df29be9b118ed7d7f81c782a2456bfdc5ab6e73a
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-04-16  Basile Clement  <basile_clement@apple.com>
2
3         Inline JSFunction allocation in FTL
4         https://bugs.webkit.org/show_bug.cgi?id=143851
5
6         Reviewed by Filip Pizlo.
7
8         JSFunction allocation is a simple operation that should be inlined when possible.
9
10         * ftl/FTLAbstractHeapRepository.h:
11         * ftl/FTLLowerDFGToLLVM.cpp:
12         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
13         * runtime/JSFunction.h:
14         (JSC::JSFunction::allocationSize):
15
16 2015-04-16  Mark Lam  <mark.lam@apple.com>
17
18         Add $vm debugging tool.
19         https://bugs.webkit.org/show_bug.cgi?id=143809
20
21         Reviewed by Geoffrey Garen.
22
23         For debugging VM bugs, it would be useful to be able to dump VM data structures
24         from JS code that we instrument.  To this end, let's introduce a
25         JSC_enableDollarVM option that, if true, installs a $vm property into each JS
26         global object at creation time.  The $vm property refers to an object that
27         provides a collection of useful utility functions.  For this initial
28         implementation, $vm will have the following:
29
30             crash() - trigger an intentional crash.
31
32             dfgTrue() - returns true if the current function is DFG compiled, else returns false.
33             jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
34             llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.
35
36             gc() - runs a full GC.
37             edenGC() - runs an eden GC.
38
39             codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
40             printSourceFor(codeBlock) - prints the source code for the codeBlock.
41             printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.
42
43             print(str) - prints a string to dataLog output.
44             printCallFrame() - prints the current CallFrame.
45             printStack() - prints the JS stack.
46             printInternal(value) - prints the JSC internal info for the specified value.
47
48         With JSC_enableDollarVM=true, JS code can use the above functions like so:
49
50             $vm.print("Using $vm features\n");
51
52         * CMakeLists.txt:
53         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
54         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
55         * JavaScriptCore.xcodeproj/project.pbxproj:
56         * bytecode/CodeBlock.cpp:
57         (JSC::CodeBlock::printCallOp):
58         - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
59           Hence, we skip this step if we're dumping an FTL codeBlock.
60
61         * heap/Heap.cpp:
62         (JSC::Heap::collectAndSweep):
63         (JSC::Heap::collectAllGarbage): Deleted.
64         * heap/Heap.h:
65         (JSC::Heap::collectAllGarbage):
66         - Add ability to do an Eden collection and sweep.
67
68         * interpreter/StackVisitor.cpp:
69         (JSC::printIndents):
70         (JSC::log):
71         (JSC::logF):
72         (JSC::StackVisitor::Frame::print):
73         (JSC::jitTypeName): Deleted.
74         (JSC::printif): Deleted.
75         - Modernize the implementation of StackVisitor::Frame::print(), and remove some
76           now redundant code.
77         - Also fix it so that it downgrades gracefully when encountering inlined DFG
78           and compiled FTL functions.
79
80         (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
81         (DebugPrintFrameFunctor::operator()): Deleted.
82         (debugPrintCallFrame): Deleted.
83         (debugPrintStack): Deleted.
84         - These have been moved into JSDollarVMPrototype.cpp.
85
86         * interpreter/StackVisitor.h:
87         - StackVisitor::Frame::print() is now enabled for release builds as well so that
88           we can call it from $vm.
89
90         * runtime/JSGlobalObject.cpp:
91         (JSC::JSGlobalObject::init):
92         (JSC::JSGlobalObject::visitChildren):
93         * runtime/JSGlobalObject.h:
94         - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
95           option.
96
97         * runtime/Options.h:
98         - Added the JSC_enableDollarVM option.
99
100         * tools/JSDollarVM.cpp: Added.
101         * tools/JSDollarVM.h: Added.
102         (JSC::JSDollarVM::createStructure):
103         (JSC::JSDollarVM::create):
104         (JSC::JSDollarVM::JSDollarVM):
105
106         * tools/JSDollarVMPrototype.cpp: Added.
107         - This file contains 2 sets of functions:
108
109           a. a C++ implementation of debugging utility functions that are callable when
110              doing debugging from lldb.  To the extent possible, these functions try to
111              be cautious and not cause unintended crashes should the user call them with
112              the wrong info.  Hence, they are designed to be robust rather than speedy.
113
114           b. the native implementations of JS functions in the $vm object.  Where there
115              is overlapping functionality, these are built on top of the C++ functions
116              above to do the work.
117
118           Note: it does not make sense for all of the $vm functions to have a C++
119           counterpart for lldb debugging.  For example, the $vm.dfgTrue() function is
120           only useful for JS code, and works via the DFG intrinsics mechanism.
121           When doing debugging via lldb, the optimization level of the currently
122           executing JS function can be gotten by dumping the current CallFrame instead.
123
124         (JSC::currentThreadOwnsJSLock):
125         (JSC::ensureCurrentThreadOwnsJSLock):
126         (JSC::JSDollarVMPrototype::addFunction):
127         (JSC::functionCrash): - $vm.crash()
128         (JSC::functionDFGTrue): - $vm.dfgTrue()
129         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
130         (JSC::CallerFrameJITTypeFunctor::operator()):
131         (JSC::CallerFrameJITTypeFunctor::jitType):
132         (JSC::functionLLintTrue): - $vm.llintTrue()
133         (JSC::functionJITTrue): - $vm.jitTrue()
134         (JSC::gc):
135         (JSC::functionGC): - $vm.gc()
136         (JSC::edenGC):
137         (JSC::functionEdenGC): - $vm.edenGC()
138         (JSC::isValidCodeBlock):
139         (JSC::codeBlockForFrame):
140         (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
141         (JSC::codeBlockFromArg):
142         (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
143         (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
144         (JSC::functionPrint): - $vm.print(str)
145         (JSC::PrintFrameFunctor::PrintFrameFunctor):
146         (JSC::PrintFrameFunctor::operator()):
147         (JSC::printCallFrame):
148         (JSC::printStack):
149         (JSC::functionPrintCallFrame): - $vm.printCallFrame()
150         (JSC::functionPrintStack): - $vm.printStack()
151         (JSC::printValue):
152         (JSC::functionPrintValue): - $vm.printValue()
153         (JSC::JSDollarVMPrototype::finishCreation):
154         * tools/JSDollarVMPrototype.h: Added.
155         (JSC::JSDollarVMPrototype::create):
156         (JSC::JSDollarVMPrototype::createStructure):
157         (JSC::JSDollarVMPrototype::JSDollarVMPrototype):
158
159 2015-04-16  Geoffrey Garen  <ggaren@apple.com>
160
161         Speculative fix after r182915
162         https://bugs.webkit.org/show_bug.cgi?id=143404
163
164         Reviewed by Alexey Proskuryakov.
165
166         * runtime/SymbolConstructor.h:
167
168 2015-04-16  Mark Lam  <mark.lam@apple.com>
169
170         Fixed some typos in a comment.
171
172         Not reviewed.
173
174         * dfg/DFGGenerationInfo.h:
175
176 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
177
178         [ES6] Implement Symbol.for and Symbol.keyFor
179         https://bugs.webkit.org/show_bug.cgi?id=143404
180
181         Reviewed by Geoffrey Garen.
182
183         This patch implements Symbol.for and Symbol.keyFor.
184         SymbolRegistry maintains registered StringImpl* symbols.
185         And to make this mapping available across realms,
186         the VM owns this mapping (not JSGlobalObject).
187
188         While there's a default AtomicStringTable per thread,
189         SymbolRegistry should not be shared across VMs.
190         So every time a VM is created, a SymbolRegistry is also created.
191
192         In the SymbolRegistry implementation, we don't leverage WeakGCMap (or a weak reference design).
193         There are several reasons.
194         1. StringImpl*, which represents the identity of Symbols, is not a GC-managed object.
195            So we cannot use WeakGCMap directly.
196            While Symbol* is a GC-managed object, holding a weak reference to a Symbol* doesn't maintain the liveness of JS symbols (the primitive values exposed to users),
197            because distinct Symbol* can exist.
198            Distinct Symbol* means a Symbol* object whose pointer value (Symbol*) differs from the weakly referenced Symbol* but whose held StringImpl* is the same.
199
200         2. We don't use WTF::WeakPtr. If we add a WeakPtrFactory as a StringImpl member, we can track the StringImpl*'s liveness by WeakPtr.
201            However, there's a problem about when we prune stale entries in SymbolRegistry.
202            The memory allocated for the Symbol is typically occupied by the symbolized StringImpl*'s content,
203            and it is not in the GC heap.
204            While heavily registering Symbols and storing StringImpl* into SymbolRegistry, Heap's EdenSpace is not so occupied.
205            So GC typically attempts to perform EdenCollection, and it doesn't call WeakGCMap's pruneStaleEntries callback.
206            As a result, before pruning stale entries in SymbolRegistry, fast malloc-ed memory fills up the system memory.
207
208         So instead of using weak references, we take a relatively easy design.
209         When we register a symbolized StringImpl* into SymbolRegistry, the symbolized StringImpl* is aware of that.
210         And when destructing it, it removes its reference from SymbolRegistry, as atomic StringImpls do with AtomicStringTable.
211
212         * CMakeLists.txt:
213         * DerivedSources.make:
214         * runtime/SymbolConstructor.cpp:
215         (JSC::SymbolConstructor::getOwnPropertySlot):
216         (JSC::symbolConstructorFor):
217         (JSC::symbolConstructorKeyFor):
218         * runtime/SymbolConstructor.h:
219         * runtime/VM.cpp:
220         * runtime/VM.h:
221         (JSC::VM::symbolRegistry):
222         * tests/stress/symbol-registry.js: Added.
223         (test):
224
225 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
226
227         [ES6] Use specific functions for @@iterator functions
228         https://bugs.webkit.org/show_bug.cgi?id=143838
229
230         Reviewed by Geoffrey Garen.
231
232         In ES6, some methods are defined under different names.
233
234         For example,
235
236         Map.prototype[Symbol.iterator] === Map.prototype.entries
237         Set.prototype[Symbol.iterator] === Set.prototype.values
238         Array.prototype[Symbol.iterator] === Array.prototype.values
239         %Arguments%[Symbol.iterator] === Array.prototype.values
240
241         However, the current implementation creates different function objects per name.
242         This patch fixes it by setting the object that is used for the other method to @@iterator.
243         e.g. setting the Array.prototype.values function object as Array.prototype[Symbol.iterator].
244
245         And we drop the Arguments iterator implementation and replace the Arguments[@@iterator] implementation
246         with Array.prototype.values to conform to the spec.
247
248         * CMakeLists.txt:
249         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
250         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
251         * JavaScriptCore.xcodeproj/project.pbxproj:
252         * inspector/JSInjectedScriptHost.cpp:
253         (Inspector::JSInjectedScriptHost::subtype):
254         (Inspector::JSInjectedScriptHost::getInternalProperties):
255         (Inspector::JSInjectedScriptHost::iteratorEntries):
256         * runtime/ArgumentsIteratorConstructor.cpp: Removed.
257         * runtime/ArgumentsIteratorConstructor.h: Removed.
258         * runtime/ArgumentsIteratorPrototype.cpp: Removed.
259         * runtime/ArgumentsIteratorPrototype.h: Removed.
260         * runtime/ArrayPrototype.cpp:
261         (JSC::ArrayPrototype::finishCreation):
262         * runtime/ArrayPrototype.h:
263         * runtime/ClonedArguments.cpp:
264         (JSC::ClonedArguments::getOwnPropertySlot):
265         (JSC::ClonedArguments::put):
266         (JSC::ClonedArguments::deleteProperty):
267         (JSC::ClonedArguments::defineOwnProperty):
268         (JSC::ClonedArguments::materializeSpecials):
269         * runtime/ClonedArguments.h:
270         * runtime/CommonIdentifiers.h:
271         * runtime/DirectArguments.cpp:
272         (JSC::DirectArguments::overrideThings):
273         * runtime/GenericArgumentsInlines.h:
274         (JSC::GenericArguments<Type>::getOwnPropertySlot):
275         (JSC::GenericArguments<Type>::getOwnPropertyNames):
276         (JSC::GenericArguments<Type>::put):
277         (JSC::GenericArguments<Type>::deleteProperty):
278         (JSC::GenericArguments<Type>::defineOwnProperty):
279         * runtime/JSArgumentsIterator.cpp: Removed.
280         * runtime/JSArgumentsIterator.h: Removed.
281         * runtime/JSGlobalObject.cpp:
282         (JSC::JSGlobalObject::init):
283         (JSC::JSGlobalObject::visitChildren):
284         * runtime/JSGlobalObject.h:
285         (JSC::JSGlobalObject::arrayProtoValuesFunction):
286         * runtime/MapPrototype.cpp:
287         (JSC::MapPrototype::finishCreation):
288         * runtime/ScopedArguments.cpp:
289         (JSC::ScopedArguments::overrideThings):
290         * runtime/SetPrototype.cpp:
291         (JSC::SetPrototype::finishCreation):
292         * tests/stress/arguments-iterator.js: Added.
293         (test):
294         (testArguments):
295         * tests/stress/iterator-functions.js: Added.
296         (test):
297         (argumentsTests):
298
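The four identities listed in the entry above, plus one consequence of the arguments object borrowing Array.prototype.values, as an added example (not part of the ChangeLog or of the WebKit patch). It assumes Node.js; the function names are my own.

```javascript
// Added example, not JSC code: @@iterator identities and what they imply.
// Assumes Node.js (any engine that implements the ES6 intrinsics the same way).
'use strict';

// The identities the ChangeLog entry lists, evaluated in this engine.
function iteratorIdentities() {
  const argumentsIterator = (function () { return arguments[Symbol.iterator]; })();
  return {
    map: Map.prototype[Symbol.iterator] === Map.prototype.entries,
    set: Set.prototype[Symbol.iterator] === Set.prototype.values,
    array: Array.prototype[Symbol.iterator] === Array.prototype.values,
    argumentsObject: argumentsIterator === Array.prototype.values,
  };
}

// An arguments object receives @@iterator as its own data property at creation,
// initialised to the %Array.prototype.values% intrinsic. Replacing the
// Array.prototype[@@iterator] property afterwards therefore hijacks array
// spreading (and anything that iterates an array, such as the Set constructor)
// but leaves `[...arguments]` alone: the intrinsic was captured, not looked up.
// The override is undone in `finally` so the rest of the process is unaffected.
function spreadUnderHijackedArrayIterator() {
  const original = Array.prototype[Symbol.iterator];
  Array.prototype[Symbol.iterator] = function* () { yield 'hijacked'; };
  try {
    const viaArray = [...[1, 2, 3]];
    const viaArguments = (function () { return [...arguments]; })(1, 2, 3);
    const viaSet = [...new Set([1, 2, 3])]; // Set ctor iterates its argument array
    return { viaArray, viaArguments, viaSet };
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}
```

The second function is the reason the identity matters for anyone auditing prototype tampering: a page that overrides `Array.prototype[Symbol.iterator]` changes how every array and array-fed constructor iterates, yet does not change how `arguments` iterates.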
299 2015-04-14  Mark Lam  <mark.lam@apple.com>
300
301         Add JSC_functionOverrides=<overrides file> debugging tool.
302         https://bugs.webkit.org/show_bug.cgi?id=143717
303
304         Reviewed by Geoffrey Garen.
305
306         This tool allows us to do runtime replacement of function bodies with alternatives
307         for debugging purposes.  For example, this is useful when we need to debug VM bugs
308         which manifest in scripts executing in webpages downloaded from remote servers
309         that we don't control.  The tool allows us to augment those scripts with logging
310         or test code to help isolate the bugs.
311
312         This tool works by substituting the SourceCode at FunctionExecutable creation
313         time.  It identifies which SourceCode to substitute by comparing the source
314         string against keys in a set of key value pairs.
315
316         The keys are function body strings defined by 'override' clauses in the overrides
317         file specified in the JSC_functionOverrides option.  The values are function
318         body strings defined by 'with' clauses in the overrides file.
319         See comment blob at top of FunctionOverrides.cpp on the formatting
320         of the overrides file.
321
322         At FunctionExecutable creation time, if the SourceCode string matches one of the
323         'override' keys from the overrides file, the tool will replace the SourceCode with
324         a new one based on the corresponding 'with' value string.  The FunctionExecutable
325         will then be created with the new SourceCode instead.
326
327         Some design decisions:
328         1. We opted to require that the 'with' clause appear on a separate line from the
329            'override' clause because this makes it easier to read and write when the
330            'override' clause's function body is single lined and long.
331
332         2. The user can use any sequence of characters for the delimiter (except for '{',
333            '}' and white space characters) because this ensures that there can always be
334            some delimiter pattern that does not appear in the function body in the clause
335            e.g. in the body of strings in the JS code.
336
337            '{' and '}' are disallowed because they are used to mark the boundaries of the
338            function body string.  White space characters are disallowed because they can
339            be error prone (the user may not be able to tell between spaces and tabs).
340
341         3. The start and end delimiter must be an identical sequence of characters.
342
343            I had considered allowing the use of complementary characters like <>, [], and
344            () for making delimiter pairs like:
345                [[[[ ... ]]]]
346                <[([( ... )])]>
347
348            But in the end, decided against it because:
349            a. These sequences of complementary characters can exist in JS code.
350               In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
351               code.
352            b. It can be error prone for the user to have to type the exact complement
353               character for the end delimiter in reverse order.
354               In contrast, a repeating delimiter like %%%% is much easier to type and
355               less error prone.  Even a sequence like @#$%^ is less error prone than
356               a complementary sequence because it can be copy-pasted, and need not be
357               typed in reverse order.
358            c. It is easier to parse for the same delimiter string for both start and end.
359
360         4. The tool does a lot of checks for syntax errors in the overrides file because
361            we don't want any overrides to fail silently.  If a syntax error is detected,
362            the tool will print an error message and call exit().  This avoids the user
363            wasting time doing debugging only to be surprised later that their specified
364            overrides did not take effect because of some unnoticed typo.
365
366         * CMakeLists.txt:
367         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
368         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
369         * JavaScriptCore.xcodeproj/project.pbxproj:
370         * bytecode/UnlinkedCodeBlock.cpp:
371         (JSC::UnlinkedFunctionExecutable::link):
372         * runtime/Executable.h:
373         * runtime/Options.h:
374         * tools/FunctionOverrides.cpp: Added.
375         (JSC::FunctionOverrides::overrides):
376         (JSC::FunctionOverrides::FunctionOverrides):
377         (JSC::initializeOverrideInfo):
378         (JSC::FunctionOverrides::initializeOverrideFor):
379         (JSC::hasDisallowedCharacters):
380         (JSC::parseClause):
381         (JSC::FunctionOverrides::parseOverridesInFile):
382         * tools/FunctionOverrides.h: Added.
383
384 2015-04-16  Basile Clement  <basile_clement@apple.com>
385  
386         Extract the allocation profile from JSFunction into a rare object
387         https://bugs.webkit.org/show_bug.cgi?id=143807
388  
389         Reviewed by Filip Pizlo.
390  
391         The allocation profile is only needed for those functions that are used
392         to create objects with [new].
393         Extracting it into its own JSCell removes the need for JSFunction and
394         JSCallee to be JSDestructibleObjects, which should improve performance in most
395         cases at the cost of an extra pointer dereference when the allocation profile
396         is actually needed.
397  
398         * CMakeLists.txt:
399         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
400         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
401         * JavaScriptCore.xcodeproj/project.pbxproj:
402         * dfg/DFGOperations.cpp:
403         * dfg/DFGSpeculativeJIT32_64.cpp:
404         (JSC::DFG::SpeculativeJIT::compile):
405         * dfg/DFGSpeculativeJIT64.cpp:
406         (JSC::DFG::SpeculativeJIT::compile):
407         * jit/JITOpcodes.cpp:
408         (JSC::JIT::emit_op_create_this):
409         * jit/JITOpcodes32_64.cpp:
410         (JSC::JIT::emit_op_create_this):
411         * llint/LowLevelInterpreter32_64.asm:
412         * llint/LowLevelInterpreter64.asm:
413         * runtime/CommonSlowPaths.cpp:
414         (JSC::SLOW_PATH_DECL):
415         * runtime/FunctionRareData.cpp: Added.
416         (JSC::FunctionRareData::create):
417         (JSC::FunctionRareData::destroy):
418         (JSC::FunctionRareData::createStructure):
419         (JSC::FunctionRareData::visitChildren):
420         (JSC::FunctionRareData::FunctionRareData):
421         (JSC::FunctionRareData::~FunctionRareData):
422         (JSC::FunctionRareData::finishCreation):
423         * runtime/FunctionRareData.h: Added.
424         (JSC::FunctionRareData::offsetOfAllocationProfile):
425         (JSC::FunctionRareData::allocationProfile):
426         (JSC::FunctionRareData::allocationStructure):
427         (JSC::FunctionRareData::allocationProfileWatchpointSet):
428         * runtime/JSBoundFunction.cpp:
429         (JSC::JSBoundFunction::destroy): Deleted.
430         * runtime/JSBoundFunction.h:
431         * runtime/JSCallee.cpp:
432         (JSC::JSCallee::destroy): Deleted.
433         * runtime/JSCallee.h:
434         * runtime/JSFunction.cpp:
435         (JSC::JSFunction::JSFunction):
436         (JSC::JSFunction::createRareData):
437         (JSC::JSFunction::visitChildren):
438         (JSC::JSFunction::put):
439         (JSC::JSFunction::defineOwnProperty):
440         (JSC::JSFunction::destroy): Deleted.
441         (JSC::JSFunction::createAllocationProfile): Deleted.
442         * runtime/JSFunction.h:
443         (JSC::JSFunction::offsetOfRareData):
444         (JSC::JSFunction::rareData):
445         (JSC::JSFunction::allocationStructure):
446         (JSC::JSFunction::allocationProfileWatchpointSet):
447         (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
448         (JSC::JSFunction::allocationProfile): Deleted.
449         * runtime/JSFunctionInlines.h:
450         (JSC::JSFunction::JSFunction):
451         * runtime/VM.cpp:
452         (JSC::VM::VM):
453         * runtime/VM.h:
454  
455 2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>
456
457         Remove the unnecessary WTF_CHANGES define
458         https://bugs.webkit.org/show_bug.cgi?id=143825
459
460         Reviewed by Andreas Kling.
461
462         * config.h:
463
464 2015-04-15  Andreas Kling  <akling@apple.com>
465
466         Make MarkedBlock and WeakBlock 4x smaller.
467         <https://webkit.org/b/143802>
468
469         Reviewed by Mark Hahnenberg.
470
471         To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
472         and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.
473
474         In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
475         Some examples:
476
477                    apple.com:  6.3MB ->  5.5MB (14.5% smaller)
478                   reddit.com:  4.5MB ->  4.1MB ( 9.7% smaller)
479                  twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
480             cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)
481
482         Benchmarks look mostly neutral.
483         Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.
484
485         * heap/MarkedBlock.h:
486         * heap/WeakBlock.h:
487         * llint/LLIntData.cpp:
488         (JSC::LLInt::Data::performAssertions):
489         * llint/LowLevelInterpreter.asm:
490
491 2015-04-15  Jordan Harband  <ljharb@gmail.com>
492
493         String.prototype.startsWith/endsWith/includes have wrong length in r182673
494         https://bugs.webkit.org/show_bug.cgi?id=143659
495
496         Reviewed by Benjamin Poulain.
497
498         Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
499         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
500         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
501         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
502
503         * runtime/StringPrototype.cpp:
504         (JSC::StringPrototype::finishCreation):
505
506 2015-04-15  Mark Lam  <mark.lam@apple.com>
507
508         Remove obsolete VMInspector debugging tool.
509         https://bugs.webkit.org/show_bug.cgi?id=143798
510
511         Reviewed by Michael Saboff.
512
513         I added the VMInspector tool 3 years ago to aid in VM hacking work.  Some of it
514         has bit rotted, and now the VM also has better ways to achieve its functionality.
515         Hence this code is now obsolete and should be removed.
516
517         * CMakeLists.txt:
518         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
519         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
520         * JavaScriptCore.xcodeproj/project.pbxproj:
521         * interpreter/CallFrame.h:
522         * interpreter/VMInspector.cpp: Removed.
523         * interpreter/VMInspector.h: Removed.
524         * llint/LowLevelInterpreter.cpp:
525
526 2015-04-15  Jordan Harband  <ljharb@gmail.com>
527
528         Math.imul has wrong length in Safari 8.0.4
529         https://bugs.webkit.org/show_bug.cgi?id=143658
530
531         Reviewed by Benjamin Poulain.
532
533         Correcting function length from 1 to 2, to match spec
534         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul
535
536         * runtime/MathObject.cpp:
537         (JSC::MathObject::finishCreation):
538
539 2015-04-15  Jordan Harband  <ljharb@gmail.com>
540
541         Number.parseInt in nightly r182673 has wrong length
542         https://bugs.webkit.org/show_bug.cgi?id=143657
543
544         Reviewed by Benjamin Poulain.
545
546         Correcting function length from 1 to 2, to match spec
547         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
548
549         * runtime/NumberConstructor.cpp:
550         (JSC::NumberConstructor::finishCreation):
551
552 2015-04-15  Filip Pizlo  <fpizlo@apple.com>
553
554         Harden DFGForAllKills
555         https://bugs.webkit.org/show_bug.cgi?id=143792
556
557         Reviewed by Geoffrey Garen.
558         
559         Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
560         bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.
561         
562         Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
563         that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:
564         
565         - It looks for kill sites at forExit origin boundaries. But, something might have been killed
566           by an operation that was logically in between the forExit origins at the boundary, but was
567           removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
568           gaps.
569         
570         - It overlooked the fact that a MovHint that addresses a local that is always live kills that
571           local. For example, storing to an argument means that the prior value of the argument is
572           killed.
573         
574         This fixes the analysis by making it handle MovHints directly, and making it define kills in
575         the most conservative way possible: it asks if you were live before but dead after. If we
576         have the compile time budget to afford this more direct approach, then it's definitely a good
577         idea since it's so fool-proof.
578
579         * dfg/DFGArgumentsEliminationPhase.cpp:
580         * dfg/DFGForAllKills.h:
581         (JSC::DFG::forAllKilledOperands):
582         (JSC::DFG::forAllKilledNodesAtNodeIndex):
583         (JSC::DFG::forAllDirectlyKilledOperands): Deleted.
584
585 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
586
587         Provide SPI to allow changing whether JSContexts are remote debuggable by default
588         https://bugs.webkit.org/show_bug.cgi?id=143681
589
590         Reviewed by Darin Adler.
591
592         * API/JSRemoteInspector.h:
593         * API/JSRemoteInspector.cpp:
594         (JSRemoteInspectorGetInspectionEnabledByDefault):
595         (JSRemoteInspectorSetInspectionEnabledByDefault):
596         Provide SPI to toggle the default enabled inspection state of debuggables.
597
598         * API/JSContextRef.cpp:
599         (JSGlobalContextCreateInGroup):
600         Respect the default setting.
601
602 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
603
604         JavaScriptCore: Use kCFAllocatorDefault where possible
605         https://bugs.webkit.org/show_bug.cgi?id=143747
606
607         Reviewed by Darin Adler.
608
609         * heap/HeapTimer.cpp:
610         (JSC::HeapTimer::HeapTimer):
611         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
612         (Inspector::RemoteInspectorInitializeGlobalQueue):
613         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
614         For consistency and readability use the constant instead of
615         different representations of null.
616
617 2015-04-14  Michael Saboff  <msaboff@apple.com>
618
619         Remove JavaScriptCoreUseJIT default from JavaScriptCore
620         https://bugs.webkit.org/show_bug.cgi?id=143746
621
622         Reviewed by Mark Lam.
623
624         * runtime/VM.cpp:
625         (JSC::enableAssembler):
626
627 2015-04-14  Chris Dumez  <cdumez@apple.com>
628
629         Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
630         https://bugs.webkit.org/show_bug.cgi?id=143745
631         <rdar://problem/20243916>
632
633         Reviewed by Joseph Pecoraro.
634
635         Add assertion in ContentSearchUtilities::findMagicComment() to make
636         sure the content String is not null or we would crash in
637         JSC::Yarr::interpret() later.
638
639         * inspector/ContentSearchUtilities.cpp:
640         (Inspector::ContentSearchUtilities::findMagicComment):
641
642 2015-04-14  Michael Saboff  <msaboff@apple.com>
643
644         DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
645         https://bugs.webkit.org/show_bug.cgi?id=143727
646
647         Reviewed by Geoffrey Garen.
648
649         Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
650         with the requested fill format.  If filter() reports a contradiction, then we force an OSR exit.
651         Removed individual checks made redundant by the new check.
652
653         * dfg/DFGSpeculativeJIT32_64.cpp:
654         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
655         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
656         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
657         * dfg/DFGSpeculativeJIT64.cpp:
658         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
659         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
660         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
661         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
662
663 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
664
665         Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
666         https://bugs.webkit.org/show_bug.cgi?id=143691
667
668         Reviewed by Geoffrey Garen.
669
670         * API/JSRemoteInspector.h:
671         * API/JSRemoteInspector.cpp:
672         (JSRemoteInspectorSetLogToSystemConsole):
673         Add SPI to enable/disable logging to the system console.
674         This only affects JSContext `console` logs and warnings.
675
676         * inspector/JSGlobalObjectConsoleClient.h:
677         * inspector/JSGlobalObjectConsoleClient.cpp:
678         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
679         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
680         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
681         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
682         Simplify access to the setting now that it doesn't need to
683         initialize its value from preferences.
684
685 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
686
687         Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
688         https://bugs.webkit.org/show_bug.cgi?id=143682
689
690         Reviewed by Timothy Hatcher.
691
692         * inspector/remote/RemoteInspector.mm:
693         (Inspector::RemoteInspector::singleton):
694         If we are on the main thread, run the initialization immediately.
695         Otherwise dispatch to the main thread. This way if the first JSContext
696         was created on the main thread it can get auto-attached if applicable.
697
698 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
699
700         Unreviewed build fix for Mavericks.
701
702         Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
703         so the Inspector namespace is not available when compiling this file.
704
705         * API/JSRemoteInspector.cpp:
706
707 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
708
709         Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
710         https://bugs.webkit.org/show_bug.cgi?id=143729
711
712         Reviewed by Timothy Hatcher.
713
714         * API/JSRemoteInspector.h: Added.
715         * API/JSRemoteInspector.cpp: Added.
716         (JSRemoteInspectorDisableAutoStart):
717         (JSRemoteInspectorStart):
718         (JSRemoteInspectorSetParentProcessInformation):
719         Add the new SPIs for basic remote inspection behavior.
720
721         * JavaScriptCore.xcodeproj/project.pbxproj:
722         Add the new files to Mac only, since remote inspection is only
723         enabled there anyway.
724
725 2015-04-14  Mark Lam  <mark.lam@apple.com>
726
727         Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
728         https://bugs.webkit.org/show_bug.cgi?id=143722
729
730         Reviewed by Michael Saboff.
731
732         Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
733         shorter, and easier to remember (without having to look it up) and to
734         type.  JSC options now support descriptions, and one can always look up
735         the description if the option's purpose is not already obvious.
736
737         * dfg/DFGFunctionWhitelist.cpp:
738         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
739         (JSC::DFG::FunctionWhitelist::contains):
740         * runtime/Options.h:
741
742 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
743
744         Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
745
746         * runtime/InferredValue.h:
747
748 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
749
750         Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
751
752         * runtime/InferredValue.h:
753
754 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
755
756         JSC should detect singleton functions
757         https://bugs.webkit.org/show_bug.cgi?id=143232
758
759         Reviewed by Geoffrey Garen.
760         
761         This started out as an attempt to make constructors faster by detecting when a constructor is a
762         singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
763         along with an inferred value - that detects if only one JSFunction has been allocated for that
764         executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
765         if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
766         we can constant-fold GetCallee.
767         
768         Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
769         process I realized a bunch of things:
770         
771         - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
772           had even in code where our singleton-closure detection worked. That's because singleton-closure
773           inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
774           the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
775           disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
776           values.
777           
778         - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
779           created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
780           FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
781         
782         - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
783           detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
784           about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
785           SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
786           First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
787           scope. This saves compile times and it allows prediction propagation to benefit from the
788           constant folding. Second, it means that we will detect a singleton scope even if it is
789           referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
790           allows us to eliminate the function reentry watchpoint.
791         
792         - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
793           constant values in scopes. Previously when the DFG inferred that a closure variable was
794           constant, it wouldn't know which closure that variable was in and so it couldn't just load that
795           value. But now we are first inferring that the function is a singleton, which means that we
796           know exactly what scope it points to, and we can load the value from the scope. Using a
797           WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
798           code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
799           I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
800           FunctionExecutable wants.
801         
802         This also has the effect of simplifying the implementation of block scoping. Prior to this
803         change, block scoping would have needed to have some story for the function reentry watchpoint on
804         any nested symbol table. That's totally weird to think about; it's not really a function reentry
805         but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
806         will "just work": if we prove that we know the constant value of the scope then the machinery
807         kicks in, otherwise it doesn't.
808         
809         This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
810
811         * CMakeLists.txt:
812         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
813         * JavaScriptCore.xcodeproj/project.pbxproj:
814         * bytecode/BytecodeList.json:
815         * bytecode/BytecodeUseDef.h:
816         (JSC::computeUsesForBytecodeOffset):
817         (JSC::computeDefsForBytecodeOffset):
818         * bytecode/CodeBlock.cpp:
819         (JSC::CodeBlock::dumpBytecode):
820         (JSC::CodeBlock::CodeBlock):
821         (JSC::CodeBlock::finalizeUnconditionally):
822         (JSC::CodeBlock::valueProfileForBytecodeOffset):
823         * bytecode/CodeBlock.h:
824         (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
825         * bytecode/CodeOrigin.cpp:
826         (JSC::InlineCallFrame::calleeConstant):
827         (JSC::InlineCallFrame::visitAggregate):
828         * bytecode/CodeOrigin.h:
829         (JSC::InlineCallFrame::calleeConstant): Deleted.
830         (JSC::InlineCallFrame::visitAggregate): Deleted.
831         * bytecode/Instruction.h:
832         * bytecode/VariableWatchpointSet.cpp: Removed.
833         * bytecode/VariableWatchpointSet.h: Removed.
834         * bytecode/VariableWatchpointSetInlines.h: Removed.
835         * bytecode/VariableWriteFireDetail.cpp: Added.
836         (JSC::VariableWriteFireDetail::dump):
837         (JSC::VariableWriteFireDetail::touch):
838         * bytecode/VariableWriteFireDetail.h: Added.
839         (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
840         * bytecode/Watchpoint.h:
841         (JSC::WatchpointSet::stateOnJSThread):
842         (JSC::WatchpointSet::startWatching):
843         (JSC::WatchpointSet::fireAll):
844         (JSC::WatchpointSet::touch):
845         (JSC::WatchpointSet::invalidate):
846         (JSC::InlineWatchpointSet::stateOnJSThread):
847         (JSC::InlineWatchpointSet::state):
848         (JSC::InlineWatchpointSet::hasBeenInvalidated):
849         (JSC::InlineWatchpointSet::invalidate):
850         (JSC::InlineWatchpointSet::touch):
851         * bytecompiler/BytecodeGenerator.cpp:
852         (JSC::BytecodeGenerator::BytecodeGenerator):
853         * dfg/DFGAbstractInterpreterInlines.h:
854         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
855         * dfg/DFGByteCodeParser.cpp:
856         (JSC::DFG::ByteCodeParser::get):
857         (JSC::DFG::ByteCodeParser::parseBlock):
858         (JSC::DFG::ByteCodeParser::getScope): Deleted.
859         * dfg/DFGCapabilities.cpp:
860         (JSC::DFG::capabilityLevel):
861         * dfg/DFGClobberize.h:
862         (JSC::DFG::clobberize):
863         * dfg/DFGDesiredWatchpoints.cpp:
864         (JSC::DFG::InferredValueAdaptor::add):
865         (JSC::DFG::DesiredWatchpoints::addLazily):
866         (JSC::DFG::DesiredWatchpoints::reallyAdd):
867         (JSC::DFG::DesiredWatchpoints::areStillValid):
868         * dfg/DFGDesiredWatchpoints.h:
869         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
870         (JSC::DFG::DesiredWatchpoints::isWatched):
871         * dfg/DFGGraph.cpp:
872         (JSC::DFG::Graph::dump):
873         (JSC::DFG::Graph::tryGetConstantClosureVar):
874         * dfg/DFGNode.h:
875         (JSC::DFG::Node::hasWatchpointSet):
876         (JSC::DFG::Node::watchpointSet):
877         (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
878         (JSC::DFG::Node::variableWatchpointSet): Deleted.
879         * dfg/DFGOperations.cpp:
880         * dfg/DFGOperations.h:
881         * dfg/DFGSpeculativeJIT.cpp:
882         (JSC::DFG::SpeculativeJIT::compileNewFunction):
883         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
884         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
885         * dfg/DFGSpeculativeJIT.h:
886         (JSC::DFG::SpeculativeJIT::callOperation):
887         * dfg/DFGSpeculativeJIT32_64.cpp:
888         (JSC::DFG::SpeculativeJIT::compile):
889         * dfg/DFGSpeculativeJIT64.cpp:
890         (JSC::DFG::SpeculativeJIT::compile):
891         * dfg/DFGVarargsForwardingPhase.cpp:
892         * ftl/FTLIntrinsicRepository.h:
893         * ftl/FTLLowerDFGToLLVM.cpp:
894         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
895         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
896         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
897         * interpreter/Interpreter.cpp:
898         (JSC::StackFrame::friendlySourceURL):
899         (JSC::StackFrame::friendlyFunctionName):
900         * interpreter/Interpreter.h:
901         (JSC::StackFrame::friendlySourceURL): Deleted.
902         (JSC::StackFrame::friendlyFunctionName): Deleted.
903         * jit/JIT.cpp:
904         (JSC::JIT::emitNotifyWrite):
905         (JSC::JIT::privateCompileMainPass):
906         * jit/JIT.h:
907         * jit/JITOpcodes.cpp:
908         (JSC::JIT::emit_op_touch_entry): Deleted.
909         * jit/JITOperations.cpp:
910         * jit/JITOperations.h:
911         * jit/JITPropertyAccess.cpp:
912         (JSC::JIT::emitPutGlobalVar):
913         (JSC::JIT::emitPutClosureVar):
914         (JSC::JIT::emitNotifyWrite): Deleted.
915         * jit/JITPropertyAccess32_64.cpp:
916         (JSC::JIT::emitPutGlobalVar):
917         (JSC::JIT::emitPutClosureVar):
918         (JSC::JIT::emitNotifyWrite): Deleted.
919         * llint/LLIntSlowPaths.cpp:
920         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
921         * llint/LowLevelInterpreter.asm:
922         * llint/LowLevelInterpreter32_64.asm:
923         * llint/LowLevelInterpreter64.asm:
924         * runtime/CommonSlowPaths.cpp:
925         (JSC::SLOW_PATH_DECL): Deleted.
926         * runtime/CommonSlowPaths.h:
927         * runtime/Executable.cpp:
928         (JSC::FunctionExecutable::finishCreation):
929         (JSC::FunctionExecutable::visitChildren):
930         * runtime/Executable.h:
931         (JSC::FunctionExecutable::singletonFunction):
932         * runtime/InferredValue.cpp: Added.
933         (JSC::InferredValue::create):
934         (JSC::InferredValue::destroy):
935         (JSC::InferredValue::createStructure):
936         (JSC::InferredValue::visitChildren):
937         (JSC::InferredValue::InferredValue):
938         (JSC::InferredValue::~InferredValue):
939         (JSC::InferredValue::notifyWriteSlow):
940         (JSC::InferredValue::ValueCleanup::ValueCleanup):
941         (JSC::InferredValue::ValueCleanup::~ValueCleanup):
942         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
943         * runtime/InferredValue.h: Added.
944         (JSC::InferredValue::inferredValue):
945         (JSC::InferredValue::state):
946         (JSC::InferredValue::isStillValid):
947         (JSC::InferredValue::hasBeenInvalidated):
948         (JSC::InferredValue::add):
949         (JSC::InferredValue::notifyWrite):
950         (JSC::InferredValue::invalidate):
951         * runtime/JSEnvironmentRecord.cpp:
952         (JSC::JSEnvironmentRecord::visitChildren):
953         * runtime/JSEnvironmentRecord.h:
954         (JSC::JSEnvironmentRecord::isValid):
955         (JSC::JSEnvironmentRecord::finishCreation):
956         * runtime/JSFunction.cpp:
957         (JSC::JSFunction::create):
958         * runtime/JSFunction.h:
959         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
960         (JSC::JSFunction::createImpl):
961         (JSC::JSFunction::create): Deleted.
962         * runtime/JSGlobalObject.cpp:
963         (JSC::JSGlobalObject::addGlobalVar):
964         (JSC::JSGlobalObject::addFunction):
965         * runtime/JSGlobalObject.h:
966         * runtime/JSLexicalEnvironment.cpp:
967         (JSC::JSLexicalEnvironment::symbolTablePut):
968         * runtime/JSScope.h:
969         (JSC::ResolveOp::ResolveOp):
970         * runtime/JSSegmentedVariableObject.h:
971         (JSC::JSSegmentedVariableObject::finishCreation):
972         * runtime/JSSymbolTableObject.h:
973         (JSC::JSSymbolTableObject::JSSymbolTableObject):
974         (JSC::JSSymbolTableObject::setSymbolTable):
975         (JSC::symbolTablePut):
976         (JSC::symbolTablePutWithAttributes):
977         * runtime/PutPropertySlot.h:
978         * runtime/SymbolTable.cpp:
979         (JSC::SymbolTableEntry::prepareToWatch):
980         (JSC::SymbolTable::SymbolTable):
981         (JSC::SymbolTable::finishCreation):
982         (JSC::SymbolTable::visitChildren):
983         (JSC::SymbolTableEntry::inferredValue): Deleted.
984         (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
985         (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
986         (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
987         (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
988         * runtime/SymbolTable.h:
989         (JSC::SymbolTableEntry::disableWatching):
990         (JSC::SymbolTableEntry::watchpointSet):
991         (JSC::SymbolTable::singletonScope):
992         (JSC::SymbolTableEntry::notifyWrite): Deleted.
993         * runtime/TypeProfiler.cpp:
994         * runtime/VM.cpp:
995         (JSC::VM::VM):
996         * runtime/VM.h:
997         * tests/stress/infer-uninitialized-closure-var.js: Added.
998         (foo.f):
999         (foo):
1000         * tests/stress/singleton-scope-then-overwrite.js: Added.
1001         (foo.f):
1002         (foo):
1003         * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
1004         (foo):
1005         * tests/stress/singleton-scope-then-realloc.js: Added.
1006         (foo):
1007
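An added model of the InferredValue / watchpoint state machine that the entry above describes, written for this page rather than taken from the JavaScriptCore sources: the class names mirror the entry's terms, but the method bodies, the `compileGetCallee` helper and the `runSingletonScenario` walkthrough are simplified assumptions of this example, not the engine's real code paths.

```javascript
// Added model (not JavaScriptCore code) of the InferredValue / watchpoint state machine
// from the "JSC should detect singleton functions" entry. Class and function names are
// simplified stand-ins chosen for this example (assumption).

const ClearWatchpoint = "ClearWatchpoint"; // no JSFunction allocated yet
const IsWatched = "IsWatched";             // exactly one JSFunction seen; may be folded
const IsInvalidated = "IsInvalidated";     // a second, different JSFunction was seen

class InferredValue {
  constructor() {
    this.state = ClearWatchpoint;
    this.value = undefined;
    this.watchpoints = []; // compiled code that assumed the inferred value
  }

  // Called on every write, i.e. each time a JSFunction is allocated for the executable.
  notifyWrite(value) {
    if (this.state === IsInvalidated) return;
    if (this.state === ClearWatchpoint) {
      this.state = IsWatched;
      this.value = value;
      return;
    }
    if (this.value === value) return; // the same singleton again: still valid
    this.invalidate();
  }

  // Fires every dependent watchpoint and forgets the value for good.
  invalidate() {
    this.state = IsInvalidated;
    this.value = undefined;
    const fired = this.watchpoints;
    this.watchpoints = [];
    for (const wp of fired) wp.fire();
  }

  hasBeenInvalidated() { return this.state === IsInvalidated; }
  isStillValid() { return !this.hasBeenInvalidated(); }

  // The value the compiler may fold, or undefined while nothing is being inferred.
  inferredValue() { return this.state === IsWatched ? this.value : undefined; }

  add(watchpoint) { this.watchpoints.push(watchpoint); }
}

// Each FunctionExecutable owns an InferredValue describing its singleton JSFunction.
class FunctionExecutable {
  constructor(name) { this.name = name; this.singletonFunction = new InferredValue(); }
}

class JSFunction {
  constructor(executable, scope) { this.executable = executable; this.scope = scope; }
}

// Normal allocation path: every new JSFunction is reported to the executable.
function createFunction(executable, scope) {
  const fn = new JSFunction(executable, scope);
  executable.singletonFunction.notifyWrite(fn);
  return fn;
}

// Allocation path for executables known to produce many closures: invalidate once,
// up front, instead of paying for notifyWrite on every allocation.
function createWithInvalidatedReallocationWatchpoint(executable, scope) {
  executable.singletonFunction.invalidate();
  return new JSFunction(executable, scope);
}

// What an optimizing compiler does for GetCallee: if the executable currently has a
// valid singleton, fold the callee to that constant and register a watchpoint so the
// compiled code is discarded should a second JSFunction ever be allocated.
function compileGetCallee(executable) {
  const singleton = executable.singletonFunction.inferredValue();
  if (singleton === undefined) return { folded: false, callee: null, watchpoint: null };
  const watchpoint = { fired: false, fire() { this.fired = true; } };
  executable.singletonFunction.add(watchpoint);
  return { folded: true, callee: singleton, watchpoint };
}

// Walks one executable through the whole lifecycle and reports what each step saw.
function runSingletonScenario() {
  const executable = new FunctionExecutable("foo");
  const scope = {};
  const before = compileGetCallee(executable);     // nothing to fold yet
  const first = createFunction(executable, scope);
  const compiled = compileGetCallee(executable);   // folds GetCallee to `first`
  executable.singletonFunction.notifyWrite(first); // same function again: harmless
  const stillFolded = !compiled.watchpoint.fired;
  createFunction(executable, scope);               // a second closure: not a singleton any more
  return {
    foldedBeforeAnyAllocation: before.folded,
    foldedToFirst: compiled.folded && compiled.callee === first,
    stillFolded,
    watchpointFired: compiled.watchpoint.fired,
    foldableAfterwards: compileGetCallee(executable).folded,
  };
}
```

The point the model makes is the one the entry relies on: folding is only sound while the watchpoint is registered, so the second allocation must reach `invalidate()` before any folded code can run again, and an executable that opts out via the invalidated-reallocation path never offers a value to fold.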
1008 2015-04-13  Andreas Kling  <akling@apple.com>
1009
1010         Don't segregate heap objects based on Structure immortality.
1011         <https://webkit.org/b/143638>
1012
1013         Reviewed by Darin Adler.
1014
1015         Put all objects that need a destructor call into the same MarkedBlock.
1016         This reduces memory consumption in many situations, while improving locality,
1017         since much more of the MarkedBlock space can be shared.
1018
1019         Instead of branching on the MarkedBlock type, we now check a bit in the
1020         JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
1021         to access the cell's Structure during destruction or not.
1022
1023         Performance benchmarks look mostly neutral. Maybe a small regression on
1024         SunSpider's date objects.
1025
1026         On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
1027         with a bunch of WeakBlocks that were hanging off of them. That's on the higher
1028         end of savings we can get from this, but still a very real improvement.
1029
1030         Most of this patch is removing the "hasImmortalStructure" constant from JSCell
1031         derived classes and passing that responsibility to the StructureIsImmortal flag.
1032         StructureFlags is made public so that it's accessible from non-member functions.
1033         I made sure to declare it everywhere and make classes final to try to make it
1034         explicit what each class is doing to its inherited flags.
1035
1036         * API/JSCallbackConstructor.h:
1037         * API/JSCallbackObject.h:
1038         * bytecode/UnlinkedCodeBlock.h:
1039         * debugger/DebuggerScope.h:
1040         * dfg/DFGSpeculativeJIT.cpp:
1041         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1042         * ftl/FTLLowerDFGToLLVM.cpp:
1043         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1044         * heap/Heap.h:
1045         (JSC::Heap::subspaceForObjectDestructor):
1046         (JSC::Heap::allocatorForObjectWithDestructor):
1047         (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
1048         (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
1049         (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
1050         (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
1051         * heap/HeapInlines.h:
1052         (JSC::Heap::allocateWithDestructor):
1053         (JSC::Heap::allocateObjectOfType):
1054         (JSC::Heap::subspaceForObjectOfType):
1055         (JSC::Heap::allocatorForObjectOfType):
1056         (JSC::Heap::allocateWithNormalDestructor): Deleted.
1057         (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
1058         * heap/MarkedAllocator.cpp:
1059         (JSC::MarkedAllocator::allocateBlock):
1060         * heap/MarkedAllocator.h:
1061         (JSC::MarkedAllocator::needsDestruction):
1062         (JSC::MarkedAllocator::MarkedAllocator):
1063         (JSC::MarkedAllocator::init):
1064         (JSC::MarkedAllocator::destructorType): Deleted.
1065         * heap/MarkedBlock.cpp:
1066         (JSC::MarkedBlock::create):
1067         (JSC::MarkedBlock::MarkedBlock):
1068         (JSC::MarkedBlock::callDestructor):
1069         (JSC::MarkedBlock::specializedSweep):
1070         (JSC::MarkedBlock::sweep):
1071         (JSC::MarkedBlock::sweepHelper):
1072         * heap/MarkedBlock.h:
1073         (JSC::MarkedBlock::needsDestruction):
1074         (JSC::MarkedBlock::destructorType): Deleted.
1075         * heap/MarkedSpace.cpp:
1076         (JSC::MarkedSpace::MarkedSpace):
1077         (JSC::MarkedSpace::resetAllocators):
1078         (JSC::MarkedSpace::forEachAllocator):
1079         (JSC::MarkedSpace::isPagedOut):
1080         (JSC::MarkedSpace::clearNewlyAllocated):
1081         * heap/MarkedSpace.h:
1082         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1083         (JSC::MarkedSpace::destructorAllocatorFor):
1084         (JSC::MarkedSpace::allocateWithDestructor):
1085         (JSC::MarkedSpace::forEachBlock):
1086         (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
1087         (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
1088         (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
1089         (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
1090         (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
1091         (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
1092         * inspector/JSInjectedScriptHost.h:
1093         * inspector/JSInjectedScriptHostPrototype.h:
1094         * inspector/JSJavaScriptCallFrame.h:
1095         * inspector/JSJavaScriptCallFramePrototype.h:
1096         * jsc.cpp:
1097         * runtime/ArrayBufferNeuteringWatchpoint.h:
1098         * runtime/ArrayConstructor.h:
1099         * runtime/ArrayIteratorPrototype.h:
1100         * runtime/BooleanPrototype.h:
1101         * runtime/ClonedArguments.h:
1102         * runtime/CustomGetterSetter.h:
1103         * runtime/DateConstructor.h:
1104         * runtime/DatePrototype.h:
1105         * runtime/ErrorPrototype.h:
1106         * runtime/ExceptionHelpers.h:
1107         * runtime/Executable.h:
1108         * runtime/GenericArguments.h:
1109         * runtime/GetterSetter.h:
1110         * runtime/InternalFunction.h:
1111         * runtime/JSAPIValueWrapper.h:
1112         * runtime/JSArgumentsIterator.h:
1113         * runtime/JSArray.h:
1114         * runtime/JSArrayBuffer.h:
1115         * runtime/JSArrayBufferView.h:
1116         * runtime/JSBoundFunction.h:
1117         * runtime/JSCallee.h:
1118         * runtime/JSCell.h:
1119         * runtime/JSCellInlines.h:
1120         (JSC::JSCell::classInfo):
1121         * runtime/JSDataViewPrototype.h:
1122         * runtime/JSEnvironmentRecord.h:
1123         * runtime/JSFunction.h:
1124         * runtime/JSGenericTypedArrayView.h:
1125         * runtime/JSGlobalObject.h:
1126         * runtime/JSLexicalEnvironment.h:
1127         * runtime/JSNameScope.h:
1128         * runtime/JSNotAnObject.h:
1129         * runtime/JSONObject.h:
1130         * runtime/JSObject.h:
1131         (JSC::JSFinalObject::JSFinalObject):
1132         * runtime/JSPromiseConstructor.h:
1133         * runtime/JSPromiseDeferred.h:
1134         * runtime/JSPromisePrototype.h:
1135         * runtime/JSPromiseReaction.h:
1136         * runtime/JSPropertyNameEnumerator.h:
1137         * runtime/JSProxy.h:
1138         * runtime/JSScope.h:
1139         * runtime/JSString.h:
1140         * runtime/JSSymbolTableObject.h:
1141         * runtime/JSTypeInfo.h:
1142         (JSC::TypeInfo::structureIsImmortal):
1143         * runtime/MathObject.h:
1144         * runtime/NumberConstructor.h:
1145         * runtime/NumberPrototype.h:
1146         * runtime/ObjectConstructor.h:
1147         * runtime/PropertyMapHashTable.h:
1148         * runtime/RegExp.h:
1149         * runtime/RegExpConstructor.h:
1150         * runtime/RegExpObject.h:
1151         * runtime/RegExpPrototype.h:
1152         * runtime/ScopedArgumentsTable.h:
1153         * runtime/SparseArrayValueMap.h:
1154         * runtime/StrictEvalActivation.h:
1155         * runtime/StringConstructor.h:
1156         * runtime/StringIteratorPrototype.h:
1157         * runtime/StringObject.h:
1158         * runtime/StringPrototype.h:
1159         * runtime/Structure.cpp:
1160         (JSC::Structure::Structure):
1161         * runtime/Structure.h:
1162         * runtime/StructureChain.h:
1163         * runtime/StructureRareData.h:
1164         * runtime/Symbol.h:
1165         * runtime/SymbolPrototype.h:
1166         * runtime/SymbolTable.h:
1167         * runtime/WeakMapData.h:
1168
1169 2015-04-13  Mark Lam  <mark.lam@apple.com>
1170
1171         DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
1172         https://bugs.webkit.org/show_bug.cgi?id=143407
1173
1174         Reviewed by Filip Pizlo.
1175
1176         DFG inlining of a varargs call / construct needs to keep the local
1177         containing the callee alive with a Phantom node because the LoadVarargs
1178         node may OSR exit.  After the OSR exit, the baseline JIT executes the
1179         op_call_varargs with that callee in the local.
1180
1181         Previously, because that callee local was not explicitly kept alive,
1182         the op_call_varargs case can OSR exit a DFG function and leave an
1183         undefined value in that local.  As a result, the baseline observes the
1184         side effect of an op_call_varargs on an undefined value instead of the
1185         function it expected.
1186
1187         Note: this issue does not manifest with op_construct_varargs because
1188         the inlined constructor will have an op_create_this which operates on
1189         the incoming callee value, thereby keeping it alive.
1190
1191         * dfg/DFGByteCodeParser.cpp:
1192         (JSC::DFG::ByteCodeParser::handleInlining):
1193         * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
1194         (foo):
1195         (Foo):
1196         (doTest):
1197
1198 2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1199
1200         [ES6] Implement Array.prototype.values
1201         https://bugs.webkit.org/show_bug.cgi?id=143633
1202
1203         Reviewed by Darin Adler.
1204
1205         Symbol.unscopables is implemented, so we can implement Array.prototype.values
1206         without largely breaking the web. The following script passes.
1207
1208         var array = [];
1209         var values = 42;
1210         with (array) {
1211             assert(values, 42);
1212         }
1213
1214         * runtime/ArrayPrototype.cpp:
1215         * tests/stress/array-iterators-next.js:
1216         * tests/stress/map-iterators-next.js:
1217         * tests/stress/set-iterators-next.js:
1218         * tests/stress/values-unscopables.js: Added.
1219         (test):
1220
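An added example, not from the patch above or from JavaScriptCore, of the Symbol.unscopables behaviour that the test script in the entry relies on, generalized from the array case to a plain object with and without an unscopables list; `resolveValuesInsideWith` and the case functions are names chosen for this example, and the Function constructor is used only so that the `with` statement compiles even if the file is loaded as strict-mode code.

```javascript
// Added illustration (not JavaScriptCore code) of why Array.prototype.values could only
// ship once Symbol.unscopables worked: inside `with (obj) { ... }` every property of
// obj, own or inherited, would otherwise shadow an outer binding of the same name.
// The Function constructor is used so the `with` statement is compiled as sloppy-mode
// code even if this file itself is loaded as strict-mode code (assumption).

// Resolves the identifier `values` inside `with (obj)` while an outer `values` is 42.
const resolveValuesInsideWith = new Function(
  "obj",
  "var values = 42; with (obj) { return values; }"
);

// A real array: Array.prototype.values exists, but Array.prototype[Symbol.unscopables]
// lists `values`, so the scope lookup skips it and the outer variable wins.
function arrayCase() {
  return resolveValuesInsideWith([]); // 42
}

// A plain object with its own `values` method and no unscopables list: the method
// shadows the outer variable, which is the breakage the entry is guarding against.
function shadowingCase() {
  const obj = { values() { return "from obj"; } };
  return resolveValuesInsideWith(obj); // the method itself
}

// The same object, opted out of `with` via Symbol.unscopables: the outer binding returns.
function unscopableCase() {
  const obj = {
    values() { return "from obj"; },
    [Symbol.unscopables]: { values: true },
  };
  return resolveValuesInsideWith(obj); // 42
}

// The engine-provided list that makes arrayCase() work; `values` must be in it.
function arrayUnscopablesListsValues() {
  return Array.prototype[Symbol.unscopables].values === true;
}
```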
1221 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1222
1223         Run flaky conservative GC related test first before polluting stack and registers
1224         https://bugs.webkit.org/show_bug.cgi?id=143634
1225
1226         Reviewed by Ryosuke Niwa.
1227
1228         After r182653, JSC API tests fail. However, it's not related to the change.
1229         After investigating the cause of this failure, I've found that the failed test is flaky
1230         because JSC's GC is conservative. If a previously allocated JSGlobalObject is accidentally kept alive
1231         by conservative roots in the C stack and registers, this test fails.
1232
1233         Since the GC marks the C stack and registers as roots conservatively,
1234         objects that are not logically referenced can be accidentally marked and kept alive.
1235         To avoid this situation as much as we can,
1236         1. run this test first, before the stack is polluted,
1237         2. extract this test as a function to suppress stack height.
1238
1239         * API/tests/testapi.mm:
1240         (testWeakValue):
1241         (testObjectiveCAPIMain):
1242         (testObjectiveCAPI):
1243
1244 2015-04-11  Matt Baker  <mattbaker@apple.com>
1245
1246         Web Inspector: create content view and details sidebar for Frames timeline
1247         https://bugs.webkit.org/show_bug.cgi?id=143533
1248
1249         Reviewed by Timothy Hatcher.
1250
1251         Refactoring: RunLoop prefix changed to RenderingFrame.
1252
1253         * inspector/protocol/Timeline.json:
1254
1255 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1256
1257         [ES6] Enable Symbol in web pages
1258         https://bugs.webkit.org/show_bug.cgi?id=143375
1259
1260         Reviewed by Ryosuke Niwa.
1261
1262         Expose Symbol to web pages.
1263         Symbol was exposed before, but it was hidden since it broke Facebook comments.
1264         This is because, at that time, Symbol was implemented
1265         but the methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
1266         and that broke React.js and immutable.js.
1267
1268         Now the methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
1269         and we have made sure that the Facebook comment input functionality is not broken with Symbol exposed.
1270
1271         So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
1272         and enables symbols by default.
1273
1274         * runtime/ArrayPrototype.cpp:
1275         (JSC::ArrayPrototype::finishCreation):
1276         * runtime/CommonIdentifiers.h:
1277         * runtime/JSGlobalObject.cpp:
1278         (JSC::JSGlobalObject::init):
1279         * runtime/ObjectConstructor.cpp:
1280         (JSC::ObjectConstructor::finishCreation):
1281         * runtime/RuntimeFlags.h:
1282
1283 2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1284
1285         ES6: Iterator toString names should be consistent
1286         https://bugs.webkit.org/show_bug.cgi?id=142424
1287
1288         Reviewed by Geoffrey Garen.
1289
1290         Iterator Object Names in the spec right now have spaces.
1291         In our implementation some do and some don't.
1292         This patch aligns JSC to the spec.
1293
1294         * runtime/JSArrayIterator.cpp:
1295         * runtime/JSStringIterator.cpp:
1296         * tests/stress/iterator-names.js: Added.
1297         (test):
1298         (iter):
1299         (check):
1300
1301 2015-04-10  Michael Saboff  <msaboff@apple.com>
1302
1303         REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
1304         https://bugs.webkit.org/show_bug.cgi?id=143582
1305
1306         Reviewed by Mark Lam.
1307
1308         For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
1309         fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
1310         For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
1311         The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
1312         if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
1313         we would still OSR exit after the speculation check.
1314
1315         * dfg/DFGFixupPhase.cpp:
1316         (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
1317         * dfg/DFGSpeculativeJIT32_64.cpp:
1318         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1319
1320 2015-04-10  Milan Crha  <mcrha@redhat.com>
1321
1322         Disable Linux-specific code in a Windows build
1323         https://bugs.webkit.org/show_bug.cgi?id=137973
1324
1325         Reviewed by Joseph Pecoraro.
1326
1327         * inspector/JSGlobalObjectInspectorController.cpp:
1328         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1329
1330 2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>
1331
1332         [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
1333         https://bugs.webkit.org/show_bug.cgi?id=143368
1334
1335         Reviewed by Michael Saboff.
1336
1337         * jit/RegisterSet.cpp:
1338         (JSC::RegisterSet::calleeSaveRegisters):
1339
1340 2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>
1341
1342         Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
1343         https://bugs.webkit.org/show_bug.cgi?id=143430
1344
1345         Reviewed by Darin Adler.
1346
1347         * runtime/ExceptionHelpers.cpp:
1348         (JSC::errorDescriptionForValue):
1349         * runtime/NumberPrototype.cpp:
1350         (JSC::numberProtoFuncToExponential):
1351         (JSC::numberProtoFuncToPrecision):
1352         (JSC::numberProtoFuncToString):
1353         * runtime/SymbolPrototype.cpp:
1354         (JSC::symbolProtoFuncToString):
1355
1356 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1357
1358         JSArray::sortNumeric should handle ArrayWithUndecided
1359         https://bugs.webkit.org/show_bug.cgi?id=143535
1360
1361         Reviewed by Geoffrey Garen.
1362         
1363         ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.
1364
1365         * runtime/JSArray.cpp:
1366         (JSC::JSArray::sortNumeric):
1367         * tests/stress/sort-array-with-undecided.js: Added.
1368
1369 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1370
1371         DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
1372         https://bugs.webkit.org/show_bug.cgi?id=143532
1373
1374         Reviewed by Gavin Barraclough.
1375         
1376         Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
1377         But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
1378         would think that there never was wrap-around.
1379         
1380         This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.
1381
1382         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1383         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
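
        Added illustration for the entry above (my own code, not JSC's): a wrap-around check that
        itself relies on signed int32 overflow (undefined behaviour, so the optimizer may delete it),
        next to two well-defined ways to write the same predicate. Function names are hypothetical.

```cpp
#include <cassert>
#include <cstdint>
#include <limits>
#include <optional>

// BUGGY FORM (kept only for illustration, never relied on below): the test
// computes the signed sum first and inspects it afterwards. Signed overflow
// is undefined in C++, so a conforming compiler may assume `index + addend`
// never wraps, conclude `sum >= index` always holds for addend >= 0, and
// fold the whole function to `return true`. The check then silently vanishes.
bool addIsSafeUB(int32_t index, int32_t addend)
{
    int32_t sum = index + addend;          // UB whenever the true sum leaves int32
    return addend >= 0 ? sum >= index : sum < index;
}

// FIXED FORM 1: widen first. int64_t holds every possible sum of two int32
// values, so the addition is always defined and the range check is honest.
std::optional<int32_t> checkedAdd32(int32_t index, int32_t addend)
{
    int64_t sum = static_cast<int64_t>(index) + static_cast<int64_t>(addend);
    if (sum < std::numeric_limits<int32_t>::min() || sum > std::numeric_limits<int32_t>::max())
        return std::nullopt;
    return static_cast<int32_t>(sum);
}

// FIXED FORM 2: unsigned arithmetic wraps modulo 2^32 by definition. Do the
// add in uint32_t and detect signed overflow from the sign bits: it occurred
// iff both operands share a sign and the result's sign differs from it.
std::optional<int32_t> checkedAdd32Unsigned(int32_t index, int32_t addend)
{
    uint32_t a = static_cast<uint32_t>(index);
    uint32_t b = static_cast<uint32_t>(addend);
    uint32_t s = a + b;                    // well-defined wrap-around
    if (((a ^ s) & (b ^ s)) >> 31)
        return std::nullopt;
    return static_cast<int32_t>(s);        // no overflow, so the value fits
}

// The predicate an isValid()-style check wants: "may I treat index + addend
// as an ordinary int32 without a wrap-around hazard?"
bool addStaysInInt32(int32_t index, int32_t addend)
{
    return checkedAdd32(index, addend).has_value();
}

int main()
{
    const int32_t maxV = std::numeric_limits<int32_t>::max();
    const int32_t minV = std::numeric_limits<int32_t>::min();
    assert(addStaysInInt32(5, 7));
    assert(!addStaysInInt32(maxV, 1));
    assert(!addStaysInInt32(minV, -1));
    assert(checkedAdd32Unsigned(maxV, 1) == std::nullopt);
    assert(checkedAdd32Unsigned(-1, 1).value() == 0);
    return 0;
}
```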
1384
1385 2015-04-07  Michael Saboff  <msaboff@apple.com>
1386
1387         Lazily initialize LogToSystemConsole flag to reduce memory usage
1388         https://bugs.webkit.org/show_bug.cgi?id=143506
1389
1390         Reviewed by Mark Lam.
1391
1392         Only call into CF preferences code when we need to in order to reduce memory usage.
1393
1394         * inspector/JSGlobalObjectConsoleClient.cpp:
1395         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
1396         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
1397         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
1398         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
1399
1400 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
1401
1402         Get the features.json files ready for open contributions
1403         https://bugs.webkit.org/show_bug.cgi?id=143436
1404
1405         Reviewed by Darin Adler.
1406
1407         * features.json:
1408
1409 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
1410
1411         Constant folding of typed array properties should be handled by AI rather than strength reduction
1412         https://bugs.webkit.org/show_bug.cgi?id=143496
1413
1414         Reviewed by Geoffrey Garen.
1415         
1416         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
1417         phase and whatever other phase did the folding in order to find all constants.
1418         
1419         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
1420         directly.
1421         
1422         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
1423         found because all of the tests for it involved the property getting constant folded. I found that
1424         the codegen was bad because an earlier version of the patch broke that constant folding. This
1425         adds a new test for that node type, which makes constant folding impossible by allocating a new
1426         typed array every time. The lesson here is: if you write a test for something, run the test with
1427         full IR dumps to make sure it's actually testing the thing you want it to test.
1428
1429         * dfg/DFGAbstractInterpreterInlines.h:
1430         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1431         * dfg/DFGClobberize.h:
1432         (JSC::DFG::clobberize):
1433         * dfg/DFGConstantFoldingPhase.cpp:
1434         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1435         * dfg/DFGDoesGC.cpp:
1436         (JSC::DFG::doesGC):
1437         * dfg/DFGFixupPhase.cpp:
1438         (JSC::DFG::FixupPhase::fixupNode):
1439         * dfg/DFGGraph.cpp:
1440         (JSC::DFG::Graph::dump):
1441         (JSC::DFG::Graph::tryGetFoldableView):
1442         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
1443         * dfg/DFGGraph.h:
1444         * dfg/DFGNode.h:
1445         (JSC::DFG::Node::hasTypedArray): Deleted.
1446         (JSC::DFG::Node::typedArray): Deleted.
1447         * dfg/DFGNodeType.h:
1448         * dfg/DFGPredictionPropagationPhase.cpp:
1449         (JSC::DFG::PredictionPropagationPhase::propagate):
1450         * dfg/DFGSafeToExecute.h:
1451         (JSC::DFG::safeToExecute):
1452         * dfg/DFGSpeculativeJIT.cpp:
1453         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
1454         * dfg/DFGSpeculativeJIT32_64.cpp:
1455         (JSC::DFG::SpeculativeJIT::compile):
1456         * dfg/DFGSpeculativeJIT64.cpp:
1457         (JSC::DFG::SpeculativeJIT::compile):
1458         * dfg/DFGStrengthReductionPhase.cpp:
1459         (JSC::DFG::StrengthReductionPhase::handleNode):
1460         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
1461         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
1462         * dfg/DFGWatchpointCollectionPhase.cpp:
1463         (JSC::DFG::WatchpointCollectionPhase::handle):
1464         (JSC::DFG::WatchpointCollectionPhase::addLazily):
1465         * ftl/FTLCapabilities.cpp:
1466         (JSC::FTL::canCompile):
1467         * ftl/FTLLowerDFGToLLVM.cpp:
1468         (JSC::FTL::LowerDFGToLLVM::compileNode):
1469         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
1470         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
1471         * tests/stress/fold-typed-array-properties.js:
1472         (foo):
1473         * tests/stress/typed-array-byte-offset.js: Added.
1474         (foo):
1475
1476 2015-04-07  Matthew Mirman  <mmirman@apple.com>
1477
1478         Source and stack information should get appended only to native errors
1479         and should be added directly after construction rather than when thrown. 
1480         This fixes frozen objects being unfrozen when thrown while conforming to 
1481         the ECMAScript standard and other browser behavior.
1482         rdar://problem/19927293
1483         https://bugs.webkit.org/show_bug.cgi?id=141871
1484         
1485         Reviewed by Geoffrey Garen.
1486
1487         Appending stack, source, line, and column information to an object whenever that object is thrown 
1488         is incorrect because it violates the ECMAScript standard for the behavior of throw.  Suppose for example
1489         that the object being thrown already has one of these properties or is frozen.  Adding the properties 
1490         would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
1491         and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
1492         a control flow construct rather than just an error reporting mechanism.  
1493         
1494         Because WebCore adds "native" errors which do not inherit from any JSC native error, 
1495         appending the error properties as a separate call after construction of the error is required 
1496         to avoid having to manually truncate the stack and gather local source information due to 
1497         the stack being extended by a nested call to construct one of the native JSC errors.
1498         
1499         * interpreter/Interpreter.cpp:
1500         (JSC::Interpreter::execute):
1501         * interpreter/Interpreter.h:
1502         * parser/ParserError.h:
1503         (JSC::ParserError::toErrorObject):
1504         * runtime/CommonIdentifiers.h:
1505         * runtime/Error.cpp:
1506         (JSC::createError):
1507         (JSC::createEvalError):
1508         (JSC::createRangeError):
1509         (JSC::createReferenceError):
1510         (JSC::createSyntaxError):
1511         (JSC::createTypeError):
1512         (JSC::createNotEnoughArgumentsError):
1513         (JSC::createURIError):
1514         (JSC::createOutOfMemoryError):
1515         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1516         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1517         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
1518         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
1519         (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
1520         (JSC::addErrorInfo): Added special case for appending complete error info 
1521         to a newly constructed error object.
1522         * runtime/Error.h:
1523         * runtime/ErrorConstructor.cpp:
1524         (JSC::Interpreter::constructWithErrorConstructor):
1525         (JSC::Interpreter::callErrorConstructor):
1526         * runtime/ErrorInstance.cpp:
1527         (JSC::appendSourceToError): Moved from VM.cpp
1528         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1529         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1530         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
1531         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
1532         (JSC::addErrorInfoAndGetBytecodeOffset):
1533         (JSC::ErrorInstance::finishCreation):
1534         * runtime/ErrorInstance.h:
1535         (JSC::ErrorInstance::create):
1536         * runtime/ErrorPrototype.cpp:
1537         (JSC::ErrorPrototype::finishCreation):
1538         * runtime/ExceptionFuzz.cpp:
1539         (JSC::doExceptionFuzzing):
1540         * runtime/ExceptionHelpers.cpp:
1541         (JSC::createError):
1542         (JSC::createInvalidFunctionApplyParameterError):
1543         (JSC::createInvalidInParameterError):
1544         (JSC::createInvalidInstanceofParameterError):
1545         (JSC::createNotAConstructorError):
1546         (JSC::createNotAFunctionError):
1547         (JSC::createNotAnObjectError):
1548         (JSC::throwOutOfMemoryError):
1549         (JSC::createStackOverflowError): Deleted.
1550         (JSC::createOutOfMemoryError): Deleted.
1551         * runtime/ExceptionHelpers.h:
1552         * runtime/JSArrayBufferConstructor.cpp:
1553         (JSC::constructArrayBuffer):
1554         * runtime/JSArrayBufferPrototype.cpp:
1555         (JSC::arrayBufferProtoFuncSlice):
1556         * runtime/JSGenericTypedArrayViewInlines.h:
1557         (JSC::JSGenericTypedArrayView<Adaptor>::create):
1558         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
1559         * runtime/NativeErrorConstructor.cpp:
1560         (JSC::Interpreter::constructWithNativeErrorConstructor):
1561         (JSC::Interpreter::callNativeErrorConstructor):
1562         * runtime/VM.cpp:
1563         (JSC::VM::throwException):
1564         (JSC::appendSourceToError): Moved to Error.cpp
1565         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
1566         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
1567         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
1568         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
1569         * tests/stress/freeze_leek.js: Added.
1570
1571 2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>
1572
1573         Web Inspector: ES6: Show Symbol properties on Objects
1574         https://bugs.webkit.org/show_bug.cgi?id=141279
1575
1576         Reviewed by Timothy Hatcher.
1577
1578         * inspector/protocol/Runtime.json:
1579         Give PropertyDescriptor a reference to the Symbol RemoteObject
1580         if the property is a symbol property.
1581
1582         * inspector/InjectedScriptSource.js:
1583         Enumerate symbol properties on objects.
1584
1585 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
1586
1587         Make it possible to enable LLVM FastISel
1588         https://bugs.webkit.org/show_bug.cgi?id=143489
1589
1590         Reviewed by Michael Saboff.
1591
1592         The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
1593         against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
1594         if we should enable it.
1595
1596         * ftl/FTLCompile.cpp:
1597         (JSC::FTL::mmAllocateDataSection):
1598         * llvm/InitializeLLVM.cpp:
1599         (JSC::initializeLLVMImpl):
1600         * llvm/InitializeLLVM.h:
1601         * llvm/InitializeLLVMLinux.cpp:
1602         (JSC::getLLVMInitializerFunction):
1603         (JSC::initializeLLVMImpl): Deleted.
1604         * llvm/InitializeLLVMMac.cpp:
1605         (JSC::getLLVMInitializerFunction):
1606         (JSC::initializeLLVMImpl): Deleted.
1607         * llvm/InitializeLLVMPOSIX.cpp:
1608         (JSC::getLLVMInitializerFunctionPOSIX):
1609         (JSC::initializeLLVMPOSIX): Deleted.
1610         * llvm/InitializeLLVMPOSIX.h:
1611         * llvm/InitializeLLVMWin.cpp:
1612         (JSC::getLLVMInitializerFunction):
1613         (JSC::initializeLLVMImpl): Deleted.
1614         * llvm/LLVMAPI.cpp:
1615         * llvm/LLVMAPI.h:
1616         * llvm/library/LLVMExports.cpp:
1617         (initCommandLine):
1618         (initializeAndGetJSCLLVMAPI):
1619         * runtime/Options.cpp:
1620         (JSC::Options::initialize):
1621
1622 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1623
1624         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
1625         https://bugs.webkit.org/show_bug.cgi?id=140426
1626
1627         Reviewed by Darin Adler.
1628
1629         In the put_by_val_direct operation, we use JSObject::putDirect.
1630         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
1631         This patch checks whether the toString-ed Identifier is an index or not to choose between putDirect and putDirectIndex.
1632
1633         * dfg/DFGOperations.cpp:
1634         (JSC::DFG::putByVal):
1635         (JSC::DFG::operationPutByValInternal):
1636         * jit/JITOperations.cpp:
1637         * llint/LLIntSlowPaths.cpp:
1638         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1639         * runtime/Identifier.h:
1640         (JSC::isIndex):
1641         (JSC::parseIndex):
1642         * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
1643         (lookupWithKey):
1644         (toStringThrowsError.toString):
1645
1646 2015-04-06  Alberto Garcia  <berto@igalia.com>
1647
1648         [GTK] Fix HPPA build
1649         https://bugs.webkit.org/show_bug.cgi?id=143453
1650
1651         Reviewed by Darin Adler.
1652
1653         Add HPPA to the list of supported CPUs.
1654
1655         * CMakeLists.txt:
1656
1657 2015-04-06  Mark Lam  <mark.lam@apple.com>
1658
1659         In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
1660         <https://webkit.org/b/143396>
1661
1662         Reviewed by Filip Pizlo.
1663
1664         The DFG was neglecting to set the result boolean.  The FTL was setting it with
1665         an inverted value.  Both of these are now resolved.
1666
1667         * dfg/DFGSpeculativeJIT64.cpp:
1668         (JSC::DFG::SpeculativeJIT::compile):
1669         * ftl/FTLLowerDFGToLLVM.cpp:
1670         (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
1671         * tests/stress/for-in-array-mode.js: Added.
1672         (.):
1673         (test):
1674
1675 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1676
1677         [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
1678         https://bugs.webkit.org/show_bug.cgi?id=143424
1679
1680         Reviewed by Geoffrey Garen.
1681
1682         In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).
1683
1684         ToString(symbol) throws a type error.
1685         However, String(symbol) produces SymbolDescriptiveString(symbol).
1686
1687         So, in the DFG and FTL phases, they should not inline StringConstructor to ToString.
1688
1689         Now, in the template literals patch, the ToString DFG operation is planned to be used.
1690         And the current ToString behavior is aligned to the spec (and JSValue::toString), and it's better.
1691         So instead of changing ToString behavior, this patch adds a CallStringConstructor operation into DFG and FTL.
1692         In CallStringConstructor, all behavior in DFG analysis is the same.
1693         The only difference from ToString is that, when calling DFG operation functions, it calls
1694         operationCallStringConstructorOnCell and operationCallStringConstructor instead of
1695         operationToStringOnCell and operationToString.
1696
1697         * dfg/DFGAbstractInterpreterInlines.h:
1698         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1699         * dfg/DFGBackwardsPropagationPhase.cpp:
1700         (JSC::DFG::BackwardsPropagationPhase::propagate):
1701         * dfg/DFGByteCodeParser.cpp:
1702         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1703         * dfg/DFGClobberize.h:
1704         (JSC::DFG::clobberize):
1705         * dfg/DFGDoesGC.cpp:
1706         (JSC::DFG::doesGC):
1707         * dfg/DFGFixupPhase.cpp:
1708         (JSC::DFG::FixupPhase::fixupNode):
1709         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
1710         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1711         (JSC::DFG::FixupPhase::fixupToString): Deleted.
1712         * dfg/DFGNodeType.h:
1713         * dfg/DFGOperations.cpp:
1714         * dfg/DFGOperations.h:
1715         * dfg/DFGPredictionPropagationPhase.cpp:
1716         (JSC::DFG::PredictionPropagationPhase::propagate):
1717         * dfg/DFGSafeToExecute.h:
1718         (JSC::DFG::safeToExecute):
1719         * dfg/DFGSpeculativeJIT.cpp:
1720         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
1721         (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
1722         * dfg/DFGSpeculativeJIT.h:
1723         * dfg/DFGSpeculativeJIT32_64.cpp:
1724         (JSC::DFG::SpeculativeJIT::compile):
1725         * dfg/DFGSpeculativeJIT64.cpp:
1726         (JSC::DFG::SpeculativeJIT::compile):
1727         * dfg/DFGStructureRegistrationPhase.cpp:
1728         (JSC::DFG::StructureRegistrationPhase::run):
1729         * ftl/FTLCapabilities.cpp:
1730         (JSC::FTL::canCompile):
1731         * ftl/FTLLowerDFGToLLVM.cpp:
1732         (JSC::FTL::LowerDFGToLLVM::compileNode):
1733         (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
1734         (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
1735         * runtime/StringConstructor.cpp:
1736         (JSC::stringConstructor):
1737         (JSC::callStringConstructor):
1738         * runtime/StringConstructor.h:
1739         * tests/stress/symbol-and-string-constructor.js: Added.
1740         (performString):
1741
1742 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1743
1744         Return Optional<uint32_t> from PropertyName::asIndex
1745         https://bugs.webkit.org/show_bug.cgi?id=143422
1746
1747         Reviewed by Darin Adler.
1748
1749         PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
1750         But it's not obvious to callers.
1751
1752         This patch changes
1753         1. PropertyName::asIndex() to return Optional<uint32_t> and
1754         2. the function name `asIndex()` to `parseIndex()`.
1755         It forces callers to check explicitly whether the value is an index or not.
1756
1757         * bytecode/GetByIdStatus.cpp:
1758         (JSC::GetByIdStatus::computeFor):
1759         * bytecode/PutByIdStatus.cpp:
1760         (JSC::PutByIdStatus::computeFor):
1761         * bytecompiler/BytecodeGenerator.cpp:
1762         (JSC::BytecodeGenerator::emitDirectPutById):
1763         * jit/Repatch.cpp:
1764         (JSC::emitPutTransitionStubAndGetOldStructure):
1765         * jsc.cpp:
1766         * runtime/ArrayPrototype.cpp:
1767         (JSC::arrayProtoFuncSort):
1768         * runtime/GenericArgumentsInlines.h:
1769         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1770         (JSC::GenericArguments<Type>::put):
1771         (JSC::GenericArguments<Type>::deleteProperty):
1772         (JSC::GenericArguments<Type>::defineOwnProperty):
1773         * runtime/Identifier.h:
1774         (JSC::parseIndex):
1775         (JSC::Identifier::isSymbol):
1776         * runtime/JSArray.cpp:
1777         (JSC::JSArray::defineOwnProperty):
1778         * runtime/JSCJSValue.cpp:
1779         (JSC::JSValue::putToPrimitive):
1780         * runtime/JSGenericTypedArrayViewInlines.h:
1781         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1782         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1783         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1784         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1785         * runtime/JSObject.cpp:
1786         (JSC::JSObject::put):
1787         (JSC::JSObject::putDirectAccessor):
1788         (JSC::JSObject::putDirectCustomAccessor):
1789         (JSC::JSObject::deleteProperty):
1790         (JSC::JSObject::putDirectMayBeIndex):
1791         (JSC::JSObject::defineOwnProperty):
1792         * runtime/JSObject.h:
1793         (JSC::JSObject::getOwnPropertySlot):
1794         (JSC::JSObject::getPropertySlot):
1795         (JSC::JSObject::putDirectInternal):
1796         * runtime/JSString.cpp:
1797         (JSC::JSString::getStringPropertyDescriptor):
1798         * runtime/JSString.h:
1799         (JSC::JSString::getStringPropertySlot):
1800         * runtime/LiteralParser.cpp:
1801         (JSC::LiteralParser<CharType>::parse):
1802         * runtime/PropertyName.h:
1803         (JSC::parseIndex):
1804         (JSC::toUInt32FromCharacters): Deleted.
1805         (JSC::toUInt32FromStringImpl): Deleted.
1806         (JSC::PropertyName::asIndex): Deleted.
1807         * runtime/PropertyNameArray.cpp:
1808         (JSC::PropertyNameArray::add):
1809         * runtime/StringObject.cpp:
1810         (JSC::StringObject::deleteProperty):
1811         * runtime/Structure.cpp:
1812         (JSC::Structure::prototypeChainMayInterceptStoreTo):
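
        Added illustration serving this entry and the put_by_val_direct entry above (my own code, not
        JSC's): a parseIndex() that returns std::optional instead of a UINT32_MAX sentinel, and a toy
        object with split indexed/named storage showing why index-like keys must be routed to the
        indexed store. kMaxArrayIndex, ToyObject and storedUnderIndex are hypothetical names.

```cpp
#include <cassert>
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <string_view>

// An array index is the canonical decimal spelling of an integer in
// [0, 2^32 - 2]. 2^32 - 1 (UINT32_MAX) is never an index, which is exactly
// why the old asIndex() could hand it back as "NotAnIndex"; returning
// std::optional makes that case impossible to forget at the call site.
constexpr uint32_t kMaxArrayIndex = 0xFFFFFFFEu;

std::optional<uint32_t> parseIndex(std::string_view name)
{
    // 4294967294 has ten digits; anything longer cannot be an index.
    if (name.empty() || name.size() > 10)
        return std::nullopt;
    // Only the canonical form counts: "01", "+1", " 1" and "1.0" are plain names.
    if (name.size() > 1 && name[0] == '0')
        return std::nullopt;
    uint64_t value = 0;
    for (char c : name) {
        if (c < '0' || c > '9')
            return std::nullopt;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (value > kMaxArrayIndex)
        return std::nullopt;
    return static_cast<uint32_t>(value);
}

// Toy object with the split storage that motivates put_by_val_direct's
// choice: indexed properties live in one store, named ones in another. A key
// such as "3" produced by toString() must land in the indexed store, or it
// becomes unreachable through obj[3].
struct ToyObject {
    std::map<uint32_t, int> indexedStorage;
    std::map<std::string, int> namedStorage;

    // Route to the right store, in the spirit of JSObject::putDirectMayBeIndex.
    void putDirectMayBeIndex(std::string_view key, int value)
    {
        if (auto index = parseIndex(key))
            indexedStorage[*index] = value;
        else
            namedStorage[std::string(key)] = value;
    }

    // Lookup by numeric index, as obj[3] would do.
    std::optional<int> getIndex(uint32_t index) const
    {
        auto it = indexedStorage.find(index);
        if (it == indexedStorage.end())
            return std::nullopt;
        return it->second;
    }
};

// Stores `value` under the string `key` on a fresh object and reports
// whether it is then reachable through numeric `index`.
bool storedUnderIndex(std::string_view key, uint32_t index, int value)
{
    ToyObject obj;
    obj.putDirectMayBeIndex(key, value);
    return obj.getIndex(index) == value;
}

int main()
{
    assert(storedUnderIndex("3", 3, 30));      // toString() of the number 3
    assert(!storedUnderIndex("03", 3, 31));    // not canonical: a named property
    assert(!parseIndex("4294967295").has_value());
    return 0;
}
```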
1813
1814 2015-04-05  Andreas Kling  <akling@apple.com>
1815
1816         URI encoding/escaping should use efficient string building instead of calling snprintf().
1817         <https://webkit.org/b/143426>
1818
1819         Reviewed by Gavin Barraclough.
1820
1821         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
1822         which seemed pretty silly. This change gets that down to nothing in favor of using our
1823         existing JSStringBuilder and HexNumber.h facilities.
1824
1825         These APIs are well-exercised by our existing test suite.
1826
1827         * runtime/JSGlobalObjectFunctions.cpp:
1828         (JSC::encode):
1829         (JSC::globalFuncEscape):
1830
1831 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
1832
1833         documentation for ES Promises points to the wrong one
1834         https://bugs.webkit.org/show_bug.cgi?id=143263
1835
1836         Reviewed by Darin Adler.
1837
1838         * features.json:
1839
1840 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
1841
1842         Remove "go ahead and" from comments
1843         https://bugs.webkit.org/show_bug.cgi?id=143421
1844
1845         Reviewed by Darin Adler, Benjamin Poulain.
1846
1847         Remove the phrase "go ahead and" from comments where it doesn't add
1848         anything (which is almost all of them).
1849
1850         * interpreter/JSStack.cpp:
1851         (JSC::JSStack::growSlowCase):
1852
1853 2015-04-04  Andreas Kling  <akling@apple.com>
1854
1855         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1856         <https://webkit.org/b/143210>
1857
1858         Reviewed by Geoffrey Garen.
1859
1860         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1861         we had a little problem where WeakBlocks with only null pointers would still keep their
1862         MarkedBlock alive.
1863
1864         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1865         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1866         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1867         destroying them once they're fully dead.
1868
1869         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1870         a mysterious issue where doing two full garbage collections back-to-back would free additional
1871         memory in the second collection.
1872
1873         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1874         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1875         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1876
1877         * heap/Heap.h:
1878         * heap/Heap.cpp:
1879         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1880         owned by Heap, after everything else has been swept.
1881
1882         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1883         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1884         they are unlikely to cause entire WeakBlocks to go empty.
1885
1886         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1887         to the Heap when it's detached from a WeakSet.
1888
1889         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1890         of the logically empty WeakBlocks owned by Heap.
1891
1892         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1893         and updates the next-logically-empty-weak-block-to-sweep index.
1894
1895         (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
1896         won't be another chance after this.
1897
1898         * heap/IncrementalSweeper.h:
1899         (JSC::IncrementalSweeper::hasWork): Deleted.
1900
1901         * heap/IncrementalSweeper.cpp:
1902         (JSC::IncrementalSweeper::fullSweep):
1903         (JSC::IncrementalSweeper::doSweep):
1904         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1905         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1906         changed to return a bool (true if there's more work to be done.)
1907
1908         * heap/WeakBlock.cpp:
1909         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1910         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1911
1912         * heap/WeakBlock.h:
1913         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1914         if the WeakBlock could be detached from the MarkedBlock.
1915
1916         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1917         when declaring them.
1918
1919 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1920
1921         Implement ES6 Object.getOwnPropertySymbols
1922         https://bugs.webkit.org/show_bug.cgi?id=141106
1923
1924         Reviewed by Geoffrey Garen.
1925
1926         This patch implements `Object.getOwnPropertySymbols`.
1927         One technical issue is that, since we use private symbols (such as `@Object`) in the
1928         privileged JS code in `builtins/`, they should not be exposed.
1929         To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
1930         before adding it into PropertyNameArray.
1931
1932         To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`
1933         since all private symbols are held in this map.
1934
1935         * builtins/BuiltinExecutables.cpp:
1936         (JSC::BuiltinExecutables::createExecutableInternal):
1937         * builtins/BuiltinNames.h:
1938         (JSC::BuiltinNames::isPrivateName):
1939         * runtime/CommonIdentifiers.cpp:
1940         (JSC::CommonIdentifiers::isPrivateName):
1941         * runtime/CommonIdentifiers.h:
1942         * runtime/EnumerationMode.h:
1943         (JSC::EnumerationMode::EnumerationMode):
1944         (JSC::EnumerationMode::includeSymbolProperties):
1945         * runtime/ExceptionHelpers.cpp:
1946         (JSC::createUndefinedVariableError):
1947         * runtime/JSGlobalObject.cpp:
1948         (JSC::JSGlobalObject::init):
1949         * runtime/JSLexicalEnvironment.cpp:
1950         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1951         * runtime/JSSymbolTableObject.cpp:
1952         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1953         * runtime/ObjectConstructor.cpp:
1954         (JSC::ObjectConstructor::finishCreation):
1955         (JSC::objectConstructorGetOwnPropertySymbols):
1956         (JSC::defineProperties):
1957         (JSC::objectConstructorSeal):
1958         (JSC::objectConstructorFreeze):
1959         (JSC::objectConstructorIsSealed):
1960         (JSC::objectConstructorIsFrozen):
1961         * runtime/ObjectConstructor.h:
1962         (JSC::ObjectConstructor::create):
1963         * runtime/Structure.cpp:
1964         (JSC::Structure::getPropertyNamesFromStructure):
1965         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
1966         (compare):
1967         * tests/stress/object-get-own-property-symbols.js: Added.
1968         (forIn):
1969         * tests/stress/symbol-define-property.js: Added.
1970         (testSymbol):
1971         * tests/stress/symbol-seal-and-freeze.js: Added.
1972         * tests/stress/symbol-with-json.js: Added.
1973
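The entry above describes how symbol-keyed properties are meant to behave across the enumeration and integrity APIs (getOwnPropertySymbols, for-in, JSON, defineProperty, seal/freeze, ToObject). The following is an added example written for this page, not JavaScriptCore's own code or its stress tests; every name in it is made up for the demonstration. It runs in any ES2015+ engine.

```javascript
// Added example, not JavaScriptCore's own code or test files: exercises the
// user-visible behaviour the entry describes. All names here are made up
// for the demonstration.
const secret = Symbol("secret");
const hidden = Symbol("hidden");

function buildSample() {
  const obj = { visible: 1 };
  obj[secret] = "symbol-keyed";
  // Symbol keys take property descriptors like any other key.
  Object.defineProperty(obj, hidden, {
    value: 42, writable: false, enumerable: false, configurable: false,
  });
  return obj;
}

// What each enumeration API reports for the same object.
function enumerationReport(obj) {
  const forInKeys = [];
  for (const key in obj) forInKeys.push(key);
  return {
    forIn: forInKeys,                           // string keys only
    keys: Object.keys(obj),                     // string keys only
    names: Object.getOwnPropertyNames(obj),     // string keys only
    symbols: Object.getOwnPropertySymbols(obj), // symbols, even non-enumerable
    json: JSON.stringify(obj),                  // symbol-keyed entries dropped
  };
}

// Integrity checks must look at symbol-keyed properties too: a sealed
// object whose symbol property is still writable is sealed but not frozen.
function integrityReport() {
  const obj = { a: 1 };
  obj[secret] = "writable";
  Object.seal(obj);
  const sealedNotFrozen = Object.isSealed(obj) && !Object.isFrozen(obj);
  Object.freeze(obj);
  const desc = Object.getOwnPropertyDescriptor(obj, secret);
  return {
    sealedNotFrozen,
    frozen: Object.isFrozen(obj),
    symbolWritableAfterFreeze: desc.writable,
  };
}

// getOwnPropertySymbols performs ToObject: primitives are boxed and yield
// an empty list, while null and undefined throw a TypeError.
function symbolsOf(value) {
  try {
    return { symbols: Object.getOwnPropertySymbols(value), error: null };
  } catch (e) {
    return { symbols: null, error: e.constructor.name };
  }
}

console.log(enumerationReport(buildSample()));
console.log(integrityReport());
console.log(symbolsOf("str"), symbolsOf(null));
```

The point of `integrityReport` is the one the symbol-seal-and-freeze test guards: if Object.isFrozen only walked string keys, the sealed object with a writable symbol property would wrongly report as frozen.
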
1974 2015-04-03  Mark Lam  <mark.lam@apple.com>
1975
1976         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
1977         <https://webkit.org/b/143385>
1978
1979         Reviewed by Geoffrey Garen.
1980
1981         For debugging purposes, sometimes, we want to be able to make compilation happen
1982         sooner to see if we can accelerate the manifestation of certain events / bugs.
1983         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
1984         which make up the compilation policy.  Let's add a single knob that can tune all
1985         the thresholds up / down in one go proportionately so that we can easily tweak
1986         how soon compilation occurs.
1987
1988         * runtime/Options.cpp:
1989         (JSC::scaleJITPolicy):
1990         (JSC::recomputeDependentOptions):
1991         * runtime/Options.h:
1992
1993 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
1994
1995         is* API methods should be @properties
1996         https://bugs.webkit.org/show_bug.cgi?id=143388
1997
1998         Reviewed by Mark Lam.
1999
2000         This appears to be the preferred idiom in WebKit, CA, AppKit, and
2001         Foundation.
2002
2003         * API/JSValue.h: Be @properties.
2004
2005         * API/tests/testapi.mm:
2006         (testObjectiveCAPI): Use the @properties.
2007
2008 2015-04-03  Mark Lam  <mark.lam@apple.com>
2009
2010         Some JSC Options refactoring and enhancements.
2011         <https://webkit.org/b/143384>
2012
2013         Rubber stamped by Benjamin Poulain.
2014
2015         Create a better encapsulated Option class to make working with options easier.  This
2016         is a building block towards a JIT policy scaling debugging option I will introduce later.
2017
2018         This work entails:
2019         1. Convert Options::Option into a public class Option (which works closely with Options).
2020         2. Convert Options::EntryType into an enum class Options::Type and make it public.
2021         3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
2022         4. Add misc methods to class Option to make it more usable.
2023
2024         * runtime/Options.cpp:
2025         (JSC::Options::dumpOption):
2026         (JSC::Option::dump):
2027         (JSC::Option::operator==):
2028         (JSC::Options::Option::dump): Deleted.
2029         (JSC::Options::Option::operator==): Deleted.
2030         * runtime/Options.h:
2031         (JSC::Option::Option):
2032         (JSC::Option::operator!=):
2033         (JSC::Option::name):
2034         (JSC::Option::description):
2035         (JSC::Option::type):
2036         (JSC::Option::isOverridden):
2037         (JSC::Option::defaultOption):
2038         (JSC::Option::boolVal):
2039         (JSC::Option::unsignedVal):
2040         (JSC::Option::doubleVal):
2041         (JSC::Option::int32Val):
2042         (JSC::Option::optionRangeVal):
2043         (JSC::Option::optionStringVal):
2044         (JSC::Option::gcLogLevelVal):
2045         (JSC::Options::Option::Option): Deleted.
2046         (JSC::Options::Option::operator!=): Deleted.
2047
2048 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2049
2050         JavaScriptCore API should support type checking for Array and Date
2051         https://bugs.webkit.org/show_bug.cgi?id=143324
2052
2053         Follow-up to address a comment by Dan.
2054
2055         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
2056         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
2057         is equal to 101100.
2058
2059 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2060
2061         JavaScriptCore API should support type checking for Array and Date
2062         https://bugs.webkit.org/show_bug.cgi?id=143324
2063
2064         Follow-up to address a comment by Dan.
2065
2066         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
2067         Added a comment explaining why.
2068
2069 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
2070
2071         FTL JIT tests should fail if LLVM library isn't available
2072         https://bugs.webkit.org/show_bug.cgi?id=143374
2073
2074         Reviewed by Mark Lam.
2075
2076         * dfg/DFGPlan.cpp:
2077         (JSC::DFG::Plan::compileInThreadImpl):
2078         * runtime/Options.h:
2079
2080 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2081
2082         Fix the EFL and GTK build after r182243
2083         https://bugs.webkit.org/show_bug.cgi?id=143361
2084
2085         Reviewed by Csaba Osztrogonác.
2086
2087         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
2088         DerivedSources/JavaScriptCore/inspector/ directory.
2089
2090 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2091
2092         Unreviewed, fixing Clang builds of the GTK port on Linux.
2093
2094         * runtime/Options.cpp:
2095         Include the <math.h> header for isnan().
2096
2097 2015-04-02  Mark Lam  <mark.lam@apple.com>
2098
2099         Enhance ability to dump JSC Options.
2100         <https://webkit.org/b/143357>
2101
2102         Reviewed by Benjamin Poulain.
2103
2104         Some enhancements to how the JSC options work:
2105
2106         1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
2107            2 = All, 3 = Verbose.
2108
2109            The default is 0 (None).  This dumps nothing.
2110            With the Overridden setting, at VM initialization time, we will dump all
2111            option values that have been changed from their default.
2112            With the All setting, at VM initialization time, we will dump all option values.
2113            With the Verbose setting, at VM initialization time, we will dump all option
2114            values along with their descriptions (if available).
2115
2116         2. We now store a copy of the default option values.
2117
2118            We later use this for comparison to tell if an option has been overridden, and
2119            print the default value for reference.  As a result, we no longer need the
2120            didOverride flag since we can compute whether the option is overridden at any time.
2121
2122         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
2123
2124            This will come in handy later when we want to rename some of the options to more sane
2125            names that are easier to remember.  For example, we can change
2126            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
2127            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
2128            of the description, we can afford to use shorter and less descriptive option names,
2129            but they will be easier to remember and use for day to day debugging work.
2130
2131            In this patch, I did not change the names of any of the options yet.  I only added
2132            description strings for options that I know about, and where I think the option name
2133            isn't already descriptive enough.
2134
2135         4. Also deleted some unused code.
2136
2137         * jsc.cpp:
2138         (CommandLine::parseArguments):
2139         * runtime/Options.cpp:
2140         (JSC::Options::initialize):
2141         (JSC::Options::setOption):
2142         (JSC::Options::dumpAllOptions):
2143         (JSC::Options::dumpOption):
2144         (JSC::Options::Option::dump):
2145         (JSC::Options::Option::operator==):
2146         * runtime/Options.h:
2147         (JSC::OptionRange::rangeString):
2148         (JSC::Options::Option::Option):
2149         (JSC::Options::Option::operator!=):
2150
2151 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
2152
2153         JavaScriptCore API should support type checking for Array and Date
2154         https://bugs.webkit.org/show_bug.cgi?id=143324
2155
2156         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
2157
2158         * API/JSValue.h:
2159         * API/JSValue.mm:
2160         (-[JSValue isArray]):
2161         (-[JSValue isDate]): Added an ObjC API.
2162
2163         * API/JSValueRef.cpp:
2164         (JSValueIsArray):
2165         (JSValueIsDate):
2166         * API/JSValueRef.h: Added a C API.
2167
2168         * API/WebKitAvailability.h: Brought our availability macros up to date
2169         and fixed a harmless bug where "10_10" translated to "10.0".
2170
2171         * API/tests/testapi.c:
2172         (main): Added a test and corrected a pre-existing leak.
2173
2174         * API/tests/testapi.mm:
2175         (testObjectiveCAPI): Added a test.
2176
2177 2015-04-02  Mark Lam  <mark.lam@apple.com>
2178
2179         Add Options::dumpSourceAtDFGTime().
2180         <https://webkit.org/b/143349>
2181
2182         Reviewed by Oliver Hunt, and Michael Saboff.
2183
2184         Sometimes, we will want to see the JS source code that we're compiling, and it
2185         would be nice to be able to do this without having to jump thru a lot of hoops.
2186         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
2187         Options::dumpBytecodeAtDFGTime() option.
2188
2189         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
2190         that explicitly take no arguments (instead of relying on the version that takes
2191         the default argument).  These versions are friendlier to use when we want to call
2192         them from an interactive debugging session.
2193
2194         * bytecode/CodeBlock.cpp:
2195         (JSC::CodeBlock::dumpSource):
2196         (JSC::CodeBlock::dumpBytecode):
2197         * bytecode/CodeBlock.h:
2198         * dfg/DFGByteCodeParser.cpp:
2199         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2200         * runtime/Options.h:
2201
2202 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2203
2204         Clean up EnumerationMode to easily extend
2205         https://bugs.webkit.org/show_bug.cgi?id=143276
2206
2207         Reviewed by Geoffrey Garen.
2208
2209         To make the following easy:
2210         1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
2211         2. Making ExcludeSymbols implicitly the default for the existing flags
2212         we encapsulate the EnumerationMode flags into an EnumerationMode class.
2213
2214         And this class manages 2 flags. Later it will be extended to 3.
2215         1. DontEnumPropertiesMode (default is Exclude)
2216         2. JSObjectPropertiesMode (default is Include)
2217         3. SymbolPropertiesMode (default is Exclude)
2218             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
2219
2220         This patch replaces places using ExcludeDontEnumProperties
2221         with the EnumerationMode() value which represents the default mode.
2222
2223         * API/JSCallbackObjectFunctions.h:
2224         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2225         * API/JSObjectRef.cpp:
2226         (JSObjectCopyPropertyNames):
2227         * bindings/ScriptValue.cpp:
2228         (Deprecated::jsToInspectorValue):
2229         * bytecode/ObjectAllocationProfile.h:
2230         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2231         * runtime/ArrayPrototype.cpp:
2232         (JSC::arrayProtoFuncSort):
2233         * runtime/EnumerationMode.h:
2234         (JSC::EnumerationMode::EnumerationMode):
2235         (JSC::EnumerationMode::includeDontEnumProperties):
2236         (JSC::EnumerationMode::includeJSObjectProperties):
2237         (JSC::shouldIncludeDontEnumProperties): Deleted.
2238         (JSC::shouldExcludeDontEnumProperties): Deleted.
2239         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
2240         (JSC::modeThatSkipsJSObject): Deleted.
2241         * runtime/GenericArgumentsInlines.h:
2242         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2243         * runtime/JSArray.cpp:
2244         (JSC::JSArray::getOwnNonIndexPropertyNames):
2245         * runtime/JSArrayBuffer.cpp:
2246         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2247         * runtime/JSArrayBufferView.cpp:
2248         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2249         * runtime/JSFunction.cpp:
2250         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2251         * runtime/JSFunction.h:
2252         * runtime/JSGenericTypedArrayViewInlines.h:
2253         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
2254         * runtime/JSLexicalEnvironment.cpp:
2255         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2256         * runtime/JSONObject.cpp:
2257         (JSC::Stringifier::Holder::appendNextProperty):
2258         (JSC::Walker::walk):
2259         * runtime/JSObject.cpp:
2260         (JSC::getClassPropertyNames):
2261         (JSC::JSObject::getOwnPropertyNames):
2262         (JSC::JSObject::getOwnNonIndexPropertyNames):
2263         (JSC::JSObject::getGenericPropertyNames):
2264         * runtime/JSPropertyNameEnumerator.h:
2265         (JSC::propertyNameEnumerator):
2266         * runtime/JSSymbolTableObject.cpp:
2267         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2268         * runtime/ObjectConstructor.cpp:
2269         (JSC::objectConstructorGetOwnPropertyNames):
2270         (JSC::objectConstructorKeys):
2271         (JSC::defineProperties):
2272         (JSC::objectConstructorSeal):
2273         (JSC::objectConstructorFreeze):
2274         (JSC::objectConstructorIsSealed):
2275         (JSC::objectConstructorIsFrozen):
2276         * runtime/RegExpObject.cpp:
2277         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2278         (JSC::RegExpObject::getPropertyNames):
2279         (JSC::RegExpObject::getGenericPropertyNames):
2280         * runtime/StringObject.cpp:
2281         (JSC::StringObject::getOwnPropertyNames):
2282         * runtime/Structure.cpp:
2283         (JSC::Structure::getPropertyNamesFromStructure):
2284
2285 2015-04-01  Alex Christensen  <achristensen@webkit.org>
2286
2287         Progress towards CMake on Windows and Mac.
2288         https://bugs.webkit.org/show_bug.cgi?id=143293
2289
2290         Reviewed by Filip Pizlo.
2291
2292         * CMakeLists.txt:
2293         Enabled using assembly on Windows.
2294         Replaced unix commands with CMake commands.
2295         * PlatformMac.cmake:
2296         Tell open source builders where to find unicode headers.
2297
2298 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2299
2300         IteratorClose should be called when jumping over the target for-of loop
2301         https://bugs.webkit.org/show_bug.cgi?id=143140
2302
2303         Reviewed by Geoffrey Garen.
2304
2305         This patch fixes labeled break/continue behaviors with for-of and iterators.
2306
2307         1. Support IteratorClose beyond multiple loop contexts
2308         Previously, IteratorClose was only executed in for-of's breakTarget().
2309         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
2310         For example,
2311         outer: for (var e1 of outer) {
2312             inner: for (var e2 of inner) {
2313                 break outer;
2314             }
2315         }
2316         In this case, the return method of inner should be called.
2317         We leverage the existing system for `finally` to execute the inner.return method correctly.
2318         Leveraging the `finally` system fixes the `break`, `continue` and `return` cases.
2319         The `throw` case is already supported by emitting try-catch handlers in for-of.
2320
2321         2. Incorrect LabelScope creation is done in ForOfNode
2322         ForOfNode creates a duplicated LabelScope.
2323         It causes an infinite loop when executing the following program that contains
2324         explicitly labeled for-of loop.
2325         For example,
2326         inner: for (var elm of array) {
2327             continue inner;
2328         }
2329
2330         * bytecompiler/BytecodeGenerator.cpp:
2331         (JSC::BytecodeGenerator::pushFinallyContext):
2332         (JSC::BytecodeGenerator::pushIteratorCloseContext):
2333         (JSC::BytecodeGenerator::popFinallyContext):
2334         (JSC::BytecodeGenerator::popIteratorCloseContext):
2335         (JSC::BytecodeGenerator::emitComplexPopScopes):
2336         (JSC::BytecodeGenerator::emitEnumeration):
2337         (JSC::BytecodeGenerator::emitIteratorClose):
2338         * bytecompiler/BytecodeGenerator.h:
2339         * bytecompiler/NodesCodegen.cpp:
2340         (JSC::ForOfNode::emitBytecode):
2341         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
2342         (createIterator.iterator.return):
2343         (createIterator):
2344         * tests/stress/raise-error-in-iterator-close.js: Added.
2345         (createIterator.iterator.return):
2346         (createIterator):
2347
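The two behaviours in the entry above (IteratorClose on a labeled break or continue that leaves several for-of loops at once, and a labeled continue on the for-of itself not re-running the loop) are easiest to see with an iterable whose return() records when it is called. The following is an added example for this page, not JavaScriptCore's own code or its stress tests; the helper and its names are made up. It runs in any ES2015+ engine.

```javascript
// Added example, not JavaScriptCore's own code or tests: a closeable
// iterable whose return() logs that it was called, driven through the
// labeled break/continue shapes the entry describes. Names are made up.
function makeCloseable(name, values, log) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          return i < values.length
            ? { value: values[i++], done: false }
            : { value: undefined, done: true };
        },
        // Invoked by IteratorClose on early exit (break/continue/return/throw),
        // never when the iterator is simply exhausted.
        return() {
          log.push(`close:${name}`);
          return { done: true };
        },
      };
    },
  };
}

// Case 1: `break outer` from the inner loop must close BOTH iterators,
// innermost first.
function breakOuter() {
  const log = [];
  outer: for (const a of makeCloseable("outer", [1, 2], log)) {
    for (const b of makeCloseable("inner", [10, 20], log)) {
      log.push(`visit:${a},${b}`);
      break outer;
    }
  }
  return log;
}

// Case 2: `continue outer` closes only the inner iterator, once per outer
// step; the outer iterator runs to exhaustion and is not closed.
function continueOuter() {
  const log = [];
  outer: for (const a of makeCloseable("outer", [1, 2], log)) {
    for (const b of makeCloseable("inner", [10, 20], log)) {
      log.push(`visit:${a},${b}`);
      continue outer;
    }
  }
  return log;
}

// Case 3: a labeled `continue` on the loop itself must advance the
// iterator, not re-enter the body with the same element (the duplicated
// LabelScope bug). The guard turns a regression into an error, not a hang.
function continueSelf() {
  const log = [];
  let guard = 0;
  inner: for (const v of makeCloseable("self", [1, 2, 3], log)) {
    if (++guard > 10) throw new Error("runaway loop");
    log.push(`visit:${v}`);
    continue inner;
  }
  return log;
}

// Case 4: `return` from inside the loop also triggers IteratorClose.
function returnFromLoop() {
  const log = [];
  function find() {
    for (const v of makeCloseable("ret", [1, 2, 3], log)) {
      if (v === 2) return v;
    }
    return null;
  }
  return { found: find(), log };
}

console.log(breakOuter(), continueOuter(), continueSelf(), returnFromLoop());
```

The order in breakOuter (inner closed before outer) is the unwind order the `finally` mechanism in the entry produces: each for-of's close runs as control leaves that loop's context.
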
2348 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2349
2350         [ES6] Implement Symbol.unscopables
2351         https://bugs.webkit.org/show_bug.cgi?id=142829
2352
2353         Reviewed by Geoffrey Garen.
2354
2355         This patch introduces Symbol.unscopables functionality.
2356         In ES6, some generic names (like keys, values) are introduced
2357         as Array method names. And this breaks the web since some web sites
2358         use code like the following.
2359
2360         var values = ...;
2361         with (array) {
2362             values;  // This values is trapped by array's method "values".
2363         }
2364
2365         To fix this, Symbol.unscopables introduces a blacklist
2366         for with scope's trapping. When resolving a scope,
2367         if name is found in the target scope and the target scope is with scope,
2368         we check Symbol.unscopables object to filter generic names.
2369
2370         This functionality is only active for with scopes.
2371         The global scope does not have unscopables functionality.
2372
2373         And since
2374         1) op_resolve_scope for with scope always returns the Dynamic resolve type,
2375         2) in that case, JSScope::resolve is always used in the JIT and LLInt,
2376         3) the code which contains an op_resolve_scope that returns Dynamic cannot be compiled with the DFG and FTL,
2377         to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
2378         So the performance regression is only visible in the Dynamic resolving case, and that is already very slow.
2379
2380         * runtime/ArrayPrototype.cpp:
2381         (JSC::ArrayPrototype::finishCreation):
2382         * runtime/CommonIdentifiers.h:
2383         * runtime/JSGlobalObject.h:
2384         (JSC::JSGlobalObject::runtimeFlags):
2385         * runtime/JSScope.cpp:
2386         (JSC::isUnscopable):
2387         (JSC::JSScope::resolve):
2388         * runtime/JSScope.h:
2389         (JSC::ScopeChainIterator::scope):
2390         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
2391         (test):
2392         * tests/stress/unscopables.js: Added.
2393         (test):
2394         (.):
2395
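The `with (array) { values; }` breakage in the entry above, and the @@unscopables fix for it, can be reproduced from script. The following is an added example for this page, not JavaScriptCore's own code or its stress tests. Because `with` is a syntax error in strict code (and therefore in modules), the with-block is built with the Function constructor, which always produces sloppy-mode code; all other names are made up for the demonstration.

```javascript
// Added example, not JavaScriptCore's own code or tests. `with` is a
// syntax error in strict code, so the with-block is built with the
// Function constructor, which always yields a sloppy-mode function.
// `values` is a free name inside the block; it is also the second
// parameter, so lookup falls back to it when the with-object declines.
const readValues = new Function(
  "scope", "values",
  "with (scope) { return values; }"
);

function lookupThroughWith(scope) {
  return readValues(scope, "outer-values");
}

// Array.prototype ships an @@unscopables object (null prototype) listing
// the ES6 generic names that `with` must not trap.
function arrayUnscopables() {
  const list = Array.prototype[Symbol.unscopables];
  return {
    hasNullPrototype: Object.getPrototypeOf(list) === null,
    hidesValues: list.values === true,
    hidesKeys: list.keys === true,
  };
}

// A plain object with a `values` property captures the name. After the
// object gains an @@unscopables entry for it, the lookup skips the
// with-object and resolves to the enclosing scope instead.
function objectCaptures() {
  const obj = { values: "trapped" };
  const before = lookupThroughWith(obj);
  obj[Symbol.unscopables] = { values: true };
  const after = lookupThroughWith(obj);
  return { before, after };
}

// An array instance inherits Array.prototype.values AND the blacklist, so
// `values` inside `with (array)` is not trapped by the method.
function arrayInstance() {
  return lookupThroughWith([1, 2, 3]);
}

console.log(arrayUnscopables(), objectCaptures(), arrayInstance());
```

Only object environment records created by `with` consult @@unscopables; as the entry notes, the global scope does not, so placing an @@unscopables property on the global object changes nothing.
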
2396 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
2397
2398         ES6 class syntax should allow static setters and getters
2399         https://bugs.webkit.org/show_bug.cgi?id=143180
2400
2401         Reviewed by Filip Pizlo.
2402
2403         Apparently I misread the spec when I initially implemented parseClass.
2404         ES6 class syntax allows static getters and setters so just allow that.
2405
2406         * parser/Parser.cpp:
2407         (JSC::Parser<LexerType>::parseClass):
2408
2409 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
2410
2411         PutClosureVar CSE def() rule has a wrong base
2412         https://bugs.webkit.org/show_bug.cgi?id=143280
2413
2414         Reviewed by Michael Saboff.
2415         
2416         I think that this code was incorrect in a benign way, since the base of a
2417         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
2418
2419         * dfg/DFGClobberize.h:
2420         (JSC::DFG::clobberize):
2421
2422 2015-03-31  Commit Queue  <commit-queue@webkit.org>
2423
2424         Unreviewed, rolling out r182200.
2425         https://bugs.webkit.org/show_bug.cgi?id=143279
2426
2427         Probably causing assertion extravaganza on bots. (Requested by
2428         kling on #webkit).
2429
2430         Reverted changeset:
2431
2432         "Logically empty WeakBlocks should not pin down their
2433         MarkedBlocks indefinitely."
2434         https://bugs.webkit.org/show_bug.cgi?id=143210
2435         http://trac.webkit.org/changeset/182200
2436
2437 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2438
2439         Clean up Identifier factories to clarify the meaning of StringImpl*
2440         https://bugs.webkit.org/show_bug.cgi?id=143146
2441
2442         Reviewed by Filip Pizlo.
2443
2444         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
2445         However, it's ambiguous because `StringImpl*` has 2 different meanings:
2446         1) a normal string, which is replaceable with `WTFString`, and
2447         2) a `uid`, which holds `isSymbol` information to represent Symbols.
2448         So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
2449         + `Identifier::fromString(VM*/ExecState*, const String&)`.
2450         Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
2451         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
2452         This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.
2453
2454         And to clean up `StringImpl` which is used as uid,
2455         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
2456         1. StringNormal (non-atomic, non-symbol)
2457         2. StringAtomic (atomic, non-symbol)
2458         3. StringSymbol (non-atomic, symbol)
2459         They are mutually exclusive. And the (atomic, symbol) case should not exist.
2460
2461         * API/JSCallbackObjectFunctions.h:
2462         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2463         * API/JSObjectRef.cpp:
2464         (JSObjectMakeFunction):
2465         * API/OpaqueJSString.cpp:
2466         (OpaqueJSString::identifier):
2467         * bindings/ScriptFunctionCall.cpp:
2468         (Deprecated::ScriptFunctionCall::call):
2469         * builtins/BuiltinExecutables.cpp:
2470         (JSC::BuiltinExecutables::createExecutableInternal):
2471         * builtins/BuiltinNames.h:
2472         (JSC::BuiltinNames::BuiltinNames):
2473         * bytecompiler/BytecodeGenerator.cpp:
2474         (JSC::BytecodeGenerator::BytecodeGenerator):
2475         (JSC::BytecodeGenerator::emitThrowReferenceError):
2476         (JSC::BytecodeGenerator::emitThrowTypeError):
2477         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
2478         (JSC::BytecodeGenerator::emitEnumeration):
2479         * dfg/DFGDesiredIdentifiers.cpp:
2480         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2481         * inspector/JSInjectedScriptHost.cpp:
2482         (Inspector::JSInjectedScriptHost::functionDetails):
2483         (Inspector::constructInternalProperty):
2484         (Inspector::JSInjectedScriptHost::weakMapEntries):
2485         (Inspector::JSInjectedScriptHost::iteratorEntries):
2486         * inspector/JSInjectedScriptHostPrototype.cpp:
2487         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2488         * inspector/JSJavaScriptCallFramePrototype.cpp:
2489         * inspector/ScriptCallStackFactory.cpp:
2490         (Inspector::extractSourceInformationFromException):
2491         * jit/JITOperations.cpp:
2492         * jsc.cpp:
2493         (GlobalObject::finishCreation):
2494         (GlobalObject::addFunction):
2495         (GlobalObject::addConstructableFunction):
2496         (functionRun):
2497         (runWithScripts):
2498         * llint/LLIntData.cpp:
2499         (JSC::LLInt::Data::performAssertions):
2500         * llint/LowLevelInterpreter.asm:
2501         * parser/ASTBuilder.h:
2502         (JSC::ASTBuilder::addVar):
2503         * parser/Parser.cpp:
2504         (JSC::Parser<LexerType>::parseInner):
2505         (JSC::Parser<LexerType>::createBindingPattern):
2506         * parser/ParserArena.h:
2507         (JSC::IdentifierArena::makeIdentifier):
2508         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
2509         (JSC::IdentifierArena::makeNumericIdentifier):
2510         * runtime/ArgumentsIteratorPrototype.cpp:
2511         (JSC::ArgumentsIteratorPrototype::finishCreation):
2512         * runtime/ArrayIteratorPrototype.cpp:
2513         (JSC::ArrayIteratorPrototype::finishCreation):
2514         * runtime/ArrayPrototype.cpp:
2515         (JSC::ArrayPrototype::finishCreation):
2516         (JSC::arrayProtoFuncPush):
2517         * runtime/ClonedArguments.cpp:
2518         (JSC::ClonedArguments::getOwnPropertySlot):
2519         * runtime/CommonIdentifiers.cpp:
2520         (JSC::CommonIdentifiers::CommonIdentifiers):
2521         * runtime/CommonIdentifiers.h:
2522         * runtime/Error.cpp:
2523         (JSC::addErrorInfo):
2524         (JSC::hasErrorInfo):
2525         * runtime/ExceptionHelpers.cpp:
2526         (JSC::createUndefinedVariableError):
2527         * runtime/GenericArgumentsInlines.h:
2528         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2529         * runtime/Identifier.h:
2530         (JSC::Identifier::isSymbol):
2531         (JSC::Identifier::Identifier):
2532         (JSC::Identifier::from): Deleted.
2533         * runtime/IdentifierInlines.h:
2534         (JSC::Identifier::Identifier):
2535         (JSC::Identifier::fromUid):
2536         (JSC::Identifier::fromString):
2537         * runtime/JSCJSValue.cpp:
2538         (JSC::JSValue::dumpInContextAssumingStructure):
2539         * runtime/JSCJSValueInlines.h:
2540         (JSC::JSValue::toPropertyKey):
2541         * runtime/JSGlobalObject.cpp:
2542         (JSC::JSGlobalObject::init):
2543         * runtime/JSLexicalEnvironment.cpp:
2544         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2545         * runtime/JSObject.cpp:
2546         (JSC::getClassPropertyNames):
2547         (JSC::JSObject::reifyStaticFunctionsForDelete):
2548         * runtime/JSObject.h:
2549         (JSC::makeIdentifier):
2550         * runtime/JSPromiseConstructor.cpp:
2551         (JSC::JSPromiseConstructorFuncRace):
2552         (JSC::JSPromiseConstructorFuncAll):
2553         * runtime/JSString.h:
2554         (JSC::JSString::toIdentifier):
2555         * runtime/JSSymbolTableObject.cpp:
2556         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2557         * runtime/LiteralParser.cpp:
2558         (JSC::LiteralParser<CharType>::tryJSONPParse):
2559         (JSC::LiteralParser<CharType>::makeIdentifier):
2560         * runtime/Lookup.h:
2561         (JSC::reifyStaticProperties):
2562         * runtime/MapConstructor.cpp:
2563         (JSC::constructMap):
2564         * runtime/MapIteratorPrototype.cpp:
2565         (JSC::MapIteratorPrototype::finishCreation):
2566         * runtime/MapPrototype.cpp:
2567         (JSC::MapPrototype::finishCreation):
2568         * runtime/MathObject.cpp:
2569         (JSC::MathObject::finishCreation):
2570         * runtime/NumberConstructor.cpp:
2571         (JSC::NumberConstructor::finishCreation):
2572         * runtime/ObjectConstructor.cpp:
2573         (JSC::ObjectConstructor::finishCreation):
2574         * runtime/PrivateName.h:
2575         (JSC::PrivateName::PrivateName):
2576         * runtime/PropertyMapHashTable.h:
2577         (JSC::PropertyTable::find):
2578         (JSC::PropertyTable::get):
2579         * runtime/PropertyName.h:
2580         (JSC::PropertyName::PropertyName):
2581         (JSC::PropertyName::publicName):
2582         (JSC::PropertyName::asIndex):
2583         * runtime/PropertyNameArray.cpp:
2584         (JSC::PropertyNameArray::add):
2585         * runtime/PropertyNameArray.h:
2586         (JSC::PropertyNameArray::addKnownUnique):
2587         * runtime/RegExpConstructor.cpp:
2588         (JSC::RegExpConstructor::finishCreation):
2589         * runtime/SetConstructor.cpp:
2590         (JSC::constructSet):
2591         * runtime/SetIteratorPrototype.cpp:
2592         (JSC::SetIteratorPrototype::finishCreation):
2593         * runtime/SetPrototype.cpp:
2594         (JSC::SetPrototype::finishCreation):
2595         * runtime/StringIteratorPrototype.cpp:
2596         (JSC::StringIteratorPrototype::finishCreation):
2597         * runtime/StringPrototype.cpp:
2598         (JSC::StringPrototype::finishCreation):
2599         * runtime/Structure.cpp:
2600         (JSC::Structure::getPropertyNamesFromStructure):
2601         * runtime/SymbolConstructor.cpp:
2602         * runtime/VM.cpp:
2603         (JSC::VM::throwException):
2604         * runtime/WeakMapConstructor.cpp:
2605         (JSC::constructWeakMap):
2606
2607 2015-03-31  Andreas Kling  <akling@apple.com>
2608
2609         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
2610         <https://webkit.org/b/143210>
2611
2612         Reviewed by Geoffrey Garen.
2613
2614         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
2615         we had a little problem where WeakBlocks with only null pointers would still keep their
2616         MarkedBlock alive.
2617
2618         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
2619         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
2620         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
2621         destroying them once they're fully dead.
2622
2623         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
2624         a mysterious issue where doing two full garbage collections back-to-back would free additional
2625         memory in the second collection.
2626
2627         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
2628         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
2629         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
2630
2631         * heap/Heap.h:
2632         * heap/Heap.cpp:
2633         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
2634         owned by Heap, after everything else has been swept.
2635
2636         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
2637         after a full garbage collection ends. Note that we don't do this after Eden collections, since
2638         they are unlikely to cause entire WeakBlocks to go empty.
2639
2640         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
2641         to the Heap when it's detached from a WeakSet.
2642
2643         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
2644         of the logically empty WeakBlocks owned by Heap.
2645
2646         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
2647         and updates the next-logically-empty-weak-block-to-sweep index.
2648
2649         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
2650         won't be another chance after this.
2651
2652         * heap/IncrementalSweeper.h:
2653         (JSC::IncrementalSweeper::hasWork): Deleted.
2654
2655         * heap/IncrementalSweeper.cpp:
2656         (JSC::IncrementalSweeper::fullSweep):
2657         (JSC::IncrementalSweeper::doSweep):
2658         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
2659         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
2660         changed to return a bool (true if there's more work to be done.)
2661
2662         * heap/WeakBlock.cpp:
2663         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
2664         contain any pointers to live objects. The answer is stored in a new SweepResult member.
2665
2666         * heap/WeakBlock.h:
2667         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
2668         if the WeakBlock could be detached from the MarkedBlock.
2669
2670         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
2671         when declaring them.
2672
2673 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
2674
2675         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
2676         https://bugs.webkit.org/show_bug.cgi?id=142883
2677
2678         Reviewed by Filip Pizlo.
2679
2680         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
2681
2682         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
2683         in eval inside a derived class' constructor.
2684
2685         * bytecode/EvalCodeCache.h:
2686         (JSC::EvalCodeCache::getSlow):
2687         * bytecompiler/NodesCodegen.cpp:
2688         (JSC::ThisNode::emitBytecode):
2689         * debugger/DebuggerCallFrame.cpp:
2690         (JSC::DebuggerCallFrame::evaluate):
2691         * interpreter/Interpreter.cpp:
2692         (JSC::eval):
2693         * parser/ASTBuilder.h:
2694         (JSC::ASTBuilder::thisExpr):
2695         * parser/NodeConstructors.h:
2696         (JSC::ThisNode::ThisNode):
2697         * parser/Nodes.h:
2698         * parser/Parser.cpp:
2699         (JSC::Parser<LexerType>::Parser):
2700         (JSC::Parser<LexerType>::parsePrimaryExpression):
2701         * parser/Parser.h:
2702         (JSC::parse):
2703         * parser/ParserModes.h:
2704         * parser/SyntaxChecker.h:
2705         (JSC::SyntaxChecker::thisExpr):
2706         * runtime/CodeCache.cpp:
2707         (JSC::CodeCache::getGlobalCodeBlock):
2708         (JSC::CodeCache::getProgramCodeBlock):
2709         (JSC::CodeCache::getEvalCodeBlock):
2710         * runtime/CodeCache.h:
2711         (JSC::SourceCodeKey::SourceCodeKey):
2712         * runtime/Executable.cpp:
2713         (JSC::EvalExecutable::create):
2714         * runtime/Executable.h:
2715         * runtime/JSGlobalObject.cpp:
2716         (JSC::JSGlobalObject::createEvalCodeBlock):
2717         * runtime/JSGlobalObject.h:
2718         * runtime/JSGlobalObjectFunctions.cpp:
2719         (JSC::globalFuncEval):
2720         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
2721         * tests/stress/class-syntax-tdz-in-eval.js: Added.
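
The behaviour this fix restores, as an added example (not part of the WebKit change): a direct eval inside a derived-class constructor must hit the same temporal dead zone for `this` as a literal `this` does before super() returns, while a base-class constructor has no such dead zone.

```javascript
// Added example (not WebKit code): observing the TDZ that eval() must respect
// inside a derived-class constructor.
class Base {
  constructor() {
    // In a base-class constructor `this` is initialised on entry, so a direct
    // eval can read it immediately (the "no-tdz-in-eval" case).
    this.viaEval = eval("typeof this");
  }
}

class Derived extends Base {
  constructor(probeBeforeSuper) {
    // Until super() returns, `this` is in its temporal dead zone. A direct eval
    // that touches `this` here must throw exactly like a literal `this` would.
    let before = null;
    if (probeBeforeSuper) {
      try {
        eval("this.foo");
        before = "read ok";
      } catch (e) {
        before = e.constructor.name; // "ReferenceError"
      }
    }
    super();
    this.before = before;
    this.after = eval("typeof this.viaEval"); // "string": the TDZ is over
  }
}

function probeThisInEval() {
  // Reference point: a literal `this` before super() in a derived constructor.
  const literal = (() => {
    try {
      new (class extends Base { constructor() { this.x = 1; super(); } })();
      return "read ok";
    } catch (e) {
      return e.constructor.name;
    }
  })();
  const d = new Derived(true);
  return {
    baseEval: new Base().viaEval,     // "object"
    literalThisBeforeSuper: literal,  // "ReferenceError"
    evalThisBeforeSuper: d.before,    // must match the literal case
    evalThisAfterSuper: d.after,      // "string"
  };
}
```

The interesting assertion is that `evalThisBeforeSuper` equals `literalThisBeforeSuper`: the parser flag described above exists precisely so that eval code cannot bypass the check the bytecode for a literal `this` already performs.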
2722
2723 2015-03-31  Commit Queue  <commit-queue@webkit.org>
2724
2725         Unreviewed, rolling out r182186.
2726         https://bugs.webkit.org/show_bug.cgi?id=143270
2727
2728         it crashes all the WebGL tests on the Debug bots (Requested by
2729         dino on #webkit).
2730
2731         Reverted changeset:
2732
2733         "Web Inspector: add 2D/WebGL canvas instrumentation
2734         infrastructure"
2735         https://bugs.webkit.org/show_bug.cgi?id=137278
2736         http://trac.webkit.org/changeset/182186
2737
2738 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2739
2740         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
2741         https://bugs.webkit.org/show_bug.cgi?id=142937
2742
2743         Reviewed by Darin Adler.
2744
2745         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
2746         In ES5 or prior, when the first parameter is not of object type, these functions raise a TypeError.
2747         But now, several functions perform ToObject on a non-object parameter,
2748         and others behave as if the parameter were a non-extensible ordinary object with no own properties.
2749         This is described in ES6 Annex E.
2750         The functions that differ from ES5 are the following.
2751
2752         1. An attempt is made to coerce the argument using ToObject.
2753             Object.getOwnPropertyDescriptor
2754             Object.getOwnPropertyNames
2755             Object.getPrototypeOf
2756             Object.keys
2757
2758         2. Treated as if it were a non-extensible ordinary object with no own properties.
2759             Object.freeze
2760             Object.isExtensible
2761             Object.isFrozen
2762             Object.isSealed
2763             Object.preventExtensions
2764             Object.seal
2765
2766         * runtime/ObjectConstructor.cpp:
2767         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2768         (JSC::objectConstructorGetPrototypeOf):
2769         (JSC::objectConstructorGetOwnPropertyDescriptor):
2770         (JSC::objectConstructorGetOwnPropertyNames):
2771         (JSC::objectConstructorKeys):
2772         (JSC::objectConstructorSeal):
2773         (JSC::objectConstructorFreeze):
2774         (JSC::objectConstructorPreventExtensions):
2775         (JSC::objectConstructorIsSealed):
2776         (JSC::objectConstructorIsFrozen):
2777         (JSC::objectConstructorIsExtensible):
2778         * tests/stress/object-freeze-accept-non-object.js: Added.
2779         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
2780         (canary):
2781         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
2782         (compare):
2783         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
2784         * tests/stress/object-is-extensible-accept-non-object.js: Added.
2785         * tests/stress/object-is-frozen-accept-non-object.js: Added.
2786         * tests/stress/object-is-sealed-accept-non-object.js: Added.
2787         * tests/stress/object-keys-perform-to-object.js: Added.
2788         (compare):
2789         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
2790         * tests/stress/object-seal-accept-non-object.js: Added.
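
The two groups listed above, exercised on primitives as an added example (not one of the WebKit stress tests): group 1 goes through ToObject, so a string reports the own properties of its String wrapper; group 2 treats the primitive as a frozen, empty, non-extensible object and returns the argument unchanged.

```javascript
// Added example (not WebKit code): ES6 behaviour of the Object.* functions
// listed above when given a primitive instead of an object.
function probeObjectFunctionsOnPrimitives() {
  const str = "ab";
  const num = 42;
  return {
    // Group 1: the argument is coerced with ToObject, so a string behaves like
    // its String wrapper (indexed own properties plus "length").
    keysOfString: Object.keys(str),                          // ["0", "1"]
    ownNamesOfString: Object.getOwnPropertyNames(str),       // ["0", "1", "length"]
    protoOfNumberIsNumberPrototype: Object.getPrototypeOf(num) === Number.prototype,
    descriptorOfStringIndex: Object.getOwnPropertyDescriptor(str, "0").value, // "a"
    // Group 2: the primitive is treated as a non-extensible ordinary object
    // with no own properties: freeze/seal/preventExtensions hand the argument
    // back, and the is* queries answer as they would for such an object.
    freezeReturnsArgument: Object.freeze(num) === num,
    sealReturnsArgument: Object.seal(num) === num,
    preventExtensionsReturnsArgument: Object.preventExtensions(num) === num,
    isExtensible: Object.isExtensible(num),   // false
    isFrozen: Object.isFrozen(num),           // true
    isSealed: Object.isSealed(num),           // true
  };
}

// null and undefined are still rejected by the ToObject group (TypeError) but
// are accepted by the second group.
function probeNullish() {
  let keysThrew = false;
  try { Object.keys(null); } catch (e) { keysThrew = e instanceof TypeError; }
  return { keysThrew, isFrozenUndefined: Object.isFrozen(undefined) };
}
```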
2791
2792 2015-03-31  Matt Baker  <mattbaker@apple.com>
2793
2794         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
2795         https://bugs.webkit.org/show_bug.cgi?id=137278
2796
2797         Reviewed by Timothy Hatcher.
2798
2799         Added Canvas protocol which defines types used by InspectorCanvasAgent.
2800
2801         * CMakeLists.txt:
2802         * DerivedSources.make:
2803         * inspector/protocol/Canvas.json: Added.
2804
2805         * inspector/scripts/codegen/generator.py:
2806         (Generator.stylized_name_for_enum_value):
2807         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
2808
2809 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
2810
2811         Extending null should set __proto__ to null
2812         https://bugs.webkit.org/show_bug.cgi?id=142882
2813
2814         Reviewed by Geoffrey Garen and Benjamin Poulain.
2815
2816         Set Derived.prototype.__proto__ to null when extending null.
2817
2818         * bytecompiler/NodesCodegen.cpp:
2819         (JSC::ClassExprNode::emitBytecode):
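
What "extending null" means once Derived.prototype.__proto__ is null, as an added example (not WebKit code): instances see nothing from Object.prototype, and because the class's super constructor is Function.prototype (not a constructor), the default derived constructor cannot be used to instantiate it.

```javascript
// Added example (not WebKit code): the prototype chain produced by
// `class X extends null`, and its consequence for instantiation.
class NullBased extends null {
  constructor() {
    // The default derived constructor would call super(), but the super
    // constructor here is Function.prototype, which cannot be constructed, so a
    // class extending null has to create its own instance.
    return Object.create(new.target.prototype);
  }
}

class DefaultNullBased extends null {}

function probeExtendsNull() {
  let defaultCtorError = null;
  try { new DefaultNullBased(); } catch (e) { defaultCtorError = e.constructor.name; }
  const obj = new NullBased();
  return {
    // Derived.prototype.__proto__ is null, which is what the fix above sets.
    prototypeParent: Object.getPrototypeOf(NullBased.prototype),          // null
    // The constructor function itself still inherits from Function.prototype.
    constructorParent: Object.getPrototypeOf(NullBased) === Function.prototype,
    // Instances therefore see none of Object.prototype's methods.
    hasOwnPropertyVisible: typeof obj.hasOwnProperty,                      // "undefined"
    instanceOfNullBased: obj instanceof NullBased,                         // true
    defaultCtorError,                                                      // "TypeError"
  };
}
```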
2820
2821 2015-03-30  Mark Lam  <mark.lam@apple.com>
2822
2823         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
2824         <https://webkit.org/b/143105>
2825
2826         Reviewed by Filip Pizlo.
2827
2828         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
2829         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
2830         JIT frames that have their scope register not set.  The Debugger's current implementation,
2831         which relies on the scope register, is not happy about this.  For example, this results in a
2832         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
2833
2834         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
2835         ensure that the scope register value is flushed to the register in the stack frame.
2836
2837         * dfg/DFGByteCodeParser.cpp:
2838         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2839         (JSC::DFG::ByteCodeParser::setLocal):
2840         (JSC::DFG::ByteCodeParser::flush):
2841         - Add code to flush the scope register.
2842         (JSC::DFG::ByteCodeParser::inliningCost):
2843         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
2844           disabling inlining whenever the debugger is in use.
2845         * dfg/DFGGraph.cpp:
2846         (JSC::DFG::Graph::Graph):
2847         * dfg/DFGGraph.h:
2848         (JSC::DFG::Graph::hasDebuggerEnabled):
2849         * dfg/DFGStackLayoutPhase.cpp:
2850         (JSC::DFG::StackLayoutPhase::run):
2851         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
2852         * ftl/FTLCompile.cpp:
2853         (JSC::FTL::mmAllocateDataSection):
2854         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
2855
2856 2015-03-30  Michael Saboff  <msaboff@apple.com>
2857
2858         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
2859         https://bugs.webkit.org/show_bug.cgi?id=138391
2860
2861         Reviewed by Mark Lam.
2862
2863         Re-enabling these tests as I can't get them to fail on local iOS test devices.
2864         There have been many changes since these tests were disabled.
2865         I'll watch automated test results for failures.  If there are failures running automated
2866         testing, it might be due to the device's relative CPU performance.
2867         
2868         * tests/stress/float32-repeat-out-of-bounds.js:
2869         * tests/stress/int8-repeat-out-of-bounds.js:
2870
2871 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
2872
2873         Web Inspector: Regression: Preview for [[null]] shouldn't be []
2874         https://bugs.webkit.org/show_bug.cgi?id=143208
2875
2876         Reviewed by Mark Lam.
2877
2878         * inspector/InjectedScriptSource.js:
2879         Handle null when generating simple object previews.
2880
2881 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
2882
2883         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
2884         https://bugs.webkit.org/show_bug.cgi?id=143134
2885
2886         Reviewed by Geoffrey Garen.
2887
2888         * jit/JSInterfaceJIT.h:
2889         * jit/Repatch.cpp:
2890         (JSC::tryCacheGetByID):
2891
2892 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
2893
2894         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
2895         https://bugs.webkit.org/show_bug.cgi?id=143104
2896
2897         Reviewed by Geoffrey Garen.
2898         
2899         Created a test that is a 100% repro of the flaky failure. This test is called
2900         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
2901         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
2902         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
2903         
2904         Also created three more tests for three similar, but not identical, failures.
2905         
2906         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
2907         only reading those parts of the stack that are relevant to the current semantic code origin.
2908         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
2909         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
2910         read parts of the stack associated with the inline call frame for the phantom arguments. This
2911         may not be subsumed by the current semantic origin's stack area in cases that the arguments
2912         were allowed to "locally" escape.
2913         
2914         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
2915         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
2916         the stack due to function.arguments, but there are a bunch of other ways that we could also
2917         read the stack and those operations may read any stack slot. I believe that this change makes
2918         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
2919         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
2920         readTop() in PreciseLocalClobberize does the right thing.
2921
2922         * dfg/DFGClobberize.h:
2923         (JSC::DFG::clobberize):
2924         * dfg/DFGPreciseLocalClobberize.h:
2925         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2926         * dfg/DFGPutStackSinkingPhase.cpp:
2927         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
2928         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
2929         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
2930         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
2931         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
2932
2933 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
2934
2935         Start the features.json files
2936         https://bugs.webkit.org/show_bug.cgi?id=143207
2937
2938         Reviewed by Darin Adler.
2939
2940         Start the features.json files to have something to experiment
2941         with for the UI.
2942
2943         * features.json: Added.
2944
2945 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2946
2947         [Win] Addressing post-review comment after r182122
2948         https://bugs.webkit.org/show_bug.cgi?id=143189
2949
2950         Unreviewed.
2951
2952 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2953
2954         [Win] Allow building JavaScriptCore without Cygwin
2955         https://bugs.webkit.org/show_bug.cgi?id=143189
2956
2957         Reviewed by Brent Fulgham.
2958
2959         Paths like /usr/bin/ don't exist on Windows.
2960         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
2961         Prefixing commands with environment variables doesn't work on Windows.
2962         Windows doesn't have 'cmp'
2963         Windows uses 'del' instead of 'rm'
2964         Windows uses 'type NUL' instead of 'touch'
2965
2966         * DerivedSources.make:
2967         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2968         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2969         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
2970         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2971         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
2972         * JavaScriptCore.vcxproj/build-generated-files.pl:
2973         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
2974
2975 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
2976
2977         Clean up JavaScriptCore/builtins
2978         https://bugs.webkit.org/show_bug.cgi?id=143177
2979
2980         Reviewed by Ryosuke Niwa.
2981
2982         * builtins/ArrayConstructor.js:
2983         (from):
2984         - We can compare to undefined instead of using a typeof undefined check.
2985         - Converge on double quoted strings everywhere.
2986
2987         * builtins/ArrayIterator.prototype.js:
2988         (next):
2989         * builtins/StringIterator.prototype.js:
2990         (next):
2991         - Use shorthand object construction to avoid duplication.
2992         - Improve grammar in error messages.
2993
2994         * tests/stress/array-iterators-next-with-call.js:
2995         * tests/stress/string-iterators.js:
2996         - Update for new error message strings.
2997
2998 2015-03-28  Saam Barati  <saambarati1@gmail.com>
2999
3000         Web Inspector: ES6: Better support for Symbol types in Type Profiler
3001         https://bugs.webkit.org/show_bug.cgi?id=141257
3002
3003         Reviewed by Joseph Pecoraro.
3004
3005         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
3006         type profiler support this new primitive type.
3007
3008         * dfg/DFGFixupPhase.cpp:
3009         (JSC::DFG::FixupPhase::fixupNode):
3010         * inspector/protocol/Runtime.json:
3011         * runtime/RuntimeType.cpp:
3012         (JSC::runtimeTypeForValue):
3013         * runtime/RuntimeType.h:
3014         (JSC::runtimeTypeIsPrimitive):
3015         * runtime/TypeSet.cpp:
3016         (JSC::TypeSet::addTypeInformation):
3017         (JSC::TypeSet::dumpTypes):
3018         (JSC::TypeSet::doesTypeConformTo):
3019         (JSC::TypeSet::displayName):
3020         (JSC::TypeSet::inspectorTypeSet):
3021         (JSC::TypeSet::toJSONString):
3022         * runtime/TypeSet.h:
3023         (JSC::TypeSet::seenTypes):
3024         * tests/typeProfiler/driver/driver.js:
3025         * tests/typeProfiler/symbol.js: Added.
3026         (wrapper.foo):
3027         (wrapper.bar):
3028         (wrapper.bar.bar.baz):
3029         (wrapper):
3030
3031 2015-03-27  Saam Barati  <saambarati1@gmail.com>
3032
3033         Deconstruction parameters are bound too late
3034         https://bugs.webkit.org/show_bug.cgi?id=143148
3035
3036         Reviewed by Filip Pizlo.
3037
3038         Currently, a deconstruction pattern named with the same
3039         name as a function will shadow the function. This is
3040         wrong. It should be the other way around.
3041
3042         * bytecompiler/BytecodeGenerator.cpp:
3043         (JSC::BytecodeGenerator::generate):
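
The binding order this fix establishes, as an added example (not one of the WebKit tests): a function declaration in the body wins over a parameter of the same name, whether the parameter is plain or introduced by a destructuring pattern, while a plain `var` of that name does not discard the parameter's value.

```javascript
// Added example (not WebKit code): body function declarations shadow
// parameters, including destructured ones, not the other way around.
function plainParam(a) {
  function a() { return "body function"; }
  return typeof a;
}

function destructuredParam({ a }) {
  function a() { return "body function"; }
  return typeof a;
}

// For comparison: a `var` of the same name keeps the parameter's value.
function varDoesNotShadow({ a }) {
  var a;
  return a;
}

function probeParameterShadowing() {
  return {
    plain: plainParam(1),                       // "function"
    destructured: destructuredParam({ a: 1 }),  // "function"
    varKeepsValue: varDoesNotShadow({ a: 7 }),  // 7
  };
}
```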
3044
3045 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
3046
3047         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
3048         https://bugs.webkit.org/show_bug.cgi?id=143170
3049
3050         Reviewed by Benjamin Poulain.
3051
3052         Assert that we never use the 16-bit version of the parser to parse a default constructor
3053         since both base and derived default constructors should be using an 8-bit string.
3054
3055         * parser/Parser.h:
3056         (JSC::parse):
3057
3058 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
3059
3060         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
3061         https://bugs.webkit.org/show_bug.cgi?id=142862
3062
3063         Reviewed by Benjamin Poulain.
3064
3065         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
3066
3067         * tests/stress/class-syntax-derived-default-constructor.js: Added.
3068
3069 2015-03-27  Michael Saboff  <msaboff@apple.com>
3070
3071         load8Signed() and load16Signed() should be renamed to avoid confusion
3072         https://bugs.webkit.org/show_bug.cgi?id=143168
3073
3074         Reviewed by Benjamin Poulain.
3075
3076         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
3077
3078         * assembler/MacroAssemblerARM.h:
3079         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
3080         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
3081         (JSC::MacroAssemblerARM::load8Signed): Deleted.
3082         (JSC::MacroAssemblerARM::load16Signed): Deleted.
3083         * assembler/MacroAssemblerARM64.h:
3084         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
3085         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
3086         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
3087         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
3088         * assembler/MacroAssemblerARMv7.h:
3089         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
3090         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
3091         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
3092         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
3093         * assembler/MacroAssemblerMIPS.h:
3094         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
3095         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
3096         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
3097         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
3098         * assembler/MacroAssemblerSH4.h:
3099         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
3100         (JSC::MacroAssemblerSH4::load8):
3101         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
3102         (JSC::MacroAssemblerSH4::load16):
3103         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
3104         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
3105         * assembler/MacroAssemblerX86Common.h:
3106         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
3107         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
3108         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
3109         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
3110         * dfg/DFGSpeculativeJIT.cpp:
3111         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3112         * jit/JITPropertyAccess.cpp:
3113         (JSC::JIT::emitIntTypedArrayGetByVal):
3114
3115 2015-03-27  Michael Saboff  <msaboff@apple.com>
3116
3117         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
3118         https://bugs.webkit.org/show_bug.cgi?id=138390
3119
3120         Reviewed by Mark Lam.
3121
3122         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
3123         instead of 64 bits.  This is what X86-64 does.
3124
3125         * assembler/MacroAssemblerARM64.h:
3126         (JSC::MacroAssemblerARM64::load16Signed):
3127         (JSC::MacroAssemblerARM64::load8Signed):
3128
3129 2015-03-27  Saam Barati  <saambarati1@gmail.com>
3130
3131         Add back previously broken assert from bug 141869
3132         https://bugs.webkit.org/show_bug.cgi?id=143005
3133
3134         Reviewed by Michael Saboff.
3135
3136         * runtime/ExceptionHelpers.cpp:
3137         (JSC::invalidParameterInSourceAppender):
3138
3139 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3140
3141         Make some more objects use FastMalloc
3142         https://bugs.webkit.org/show_bug.cgi?id=143122
3143
3144         Reviewed by Csaba Osztrogonác.
3145
3146         * API/JSCallbackObject.h:
3147         * heap/IncrementalSweeper.h:
3148         * jit/JITThunks.h:
3149         * runtime/JSGlobalObjectDebuggable.h:
3150         * runtime/RegExpCache.h:
3151
3152 2015-03-27  Michael Saboff  <msaboff@apple.com>
3153
3154         Objects with numeric properties intermittently get a phantom 'length' property
3155         https://bugs.webkit.org/show_bug.cgi?id=142792
3156
3157         Reviewed by Csaba Osztrogonác.
3158
3159         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
3160         test and branch instructions.  This function is used for linking tbz/tbnz branches between
3161         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
3162         the failure case checks in the GetById array length stub created for "obj.length" access.
3163         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
3164         being set when we should have been looking for bit 0.
3165
3166         * assembler/ARM64Assembler.h:
3167         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
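
The class of bug described above, reproduced as an added example (not the ARM64Assembler code): a decoder for the AArch64 TBZ/TBNZ word with the bit-number field extracted either correctly (`>> 19`) or with the one-character mistake (`> 19`), which turns the shift into a comparison and collapses the bit number to 0 or 1. The field layout is assumed from the AArch64 encoding, not taken from the page; the encoder exists only to build constructed instruction words for the round trip.

```javascript
// Added example (not WebKit code). Assumed AArch64 test-and-branch layout:
//   b5 (bit 31) | 011011 (bits 30-25) | op (bit 24) | b40 (bits 23-19)
//   | imm14 (bits 18-5) | Rt (bits 4-0)
function decodeTestAndBranch(insn, shiftBug = false) {
  insn |= 0; // treat as a signed 32-bit word, as native code would
  const isTestAndBranch = (insn & 0x7e000000) === 0x36000000;
  const op = (insn >> 24) & 1;          // 0 = tbz, 1 = tbnz
  const imm14 = (insn << 13) >> 18;     // sign-extended word offset
  const b5 = (insn >>> 26) & 0x20;      // high bit of the bit number
  // With '>' in place of '>>', `insn > 19` is a boolean: the result is 1 for
  // any positive word and 0 for any negative one, whatever b40 encodes.
  const b40 = (shiftBug ? (insn > 19) : (insn >> 19)) & 0x1f;
  return { isTestAndBranch, op, bitNumber: b5 | b40, imm14, rt: insn & 0x1f };
}

// Builds a constructed TBZ/TBNZ word so decoding can be checked end to end.
function encodeTestAndBranch(op, bitNumber, imm14, rt) {
  const b5 = (bitNumber >> 5) & 1;
  const b40 = bitNumber & 0x1f;
  return ((b5 << 31) | (0x36 << 24) | (op << 24) | (b40 << 19)
    | ((imm14 & 0x3fff) << 5) | (rt & 0x1f)) | 0;
}
```

Decoding `tbz x7, #0, <negative offset>` with the bug reports bit 1 instead of bit 0, which is the symptom the entry describes; the negative offset leaves the word positive, so the comparison yields 1. For a bit number of 32 or more the word itself is negative and the bug reports b5 alone.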
3168
3169 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3170
3171         Insert exception check around toPropertyKey call
3172         https://bugs.webkit.org/show_bug.cgi?id=142922
3173
3174         Reviewed by Geoffrey Garen.
3175
3176         In some places, an exception check is missing after/before toPropertyKey.
3177         However, since it calls toString, it is observable to users.
3178
3179         Missing exception checks in Object.prototype methods can be
3180         observed since it would be overridden with toObject(null/undefined) errors.
3181         We inserted exception checks after toPropertyKey.
3182
3183         Missing exception checks in GetById related code can be
3184         observed since it would be overridden with toObject(null/undefined) errors.
3185         In this case, we need to insert exception checks before/after toPropertyKey
3186         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
3187
3188         JSValue::get checks for null/undefined and raises an exception if |this| is null or undefined.
3189         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
3190         According to the spec, we first perform RequireObjectCoercible and check the exception.
3191         And second, we perform ToPropertyKey and check the exception.
3192         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
3193         For example, if the target is not object coercible,
3194         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
3195         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
3196
3197         This patch introduces JSValue::requireObjectCoercible and uses it for the following two reasons.
3198
3199         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
3200
3201         toObject converts primitive types into wrapper objects.
3202         But it is not efficient, since wrapper objects are not necessary
3203         if we look up methods from the primitive value's prototype (using synthesizePrototype is better).
3204
3205         2. Using the result of toObject is not correct to the spec.
3206
3207         To align with the spec correctly, we cannot use JSObject::get
3208         with the wrapper object produced by the toObject suggested in (1).
3209         If we use the JSObject that is converted by toObject, the getter will be called with this JSObject as |this|.
3210         That is not correct, since the getter should be called with the original |this| value, which may be a primitive type.
3211
3212         So in this patch, we use JSValue::requireObjectCoercible
3213         to check that the target is object coercible and raise an error if it's not.
3214
3215         * dfg/DFGOperations.cpp:
3216         * jit/JITOperations.cpp:
3217         (JSC::getByVal):
3218         * llint/LLIntSlowPaths.cpp:
3219         (JSC::LLInt::getByVal):
3220         * runtime/CommonSlowPaths.cpp:
3221         (JSC::SLOW_PATH_DECL):
3222         * runtime/JSCJSValue.h:
3223         * runtime/JSCJSValueInlines.h:
3224         (JSC::JSValue::requireObjectCoercible):
3225         * runtime/ObjectPrototype.cpp:
3226         (JSC::objectProtoFuncHasOwnProperty):
3227         (JSC::objectProtoFuncDefineGetter):
3228         (JSC::objectProtoFuncDefineSetter):
3229         (JSC::objectProtoFuncLookupGetter):
3230         (JSC::objectProtoFuncLookupSetter):
3231         (JSC::objectProtoFuncPropertyIsEnumerable):
3232         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
3233         (shouldThrow):
3234         (if):
3235         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
3236         (shouldThrow):
3237         (.):
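
The ordering argument above, as an added example (not the WebKit code or its stress tests). The first part models the spec order for `base[key]` in plain JavaScript (RequireObjectCoercible on the base, then ToPropertyKey on the key; `requireObjectCoercible` and `toPropertyKey` here are my own stand-ins for the abstract operations, not JSC's). The second part checks two things the entry says are observable in the engine: Object.prototype.hasOwnProperty converts its key before ToObject on |this|, so a throwing toString must surface instead of the null/undefined TypeError, and a getter reached through a primitive base receives the primitive, not a wrapper, as |this|.

```javascript
// Added example (not WebKit code): observable ordering of RequireObjectCoercible
// and ToPropertyKey, modelled in JS and then checked against the engine.

// Spec-order model of base[key]. These are stand-ins for the abstract
// operations, not the engine's own functions.
function requireObjectCoercible(value) {
  if (value === null || value === undefined)
    throw new TypeError("value is not object coercible");
  return value;
}
function toPropertyKey(value) {
  if (typeof value === "symbol") return value;
  return String(value); // runs a user-visible toString on objects
}
function specOrderGet(base, key) {
  const b = requireObjectCoercible(base); // may throw before the key is touched
  const k = toPropertyKey(key);           // may throw, but only after the base check
  return b[k];
}

// A key that counts how often its toString runs.
function makeTracingKey(name) {
  let calls = 0;
  return { key: { toString() { calls++; return name; } }, count: () => calls };
}

function probeOrdering() {
  // 1. Model: a null base throws a TypeError without ever converting the key.
  const t1 = makeTracingKey("x");
  let modelError = null;
  try { specOrderGet(null, t1.key); } catch (e) { modelError = e.constructor.name; }

  // 2. Model: a coercible base does convert the key, exactly once.
  const t2 = makeTracingKey("length");
  const modelLength = specOrderGet("abc", t2.key);

  // 3. Engine: hasOwnProperty performs ToPropertyKey(V) before ToObject(this),
  //    so the key's own exception must win over the toObject(null) TypeError.
  const keyThatThrows = { toString() { throw new RangeError("from toString"); } };
  let hasOwnError = null;
  try { Object.prototype.hasOwnProperty.call(null, keyThatThrows); }
  catch (e) { hasOwnError = e.constructor.name; }

  // 4. Engine: a strict getter on String.prototype sees the primitive string
  //    as |this|; a ToObject wrapper used as the receiver would report "object".
  Object.defineProperty(String.prototype, "thisKind",
    { get() { "use strict"; return typeof this; }, configurable: true });
  const thisKind = "abc".thisKind;
  delete String.prototype.thisKind;

  return {
    modelError,                            // "TypeError"
    modelKeyConversions: t1.count(),       // 0
    modelLength,                           // 3
    coercibleKeyConversions: t2.count(),   // 1
    hasOwnError,                           // "RangeError"
    thisKind,                              // "string"
  };
}
```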
3238
3239 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
3240
3241         WebContent Crash when instantiating class with Type Profiling enabled
3242         https://bugs.webkit.org/show_bug.cgi?id=143037
3243
3244         Reviewed by Ryosuke Niwa.
3245
3246         * bytecompiler/BytecodeGenerator.h:
3247         * bytecompiler/BytecodeGenerator.cpp:
3248         (JSC::BytecodeGenerator::BytecodeGenerator):
3249         (JSC::BytecodeGenerator::emitMoveEmptyValue):
3250         We cannot profile the type of an uninitialized empty JSValue.
3251         Nor do we expect this to be necessary, since it is effectively
3252         an unseen undefined value. So add a way to put the empty value
3253         without profiling.
3254
3255         (JSC::BytecodeGenerator::emitMove):
3256         Add an assert to try to catch this issue early on, and force
3257         callers to explicitly use emitMoveEmptyValue instead.
3258
3259         * tests/typeProfiler/classes.js: Added.
3260         (wrapper.Base):
3261         (wrapper.Derived):
3262         (wrapper):
3263         Add test coverage both for this case and classes in general.
3264
3265 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
3266
3267         Web Inspector: ES6: Provide a better view for Classes in the console
3268         https://bugs.webkit.org/show_bug.cgi?id=142999
3269
3270         Reviewed by Timothy Hatcher.
3271
3272         * inspector/protocol/Runtime.json:
3273         Provide a new `subtype` enum "class". This is a subtype of `type`
3274         "function", all other subtypes are subtypes of `object` types.
3275         For a class, the frontend will immediately want to get the prototype
3276         to enumerate its methods, so include the `classPrototype`.
3277
3278         * inspector/JSInjectedScriptHost.cpp:
3279         (Inspector::JSInjectedScriptHost::subtype):
3280         Denote class construction functions as "class" subtypes.
3281
3282         * inspector/InjectedScriptSource.js:
3283         Handling for the new "class" type.
3284
3285         * bytecode/UnlinkedCodeBlock.h:
3286         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
3287         * runtime/Executable.h:
3288         (JSC::FunctionExecutable::isClassConstructorFunction):
3289         * runtime/JSFunction.h:
3290         * runtime/JSFunctionInlines.h:
3291         (JSC::JSFunction::isClassConstructorFunction):
3292         Check if this function is a class constructor function. That information
3293         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
3294
3295 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3296
3297         Function.prototype.toString should not decompile the AST
3298         https://bugs.webkit.org/show_bug.cgi?id=142853
3299
3300         Reviewed by Darin Adler.
3301
3302         Following up on Darin's review comments.
3303
3304         * runtime/FunctionConstructor.cpp:
3305         (JSC::constructFunctionSkippingEvalEnabledCheck):
3306
3307 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3308
3309         "lineNo" does not match WebKit coding style guidelines
3310         https://bugs.webkit.org/show_bug.cgi?id=143119
3311
3312         Reviewed by Michael Saboff.
3313
3314         We can afford to use whole words.
3315
3316         * bytecode/CodeBlock.cpp:
3317         (JSC::CodeBlock::lineNumberForBytecodeOffset):
3318         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
3319         * bytecode/UnlinkedCodeBlock.cpp:
3320         (JSC::UnlinkedFunctionExecutable::link):
3321         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
3322         * bytecode/UnlinkedCodeBlock.h:
3323         * bytecompiler/NodesCodegen.cpp:
3324         (JSC::WhileNode::emitBytecode):
3325         * debugger/Debugger.cpp:
3326         (JSC::Debugger::toggleBreakpoint):
3327         * interpreter/Interpreter.cpp:
3328         (JSC::StackFrame::computeLineAndColumn):
3329         (JSC::GetStackTraceFunctor::operator()):
3330         (JSC::Interpreter::execute):
3331         * interpreter/StackVisitor.cpp:
3332         (JSC::StackVisitor::Frame::computeLineAndColumn):
3333         * parser/Nodes.h:
3334         (JSC::Node::firstLine):
3335         (JSC::Node::lineNo): Deleted.
3336         (JSC::StatementNode::firstLine): Deleted.
3337         * parser/ParserError.h:
3338         (JSC::ParserError::toErrorObject):
3339         * profiler/LegacyProfiler.cpp:
3340         (JSC::createCallIdentifierFromFunctionImp):
3341         * runtime/CodeCache.cpp:
3342         (JSC::CodeCache::getGlobalCodeBlock):
3343         * runtime/Executable.cpp:
3344         (JSC::ScriptExecutable::ScriptExecutable):
3345         (JSC::ScriptExecutable::newCodeBlockFor):
3346         (JSC::FunctionExecutable::fromGlobalCode):
3347         * runtime/Executable.h:
3348         (JSC::ScriptExecutable::firstLine):
3349         (JSC::ScriptExecutable::setOverrideLineNumber):
3350         (JSC::ScriptExecutable::hasOverrideLineNumber):
3351         (JSC::ScriptExecutable::overrideLineNumber):
3352         (JSC::ScriptExecutable::lineNo): Deleted.
3353         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
3354         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
3355         (JSC::ScriptExecutable::overrideLineNo): Deleted.
3356         * runtime/FunctionConstructor.cpp:
3357         (JSC::constructFunctionSkippingEvalEnabledCheck):
3358         * runtime/FunctionConstructor.h:
3359         * tools/CodeProfile.cpp:
3360         (JSC::CodeProfile::report):
3361         * tools/CodeProfile.h:
3362         (JSC::CodeProfile::CodeProfile):
3363
3364 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3365
3366         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
3367         https://bugs.webkit.org/show_bug.cgi?id=142974
3368
3369         Reviewed by Joseph Pecoraro.
3370
3371         This patch does two things:
3372
3373         (1) Restore JavaScriptCore's sanitization of line and column numbers to
3374         one-based values.
3375
3376         We need this because WebCore sometimes provides huge negative column
3377         numbers.
3378
3379         (2) Solve the attribute event listener line numbering problem a different
3380         way: Rather than offsetting all line numbers by -1 in an attribute event
3381         listener in order to arrange for a custom result, instead use an explicit
3382         feature for saying "all errors in this code should map to this line number".
3383
3384         * bytecode/UnlinkedCodeBlock.cpp:
3385         (JSC::UnlinkedFunctionExecutable::link):
3386         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
3387         * bytecode/UnlinkedCodeBlock.h:
3388         * interpreter/Interpreter.cpp:
3389         (JSC::StackFrame::computeLineAndColumn):
3390         (JSC::GetStackTraceFunctor::operator()):
3391         * interpreter/Interpreter.h:
3392         * interpreter/StackVisitor.cpp:
3393         (JSC::StackVisitor::Frame::computeLineAndColumn):
3394         * parser/ParserError.h:
3395         (JSC::ParserError::toErrorObject): Plumb through an override line number.
3396         When a function has an override line number, all syntax and runtime
3397         errors in the function will map to it. This is useful for attribute event
3398         listeners.
3399
3400         * parser/SourceCode.h:
3401         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
3402         column numbers to one-based integers. It was kind of a hack to remove this.
3403
3404         * runtime/Executable.cpp:
3405         (JSC::ScriptExecutable::ScriptExecutable):
3406         (JSC::FunctionExecutable::fromGlobalCode):
3407         * runtime/Executable.h:
3408         (JSC::ScriptExecutable::setOverrideLineNo):
3409         (JSC::ScriptExecutable::hasOverrideLineNo):
3410         (JSC::ScriptExecutable::overrideLineNo):
3411         * runtime/FunctionConstructor.cpp:
3412         (JSC::constructFunctionSkippingEvalEnabledCheck):
3413         * runtime/FunctionConstructor.h: Plumb through an override line number.
3414
3415 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
3416
3417         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
3418
3419         Reviewed by Michael Saboff.
3420
3421         * jit/JITPropertyAccess.cpp:
3422         (JSC::JIT::emitScopedArgumentsGetByVal):
3423         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
3424
3425 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
3426
3427         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
3428         https://bugs.webkit.org/show_bug.cgi?id=143098
3429
3430         Reviewed by Csaba Osztrogonác.
3431
3432         * ftl/FTLLowerDFGToLLVM.cpp:
3433         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
3434         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
3435
3436 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
3437
3438         Unreviewed gardening, skip failing tests on AArch64 Linux.
3439
3440         * tests/mozilla/mozilla-tests.yaml:
3441         * tests/stress/cached-prototype-setter.js:
3442
3443 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
3444
3445         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
3446
3447         * dfg/DFGConstantFoldingPhase.cpp:
3448         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
3449         * ftl/FTLCompile.cpp:
3450         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
3451         * ftl/FTLState.cpp:
3452         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
3453         * ftl/FTLState.h:
3454
3455 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3456
3457         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
3458         right, so this just makes 32-bit do the same.
3459
3460         * dfg/DFGSpeculativeJIT32_64.cpp:
3461         (JSC::DFG::SpeculativeJIT::emitCall):
3462
3463 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3464
3465         Fix a typo that ggaren found but that I didn't fix before.
3466
3467         * runtime/DirectArgumentsOffset.h:
3468
3469 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3470
3471         Unreviewed, VC found a bug. This fixes the bug.
3472
3473         * dfg/DFGConstantFoldingPhase.cpp:
3474         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3475
3476 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3477
3478         Unreviewed, try to fix Windows build.
3479
3480         * runtime/ClonedArguments.cpp:
3481         (JSC::ClonedArguments::createWithInlineFrame):
3482
3483 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3484
3485         Unreviewed, fix debug build.
3486
3487         * bytecompiler/NodesCodegen.cpp:
3488         (JSC::ConstDeclNode::emitCodeSingle):
3489
3490 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3491
3492         Unreviewed, fix CLOOP build.
3493
3494         * dfg/DFGMinifiedID.h:
3495
3496 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3497
3498         Heap variables shouldn't end up in the stack frame
3499         https://bugs.webkit.org/show_bug.cgi?id=141174
3500
3501         Reviewed by Geoffrey Garen.
3502         
3503         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
3504         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
3505         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
3506         simplifications:
3507         
3508         - Accesses to variables no longer need checks or indirections to determine where the variable is
3509           at that moment in time. For example, loading a closure variable now takes just one load instead
3510           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
3511           (when no arguments object allocation is required) while previously that same operation required
3512           a "did I allocate arguments yet" check, a bounds check, and then the load.
3513         
3514         - Reasoning about the allocation of an activation or arguments object now follows the same simple
3515           logic as the allocation of any other kind of object. Previously, those objects were lazily
3516           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
3517           allocate anything at all. This made the implementation of traditional escape analyses really
3518           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
3519           arguments object using the usual SSA tricks which allows for more comprehensive removal.
3520         
3521         - The allocations of arguments objects, functions, and activations are now much faster. While
3522           this patch generally expands our ability to eliminate arguments object allocations, an earlier
3523           version of the patch - which lacked that functionality - was a progression on some arguments-
3524           and closure-happy benchmarks because although no allocations were eliminated, all allocations
3525           were faster.
3526         
3527         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
3528           its arguments objects or activations. The runtime doesn't have to do things to the arguments
3529           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
3530           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
3531           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" is
3532           now gone. This also enables implementing block-scoping. Without this change, block-scope
3533           support would require telling CodeBlock and all of the rest of the runtime about all of the
3534           variables that store currently-live scopes. That would have been so disastrously hard that it
3535           might as well be impossible. With this change, it's fair game for the bytecode generator to
3536           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
3537           however long it wants. This all works, because after bytecode generation, an activation is just
3538           an object and variables that refer to it are just normal variables.
3539         
3540         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
3541           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
3542           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
3543           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
3544           an arguments object.
3545         
3546         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
3547           using activations used to prevent inlining; now functions that use activations can be inlined
3548           just fine.
3549         
3550         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
3551         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
3552         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
3553         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
3554         
3555         The easiest way of understanding this change is to start by looking at the changes in runtime/,
3556         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
3557
3558         * CMakeLists.txt:
3559         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3560         * JavaScriptCore.xcodeproj/project.pbxproj:
3561         * assembler/AbortReason.h:
3562         * assembler/AbstractMacroAssembler.h:
3563         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
3564         * bytecode/ByValInfo.h:
3565         (JSC::hasOptimizableIndexingForJSType):
3566         (JSC::hasOptimizableIndexing):
3567         (JSC::jitArrayModeForJSType):
3568         (JSC::jitArrayModePermitsPut):
3569         (JSC::jitArrayModeForStructure):
3570         * bytecode/BytecodeKills.h: Added.
3571         (JSC::BytecodeKills::BytecodeKills):
3572         (JSC::BytecodeKills::operandIsKilled):
3573         (JSC::BytecodeKills::forEachOperandKilledAt):
3574         (JSC::BytecodeKills::KillSet::KillSet):
3575         (JSC::BytecodeKills::KillSet::add):
3576         (JSC::BytecodeKills::KillSet::forEachLocal):
3577         (JSC::BytecodeKills::KillSet::contains):
3578         * bytecode/BytecodeList.json:
3579         * bytecode/BytecodeLivenessAnalysis.cpp:
3580         (JSC::isValidRegisterForLiveness):
3581         (JSC::stepOverInstruction):
3582         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
3583         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
3584         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
3585         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
3586         (JSC::BytecodeLivenessAnalysis::computeKills):
3587         (JSC::indexForOperand): Deleted.
3588         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
3589         (JSC::getLivenessInfo): Deleted.
3590         * bytecode/BytecodeLivenessAnalysis.h:
3591         * bytecode/BytecodeLivenessAnalysisInlines.h:
3592         (JSC::operandIsAlwaysLive):
3593         (JSC::operandThatIsNotAlwaysLiveIsLive):
3594         (JSC::operandIsLive):
3595         * bytecode/BytecodeUseDef.h:
3596         (JSC::computeUsesForBytecodeOffset):
3597         (JSC::computeDefsForBytecodeOffset):
3598         * bytecode/CodeBlock.cpp:
3599         (JSC::CodeBlock::dumpBytecode):
3600         (JSC::CodeBlock::CodeBlock):
3601         (JSC::CodeBlock::nameForRegister):
3602         (JSC::CodeBlock::validate):
3603         (JSC::CodeBlock::isCaptured): Deleted.
3604         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
3605         (JSC::CodeBlock::machineSlowArguments): Deleted.
3606         * bytecode/CodeBlock.h:
3607         (JSC::unmodifiedArgumentsRegister): Deleted.
3608         (JSC::CodeBlock::setArgumentsRegister): Deleted.
3609         (JSC::CodeBlock::argumentsRegister): Deleted.
3610         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
3611         (JSC::CodeBlock::usesArguments): Deleted.
3612         (JSC::CodeBlock::captureCount): Deleted.
3613         (JSC::CodeBlock::captureStart): Deleted.
3614         (JSC::CodeBlock::captureEnd): Deleted.
3615         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
3616         (JSC::CodeBlock::hasSlowArguments): Deleted.
3617         (JSC::ExecState::argumentAfterCapture): Deleted.
3618         * bytecode/CodeOrigin.h:
3619         * bytecode/DataFormat.h:
3620         (JSC::dataFormatToString):
3621         * bytecode/FullBytecodeLiveness.h:
3622         (JSC::FullBytecodeLiveness::getLiveness):
3623         (JSC::FullBytecodeLiveness::operandIsLive):
3624         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
3625         (JSC::FullBytecodeLiveness::getOut): Deleted.
3626         * bytecode/Instruction.h:
3627         (JSC::Instruction::Instruction):
3628         * bytecode/Operands.h:
3629         (JSC::Operands::virtualRegisterForIndex):
3630         * bytecode/SpeculatedType.cpp:
3631         (JSC::dumpSpeculation):
3632         (JSC::speculationToAbbreviatedString):
3633         (JSC::speculationFromClassInfo):
3634         * bytecode/SpeculatedType.h:
3635         (JSC::isDirectArgumentsSpeculation):
3636         (JSC::isScopedArgumentsSpeculation):
3637         (JSC::isActionableMutableArraySpeculation):
3638         (JSC::isActionableArraySpeculation):
3639         (JSC::isArgumentsSpeculation): Deleted.
3640         * bytecode/UnlinkedCodeBlock.cpp:
3641         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3642         * bytecode/UnlinkedCodeBlock.h:
3643         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
3644         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
3645         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
3646         * bytecode/ValueRecovery.cpp:
3647         (JSC::ValueRecovery::dumpInContext):
3648         * bytecode/ValueRecovery.h:
3649         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
3650         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
3651         (JSC::ValueRecovery::nodeID):
3652         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
3653         * bytecode/VirtualRegister.h:
3654         (JSC::VirtualRegister::operator==):
3655         (JSC::VirtualRegister::operator!=):
3656         (JSC::VirtualRegister::operator<):
3657         (JSC::VirtualRegister::operator>):
3658         (JSC::VirtualRegister::operator<=):
3659         (JSC::VirtualRegister::operator>=):
3660         * bytecompiler/BytecodeGenerator.cpp:
3661         (JSC::BytecodeGenerator::generate):
3662         (JSC::BytecodeGenerator::BytecodeGenerator):
3663         (JSC::BytecodeGenerator::initializeNextParameter):
3664         (JSC::BytecodeGenerator::visibleNameForParameter):
3665         (JSC::BytecodeGenerator::emitMove):
3666         (JSC::BytecodeGenerator::variable):
3667         (JSC::BytecodeGenerator::createVariable):
3668         (JSC::BytecodeGenerator::emitResolveScope):
3669         (JSC::BytecodeGenerator::emitGetFromScope):
3670         (JSC::BytecodeGenerator::emitPutToScope):
3671         (JSC::BytecodeGenerator::initializeVariable):
3672         (JSC::BytecodeGenerator::emitInstanceOf):
3673         (JSC::BytecodeGenerator::emitNewFunction):
3674         (JSC::BytecodeGenerator::emitNewFunctionInternal):
3675         (JSC::BytecodeGenerator::emitCall):
3676         (JSC::BytecodeGenerator::emitReturn):
3677         (JSC::BytecodeGenerator::emitConstruct):
3678         (JSC::BytecodeGenerator::isArgumentNumber):
3679         (JSC::BytecodeGenerator::emitEnumeration):
3680         (JSC::BytecodeGenerator::addVar): Deleted.
3681         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
3682         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
3683         (JSC::BytecodeGenerator::resolveCallee): Deleted.
3684         (JSC::BytecodeGenerator::addCallee): Deleted.
3685         (JSC::BytecodeGenerator::addParameter): Deleted.
3686         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
3687         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
3688         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
3689         (JSC::BytecodeGenerator::isCaptured): Deleted.
3690         (JSC::BytecodeGenerator::local): Deleted.
3691         (JSC::BytecodeGenerator::constLocal): Deleted.
3692         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
3693         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
3694         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
3695         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
3696         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
3697         * bytecompiler/BytecodeGenerator.h:
3698         (JSC::Variable::Variable):
3699         (JSC::Variable::isResolved):
3700         (JSC::Variable::ident):
3701         (JSC::Variable::offset):
3702         (JSC::Variable::isLocal):
3703         (JSC::Variable::local):
3704         (JSC::Variable::isSpecial):
3705         (JSC::BytecodeGenerator::argumentsRegister):
3706         (JSC::BytecodeGenerator::emitNode):
3707         (JSC::BytecodeGenerator::registerFor):
3708         (JSC::Local::Local): Deleted.
3709         (JSC::Local::operator bool): Deleted.
3710         (JSC::Local::get): Deleted.
3711         (JSC::Local::isSpecial): Deleted.
3712         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
3713         (JSC::ResolveScopeInfo::isLocal): Deleted.
3714         (JSC::ResolveScopeInfo::localIndex): Deleted.
3715         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
3716         (JSC::BytecodeGenerator::captureMode): Deleted.
3717         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
3718         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
3719         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
3720         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
3721         * bytecompiler/NodesCodegen.cpp:
3722         (JSC::ResolveNode::isPure):
3723         (JSC::ResolveNode::emitBytecode):
3724         (JSC::BracketAccessorNode::emitBytecode):
3725         (JSC::DotAccessorNode::emitBytecode):
3726         (JSC::EvalFunctionCallNode::emitBytecode):
3727         (JSC::FunctionCallResolveNode::emitBytecode):
3728         (JSC::CallFunctionCallDotNode::emitBytecode):
3729         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3730         (JSC::PostfixNode::emitResolve):
3731         (JSC::DeleteResolveNode::emitBytecode):
3732         (JSC::TypeOfResolveNode::emitBytecode):
3733         (JSC::PrefixNode::emitResolve):
3734         (JSC::ReadModifyResolveNode::emitBytecode):
3735         (JSC::AssignResolveNode::emitBytecode):
3736         (JSC::ConstDeclNode::emitCodeSingle):
3737         (JSC::EmptyVarExpression::emitBytecode):
3738         (JSC::ForInNode::tryGetBoundLocal):
3739         (JSC::ForInNode::emitLoopHeader):
3740         (JSC::ForOfNode::emitBytecode):
3741         (JSC::ArrayPatternNode::emitDirectBinding):
3742         (JSC::BindingNode::bindValue):
3743         (JSC::getArgumentByVal): Deleted.
3744         * dfg/DFGAbstractHeap.h:
3745         * dfg/DFGAbstractInterpreter.h:
3746         * dfg/DFGAbstractInterpreterInlines.h:
3747         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3748         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
3749         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
3750         * dfg/DFGAbstractValue.h:
3751         * dfg/DFGArgumentPosition.h:
3752         (JSC::DFG::ArgumentPosition::addVariable):
3753         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
3754         (JSC::DFG::performArgumentsElimination):
3755         * dfg/DFGArgumentsEliminationPhase.h: Added.
3756         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
3757         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
3758         * dfg/DFGArgumentsUtilities.cpp: Added.
3759         (JSC::DFG::argumentsInvolveStackSlot):
3760         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3761         * dfg/DFGArgumentsUtilities.h: Added.
3762         * dfg/DFGArrayMode.cpp:
3763         (JSC::DFG::ArrayMode::refine):
3764         (JSC::DFG::ArrayMode::alreadyChecked):
3765         (JSC::DFG::arrayTypeToString):
3766         * dfg/DFGArrayMode.h:
3767         (JSC::DFG::ArrayMode::canCSEStorage):
3768         (JSC::DFG::ArrayMode::modeForPut):
3769         * dfg/DFGAvailabilityMap.cpp:
3770         (JSC::DFG::AvailabilityMap::prune):
3771         * dfg/DFGAvailabilityMap.h:
3772         (JSC::DFG::AvailabilityMap::closeOverNodes):
3773         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
3774         * dfg/DFGBackwardsPropagationPhase.cpp:
3775         (JSC::DFG::BackwardsPropagationPhase::propagate):
3776         * dfg/DFGByteCodeParser.cpp:
3777         (JSC::DFG::ByteCodeParser::newVariableAccessData):
3778         (JSC::DFG::ByteCodeParser::getLocal):
3779         (JSC::DFG::ByteCodeParser::setLocal):
3780         (JSC::DFG::ByteCodeParser::getArgument):
3781         (JSC::DFG::ByteCodeParser::setArgument):
3782         (JSC::DFG::ByteCodeParser::flushDirect):
3783         (JSC::DFG::ByteCodeParser::flush):
3784         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
3785         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3786         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3787         (JSC::DFG::ByteCodeParser::handleInlining):
3788         (JSC::DFG::ByteCodeParser::parseBlock):
3789         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3790         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3791         * dfg/DFGCPSRethreadingPhase.cpp:
3792         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3793         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3794         * dfg/DFGCSEPhase.cpp:
3795         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
3796         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3797         * dfg/DFGCapabilities.cpp:
3798         (JSC::DFG::isSupportedForInlining):
3799         (JSC::DFG::capabilityLevel):
3800         * dfg/DFGClobberize.h:
3801         (JSC::DFG::clobberize):
3802         * dfg/DFGCommon.h:
3803         * dfg/DFGCommonData.h:
3804         (JSC::DFG::CommonData::CommonData):
3805         * dfg/DFGConstantFoldingPhase.cpp:
3806         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3807         * dfg/DFGDCEPhase.cpp:
3808         (JSC::DFG::DCEPhase::cleanVariables):
3809         * dfg/DFGDisassembler.h:
3810         * dfg/DFGDoesGC.cpp:
3811         (JSC::DFG::doesGC):
3812         * dfg/DFGFixupPhase.cpp:
3813         (JSC::DFG::FixupPhase::fixupNode):
3814         * dfg/DFGFlushFormat.cpp:
3815         (WTF::printInternal):
3816         * dfg/DFGFlushFormat.h:
3817         (JSC::DFG::resultFor):
3818         (JSC::DFG::useKindFor):
3819         (JSC::DFG::dataFormatFor):
3820         * dfg/DFGForAllKills.h: Added.
3821         (JSC::DFG::forAllLiveNodesAtTail):
3822         (JSC::DFG::forAllDirectlyKilledOperands):
3823         (JSC::DFG::forAllKilledOperands):
3824         (JSC::DFG::forAllKilledNodesAtNodeIndex):
3825         (JSC::DFG::forAllKillsInBlock):
3826         * dfg/DFGGraph.cpp:
3827         (JSC::DFG::Graph::Graph):
3828         (JSC::DFG::Graph::dump):
3829         (JSC::DFG::Graph::substituteGetLocal):
3830         (JSC::DFG::Graph::livenessFor):
3831         (JSC::DFG::Graph::killsFor):
3832         (JSC::DFG::Graph::tryGetConstantClosureVar):
3833         (JSC::DFG::Graph::tryGetRegisters): Deleted.
3834         * dfg/DFGGraph.h:
3835         (JSC::DFG::Graph::symbolTableFor):
3836         (JSC::DFG::Graph::uses):
3837         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
3838         (JSC::DFG::Graph::capturedVarsFor): Deleted.
3839         (JSC::DFG::Graph::usesArguments): Deleted.
3840         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
3841         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
3842         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
3843         * dfg/DFGHeapLocation.cpp:
3844         (WTF::printInternal):
3845         * dfg/DFGHeapLocation.h:
3846         * dfg/DFGInPlaceAbstractState.cpp:
3847         (JSC::DFG::InPlaceAbstractState::initialize):
3848         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3849         * dfg/DFGJITCompiler.cpp:
3850         (JSC::DFG::JITCompiler::link):
3851         * dfg/DFGMayExit.cpp:
3852         (JSC::DFG::mayExit):
3853         * dfg/DFGMinifiedID.h:
3854         * dfg/DFGMinifiedNode.cpp:
3855         (JSC::DFG::MinifiedNode::fromNode):
3856         * dfg/DFGMinifiedNode.h:
3857         (JSC::DFG::belongsInMinifiedGraph):
3858         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
3859         (JSC::DFG::MinifiedNode::inlineCallFrame):
3860         * dfg/DFGNode.cpp:
3861         (JSC::DFG::Node::convertToIdentityOn):
3862         * dfg/DFGNode.h:
3863         (JSC::DFG::Node::hasConstant):
3864         (JSC::DFG::Node::constant):
3865         (JSC::DFG::Node::hasScopeOffset):
3866         (JSC::DFG::Node::scopeOffset):
3867         (JSC::DFG::Node::hasDirectArgumentsOffset):
3868         (JSC::DFG::Node::capturedArgumentsOffset):
3869         (JSC::DFG::Node::variablePointer):
3870         (JSC::DFG::Node::hasCallVarargsData):
3871         (JSC::DFG::Node::hasLoadVarargsData):
3872         (JSC::DFG::Node::hasHeapPrediction):
3873         (JSC::DFG::Node::hasCellOperand):
3874         (JSC::DFG::Node::objectMaterializationData):
3875         (JSC::DFG::Node::isPhantomAllocation):
3876         (JSC::DFG::Node::willHaveCodeGenOrOSR):
3877         (JSC::DFG::Node::shouldSpeculateDirectArguments):
3878         (JSC::DFG::Node::shouldSpeculateScopedArguments):
3879         (JSC::DFG::Node::isPhantomArguments): Deleted.