printStack):
        (JSC::functionPrintCallFrame): - $vm.printCallFrame()
        (JSC::functionPrintStack): - $vm.printStack()
        (JSC::printValue):
        (JSC::functionPrintValue): - $vm.printValue()
        (JSC::JSDollarVMPrototype::finishCreation):
        * tools/JSDollarVMPrototype.h: Added.
        (JSC::JSDollarVMPrototype::create):
        (JSC::JSDollarVMPrototype::createStructure):
        (JSC::JSDollarVMPrototype::JSDollarVMPrototype):

2015-04-16  Geoffrey Garen  <ggaren@apple.com>

        Speculative fix after r182915
        https://bugs.webkit.org/show_bug.cgi?id=143404

        Reviewed by Alexey Proskuryakov.

        * runtime/SymbolConstructor.h:

2015-04-16  Mark Lam  <mark.lam@apple.com>

        Fixed some typos in a comment.

        Not reviewed.

        * dfg/DFGGenerationInfo.h:

2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Symbol.for and Symbol.keyFor
        https://bugs.webkit.org/show_bug.cgi?id=143404

        Reviewed by Geoffrey Garen.

        This patch implements Symbol.for and Symbol.keyFor.
        SymbolRegistry maintains registered StringImpl* symbols.
        And to make this mapping enabled over realms,
        VM owns this mapping (not JSGlobalObject).

        While there's Default AtomicStringTable per thread,
        SymbolRegistry should not exist over VMs.
        So every time a VM is created, a SymbolRegistry is also created.

        In the SymbolRegistry implementation, we don't leverage WeakGCMap (or a weak reference design).
        There are several reasons.
        1. StringImpl*, which represents the identity of Symbols, is not a GC-managed object.
           So we cannot use WeakGCMap directly.
           While Symbol* is a GC-managed object, holding a weak reference to a Symbol* doesn't maintain the liveness of JS symbols (the primitive values exposed to users),
           because distinct Symbol* can exist.
           Distinct Symbol* means a Symbol* object whose pointer value (Symbol*) is different from the weakly referenced Symbol* but whose held StringImpl* is the same.

        2. We don't use WTF::WeakPtr. If we add a WeakPtrFactory into StringImpl's members, we can track StringImpl*'s liveness by WeakPtr.
           However, there's a problem about when we prune stale entries in SymbolRegistry.
           The memory allocated for the Symbol is typically occupied by the symbolized StringImpl*'s content,
           and it is not in the GC heap.
           While heavily registering Symbols and storing StringImpl* into SymbolRegistry, Heap's EdenSpace is not so occupied.
           So GC typically attempts to perform EdenCollection, and it doesn't call WeakGCMap's pruneStaleEntries callback.
           As a result, before pruning stale entries in SymbolRegistry, fast malloc-ed memory fills up the system memory.

        So instead of using weak references, we take a relatively easy design.
        When we register a symbolized StringImpl* into SymbolRegistry, the symbolized StringImpl* is aware of that.
        And when destructing it, it removes its reference from SymbolRegistry, as an atomic StringImpl does with AtomicStringTable.

        * CMakeLists.txt:
        * DerivedSources.make:
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::getOwnPropertySlot):
        (JSC::symbolConstructorFor):
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolConstructor.h:
        * runtime/VM.cpp:
        * runtime/VM.h:
        (JSC::VM::symbolRegistry):
        * tests/stress/symbol-registry.js: Added.
        (test):

2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Use specific functions for @@iterator functions
        https://bugs.webkit.org/show_bug.cgi?id=143838

        Reviewed by Geoffrey Garen.

        In ES6, some methods are defined with different names.

        For example,

        Map.prototype[Symbol.iterator] === Map.prototype.entries
        Set.prototype[Symbol.iterator] === Set.prototype.values
        Array.prototype[Symbol.iterator] === Array.prototype.values
        %Arguments%[Symbol.iterator] === Array.prototype.values

        However, current implementation creates different function objects per name.
        This patch fixes it by setting the object that is used for the other method to @@iterator.
        e.g. Setting Array.prototype.values function object to Array.prototype[Symbol.iterator].

        And we drop Arguments' iterator implementation and replace the Arguments[@@iterator] implementation
        with Array.prototype.values to conform to the spec.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * runtime/ArgumentsIteratorConstructor.cpp: Removed.
        * runtime/ArgumentsIteratorConstructor.h: Removed.
        * runtime/ArgumentsIteratorPrototype.cpp: Removed.
        * runtime/ArgumentsIteratorPrototype.h: Removed.
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::put):
        (JSC::ClonedArguments::deleteProperty):
        (JSC::ClonedArguments::defineOwnProperty):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/ClonedArguments.h:
        * runtime/CommonIdentifiers.h:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/JSArgumentsIterator.cpp: Removed.
        * runtime/JSArgumentsIterator.h: Removed.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayProtoValuesFunction):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::overrideThings):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * tests/stress/arguments-iterator.js: Added.
        (test):
        (testArguments):
        * tests/stress/iterator-functions.js: Added.
        (test):
        (argumentsTests):

2015-04-14  Mark Lam  <mark.lam@apple.com>

        Add JSC_functionOverrides=<overrides file> debugging tool.
        https://bugs.webkit.org/show_bug.cgi?id=143717

        Reviewed by Geoffrey Garen.

        This tool allows us to do runtime replacement of function bodies with alternatives
        for debugging purposes.  For example, this is useful when we need to debug VM bugs
        which manifest in scripts executing in webpages downloaded from remote servers
        that we don't control.  The tool allows us to augment those scripts with logging
        or test code to help isolate the bugs.

        This tool works by substituting the SourceCode at FunctionExecutable creation
        time.  It identifies which SourceCode to substitute by comparing the source
        string against keys in a set of key value pairs.

        The keys are function body strings defined by 'override' clauses in the overrides
        file specified in the JSC_functionOverrides option.  The values are function
        body strings defined by 'with' clauses in the overrides file.
        See the comment block at the top of FunctionOverrides.cpp for the format
        of the overrides file.

        At FunctionExecutable creation time, if the SourceCode string matches one of the
        'override' keys from the overrides file, the tool will replace the SourceCode with
        a new one based on the corresponding 'with' value string.  The FunctionExecutable
        will then be created with the new SourceCode instead.

        Some design decisions:
        1. We opted to require that the 'with' clause appear on a separate line from the
           'override' clause because this makes it easier to read and write when the
           'override' clause's function body is single lined and long.

        2. The user can use any sequence of characters for the delimiter (except for '{',
           '}' and white space characters) because this ensures that there can always be
           some delimiter pattern that does not appear in the function body in the clause
           e.g. in the body of strings in the JS code.

           '{' and '}' are disallowed because they are used to mark the boundaries of the
           function body string.  White space characters are disallowed because they can
           be error prone (the user may not be able to tell between spaces and tabs).

        3. The start and end delimiter must be an identical sequence of characters.

           I had considered allowing the use of complementary characters like <>, [], and
           () for making delimiter pairs like:
               [[[[ ... ]]]]
               <[([( ... )])]>

           But in the end, decided against it because:
           a. These sequences of complementary characters can exist in JS code.
              In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
              code.
           b. It can be error prone for the user to have to type the exact complement
              character for the end delimiter in reverse order.
              In contrast, a repeating delimiter like %%%% is much easier to type and
              less error prone.  Even a sequence like @#$%^ is less error prone than
              a complementary sequence because it can be copy-pasted, and need not be
              typed in reverse order.
           c. It is easier to parse for the same delimiter string for both start and end.

        4. The tool does a lot of checks for syntax errors in the overrides file because
           we don't want any overrides to fail silently.  If a syntax error is detected,
           the tool will print an error message and call exit().  This avoids the user
           wasting time doing debugging only to be surprised later that their specified
           overrides did not take effect because of some unnoticed typo.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * runtime/Executable.h:
        * runtime/Options.h:
        * tools/FunctionOverrides.cpp: Added.
        (JSC::FunctionOverrides::overrides):
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::initializeOverrideInfo):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::hasDisallowedCharacters):
        (JSC::parseClause):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/FunctionOverrides.h: Added.

2015-04-16  Basile Clement  <basile_clement@apple.com>

        Extract the allocation profile from JSFunction into a rare object
        https://bugs.webkit.org/show_bug.cgi?id=143807

        Reviewed by Filip Pizlo.

        The allocation profile is only needed for those functions that are used
        to create objects with [new].
        Extracting it into its own JSCell removes the need for JSFunction and
        JSCallee to be JSDestructibleObjects, which should improve performance in most
        cases at the cost of an extra pointer dereference when the allocation profile
        is actually needed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionRareData.cpp: Added.
        (JSC::FunctionRareData::create):
        (JSC::FunctionRareData::destroy):
        (JSC::FunctionRareData::createStructure):
        (JSC::FunctionRareData::visitChildren):
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::~FunctionRareData):
        (JSC::FunctionRareData::finishCreation):
        * runtime/FunctionRareData.h: Added.
        (JSC::FunctionRareData::offsetOfAllocationProfile):
        (JSC::FunctionRareData::allocationProfile):
        (JSC::FunctionRareData::allocationStructure):
        (JSC::FunctionRareData::allocationProfileWatchpointSet):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::destroy): Deleted.
        * runtime/JSBoundFunction.h:
        * runtime/JSCallee.cpp:
        (JSC::JSCallee::destroy): Deleted.
        * runtime/JSCallee.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::createRareData):
        (JSC::JSFunction::visitChildren):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::destroy): Deleted.
        (JSC::JSFunction::createAllocationProfile): Deleted.
        * runtime/JSFunction.h:
        (JSC::JSFunction::offsetOfRareData):
        (JSC::JSFunction::rareData):
        (JSC::JSFunction::allocationStructure):
        (JSC::JSFunction::allocationProfileWatchpointSet):
        (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
        (JSC::JSFunction::allocationProfile): Deleted.
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>

        Remove the unnecessary WTF_CHANGES define
        https://bugs.webkit.org/show_bug.cgi?id=143825

        Reviewed by Andreas Kling.

        * config.h:

2015-04-15  Andreas Kling  <akling@apple.com>

        Make MarkedBlock and WeakBlock 4x smaller.
        <https://webkit.org/b/143802>

        Reviewed by Mark Hahnenberg.

        To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
        and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.

        In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
        Some examples:

                   apple.com:  6.3MB ->  5.5MB (14.5% smaller)
                  reddit.com:  4.5MB ->  4.1MB ( 9.7% smaller)
                 twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
            cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)

        Benchmarks look mostly neutral.
        Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.

        * heap/MarkedBlock.h:
        * heap/WeakBlock.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:

2015-04-15  Jordan Harband  <ljharb@gmail.com>

        String.prototype.startsWith/endsWith/includes have wrong length in r182673
        https://bugs.webkit.org/show_bug.cgi?id=143659

        Reviewed by Benjamin Poulain.

        Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2015-04-15  Mark Lam  <mark.lam@apple.com>

        Remove obsolete VMInspector debugging tool.
        https://bugs.webkit.org/show_bug.cgi?id=143798

        Reviewed by Michael Saboff.

        I added the VMInspector tool 3 years ago to aid in VM hacking work.  Some of it
        has bit rotted, and now the VM also has better ways to achieve its functionality.
        Hence this code is now obsolete and should be removed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        * interpreter/VMInspector.cpp: Removed.
        * interpreter/VMInspector.h: Removed.
        * llint/LowLevelInterpreter.cpp:

2015-04-15  Jordan Harband  <ljharb@gmail.com>

        Math.imul has wrong length in Safari 8.0.4
        https://bugs.webkit.org/show_bug.cgi?id=143658

        Reviewed by Benjamin Poulain.

        Correcting function length from 1, to 2, to match spec
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):

2015-04-15  Jordan Harband  <ljharb@gmail.com>

        Number.parseInt in nightly r182673 has wrong length
        https://bugs.webkit.org/show_bug.cgi?id=143657

        Reviewed by Benjamin Poulain.

        Correcting function length from 1, to 2, to match spec
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint

        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):

2015-04-15  Filip Pizlo  <fpizlo@apple.com>

        Harden DFGForAllKills
        https://bugs.webkit.org/show_bug.cgi?id=143792

        Reviewed by Geoffrey Garen.

        Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
        bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.

        Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
        that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:

        - It looks for kill sites at forExit origin boundaries. But, something might have been killed
          by an operation that was logically in between the forExit origins at the boundary, but was
          removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
          gaps.

        - It overlooked the fact that a MovHint that addresses a local that is always live kills that
          local. For example, storing to an argument means that the prior value of the argument is
          killed.

        This fixes the analysis by making it handle MovHints directly, and making it define kills in
        the most conservative way possible: it asks if you were live before but dead after. If we
        have the compile time budget to afford this more direct approach, then it's definitely a good
        idea since it's so fool-proof.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGForAllKills.h:
        (JSC::DFG::forAllKilledOperands):
        (JSC::DFG::forAllKilledNodesAtNodeIndex):
        (JSC::DFG::forAllDirectlyKilledOperands): Deleted.

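The kill definition this entry adopts, worked through on a constructed toy as an added example (not JSC's DFGForAllKills.h): liveness is computed over the whole bytecode, so a local killed by an instruction the DFG dropped is still reported at the next node boundary, and a MovHint into a still-live local reports that local as killed. Bytecode ops, local names and the DFG node list are all made up for the illustration.

```javascript
// Added example, not JSC code. Constructed toy bytecode: `uses` are the locals
// an instruction reads, `def` the local it writes (null for none).
const BYTECODE = [
  /* 0 */ { op: "mov", uses: ["t0"], def: "arg0" },     // stores into an argument
  /* 1 */ { op: "add", uses: ["arg0", "t1"], def: "t2" },
  /* 2 */ { op: "profile", uses: ["t1"], def: null },   // last use of t1
  /* 3 */ { op: "ret", uses: ["t2"], def: null },
];
// Toy stand-in for "always live": arguments stay live for the whole function.
const ALWAYS_LIVE = ["arg0"];

// Full backward liveness over the bytecode:
//   liveIn[i] = uses(i) ∪ (liveIn[i+1] \ {def(i)}) ∪ ALWAYS_LIVE
// Returns one Set per bytecode offset plus one for "after the last instruction".
function computeLiveIn(bytecode, alwaysLive) {
  const liveIn = new Array(bytecode.length + 1);
  liveIn[bytecode.length] = new Set(alwaysLive);
  for (let i = bytecode.length - 1; i >= 0; i--) {
    const live = new Set(liveIn[i + 1]);
    if (bytecode[i].def !== null) live.delete(bytecode[i].def);
    for (const u of bytecode[i].uses) live.add(u);
    for (const a of alwaysLive) live.add(a);
    liveIn[i] = live;
  }
  return liveIn;
}

// Operands killed on the transition nodeBefore -> nodeAfter. nodeAfter === null
// means the end of the graph, where everything still live is killed.
function killedOperands(liveIn, nodeBefore, nodeAfter) {
  const before = liveIn[nodeBefore.origin];
  if (nodeAfter === null) return [...before].sort();
  const after = liveIn[nodeAfter.origin];
  const kills = new Set();
  // Rule 1: a MovHint into a local that is live afterwards kills its old value,
  // even though the local itself never leaves the live set.
  if (nodeAfter.movHint !== null && after.has(nodeAfter.movHint)) kills.add(nodeAfter.movHint);
  // Rule 2: live before, dead after. Comparing live sets at the two exit origins
  // catches kills done by bytecode the DFG has no node for (instruction gaps).
  for (const reg of before) if (!after.has(reg)) kills.add(reg);
  return [...kills].sort();
}

// Constructed DFG node list carrying forExit origins. Note the gap: no node has
// origin 2 (the profile op was dropped), yet that is where t1 dies.
const DFG_NODES = [
  { name: "GetLocal(t0)", origin: 0, movHint: null },
  { name: "MovHint(arg0)", origin: 0, movHint: "arg0" },
  { name: "ArithAdd", origin: 1, movHint: null },
  { name: "Return", origin: 3, movHint: null },
];

// Report what each consecutive node transition kills.
function killsPerTransition(bytecode, alwaysLive, nodes) {
  const liveIn = computeLiveIn(bytecode, alwaysLive);
  const result = [];
  for (let i = 0; i < nodes.length; i++) {
    const next = i + 1 < nodes.length ? nodes[i + 1] : null;
    result.push({
      from: nodes[i].name,
      to: next === null ? "<end>" : next.name,
      kills: killedOperands(liveIn, nodes[i], next),
    });
  }
  return result;
}

for (const t of killsPerTransition(BYTECODE, ALWAYS_LIVE, DFG_NODES))
  console.log(`${t.from} -> ${t.to}: kills [${t.kills.join(", ")}]`);
```

The MovHint transition reports arg0 although arg0 is live on both sides, and the ArithAdd -> Return transition reports t1 although no DFG node corresponds to the instruction that last used it.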
2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>

        Provide SPI to allow changing whether JSContexts are remote debuggable by default
        https://bugs.webkit.org/show_bug.cgi?id=143681

        Reviewed by Darin Adler.

        * API/JSRemoteInspector.h:
        * API/JSRemoteInspector.cpp:
        (JSRemoteInspectorGetInspectionEnabledByDefault):
        (JSRemoteInspectorSetInspectionEnabledByDefault):
        Provide SPI to toggle the default enabled inspection state of debuggables.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        Respect the default setting.

2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore: Use kCFAllocatorDefault where possible
        https://bugs.webkit.org/show_bug.cgi?id=143747

        Reviewed by Darin Adler.

        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::HeapTimer):
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorInitializeGlobalQueue):
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
        For consistency and readability use the constant instead of
        different representations of null.

2015-04-14  Michael Saboff  <msaboff@apple.com>

        Remove JavaScriptCoreUseJIT default from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=143746

        Reviewed by Mark Lam.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2015-04-14  Chris Dumez  <cdumez@apple.com>

        Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
        https://bugs.webkit.org/show_bug.cgi?id=143745
        <rdar://problem/20243916>

        Reviewed by Joseph Pecoraro.

        Add assertion in ContentSearchUtilities::findMagicComment() to make
        sure the content String is not null or we would crash in
        JSC::Yarr::interpret() later.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):

2015-04-14  Michael Saboff  <msaboff@apple.com>

        DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
        https://bugs.webkit.org/show_bug.cgi?id=143727

        Reviewed by Geoffrey Garen.

        Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
        with the requested fill format.  If filter() reports a contradiction, then we force an OSR exit.
        Removed individual checks made redundant by the new check.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):

2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>

        Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
718         https://bugs.webkit.org/show_bug.cgi?id=143691
719
720         Reviewed by Geoffrey Garen.
721
722         * API/JSRemoteInspector.h:
723         * API/JSRemoteInspector.cpp:
724         (JSRemoteInspectorSetLogToSystemConsole):
725         Add SPI to enable/disable logging to the system console.
726         This only affects JSContext `console` logs and warnings.
727
728         * inspector/JSGlobalObjectConsoleClient.h:
729         * inspector/JSGlobalObjectConsoleClient.cpp:
730         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
731         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
732         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
733         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
734         Simplify access to the setting now that it doesn't need to
735         initialize its value from preferences.
736
737 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
738
739         Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
740         https://bugs.webkit.org/show_bug.cgi?id=143682
741
742         Reviewed by Timothy Hatcher.
743
744         * inspector/remote/RemoteInspector.mm:
745         (Inspector::RemoteInspector::singleton):
746         If we are on the main thread, run the initialization immediately.
747         Otherwise dispatch to the main thread. This way if the first JSContext
748         was created on the main thread it can get auto-attached if applicable.
749
750 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
751
752         Unreviewed build fix for Mavericks.
753
754         Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
755         so the Inspector namespace is not available when compiling this file.
756
757         * API/JSRemoteInspector.cpp:
758
759 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
760
761         Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
762         https://bugs.webkit.org/show_bug.cgi?id=143729
763
764         Reviewed by Timothy Hatcher.
765
766         * API/JSRemoteInspector.h: Added.
767         * API/JSRemoteInspector.cpp: Added.
768         (JSRemoteInspectorDisableAutoStart):
769         (JSRemoteInspectorStart):
770         (JSRemoteInspectorSetParentProcessInformation):
771         Add the new SPIs for basic remote inspection behavior.
772
773         * JavaScriptCore.xcodeproj/project.pbxproj:
774         Add the new files to Mac only, since remote inspection is only
775         enabled there anyway.
776
777 2015-04-14  Mark Lam  <mark.lam@apple.com>
778
779         Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
780         https://bugs.webkit.org/show_bug.cgi?id=143722
781
782         Reviewed by Michael Saboff.
783
784         Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
785         shorter, and easier to remember (without having to look it up) and to
786         type.  JSC options now support descriptions, and one can always look up
787         the description if the option's purpose is not already obvious.
788
789         * dfg/DFGFunctionWhitelist.cpp:
790         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
791         (JSC::DFG::FunctionWhitelist::contains):
792         * runtime/Options.h:
793
794 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
795
796         Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
797
798         * runtime/InferredValue.h:
799
800 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
801
802         Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
803
804         * runtime/InferredValue.h:
805
806 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
807
808         JSC should detect singleton functions
809         https://bugs.webkit.org/show_bug.cgi?id=143232
810
811         Reviewed by Geoffrey Garen.
812         
813         This started out as an attempt to make constructors faster by detecting when a constructor is a
814         singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
815         along with an inferred value - that detects if only one JSFunction has been allocated for that
816         executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
817         if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
818         we can constant-fold GetCallee.
819         
820         Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
821         process I realized a bunch of things:
822         
823         - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
824           had even in code where our singleton-closure detection worked. That's because singleton-closure
825           inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
826           the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
827           disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
828           values.
829           
830         - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
831           created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
832           FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
833         
834         - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
835           detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
836           about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
837           SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
838           First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
839           scope. This saves compile times and it allows prediction propagation to benefit from the
840           constant folding. Second, it means that we will detect a singleton scope even if it is
841           referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
842           allows us to eliminate the function reentry watchpoint.
843         
844         - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
845           constant values in scopes. Previously when the DFG inferred that a closure variable was
846           constant, it wouldn't know which closure that variable was in and so it couldn't just load that
847           value. But now we are first inferring that the function is a singleton, which means that we
848           know exactly what scope it points to, and we can load the value from the scope. Using a
849           WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
850           code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
851           I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
852           FunctionExecutable wants.
853         
854         This also has the effect of simplifying the implementation of block scoping. Prior to this
855         change, block scoping would have needed to have some story for the function reentry watchpoint on
856         any nested symbol table. That's totally weird to think about; it's not really a function reentry
857         but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
858         will "just work": if we prove that we know the constant value of the scope then the machinery
859         kicks in, otherwise it doesn't.
860         
861         This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
862
863         * CMakeLists.txt:
864         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
865         * JavaScriptCore.xcodeproj/project.pbxproj:
866         * bytecode/BytecodeList.json:
867         * bytecode/BytecodeUseDef.h:
868         (JSC::computeUsesForBytecodeOffset):
869         (JSC::computeDefsForBytecodeOffset):
870         * bytecode/CodeBlock.cpp:
871         (JSC::CodeBlock::dumpBytecode):
872         (JSC::CodeBlock::CodeBlock):
873         (JSC::CodeBlock::finalizeUnconditionally):
874         (JSC::CodeBlock::valueProfileForBytecodeOffset):
875         * bytecode/CodeBlock.h:
876         (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
877         * bytecode/CodeOrigin.cpp:
878         (JSC::InlineCallFrame::calleeConstant):
879         (JSC::InlineCallFrame::visitAggregate):
880         * bytecode/CodeOrigin.h:
881         (JSC::InlineCallFrame::calleeConstant): Deleted.
882         (JSC::InlineCallFrame::visitAggregate): Deleted.
883         * bytecode/Instruction.h:
884         * bytecode/VariableWatchpointSet.cpp: Removed.
885         * bytecode/VariableWatchpointSet.h: Removed.
886         * bytecode/VariableWatchpointSetInlines.h: Removed.
887         * bytecode/VariableWriteFireDetail.cpp: Added.
888         (JSC::VariableWriteFireDetail::dump):
889         (JSC::VariableWriteFireDetail::touch):
890         * bytecode/VariableWriteFireDetail.h: Added.
891         (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
892         * bytecode/Watchpoint.h:
893         (JSC::WatchpointSet::stateOnJSThread):
894         (JSC::WatchpointSet::startWatching):
895         (JSC::WatchpointSet::fireAll):
896         (JSC::WatchpointSet::touch):
897         (JSC::WatchpointSet::invalidate):
898         (JSC::InlineWatchpointSet::stateOnJSThread):
899         (JSC::InlineWatchpointSet::state):
900         (JSC::InlineWatchpointSet::hasBeenInvalidated):
901         (JSC::InlineWatchpointSet::invalidate):
902         (JSC::InlineWatchpointSet::touch):
903         * bytecompiler/BytecodeGenerator.cpp:
904         (JSC::BytecodeGenerator::BytecodeGenerator):
905         * dfg/DFGAbstractInterpreterInlines.h:
906         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
907         * dfg/DFGByteCodeParser.cpp:
908         (JSC::DFG::ByteCodeParser::get):
909         (JSC::DFG::ByteCodeParser::parseBlock):
910         (JSC::DFG::ByteCodeParser::getScope): Deleted.
911         * dfg/DFGCapabilities.cpp:
912         (JSC::DFG::capabilityLevel):
913         * dfg/DFGClobberize.h:
914         (JSC::DFG::clobberize):
915         * dfg/DFGDesiredWatchpoints.cpp:
916         (JSC::DFG::InferredValueAdaptor::add):
917         (JSC::DFG::DesiredWatchpoints::addLazily):
918         (JSC::DFG::DesiredWatchpoints::reallyAdd):
919         (JSC::DFG::DesiredWatchpoints::areStillValid):
920         * dfg/DFGDesiredWatchpoints.h:
921         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
922         (JSC::DFG::DesiredWatchpoints::isWatched):
923         * dfg/DFGGraph.cpp:
924         (JSC::DFG::Graph::dump):
925         (JSC::DFG::Graph::tryGetConstantClosureVar):
926         * dfg/DFGNode.h:
927         (JSC::DFG::Node::hasWatchpointSet):
928         (JSC::DFG::Node::watchpointSet):
929         (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
930         (JSC::DFG::Node::variableWatchpointSet): Deleted.
931         * dfg/DFGOperations.cpp:
932         * dfg/DFGOperations.h:
933         * dfg/DFGSpeculativeJIT.cpp:
934         (JSC::DFG::SpeculativeJIT::compileNewFunction):
935         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
936         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
937         * dfg/DFGSpeculativeJIT.h:
938         (JSC::DFG::SpeculativeJIT::callOperation):
939         * dfg/DFGSpeculativeJIT32_64.cpp:
940         (JSC::DFG::SpeculativeJIT::compile):
941         * dfg/DFGSpeculativeJIT64.cpp:
942         (JSC::DFG::SpeculativeJIT::compile):
943         * dfg/DFGVarargsForwardingPhase.cpp:
944         * ftl/FTLIntrinsicRepository.h:
945         * ftl/FTLLowerDFGToLLVM.cpp:
946         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
947         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
948         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
949         * interpreter/Interpreter.cpp:
950         (JSC::StackFrame::friendlySourceURL):
951         (JSC::StackFrame::friendlyFunctionName):
952         * interpreter/Interpreter.h:
953         (JSC::StackFrame::friendlySourceURL): Deleted.
954         (JSC::StackFrame::friendlyFunctionName): Deleted.
955         * jit/JIT.cpp:
956         (JSC::JIT::emitNotifyWrite):
957         (JSC::JIT::privateCompileMainPass):
958         * jit/JIT.h:
959         * jit/JITOpcodes.cpp:
960         (JSC::JIT::emit_op_touch_entry): Deleted.
961         * jit/JITOperations.cpp:
962         * jit/JITOperations.h:
963         * jit/JITPropertyAccess.cpp:
964         (JSC::JIT::emitPutGlobalVar):
965         (JSC::JIT::emitPutClosureVar):
966         (JSC::JIT::emitNotifyWrite): Deleted.
967         * jit/JITPropertyAccess32_64.cpp:
968         (JSC::JIT::emitPutGlobalVar):
969         (JSC::JIT::emitPutClosureVar):
970         (JSC::JIT::emitNotifyWrite): Deleted.
971         * llint/LLIntSlowPaths.cpp:
972         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
973         * llint/LowLevelInterpreter.asm:
974         * llint/LowLevelInterpreter32_64.asm:
975         * llint/LowLevelInterpreter64.asm:
976         * runtime/CommonSlowPaths.cpp:
977         (JSC::SLOW_PATH_DECL): Deleted.
978         * runtime/CommonSlowPaths.h:
979         * runtime/Executable.cpp:
980         (JSC::FunctionExecutable::finishCreation):
981         (JSC::FunctionExecutable::visitChildren):
982         * runtime/Executable.h:
983         (JSC::FunctionExecutable::singletonFunction):
984         * runtime/InferredValue.cpp: Added.
985         (JSC::InferredValue::create):
986         (JSC::InferredValue::destroy):
987         (JSC::InferredValue::createStructure):
988         (JSC::InferredValue::visitChildren):
989         (JSC::InferredValue::InferredValue):
990         (JSC::InferredValue::~InferredValue):
991         (JSC::InferredValue::notifyWriteSlow):
992         (JSC::InferredValue::ValueCleanup::ValueCleanup):
993         (JSC::InferredValue::ValueCleanup::~ValueCleanup):
994         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
995         * runtime/InferredValue.h: Added.
996         (JSC::InferredValue::inferredValue):
997         (JSC::InferredValue::state):
998         (JSC::InferredValue::isStillValid):
999         (JSC::InferredValue::hasBeenInvalidated):
1000         (JSC::InferredValue::add):
1001         (JSC::InferredValue::notifyWrite):
1002         (JSC::InferredValue::invalidate):
1003         * runtime/JSEnvironmentRecord.cpp:
1004         (JSC::JSEnvironmentRecord::visitChildren):
1005         * runtime/JSEnvironmentRecord.h:
1006         (JSC::JSEnvironmentRecord::isValid):
1007         (JSC::JSEnvironmentRecord::finishCreation):
1008         * runtime/JSFunction.cpp:
1009         (JSC::JSFunction::create):
1010         * runtime/JSFunction.h:
1011         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1012         (JSC::JSFunction::createImpl):
1013         (JSC::JSFunction::create): Deleted.
1014         * runtime/JSGlobalObject.cpp:
1015         (JSC::JSGlobalObject::addGlobalVar):
1016         (JSC::JSGlobalObject::addFunction):
1017         * runtime/JSGlobalObject.h:
1018         * runtime/JSLexicalEnvironment.cpp:
1019         (JSC::JSLexicalEnvironment::symbolTablePut):
1020         * runtime/JSScope.h:
1021         (JSC::ResolveOp::ResolveOp):
1022         * runtime/JSSegmentedVariableObject.h:
1023         (JSC::JSSegmentedVariableObject::finishCreation):
1024         * runtime/JSSymbolTableObject.h:
1025         (JSC::JSSymbolTableObject::JSSymbolTableObject):
1026         (JSC::JSSymbolTableObject::setSymbolTable):
1027         (JSC::symbolTablePut):
1028         (JSC::symbolTablePutWithAttributes):
1029         * runtime/PutPropertySlot.h:
1030         * runtime/SymbolTable.cpp:
1031         (JSC::SymbolTableEntry::prepareToWatch):
1032         (JSC::SymbolTable::SymbolTable):
1033         (JSC::SymbolTable::finishCreation):
1034         (JSC::SymbolTable::visitChildren):
1035         (JSC::SymbolTableEntry::inferredValue): Deleted.
1036         (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
1037         (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
1038         (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
1039         (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
1040         * runtime/SymbolTable.h:
1041         (JSC::SymbolTableEntry::disableWatching):
1042         (JSC::SymbolTableEntry::watchpointSet):
1043         (JSC::SymbolTable::singletonScope):
1044         (JSC::SymbolTableEntry::notifyWrite): Deleted.
1045         * runtime/TypeProfiler.cpp:
1046         * runtime/VM.cpp:
1047         (JSC::VM::VM):
1048         * runtime/VM.h:
1049         * tests/stress/infer-uninitialized-closure-var.js: Added.
1050         (foo.f):
1051         (foo):
1052         * tests/stress/singleton-scope-then-overwrite.js: Added.
1053         (foo.f):
1054         (foo):
1055         * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
1056         (foo):
1057         * tests/stress/singleton-scope-then-realloc.js: Added.
1058         (foo):
1059
1060 2015-04-13  Andreas Kling  <akling@apple.com>
1061
1062         Don't segregate heap objects based on Structure immortality.
1063         <https://webkit.org/b/143638>
1064
1065         Reviewed by Darin Adler.
1066
1067         Put all objects that need a destructor call into the same MarkedBlock.
1068         This reduces memory consumption in many situations, while improving locality,
1069         since much more of the MarkedBlock space can be shared.
1070
1071         Instead of branching on the MarkedBlock type, we now check a bit in the
1072         JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
1073         to access the cell's Structure during destruction or not.
1074
1075         Performance benchmarks look mostly neutral. Maybe a small regression on
1076         SunSpider's date objects.
1077
1078         On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
1079         with a bunch of WeakBlocks that were hanging off of them. That's on the higher
1080         end of savings we can get from this, but still a very real improvement.
1081
1082         Most of this patch is removing the "hasImmortalStructure" constant from JSCell
1083         derived classes and passing that responsibility to the StructureIsImmortal flag.
1084         StructureFlags is made public so that it's accessible from non-member functions.
1085         I made sure to declare it everywhere and make classes final to try to make it
1086         explicit what each class is doing to its inherited flags.
1087
1088         * API/JSCallbackConstructor.h:
1089         * API/JSCallbackObject.h:
1090         * bytecode/UnlinkedCodeBlock.h:
1091         * debugger/DebuggerScope.h:
1092         * dfg/DFGSpeculativeJIT.cpp:
1093         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1094         * ftl/FTLLowerDFGToLLVM.cpp:
1095         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1096         * heap/Heap.h:
1097         (JSC::Heap::subspaceForObjectDestructor):
1098         (JSC::Heap::allocatorForObjectWithDestructor):
1099         (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
1100         (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
1101         (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
1102         (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
1103         * heap/HeapInlines.h:
1104         (JSC::Heap::allocateWithDestructor):
1105         (JSC::Heap::allocateObjectOfType):
1106         (JSC::Heap::subspaceForObjectOfType):
1107         (JSC::Heap::allocatorForObjectOfType):
1108         (JSC::Heap::allocateWithNormalDestructor): Deleted.
1109         (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
1110         * heap/MarkedAllocator.cpp:
1111         (JSC::MarkedAllocator::allocateBlock):
1112         * heap/MarkedAllocator.h:
1113         (JSC::MarkedAllocator::needsDestruction):
1114         (JSC::MarkedAllocator::MarkedAllocator):
1115         (JSC::MarkedAllocator::init):
1116         (JSC::MarkedAllocator::destructorType): Deleted.
1117         * heap/MarkedBlock.cpp:
1118         (JSC::MarkedBlock::create):
1119         (JSC::MarkedBlock::MarkedBlock):
1120         (JSC::MarkedBlock::callDestructor):
1121         (JSC::MarkedBlock::specializedSweep):
1122         (JSC::MarkedBlock::sweep):
1123         (JSC::MarkedBlock::sweepHelper):
1124         * heap/MarkedBlock.h:
1125         (JSC::MarkedBlock::needsDestruction):
1126         (JSC::MarkedBlock::destructorType): Deleted.
1127         * heap/MarkedSpace.cpp:
1128         (JSC::MarkedSpace::MarkedSpace):
1129         (JSC::MarkedSpace::resetAllocators):
1130         (JSC::MarkedSpace::forEachAllocator):
1131         (JSC::MarkedSpace::isPagedOut):
1132         (JSC::MarkedSpace::clearNewlyAllocated):
1133         * heap/MarkedSpace.h:
1134         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1135         (JSC::MarkedSpace::destructorAllocatorFor):
1136         (JSC::MarkedSpace::allocateWithDestructor):
1137         (JSC::MarkedSpace::forEachBlock):
1138         (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
1139         (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
1140         (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
1141         (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
1142         (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
1143         (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
1144         * inspector/JSInjectedScriptHost.h:
1145         * inspector/JSInjectedScriptHostPrototype.h:
1146         * inspector/JSJavaScriptCallFrame.h:
1147         * inspector/JSJavaScriptCallFramePrototype.h:
1148         * jsc.cpp:
1149         * runtime/ArrayBufferNeuteringWatchpoint.h:
1150         * runtime/ArrayConstructor.h:
1151         * runtime/ArrayIteratorPrototype.h:
1152         * runtime/BooleanPrototype.h:
1153         * runtime/ClonedArguments.h:
1154         * runtime/CustomGetterSetter.h:
1155         * runtime/DateConstructor.h:
1156         * runtime/DatePrototype.h:
1157         * runtime/ErrorPrototype.h:
1158         * runtime/ExceptionHelpers.h:
1159         * runtime/Executable.h:
1160         * runtime/GenericArguments.h:
1161         * runtime/GetterSetter.h:
1162         * runtime/InternalFunction.h:
1163         * runtime/JSAPIValueWrapper.h:
1164         * runtime/JSArgumentsIterator.h:
1165         * runtime/JSArray.h:
1166         * runtime/JSArrayBuffer.h:
1167         * runtime/JSArrayBufferView.h:
1168         * runtime/JSBoundFunction.h:
1169         * runtime/JSCallee.h:
1170         * runtime/JSCell.h:
1171         * runtime/JSCellInlines.h:
1172         (JSC::JSCell::classInfo):
1173         * runtime/JSDataViewPrototype.h:
1174         * runtime/JSEnvironmentRecord.h:
1175         * runtime/JSFunction.h:
1176         * runtime/JSGenericTypedArrayView.h:
1177         * runtime/JSGlobalObject.h:
1178         * runtime/JSLexicalEnvironment.h:
1179         * runtime/JSNameScope.h:
1180         * runtime/JSNotAnObject.h:
1181         * runtime/JSONObject.h:
1182         * runtime/JSObject.h:
1183         (JSC::JSFinalObject::JSFinalObject):
1184         * runtime/JSPromiseConstructor.h:
1185         * runtime/JSPromiseDeferred.h:
1186         * runtime/JSPromisePrototype.h:
1187         * runtime/JSPromiseReaction.h:
1188         * runtime/JSPropertyNameEnumerator.h:
1189         * runtime/JSProxy.h:
1190         * runtime/JSScope.h:
1191         * runtime/JSString.h:
1192         * runtime/JSSymbolTableObject.h:
1193         * runtime/JSTypeInfo.h:
1194         (JSC::TypeInfo::structureIsImmortal):
1195         * runtime/MathObject.h:
1196         * runtime/NumberConstructor.h:
1197         * runtime/NumberPrototype.h:
1198         * runtime/ObjectConstructor.h:
1199         * runtime/PropertyMapHashTable.h:
1200         * runtime/RegExp.h:
1201         * runtime/RegExpConstructor.h:
1202         * runtime/RegExpObject.h:
1203         * runtime/RegExpPrototype.h:
1204         * runtime/ScopedArgumentsTable.h:
1205         * runtime/SparseArrayValueMap.h:
1206         * runtime/StrictEvalActivation.h:
1207         * runtime/StringConstructor.h:
1208         * runtime/StringIteratorPrototype.h:
1209         * runtime/StringObject.h:
1210         * runtime/StringPrototype.h:
1211         * runtime/Structure.cpp:
1212         (JSC::Structure::Structure):
1213         * runtime/Structure.h:
1214         * runtime/StructureChain.h:
1215         * runtime/StructureRareData.h:
1216         * runtime/Symbol.h:
1217         * runtime/SymbolPrototype.h:
1218         * runtime/SymbolTable.h:
1219         * runtime/WeakMapData.h:
1220
1221 2015-04-13  Mark Lam  <mark.lam@apple.com>
1222
1223         DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
1224         https://bugs.webkit.org/show_bug.cgi?id=143407
1225
1226         Reviewed by Filip Pizlo.
1227
1228         DFG inlining of a varargs call / construct needs to keep the local
1229         containing the callee alive with a Phantom node because the LoadVarargs
1230         node may OSR exit.  After the OSR exit, the baseline JIT executes the
1231         op_call_varargs with that callee in the local.
1232
1233         Previously, because that callee local was not explicitly kept alive,
1234         the op_call_varargs case can OSR exit a DFG function and leave an
1235         undefined value in that local.  As a result, the baseline observes the
1236         side effect of an op_call_varargs on an undefined value instead of the
1237         function it expected.
1238
1239         Note: this issue does not manifest with op_construct_varargs because
1240         the inlined constructor will have an op_create_this which operates on
1241         the incoming callee value, thereby keeping it alive.
1242
1243         * dfg/DFGByteCodeParser.cpp:
1244         (JSC::DFG::ByteCodeParser::handleInlining):
1245         * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
1246         (foo):
1247         (Foo):
1248         (doTest):
1249
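Added example, not part of the WebKit ChangeLog or of the project's test suite: a regression-test-shaped script that exercises the observable contract behind the call-varargs fix above. A varargs call and a varargs construct are warmed up with one argument count (so an optimizing tier may inline them) and then invoked with different counts; whichever tier runs the call after that, the same callee must receive the forwarded arguments. It cannot observe OSR exits or Phantom nodes directly, only the results. The function names (`callee`, `Point`, `callVarargs`, `constructVarargs`, `runVarargsScenario`) are constructed for this example and are not the names used in the project's test.

```javascript
// Added example, not part of the WebKit ChangeLog or its test suite. Exercises
// the observable contract behind the call-varargs fix: after warm-up with one
// argument count, calls with other counts must still reach the same callee
// with the forwarded arguments. Names below are constructed for this example.

function callee(a, b, c) {
  // Report how many arguments actually arrived, plus the first three.
  return [arguments.length, a, b, c];
}

function Point(...coords) {
  this.coords = coords;
}

// op_call_varargs shape: the callee sits in a local and is invoked via apply.
function callVarargs(args) {
  const fn = callee;
  return fn.apply(null, args);
}

// op_construct_varargs shape: the constructor sits in a local and is invoked
// with a spread argument list.
function constructVarargs(args) {
  const ctor = Point;
  return new ctor(...args);
}

// Warm up with a fixed argument length, then change the length and record what
// the callee observed.
function runVarargsScenario(warmupIterations = 10000) {
  for (let i = 0; i < warmupIterations; i++) {
    callVarargs([1, 2, 3]);
    constructVarargs([1, 2, 3]);
  }
  return {
    longer: callVarargs([1, 2, 3, 4, 5]),                // [5, 1, 2, 3]
    shorter: callVarargs([]),                            // [0, undefined, undefined, undefined]
    constructed: constructVarargs([7, 8, 9, 10]).coords, // [7, 8, 9, 10]
  };
}
```

The assertions a test would make on `runVarargsScenario()` are the same regardless of which execution tier handled the call; a bug of the kind described above would show up as the wrong callee, or no callee, being invoked after the argument count changes.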
1250 2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1251
1252         [ES6] Implement Array.prototype.values
1253         https://bugs.webkit.org/show_bug.cgi?id=143633
1254
1255         Reviewed by Darin Adler.
1256
1257         Symbol.unscopables is implemented, so we can implement Array.prototype.values
1258         without largely breaking the web. The following script passes.
1259
1260         var array = [];
1261         var values = 42;
1262         with (array) {
1263             assert(values, 42);
1264         }
1265
1266         * runtime/ArrayPrototype.cpp:
1267         * tests/stress/array-iterators-next.js:
1268         * tests/stress/map-iterators-next.js:
1269         * tests/stress/set-iterators-next.js:
1270         * tests/stress/values-unscopables.js: Added.
1271         (test):
1272
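Added example, not code from the WebKit ChangeLog: shows why Symbol.unscopables lets Array.prototype.values ship without breaking code that uses `with (array)`, as the snippet above asserts. The `with` body is built through the Function constructor so the example also runs when the file is loaded as a strict-mode module, where `with` is a syntax error; Function bodies are sloppy-mode unless they opt in. The helper names and the sample objects are constructed for this example.

```javascript
// Added example, not from the WebKit ChangeLog. Demonstrates how
// Symbol.unscopables keeps Array.prototype.values from shadowing an outer
// `values` binding inside `with`, and how a plain object can opt out the same
// way. Helper names and sample objects are constructed for this example.

// Resolve the identifier `values` inside `with (obj) { ... }`, with an outer
// binding `values = outer` in the enclosing function scope. Built with the
// Function constructor so it stays sloppy-mode even inside a strict module.
const lookupValuesIn = new Function(
  'obj', 'outer',
  'var values = outer; with (obj) { return values; }'
);

// What `values` resolves to inside `with (arr)` when the outer binding is 42.
function valuesBindingSeenInWith(arr) {
  return lookupValuesIn(arr, 42);
}

// Array.prototype.values exists and is inherited by every array.
function arrayHasValues() {
  return typeof Array.prototype.values === 'function' && 'values' in [];
}

// ...but Array.prototype[Symbol.unscopables] lists it, so `with` skips it.
function valuesIsUnscopable() {
  const unscopables = Array.prototype[Symbol.unscopables];
  return unscopables !== undefined && unscopables.values === true;
}

// Contrast: a plain object with a `values` property shadows the outer binding
// inside `with`, unless it opts that property out via Symbol.unscopables.
function customObjectDemo() {
  const plain = { values: 'from-object' };
  const optedOut = { values: 'from-object', [Symbol.unscopables]: { values: true } };
  return {
    plain: lookupValuesIn(plain, 42),       // 'from-object'
    optedOut: lookupValuesIn(optedOut, 42), // 42
  };
}

// The method itself works as an iterator over the array's elements.
function collectValues(arr) {
  return [...arr.values()];
}
```

`valuesBindingSeenInWith([])` returns 42, which is exactly the `assert(values, 42)` from the entry above: the array does have a `values` property, but `with` consults `Array.prototype[Symbol.unscopables]` and leaves the outer binding in place.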
1273 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1274
1275         Run flaky conservative GC related test first before polluting stack and registers
1276         https://bugs.webkit.org/show_bug.cgi?id=143634
1277
1278         Reviewed by Ryosuke Niwa.
1279
1280         After r182653, JSC API tests fail. However, it's not related to the change.
1281         After investigating the cause of this failure, I've found that the failed test is flaky
1282         because JSC's GC is conservative. If a previously allocated JSGlobalObject is accidentally kept alive
1283         due to conservative roots in the C stack and registers, this test fails.
1284
1285         Since the GC conservatively marks the C stack and registers as roots,
1286         objects that are not logically referenced can be accidentally marked and kept alive.
1287         To avoid this situation as much as we can,
1288         1. run this test first before stack is polluted,
1289         2. extract this test as a function to suppress stack height.
1290
1291         * API/tests/testapi.mm:
1292         (testWeakValue):
1293         (testObjectiveCAPIMain):
1294         (testObjectiveCAPI):
1295
1296 2015-04-11  Matt Baker  <mattbaker@apple.com>
1297
1298         Web Inspector: create content view and details sidebar for Frames timeline
1299         https://bugs.webkit.org/show_bug.cgi?id=143533
1300
1301         Reviewed by Timothy Hatcher.
1302
1303         Refactoring: RunLoop prefix changed to RenderingFrame.
1304
1305         * inspector/protocol/Timeline.json:
1306
1307 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1308
1309         [ES6] Enable Symbol in web pages
1310         https://bugs.webkit.org/show_bug.cgi?id=143375
1311
1312         Reviewed by Ryosuke Niwa.
1313
1314         Expose Symbol to web pages.
1315         Symbol was exposed before, but it was hidden because it broke Facebook comments.
1316         This is because, at that time, Symbol was implemented
1317         but the methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
1318         which broke React.js and immutable.js.
1319
1320         Now the methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
1321         and we made sure that the Facebook comment input functionality is not broken with Symbol exposed.
1322
1323         So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
1324         and enables symbols by default.
1325
1326         * runtime/ArrayPrototype.cpp:
1327         (JSC::ArrayPrototype::finishCreation):
1328         * runtime/CommonIdentifiers.h:
1329         * runtime/JSGlobalObject.cpp:
1330         (JSC::JSGlobalObject::init):
1331         * runtime/ObjectConstructor.cpp:
1332         (JSC::ObjectConstructor::finishCreation):
1333         * runtime/RuntimeFlags.h:
1334
1335 2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1336
1337         ES6: Iterator toString names should be consistent
1338         https://bugs.webkit.org/show_bug.cgi?id=142424
1339
1340         Reviewed by Geoffrey Garen.
1341
1342         Iterator Object Names in the spec right now have spaces.
1343         In our implementation some do and some don't.
1344         This patch aligns JSC to the spec.
1345
1346         * runtime/JSArrayIterator.cpp:
1347         * runtime/JSStringIterator.cpp:
1348         * tests/stress/iterator-names.js: Added.
1349         (test):
1350         (iter):
1351         (check):
1352
1353 2015-04-10  Michael Saboff  <msaboff@apple.com>
1354
1355         REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
1356         https://bugs.webkit.org/show_bug.cgi?id=143582
1357
1358         Reviewed by Mark Lam.
1359
1360         For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
1361         fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
1362         For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
1363         The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
1364         if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
1365         we would still OSR exit after the speculation check.
1366
1367         * dfg/DFGFixupPhase.cpp:
1368         (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
1369         * dfg/DFGSpeculativeJIT32_64.cpp:
1370         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1371
1372 2015-04-10  Milan Crha  <mcrha@redhat.com>
1373
1374         Disable Linux-specific code in a Windows build
1375         https://bugs.webkit.org/show_bug.cgi?id=137973
1376
1377         Reviewed by Joseph Pecoraro.
1378
1379         * inspector/JSGlobalObjectInspectorController.cpp:
1380         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1381
1382 2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>
1383
1384         [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
1385         https://bugs.webkit.org/show_bug.cgi?id=143368
1386
1387         Reviewed by Michael Saboff.
1388
1389         * jit/RegisterSet.cpp:
1390         (JSC::RegisterSet::calleeSaveRegisters):
1391
1392 2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>
1393
1394         Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
1395         https://bugs.webkit.org/show_bug.cgi?id=143430
1396
1397         Reviewed by Darin Adler.
1398
1399         * runtime/ExceptionHelpers.cpp:
1400         (JSC::errorDescriptionForValue):
1401         * runtime/NumberPrototype.cpp:
1402         (JSC::numberProtoFuncToExponential):
1403         (JSC::numberProtoFuncToPrecision):
1404         (JSC::numberProtoFuncToString):
1405         * runtime/SymbolPrototype.cpp:
1406         (JSC::symbolProtoFuncToString):
1407
1408 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1409
1410         JSArray::sortNumeric should handle ArrayWithUndecided
1411         https://bugs.webkit.org/show_bug.cgi?id=143535
1412
1413         Reviewed by Geoffrey Garen.
1414         
1415         ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.
1416
1417         * runtime/JSArray.cpp:
1418         (JSC::JSArray::sortNumeric):
1419         * tests/stress/sort-array-with-undecided.js: Added.
1420
1421 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1422
1423         DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
1424         https://bugs.webkit.org/show_bug.cgi?id=143532
1425
1426         Reviewed by Gavin Barraclough.
1427         
1428         Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
1429         But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
1430         would think that there never was wrap-around.
1431         
1432         This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.
1433
1434         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1435         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
1436
1437 2015-04-07  Michael Saboff  <msaboff@apple.com>
1438
1439         Lazily initialize LogToSystemConsole flag to reduce memory usage
1440         https://bugs.webkit.org/show_bug.cgi?id=143506
1441
1442         Reviewed by Mark Lam.
1443
1444         Only call into CF preferences code when we need to in order to reduce memory usage.
1445
1446         * inspector/JSGlobalObjectConsoleClient.cpp:
1447         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
1448         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
1449         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
1450         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
1451
1452 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
1453
1454         Get the features.json files ready for open contributions
1455         https://bugs.webkit.org/show_bug.cgi?id=143436
1456
1457         Reviewed by Darin Adler.
1458
1459         * features.json:
1460
1461 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
1462
1463         Constant folding of typed array properties should be handled by AI rather than strength reduction
1464         https://bugs.webkit.org/show_bug.cgi?id=143496
1465
1466         Reviewed by Geoffrey Garen.
1467         
1468         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
1469         phase and whatever other phase did the folding in order to find all constants.
1470         
1471         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
1472         directly.
1473         
1474         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
1475         found because all of the tests for it involved the property getting constant folded. I found that
1476         the codegen was bad because an earlier version of the patch broke that constant folding. This
1477         adds a new test for that node type, which makes constant folding impossible by allocating a new
1478         typed array every type. The lesson here is: if you write a test for something, run the test with
1479         full IR dumps to make sure it's actually testing the thing you want it to test.
1480
1481         * dfg/DFGAbstractInterpreterInlines.h:
1482         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1483         * dfg/DFGClobberize.h:
1484         (JSC::DFG::clobberize):
1485         * dfg/DFGConstantFoldingPhase.cpp:
1486         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1487         * dfg/DFGDoesGC.cpp:
1488         (JSC::DFG::doesGC):
1489         * dfg/DFGFixupPhase.cpp:
1490         (JSC::DFG::FixupPhase::fixupNode):
1491         * dfg/DFGGraph.cpp:
1492         (JSC::DFG::Graph::dump):
1493         (JSC::DFG::Graph::tryGetFoldableView):
1494         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
1495         * dfg/DFGGraph.h:
1496         * dfg/DFGNode.h:
1497         (JSC::DFG::Node::hasTypedArray): Deleted.
1498         (JSC::DFG::Node::typedArray): Deleted.
1499         * dfg/DFGNodeType.h:
1500         * dfg/DFGPredictionPropagationPhase.cpp:
1501         (JSC::DFG::PredictionPropagationPhase::propagate):
1502         * dfg/DFGSafeToExecute.h:
1503         (JSC::DFG::safeToExecute):
1504         * dfg/DFGSpeculativeJIT.cpp:
1505         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
1506         * dfg/DFGSpeculativeJIT32_64.cpp:
1507         (JSC::DFG::SpeculativeJIT::compile):
1508         * dfg/DFGSpeculativeJIT64.cpp:
1509         (JSC::DFG::SpeculativeJIT::compile):
1510         * dfg/DFGStrengthReductionPhase.cpp:
1511         (JSC::DFG::StrengthReductionPhase::handleNode):
1512         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
1513         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
1514         * dfg/DFGWatchpointCollectionPhase.cpp:
1515         (JSC::DFG::WatchpointCollectionPhase::handle):
1516         (JSC::DFG::WatchpointCollectionPhase::addLazily):
1517         * ftl/FTLCapabilities.cpp:
1518         (JSC::FTL::canCompile):
1519         * ftl/FTLLowerDFGToLLVM.cpp:
1520         (JSC::FTL::LowerDFGToLLVM::compileNode):
1521         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
1522         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
1523         * tests/stress/fold-typed-array-properties.js:
1524         (foo):
1525         * tests/stress/typed-array-byte-offset.js: Added.
1526         (foo):
1527
1528 2015-04-07  Matthew Mirman  <mmirman@apple.com>
1529
1530         Source and stack information should get appended only to native errors
1531         and should be added directly after construction rather than when thrown. 
1532         This fixes frozen objects being unfrozen when thrown while conforming to 
1533         ecma script standard and other browser behavior.
1534         rdar://problem/19927293
1535         https://bugs.webkit.org/show_bug.cgi?id=141871
1536         
1537         Reviewed by Geoffrey Garen.
1538
1539         Appending stack, source, line, and column information to an object whenever that object is thrown 
1540         is incorrect because it violates the ecma script standard for the behavior of throw.  Suppose for example
1541         that the object being thrown already has one of these properties or is frozen.  Adding the properties 
1542         would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
1543         and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
1544         a control flow construct rather than just an error reporting mechanism.  
1545         
1546         Because WebCore adds "native" errors which do not inherit from any JSC native error, 
1547         appending the error properties as a seperate call after construction of the error is required 
1548         to avoid having to manually truncate the stack and gather local source information due to 
1549         the stack being extended by a nested call to construct one of the native jsc error.
1550         
1551         * interpreter/Interpreter.cpp:
1552         (JSC::Interpreter::execute):
1553         * interpreter/Interpreter.h:
1554         * parser/ParserError.h:
1555         (JSC::ParserError::toErrorObject):
1556         * runtime/CommonIdentifiers.h:
1557         * runtime/Error.cpp:
1558         (JSC::createError):
1559         (JSC::createEvalError):
1560         (JSC::createRangeError):
1561         (JSC::createReferenceError):
1562         (JSC::createSyntaxError):
1563         (JSC::createTypeError):
1564         (JSC::createNotEnoughArgumentsError):
1565         (JSC::createURIError):
1566         (JSC::createOutOfMemoryError):
1567         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1568         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1569         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
1570         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
1571         (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
1572         (JSC::addErrorInfo): Added special case for appending complete error info 
1573         to a newly constructed error object.
1574         * runtime/Error.h:
1575         * runtime/ErrorConstructor.cpp:
1576         (JSC::Interpreter::constructWithErrorConstructor):
1577         (JSC::Interpreter::callErrorConstructor):
1578         * runtime/ErrorInstance.cpp:
1579         (JSC::appendSourceToError): Moved from VM.cpp
1580         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1581         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1582         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
1583         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
1584         (JSC::addErrorInfoAndGetBytecodeOffset):
1585         (JSC::ErrorInstance::finishCreation):
1586         * runtime/ErrorInstance.h:
1587         (JSC::ErrorInstance::create):
1588         * runtime/ErrorPrototype.cpp:
1589         (JSC::ErrorPrototype::finishCreation):
1590         * runtime/ExceptionFuzz.cpp:
1591         (JSC::doExceptionFuzzing):
1592         * runtime/ExceptionHelpers.cpp:
1593         (JSC::createError):
1594         (JSC::createInvalidFunctionApplyParameterError):
1595         (JSC::createInvalidInParameterError):
1596         (JSC::createInvalidInstanceofParameterError):
1597         (JSC::createNotAConstructorError):
1598         (JSC::createNotAFunctionError):
1599         (JSC::createNotAnObjectError):
1600         (JSC::throwOutOfMemoryError):
1601         (JSC::createStackOverflowError): Deleted.
1602         (JSC::createOutOfMemoryError): Deleted.
1603         * runtime/ExceptionHelpers.h:
1604         * runtime/JSArrayBufferConstructor.cpp:
1605         (JSC::constructArrayBuffer):
1606         * runtime/JSArrayBufferPrototype.cpp:
1607         (JSC::arrayBufferProtoFuncSlice):
1608         * runtime/JSGenericTypedArrayViewInlines.h:
1609         (JSC::JSGenericTypedArrayView<Adaptor>::create):
1610         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
1611         * runtime/NativeErrorConstructor.cpp:
1612         (JSC::Interpreter::constructWithNativeErrorConstructor):
1613         (JSC::Interpreter::callNativeErrorConstructor):
1614         * runtime/VM.cpp:
1615         (JSC::VM::throwException):
1616         (JSC::appendSourceToError): Moved to Error.cpp
1617         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
1618         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
1619         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
1620         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
1621         * tests/stress/freeze_leek.js: Added.
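
        The behaviour the entry above requires, checked from JavaScript. This is an added example, not WebKit's test or code: it throws a frozen object (one that already carries a user-supplied `stack` property, the case the entry describes) and verifies that the throw leaves it untouched, and it checks that a native Error carries its `stack` from construction, not from the throw. The helper names (`throwAndCatch`, `makeFrozenSignal`) are this example's own.

```javascript
// Added example (not WebKit code). Checks the contract the ChangeLog entry
// describes: `throw` must not mutate the thrown value, and stack/source
// information belongs to native Error objects at construction time.

// Throw an arbitrary value and hand it back; the engine must not attach
// properties such as `stack`, `line` or `sourceURL` to it on the way.
function throwAndCatch(value) {
  try {
    throw value;
  } catch (e) {
    return e;
  }
}

// A frozen plain object used as a control-flow signal. It already owns a
// `stack` property, so any engine-side append would either fail (frozen)
// or clobber user data.
function makeFrozenSignal() {
  return Object.freeze({ kind: 'signal', stack: 'user-supplied' });
}

function frozenObjectSurvivesThrow() {
  const signal = makeFrozenSignal();
  const caught = throwAndCatch(signal);
  return caught === signal
    && Object.isFrozen(caught)
    && caught.stack === 'user-supplied'                // not overwritten
    && Object.keys(caught).join(',') === 'kind,stack';  // nothing appended
}

// Native errors carry `stack` as soon as they are constructed, before any
// throw happens; the message line is part of that stack text.
function nativeErrorHasStackAtConstruction() {
  const err = new RangeError('constructed, never thrown');
  return typeof err.stack === 'string' && err.stack.includes('constructed, never thrown');
}

// Re-throwing a native error from a deeper frame must not rewrite the stack
// captured at construction.
function rethrowDoesNotRewriteStack() {
  const err = new Error('once');
  const before = err.stack;
  function deeper() { throwAndCatch(err); }
  deeper();
  return err.stack === before;
}

// Usage: each check returns true on an engine that follows the spec.
console.log(frozenObjectSurvivesThrow(), nativeErrorHasStackAtConstruction(), rethrowDoesNotRewriteStack());
```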

2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Show Symbol properties on Objects
        https://bugs.webkit.org/show_bug.cgi?id=141279

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Runtime.json:
        Give PropertyDescriptor a reference to the Symbol RemoteObject
        if the property is a symbol property.

        * inspector/InjectedScriptSource.js:
        Enumerate symbol properties on objects.

2015-04-07  Filip Pizlo  <fpizlo@apple.com>

        Make it possible to enable LLVM FastISel
        https://bugs.webkit.org/show_bug.cgi?id=143489

        Reviewed by Michael Saboff.

        The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
        against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
        if we should enable it.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVMImpl):
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMLinux.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/InitializeLLVMMac.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::getLLVMInitializerFunctionPOSIX):
        (JSC::initializeLLVMPOSIX): Deleted.
        * llvm/InitializeLLVMPOSIX.h:
        * llvm/InitializeLLVMWin.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/LLVMAPI.cpp:
        * llvm/LLVMAPI.h:
        * llvm/library/LLVMExports.cpp:
        (initCommandLine):
        (initializeAndGetJSCLLVMAPI):
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Darin Adler.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
        This patch checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Identifier.h:
        (JSC::isIndex):
        (JSC::parseIndex):
        * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
        (lookupWithKey):
        (toStringThrowsError.toString):

2015-04-06  Alberto Garcia  <berto@igalia.com>

        [GTK] Fix HPPA build
        https://bugs.webkit.org/show_bug.cgi?id=143453

        Reviewed by Darin Adler.

        Add HPPA to the list of supported CPUs.

        * CMakeLists.txt:

2015-04-06  Mark Lam  <mark.lam@apple.com>

        In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
        <https://webkit.org/b/143396>

        Reviewed by Filip Pizlo.

        The DFG was neglecting to set the result boolean.  The FTL was setting it with
        an inverted value.  Both of these are now resolved.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
        * tests/stress/for-in-array-mode.js: Added.
        (.):
        (test):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
        https://bugs.webkit.org/show_bug.cgi?id=143424

        Reviewed by Geoffrey Garen.

        In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).

        ToString(symbol) throws a type error.
        However, String(symbol) produces SymbolDescriptiveString(symbol).

        So, in the DFG and FTL phases, they should not inline StringConstructor to ToString.

        Now, in the template literals patch, the ToString DFG operation is planned to be used.
        And the current ToString behavior is aligned to the spec (and JSValue::toString), and it's better.
        So instead of changing ToString behavior, this patch adds a CallStringConstructor operation into DFG and FTL.
        In CallStringConstructor, all behavior in DFG analysis is the same.
        The only difference from ToString is that, when calling DFG operation functions, it calls
        operationCallStringConstructorOnCell and operationCallStringConstructor instead of
        operationToStringOnCell and operationToString.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::fixupToString): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
        (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
        * runtime/StringConstructor.cpp:
        (JSC::stringConstructor):
        (JSC::callStringConstructor):
        * runtime/StringConstructor.h:
        * tests/stress/symbol-and-string-constructor.js: Added.
        (performString):
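
        The observable difference the entry above is about, as an added example that is not WebKit's stress test or code: every implicit ToString path (concatenation, template literal, `new String(...)`) throws a TypeError on a symbol, while `String(symbol)` called as a plain function returns the descriptive string. The helper names (`describeConversions`, `safeFormat`) are this example's own.

```javascript
// Added example (not WebKit code). ToString(symbol) throws a TypeError;
// String(symbol) called without `new` returns SymbolDescriptiveString(symbol).
// This matters for logging/serialisation code that handles symbol-keyed
// data: implicit conversion aborts, the explicit constructor call does not.

const conversions = {
  // Implicit ToString paths.
  concat: (value) => '' + value,
  template: (value) => `${value}`,
  // `new String(x)` has a NewTarget, so the spec applies ToString and throws.
  newString: (value) => new String(value).valueOf(),
  // Plain call: the path JSC now keeps separate as CallStringConstructor.
  stringCall: (value) => String(value),
};

// Run every conversion on `value` and record the result or the error class
// instead of letting the exception propagate.
function describeConversions(value) {
  const result = {};
  for (const [name, fn] of Object.entries(conversions)) {
    try {
      result[name] = fn(value);
    } catch (e) {
      result[name] = e instanceof TypeError ? 'TypeError' : 'OtherError';
    }
  }
  return result;
}

// Defensive formatter for values of unknown type (e.g. a log line built from
// property keys that may be symbols): route symbols through String() so that
// formatting can never throw, and keep template semantics for everything else.
function safeFormat(value) {
  if (typeof value === 'symbol') return String(value);
  return `${value}`;
}

// Usage: compare a symbol with an ordinary number.
console.log(describeConversions(Symbol('token')));
console.log(describeConversions(42));
console.log(safeFormat(Symbol('token')), safeFormat(null));
```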

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Return Optional<uint32_t> from PropertyName::asIndex
        https://bugs.webkit.org/show_bug.cgi?id=143422

        Reviewed by Darin Adler.

        PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
        But it's not obvious to callers.

        This patch changes
        1. PropertyName::asIndex() to return Optional<uint32_t> and
        2. function name `asIndex()` to `parseIndex()`.
        It forces callers to check explicitly whether the value is an index or not.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        (JSC::Identifier::isSymbol):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        (JSC::toUInt32FromCharacters): Deleted.
        (JSC::toUInt32FromStringImpl): Deleted.
        (JSC::PropertyName::asIndex): Deleted.
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
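
        A JavaScript model of the index check that this entry and the put_by_val_direct entry above both rely on, as an added example that is not WebKit's code: a property key is an array index only when it is the canonical decimal string of an integer in [0, 2^32 - 2], so leading zeros, signs, exponents, whitespace and 4294967295 are all ordinary named properties. The model returns the index or `undefined`, standing in for `Optional<uint32_t>`, and a small store (`IndexAwareStore`, this example's own name) shows the putDirect / putDirectIndex split; `engineTreatsAsIndex` cross-checks the model against the running engine.

```javascript
// Added example (not WebKit code). Models parseIndex(): returns the array
// index for a canonical index string, or undefined for any other key.
const MAX_ARRAY_INDEX = 2 ** 32 - 2; // 4294967294; 2^32 - 1 is not an index

function parseIndex(key) {
  if (typeof key !== 'string') return undefined;   // symbols are never indices
  if (key === '0') return 0;
  // Canonical form: non-empty, decimal digits only, no leading zero. This
  // rejects '01', '-1', '1e3', ' 1', '' and '1.0' without any numeric parsing.
  if (!/^[1-9][0-9]*$/.test(key)) return undefined;
  if (key.length > 10) return undefined;           // certainly above 2^32
  const n = Number(key);
  return n <= MAX_ARRAY_INDEX ? n : undefined;
}

// The split put_by_val_direct needs: index keys go to indexed storage,
// everything else to named storage. A Map and an array stand in for the
// two backing stores so the routing is visible.
class IndexAwareStore {
  constructor() {
    this.indexed = [];
    this.named = new Map();
  }

  putDirect(key, value) {
    const index = parseIndex(key);
    if (index !== undefined) this.indexed[index] = value;   // putDirectIndex
    else this.named.set(key, value);                        // putDirect
    return this;
  }

  kindOf(key) {
    return parseIndex(key) !== undefined ? 'index' : 'named';
  }
}

// Cross-check against the engine: assigning an array-index key to an empty
// array grows its length; assigning a named key does not.
function engineTreatsAsIndex(key) {
  const arr = [];
  arr[key] = 1;
  return arr.length > 0;
}

// Usage: the same keys, routed by the model and judged by the engine.
for (const k of ['0', '42', '4294967294', '4294967295', '01', '-1', '1e3', ' 1']) {
  console.log(JSON.stringify(k), parseIndex(k), engineTreatsAsIndex(k));
}
```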
1865
1866 2015-04-05  Andreas Kling  <akling@apple.com>
1867
1868         URI encoding/escaping should use efficient string building instead of calling snprintf().
1869         <https://webkit.org/b/143426>
1870
1871         Reviewed by Gavin Barraclough.
1872
1873         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
1874         which seemed pretty silly. This change gets that down to nothing in favor of using our
1875         existing JSStringBuilder and HexNumber.h facilities.
1876
1877         These APIs are well-exercised by our existing test suite.
1878
1879         * runtime/JSGlobalObjectFunctions.cpp:
1880         (JSC::encode):
1881         (JSC::globalFuncEscape):
1882
1883 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
1884
1885         documentation for ES Promises points to the wrong one
1886         https://bugs.webkit.org/show_bug.cgi?id=143263
1887
1888         Reviewed by Darin Adler.
1889
1890         * features.json:
1891
1892 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
1893
1894         Remove "go ahead and" from comments
1895         https://bugs.webkit.org/show_bug.cgi?id=143421
1896
1897         Reviewed by Darin Adler, Benjamin Poulain.
1898
1899         Remove the phrase "go ahead and" from comments where it doesn't add
1900         anything (which is almost all of them).
1901
1902         * interpreter/JSStack.cpp:
1903         (JSC::JSStack::growSlowCase):
1904
1905 2015-04-04  Andreas Kling  <akling@apple.com>
1906
1907         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1908         <https://webkit.org/b/143210>
1909
1910         Reviewed by Geoffrey Garen.
1911
1912         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1913         we had a little problem where WeakBlocks with only null pointers would still keep their
1914         MarkedBlock alive.
1915
1916         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1917         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1918         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1919         destroying them once they're fully dead.
1920
1921         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1922         a mysterious issue where doing two full garbage collections back-to-back would free additional
1923         memory in the second collection.
1924
1925         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1926         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1927         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1928
1929         * heap/Heap.h:
1930         * heap/Heap.cpp:
1931         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1932         owned by Heap, after everything else has been swept.
1933
1934         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1935         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1936         they are unlikely to cause entire WeakBlocks to go empty.
1937
1938         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1939         to the Heap when it's detached from a WeakSet.
1940
1941         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1942         of the logically empty WeakBlocks owned by Heap.
1943
1944         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1945         and updates the next-logically-empty-weak-block-to-sweep index.
1946
1947         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
1948         won't be another chance after this.
1949
1950         * heap/IncrementalSweeper.h:
1951         (JSC::IncrementalSweeper::hasWork): Deleted.
1952
1953         * heap/IncrementalSweeper.cpp:
1954         (JSC::IncrementalSweeper::fullSweep):
1955         (JSC::IncrementalSweeper::doSweep):
1956         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1957         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1958         changed to return a bool (true if there's more work to be done.)
1959
1960         * heap/WeakBlock.cpp:
1961         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e doesn't
1962         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1963
1964         * heap/WeakBlock.h:
1965         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1966         if the WeakBlock could be detached from the MarkedBlock.
1967
1968         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1969         when declaring them.
1970
1971 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1972
1973         Implement ES6 Object.getOwnPropertySymbols
1974         https://bugs.webkit.org/show_bug.cgi?id=141106
1975
1976         Reviewed by Geoffrey Garen.
1977
1978         This patch implements `Object.getOwnPropertySymbols`.
1979         One technical issue is that, since we use private symbols (such as `@Object`) in the
1980         privileged JS code in `builtins/`, they should not be exposed.
1981         To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
1982         before adding it into PropertyNameArray.
1983
1984         To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`,
1985         since all private symbols are held in this map.
1986
1987         * builtins/BuiltinExecutables.cpp:
1988         (JSC::BuiltinExecutables::createExecutableInternal):
1989         * builtins/BuiltinNames.h:
1990         (JSC::BuiltinNames::isPrivateName):
1991         * runtime/CommonIdentifiers.cpp:
1992         (JSC::CommonIdentifiers::isPrivateName):
1993         * runtime/CommonIdentifiers.h:
1994         * runtime/EnumerationMode.h:
1995         (JSC::EnumerationMode::EnumerationMode):
1996         (JSC::EnumerationMode::includeSymbolProperties):
1997         * runtime/ExceptionHelpers.cpp:
1998         (JSC::createUndefinedVariableError):
1999         * runtime/JSGlobalObject.cpp:
2000         (JSC::JSGlobalObject::init):
2001         * runtime/JSLexicalEnvironment.cpp:
2002         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2003         * runtime/JSSymbolTableObject.cpp:
2004         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2005         * runtime/ObjectConstructor.cpp:
2006         (JSC::ObjectConstructor::finishCreation):
2007         (JSC::objectConstructorGetOwnPropertySymbols):
2008         (JSC::defineProperties):
2009         (JSC::objectConstructorSeal):
2010         (JSC::objectConstructorFreeze):
2011         (JSC::objectConstructorIsSealed):
2012         (JSC::objectConstructorIsFrozen):
2013         * runtime/ObjectConstructor.h:
2014         (JSC::ObjectConstructor::create):
2015         * runtime/Structure.cpp:
2016         (JSC::Structure::getPropertyNamesFromStructure):
2017         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
2018         (compare):
2019         * tests/stress/object-get-own-property-symbols.js: Added.
2020         (forIn):
2021         * tests/stress/symbol-define-property.js: Added.
2022         (testSymbol):
2023         * tests/stress/symbol-seal-and-freeze.js: Added.
2024         * tests/stress/symbol-with-json.js: Added.
2025
2026 2015-04-03  Mark Lam  <mark.lam@apple.com>
2027
2028         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
2029         <https://webkit.org/b/143385>
2030
2031         Reviewed by Geoffrey Garen.
2032
2033         For debugging purposes, sometimes, we want to be able to make compilation happen
2034         sooner to see if we can accelerate the manifestation of certain events / bugs.
2035         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
2036         which make up the compilation policy.  Let's add a single knob that can tune all
2037         the thresholds up / down in one go proportionately so that we can easily tweak
2038         how soon compilation occurs.
2039
2040         * runtime/Options.cpp:
2041         (JSC::scaleJITPolicy):
2042         (JSC::recomputeDependentOptions):
2043         * runtime/Options.h:
2044
2045 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2046
2047         is* API methods should be @properties
2048         https://bugs.webkit.org/show_bug.cgi?id=143388
2049
2050         Reviewed by Mark Lam.
2051
2052         This appears to be the preferred idiom in WebKit, CA, AppKit, and
2053         Foundation.
2054
2055         * API/JSValue.h: Be @properties.
2056
2057         * API/tests/testapi.mm:
2058         (testObjectiveCAPI): Use the @properties.
2059
2060 2015-04-03  Mark Lam  <mark.lam@apple.com>
2061
2062         Some JSC Options refactoring and enhancements.
2063         <https://webkit.org/b/143384>
2064
2065         Rubber stamped by Benjamin Poulain.
2066
2067         Create a better encapsulated Option class to make working with options easier.  This
2068         is a building block towards a JIT policy scaling debugging option I will introduce later.
2069
2070         This work entails:
2071         1. Convert Options::Option into a public class Option (which works closely with Options).
2072         2. Convert Options::EntryType into an enum class Options::Type and make it public.
2073         3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
2074         4. Add misc methods to class Option to make it more usable.
2075
2076         * runtime/Options.cpp:
2077         (JSC::Options::dumpOption):
2078         (JSC::Option::dump):
2079         (JSC::Option::operator==):
2080         (JSC::Options::Option::dump): Deleted.
2081         (JSC::Options::Option::operator==): Deleted.
2082         * runtime/Options.h:
2083         (JSC::Option::Option):
2084         (JSC::Option::operator!=):
2085         (JSC::Option::name):
2086         (JSC::Option::description):
2087         (JSC::Option::type):
2088         (JSC::Option::isOverridden):
2089         (JSC::Option::defaultOption):
2090         (JSC::Option::boolVal):
2091         (JSC::Option::unsignedVal):
2092         (JSC::Option::doubleVal):
2093         (JSC::Option::int32Val):
2094         (JSC::Option::optionRangeVal):
2095         (JSC::Option::optionStringVal):
2096         (JSC::Option::gcLogLevelVal):
2097         (JSC::Options::Option::Option): Deleted.
2098         (JSC::Options::Option::operator!=): Deleted.
2099
2100 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2101
2102         JavaScriptCore API should support type checking for Array and Date
2103         https://bugs.webkit.org/show_bug.cgi?id=143324
2104
2105         Follow-up to address a comment by Dan.
2106
2107         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
2108         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
2109         is equal to 101100.
2110
2111 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2112
2113         JavaScriptCore API should support type checking for Array and Date
2114         https://bugs.webkit.org/show_bug.cgi?id=143324
2115
2116         Follow-up to address a comment by Dan.
2117
2118         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
2119         Added a comment explaining why.
2120
2121 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
2122
2123         FTL JIT tests should fail if LLVM library isn't available
2124         https://bugs.webkit.org/show_bug.cgi?id=143374
2125
2126         Reviewed by Mark Lam.
2127
2128         * dfg/DFGPlan.cpp:
2129         (JSC::DFG::Plan::compileInThreadImpl):
2130         * runtime/Options.h:
2131
2132 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2133
2134         Fix the EFL and GTK build after r182243
2135         https://bugs.webkit.org/show_bug.cgi?id=143361
2136
2137         Reviewed by Csaba Osztrogonác.
2138
2139         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
2140         DerivedSources/JavaScriptCore/inspector/ directory.
2141
2142 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2143
2144         Unreviewed, fixing Clang builds of the GTK port on Linux.
2145
2146         * runtime/Options.cpp:
2147         Include the <math.h> header for isnan().
2148
2149 2015-04-02  Mark Lam  <mark.lam@apple.com>
2150
2151         Enhance ability to dump JSC Options.
2152         <https://webkit.org/b/143357>
2153
2154         Reviewed by Benjamin Poulain.
2155
2156         Some enhancements to how the JSC options work:
2157
2158         1. Add a JSC_showOptions option which takes the values: 0 = None, 1 = Overridden only,
2159            2 = All, 3 = Verbose.
2160
2161            The default is 0 (None).  This dumps nothing.
2162            With the Overridden setting, at VM initialization time, we will dump all
2163            option values that have been changed from their default.
2164            With the All setting, at VM initialization time, we will dump all option values.
2165            With the Verbose setting, at VM initialization time, we will dump all option
2166            values along with their descriptions (if available).
2167
2168         2. We now store a copy of the default option values.
2169
2170            We later use this for comparison to tell if an option has been overridden, and
2171            print the default value for reference.  As a result, we no longer need the
2172            didOverride flag since we can compute whether the option is overridden at any time.
2173
2174         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
2175
2176            This will come in handy later when we want to rename some of the options to more sane
2177            names that are easier to remember.  For example, we can change
2178            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
2179            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
2180            of the description, we can afford to use shorter and less descriptive option names,
2181            but they will be easier to remember and use for day to day debugging work.
2182
2183            In this patch, I did not change the names of any of the options yet.  I only added
2184            description strings for options that I know about, and where I think the option name
2185            isn't already descriptive enough.
2186
2187         4. Also deleted some unused code.
2188
2189         * jsc.cpp:
2190         (CommandLine::parseArguments):
2191         * runtime/Options.cpp:
2192         (JSC::Options::initialize):
2193         (JSC::Options::setOption):
2194         (JSC::Options::dumpAllOptions):
2195         (JSC::Options::dumpOption):
2196         (JSC::Options::Option::dump):
2197         (JSC::Options::Option::operator==):
2198         * runtime/Options.h:
2199         (JSC::OptionRange::rangeString):
2200         (JSC::Options::Option::Option):
2201         (JSC::Options::Option::operator!=):
2202
2203 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
2204
2205         JavaScriptCore API should support type checking for Array and Date
2206         https://bugs.webkit.org/show_bug.cgi?id=143324
2207
2208         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
2209
2210         * API/JSValue.h:
2211         * API/JSValue.mm:
2212         (-[JSValue isArray]):
2213         (-[JSValue isDate]): Added an ObjC API.
2214
2215         * API/JSValueRef.cpp:
2216         (JSValueIsArray):
2217         (JSValueIsDate):
2218         * API/JSValueRef.h: Added a C API.
2219
2220         * API/WebKitAvailability.h: Brought our availability macros up to date
2221         and fixed a harmless bug where "10_10" translated to "10.0".
2222
2223         * API/tests/testapi.c:
2224         (main): Added a test and corrected a pre-existing leak.
2225
2226         * API/tests/testapi.mm:
2227         (testObjectiveCAPI): Added a test.
2228
2229 2015-04-02  Mark Lam  <mark.lam@apple.com>
2230
2231         Add Options::dumpSourceAtDFGTime().
2232         <https://webkit.org/b/143349>
2233
2234         Reviewed by Oliver Hunt, and Michael Saboff.
2235
2236         Sometimes, we will want to see the JS source code that we're compiling, and it
2237         would be nice to be able to do this without having to jump thru a lot of hoops.
2238         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
2239         Options::dumpBytecodeAtDFGTime() option.
2240
2241         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
2242         that explicitly take no arguments (instead of relying on the version that takes
2243         the default argument).  These versions are friendlier to use when we want to call
2244         them from an interactive debugging session.
2245
2246         * bytecode/CodeBlock.cpp:
2247         (JSC::CodeBlock::dumpSource):
2248         (JSC::CodeBlock::dumpBytecode):
2249         * bytecode/CodeBlock.h:
2250         * dfg/DFGByteCodeParser.cpp:
2251         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2252         * runtime/Options.h:
2253
2254 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2255
2256         Clean up EnumerationMode to easily extend
2257         https://bugs.webkit.org/show_bug.cgi?id=143276
2258
2259         Reviewed by Geoffrey Garen.
2260
2261         To make the following easy:
2262         1. adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch,
2263         2. making ExcludeSymbols the implicit default for the existing flags,
2264         we encapsulate the EnumerationMode flags into an EnumerationMode class.
2265
2266         And this class manages 2 flags. Later it will be extended to 3.
2267         1. DontEnumPropertiesMode (default is Exclude)
2268         2. JSObjectPropertiesMode (default is Include)
2269         3. SymbolPropertiesMode (default is Exclude)
2270             SymbolPropertiesMode will be added in the Object.getOwnPropertySymbols patch.
2271
2272         This patch replaces places using ExcludeDontEnumProperties
2273         with the EnumerationMode() value, which represents the default mode.
2274
2275         * API/JSCallbackObjectFunctions.h:
2276         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2277         * API/JSObjectRef.cpp:
2278         (JSObjectCopyPropertyNames):
2279         * bindings/ScriptValue.cpp:
2280         (Deprecated::jsToInspectorValue):
2281         * bytecode/ObjectAllocationProfile.h:
2282         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2283         * runtime/ArrayPrototype.cpp:
2284         (JSC::arrayProtoFuncSort):
2285         * runtime/EnumerationMode.h:
2286         (JSC::EnumerationMode::EnumerationMode):
2287         (JSC::EnumerationMode::includeDontEnumProperties):
2288         (JSC::EnumerationMode::includeJSObjectProperties):
2289         (JSC::shouldIncludeDontEnumProperties): Deleted.
2290         (JSC::shouldExcludeDontEnumProperties): Deleted.
2291         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
2292         (JSC::modeThatSkipsJSObject): Deleted.
2293         * runtime/GenericArgumentsInlines.h:
2294         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2295         * runtime/JSArray.cpp:
2296         (JSC::JSArray::getOwnNonIndexPropertyNames):
2297         * runtime/JSArrayBuffer.cpp:
2298         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2299         * runtime/JSArrayBufferView.cpp:
2300         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2301         * runtime/JSFunction.cpp:
2302         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2303         * runtime/JSFunction.h:
2304         * runtime/JSGenericTypedArrayViewInlines.h:
2305         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
2306         * runtime/JSLexicalEnvironment.cpp:
2307         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2308         * runtime/JSONObject.cpp:
2309         (JSC::Stringifier::Holder::appendNextProperty):
2310         (JSC::Walker::walk):
2311         * runtime/JSObject.cpp:
2312         (JSC::getClassPropertyNames):
2313         (JSC::JSObject::getOwnPropertyNames):
2314         (JSC::JSObject::getOwnNonIndexPropertyNames):
2315         (JSC::JSObject::getGenericPropertyNames):
2316         * runtime/JSPropertyNameEnumerator.h:
2317         (JSC::propertyNameEnumerator):
2318         * runtime/JSSymbolTableObject.cpp:
2319         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2320         * runtime/ObjectConstructor.cpp:
2321         (JSC::objectConstructorGetOwnPropertyNames):
2322         (JSC::objectConstructorKeys):
2323         (JSC::defineProperties):
2324         (JSC::objectConstructorSeal):
2325         (JSC::objectConstructorFreeze):
2326         (JSC::objectConstructorIsSealed):
2327         (JSC::objectConstructorIsFrozen):
2328         * runtime/RegExpObject.cpp:
2329         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2330         (JSC::RegExpObject::getPropertyNames):
2331         (JSC::RegExpObject::getGenericPropertyNames):
2332         * runtime/StringObject.cpp:
2333         (JSC::StringObject::getOwnPropertyNames):
2334         * runtime/Structure.cpp:
2335         (JSC::Structure::getPropertyNamesFromStructure):
2336
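The following is an added example, not JavaScriptCore code and not one of the stress tests listed in the entries. It models in plain JavaScript the enumeration flags described in this EnumerationMode entry and in the Object.getOwnPropertySymbols entry dated 2015-04-04 above, and checks them against the built-in reflection APIs. The helpers `enumerateOwn`, `makeSample`, `reflectionView` and `symbolsAffectFreeze` are hypothetical names written for this example; JSObjectPropertiesMode concerns the engine's internal split between an object's own storage and class-table properties and has no JS-level switch, so it is not modelled.

```javascript
// Added example (not JavaScriptCore code): plain-JS model of the two
// JS-visible EnumerationMode flags, checked against the reflection APIs.
//
//   DontEnumPropertiesMode  (default Exclude): non-enumerable properties
//   SymbolPropertiesMode    (default Exclude): symbol-keyed properties

const secret = Symbol('secret'); // constructed sample symbol key

// Own-key enumeration with the two JS-visible modes; the defaults mirror
// EnumerationMode(). Hypothetical helper, not an engine API.
function enumerateOwn(obj, { includeDontEnum = false, includeSymbols = false } = {}) {
  const keys = [];
  // Reflect.ownKeys yields string keys first (insertion order), then symbols.
  for (const key of Reflect.ownKeys(obj)) {
    if (typeof key === 'symbol' && !includeSymbols) continue;
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (!desc.enumerable && !includeDontEnum) continue;
    keys.push(key);
  }
  return keys;
}

// Constructed sample: one enumerable, one DontEnum, one symbol-keyed property.
function makeSample() {
  const obj = { visible: 1 };
  Object.defineProperty(obj, 'hidden', { value: 2, enumerable: false });
  obj[secret] = 3;
  return obj;
}

// What each built-in API sees for the same object.
function reflectionView(obj) {
  const forIn = [];
  for (const k in obj) forIn.push(k);
  return {
    keys: Object.keys(obj),                     // enumerable string keys only
    names: Object.getOwnPropertyNames(obj),     // string keys, DontEnum included
    symbols: Object.getOwnPropertySymbols(obj), // every own symbol key
    forIn,                                      // enumerable string keys; symbols are skipped
    json: JSON.stringify(obj),                  // symbol-keyed properties are dropped
  };
}

// Symbol-keyed properties take part in the seal/freeze checks: a sealed object
// whose only property is a writable symbol-keyed one is not frozen.
function symbolsAffectFreeze() {
  const sealed = {};
  sealed[secret] = 1;
  Object.seal(sealed);
  const frozen = {};
  frozen[secret] = 1;
  Object.freeze(frozen);
  return { sealedIsFrozen: Object.isFrozen(sealed), frozenIsFrozen: Object.isFrozen(frozen) };
}
```

The practical point for anyone relying on symbol keys: they are invisible to `Object.keys`, `for-in` and `JSON.stringify`, but `Object.getOwnPropertySymbols` returns every one of them, so a symbol key is a namespacing device, not a hiding mechanism; only the engine's own private symbols stay out of that list.
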
2337 2015-04-01  Alex Christensen  <achristensen@webkit.org>
2338
2339         Progress towards CMake on Windows and Mac.
2340         https://bugs.webkit.org/show_bug.cgi?id=143293
2341
2342         Reviewed by Filip Pizlo.
2343
2344         * CMakeLists.txt:
2345         Enabled using assembly on Windows.
2346         Replaced unix commands with CMake commands.
2347         * PlatformMac.cmake:
2348         Tell open source builders where to find unicode headers.
2349
2350 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2351
2352         IteratorClose should be called when jumping over the target for-of loop
2353         https://bugs.webkit.org/show_bug.cgi?id=143140
2354
2355         Reviewed by Geoffrey Garen.
2356
2357         This patch fixes labeled break/continue behaviors with for-of and iterators.
2358
2359         1. Support IteratorClose beyond multiple loop contexts
2360         Previously, IteratorClose was only executed in for-of's breakTarget().
2361         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
2362         For example,
2363         outer: for (var e1 of outer) {
2364             inner: for (var e2 of inner) {
2365                 break outer;
2366             }
2367         }
2368         In this case, the return method of inner should be called.
2369         We leverage the existing system for `finally` to execute the inner.return method correctly.
2370         Leveraging the `finally` system fixes the `break`, `continue` and `return` cases.
2371         The `throw` case is already supported by emitting try-catch handlers in for-of.
2372
2373         2. Incorrect LabelScope creation is done in ForOfNode
2374         ForOfNode creates a duplicated LabelScope.
2375         It causes an infinite loop when executing the following program, which contains an
2376         explicitly labeled for-of loop.
2377         For example,
2378         inner: for (var elm of array) {
2379             continue inner;
2380         }
2381
2382         * bytecompiler/BytecodeGenerator.cpp:
2383         (JSC::BytecodeGenerator::pushFinallyContext):
2384         (JSC::BytecodeGenerator::pushIteratorCloseContext):
2385         (JSC::BytecodeGenerator::popFinallyContext):
2386         (JSC::BytecodeGenerator::popIteratorCloseContext):
2387         (JSC::BytecodeGenerator::emitComplexPopScopes):
2388         (JSC::BytecodeGenerator::emitEnumeration):
2389         (JSC::BytecodeGenerator::emitIteratorClose):
2390         * bytecompiler/BytecodeGenerator.h:
2391         * bytecompiler/NodesCodegen.cpp:
2392         (JSC::ForOfNode::emitBytecode):
2393         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
2394         (createIterator.iterator.return):
2395         (createIterator):
2396         * tests/stress/raise-error-in-iterator-close.js: Added.
2397         (createIterator.iterator.return):
2398         (createIterator):
2399
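The two behaviours described in the entry above, as an added example that is not one of the JavaScriptCore stress tests it lists. It records which iterators have their return() method called when a labeled break or continue leaves nested for-of loops, checks that a continue to the loop's own label terminates, and shows that an error thrown from return() during IteratorClose reaches the caller. `makeTracked` and the four scenario functions are hypothetical helpers written for this example.

```javascript
// Added example (not a JavaScriptCore test): trace IteratorClose across
// labeled break/continue in nested for-of loops.

// Constructed iterable whose iterator logs its own close into `log`.
function makeTracked(name, items, log, { throwOnClose = false } = {}) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          return i < items.length
            ? { value: items[i++], done: false }
            : { value: undefined, done: true };
        },
        // IteratorClose calls this when the loop is left before exhaustion.
        return() {
          log.push(name + '.return');
          if (throwOnClose) throw new Error(name + ' close failed');
          return { value: undefined, done: true };
        },
      };
    },
  };
}

// `break outer` from the inner loop must close the inner iterator first and
// then the outer one, even though the inner loop's own break target is skipped.
function breakOuterClosesBoth() {
  const log = [];
  const outer = makeTracked('outer', [1, 2], log);
  const inner = makeTracked('inner', ['a', 'b'], log);
  outer: for (const e1 of outer) {
    for (const e2 of inner) {
      log.push(String(e1) + e2);
      break outer;
    }
  }
  return log; // ['1a', 'inner.return', 'outer.return']
}

// `continue outer` closes only the inner iterator; the outer one runs to
// completion, and an iterator that finishes normally is not closed.
function continueOuterClosesInnerOnly() {
  const log = [];
  const outer = makeTracked('outer', [1, 2], log);
  const inner = makeTracked('inner', ['a', 'b'], log);
  outer: for (const e1 of outer) {
    for (const e2 of inner) {
      log.push(String(e1) + e2);
      continue outer;
    }
  }
  return log; // ['1a', 'inner.return', '2a', 'inner.return']
}

// `continue` to the for-of's own label must just advance the loop (the
// duplicated LabelScope bug made this spin forever) and must not close it.
function continueOwnLabelTerminates() {
  const log = [];
  const iterable = makeTracked('only', ['a', 'b'], log);
  let iterations = 0;
  inner: for (const x of iterable) {
    iterations += 1;
    log.push(x);
    if (iterations > 10) break; // safety net; never reached when the loop is correct
    continue inner;
  }
  return { iterations, log }; // { iterations: 2, log: ['a', 'b'] }
}

// An error thrown from return() during IteratorClose propagates to the caller.
function errorFromCloseIsRaised() {
  const log = [];
  try {
    for (const x of makeTracked('t', [1, 2], log, { throwOnClose: true })) {
      break;
    }
  } catch (e) {
    return { message: e.message, log };
  }
  return { message: null, log };
} // { message: 't close failed', log: ['t.return'] }
```

The close order (inner before outer) matters for code that releases resources in return(): a labeled break out of a nested loop unwinds the iterators like a stack, and a return() that throws replaces the loop's normal completion.
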
2400 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2401
2402         [ES6] Implement Symbol.unscopables
2403         https://bugs.webkit.org/show_bug.cgi?id=142829
2404
2405         Reviewed by Geoffrey Garen.
2406
2407         This patch introduces Symbol.unscopables functionality.
2408         In ES6, some generic names (like keys, values) are introduced
2409         as Array method names. This breaks the web since some web sites
2410         use code like the following.
2411
2412         var values = ...;
2413         with (array) {
2414             values;  // This values is trapped by array's method "values".
2415         }
2416
2417         To fix this, Symbol.unscopables introduces a blacklist
2418         for with-scope trapping. When resolving a scope,
2419         if the name is found in the target scope and the target scope is a with scope,
2420         we check the Symbol.unscopables object to filter generic names.
2421
2422         This functionality is only active for with scopes.
2423         The global scope does not have unscopables functionality.
2424
2425         And since
2426         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
2427         2) in that case, JSScope::resolve is always used in the JIT and LLInt,
2428         3) code which contains an op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
2429         to implement this functionality we just change JSScope::resolve, with no need to change JIT code.
2430         So the performance regression is only visible in the Dynamic resolving case, and that is already very slow.
2431
2432         * runtime/ArrayPrototype.cpp:
2433         (JSC::ArrayPrototype::finishCreation):
2434         * runtime/CommonIdentifiers.h:
2435         * runtime/JSGlobalObject.h:
2436         (JSC::JSGlobalObject::runtimeFlags):
2437         * runtime/JSScope.cpp:
2438         (JSC::isUnscopable):
2439         (JSC::JSScope::resolve):
2440         * runtime/JSScope.h:
2441         (JSC::ScopeChainIterator::scope):
2442         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
2443         (test):
2444         * tests/stress/unscopables.js: Added.
2445         (test):
2446         (.):
2447
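The `with` trapping problem and the Symbol.unscopables rule described in the entry above, as an added example that is not JavaScriptCore code and not one of its stress tests. Sloppy-mode code is built with the Function constructor so the example also runs from a strict-mode module, where `with` is a syntax error. `readValuesInWith`, `isUnscopable` and `resolveInWithChain` are hypothetical helpers written for this example; the last two re-implement in plain JavaScript the lookup rule the entry attributes to JSScope::resolve (and which matches the spec's HasBinding step for with-scope object environments).

```javascript
// Added example (not JavaScriptCore code): `with` trapping, Symbol.unscopables,
// and a plain-JS model of the with-scope lookup rule.

// Sloppy-mode function: an outer `values` binding, then a `with` block that
// reads `values` through the given scope object.
const readValuesInWith = new Function(
  'scope',
  'var values = "outer binding"; with (scope) { return values; }'
);

// Arrays: `values` is an Array.prototype method, but it is listed in
// Array.prototype[Symbol.unscopables], so `with (array)` does not trap it.
function arrayCase() {
  return readValuesInWith([1, 2, 3]); // "outer binding"
}

// A plain object with its own `values` property still traps the name...
function plainObjectCase() {
  return readValuesInWith({ values: 'trapped by object' });
}

// ...unless it opts out through Symbol.unscopables.
function unscopableObjectCase() {
  const obj = { values: 'trapped by object', [Symbol.unscopables]: { values: true } };
  return readValuesInWith(obj); // "outer binding"
}

// Blacklist check: a name is unscopable on a with-scope object when that
// object's Symbol.unscopables is an object with a truthy entry for the name.
function isUnscopable(scopeObject, name) {
  const unscopables = scopeObject[Symbol.unscopables];
  return Object(unscopables) === unscopables && Boolean(unscopables[name]);
}

// Resolve `name` through a chain of with-scope objects (innermost last),
// falling back to the global value. Only with scopes consult the blacklist;
// the global scope never does.
function resolveInWithChain(withScopes, name, globalValue) {
  for (let i = withScopes.length - 1; i >= 0; i--) {
    const scope = withScopes[i];
    if (name in scope && !isUnscopable(scope, name)) return scope[name];
  }
  return globalValue;
}
```

Note that `in` walks the prototype chain, which is exactly why the array traps `values` without any own property and why the blacklist has to live on Array.prototype; an own property such as `length` is still resolved through the array.
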
2448 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
2449
2450         ES6 class syntax should allow static setters and getters
2451         https://bugs.webkit.org/show_bug.cgi?id=143180
2452
2453         Reviewed by Filip Pizlo.
2454
2455         Apparently I misread the spec when I initially implemented parseClass.
2456         ES6 class syntax allows static getters and setters so just allow that.
2457
2458         * parser/Parser.cpp:
2459         (JSC::Parser<LexerType>::parseClass):
2460
2461 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
2462
2463         PutClosureVar CSE def() rule has a wrong base
2464         https://bugs.webkit.org/show_bug.cgi?id=143280
2465
2466         Reviewed by Michael Saboff.
2467         
2468         I think that this code was incorrect in a benign way, since the base of a
2469         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
2470
2471         * dfg/DFGClobberize.h:
2472         (JSC::DFG::clobberize):
2473
2474 2015-03-31  Commit Queue  <commit-queue@webkit.org>
2475
2476         Unreviewed, rolling out r182200.
2477         https://bugs.webkit.org/show_bug.cgi?id=143279
2478
2479         Probably causing assertion extravaganza on bots. (Requested by
2480         kling on #webkit).
2481
2482         Reverted changeset:
2483
2484         "Logically empty WeakBlocks should not pin down their
2485         MarkedBlocks indefinitely."
2486         https://bugs.webkit.org/show_bug.cgi?id=143210
2487         http://trac.webkit.org/changeset/182200
2488
2489 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2490
2491         Clean up Identifier factories to clarify the meaning of StringImpl*
2492         https://bugs.webkit.org/show_bug.cgi?id=143146
2493
2494         Reviewed by Filip Pizlo.
2495
2496         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
2497         However, it's ambiguous because `StringImpl*` has 2 different meanings:
2498         1) a normal string, which is replaceable with `WTFString`, and
2499         2) a `uid`, which holds `isSymbol` information to represent Symbols.
2500         So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
2501         + `Identifier::fromString(VM*/ExecState*, const String&)`.
2502         Just constructs an Identifier from strings. The symbol-ness of StringImpl* is not kept.
2503         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
2504         This function is used for 2) `uid`. So the symbol-ness of `StringImpl*` is kept.
2505
2506         And to clean up `StringImpl` which is used as a uid,
2507         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
2508         1. StringNormal (non-atomic, non-symbol)
2509         2. StringAtomic (atomic, non-symbol)
2510         3. StringSymbol (non-atomic, symbol)
2511         They are mutually exclusive. And the (atomic, symbol) case should not exist.
2512
2513         * API/JSCallbackObjectFunctions.h:
2514         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2515         * API/JSObjectRef.cpp:
2516         (JSObjectMakeFunction):
2517         * API/OpaqueJSString.cpp:
2518         (OpaqueJSString::identifier):
2519         * bindings/ScriptFunctionCall.cpp:
2520         (Deprecated::ScriptFunctionCall::call):
2521         * builtins/BuiltinExecutables.cpp:
2522         (JSC::BuiltinExecutables::createExecutableInternal):
2523         * builtins/BuiltinNames.h:
2524         (JSC::BuiltinNames::BuiltinNames):
2525         * bytecompiler/BytecodeGenerator.cpp:
2526         (JSC::BytecodeGenerator::BytecodeGenerator):
2527         (JSC::BytecodeGenerator::emitThrowReferenceError):
2528         (JSC::BytecodeGenerator::emitThrowTypeError):
2529         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
2530         (JSC::BytecodeGenerator::emitEnumeration):
2531         * dfg/DFGDesiredIdentifiers.cpp:
2532         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2533         * inspector/JSInjectedScriptHost.cpp:
2534         (Inspector::JSInjectedScriptHost::functionDetails):
2535         (Inspector::constructInternalProperty):
2536         (Inspector::JSInjectedScriptHost::weakMapEntries):
2537         (Inspector::JSInjectedScriptHost::iteratorEntries):
2538         * inspector/JSInjectedScriptHostPrototype.cpp:
2539         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2540         * inspector/JSJavaScriptCallFramePrototype.cpp:
2541         * inspector/ScriptCallStackFactory.cpp:
2542         (Inspector::extractSourceInformationFromException):
2543         * jit/JITOperations.cpp:
2544         * jsc.cpp:
2545         (GlobalObject::finishCreation):
2546         (GlobalObject::addFunction):
2547         (GlobalObject::addConstructableFunction):
2548         (functionRun):
2549         (runWithScripts):
2550         * llint/LLIntData.cpp:
2551         (JSC::LLInt::Data::performAssertions):
2552         * llint/LowLevelInterpreter.asm:
2553         * parser/ASTBuilder.h:
2554         (JSC::ASTBuilder::addVar):
2555         * parser/Parser.cpp:
2556         (JSC::Parser<LexerType>::parseInner):
2557         (JSC::Parser<LexerType>::createBindingPattern):
2558         * parser/ParserArena.h:
2559         (JSC::IdentifierArena::makeIdentifier):
2560         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
2561         (JSC::IdentifierArena::makeNumericIdentifier):
2562         * runtime/ArgumentsIteratorPrototype.cpp:
2563         (JSC::ArgumentsIteratorPrototype::finishCreation):
2564         * runtime/ArrayIteratorPrototype.cpp:
2565         (JSC::ArrayIteratorPrototype::finishCreation):
2566         * runtime/ArrayPrototype.cpp:
2567         (JSC::ArrayPrototype::finishCreation):
2568         (JSC::arrayProtoFuncPush):
2569         * runtime/ClonedArguments.cpp:
2570         (JSC::ClonedArguments::getOwnPropertySlot):
2571         * runtime/CommonIdentifiers.cpp:
2572         (JSC::CommonIdentifiers::CommonIdentifiers):
2573         * runtime/CommonIdentifiers.h:
2574         * runtime/Error.cpp:
2575         (JSC::addErrorInfo):
2576         (JSC::hasErrorInfo):
2577         * runtime/ExceptionHelpers.cpp:
2578         (JSC::createUndefinedVariableError):
2579         * runtime/GenericArgumentsInlines.h:
2580         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2581         * runtime/Identifier.h:
2582         (JSC::Identifier::isSymbol):
2583         (JSC::Identifier::Identifier):
2584         (JSC::Identifier::from): Deleted.
2585         * runtime/IdentifierInlines.h:
2586         (JSC::Identifier::Identifier):
2587         (JSC::Identifier::fromUid):
2588         (JSC::Identifier::fromString):
2589         * runtime/JSCJSValue.cpp:
2590         (JSC::JSValue::dumpInContextAssumingStructure):
2591         * runtime/JSCJSValueInlines.h:
2592         (JSC::JSValue::toPropertyKey):
2593         * runtime/JSGlobalObject.cpp:
2594         (JSC::JSGlobalObject::init):
2595         * runtime/JSLexicalEnvironment.cpp:
2596         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2597         * runtime/JSObject.cpp:
2598         (JSC::getClassPropertyNames):
2599         (JSC::JSObject::reifyStaticFunctionsForDelete):
2600         * runtime/JSObject.h:
2601         (JSC::makeIdentifier):
2602         * runtime/JSPromiseConstructor.cpp:
2603         (JSC::JSPromiseConstructorFuncRace):
2604         (JSC::JSPromiseConstructorFuncAll):
2605         * runtime/JSString.h:
2606         (JSC::JSString::toIdentifier):
2607         * runtime/JSSymbolTableObject.cpp:
2608         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2609         * runtime/LiteralParser.cpp:
2610         (JSC::LiteralParser<CharType>::tryJSONPParse):
2611         (JSC::LiteralParser<CharType>::makeIdentifier):
2612         * runtime/Lookup.h:
2613         (JSC::reifyStaticProperties):
2614         * runtime/MapConstructor.cpp:
2615         (JSC::constructMap):
2616         * runtime/MapIteratorPrototype.cpp:
2617         (JSC::MapIteratorPrototype::finishCreation):
2618         * runtime/MapPrototype.cpp:
2619         (JSC::MapPrototype::finishCreation):
2620         * runtime/MathObject.cpp:
2621         (JSC::MathObject::finishCreation):
2622         * runtime/NumberConstructor.cpp:
2623         (JSC::NumberConstructor::finishCreation):
2624         * runtime/ObjectConstructor.cpp:
2625         (JSC::ObjectConstructor::finishCreation):
2626         * runtime/PrivateName.h:
2627         (JSC::PrivateName::PrivateName):
2628         * runtime/PropertyMapHashTable.h:
2629         (JSC::PropertyTable::find):
2630         (JSC::PropertyTable::get):
2631         * runtime/PropertyName.h:
2632         (JSC::PropertyName::PropertyName):
2633         (JSC::PropertyName::publicName):
2634         (JSC::PropertyName::asIndex):
2635         * runtime/PropertyNameArray.cpp:
2636         (JSC::PropertyNameArray::add):
2637         * runtime/PropertyNameArray.h:
2638         (JSC::PropertyNameArray::addKnownUnique):
2639         * runtime/RegExpConstructor.cpp:
2640         (JSC::RegExpConstructor::finishCreation):
2641         * runtime/SetConstructor.cpp:
2642         (JSC::constructSet):
2643         * runtime/SetIteratorPrototype.cpp:
2644         (JSC::SetIteratorPrototype::finishCreation):
2645         * runtime/SetPrototype.cpp:
2646         (JSC::SetPrototype::finishCreation):
2647         * runtime/StringIteratorPrototype.cpp:
2648         (JSC::StringIteratorPrototype::finishCreation):
2649         * runtime/StringPrototype.cpp:
2650         (JSC::StringPrototype::finishCreation):
2651         * runtime/Structure.cpp:
2652         (JSC::Structure::getPropertyNamesFromStructure):
2653         * runtime/SymbolConstructor.cpp:
2654         * runtime/VM.cpp:
2655         (JSC::VM::throwException):
2656         * runtime/WeakMapConstructor.cpp:
2657         (JSC::constructWeakMap):
2658
2659 2015-03-31  Andreas Kling  <akling@apple.com>
2660
2661         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
2662         <https://webkit.org/b/143210>
2663
2664         Reviewed by Geoffrey Garen.
2665
2666         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
2667         we had a little problem where WeakBlocks with only null pointers would still keep their
2668         MarkedBlock alive.
2669
2670         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
2671         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
2672         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
2673         destroying them once they're fully dead.
2674
2675         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
2676         a mysterious issue where doing two full garbage collections back-to-back would free additional
2677         memory in the second collection.
2678
2679         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
2680         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
2681         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
2682
2683         * heap/Heap.h:
2684         * heap/Heap.cpp:
2685         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
2686         owned by Heap, after everything else has been swept.
2687
2688         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
2689         after a full garbage collection ends. Note that we don't do this after Eden collections, since
2690         they are unlikely to cause entire WeakBlocks to go empty.
2691
2692         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
2693         to the Heap when it's detached from a WeakSet.
2694
2695         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
2696         of the logically empty WeakBlocks owned by Heap.
2697
2698         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
2699         and updates the next-logically-empty-weak-block-to-sweep index.
2700
2701         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
2702         won't be another chance after this.
2703
2704         * heap/IncrementalSweeper.h:
2705         (JSC::IncrementalSweeper::hasWork): Deleted.
2706
2707         * heap/IncrementalSweeper.cpp:
2708         (JSC::IncrementalSweeper::fullSweep):
2709         (JSC::IncrementalSweeper::doSweep):
2710         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
2711         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
2712         changed to return a bool (true if there's more work to be done.)
2713
2714         * heap/WeakBlock.cpp:
2715         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
2716         contain any pointers to live objects. The answer is stored in a new SweepResult member.
2717
2718         * heap/WeakBlock.h:
2719         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
2720         if the WeakBlock could be detached from the MarkedBlock.
2721
2722         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
2723         when declaring them.
2724
2725 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
2726
2727         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
2728         https://bugs.webkit.org/show_bug.cgi?id=142883
2729
2730         Reviewed by Filip Pizlo.
2731
2732         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
2733
2734         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
2735         in eval inside a derived class' constructor.
2736
2737         * bytecode/EvalCodeCache.h:
2738         (JSC::EvalCodeCache::getSlow):
2739         * bytecompiler/NodesCodegen.cpp:
2740         (JSC::ThisNode::emitBytecode):
2741         * debugger/DebuggerCallFrame.cpp:
2742         (JSC::DebuggerCallFrame::evaluate):
2743         * interpreter/Interpreter.cpp:
2744         (JSC::eval):
2745         * parser/ASTBuilder.h:
2746         (JSC::ASTBuilder::thisExpr):
2747         * parser/NodeConstructors.h:
2748         (JSC::ThisNode::ThisNode):
2749         * parser/Nodes.h:
2750         * parser/Parser.cpp:
2751         (JSC::Parser<LexerType>::Parser):
2752         (JSC::Parser<LexerType>::parsePrimaryExpression):
2753         * parser/Parser.h:
2754         (JSC::parse):
2755         * parser/ParserModes.h:
2756         * parser/SyntaxChecker.h:
2757         (JSC::SyntaxChecker::thisExpr):
2758         * runtime/CodeCache.cpp:
2759         (JSC::CodeCache::getGlobalCodeBlock):
2760         (JSC::CodeCache::getProgramCodeBlock):
2761         (JSC::CodeCache::getEvalCodeBlock):
2762         * runtime/CodeCache.h:
2763         (JSC::SourceCodeKey::SourceCodeKey):
2764         * runtime/Executable.cpp:
2765         (JSC::EvalExecutable::create):
2766         * runtime/Executable.h:
2767         * runtime/JSGlobalObject.cpp:
2768         (JSC::JSGlobalObject::createEvalCodeBlock):
2769         * runtime/JSGlobalObject.h:
2770         * runtime/JSGlobalObjectFunctions.cpp:
2771         (JSC::globalFuncEval):
2772         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
2773         * tests/stress/class-syntax-tdz-in-eval.js: Added.
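
The temporal dead zone (TDZ) check that this entry forces for "this" inside eval, as an added example (not from the WebKit ChangeLog or the JSC test files it lists). A direct eval in a derived constructor sees the constructor's own, still uninitialized "this" binding before super() returns, so the access must fail with a ReferenceError rather than read an uninitialized slot; after super() the same eval works normally. The class and function names are constructed for this example.

```javascript
// Added example; not WebKit code. Shows the TDZ that applies to `this` in a
// derived class constructor, and that direct eval is subject to the same check.
class Base {
  constructor() { this.fromBase = true; }
}

class Derived extends Base {
  constructor(evalBeforeSuper) {
    if (evalBeforeSuper) {
      // Direct eval shares the constructor's `this` binding, which is still
      // uninitialized here, so this must throw ReferenceError instead of
      // reading whatever happens to be in the slot.
      eval("this.foo");
    }
    super();
    // After super() the binding is initialized and eval may use it freely.
    this.foo = eval("this.fromBase ? 'ok' : 'missing'");
  }
}

// Construct with eval before super(); return the error class name, or null
// if construction unexpectedly succeeded.
function evalThisBeforeSuper() {
  try {
    new Derived(true);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Construct normally; return what the post-super() eval produced.
function evalThisAfterSuper() {
  return new Derived(false).foo;
}
```

The contrast between the two functions is the whole point: the same eval text is legal or a ReferenceError depending solely on whether super() has already run.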
2774
2775 2015-03-31  Commit Queue  <commit-queue@webkit.org>
2776
2777         Unreviewed, rolling out r182186.
2778         https://bugs.webkit.org/show_bug.cgi?id=143270
2779
2780         it crashes all the WebGL tests on the Debug bots (Requested by
2781         dino on #webkit).
2782
2783         Reverted changeset:
2784
2785         "Web Inspector: add 2D/WebGL canvas instrumentation
2786         infrastructure"
2787         https://bugs.webkit.org/show_bug.cgi?id=137278
2788         http://trac.webkit.org/changeset/182186
2789
2790 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2791
2792         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
2793         https://bugs.webkit.org/show_bug.cgi?id=142937
2794
2795         Reviewed by Darin Adler.
2796
2797         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
2798         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
2799         But now, several functions perform ToObject on a non-object parameter.
2800         And others behave as if a parameter is a non-extensible ordinary object with no own properties.
2801         It is described in ES6 Annex E.
2802         Functions that differ from ES5 are the following.
2803
2804         1. An attempt is made to coerce the argument using ToObject.
2805             Object.getOwnPropertyDescriptor
2806             Object.getOwnPropertyNames
2807             Object.getPrototypeOf
2808             Object.keys
2809
2810         2. Treated as if it was a non-extensible ordinary object with no own properties.
2811             Object.freeze
2812             Object.isExtensible
2813             Object.isFrozen
2814             Object.isSealed
2815             Object.preventExtensions
2816             Object.seal
2817
2818         * runtime/ObjectConstructor.cpp:
2819         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2820         (JSC::objectConstructorGetPrototypeOf):
2821         (JSC::objectConstructorGetOwnPropertyDescriptor):
2822         (JSC::objectConstructorGetOwnPropertyNames):
2823         (JSC::objectConstructorKeys):
2824         (JSC::objectConstructorSeal):
2825         (JSC::objectConstructorFreeze):
2826         (JSC::objectConstructorPreventExtensions):
2827         (JSC::objectConstructorIsSealed):
2828         (JSC::objectConstructorIsFrozen):
2829         (JSC::objectConstructorIsExtensible):
2830         * tests/stress/object-freeze-accept-non-object.js: Added.
2831         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
2832         (canary):
2833         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
2834         (compare):
2835         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
2836         * tests/stress/object-is-extensible-accept-non-object.js: Added.
2837         * tests/stress/object-is-frozen-accept-non-object.js: Added.
2838         * tests/stress/object-is-sealed-accept-non-object.js: Added.
2839         * tests/stress/object-keys-perform-to-object.js: Added.
2840         (compare):
2841         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
2842         * tests/stress/object-seal-accept-non-object.js: Added.
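
The two groups of Object.* functions described above, exercised from script as an added example (not part of the WebKit ChangeLog or the JSC tests it lists). Group 1 coerces with ToObject, so primitives are inspected through their wrapper type while null and undefined still raise TypeError; group 2 treats any non-object as a non-extensible ordinary object with no own properties and never throws. The helper names `probe` and `throwsMap` are constructed for this example.

```javascript
// Added example; not from WebKit. Probes the ES6 Annex E behaviour of the
// Object.* functions on non-object first arguments.

// Group 1: the argument is coerced with ToObject.
const TO_OBJECT_GROUP = {
  getOwnPropertyDescriptor: (v) => Object.getOwnPropertyDescriptor(v, "length"),
  getOwnPropertyNames: Object.getOwnPropertyNames,
  getPrototypeOf: Object.getPrototypeOf,
  keys: Object.keys,
};

// Group 2: a non-object behaves like a frozen, empty ordinary object.
const NON_EXTENSIBLE_GROUP = {
  freeze: Object.freeze,
  isExtensible: Object.isExtensible,
  isFrozen: Object.isFrozen,
  isSealed: Object.isSealed,
  preventExtensions: Object.preventExtensions,
  seal: Object.seal,
};

// Call fn(value) and report either the result or the error class name,
// so callers can compare behaviour without try/catch noise.
function probe(fn, value) {
  try {
    return { threw: false, result: fn(value) };
  } catch (e) {
    return { threw: true, error: e.constructor.name };
  }
}

// For every function in a group, record whether it throws on `value`.
function throwsMap(group, value) {
  const out = {};
  for (const [name, fn] of Object.entries(group)) {
    out[name] = probe(fn, value).threw;
  }
  return out;
}
```

Running `throwsMap(TO_OBJECT_GROUP, null)` yields all-true and `throwsMap(NON_EXTENSIBLE_GROUP, null)` all-false, which is exactly the split the entry lists; `probe(Object.keys, "ab")` returns the index keys of the String wrapper rather than throwing as ES5 did.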
2843
2844 2015-03-31  Matt Baker  <mattbaker@apple.com>
2845
2846         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
2847         https://bugs.webkit.org/show_bug.cgi?id=137278
2848
2849         Reviewed by Timothy Hatcher.
2850
2851         Added Canvas protocol which defines types used by InspectorCanvasAgent.
2852
2853         * CMakeLists.txt:
2854         * DerivedSources.make:
2855         * inspector/protocol/Canvas.json: Added.
2856
2857         * inspector/scripts/codegen/generator.py:
2858         (Generator.stylized_name_for_enum_value):
2859         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
2860
2861 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
2862
2863         Extending null should set __proto__ to null
2864         https://bugs.webkit.org/show_bug.cgi?id=142882
2865
2866         Reviewed by Geoffrey Garen and Benjamin Poulain.
2867
2868         Set Derived.prototype.__proto__ to null when extending null.
2869
2870         * bytecompiler/NodesCodegen.cpp:
2871         (JSC::ClassExprNode::emitBytecode):
2872
2873 2015-03-30  Mark Lam  <mark.lam@apple.com>
2874
2875         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
2876         <https://webkit.org/b/143105>
2877
2878         Reviewed by Filip Pizlo.
2879
2880         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
2881         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
2882         JIT frames that may have their scope register not set.  The Debugger's current implementation
2883         which relies on the scope register is not happy about this.  For example, this results in a
2884         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
2885
2886         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
2887         ensure that the scope register value is flushed to the register in the stack frame.
2888
2889         * dfg/DFGByteCodeParser.cpp:
2890         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2891         (JSC::DFG::ByteCodeParser::setLocal):
2892         (JSC::DFG::ByteCodeParser::flush):
2893         - Add code to flush the scope register.
2894         (JSC::DFG::ByteCodeParser::inliningCost):
2895         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
2896           disabling inlining whenever the debugger is in use.
2897         * dfg/DFGGraph.cpp:
2898         (JSC::DFG::Graph::Graph):
2899         * dfg/DFGGraph.h:
2900         (JSC::DFG::Graph::hasDebuggerEnabled):
2901         * dfg/DFGStackLayoutPhase.cpp:
2902         (JSC::DFG::StackLayoutPhase::run):
2903         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
2904         * ftl/FTLCompile.cpp:
2905         (JSC::FTL::mmAllocateDataSection):
2906         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
2907
2908 2015-03-30  Michael Saboff  <msaboff@apple.com>
2909
2910         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
2911         https://bugs.webkit.org/show_bug.cgi?id=138391
2912
2913         Reviewed by Mark Lam.
2914
2915         Re-enabling these tests as I can't get them to fail on local iOS test devices.
2916         There have been many changes since these tests were disabled.
2917         I'll watch automated test results for failures.  If there are failures running automated
2918         testing, it might be due to the device's relative CPU performance.
2919         
2920         * tests/stress/float32-repeat-out-of-bounds.js:
2921         * tests/stress/int8-repeat-out-of-bounds.js:
2922
2923 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
2924
2925         Web Inspector: Regression: Preview for [[null]] shouldn't be []
2926         https://bugs.webkit.org/show_bug.cgi?id=143208
2927
2928         Reviewed by Mark Lam.
2929
2930         * inspector/InjectedScriptSource.js:
2931         Handle null when generating simple object previews.
2932
2933 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
2934
2935         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
2936         https://bugs.webkit.org/show_bug.cgi?id=143134
2937
2938         Reviewed by Geoffrey Garen.
2939
2940         * jit/JSInterfaceJIT.h:
2941         * jit/Repatch.cpp:
2942         (JSC::tryCacheGetByID):
2943
2944 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
2945
2946         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
2947         https://bugs.webkit.org/show_bug.cgi?id=143104
2948
2949         Reviewed by Geoffrey Garen.
2950         
2951         Created a test that is a 100% repro of the flaky failure. This test is called
2952         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
2953         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
2954         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
2955         
2956         Also created three more tests for three similar, but not identical, failures.
2957         
2958         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
2959         only reading those parts of the stack that are relevant to the current semantic code origin.
2960         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
2961         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
2962         read parts of the stack associated with the inline call frame for the phantom arguments. This
2963         may not be subsumed by the current semantic origin's stack area in cases that the arguments
2964         were allowed to "locally" escape.
2965         
2966         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
2967         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
2968         the stack due to function.arguments, but there are a bunch of other ways that we could also
2969         read the stack and those operations may read any stack slot. I believe that this change makes
2970         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
2971         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
2972         readTop() in PreciseLocalClobberize does the right thing.
2973
2974         * dfg/DFGClobberize.h:
2975         (JSC::DFG::clobberize):
2976         * dfg/DFGPreciseLocalClobberize.h:
2977         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2978         * dfg/DFGPutStackSinkingPhase.cpp:
2979         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
2980         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
2981         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
2982         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
2983         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
2984
2985 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
2986
2987         Start the features.json files
2988         https://bugs.webkit.org/show_bug.cgi?id=143207
2989
2990         Reviewed by Darin Adler.
2991
2992         Start the features.json files to have something to experiment
2993         with for the UI.
2994
2995         * features.json: Added.
2996
2997 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2998
2999         [Win] Addressing post-review comment after r182122
3000         https://bugs.webkit.org/show_bug.cgi?id=143189
3001
3002         Unreviewed.
3003
3004 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
3005
3006         [Win] Allow building JavaScriptCore without Cygwin
3007         https://bugs.webkit.org/show_bug.cgi?id=143189
3008
3009         Reviewed by Brent Fulgham.
3010
3011         Paths like /usr/bin/ don't exist on Windows.
3012         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
3013         Prefixing commands with environment variables doesn't work on Windows.
3014         Windows doesn't have 'cmp'.
3015         Windows uses 'del' instead of 'rm'.
3016         Windows uses 'type NUL' instead of 'touch'.
3017
3018         * DerivedSources.make:
3019         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
3020         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
3021         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
3022         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
3023         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
3024         * JavaScriptCore.vcxproj/build-generated-files.pl:
3025         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
3026
3027 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
3028
3029         Clean up JavaScriptCore/builtins
3030         https://bugs.webkit.org/show_bug.cgi?id=143177
3031
3032         Reviewed by Ryosuke Niwa.
3033
3034         * builtins/ArrayConstructor.js:
3035         (from):
3036         - We can compare to undefined instead of using a typeof undefined check.
3037         - Converge on double quoted strings everywhere.
3038
3039         * builtins/ArrayIterator.prototype.js:
3040         (next):
3041         * builtins/StringIterator.prototype.js:
3042         (next):
3043         - Use shorthand object construction to avoid duplication.
3044         - Improve grammar in error messages.
3045
3046         * tests/stress/array-iterators-next-with-call.js:
3047         * tests/stress/string-iterators.js:
3048         - Update for new error message strings.
3049
3050 2015-03-28  Saam Barati  <saambarati1@gmail.com>
3051
3052         Web Inspector: ES6: Better support for Symbol types in Type Profiler
3053         https://bugs.webkit.org/show_bug.cgi?id=141257
3054
3055         Reviewed by Joseph Pecoraro.
3056
3057         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
3058         type profiler support this new primitive type.
3059
3060         * dfg/DFGFixupPhase.cpp:
3061         (JSC::DFG::FixupPhase::fixupNode):
3062         * inspector/protocol/Runtime.json:
3063         * runtime/RuntimeType.cpp:
3064         (JSC::runtimeTypeForValue):
3065         * runtime/RuntimeType.h:
3066         (JSC::runtimeTypeIsPrimitive):
3067         * runtime/TypeSet.cpp:
3068         (JSC::TypeSet::addTypeInformation):
3069         (JSC::TypeSet::dumpTypes):
3070         (JSC::TypeSet::doesTypeConformTo):
3071         (JSC::TypeSet::displayName):
3072         (JSC::TypeSet::inspectorTypeSet):
3073         (JSC::TypeSet::toJSONString):
3074         * runtime/TypeSet.h:
3075         (JSC::TypeSet::seenTypes):
3076         * tests/typeProfiler/driver/driver.js:
3077         * tests/typeProfiler/symbol.js: Added.
3078         (wrapper.foo):
3079         (wrapper.bar):
3080         (wrapper.bar.bar.baz):
3081         (wrapper):
3082
3083 2015-03-27  Saam Barati  <saambarati1@gmail.com>
3084
3085         Deconstruction parameters are bound too late
3086         https://bugs.webkit.org/show_bug.cgi?id=143148
3087
3088         Reviewed by Filip Pizlo.
3089
3090         Currently, a deconstruction pattern named with the same
3091         name as a function will shadow the function. This is
3092         wrong. It should be the other way around.
3093
3094         * bytecompiler/BytecodeGenerator.cpp:
3095         (JSC::BytecodeGenerator::generate):
3096
3097 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
3098
3099         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
3100         https://bugs.webkit.org/show_bug.cgi?id=143170
3101
3102         Reviewed by Benjamin Poulain.
3103
3104         Assert that we never use the 16-bit version of the parser to parse a default constructor
3105         since both base and derived default constructors should be using an 8-bit string.
3106
3107         * parser/Parser.h:
3108         (JSC::parse):
3109
3110 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
3111
3112         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
3113         https://bugs.webkit.org/show_bug.cgi?id=142862
3114
3115         Reviewed by Benjamin Poulain.
3116
3117         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
3118
3119         * tests/stress/class-syntax-derived-default-constructor.js: Added.
3120
3121 2015-03-27  Michael Saboff  <msaboff@apple.com>
3122
3123         load8Signed() and load16Signed() should be renamed to avoid confusion
3124         https://bugs.webkit.org/show_bug.cgi?id=143168
3125
3126         Reviewed by Benjamin Poulain.
3127
3128         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
3129
3130         * assembler/MacroAssemblerARM.h:
3131         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
3132         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
3133         (JSC::MacroAssemblerARM::load8Signed): Deleted.
3134         (JSC::MacroAssemblerARM::load16Signed): Deleted.
3135         * assembler/MacroAssemblerARM64.h:
3136         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
3137         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
3138         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
3139         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
3140         * assembler/MacroAssemblerARMv7.h:
3141         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
3142         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
3143         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
3144         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
3145         * assembler/MacroAssemblerMIPS.h:
3146         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
3147         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
3148         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
3149         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
3150         * assembler/MacroAssemblerSH4.h:
3151         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
3152         (JSC::MacroAssemblerSH4::load8):
3153         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
3154         (JSC::MacroAssemblerSH4::load16):
3155         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
3156         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
3157         * assembler/MacroAssemblerX86Common.h:
3158         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
3159         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
3160         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
3161         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
3162         * dfg/DFGSpeculativeJIT.cpp:
3163         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3164         * jit/JITPropertyAccess.cpp:
3165         (JSC::JIT::emitIntTypedArrayGetByVal):
3166
3167 2015-03-27  Michael Saboff  <msaboff@apple.com>
3168
3169         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
3170         https://bugs.webkit.org/show_bug.cgi?id=138390
3171
3172         Reviewed by Mark Lam.
3173
3174         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
3175         instead of 64 bits.  This is what X86-64 does.
3176
3177         * assembler/MacroAssemblerARM64.h:
3178         (JSC::MacroAssemblerARM64::load16Signed):
3179         (JSC::MacroAssemblerARM64::load8Signed):
3180
3181 2015-03-27  Saam Barati  <saambarati1@gmail.com>
3182
3183         Add back previously broken assert from bug 141869
3184         https://bugs.webkit.org/show_bug.cgi?id=143005
3185
3186         Reviewed by Michael Saboff.
3187
3188         * runtime/ExceptionHelpers.cpp:
3189         (JSC::invalidParameterInSourceAppender):
3190
3191 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3192
3193         Make some more objects use FastMalloc
3194         https://bugs.webkit.org/show_bug.cgi?id=143122
3195
3196         Reviewed by Csaba Osztrogonác.
3197
3198         * API/JSCallbackObject.h:
3199         * heap/IncrementalSweeper.h:
3200         * jit/JITThunks.h:
3201         * runtime/JSGlobalObjectDebuggable.h:
3202         * runtime/RegExpCache.h:
3203
3204 2015-03-27  Michael Saboff  <msaboff@apple.com>
3205
3206         Objects with numeric properties intermittently get a phantom 'length' property
3207         https://bugs.webkit.org/show_bug.cgi?id=142792
3208
3209         Reviewed by Csaba Osztrogonác.
3210
3211         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
3212         test and branch instructions.  This function is used for linking tbz/tbnz branches between
3213         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
3214         the failure case checks in the GetById array length stub created for "obj.length" access.
3215         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
3216         being set when we should have been looking for bit 0.
3217
3218         * assembler/ARM64Assembler.h:
3219         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
3220
3221 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3222
3223         Insert exception check around toPropertyKey call
3224         https://bugs.webkit.org/show_bug.cgi?id=142922
3225
3226         Reviewed by Geoffrey Garen.
3227
3228         In some places, an exception check is missing after/before toPropertyKey.
3229         However, since it calls toString, it's observable to users.
3230
3231         Missing exception checks in Object.prototype methods can be
3232         observed since it would be overridden with toObject(null/undefined) errors.
3233         We inserted exception checks after toPropertyKey.
3234
3235         Missing exception checks in GetById related code can be
3236         observed since it would be overridden with toObject(null/undefined) errors.
3237         In this case, we need to insert exception checks before/after toPropertyKey
3238         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
3239
3240         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
3241         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
3242         According to the spec, we first perform RequireObjectCoercible and check the exception.
3243         And second, we perform ToPropertyKey and check the exception.
3244         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
3245         For example, if the target is not object coercible,
3246         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
3247         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
3248
3249         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
3250
3251         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
3252
3253         toObject converts primitive types into wrapper objects.
3254         But it is not efficient since wrapper objects are not necessary
3255         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
3256
3257         2. Using the result of toObject is not correct to the spec.
3258
3259         To align to the spec correctly, we cannot use JSObject::get
3260         by using the wrapper object produced by the toObject suggested in (1).
3261         If we use JSObject that is converted by toObject, the getter will be called with this JSObject as |this|.
3262         It is not correct since getter should be called with the original |this| value that may be primitive types.
3263
3264         So in this patch, we use JSValue::requireObjectCoercible
3265         to check the target is object coercible and raise an error if it's not.
3266
3267         * dfg/DFGOperations.cpp:
3268         * jit/JITOperations.cpp:
3269         (JSC::getByVal):
3270         * llint/LLIntSlowPaths.cpp:
3271         (JSC::LLInt::getByVal):
3272         * runtime/CommonSlowPaths.cpp:
3273         (JSC::SLOW_PATH_DECL):
3274         * runtime/JSCJSValue.h:
3275         * runtime/JSCJSValueInlines.h:
3276         (JSC::JSValue::requireObjectCoercible):
3277         * runtime/ObjectPrototype.cpp:
3278         (JSC::objectProtoFuncHasOwnProperty):
3279         (JSC::objectProtoFuncDefineGetter):
3280         (JSC::objectProtoFuncDefineSetter):
3281         (JSC::objectProtoFuncLookupGetter):
3282         (JSC::objectProtoFuncLookupSetter):
3283         (JSC::objectProtoFuncPropertyIsEnumerable):
3284         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
3285         (shouldThrow):
3286         (if):
3287         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
3288         (shouldThrow):
3289         (.):
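
The ordering this entry describes is observable from script, so here it is as an added example (not from the WebKit ChangeLog or the JSC tests it lists). A property key object records how often its toString runs and throws a distinguishable error: for `base[key]`, RequireObjectCoercible(base) must run before ToPropertyKey(key), so a null base yields a TypeError without toString ever being called; for Object.prototype.hasOwnProperty the spec converts the key first, so an exception from toString must surface instead of being overridden by the ToObject(null) TypeError. The `KeyError` class and the helper names are constructed for this example.

```javascript
// Added example; not WebKit code. Observes the RequireObjectCoercible /
// ToPropertyKey ordering and exception propagation from script.
class KeyError extends Error {}

// A key whose toString records its invocations and optionally throws.
function makeRecordingKey(shouldThrow) {
  const key = { calls: 0 };
  key.toString = function () {
    key.calls += 1;
    if (shouldThrow) throw new KeyError("toString called on key");
    return "name";
  };
  return key;
}

// Run fn and classify the outcome; nothing escapes to the caller.
function observe(fn) {
  try {
    return { outcome: "returned", value: fn() };
  } catch (e) {
    return { outcome: "threw", error: e.constructor.name };
  }
}

// base[key] with a null base: the null check precedes key conversion,
// so the result is a TypeError and toString is never consulted.
function propertyAccessOnNull() {
  const key = makeRecordingKey(true);
  const r = observe(() => null[key]);
  return { ...r, toStringCalls: key.calls };
}

// Object.prototype.hasOwnProperty converts the key before ToObject(this),
// so the KeyError from toString must propagate, not a TypeError.
function hasOwnPropertyOnNull() {
  const key = makeRecordingKey(true);
  const r = observe(() => Object.prototype.hasOwnProperty.call(null, key));
  return { ...r, toStringCalls: key.calls };
}

// Sanity check on a real object: toString is consulted exactly once and
// the lookup succeeds.
function propertyAccessOnObject() {
  const key = makeRecordingKey(false);
  const target = { name: "present" };
  const r = observe(() => target[key]);
  return { ...r, toStringCalls: key.calls };
}
```

An engine that performed ToPropertyKey before the coercibility check would report one toString call and a KeyError from `propertyAccessOnNull()`, which is the kind of observable divergence the entry's added exception checks close.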
3290
3291 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
3292
3293         WebContent Crash when instantiating class with Type Profiling enabled
3294         https://bugs.webkit.org/show_bug.cgi?id=143037
3295
3296         Reviewed by Ryosuke Niwa.
3297
3298         * bytecompiler/BytecodeGenerator.h:
3299         * bytecompiler/BytecodeGenerator.cpp:
3300         (JSC::BytecodeGenerator::BytecodeGenerator):
3301         (JSC::BytecodeGenerator::emitMoveEmptyValue):
3302         We cannot profile the type of an uninitialized empty JSValue.
3303         Nor do we expect this to be necessary, since it is effectively
3304         an unseen undefined value. So add a way to put the empty value
3305         without profiling.
3306
3307         (JSC::BytecodeGenerator::emitMove):
3308         Add an assert to try to catch this issue early on, and force
3309         callers to explicitly use emitMoveEmptyValue instead.
3310
3311         * tests/typeProfiler/classes.js: Added.
3312         (wrapper.Base):
3313         (wrapper.Derived):
3314         (wrapper):
3315         Add test coverage both for this case and classes in general.
3316
3317 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
3318
3319         Web Inspector: ES6: Provide a better view for Classes in the console
3320         https://bugs.webkit.org/show_bug.cgi?id=142999
3321
3322         Reviewed by Timothy Hatcher.
3323
3324         * inspector/protocol/Runtime.json:
3325         Provide a new `subtype` enum "class". This is a subtype of `type`
3326         "function"; all other subtypes are subtypes of `object` types.
3327         For a class, the frontend will immediately want to get the prototype
3328         to enumerate its methods, so include the `classPrototype`.
3329
3330         * inspector/JSInjectedScriptHost.cpp:
3331         (Inspector::JSInjectedScriptHost::subtype):
3332         Denote class construction functions as "class" subtypes.
3333
3334         * inspector/InjectedScriptSource.js:
3335         Handling for the new "class" type.
3336
3337         * bytecode/UnlinkedCodeBlock.h:
3338         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
3339         * runtime/Executable.h:
3340         (JSC::FunctionExecutable::isClassConstructorFunction):
3341         * runtime/JSFunction.h:
3342