[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.

        * runtime/InferredValue.h:

2015-04-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.

        * runtime/InferredValue.h:

2015-04-08  Filip Pizlo  <fpizlo@apple.com>

        JSC should detect singleton functions
        https://bugs.webkit.org/show_bug.cgi?id=143232

        Reviewed by Geoffrey Garen.

        This started out as an attempt to make constructors faster by detecting when a constructor is a
        singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
        along with an inferred value - that detects if only one JSFunction has been allocated for that
        executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
        if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
        we can constant-fold GetCallee.

        Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
        process I realized a bunch of things:

        - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
          had even in code where our singleton-closure detection worked. That's because singleton-closure
          inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
          the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
          disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
          values.

        - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
          created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
          FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.

        - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
          detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
          about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
          SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
          First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
          scope. This saves compile times and it allows prediction propagation to benefit from the
          constant folding. Second, it means that we will detect a singleton scope even if it is
          referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
          allows us to eliminate the function reentry watchpoint.

        - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
          constant values in scopes. Previously when the DFG inferred that a closure variable was
          constant, it wouldn't know which closure that variable was in and so it couldn't just load that
          value. But now we are first inferring that the function is a singleton, which means that we
          know exactly what scope it points to, and we can load the value from the scope. Using a
          WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
          code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
          I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
          FunctionExecutable wants.

        This also has the effect of simplifying the implementation of block scoping. Prior to this
        change, block scoping would have needed to have some story for the function reentry watchpoint on
        any nested symbol table. That's totally weird to think about; it's not really a function reentry
        but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
        will "just work": if we prove that we know the constant value of the scope then the machinery
        kicks in, otherwise it doesn't.

        This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::calleeConstant):
        (JSC::InlineCallFrame::visitAggregate):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::calleeConstant): Deleted.
        (JSC::InlineCallFrame::visitAggregate): Deleted.
        * bytecode/Instruction.h:
        * bytecode/VariableWatchpointSet.cpp: Removed.
        * bytecode/VariableWatchpointSet.h: Removed.
        * bytecode/VariableWatchpointSetInlines.h: Removed.
        * bytecode/VariableWriteFireDetail.cpp: Added.
        (JSC::VariableWriteFireDetail::dump):
        (JSC::VariableWriteFireDetail::touch):
        * bytecode/VariableWriteFireDetail.h: Added.
        (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::stateOnJSThread):
        (JSC::WatchpointSet::startWatching):
        (JSC::WatchpointSet::fireAll):
        (JSC::WatchpointSet::touch):
        (JSC::WatchpointSet::invalidate):
        (JSC::InlineWatchpointSet::stateOnJSThread):
        (JSC::InlineWatchpointSet::state):
        (JSC::InlineWatchpointSet::hasBeenInvalidated):
        (JSC::InlineWatchpointSet::invalidate):
        (JSC::InlineWatchpointSet::touch):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::getScope): Deleted.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::InferredValueAdaptor::add):
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        (JSC::DFG::DesiredWatchpoints::areStillValid):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
        (JSC::DFG::DesiredWatchpoints::isWatched):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasWatchpointSet):
        (JSC::DFG::Node::watchpointSet):
        (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
        (JSC::DFG::Node::variableWatchpointSet): Deleted.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVarargsForwardingPhase.cpp:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::friendlySourceURL):
        (JSC::StackFrame::friendlyFunctionName):
        * interpreter/Interpreter.h:
        (JSC::StackFrame::friendlySourceURL): Deleted.
        (JSC::StackFrame::friendlyFunctionName): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_touch_entry): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emitNotifyWrite): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emitNotifyWrite): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::finishCreation):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::singletonFunction):
        * runtime/InferredValue.cpp: Added.
        (JSC::InferredValue::create):
        (JSC::InferredValue::destroy):
        (JSC::InferredValue::createStructure):
        (JSC::InferredValue::visitChildren):
        (JSC::InferredValue::InferredValue):
        (JSC::InferredValue::~InferredValue):
        (JSC::InferredValue::notifyWriteSlow):
        (JSC::InferredValue::ValueCleanup::ValueCleanup):
        (JSC::InferredValue::ValueCleanup::~ValueCleanup):
        (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
        * runtime/InferredValue.h: Added.
        (JSC::InferredValue::inferredValue):
        (JSC::InferredValue::state):
        (JSC::InferredValue::isStillValid):
        (JSC::InferredValue::hasBeenInvalidated):
        (JSC::InferredValue::add):
        (JSC::InferredValue::notifyWrite):
        (JSC::InferredValue::invalidate):
        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::isValid):
        (JSC::JSEnvironmentRecord::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        (JSC::JSFunction::createImpl):
        (JSC::JSFunction::create): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSGlobalObject.h:
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::symbolTablePut):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::finishCreation):
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::JSSymbolTableObject):
        (JSC::JSSymbolTableObject::setSymbolTable):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/PutPropertySlot.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::finishCreation):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTableEntry::inferredValue): Deleted.
        (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
        (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
        (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
        (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::disableWatching):
        (JSC::SymbolTableEntry::watchpointSet):
        (JSC::SymbolTable::singletonScope):
        (JSC::SymbolTableEntry::notifyWrite): Deleted.
        * runtime/TypeProfiler.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tests/stress/infer-uninitialized-closure-var.js: Added.
        (foo.f):
        (foo):
        * tests/stress/singleton-scope-then-overwrite.js: Added.
        (foo.f):
        (foo):
        * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
        (foo):
        * tests/stress/singleton-scope-then-realloc.js: Added.
        (foo):

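        Added example (editor's illustration, not JavaScriptCore code): a self-contained
        C++ model of the InferredValue lifecycle the entry above describes. Only the method
        names mirror the API listed under runtime/InferredValue.h; the state names, the
        FunctionId stand-in for a JSFunction, OptimizedCode, tryFoldCallee and runLifecycle
        are assumptions made for this model.

```cpp
#include <functional>
#include <utility>
#include <vector>

// Watchpoint states backing an inferred value (assumed names for this model).
enum class InferredState { ClearWatchpoint, IsWatched, IsInvalidated };

// Model of InferredValue: remembers the single value ever written to it and lets
// optimized code register watchpoints that fire when that inference dies.
template <typename T>
class InferredValue {
public:
    bool isStillValid() const { return m_state == InferredState::IsWatched; }
    bool hasBeenInvalidated() const { return m_state == InferredState::IsInvalidated; }

    // nullptr means "nothing inferred yet, or inference invalidated": do not fold.
    const T* inferredValue() const { return isStillValid() ? &m_value : nullptr; }

    // Called on every write (for a FunctionExecutable: every JSFunction allocated for it).
    // First write records the value; the same value again changes nothing; a
    // different value means the singleton assumption is false forever.
    void notifyWrite(const T& value) {
        if (m_state == InferredState::ClearWatchpoint) {
            m_value = value;
            m_state = InferredState::IsWatched;
        } else if (m_state == InferredState::IsWatched && !(value == m_value)) {
            invalidate();
        }
    }

    // Optimized code that folded the value registers its watchpoint here.
    // Refused when there is no live inference to depend on.
    bool add(std::function<void()> watchpoint) {
        if (!isStillValid())
            return false;
        m_watchpoints.push_back(std::move(watchpoint));
        return true;
    }

    // Fires every registered watchpoint exactly once and drops the value.
    void invalidate() {
        if (hasBeenInvalidated())
            return;
        m_state = InferredState::IsInvalidated;
        std::vector<std::function<void()>> toFire;
        toFire.swap(m_watchpoints);   // swap first: a watchpoint may re-enter
        for (auto& fire : toFire)
            fire();
    }

private:
    InferredState m_state = InferredState::ClearWatchpoint;
    T m_value{};
    std::vector<std::function<void()>> m_watchpoints;
};

using FunctionId = int;   // stand-in for a JSFunction*

// Stand-in for DFG code that constant-folded GetCallee.
struct OptimizedCode {
    FunctionId foldedCallee = 0;
    bool jettisoned = false;   // set by the watchpoint when the inference dies
};

// Folds the callee only while the executable still has exactly one function,
// and ties the folded code's validity to that fact via a watchpoint.
bool tryFoldCallee(InferredValue<FunctionId>& singletonFunction, OptimizedCode& code) {
    const FunctionId* callee = singletonFunction.inferredValue();
    if (!callee)
        return false;
    code.foldedCallee = *callee;
    return singletonFunction.add([&code] { code.jettisoned = true; });
}

struct LifecycleResult {
    bool folded; FunctionId foldedCallee;
    bool jettisonedAfterSameValue, jettisonedAfterSecondFunction, foldableAfterInvalidation;
};

// Walks one executable's singleton inference through the lifecycle described above.
LifecycleResult runLifecycle() {
    InferredValue<FunctionId> singletonFunction;   // owned by the executable
    OptimizedCode code;
    LifecycleResult r{};

    singletonFunction.notifyWrite(1001);           // first closure allocated
    r.folded = tryFoldCallee(singletonFunction, code);
    r.foldedCallee = code.foldedCallee;

    singletonFunction.notifyWrite(1001);           // same value again: still a singleton
    r.jettisonedAfterSameValue = code.jettisoned;

    singletonFunction.notifyWrite(1002);           // second closure: inference dies, watchpoint fires
    r.jettisonedAfterSecondFunction = code.jettisoned;

    OptimizedCode later;                           // a later compile must refuse to fold
    r.foldableAfterInvalidation = tryFoldCallee(singletonFunction, later);
    return r;
}
```

        The guard is the point: optimized code may fold the callee only while
        inferredValue() is non-null, and it must register a watchpoint so that the second
        allocation jettisons it rather than letting it keep running with a stale constant.
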
2015-04-13  Andreas Kling  <akling@apple.com>

        Don't segregate heap objects based on Structure immortality.
        <https://webkit.org/b/143638>

        Reviewed by Darin Adler.

        Put all objects that need a destructor call into the same MarkedBlock.
        This reduces memory consumption in many situations, while improving locality,
        since much more of the MarkedBlock space can be shared.

        Instead of branching on the MarkedBlock type, we now check a bit in the
        JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
        to access the cell's Structure during destruction or not.

        Performance benchmarks look mostly neutral. Maybe a small regression on
        SunSpider's date objects.

        On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
        with a bunch of WeakBlocks that were hanging off of them. That's on the higher
        end of savings we can get from this, but still a very real improvement.

        Most of this patch is removing the "hasImmortalStructure" constant from JSCell
        derived classes and passing that responsibility to the StructureIsImmortal flag.
        StructureFlags is made public so that it's accessible from non-member functions.
        I made sure to declare it everywhere and make classes final to try to make it
        explicit what each class is doing to its inherited flags.

        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
        * heap/Heap.h:
        (JSC::Heap::subspaceForObjectDestructor):
        (JSC::Heap::allocatorForObjectWithDestructor):
        (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
        (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
        (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
        * heap/HeapInlines.h:
        (JSC::Heap::allocateWithDestructor):
        (JSC::Heap::allocateObjectOfType):
        (JSC::Heap::subspaceForObjectOfType):
        (JSC::Heap::allocatorForObjectOfType):
        (JSC::Heap::allocateWithNormalDestructor): Deleted.
        (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateBlock):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::needsDestruction):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::init):
        (JSC::MarkedAllocator::destructorType): Deleted.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::sweepHelper):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::needsDestruction):
        (JSC::MarkedBlock::destructorType): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::forEachAllocator):
        (JSC::MarkedSpace::isPagedOut):
        (JSC::MarkedSpace::clearNewlyAllocated):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
        (JSC::MarkedSpace::destructorAllocatorFor):
        (JSC::MarkedSpace::allocateWithDestructor):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
        (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
        (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
        (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
        (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
        (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.h:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * jsc.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayIteratorPrototype.h:
        * runtime/BooleanPrototype.h:
        * runtime/ClonedArguments.h:
        * runtime/CustomGetterSetter.h:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.h:
        * runtime/ExceptionHelpers.h:
        * runtime/Executable.h:
        * runtime/GenericArguments.h:
        * runtime/GetterSetter.h:
        * runtime/InternalFunction.h:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSArgumentsIterator.h:
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.h:
        * runtime/JSBoundFunction.h:
        * runtime/JSCallee.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSDataViewPrototype.h:
        * runtime/JSEnvironmentRecord.h:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSNameScope.h:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPromiseReaction.h:
        * runtime/JSPropertyNameEnumerator.h:
        * runtime/JSProxy.h:
        * runtime/JSScope.h:
        * runtime/JSString.h:
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::structureIsImmortal):
        * runtime/MathObject.h:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/RegExp.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.h:
        * runtime/ScopedArgumentsTable.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.h:
        * runtime/StringConstructor.h:
        * runtime/StringIteratorPrototype.h:
        * runtime/StringObject.h:
        * runtime/StringPrototype.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        * runtime/StructureChain.h:
        * runtime/StructureRareData.h:
        * runtime/Symbol.h:
        * runtime/SymbolPrototype.h:
        * runtime/SymbolTable.h:
        * runtime/WeakMapData.h:

2015-04-13  Mark Lam  <mark.lam@apple.com>

        DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=143407

        Reviewed by Filip Pizlo.

        DFG inlining of a varargs call / construct needs to keep the local
        containing the callee alive with a Phantom node because the LoadVarargs
        node may OSR exit.  After the OSR exit, the baseline JIT executes the
        op_call_varargs with that callee in the local.

        Previously, because that callee local was not explicitly kept alive,
        the op_call_varargs case can OSR exit a DFG function and leave an
        undefined value in that local.  As a result, the baseline observes the
        side effect of an op_call_varargs on an undefined value instead of the
        function it expected.

        Note: this issue does not manifest with op_construct_varargs because
        the inlined constructor will have an op_create_this which operates on
        the incoming callee value, thereby keeping it alive.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
        (foo):
        (Foo):
        (doTest):

2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Array.prototype.values
        https://bugs.webkit.org/show_bug.cgi?id=143633

        Reviewed by Darin Adler.

        Symbol.unscopables is implemented, so we can implement Array.prototype.values
        without largely breaking the web. The following script passes.

        // assert helper added so the script runs stand-alone; the original assumes a test harness
        function assert(actual, expected) {
            if (actual !== expected) throw new Error("expected " + expected + ", got " + actual);
        }
        var array = [];
        var values = 42;
        with (array) {
            assert(values, 42);
        }

        * runtime/ArrayPrototype.cpp:
        * tests/stress/array-iterators-next.js:
        * tests/stress/map-iterators-next.js:
        * tests/stress/set-iterators-next.js:
        * tests/stress/values-unscopables.js: Added.
        (test):

2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Run flaky conservative GC related test first before polluting stack and registers
        https://bugs.webkit.org/show_bug.cgi?id=143634

        Reviewed by Ryosuke Niwa.

        After r182653, JSC API tests fail. However, it's not related to the change.
        After investigating the cause of this failure, I've found that the failed test is flaky
        because JSC's GC is conservative. If a previously allocated JSGlobalObject is accidentally kept alive
        due to conservative roots in the C stack and registers, this test fails.

        Since the GC marks the C stack and registers as roots conservatively,
        objects not referenced logically can be accidentally marked and kept alive.
        To avoid this situation as much as we can,
        1. run this test first before the stack is polluted,
        2. extract this test as a function to suppress stack height.

        * API/tests/testapi.mm:
        (testWeakValue):
        (testObjectiveCAPIMain):
        (testObjectiveCAPI):

2015-04-11  Matt Baker  <mattbaker@apple.com>

        Web Inspector: create content view and details sidebar for Frames timeline
        https://bugs.webkit.org/show_bug.cgi?id=143533

        Reviewed by Timothy Hatcher.

        Refactoring: RunLoop prefix changed to RenderingFrame.

        * inspector/protocol/Timeline.json:

2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Enable Symbol in web pages
        https://bugs.webkit.org/show_bug.cgi?id=143375

        Reviewed by Ryosuke Niwa.

        Expose Symbol to web pages.
        Symbol was exposed, but it was hidden since it broke Facebook comments.
        This is because at that time Symbol was implemented,
        but methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
        and that broke React.js and immutable.js.

        Now methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
        and we have made sure that Facebook comment input functionality is not broken with exposed Symbol.

        So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
        and enables symbols by default.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/RuntimeFlags.h:

2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        ES6: Iterator toString names should be consistent
        https://bugs.webkit.org/show_bug.cgi?id=142424

        Reviewed by Geoffrey Garen.

        Iterator Object Names in the spec right now have spaces.
        In our implementation some do and some don't.
        This patch aligns JSC to the spec.

        * runtime/JSArrayIterator.cpp:
        * runtime/JSStringIterator.cpp:
        * tests/stress/iterator-names.js: Added.
        (test):
        (iter):
        (check):

2015-04-10  Michael Saboff  <msaboff@apple.com>

        REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
        https://bugs.webkit.org/show_bug.cgi?id=143582

        Reviewed by Mark Lam.

        For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
        fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
        For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
        The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
        if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
        we would still OSR exit after the speculation check.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):

2015-04-10  Milan Crha  <mcrha@redhat.com>

        Disable Linux-specific code in a Windows build
        https://bugs.webkit.org/show_bug.cgi?id=137973

        Reviewed by Joseph Pecoraro.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):

2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
        https://bugs.webkit.org/show_bug.cgi?id=143368

        Reviewed by Michael Saboff.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):

2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
        https://bugs.webkit.org/show_bug.cgi?id=143430

        Reviewed by Darin Adler.

        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoFuncToString):

2015-04-08  Filip Pizlo  <fpizlo@apple.com>

        JSArray::sortNumeric should handle ArrayWithUndecided
        https://bugs.webkit.org/show_bug.cgi?id=143535

        Reviewed by Geoffrey Garen.

        ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.

        * runtime/JSArray.cpp:
        (JSC::JSArray::sortNumeric):
        * tests/stress/sort-array-with-undecided.js: Added.

2015-04-08  Filip Pizlo  <fpizlo@apple.com>

        DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
        https://bugs.webkit.org/show_bug.cgi?id=143532

        Reviewed by Gavin Barraclough.

        Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
        But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
        would think that there never was wrap-around.

        This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::isValid):

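        Added example (editor's illustration, not the patch's code): the ChangeLog does
        not show the check that was fixed, so addWrapsUndefinedBehavior below is an
        assumed form of the pattern, placed beside two checks that are defined for every
        input. safeToCombineBoundsCheck is likewise a hypothetical precondition, not the
        DFG's isValid().

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// BEFORE (assumed shape of the bug; the ChangeLog does not show the original):
// detects int32 wrap-around by performing the very addition that may wrap.
// Signed overflow is undefined behavior in C++, so the optimizer may assume
// `sum` never wrapped and fold this whole function to `false`. Not asserted on
// anywhere, because its result is not defined.
bool addWrapsUndefinedBehavior(int32_t a, int32_t b) {
    int32_t sum = a + b;   // UB whenever the mathematical sum leaves int32 range
    return (b > 0 && sum < a) || (b < 0 && sum > a);
}

// AFTER: widen first. Every operation is defined, so the answer is the same at
// -O0 and -O3 with any compiler (GCC/Clang also offer __builtin_add_overflow).
bool addWraps(int32_t a, int32_t b) {
    const int64_t sum = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    return sum > std::numeric_limits<int32_t>::max()
        || sum < std::numeric_limits<int32_t>::min();
}

// AFTER, alternative without a wider type: unsigned arithmetic is defined modulo
// 2^32. Overflow happened iff a and b share a sign and the wrapped sum has the
// other one. (uint32_t -> int32_t conversion is implementation-defined before
// C++20 and two's-complement modular from C++20 on.)
bool addWrapsUnsigned(int32_t a, int32_t b) {
    const uint32_t wrapped = static_cast<uint32_t>(a) + static_cast<uint32_t>(b);
    const int32_t sum = static_cast<int32_t>(wrapped);
    return ((a ^ sum) & (b ^ sum)) < 0;
}

// The kind of precondition an "only valid without wrap-around" optimization
// needs (hypothetical, not the DFG's isValid()): a bounds check on
// index + offset may stand in for one on index only if adding offset cannot
// carry index across the int32 boundary.
bool safeToCombineBoundsCheck(int32_t index, int32_t offset) {
    return !addWraps(index, offset);
}

int main() {
    const int32_t max = std::numeric_limits<int32_t>::max();
    std::printf("addWraps(INT32_MAX, 1)                 = %d\n", addWraps(max, 1));
    std::printf("addWrapsUnsigned(INT32_MAX, 1)         = %d\n", addWrapsUnsigned(max, 1));
    std::printf("safeToCombineBoundsCheck(INT32_MAX, 1) = %d\n", safeToCombineBoundsCheck(max, 1));
    return 0;
}
```

        Building the "before" form with -fsanitize=undefined is the quickest way to see
        the difference: the sanitizer reports the signed overflow at runtime, while the
        widened and unsigned versions are silent and agree at every optimization level.
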
2015-04-07  Michael Saboff  <msaboff@apple.com>

        Lazily initialize LogToSystemConsole flag to reduce memory usage
        https://bugs.webkit.org/show_bug.cgi?id=143506

        Reviewed by Mark Lam.

        Only call into CF preferences code when we need to in order to reduce memory usage.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
        (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
        (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
        (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):

2015-04-07  Benjamin Poulain  <benjamin@webkit.org>

        Get the features.json files ready for open contributions
        https://bugs.webkit.org/show_bug.cgi?id=143436

        Reviewed by Darin Adler.

        * features.json:

668 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
669
670         Constant folding of typed array properties should be handled by AI rather than strength reduction
671         https://bugs.webkit.org/show_bug.cgi?id=143496
672
673         Reviewed by Geoffrey Garen.
674         
675         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
676         phase and whatever other phase did the folding in order to find all constants.
677         
678         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
679         directly.
680         
681         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
682         found because all of the tests for it involved the property getting constant folded. I found that
683         the codegen was bad because an earlier version of the patch broke that constant folding. This
684         adds a new test for that node type, which makes constant folding impossible by allocating a new
685         typed array every time. The lesson here is: if you write a test for something, run the test with
686         full IR dumps to make sure it's actually testing the thing you want it to test.
687
688         * dfg/DFGAbstractInterpreterInlines.h:
689         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
690         * dfg/DFGClobberize.h:
691         (JSC::DFG::clobberize):
692         * dfg/DFGConstantFoldingPhase.cpp:
693         (JSC::DFG::ConstantFoldingPhase::foldConstants):
694         * dfg/DFGDoesGC.cpp:
695         (JSC::DFG::doesGC):
696         * dfg/DFGFixupPhase.cpp:
697         (JSC::DFG::FixupPhase::fixupNode):
698         * dfg/DFGGraph.cpp:
699         (JSC::DFG::Graph::dump):
700         (JSC::DFG::Graph::tryGetFoldableView):
701         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
702         * dfg/DFGGraph.h:
703         * dfg/DFGNode.h:
704         (JSC::DFG::Node::hasTypedArray): Deleted.
705         (JSC::DFG::Node::typedArray): Deleted.
706         * dfg/DFGNodeType.h:
707         * dfg/DFGPredictionPropagationPhase.cpp:
708         (JSC::DFG::PredictionPropagationPhase::propagate):
709         * dfg/DFGSafeToExecute.h:
710         (JSC::DFG::safeToExecute):
711         * dfg/DFGSpeculativeJIT.cpp:
712         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
713         * dfg/DFGSpeculativeJIT32_64.cpp:
714         (JSC::DFG::SpeculativeJIT::compile):
715         * dfg/DFGSpeculativeJIT64.cpp:
716         (JSC::DFG::SpeculativeJIT::compile):
717         * dfg/DFGStrengthReductionPhase.cpp:
718         (JSC::DFG::StrengthReductionPhase::handleNode):
719         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
720         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
721         * dfg/DFGWatchpointCollectionPhase.cpp:
722         (JSC::DFG::WatchpointCollectionPhase::handle):
723         (JSC::DFG::WatchpointCollectionPhase::addLazily):
724         * ftl/FTLCapabilities.cpp:
725         (JSC::FTL::canCompile):
726         * ftl/FTLLowerDFGToLLVM.cpp:
727         (JSC::FTL::LowerDFGToLLVM::compileNode):
728         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
729         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
730         * tests/stress/fold-typed-array-properties.js:
731         (foo):
732         * tests/stress/typed-array-byte-offset.js: Added.
733         (foo):
734
735 2015-04-07  Matthew Mirman  <mmirman@apple.com>
736
737         Source and stack information should get appended only to native errors
738         and should be added directly after construction rather than when thrown. 
739         This fixes frozen objects being unfrozen when thrown while conforming to the
740         ECMAScript standard and other browser behavior.
741         rdar://problem/19927293
742         https://bugs.webkit.org/show_bug.cgi?id=141871
743         
744         Reviewed by Geoffrey Garen.
745
746         Appending stack, source, line, and column information to an object whenever that object is thrown 
747         is incorrect because it violates the ECMAScript standard for the behavior of throw.  Suppose for example
748         that the object being thrown already has one of these properties or is frozen.  Adding the properties 
749         would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
750         and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
751         a control flow construct rather than just an error reporting mechanism.  
752         
753         Because WebCore adds "native" errors which do not inherit from any JSC native error, 
754         appending the error properties as a separate call after construction of the error is required 
755         to avoid having to manually truncate the stack and gather local source information due to 
756         the stack being extended by a nested call to construct one of the native JSC errors.
757         
758         * interpreter/Interpreter.cpp:
759         (JSC::Interpreter::execute):
760         * interpreter/Interpreter.h:
761         * parser/ParserError.h:
762         (JSC::ParserError::toErrorObject):
763         * runtime/CommonIdentifiers.h:
764         * runtime/Error.cpp:
765         (JSC::createError):
766         (JSC::createEvalError):
767         (JSC::createRangeError):
768         (JSC::createReferenceError):
769         (JSC::createSyntaxError):
770         (JSC::createTypeError):
771         (JSC::createNotEnoughArgumentsError):
772         (JSC::createURIError):
773         (JSC::createOutOfMemoryError):
774         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
775         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
776         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
777         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
778         (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
779         (JSC::addErrorInfo): Added special case for appending complete error info 
780         to a newly constructed error object.
781         * runtime/Error.h:
782         * runtime/ErrorConstructor.cpp:
783         (JSC::Interpreter::constructWithErrorConstructor):
784         (JSC::Interpreter::callErrorConstructor):
785         * runtime/ErrorInstance.cpp:
786         (JSC::appendSourceToError): Moved from VM.cpp
787         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
788         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
789         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
790         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
791         (JSC::addErrorInfoAndGetBytecodeOffset):
792         (JSC::ErrorInstance::finishCreation):
793         * runtime/ErrorInstance.h:
794         (JSC::ErrorInstance::create):
795         * runtime/ErrorPrototype.cpp:
796         (JSC::ErrorPrototype::finishCreation):
797         * runtime/ExceptionFuzz.cpp:
798         (JSC::doExceptionFuzzing):
799         * runtime/ExceptionHelpers.cpp:
800         (JSC::createError):
801         (JSC::createInvalidFunctionApplyParameterError):
802         (JSC::createInvalidInParameterError):
803         (JSC::createInvalidInstanceofParameterError):
804         (JSC::createNotAConstructorError):
805         (JSC::createNotAFunctionError):
806         (JSC::createNotAnObjectError):
807         (JSC::throwOutOfMemoryError):
808         (JSC::createStackOverflowError): Deleted.
809         (JSC::createOutOfMemoryError): Deleted.
810         * runtime/ExceptionHelpers.h:
811         * runtime/JSArrayBufferConstructor.cpp:
812         (JSC::constructArrayBuffer):
813         * runtime/JSArrayBufferPrototype.cpp:
814         (JSC::arrayBufferProtoFuncSlice):
815         * runtime/JSGenericTypedArrayViewInlines.h:
816         (JSC::JSGenericTypedArrayView<Adaptor>::create):
817         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
818         * runtime/NativeErrorConstructor.cpp:
819         (JSC::Interpreter::constructWithNativeErrorConstructor):
820         (JSC::Interpreter::callNativeErrorConstructor):
821         * runtime/VM.cpp:
822         (JSC::VM::throwException):
823         (JSC::appendSourceToError): Moved to Error.cpp
824         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
825         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
826         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
827         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
828         * tests/stress/freeze_leek.js: Added.
829
830 2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>
831
832         Web Inspector: ES6: Show Symbol properties on Objects
833         https://bugs.webkit.org/show_bug.cgi?id=141279
834
835         Reviewed by Timothy Hatcher.
836
837         * inspector/protocol/Runtime.json:
838         Give PropertyDescriptor a reference to the Symbol RemoteObject
839         if the property is a symbol property.
840
841         * inspector/InjectedScriptSource.js:
842         Enumerate symbol properties on objects.
843
844 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
845
846         Make it possible to enable LLVM FastISel
847         https://bugs.webkit.org/show_bug.cgi?id=143489
848
849         Reviewed by Michael Saboff.
850
851         The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
852         against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
853         if we should enable it.
854
855         * ftl/FTLCompile.cpp:
856         (JSC::FTL::mmAllocateDataSection):
857         * llvm/InitializeLLVM.cpp:
858         (JSC::initializeLLVMImpl):
859         * llvm/InitializeLLVM.h:
860         * llvm/InitializeLLVMLinux.cpp:
861         (JSC::getLLVMInitializerFunction):
862         (JSC::initializeLLVMImpl): Deleted.
863         * llvm/InitializeLLVMMac.cpp:
864         (JSC::getLLVMInitializerFunction):
865         (JSC::initializeLLVMImpl): Deleted.
866         * llvm/InitializeLLVMPOSIX.cpp:
867         (JSC::getLLVMInitializerFunctionPOSIX):
868         (JSC::initializeLLVMPOSIX): Deleted.
869         * llvm/InitializeLLVMPOSIX.h:
870         * llvm/InitializeLLVMWin.cpp:
871         (JSC::getLLVMInitializerFunction):
872         (JSC::initializeLLVMImpl): Deleted.
873         * llvm/LLVMAPI.cpp:
874         * llvm/LLVMAPI.h:
875         * llvm/library/LLVMExports.cpp:
876         (initCommandLine):
877         (initializeAndGetJSCLLVMAPI):
878         * runtime/Options.cpp:
879         (JSC::Options::initialize):
880
881 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
882
883         put_by_val_direct needs to check whether the property is an index or not before using putDirect / putDirectIndex
884         https://bugs.webkit.org/show_bug.cgi?id=140426
885
886         Reviewed by Darin Adler.
887
888         In the put_by_val_direct operation, we use JSObject::putDirect.
889         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
890         This patch checks whether the toString-ed Identifier is an index or not to choose between putDirect and putDirectIndex.
891
892         * dfg/DFGOperations.cpp:
893         (JSC::DFG::putByVal):
894         (JSC::DFG::operationPutByValInternal):
895         * jit/JITOperations.cpp:
896         * llint/LLIntSlowPaths.cpp:
897         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
898         * runtime/Identifier.h:
899         (JSC::isIndex):
900         (JSC::parseIndex):
901         * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
902         (lookupWithKey):
903         (toStringThrowsError.toString):
904
905 2015-04-06  Alberto Garcia  <berto@igalia.com>
906
907         [GTK] Fix HPPA build
908         https://bugs.webkit.org/show_bug.cgi?id=143453
909
910         Reviewed by Darin Adler.
911
912         Add HPPA to the list of supported CPUs.
913
914         * CMakeLists.txt:
915
916 2015-04-06  Mark Lam  <mark.lam@apple.com>
917
918         In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
919         <https://webkit.org/b/143396>
920
921         Reviewed by Filip Pizlo.
922
923         The DFG was neglecting to set the result boolean.  The FTL was setting it with
924         an inverted value.  Both of these are now resolved.
925
926         * dfg/DFGSpeculativeJIT64.cpp:
927         (JSC::DFG::SpeculativeJIT::compile):
928         * ftl/FTLLowerDFGToLLVM.cpp:
929         (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
930         * tests/stress/for-in-array-mode.js: Added.
931         (.):
932         (test):
933
934 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
935
936         [ES6] DFG and FTL should be aware that StringConstructor behavior for symbols becomes different from ToString
937         https://bugs.webkit.org/show_bug.cgi?id=143424
938
939         Reviewed by Geoffrey Garen.
940
941         In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).
942
943         ToString(symbol) throws a type error.
944         However, String(symbol) produces SymbolDescriptiveString(symbol).
945
946         So, in DFG and FTL phase, they should not inline StringConstructor to ToString.
947
948         Now, in the template literals patch, ToString DFG operation is planned to be used.
949         And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
950         So instead of changing ToString behavior, this patch adds a CallStringConstructor operation to DFG and FTL.
951         In CallStringConstructor, all behavior in DFG analysis is the same as for ToString.
952         The only difference from ToString is that, when calling DFG operation functions, it calls
953         operationCallStringConstructorOnCell and operationCallStringConstructor instead of
954         operationToStringOnCell and operationToString.
955
956         * dfg/DFGAbstractInterpreterInlines.h:
957         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
958         * dfg/DFGBackwardsPropagationPhase.cpp:
959         (JSC::DFG::BackwardsPropagationPhase::propagate):
960         * dfg/DFGByteCodeParser.cpp:
961         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
962         * dfg/DFGClobberize.h:
963         (JSC::DFG::clobberize):
964         * dfg/DFGDoesGC.cpp:
965         (JSC::DFG::doesGC):
966         * dfg/DFGFixupPhase.cpp:
967         (JSC::DFG::FixupPhase::fixupNode):
968         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
969         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
970         (JSC::DFG::FixupPhase::fixupToString): Deleted.
971         * dfg/DFGNodeType.h:
972         * dfg/DFGOperations.cpp:
973         * dfg/DFGOperations.h:
974         * dfg/DFGPredictionPropagationPhase.cpp:
975         (JSC::DFG::PredictionPropagationPhase::propagate):
976         * dfg/DFGSafeToExecute.h:
977         (JSC::DFG::safeToExecute):
978         * dfg/DFGSpeculativeJIT.cpp:
979         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
980         (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
981         * dfg/DFGSpeculativeJIT.h:
982         * dfg/DFGSpeculativeJIT32_64.cpp:
983         (JSC::DFG::SpeculativeJIT::compile):
984         * dfg/DFGSpeculativeJIT64.cpp:
985         (JSC::DFG::SpeculativeJIT::compile):
986         * dfg/DFGStructureRegistrationPhase.cpp:
987         (JSC::DFG::StructureRegistrationPhase::run):
988         * ftl/FTLCapabilities.cpp:
989         (JSC::FTL::canCompile):
990         * ftl/FTLLowerDFGToLLVM.cpp:
991         (JSC::FTL::LowerDFGToLLVM::compileNode):
992         (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
993         (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
994         * runtime/StringConstructor.cpp:
995         (JSC::stringConstructor):
996         (JSC::callStringConstructor):
997         * runtime/StringConstructor.h:
998         * tests/stress/symbol-and-string-constructor.js: Added.
999         (performString):
1000
1001 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1002
1003         Return Optional<uint32_t> from PropertyName::asIndex
1004         https://bugs.webkit.org/show_bug.cgi?id=143422
1005
1006         Reviewed by Darin Adler.
1007
1008         PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
1009         But that is not obvious to callers.
1010
1011         This patch changes
1012         1. PropertyName::asIndex() to return Optional<uint32_t> and
1013         2. function name `asIndex()` to `parseIndex()`.
1014         It forces callers to check explicitly whether the value is an index or not.
1015
1016         * bytecode/GetByIdStatus.cpp:
1017         (JSC::GetByIdStatus::computeFor):
1018         * bytecode/PutByIdStatus.cpp:
1019         (JSC::PutByIdStatus::computeFor):
1020         * bytecompiler/BytecodeGenerator.cpp:
1021         (JSC::BytecodeGenerator::emitDirectPutById):
1022         * jit/Repatch.cpp:
1023         (JSC::emitPutTransitionStubAndGetOldStructure):
1024         * jsc.cpp:
1025         * runtime/ArrayPrototype.cpp:
1026         (JSC::arrayProtoFuncSort):
1027         * runtime/GenericArgumentsInlines.h:
1028         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1029         (JSC::GenericArguments<Type>::put):
1030         (JSC::GenericArguments<Type>::deleteProperty):
1031         (JSC::GenericArguments<Type>::defineOwnProperty):
1032         * runtime/Identifier.h:
1033         (JSC::parseIndex):
1034         (JSC::Identifier::isSymbol):
1035         * runtime/JSArray.cpp:
1036         (JSC::JSArray::defineOwnProperty):
1037         * runtime/JSCJSValue.cpp:
1038         (JSC::JSValue::putToPrimitive):
1039         * runtime/JSGenericTypedArrayViewInlines.h:
1040         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1041         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1042         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1043         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1044         * runtime/JSObject.cpp:
1045         (JSC::JSObject::put):
1046         (JSC::JSObject::putDirectAccessor):
1047         (JSC::JSObject::putDirectCustomAccessor):
1048         (JSC::JSObject::deleteProperty):
1049         (JSC::JSObject::putDirectMayBeIndex):
1050         (JSC::JSObject::defineOwnProperty):
1051         * runtime/JSObject.h:
1052         (JSC::JSObject::getOwnPropertySlot):
1053         (JSC::JSObject::getPropertySlot):
1054         (JSC::JSObject::putDirectInternal):
1055         * runtime/JSString.cpp:
1056         (JSC::JSString::getStringPropertyDescriptor):
1057         * runtime/JSString.h:
1058         (JSC::JSString::getStringPropertySlot):
1059         * runtime/LiteralParser.cpp:
1060         (JSC::LiteralParser<CharType>::parse):
1061         * runtime/PropertyName.h:
1062         (JSC::parseIndex):
1063         (JSC::toUInt32FromCharacters): Deleted.
1064         (JSC::toUInt32FromStringImpl): Deleted.
1065         (JSC::PropertyName::asIndex): Deleted.
1066         * runtime/PropertyNameArray.cpp:
1067         (JSC::PropertyNameArray::add):
1068         * runtime/StringObject.cpp:
1069         (JSC::StringObject::deleteProperty):
1070         * runtime/Structure.cpp:
1071         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1072
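The two Yusuke Suzuki entries above (put_by_val_direct choosing putDirect vs. putDirectIndex, and asIndex() becoming an Optional-returning parseIndex()) both turn on the same question: is a property key the canonical spelling of an array index? This added example, not JSC's implementation, shows such a parser with an optional result and the dispatch that depends on it; UINT32_MAX is excluded because it is not a valid index, which is exactly why using it as a sentinel was easy to misread.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <string_view>

// Constructed stand-in for parseIndex(): a key is an array index only if it
// is the canonical decimal form of an integer in [0, 2^32 - 2]. Anything
// else ("01", "-1", "1e3", "1.0", "length", "4294967295") is a named
// property. std::nullopt replaces the old UINT_MAX sentinel, so a caller
// cannot accidentally treat "not an index" as the number 4294967295.
std::optional<uint32_t> parseIndex(std::string_view key)
{
    if (key.empty() || key.size() > 10)        // 4294967295 has 10 digits
        return std::nullopt;
    if (key.size() > 1 && key[0] == '0')       // leading zeros are not canonical
        return std::nullopt;
    uint64_t value = 0;                        // 10 digits cannot overflow uint64_t
    for (char c : key) {
        if (c < '0' || c > '9')
            return std::nullopt;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (value >= std::numeric_limits<uint32_t>::max())   // 2^32 - 1 is not an index
        return std::nullopt;
    return static_cast<uint32_t>(value);
}

// Constructed stand-in for the putDirect / putDirectIndex decision: indexed
// storage only when the key parses as an index, named storage otherwise.
enum class Storage { Indexed, Named };

Storage chooseStorage(std::string_view key)
{
    return parseIndex(key).has_value() ? Storage::Indexed : Storage::Named;
}
```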
1073 2015-04-05  Andreas Kling  <akling@apple.com>
1074
1075         URI encoding/escaping should use efficient string building instead of calling snprintf().
1076         <https://webkit.org/b/143426>
1077
1078         Reviewed by Gavin Barraclough.
1079
1080         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
1081         which seemed pretty silly. This change gets that down to nothing in favor of using our
1082         existing JSStringBuilder and HexNumber.h facilities.
1083
1084         These APIs are well-exercised by our existing test suite.
1085
1086         * runtime/JSGlobalObjectFunctions.cpp:
1087         (JSC::encode):
1088         (JSC::globalFuncEscape):
1089
1090 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
1091
1092         documentation for ES Promises points to the wrong one
1093         https://bugs.webkit.org/show_bug.cgi?id=143263
1094
1095         Reviewed by Darin Adler.
1096
1097         * features.json:
1098
1099 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
1100
1101         Remove "go ahead and" from comments
1102         https://bugs.webkit.org/show_bug.cgi?id=143421
1103
1104         Reviewed by Darin Adler, Benjamin Poulain.
1105
1106         Remove the phrase "go ahead and" from comments where it doesn't add
1107         anything (which is almost all of them).
1108
1109         * interpreter/JSStack.cpp:
1110         (JSC::JSStack::growSlowCase):
1111
1112 2015-04-04  Andreas Kling  <akling@apple.com>
1113
1114         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1115         <https://webkit.org/b/143210>
1116
1117         Reviewed by Geoffrey Garen.
1118
1119         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1120         we had a little problem where WeakBlocks with only null pointers would still keep their
1121         MarkedBlock alive.
1122
1123         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1124         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1125         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1126         destroying them once they're fully dead.
1127
1128         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1129         a mysterious issue where doing two full garbage collections back-to-back would free additional
1130         memory in the second collection.
1131
1132         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1133         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1134         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1135
1136         * heap/Heap.h:
1137         * heap/Heap.cpp:
1138         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1139         owned by Heap, after everything else has been swept.
1140
1141         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1142         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1143         they are unlikely to cause entire WeakBlocks to go empty.
1144
1145         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1146         to the Heap when it's detached from a WeakSet.
1147
1148         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1149         of the logically empty WeakBlocks owned by Heap.
1150
1151         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1152         and updates the next-logically-empty-weak-block-to-sweep index.
1153
1154         (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
1155         won't be another chance after this.
1156
1157         * heap/IncrementalSweeper.h:
1158         (JSC::IncrementalSweeper::hasWork): Deleted.
1159
1160         * heap/IncrementalSweeper.cpp:
1161         (JSC::IncrementalSweeper::fullSweep):
1162         (JSC::IncrementalSweeper::doSweep):
1163         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1164         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1165         changed to return a bool (true if there's more work to be done).
1166
1167         * heap/WeakBlock.cpp:
1168         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1169         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1170
1171         * heap/WeakBlock.h:
1172         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1173         if the WeakBlock could be detached from the MarkedBlock.
1174
1175         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1176         when declaring them.
1177
1178 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1179
1180         Implement ES6 Object.getOwnPropertySymbols
1181         https://bugs.webkit.org/show_bug.cgi?id=141106
1182
1183         Reviewed by Geoffrey Garen.
1184
1185         This patch implements `Object.getOwnPropertySymbols`.
1186         One technical issue is that, since we use private symbols (such as `@Object`) in the
1187         privileged JS code in `builtins/`, they should not be exposed.
1188         To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
1189         before adding it into PropertyNameArray.
1190
1191         To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`,
1192         since all private symbols are held in this map.
1193
1194         * builtins/BuiltinExecutables.cpp:
1195         (JSC::BuiltinExecutables::createExecutableInternal):
1196         * builtins/BuiltinNames.h:
1197         (JSC::BuiltinNames::isPrivateName):
1198         * runtime/CommonIdentifiers.cpp:
1199         (JSC::CommonIdentifiers::isPrivateName):
1200         * runtime/CommonIdentifiers.h:
1201         * runtime/EnumerationMode.h:
1202         (JSC::EnumerationMode::EnumerationMode):
1203         (JSC::EnumerationMode::includeSymbolProperties):
1204         * runtime/ExceptionHelpers.cpp:
1205         (JSC::createUndefinedVariableError):
1206         * runtime/JSGlobalObject.cpp:
1207         (JSC::JSGlobalObject::init):
1208         * runtime/JSLexicalEnvironment.cpp:
1209         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1210         * runtime/JSSymbolTableObject.cpp:
1211         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1212         * runtime/ObjectConstructor.cpp:
1213         (JSC::ObjectConstructor::finishCreation):
1214         (JSC::objectConstructorGetOwnPropertySymbols):
1215         (JSC::defineProperties):
1216         (JSC::objectConstructorSeal):
1217         (JSC::objectConstructorFreeze):
1218         (JSC::objectConstructorIsSealed):
1219         (JSC::objectConstructorIsFrozen):
1220         * runtime/ObjectConstructor.h:
1221         (JSC::ObjectConstructor::create):
1222         * runtime/Structure.cpp:
1223         (JSC::Structure::getPropertyNamesFromStructure):
1224         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
1225         (compare):
1226         * tests/stress/object-get-own-property-symbols.js: Added.
1227         (forIn):
1228         * tests/stress/symbol-define-property.js: Added.
1229         (testSymbol):
1230         * tests/stress/symbol-seal-and-freeze.js: Added.
1231         * tests/stress/symbol-with-json.js: Added.
1232
1233 2015-04-03  Mark Lam  <mark.lam@apple.com>
1234
1235         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
1236         <https://webkit.org/b/143385>
1237
1238         Reviewed by Geoffrey Garen.
1239
1240         For debugging purposes, sometimes, we want to be able to make compilation happen
1241         sooner to see if we can accelerate the manifestation of certain events / bugs.
1242         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
1243         which make up the compilation policy.  Let's add a single knob that can tune all
1244         the thresholds up / down in one go proportionately so that we can easily tweak
1245         how soon compilation occurs.
1246
1247         * runtime/Options.cpp:
1248         (JSC::scaleJITPolicy):
1249         (JSC::recomputeDependentOptions):
1250         * runtime/Options.h:
1251
1252 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
1253
1254         is* API methods should be @properties
1255         https://bugs.webkit.org/show_bug.cgi?id=143388
1256
1257         Reviewed by Mark Lam.
1258
1259         This appears to be the preferred idiom in WebKit, CA, AppKit, and
1260         Foundation.
1261
1262         * API/JSValue.h: Be @properties.
1263
1264         * API/tests/testapi.mm:
1265         (testObjectiveCAPI): Use the @properties.
1266
1267 2015-04-03  Mark Lam  <mark.lam@apple.com>
1268
1269         Some JSC Options refactoring and enhancements.
1270         <https://webkit.org/b/143384>
1271
1272         Rubber stamped by Benjamin Poulain.
1273
1274         Create a better encapsulated Option class to make working with options easier.  This
1275         is a building block towards a JIT policy scaling debugging option I will introduce later.
1276
1277         This work entails:
1278         1. Convert Options::Option into a public class Option (which works closely with Options).
1279         2. Convert Options::EntryType into an enum class Options::Type and make it public.
1280         3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
1281         4. Add misc methods to class Option to make it more usable.
1282
1283         * runtime/Options.cpp:
1284         (JSC::Options::dumpOption):
1285         (JSC::Option::dump):
1286         (JSC::Option::operator==):
1287         (JSC::Options::Option::dump): Deleted.
1288         (JSC::Options::Option::operator==): Deleted.
1289         * runtime/Options.h:
1290         (JSC::Option::Option):
1291         (JSC::Option::operator!=):
1292         (JSC::Option::name):
1293         (JSC::Option::description):
1294         (JSC::Option::type):
1295         (JSC::Option::isOverridden):
1296         (JSC::Option::defaultOption):
1297         (JSC::Option::boolVal):
1298         (JSC::Option::unsignedVal):
1299         (JSC::Option::doubleVal):
1300         (JSC::Option::int32Val):
1301         (JSC::Option::optionRangeVal):
1302         (JSC::Option::optionStringVal):
1303         (JSC::Option::gcLogLevelVal):
1304         (JSC::Options::Option::Option): Deleted.
1305         (JSC::Options::Option::operator!=): Deleted.
1306
1307 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
1308
1309         JavaScriptCore API should support type checking for Array and Date
1310         https://bugs.webkit.org/show_bug.cgi?id=143324
1311
1312         Follow-up to address a comment by Dan.
1313
1314         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
1315         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
1316         is equal to 101100.
1317
1318 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
1319
1320         JavaScriptCore API should support type checking for Array and Date
1321         https://bugs.webkit.org/show_bug.cgi?id=143324
1322
1323         Follow-up to address a comment by Dan.
1324
1325         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
1326         Added a comment explaining why.
1327
1328 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
1329
1330         FTL JIT tests should fail if LLVM library isn't available
1331         https://bugs.webkit.org/show_bug.cgi?id=143374
1332
1333         Reviewed by Mark Lam.
1334
1335         * dfg/DFGPlan.cpp:
1336         (JSC::DFG::Plan::compileInThreadImpl):
1337         * runtime/Options.h:
1338
1339 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
1340
1341         Fix the EFL and GTK build after r182243
1342         https://bugs.webkit.org/show_bug.cgi?id=143361
1343
1344         Reviewed by Csaba Osztrogonác.
1345
1346         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
1347         DerivedSources/JavaScriptCore/inspector/ directory.
1348
1349 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
1350
1351         Unreviewed, fixing Clang builds of the GTK port on Linux.
1352
1353         * runtime/Options.cpp:
1354         Include the <math.h> header for isnan().
1355
1356 2015-04-02  Mark Lam  <mark.lam@apple.com>
1357
1358         Enhance ability to dump JSC Options.
1359         <https://webkit.org/b/143357>
1360
1361         Reviewed by Benjamin Poulain.
1362
1363         Some enhancements to how the JSC options work:
1364
1365         1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
1366            2 = All, 3 = Verbose.
1367
1368            The default is 0 (None).  This dumps nothing.
1369            With the Overridden setting, at VM initialization time, we will dump all
1370            option values that have been changed from their default.
1371            With the All setting, at VM initialization time, we will dump all option values.
1372            With the Verbose setting, at VM initialization time, we will dump all option
1373            values along with their descriptions (if available).
1374
1375         2. We now store a copy of the default option values.
1376
1377            We later use this for comparison to tell if an option has been overridden, and
1378            print the default value for reference.  As a result, we no longer need the
1379            didOverride flag since we can compute whether the option is overridden at any time.
1380
1381         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
1382
1383            This will come in handy later when we want to rename some of the options to more sane
1384            names that are easier to remember.  For example, we can change
1385            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
1386            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
1387            of the description, we can afford to use shorter and less descriptive option names,
1388            but they will be easier to remember and use for day to day debugging work.
1389
1390            In this patch, I did not change the names of any of the options yet.  I only added
1391            description strings for options that I know about, and where I think the option name
1392            isn't already descriptive enough.
1393
1394         4. Also deleted some unused code.
1395
1396         * jsc.cpp:
1397         (CommandLine::parseArguments):
1398         * runtime/Options.cpp:
1399         (JSC::Options::initialize):
1400         (JSC::Options::setOption):
1401         (JSC::Options::dumpAllOptions):
1402         (JSC::Options::dumpOption):
1403         (JSC::Options::Option::dump):
1404         (JSC::Options::Option::operator==):
1405         * runtime/Options.h:
1406         (JSC::OptionRange::rangeString):
1407         (JSC::Options::Option::Option):
1408         (JSC::Options::Option::operator!=):
1409
1410 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
1411
1412         JavaScriptCore API should support type checking for Array and Date
1413         https://bugs.webkit.org/show_bug.cgi?id=143324
1414
1415         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
1416
1417         * API/JSValue.h:
1418         * API/JSValue.mm:
1419         (-[JSValue isArray]):
1420         (-[JSValue isDate]): Added an ObjC API.
1421
1422         * API/JSValueRef.cpp:
1423         (JSValueIsArray):
1424         (JSValueIsDate):
1425         * API/JSValueRef.h: Added a C API.
1426
1427         * API/WebKitAvailability.h: Brought our availability macros up to date
1428         and fixed a harmless bug where "10_10" translated to "10.0".
1429
1430         * API/tests/testapi.c:
1431         (main): Added a test and corrected a pre-existing leak.
1432
1433         * API/tests/testapi.mm:
1434         (testObjectiveCAPI): Added a test.
1435
1436 2015-04-02  Mark Lam  <mark.lam@apple.com>
1437
1438         Add Options::dumpSourceAtDFGTime().
1439         <https://webkit.org/b/143349>
1440
1441         Reviewed by Oliver Hunt, and Michael Saboff.
1442
1443         Sometimes, we will want to see the JS source code that we're compiling, and it
1444         would be nice to be able to do this without having to jump through a lot of hoops.
1445         So, let's add an Options::dumpSourceAtDFGTime() option just like we have an
1446         Options::dumpBytecodeAtDFGTime() option.
1447
1448         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
1449         that explicitly take no arguments (instead of relying on the version that takes
1450         the default argument).  These versions are friendlier to use when we want to call
1451         them from an interactive debugging session.
1452
1453         * bytecode/CodeBlock.cpp:
1454         (JSC::CodeBlock::dumpSource):
1455         (JSC::CodeBlock::dumpBytecode):
1456         * bytecode/CodeBlock.h:
1457         * dfg/DFGByteCodeParser.cpp:
1458         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1459         * runtime/Options.h:
1460
1461 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1462
1463         Clean up EnumerationMode to easily extend
1464         https://bugs.webkit.org/show_bug.cgi?id=143276
1465
1466         Reviewed by Geoffrey Garen.
1467
1468         To make the following easy:
1469         1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
1470         2. Making ExcludeSymbols implicitly the default for the existing flags
1471         we encapsulate the EnumerationMode flags into an EnumerationMode class.
1472
1473         And this class manages 2 flags. Later it will be extended to 3.
1474         1. DontEnumPropertiesMode (default is Exclude)
1475         2. JSObjectPropertiesMode (default is Include)
1476         3. SymbolPropertiesMode (default is Exclude)
1477             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
1478
1479         This patch replaces places using ExcludeDontEnumProperties
1480         with the EnumerationMode() value, which represents the default mode.
1481
1482         * API/JSCallbackObjectFunctions.h:
1483         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1484         * API/JSObjectRef.cpp:
1485         (JSObjectCopyPropertyNames):
1486         * bindings/ScriptValue.cpp:
1487         (Deprecated::jsToInspectorValue):
1488         * bytecode/ObjectAllocationProfile.h:
1489         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1490         * runtime/ArrayPrototype.cpp:
1491         (JSC::arrayProtoFuncSort):
1492         * runtime/EnumerationMode.h:
1493         (JSC::EnumerationMode::EnumerationMode):
1494         (JSC::EnumerationMode::includeDontEnumProperties):
1495         (JSC::EnumerationMode::includeJSObjectProperties):
1496         (JSC::shouldIncludeDontEnumProperties): Deleted.
1497         (JSC::shouldExcludeDontEnumProperties): Deleted.
1498         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
1499         (JSC::modeThatSkipsJSObject): Deleted.
1500         * runtime/GenericArgumentsInlines.h:
1501         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1502         * runtime/JSArray.cpp:
1503         (JSC::JSArray::getOwnNonIndexPropertyNames):
1504         * runtime/JSArrayBuffer.cpp:
1505         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
1506         * runtime/JSArrayBufferView.cpp:
1507         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1508         * runtime/JSFunction.cpp:
1509         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1510         * runtime/JSFunction.h:
1511         * runtime/JSGenericTypedArrayViewInlines.h:
1512         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
1513         * runtime/JSLexicalEnvironment.cpp:
1514         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1515         * runtime/JSONObject.cpp:
1516         (JSC::Stringifier::Holder::appendNextProperty):
1517         (JSC::Walker::walk):
1518         * runtime/JSObject.cpp:
1519         (JSC::getClassPropertyNames):
1520         (JSC::JSObject::getOwnPropertyNames):
1521         (JSC::JSObject::getOwnNonIndexPropertyNames):
1522         (JSC::JSObject::getGenericPropertyNames):
1523         * runtime/JSPropertyNameEnumerator.h:
1524         (JSC::propertyNameEnumerator):
1525         * runtime/JSSymbolTableObject.cpp:
1526         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1527         * runtime/ObjectConstructor.cpp:
1528         (JSC::objectConstructorGetOwnPropertyNames):
1529         (JSC::objectConstructorKeys):
1530         (JSC::defineProperties):
1531         (JSC::objectConstructorSeal):
1532         (JSC::objectConstructorFreeze):
1533         (JSC::objectConstructorIsSealed):
1534         (JSC::objectConstructorIsFrozen):
1535         * runtime/RegExpObject.cpp:
1536         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
1537         (JSC::RegExpObject::getPropertyNames):
1538         (JSC::RegExpObject::getGenericPropertyNames):
1539         * runtime/StringObject.cpp:
1540         (JSC::StringObject::getOwnPropertyNames):
1541         * runtime/Structure.cpp:
1542         (JSC::Structure::getPropertyNamesFromStructure):
1543
1544 2015-04-01  Alex Christensen  <achristensen@webkit.org>
1545
1546         Progress towards CMake on Windows and Mac.
1547         https://bugs.webkit.org/show_bug.cgi?id=143293
1548
1549         Reviewed by Filip Pizlo.
1550
1551         * CMakeLists.txt:
1552         Enabled using assembly on Windows.
1553         Replaced unix commands with CMake commands.
1554         * PlatformMac.cmake:
1555         Tell open source builders where to find unicode headers.
1556
1557 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1558
1559         IteratorClose should be called when jumping over the target for-of loop
1560         https://bugs.webkit.org/show_bug.cgi?id=143140
1561
1562         Reviewed by Geoffrey Garen.
1563
1564         This patch fixes labeled break/continue behaviors with for-of and iterators.
1565
1566         1. Support IteratorClose beyond multiple loop contexts
1567         Previously, IteratorClose was only executed in for-of's breakTarget().
1568         However, this missed the IteratorClose execution when a statement rolls up multiple control flow contexts.
1569         For example,
1570         outer: for (var e1 of outer) {
1571             inner: for (var e2 of inner) {
1572                 break outer;
1573             }
1574         }
1575         In this case, the return method of inner should be called.
1576         We leverage the existing system for `finally` to execute the inner.return method correctly.
1577         Leveraging the `finally` system fixes the `break`, `continue` and `return` cases.
1578         The `throw` case is already supported by emitting try-catch handlers in for-of.
1579
1580         2. Incorrect LabelScope creation is done in ForOfNode
1581         ForOfNode creates a duplicated LabelScope.
1582         It causes an infinite loop when executing the following program, which contains an
1583         explicitly labeled for-of loop.
1584         For example,
1585         inner: for (var elm of array) {
1586             continue inner;
1587         }
1588
1589         * bytecompiler/BytecodeGenerator.cpp:
1590         (JSC::BytecodeGenerator::pushFinallyContext):
1591         (JSC::BytecodeGenerator::pushIteratorCloseContext):
1592         (JSC::BytecodeGenerator::popFinallyContext):
1593         (JSC::BytecodeGenerator::popIteratorCloseContext):
1594         (JSC::BytecodeGenerator::emitComplexPopScopes):
1595         (JSC::BytecodeGenerator::emitEnumeration):
1596         (JSC::BytecodeGenerator::emitIteratorClose):
1597         * bytecompiler/BytecodeGenerator.h:
1598         * bytecompiler/NodesCodegen.cpp:
1599         (JSC::ForOfNode::emitBytecode):
1600         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
1601         (createIterator.iterator.return):
1602         (createIterator):
1603         * tests/stress/raise-error-in-iterator-close.js: Added.
1604         (createIterator.iterator.return):
1605         (createIterator):
1606
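The two behaviors described in this entry (IteratorClose running for every loop that a labeled break or continue leaves, and a labeled `continue` on a for-of loop terminating normally), as an added example that is not part of the ChangeLog entry or of JavaScriptCore's own tests. The `makeIterable` helper and the `closed` log are constructed here; they build an iterable whose iterator records its name whenever the engine calls its return() method.

```javascript
// Build an iterable over `items` whose iterator appends `name` to `closed`
// each time for-of invokes IteratorClose (iterator.return()).
function makeIterable(name, items, closed) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          return i < items.length
            ? { value: items[i++], done: false }
            : { value: undefined, done: true };
        },
        return() {
          closed.push(name);
          return { value: undefined, done: true };
        },
      };
    },
  };
}

// Case 1 (point 1 of the entry): `break outer` from inside the inner loop
// must close BOTH iterators, innermost first.
function labeledBreakClosesBoth() {
  const closed = [];
  const outer = makeIterable('outer', [1, 2, 3], closed);
  const inner = makeIterable('inner', ['a', 'b'], closed);
  outer: for (const e1 of outer) {
    inner: for (const e2 of inner) {
      break outer;
    }
  }
  return closed; // ['inner', 'outer']
}

// `continue outer` from the inner loop closes only the inner iterator, once per
// outer iteration. The outer iterator runs to exhaustion, and an exhausted
// iterator is never closed, so 'outer' does not appear in the log.
function labeledContinueClosesInnerOnly() {
  const closed = [];
  const outer = makeIterable('outer', [1, 2], closed);
  const inner = makeIterable('inner', ['a', 'b'], closed);
  outer: for (const e1 of outer) {
    for (const e2 of inner) {
      continue outer;
    }
  }
  return closed; // ['inner', 'inner']
}

// Case 2 (point 2 of the entry): `continue inner` on an explicitly labeled
// for-of loop is a normal continue of that loop. It must visit every element
// and terminate, and it must not close the iterator.
function labeledContinueTerminates() {
  const closed = [];
  const array = makeIterable('arr', [1, 2, 3], closed);
  let visited = 0;
  inner: for (const elm of array) {
    visited++;
    continue inner;
  }
  return { visited, closed }; // { visited: 3, closed: [] }
}
```

Running the three functions in any ES6-compliant engine gives the logs noted in the comments; an engine with the bug fixed here would either skip the outer return() call in case 1 or never return from case 2.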
1607 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1608
1609         [ES6] Implement Symbol.unscopables
1610         https://bugs.webkit.org/show_bug.cgi?id=142829
1611
1612         Reviewed by Geoffrey Garen.
1613
1614         This patch introduces Symbol.unscopables functionality.
1615         In ES6, some generic names (like keys, values) are introduced
1616         as Array method names. This breaks the web, since some web sites
1617         use code like the following.
1618
1619         var values = ...;
1620         with (array) {
1621             values;  // This values is trapped by array's method "values".
1622         }
1623
1624         To fix this, Symbol.unscopables introduces a blacklist
1625         for the with scope's trapping. When resolving a scope,
1626         if the name is found in the target scope and the target scope is a with scope,
1627         we check the Symbol.unscopables object to filter out generic names.
1628
1629         This functionality is only active for with scopes.
1630         Global scope does not have unscopables functionality.
1631
1632         And since
1633         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
1634         2) in that case, JSScope::resolve is always used in the JIT and LLInt,
1635         3) code which contains an op_resolve_scope that returns Dynamic cannot be compiled with the DFG and FTL,
1636         to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
1637         So the performance regression is only visible in the Dynamic resolving case, and that is already very slow.
1638
1639         * runtime/ArrayPrototype.cpp:
1640         (JSC::ArrayPrototype::finishCreation):
1641         * runtime/CommonIdentifiers.h:
1642         * runtime/JSGlobalObject.h:
1643         (JSC::JSGlobalObject::runtimeFlags):
1644         * runtime/JSScope.cpp:
1645         (JSC::isUnscopable):
1646         (JSC::JSScope::resolve):
1647         * runtime/JSScope.h:
1648         (JSC::ScopeChainIterator::scope):
1649         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
1650         (test):
1651         * tests/stress/unscopables.js: Added.
1652         (test):
1653         (.):
1654
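The Symbol.unscopables behavior described in this entry, as an added example that is not part of the ChangeLog entry or of JavaScriptCore's own tests. `with` is only legal in sloppy-mode code, so the lookups below are compiled through the Function constructor, which always produces sloppy-mode functions regardless of the caller's strictness. The helper names (`lookupValuesInWith`, `unscopableProbe`) are constructed for this example; the last function also checks the entry's statement that the global scope does not consult unscopables.

```javascript
// Resolve the bare identifier `values` inside `with (array) { ... }`.
// `values` is also a parameter, so it is the binding the with scope may shadow.
const lookupValuesInWith = new Function(
  'array', 'values',
  'with (array) { return values; }'
);

// Array.prototype[Symbol.unscopables] lists `values`, so inside the with scope
// `values` resolves to the outer binding, not to Array.prototype.values.
function arrayValuesIsNotTrapped() {
  const outerValues = 'outer values';
  return lookupValuesInWith([1, 2, 3], outerValues) === outerValues;
}

// A plain object carries no unscopables list, so the with scope does trap the name.
function plainObjectTrapsName() {
  const obj = { values: 'trapped by obj' };
  return lookupValuesInWith(obj, 'outer values');
}

// Any object can opt names out through its own Symbol.unscopables blacklist.
// Names listed as true are skipped; names listed as false (or not listed) are
// still trapped.
function customUnscopables() {
  const obj = {
    values: 'trapped by obj',
    keys: 'trapped keys',
    [Symbol.unscopables]: { values: true, keys: false },
  };
  const lookupKeysInWith = new Function(
    'array', 'keys',
    'with (array) { return keys; }'
  );
  return {
    values: lookupValuesInWith(obj, 'outer values'), // 'outer values'
    keys: lookupKeysInWith(obj, 'outer keys'),       // 'trapped keys'
  };
}

// The filter applies only to with scopes. Even if the global object carries a
// Symbol.unscopables list naming a global, unqualified resolution of that
// global ignores it.
function globalScopeIgnoresUnscopables() {
  globalThis.unscopableProbe = 'global value';         // constructed global
  globalThis[Symbol.unscopables] = { unscopableProbe: true };
  try {
    return new Function('return unscopableProbe;')(); // 'global value'
  } finally {
    delete globalThis.unscopableProbe;
    delete globalThis[Symbol.unscopables];
  }
}
```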
1655 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1656
1657         ES6 class syntax should allow static setters and getters
1658         https://bugs.webkit.org/show_bug.cgi?id=143180
1659
1660         Reviewed by Filip Pizlo.
1661
1662         Apparently I misread the spec when I initially implemented parseClass.
1663         ES6 class syntax allows static getters and setters so just allow that.
1664
1665         * parser/Parser.cpp:
1666         (JSC::Parser<LexerType>::parseClass):
1667
1668 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
1669
1670         PutClosureVar CSE def() rule has a wrong base
1671         https://bugs.webkit.org/show_bug.cgi?id=143280
1672
1673         Reviewed by Michael Saboff.
1674         
1675         I think that this code was incorrect in a benign way, since the base of a
1676         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
1677
1678         * dfg/DFGClobberize.h:
1679         (JSC::DFG::clobberize):
1680
1681 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1682
1683         Unreviewed, rolling out r182200.
1684         https://bugs.webkit.org/show_bug.cgi?id=143279
1685
1686         Probably causing assertion extravaganza on bots. (Requested by
1687         kling on #webkit).
1688
1689         Reverted changeset:
1690
1691         "Logically empty WeakBlocks should not pin down their
1692         MarkedBlocks indefinitely."
1693         https://bugs.webkit.org/show_bug.cgi?id=143210
1694         http://trac.webkit.org/changeset/182200
1695
1696 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1697
1698         Clean up Identifier factories to clarify the meaning of StringImpl*
1699         https://bugs.webkit.org/show_bug.cgi?id=143146
1700
1701         Reviewed by Filip Pizlo.
1702
1703         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
1704         However, it's ambiguous because `StringImpl*` has 2 different meanings:
1705         1) a normal string, which is replaceable with `WTFString`, and
1706         2) a `uid`, which holds `isSymbol` information to represent Symbols.
1707         So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
1708         + `Identifier::fromString(VM*/ExecState*, const String&)`.
1709         Just construct an Identifier from strings. The symbol-ness of StringImpl* is not kept.
1710         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
1711         This function is used for 2) `uid`. So the symbol-ness of `StringImpl*` is kept.
1712
1713         And to clean up `StringImpl` which is used as a uid,
1714         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
1715         1. StringNormal (non-atomic, non-symbol)
1716         2. StringAtomic (atomic, non-symbol)
1717         3. StringSymbol (non-atomic, symbol)
1718         They are mutually exclusive. And the (atomic, symbol) case should not exist.
1719
1720         * API/JSCallbackObjectFunctions.h:
1721         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1722         * API/JSObjectRef.cpp:
1723         (JSObjectMakeFunction):
1724         * API/OpaqueJSString.cpp:
1725         (OpaqueJSString::identifier):
1726         * bindings/ScriptFunctionCall.cpp:
1727         (Deprecated::ScriptFunctionCall::call):
1728         * builtins/BuiltinExecutables.cpp:
1729         (JSC::BuiltinExecutables::createExecutableInternal):
1730         * builtins/BuiltinNames.h:
1731         (JSC::BuiltinNames::BuiltinNames):
1732         * bytecompiler/BytecodeGenerator.cpp:
1733         (JSC::BytecodeGenerator::BytecodeGenerator):
1734         (JSC::BytecodeGenerator::emitThrowReferenceError):
1735         (JSC::BytecodeGenerator::emitThrowTypeError):
1736         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1737         (JSC::BytecodeGenerator::emitEnumeration):
1738         * dfg/DFGDesiredIdentifiers.cpp:
1739         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1740         * inspector/JSInjectedScriptHost.cpp:
1741         (Inspector::JSInjectedScriptHost::functionDetails):
1742         (Inspector::constructInternalProperty):
1743         (Inspector::JSInjectedScriptHost::weakMapEntries):
1744         (Inspector::JSInjectedScriptHost::iteratorEntries):
1745         * inspector/JSInjectedScriptHostPrototype.cpp:
1746         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1747         * inspector/JSJavaScriptCallFramePrototype.cpp:
1748         * inspector/ScriptCallStackFactory.cpp:
1749         (Inspector::extractSourceInformationFromException):
1750         * jit/JITOperations.cpp:
1751         * jsc.cpp:
1752         (GlobalObject::finishCreation):
1753         (GlobalObject::addFunction):
1754         (GlobalObject::addConstructableFunction):
1755         (functionRun):
1756         (runWithScripts):
1757         * llint/LLIntData.cpp:
1758         (JSC::LLInt::Data::performAssertions):
1759         * llint/LowLevelInterpreter.asm:
1760         * parser/ASTBuilder.h:
1761         (JSC::ASTBuilder::addVar):
1762         * parser/Parser.cpp:
1763         (JSC::Parser<LexerType>::parseInner):
1764         (JSC::Parser<LexerType>::createBindingPattern):
1765         * parser/ParserArena.h:
1766         (JSC::IdentifierArena::makeIdentifier):
1767         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
1768         (JSC::IdentifierArena::makeNumericIdentifier):
1769         * runtime/ArgumentsIteratorPrototype.cpp:
1770         (JSC::ArgumentsIteratorPrototype::finishCreation):
1771         * runtime/ArrayIteratorPrototype.cpp:
1772         (JSC::ArrayIteratorPrototype::finishCreation):
1773         * runtime/ArrayPrototype.cpp:
1774         (JSC::ArrayPrototype::finishCreation):
1775         (JSC::arrayProtoFuncPush):
1776         * runtime/ClonedArguments.cpp:
1777         (JSC::ClonedArguments::getOwnPropertySlot):
1778         * runtime/CommonIdentifiers.cpp:
1779         (JSC::CommonIdentifiers::CommonIdentifiers):
1780         * runtime/CommonIdentifiers.h:
1781         * runtime/Error.cpp:
1782         (JSC::addErrorInfo):
1783         (JSC::hasErrorInfo):
1784         * runtime/ExceptionHelpers.cpp:
1785         (JSC::createUndefinedVariableError):
1786         * runtime/GenericArgumentsInlines.h:
1787         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1788         * runtime/Identifier.h:
1789         (JSC::Identifier::isSymbol):
1790         (JSC::Identifier::Identifier):
1791         (JSC::Identifier::from): Deleted.
1792         * runtime/IdentifierInlines.h:
1793         (JSC::Identifier::Identifier):
1794         (JSC::Identifier::fromUid):
1795         (JSC::Identifier::fromString):
1796         * runtime/JSCJSValue.cpp:
1797         (JSC::JSValue::dumpInContextAssumingStructure):
1798         * runtime/JSCJSValueInlines.h:
1799         (JSC::JSValue::toPropertyKey):
1800         * runtime/JSGlobalObject.cpp:
1801         (JSC::JSGlobalObject::init):
1802         * runtime/JSLexicalEnvironment.cpp:
1803         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1804         * runtime/JSObject.cpp:
1805         (JSC::getClassPropertyNames):
1806         (JSC::JSObject::reifyStaticFunctionsForDelete):
1807         * runtime/JSObject.h:
1808         (JSC::makeIdentifier):
1809         * runtime/JSPromiseConstructor.cpp:
1810         (JSC::JSPromiseConstructorFuncRace):
1811         (JSC::JSPromiseConstructorFuncAll):
1812         * runtime/JSString.h:
1813         (JSC::JSString::toIdentifier):
1814         * runtime/JSSymbolTableObject.cpp:
1815         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1816         * runtime/LiteralParser.cpp:
1817         (JSC::LiteralParser<CharType>::tryJSONPParse):
1818         (JSC::LiteralParser<CharType>::makeIdentifier):
1819         * runtime/Lookup.h:
1820         (JSC::reifyStaticProperties):
1821         * runtime/MapConstructor.cpp:
1822         (JSC::constructMap):
1823         * runtime/MapIteratorPrototype.cpp:
1824         (JSC::MapIteratorPrototype::finishCreation):
1825         * runtime/MapPrototype.cpp:
1826         (JSC::MapPrototype::finishCreation):
1827         * runtime/MathObject.cpp:
1828         (JSC::MathObject::finishCreation):
1829         * runtime/NumberConstructor.cpp:
1830         (JSC::NumberConstructor::finishCreation):
1831         * runtime/ObjectConstructor.cpp:
1832         (JSC::ObjectConstructor::finishCreation):
1833         * runtime/PrivateName.h:
1834         (JSC::PrivateName::PrivateName):
1835         * runtime/PropertyMapHashTable.h:
1836         (JSC::PropertyTable::find):
1837         (JSC::PropertyTable::get):
1838         * runtime/PropertyName.h:
1839         (JSC::PropertyName::PropertyName):
1840         (JSC::PropertyName::publicName):
1841         (JSC::PropertyName::asIndex):
1842         * runtime/PropertyNameArray.cpp:
1843         (JSC::PropertyNameArray::add):
1844         * runtime/PropertyNameArray.h:
1845         (JSC::PropertyNameArray::addKnownUnique):
1846         * runtime/RegExpConstructor.cpp:
1847         (JSC::RegExpConstructor::finishCreation):
1848         * runtime/SetConstructor.cpp:
1849         (JSC::constructSet):
1850         * runtime/SetIteratorPrototype.cpp:
1851         (JSC::SetIteratorPrototype::finishCreation):
1852         * runtime/SetPrototype.cpp:
1853         (JSC::SetPrototype::finishCreation):
1854         * runtime/StringIteratorPrototype.cpp:
1855         (JSC::StringIteratorPrototype::finishCreation):
1856         * runtime/StringPrototype.cpp:
1857         (JSC::StringPrototype::finishCreation):
1858         * runtime/Structure.cpp:
1859         (JSC::Structure::getPropertyNamesFromStructure):
1860         * runtime/SymbolConstructor.cpp:
1861         * runtime/VM.cpp:
1862         (JSC::VM::throwException):
1863         * runtime/WeakMapConstructor.cpp:
1864         (JSC::constructWeakMap):
1865
1866 2015-03-31  Andreas Kling  <akling@apple.com>
1867
1868         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1869         <https://webkit.org/b/143210>
1870
1871         Reviewed by Geoffrey Garen.
1872
1873         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1874         we had a little problem where WeakBlocks with only null pointers would still keep their
1875         MarkedBlock alive.
1876
1877         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1878         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1879         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1880         destroying them once they're fully dead.
1881
1882         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1883         a mysterious issue where doing two full garbage collections back-to-back would free additional
1884         memory in the second collection.
1885
1886         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1887         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1888         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1889
1890         * heap/Heap.h:
1891         * heap/Heap.cpp:
1892         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1893         owned by Heap, after everything else has been swept.
1894
1895         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1896         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1897         they are unlikely to cause entire WeakBlocks to go empty.
1898
1899         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1900         to the Heap when it's detached from a WeakSet.
1901
1902         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1903         of the logically empty WeakBlocks owned by Heap.
1904
1905         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1906         and updates the next-logically-empty-weak-block-to-sweep index.
1907
1908         (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
1909         won't be another chance after this.
1910
1911         * heap/IncrementalSweeper.h:
1912         (JSC::IncrementalSweeper::hasWork): Deleted.
1913
1914         * heap/IncrementalSweeper.cpp:
1915         (JSC::IncrementalSweeper::fullSweep):
1916         (JSC::IncrementalSweeper::doSweep):
1917         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1918         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1919         changed to return a bool (true if there's more work to be done.)
1920
1921         * heap/WeakBlock.cpp:
1922         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1923         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1924
1925         * heap/WeakBlock.h:
1926         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1927         if the WeakBlock could be detached from the MarkedBlock.
1928
1929         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1930         when declaring them.
1931
1932 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1933
1934         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
1935         https://bugs.webkit.org/show_bug.cgi?id=142883
1936
1937         Reviewed by Filip Pizlo.
1938
1939         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
1940
1941         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
1942         in eval inside a derived class's constructor.
1943
1944         * bytecode/EvalCodeCache.h:
1945         (JSC::EvalCodeCache::getSlow):
1946         * bytecompiler/NodesCodegen.cpp:
1947         (JSC::ThisNode::emitBytecode):
1948         * debugger/DebuggerCallFrame.cpp:
1949         (JSC::DebuggerCallFrame::evaluate):
1950         * interpreter/Interpreter.cpp:
1951         (JSC::eval):
1952         * parser/ASTBuilder.h:
1953         (JSC::ASTBuilder::thisExpr):
1954         * parser/NodeConstructors.h:
1955         (JSC::ThisNode::ThisNode):
1956         * parser/Nodes.h:
1957         * parser/Parser.cpp:
1958         (JSC::Parser<LexerType>::Parser):
1959         (JSC::Parser<LexerType>::parsePrimaryExpression):
1960         * parser/Parser.h:
1961         (JSC::parse):
1962         * parser/ParserModes.h:
1963         * parser/SyntaxChecker.h:
1964         (JSC::SyntaxChecker::thisExpr):
1965         * runtime/CodeCache.cpp:
1966         (JSC::CodeCache::getGlobalCodeBlock):
1967         (JSC::CodeCache::getProgramCodeBlock):
1968         (JSC::CodeCache::getEvalCodeBlock):
1969         * runtime/CodeCache.h:
1970         (JSC::SourceCodeKey::SourceCodeKey):
1971         * runtime/Executable.cpp:
1972         (JSC::EvalExecutable::create):
1973         * runtime/Executable.h:
1974         * runtime/JSGlobalObject.cpp:
1975         (JSC::JSGlobalObject::createEvalCodeBlock):
1976         * runtime/JSGlobalObject.h:
1977         * runtime/JSGlobalObjectFunctions.cpp:
1978         (JSC::globalFuncEval):
1979         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
1980         * tests/stress/class-syntax-tdz-in-eval.js: Added.
1981
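The `this` temporal dead zone that this entry makes eval respect, as an added example that is not part of the ChangeLog entry or of the stress tests it adds. The class names (`Base`, `Derived`, `Plain`) and the `log` array are constructed here. A direct eval of "this.foo" inside a derived-class constructor must throw a ReferenceError before super() has run (the TDZ case) and read the property normally after it (the no-TDZ case); an engine that skipped the check would read an uninitialized `this`.

```javascript
class Base {
  constructor() {
    this.foo = 'initialized by Base';
  }
}

// Records what eval("this.foo") does before and after super().
class Derived extends Base {
  constructor(log) {
    // Before super(): `this` is in its TDZ. Direct eval must throw a
    // ReferenceError rather than touch the uninitialized binding.
    try {
      eval('this.foo');
      log.push('before-super: no error');
    } catch (e) {
      log.push('before-super: ' + e.constructor.name);
    }
    super();
    // After super(): `this` is initialized and eval sees Base's property.
    log.push('after-super: ' + eval('this.foo'));
  }
}

function runTdzProbe() {
  const log = [];
  new Derived(log);
  return log; // ['before-super: ReferenceError', 'after-super: initialized by Base']
}

// For comparison: in a base-class constructor `this` is never in a TDZ, so the
// forced check is specific to eval inside derived-class constructors.
class Plain {
  constructor() {
    this.foo = 'plain';
    this.viaEval = eval('this.foo');
  }
}

function baseClassEvalWorks() {
  return new Plain().viaEval; // 'plain'
}
```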
1982 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1983
1984         Unreviewed, rolling out r182186.
1985         https://bugs.webkit.org/show_bug.cgi?id=143270
1986
1987         it crashes all the WebGL tests on the Debug bots (Requested by
1988         dino on #webkit).
1989
1990         Reverted changeset:
1991
1992         "Web Inspector: add 2D/WebGL canvas instrumentation
1993         infrastructure"
1994         https://bugs.webkit.org/show_bug.cgi?id=137278
1995         http://trac.webkit.org/changeset/182186
1996
1997 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1998
1999         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
2000         https://bugs.webkit.org/show_bug.cgi?id=142937
2001
2002         Reviewed by Darin Adler.
2003
2004         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
2005         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
2006         But now, several functions perform ToObject onto a non-object parameter.
2007         And others behave as if a parameter is a non-extensible ordinary object with no own properties.
2008         It is described in ES6 Annex E.
2009         Functions different from ES5 are the following.
2010
2011         1. An attempt is made to coerce the argument using ToObject.
2012             Object.getOwnPropertyDescriptor
2013             Object.getOwnPropertyNames
2014             Object.getPrototypeOf
2015             Object.keys
2016
2017         2. Treated as if it was a non-extensible ordinary object with no own properties.
2018             Object.freeze
2019             Object.isExtensible
2020             Object.isFrozen
2021             Object.isSealed
2022             Object.preventExtensions
2023             Object.seal
2024
2025         * runtime/ObjectConstructor.cpp:
2026         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2027         (JSC::objectConstructorGetPrototypeOf):
2028         (JSC::objectConstructorGetOwnPropertyDescriptor):
2029         (JSC::objectConstructorGetOwnPropertyNames):
2030         (JSC::objectConstructorKeys):
2031         (JSC::objectConstructorSeal):
2032         (JSC::objectConstructorFreeze):
2033         (JSC::objectConstructorPreventExtensions):
2034         (JSC::objectConstructorIsSealed):
2035         (JSC::objectConstructorIsFrozen):
2036         (JSC::objectConstructorIsExtensible):
2037         * tests/stress/object-freeze-accept-non-object.js: Added.
2038         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
2039         (canary):
2040         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
2041         (compare):
2042         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
2043         * tests/stress/object-is-extensible-accept-non-object.js: Added.
2044         * tests/stress/object-is-frozen-accept-non-object.js: Added.
2045         * tests/stress/object-is-sealed-accept-non-object.js: Added.
2046         * tests/stress/object-keys-perform-to-object.js: Added.
2047         (compare):
2048         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
2049         * tests/stress/object-seal-accept-non-object.js: Added.
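
        Added example, not part of this ChangeLog entry or of the stress tests it lists: a small probe that records which of the Object.* functions named above still throw for a non-object first argument on the engine that runs it. The helper names probe and throwers are this example's own.

```javascript
// Added example (not code from the ChangeLog entry). The two lists mirror the
// entry: group 1 performs ToObject on its argument, group 2 treats a non-object
// as a non-extensible ordinary object with no own properties (ES6 Annex E).
const TO_OBJECT_FUNCS = [
  "getOwnPropertyDescriptor", "getOwnPropertyNames", "getPrototypeOf", "keys",
];
const NON_EXTENSIBLE_FUNCS = [
  "freeze", "isExtensible", "isFrozen", "isSealed", "preventExtensions", "seal",
];

// Calls each listed Object.* function with `value` as its first argument
// ("length" is passed as the property name where one is taken and is ignored
// elsewhere) and records either the result or the name of the thrown error.
function probe(value) {
  const out = {};
  for (const name of [...TO_OBJECT_FUNCS, ...NON_EXTENSIBLE_FUNCS]) {
    try {
      out[name] = { ok: true, result: Object[name](value, "length") };
    } catch (e) {
      out[name] = { ok: false, error: e.name };
    }
  }
  return out;
}

// Sorted names of the functions that threw TypeError for `value`.
// Under ES5 all ten threw for a primitive; under ES6 only the ToObject group
// still throws, and only for null or undefined, because ToObject(null) and
// ToObject(undefined) themselves throw.
function throwers(value) {
  const r = probe(value);
  return Object.keys(r)
    .filter((k) => !r[k].ok && r[k].error === "TypeError")
    .sort();
}

// Expected on an ES6 engine:
//   throwers("abc") -> []
//   throwers(null)  -> ["getOwnPropertyDescriptor", "getOwnPropertyNames",
//                       "getPrototypeOf", "keys"]
```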
2050
2051 2015-03-31  Matt Baker  <mattbaker@apple.com>
2052
2053         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
2054         https://bugs.webkit.org/show_bug.cgi?id=137278
2055
2056         Reviewed by Timothy Hatcher.
2057
2058         Added Canvas protocol which defines types used by InspectorCanvasAgent.
2059
2060         * CMakeLists.txt:
2061         * DerivedSources.make:
2062         * inspector/protocol/Canvas.json: Added.
2063
2064         * inspector/scripts/codegen/generator.py:
2065         (Generator.stylized_name_for_enum_value):
2066         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
2067
2068 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
2069
2070         Extending null should set __proto__ to null
2071         https://bugs.webkit.org/show_bug.cgi?id=142882
2072
2073         Reviewed by Geoffrey Garen and Benjamin Poulain.
2074
2075         Set Derived.prototype.__proto__ to null when extending null.
2076
2077         * bytecompiler/NodesCodegen.cpp:
2078         (JSC::ClassExprNode::emitBytecode):
2079
2080 2015-03-30  Mark Lam  <mark.lam@apple.com>
2081
2082         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
2083         <https://webkit.org/b/143105>
2084
2085         Reviewed by Filip Pizlo.
2086
2087         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
2088         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
2089         JIT frames that may have their scope register not set.  The Debugger's current implementation
2090         which relies on the scope register is not happy about this.  For example, this results in a
2091         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
2092
2093         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
2094         ensure that the scope register value is flushed to the register in the stack frame.
2095
2096         * dfg/DFGByteCodeParser.cpp:
2097         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2098         (JSC::DFG::ByteCodeParser::setLocal):
2099         (JSC::DFG::ByteCodeParser::flush):
2100         - Add code to flush the scope register.
2101         (JSC::DFG::ByteCodeParser::inliningCost):
2102         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
2103           disabling inlining whenever the debugger is in use.
2104         * dfg/DFGGraph.cpp:
2105         (JSC::DFG::Graph::Graph):
2106         * dfg/DFGGraph.h:
2107         (JSC::DFG::Graph::hasDebuggerEnabled):
2108         * dfg/DFGStackLayoutPhase.cpp:
2109         (JSC::DFG::StackLayoutPhase::run):
2110         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
2111         * ftl/FTLCompile.cpp:
2112         (JSC::FTL::mmAllocateDataSection):
2113         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
2114
2115 2015-03-30  Michael Saboff  <msaboff@apple.com>
2116
2117         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
2118         https://bugs.webkit.org/show_bug.cgi?id=138391
2119
2120         Reviewed by Mark Lam.
2121
2122         Re-enabling these tests as I can't get them to fail on local iOS test devices.
2123         There have been many changes since these tests were disabled.
2124         I'll watch automated test results for failures.  If there are failures running automated
2125         testing, it might be due to the device's relative CPU performance.
2126         
2127         * tests/stress/float32-repeat-out-of-bounds.js:
2128         * tests/stress/int8-repeat-out-of-bounds.js:
2129
2130 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
2131
2132         Web Inspector: Regression: Preview for [[null]] shouldn't be []
2133         https://bugs.webkit.org/show_bug.cgi?id=143208
2134
2135         Reviewed by Mark Lam.
2136
2137         * inspector/InjectedScriptSource.js:
2138         Handle null when generating simple object previews.
2139
2140 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
2141
2142         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
2143         https://bugs.webkit.org/show_bug.cgi?id=143134
2144
2145         Reviewed by Geoffrey Garen.
2146
2147         * jit/JSInterfaceJIT.h:
2148         * jit/Repatch.cpp:
2149         (JSC::tryCacheGetByID):
2150
2151 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
2152
2153         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
2154         https://bugs.webkit.org/show_bug.cgi?id=143104
2155
2156         Reviewed by Geoffrey Garen.
2157         
2158         Created a test that is a 100% repro of the flaky failure. This test is called
2159         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
2160         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
2161         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
2162         
2163         Also created three more tests for three similar, but not identical, failures.
2164         
2165         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
2166         only reading those parts of the stack that are relevant to the current semantic code origin.
2167         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
2168         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
2169         read parts of the stack associated with the inline call frame for the phantom arguments. This
2170         may not be subsumed by the current semantic origin's stack area in cases that the arguments
2171         were allowed to "locally" escape.
2172         
2173         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
2174         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
2175         the stack due to function.arguments, but there are a bunch of other ways that we could also
2176         read the stack and those operations may read any stack slot. I believe that this change makes
2177         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
2178         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
2179         readTop() in PreciseLocalClobberize does the right thing.
2180
2181         * dfg/DFGClobberize.h:
2182         (JSC::DFG::clobberize):
2183         * dfg/DFGPreciseLocalClobberize.h:
2184         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2185         * dfg/DFGPutStackSinkingPhase.cpp:
2186         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
2187         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
2188         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
2189         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
2190         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
2191
2192 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
2193
2194         Start the features.json files
2195         https://bugs.webkit.org/show_bug.cgi?id=143207
2196
2197         Reviewed by Darin Adler.
2198
2199         Start the features.json files to have something to experiment
2200         with for the UI.
2201
2202         * features.json: Added.
2203
2204 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2205
2206         [Win] Addressing post-review comment after r182122
2207         https://bugs.webkit.org/show_bug.cgi?id=143189
2208
2209         Unreviewed.
2210
2211 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2212
2213         [Win] Allow building JavaScriptCore without Cygwin
2214         https://bugs.webkit.org/show_bug.cgi?id=143189
2215
2216         Reviewed by Brent Fulgham.
2217
2218         Paths like /usr/bin/ don't exist on Windows.
2219         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
2220         Prefixing commands with environment variables doesn't work on Windows.
2221         Windows doesn't have 'cmp'.
2222         Windows uses 'del' instead of 'rm'.
2223         Windows uses 'type NUL' instead of 'touch'.
2224
2225         * DerivedSources.make:
2226         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2227         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2228         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
2229         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2230         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
2231         * JavaScriptCore.vcxproj/build-generated-files.pl:
2232         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
2233
2234 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
2235
2236         Clean up JavaScriptCore/builtins
2237         https://bugs.webkit.org/show_bug.cgi?id=143177
2238
2239         Reviewed by Ryosuke Niwa.
2240
2241         * builtins/ArrayConstructor.js:
2242         (from):
2243         - We can compare to undefined instead of using a typeof undefined check.
2244         - Converge on double quoted strings everywhere.
2245
2246         * builtins/ArrayIterator.prototype.js:
2247         (next):
2248         * builtins/StringIterator.prototype.js:
2249         (next):
2250         - Use shorthand object construction to avoid duplication.
2251         - Improve grammar in error messages.
2252
2253         * tests/stress/array-iterators-next-with-call.js:
2254         * tests/stress/string-iterators.js:
2255         - Update for new error message strings.
2256
2257 2015-03-28  Saam Barati  <saambarati1@gmail.com>
2258
2259         Web Inspector: ES6: Better support for Symbol types in Type Profiler
2260         https://bugs.webkit.org/show_bug.cgi?id=141257
2261
2262         Reviewed by Joseph Pecoraro.
2263
2264         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
2265         type profiler support this new primitive type.
2266
2267         * dfg/DFGFixupPhase.cpp:
2268         (JSC::DFG::FixupPhase::fixupNode):
2269         * inspector/protocol/Runtime.json:
2270         * runtime/RuntimeType.cpp:
2271         (JSC::runtimeTypeForValue):
2272         * runtime/RuntimeType.h:
2273         (JSC::runtimeTypeIsPrimitive):
2274         * runtime/TypeSet.cpp:
2275         (JSC::TypeSet::addTypeInformation):
2276         (JSC::TypeSet::dumpTypes):
2277         (JSC::TypeSet::doesTypeConformTo):
2278         (JSC::TypeSet::displayName):
2279         (JSC::TypeSet::inspectorTypeSet):
2280         (JSC::TypeSet::toJSONString):
2281         * runtime/TypeSet.h:
2282         (JSC::TypeSet::seenTypes):
2283         * tests/typeProfiler/driver/driver.js:
2284         * tests/typeProfiler/symbol.js: Added.
2285         (wrapper.foo):
2286         (wrapper.bar):
2287         (wrapper.bar.bar.baz):
2288         (wrapper):
2289
2290 2015-03-27  Saam Barati  <saambarati1@gmail.com>
2291
2292         Deconstruction parameters are bound too late
2293         https://bugs.webkit.org/show_bug.cgi?id=143148
2294
2295         Reviewed by Filip Pizlo.
2296
2297         Currently, a deconstruction pattern named with the same
2298         name as a function will shadow the function. This is
2299         wrong. It should be the other way around.
2300
2301         * bytecompiler/BytecodeGenerator.cpp:
2302         (JSC::BytecodeGenerator::generate):
2303
2304 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
2305
2306         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
2307         https://bugs.webkit.org/show_bug.cgi?id=143170
2308
2309         Reviewed by Benjamin Poulain.
2310
2311         Assert that we never use the 16-bit version of the parser to parse a default constructor
2312         since both base and derived default constructors should be using an 8-bit string.
2313
2314         * parser/Parser.h:
2315         (JSC::parse):
2316
2317 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
2318
2319         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
2320         https://bugs.webkit.org/show_bug.cgi?id=142862
2321
2322         Reviewed by Benjamin Poulain.
2323
2324         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
2325
2326         * tests/stress/class-syntax-derived-default-constructor.js: Added.
2327
2328 2015-03-27  Michael Saboff  <msaboff@apple.com>
2329
2330         load8Signed() and load16Signed() should be renamed to avoid confusion
2331         https://bugs.webkit.org/show_bug.cgi?id=143168
2332
2333         Reviewed by Benjamin Poulain.
2334
2335         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
2336
2337         * assembler/MacroAssemblerARM.h:
2338         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
2339         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
2340         (JSC::MacroAssemblerARM::load8Signed): Deleted.
2341         (JSC::MacroAssemblerARM::load16Signed): Deleted.
2342         * assembler/MacroAssemblerARM64.h:
2343         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
2344         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
2345         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
2346         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
2347         * assembler/MacroAssemblerARMv7.h:
2348         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
2349         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
2350         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
2351         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
2352         * assembler/MacroAssemblerMIPS.h:
2353         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
2354         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
2355         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
2356         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
2357         * assembler/MacroAssemblerSH4.h:
2358         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
2359         (JSC::MacroAssemblerSH4::load8):
2360         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
2361         (JSC::MacroAssemblerSH4::load16):
2362         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
2363         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
2364         * assembler/MacroAssemblerX86Common.h:
2365         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
2366         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
2367         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
2368         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
2369         * dfg/DFGSpeculativeJIT.cpp:
2370         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2371         * jit/JITPropertyAccess.cpp:
2372         (JSC::JIT::emitIntTypedArrayGetByVal):
2373
2374 2015-03-27  Michael Saboff  <msaboff@apple.com>
2375
2376         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
2377         https://bugs.webkit.org/show_bug.cgi?id=138390
2378
2379         Reviewed by Mark Lam.
2380
2381         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
2382         instead of 64 bits.  This is what X86-64 does.
2383
2384         * assembler/MacroAssemblerARM64.h:
2385         (JSC::MacroAssemblerARM64::load16Signed):
2386         (JSC::MacroAssemblerARM64::load8Signed):
2387
2388 2015-03-27  Saam Barati  <saambarati1@gmail.com>
2389
2390         Add back previously broken assert from bug 141869
2391         https://bugs.webkit.org/show_bug.cgi?id=143005
2392
2393         Reviewed by Michael Saboff.
2394
2395         * runtime/ExceptionHelpers.cpp:
2396         (JSC::invalidParameterInSourceAppender):
2397
2398 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
2399
2400         Make some more objects use FastMalloc
2401         https://bugs.webkit.org/show_bug.cgi?id=143122
2402
2403         Reviewed by Csaba Osztrogonác.
2404
2405         * API/JSCallbackObject.h:
2406         * heap/IncrementalSweeper.h:
2407         * jit/JITThunks.h:
2408         * runtime/JSGlobalObjectDebuggable.h:
2409         * runtime/RegExpCache.h:
2410
2411 2015-03-27  Michael Saboff  <msaboff@apple.com>
2412
2413         Objects with numeric properties intermittently get a phantom 'length' property
2414         https://bugs.webkit.org/show_bug.cgi?id=142792
2415
2416         Reviewed by Csaba Osztrogonác.
2417
2418         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
2419         test and branch instructions.  This function is used for linking tbz/tbnz branches between
2420         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
2421         the failure case checks in the GetById array length stub created for "obj.length" access.
2422         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
2423         being set when we should have been looking for bit 0.
2424
2425         * assembler/ARM64Assembler.h:
2426         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
2427
2428 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2429
2430         Insert exception check around toPropertyKey call
2431         https://bugs.webkit.org/show_bug.cgi?id=142922
2432
2433         Reviewed by Geoffrey Garen.
2434
2435         In some places, an exception check is missing after/before toPropertyKey.
2436         However, since it calls toString, it's observable to users.
2437
2438         Missing exception checks in Object.prototype methods can be
2439         observed since it would be overridden with toObject(null/undefined) errors.
2440         We inserted exception checks after toPropertyKey.
2441
2442         Missing exception checks in GetById related code can be
2443         observed since it would be overridden with toObject(null/undefined) errors.
2444         In this case, we need to insert exception checks before/after toPropertyKey
2445         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
2446
2447         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
2448         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
2449         According to the spec, we first perform RequireObjectCoercible and check the exception.
2450         And second, we perform ToPropertyKey and check the exception.
2451         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
2452         For example, if the target is not object coercible,
2453         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
2454         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
2455
2456         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
2457
2458         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
2459
2460         toObject converts primitive types into wrapper objects.
2461         But it is not efficient since wrapper objects are not necessary
2462         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
2463
2464         2. Using the result of toObject is not correct to the spec.
2465
2466         To align to the spec correctly, we cannot use JSObject::get
2467         by using the wrapper object produced by the toObject suggested in (1).
2468         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
2469         It is not correct since getter should be called with the original |this| value that may be primitive types.
2470
2471         So in this patch, we use JSValue::requireObjectCoercible
2472         to check that the target is object coercible and raise an error if it's not.
2473
2474         * dfg/DFGOperations.cpp:
2475         * jit/JITOperations.cpp:
2476         (JSC::getByVal):
2477         * llint/LLIntSlowPaths.cpp:
2478         (JSC::LLInt::getByVal):
2479         * runtime/CommonSlowPaths.cpp:
2480         (JSC::SLOW_PATH_DECL):
2481         * runtime/JSCJSValue.h:
2482         * runtime/JSCJSValueInlines.h:
2483         (JSC::JSValue::requireObjectCoercible):
2484         * runtime/ObjectPrototype.cpp:
2485         (JSC::objectProtoFuncHasOwnProperty):
2486         (JSC::objectProtoFuncDefineGetter):
2487         (JSC::objectProtoFuncDefineSetter):
2488         (JSC::objectProtoFuncLookupGetter):
2489         (JSC::objectProtoFuncLookupSetter):
2490         (JSC::objectProtoFuncPropertyIsEnumerable):
2491         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
2492         (shouldThrow):
2493         (if):
2494         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
2495         (shouldThrow):
2496         (.):
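
        Added example, not the entry's own stress tests: it makes the order of the two observable steps visible with a property key whose toString() records each call and can be made to throw, for both the obj[key] path (RequireObjectCoercible first, then ToPropertyKey) and Object.prototype.hasOwnProperty, whose spec order is the reverse. The helper names makeKey, getByValOrder and hasOwnPropertyOrder are chosen for this example.

```javascript
// Added example (not code from the ChangeLog entry). A property key whose
// toString() appends to `log`, and optionally throws, so that the order of
// observable actions and which exception wins can both be asserted.
function makeKey(log, shouldThrow) {
  return {
    toString() {
      log.push("toString");
      if (shouldThrow) throw new RangeError("from toString");
      return "length";
    },
  };
}

// base[key]: the spec runs RequireObjectCoercible(base) before
// ToPropertyKey(key), so a null base must throw TypeError without ever
// calling toString(), and a throwing toString() must not be reached.
function getByValOrder(base, shouldThrow = false) {
  const log = [];
  const key = makeKey(log, shouldThrow);
  try {
    log.push("value:" + base[key]);
  } catch (e) {
    log.push(e.name);
  }
  return log;
}

// Object.prototype.hasOwnProperty(V): here the spec does ToPropertyKey(V)
// first and ToObject(this) second, so toString() runs even for a null
// receiver, and an exception raised by toString() must propagate rather
// than be replaced by the later toObject(null) TypeError.
function hasOwnPropertyOrder(receiver, shouldThrow = false) {
  const log = [];
  const key = makeKey(log, shouldThrow);
  try {
    log.push("result:" + Object.prototype.hasOwnProperty.call(receiver, key));
  } catch (e) {
    log.push(e.name);
  }
  return log;
}

// Expected on a spec-conforming engine:
//   getByValOrder("abc")              -> ["toString", "value:3"]
//   getByValOrder(null, true)         -> ["TypeError"]
//   hasOwnPropertyOrder(null)         -> ["toString", "TypeError"]
//   hasOwnPropertyOrder(null, true)   -> ["toString", "RangeError"]
```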
2497
2498 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
2499
2500         WebContent Crash when instantiating class with Type Profiling enabled
2501         https://bugs.webkit.org/show_bug.cgi?id=143037
2502
2503         Reviewed by Ryosuke Niwa.
2504
2505         * bytecompiler/BytecodeGenerator.h:
2506         * bytecompiler/BytecodeGenerator.cpp:
2507         (JSC::BytecodeGenerator::BytecodeGenerator):
2508         (JSC::BytecodeGenerator::emitMoveEmptyValue):
2509         We cannot profile the type of an uninitialized empty JSValue.
2510         Nor do we expect this to be necessary, since it is effectively
2511         an unseen undefined value. So add a way to put the empty value
2512         without profiling.
2513
2514         (JSC::BytecodeGenerator::emitMove):
2515         Add an assert to try to catch this issue early on, and force
2516         callers to explicitly use emitMoveEmptyValue instead.
2517
2518         * tests/typeProfiler/classes.js: Added.
2519         (wrapper.Base):
2520         (wrapper.Derived):
2521         (wrapper):
2522         Add test coverage both for this case and classes in general.
2523
2524 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
2525
2526         Web Inspector: ES6: Provide a better view for Classes in the console
2527         https://bugs.webkit.org/show_bug.cgi?id=142999
2528
2529         Reviewed by Timothy Hatcher.
2530
2531         * inspector/protocol/Runtime.json:
2532         Provide a new `subtype` enum "class". This is a subtype of `type`
2533         "function", all other subtypes are subtypes of `object` types.
2534         For a class, the frontend will immediately want to get the prototype
2535         to enumerate its methods, so include the `classPrototype`.
2536
2537         * inspector/JSInjectedScriptHost.cpp:
2538         (Inspector::JSInjectedScriptHost::subtype):
2539         Denote class construction functions as "class" subtypes.
2540
2541         * inspector/InjectedScriptSource.js:
2542         Handling for the new "class" type.
2543
2544         * bytecode/UnlinkedCodeBlock.h:
2545         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
2546         * runtime/Executable.h:
2547         (JSC::FunctionExecutable::isClassConstructorFunction):
2548         * runtime/JSFunction.h:
2549         * runtime/JSFunctionInlines.h:
2550         (JSC::JSFunction::isClassConstructorFunction):
2551         Check if this function is a class constructor function. That information
2552         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
2553
2554 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
2555
2556         Function.prototype.toString should not decompile the AST
2557         https://bugs.webkit.org/show_bug.cgi?id=142853
2558
2559         Reviewed by Darin Adler.
2560
2561         Following up on Darin's review comments.
2562
2563         * runtime/FunctionConstructor.cpp:
2564         (JSC::constructFunctionSkippingEvalEnabledCheck):
2565
2566 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
2567
2568         "lineNo" does not match WebKit coding style guidelines
2569         https://bugs.webkit.org/show_bug.cgi?id=143119
2570
2571         Reviewed by Michael Saboff.
2572
2573         We can afford to use whole words.
2574
2575         * bytecode/CodeBlock.cpp:
2576         (JSC::CodeBlock::lineNumberForBytecodeOffset):
2577         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
2578         * bytecode/UnlinkedCodeBlock.cpp:
2579         (JSC::UnlinkedFunctionExecutable::link):
2580         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2581         * bytecode/UnlinkedCodeBlock.h:
2582         * bytecompiler/NodesCodegen.cpp:
2583         (JSC::WhileNode::emitBytecode):
2584         * debugger/Debugger.cpp:
2585         (JSC::Debugger::toggleBreakpoint):
2586         * interpreter/Interpreter.cpp:
2587         (JSC::StackFrame::computeLineAndColumn):
2588         (JSC::GetStackTraceFunctor::operator()):
2589         (JSC::Interpreter::execute):
2590         * interpreter/StackVisitor.cpp:
2591         (JSC::StackVisitor::Frame::computeLineAndColumn):
2592         * parser/Nodes.h:
2593         (JSC::Node::firstLine):
2594         (JSC::Node::lineNo): Deleted.
2595         (JSC::StatementNode::firstLine): Deleted.
2596         * parser/ParserError.h:
2597         (JSC::ParserError::toErrorObject):
2598         * profiler/LegacyProfiler.cpp:
2599         (JSC::createCallIdentifierFromFunctionImp):
2600         * runtime/CodeCache.cpp:
2601         (JSC::CodeCache::getGlobalCodeBlock):
2602         * runtime/Executable.cpp:
2603         (JSC::ScriptExecutable::ScriptExecutable):
2604         (JSC::ScriptExecutable::newCodeBlockFor):
2605         (JSC::FunctionExecutable::fromGlobalCode):
2606         * runtime/Executable.h:
2607         (JSC::ScriptExecutable::firstLine):
2608         (JSC::ScriptExecutable::setOverrideLineNumber):
2609         (JSC::ScriptExecutable::hasOverrideLineNumber):
2610         (JSC::ScriptExecutable::overrideLineNumber):
2611         (JSC::ScriptExecutable::lineNo): Deleted.
2612         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
2613         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
2614         (JSC::ScriptExecutable::overrideLineNo): Deleted.
2615         * runtime/FunctionConstructor.cpp:
2616         (JSC::constructFunctionSkippingEvalEnabledCheck):
2617         * runtime/FunctionConstructor.h:
2618         * tools/CodeProfile.cpp:
2619         (JSC::CodeProfile::report):
2620         * tools/CodeProfile.h:
2621         (JSC::CodeProfile::CodeProfile):
2622
2623 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
2624
2625         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
2626         https://bugs.webkit.org/show_bug.cgi?id=142974
2627
2628         Reviewed by Joseph Pecoraro.
2629
2630         This patch does two things:
2631
2632         (1) Restore JavaScriptCore's sanitization of line and column numbers to
2633         one-based values.
2634
2635         We need this because WebCore sometimes provides huge negative column
2636         numbers.
2637
2638         (2) Solve the attribute event listener line numbering problem a different
2639         way: Rather than offsetting all line numbers by -1 in an attribute event
2640         listener in order to arrange for a custom result, instead use an explicit
2641         feature for saying "all errors in this code should map to this line number".
2642
2643         * bytecode/UnlinkedCodeBlock.cpp:
2644         (JSC::UnlinkedFunctionExecutable::link):
2645         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2646         * bytecode/UnlinkedCodeBlock.h:
2647         * interpreter/Interpreter.cpp:
2648         (JSC::StackFrame::computeLineAndColumn):
2649         (JSC::GetStackTraceFunctor::operator()):
2650         * interpreter/Interpreter.h:
2651         * interpreter/StackVisitor.cpp:
2652         (JSC::StackVisitor::Frame::computeLineAndColumn):
2653         * parser/ParserError.h:
2654         (JSC::ParserError::toErrorObject): Plumb through an override line number.
2655         When a function has an override line number, all syntax and runtime
2656         errors in the function will map to it. This is useful for attribute event
2657         listeners.
2658  
2659         * parser/SourceCode.h:
2660         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
2661         column numbers to one-based integers. It was kind of a hack to remove this.
2662
2663         * runtime/Executable.cpp:
2664         (JSC::ScriptExecutable::ScriptExecutable):
2665         (JSC::FunctionExecutable::fromGlobalCode):
2666         * runtime/Executable.h:
2667         (JSC::ScriptExecutable::setOverrideLineNo):
2668         (JSC::ScriptExecutable::hasOverrideLineNo):
2669         (JSC::ScriptExecutable::overrideLineNo):
2670         * runtime/FunctionConstructor.cpp:
2671         (JSC::constructFunctionSkippingEvalEnabledCheck):
2672         * runtime/FunctionConstructor.h: Plumb through an override line number.
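The two changes in the entry above (one-based sanitization of line and column numbers, and an explicit override line number that all errors in a function map to) can be modelled in a few lines. The following is an added example, not WebKit's own code; `SourcePosition`, `sanitizeOneBased`, `ExecutableModel`, `errorPosition` and the two `reportedLine*` helpers are hypothetical names standing in for the `SourceCode`/`ScriptExecutable` plumbing, and the choice to report column 1 alongside an override line is an assumption of this model.

```cpp
#include <algorithm>

// Added example, not WebKit code: a model of the two fixes in the entry above.
struct SourcePosition {
    int line;
    int column;
};

// (1) Sanitize to one-based values. Callers such as WebCore may hand us huge
// negative column numbers; anything below 1 is clamped to 1.
inline SourcePosition sanitizeOneBased(int line, int column)
{
    return { std::max(line, 1), std::max(column, 1) };
}

// (2) An explicit override line number instead of shifting every line by -1.
// When set, every syntax or runtime error in the code maps to that line.
class ExecutableModel {
public:
    ExecutableModel(int firstLine, int startColumn)
        : m_start(sanitizeOneBased(firstLine, startColumn))
        , m_hasOverrideLineNo(false)
        , m_overrideLineNo(0)
    {
    }

    void setOverrideLineNo(int line)
    {
        m_hasOverrideLineNo = true;
        m_overrideLineNo = line;
    }
    bool hasOverrideLineNo() const { return m_hasOverrideLineNo; }
    int overrideLineNo() const { return m_overrideLineNo; }
    SourcePosition start() const { return m_start; }

    // Position reported for an error found at (errorLine, errorColumn).
    // Assumption of this model: with an override line the column is reported
    // as 1, because the override deliberately discards position information
    // inside the function body.
    SourcePosition errorPosition(int errorLine, int errorColumn) const
    {
        if (m_hasOverrideLineNo)
            return { m_overrideLineNo, 1 };
        return sanitizeOneBased(errorLine, errorColumn);
    }

private:
    SourcePosition m_start;
    bool m_hasOverrideLineNo;
    int m_overrideLineNo;
};

// Attribute event listener scenario (hypothetical helper): the listener body
// is compiled as its own function, but every error in it should point at the
// element's line in the document, so the executable carries that line as its
// override. Returns the reported line.
inline int reportedLineWithOverride(int elementLine, int errorLine, int errorColumn)
{
    ExecutableModel listener(1, 1);
    listener.setOverrideLineNo(elementLine);
    return listener.errorPosition(errorLine, errorColumn).line;
}

// Ordinary script (hypothetical helper): no override, so the reported
// position is simply the sanitized error position.
inline int reportedLineWithoutOverride(int errorLine, int errorColumn)
{
    ExecutableModel script(1, 1);
    return script.errorPosition(errorLine, errorColumn).line;
}
```

The point of separating the two mechanisms is that the clamp and the override no longer interact: a bogus negative column from the embedder is clamped independently of whether the function reports a fixed line, so neither fix has to be weakened to accommodate the other.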
2673
2674 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2675
2676         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
2677
2678         Reviewed by Michael Saboff.
2679
2680         * jit/JITPropertyAccess.cpp:
2681         (JSC::JIT::emitScopedArgumentsGetByVal):
2682         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
2683
2684 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2685
2686         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
2687         https://bugs.webkit.org/show_bug.cgi?id=143098
2688
2689         Reviewed by Csaba Osztrogonác.
2690
2691         * ftl/FTLLowerDFGToLLVM.cpp:
2692         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
2693         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
2694
2695 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
2696
2697         Unreviewed gardening, skip failing tests on AArch64 Linux.
2698
2699         * tests/mozilla/mozilla-tests.yaml:
2700         * tests/stress/cached-prototype-setter.js:
2701
2702 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2703
2704         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
2705
2706         * dfg/DFGConstantFoldingPhase.cpp:
2707         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
2708         * ftl/FTLCompile.cpp:
2709         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
2710         * ftl/FTLState.cpp:
2711         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
2712         * ftl/FTLState.h:
2713
2714 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2715
2716         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
2717         right, so this just makes 32-bit do the same.
2718
2719         * dfg/DFGSpeculativeJIT32_64.cpp:
2720         (JSC::DFG::SpeculativeJIT::emitCall):
2721
2722 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2723
2724         Fix a typo that ggaren found but that I didn't fix before.
2725
2726         * runtime/DirectArgumentsOffset.h:
2727
2728 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2729
2730         Unreviewed, VC found a bug. This fixes the bug.
2731
2732         * dfg/DFGConstantFoldingPhase.cpp:
2733         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2734
2735 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2736
2737         Unreviewed, try to fix Windows build.
2738
2739         * runtime/ClonedArguments.cpp:
2740         (JSC::ClonedArguments::createWithInlineFrame):
2741
2742 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2743
2744         Unreviewed, fix debug build.
2745
2746         * bytecompiler/NodesCodegen.cpp:
2747         (JSC::ConstDeclNode::emitCodeSingle):
2748
2749 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2750
2751         Unreviewed, fix CLOOP build.
2752
2753         * dfg/DFGMinifiedID.h:
2754
2755 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2756
2757         Heap variables shouldn't end up in the stack frame
2758         https://bugs.webkit.org/show_bug.cgi?id=141174
2759
2760         Reviewed by Geoffrey Garen.
2761         
2762         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
2763         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
2764         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
2765         simplifications:
2766         
2767         - Accesses to variables no longer need checks or indirections to determine where the variable is
2768           at that moment in time. For example, loading a closure variable now takes just one load instead
2769           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
2770           (when no arguments object allocation is required) while previously that same operation required
2771           a "did I allocate arguments yet" check, a bounds check, and then the load.
2772         
2773         - Reasoning about the allocation of an activation or arguments object now follows the same simple
2774           logic as the allocation of any other kind of object. Previously, those objects were lazily
2775           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
2776           allocate anything at all. This made the implementation of traditional escape analyses really
2777           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
2778           arguments object using the usual SSA tricks which allows for more comprehensive removal.
2779         
2780         - The allocations of arguments objects, functions, and activations are now much faster. While
2781           this patch generally expands our ability to eliminate arguments object allocations, an earlier
2782           version of the patch - which lacked that functionality - was a progression on some arguments-
2783           and closure-happy benchmarks because although no allocations were eliminated, all allocations
2784           were faster.
2785         
2786         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
2787           its arguments objects or activations. The runtime doesn't have to do things to the arguments
2788           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
2789           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
2790           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" is
2791           now gone. This also enables implementing block-scoping. Without this change, block-scope
2792           support would require telling CodeBlock and all of the rest of the runtime about all of the
2793           variables that store currently-live scopes. That would have been so disastrously hard that it
2794           might as well be impossible. With this change, it's fair game for the bytecode generator to
2795           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
2796           however long it wants. This all works, because after bytecode generation, an activation is just
2797           an object and variables that refer to it are just normal variables.
2798         
2799         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
2800           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
2801           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
2802           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
2803           an arguments object.
2804         
2805         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
2806           using activations used to prevent inlining; now functions that use activations can be inlined
2807           just fine.
2808         
2809         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
2810         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
2811         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
2812         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
2813         
2814         The easiest way of understanding this change is to start by looking at the changes in runtime/,
2815         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
2816
2817         * CMakeLists.txt:
2818         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2819         * JavaScriptCore.xcodeproj/project.pbxproj:
2820         * assembler/AbortReason.h:
2821         * assembler/AbstractMacroAssembler.h:
2822         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
2823         * bytecode/ByValInfo.h:
2824         (JSC::hasOptimizableIndexingForJSType):
2825         (JSC::hasOptimizableIndexing):
2826         (JSC::jitArrayModeForJSType):
2827         (JSC::jitArrayModePermitsPut):
2828         (JSC::jitArrayModeForStructure):
2829         * bytecode/BytecodeKills.h: Added.
2830         (JSC::BytecodeKills::BytecodeKills):
2831         (JSC::BytecodeKills::operandIsKilled):
2832         (JSC::BytecodeKills::forEachOperandKilledAt):
2833         (JSC::BytecodeKills::KillSet::KillSet):
2834         (JSC::BytecodeKills::KillSet::add):
2835         (JSC::BytecodeKills::KillSet::forEachLocal):
2836         (JSC::BytecodeKills::KillSet::contains):
2837         * bytecode/BytecodeList.json:
2838         * bytecode/BytecodeLivenessAnalysis.cpp:
2839         (JSC::isValidRegisterForLiveness):
2840         (JSC::stepOverInstruction):
2841         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
2842         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
2843         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
2844         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2845         (JSC::BytecodeLivenessAnalysis::computeKills):
2846         (JSC::indexForOperand): Deleted.
2847         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
2848         (JSC::getLivenessInfo): Deleted.
2849         * bytecode/BytecodeLivenessAnalysis.h:
2850         * bytecode/BytecodeLivenessAnalysisInlines.h:
2851         (JSC::operandIsAlwaysLive):
2852         (JSC::operandThatIsNotAlwaysLiveIsLive):
2853         (JSC::operandIsLive):
2854         * bytecode/BytecodeUseDef.h:
2855         (JSC::computeUsesForBytecodeOffset):
2856         (JSC::computeDefsForBytecodeOffset):
2857         * bytecode/CodeBlock.cpp:
2858         (JSC::CodeBlock::dumpBytecode):
2859         (JSC::CodeBlock::CodeBlock):
2860         (JSC::CodeBlock::nameForRegister):
2861         (JSC::CodeBlock::validate):
2862         (JSC::CodeBlock::isCaptured): Deleted.
2863         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
2864         (JSC::CodeBlock::machineSlowArguments): Deleted.
2865         * bytecode/CodeBlock.h:
2866         (JSC::unmodifiedArgumentsRegister): Deleted.
2867         (JSC::CodeBlock::setArgumentsRegister): Deleted.
2868         (JSC::CodeBlock::argumentsRegister): Deleted.
2869         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
2870         (JSC::CodeBlock::usesArguments): Deleted.
2871         (JSC::CodeBlock::captureCount): Deleted.
2872         (JSC::CodeBlock::captureStart): Deleted.
2873         (JSC::CodeBlock::captureEnd): Deleted.
2874         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
2875         (JSC::CodeBlock::hasSlowArguments): Deleted.
2876         (JSC::ExecState::argumentAfterCapture): Deleted.
2877         * bytecode/CodeOrigin.h:
2878         * bytecode/DataFormat.h:
2879         (JSC::dataFormatToString):
2880         * bytecode/FullBytecodeLiveness.h:
2881         (JSC::FullBytecodeLiveness::getLiveness):
2882         (JSC::FullBytecodeLiveness::operandIsLive):
2883         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
2884         (JSC::FullBytecodeLiveness::getOut): Deleted.
2885         * bytecode/Instruction.h:
2886         (JSC::Instruction::Instruction):
2887         * bytecode/Operands.h:
2888         (JSC::Operands::virtualRegisterForIndex):
2889         * bytecode/SpeculatedType.cpp:
2890         (JSC::dumpSpeculation):
2891         (JSC::speculationToAbbreviatedString):
2892         (JSC::speculationFromClassInfo):
2893         * bytecode/SpeculatedType.h:
2894         (JSC::isDirectArgumentsSpeculation):
2895         (JSC::isScopedArgumentsSpeculation):
2896         (JSC::isActionableMutableArraySpeculation):
2897         (JSC::isActionableArraySpeculation):
2898         (JSC::isArgumentsSpeculation): Deleted.
2899         * bytecode/UnlinkedCodeBlock.cpp:
2900         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2901         * bytecode/UnlinkedCodeBlock.h:
2902         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
2903         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
2904         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
2905         * bytecode/ValueRecovery.cpp:
2906         (JSC::ValueRecovery::dumpInContext):
2907         * bytecode/ValueRecovery.h:
2908         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
2909         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
2910         (JSC::ValueRecovery::nodeID):
2911         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
2912         * bytecode/VirtualRegister.h:
2913         (JSC::VirtualRegister::operator==):
2914         (JSC::VirtualRegister::operator!=):
2915         (JSC::VirtualRegister::operator<):
2916         (JSC::VirtualRegister::operator>):
2917         (JSC::VirtualRegister::operator<=):
2918         (JSC::VirtualRegister::operator>=):
2919         * bytecompiler/BytecodeGenerator.cpp:
2920         (JSC::BytecodeGenerator::generate):
2921         (JSC::BytecodeGenerator::BytecodeGenerator):
2922         (JSC::BytecodeGenerator::initializeNextParameter):
2923         (JSC::BytecodeGenerator::visibleNameForParameter):
2924         (JSC::BytecodeGenerator::emitMove):
2925         (JSC::BytecodeGenerator::variable):
2926         (JSC::BytecodeGenerator::createVariable):
2927         (JSC::BytecodeGenerator::emitResolveScope):
2928         (JSC::BytecodeGenerator::emitGetFromScope):
2929         (JSC::BytecodeGenerator::emitPutToScope):
2930         (JSC::BytecodeGenerator::initializeVariable):
2931         (JSC::BytecodeGenerator::emitInstanceOf):
2932         (JSC::BytecodeGenerator::emitNewFunction):
2933         (JSC::BytecodeGenerator::emitNewFunctionInternal):
2934         (JSC::BytecodeGenerator::emitCall):
2935         (JSC::BytecodeGenerator::emitReturn):
2936         (JSC::BytecodeGenerator::emitConstruct):
2937         (JSC::BytecodeGenerator::isArgumentNumber):
2938         (JSC::BytecodeGenerator::emitEnumeration):
2939         (JSC::BytecodeGenerator::addVar): Deleted.
2940         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
2941         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
2942         (JSC::BytecodeGenerator::resolveCallee): Deleted.
2943         (JSC::BytecodeGenerator::addCallee): Deleted.
2944         (JSC::BytecodeGenerator::addParameter): Deleted.
2945         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
2946         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
2947         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
2948         (JSC::BytecodeGenerator::isCaptured): Deleted.
2949         (JSC::BytecodeGenerator::local): Deleted.
2950         (JSC::BytecodeGenerator::constLocal): Deleted.
2951         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
2952         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
2953         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
2954         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
2955         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
2956         * bytecompiler/BytecodeGenerator.h:
2957         (JSC::Variable::Variable):
2958         (JSC::Variable::isResolved):
2959         (JSC::Variable::ident):
2960         (JSC::Variable::offset):
2961         (JSC::Variable::isLocal):
2962         (JSC::Variable::local):
2963         (JSC::Variable::isSpecial):
2964         (JSC::BytecodeGenerator::argumentsRegister):
2965         (JSC::BytecodeGenerator::emitNode):
2966         (JSC::BytecodeGenerator::registerFor):
2967         (JSC::Local::Local): Deleted.
2968         (JSC::Local::operator bool): Deleted.
2969         (JSC::Local::get): Deleted.
2970         (JSC::Local::isSpecial): Deleted.
2971         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
2972         (JSC::ResolveScopeInfo::isLocal): Deleted.
2973         (JSC::ResolveScopeInfo::localIndex): Deleted.
2974         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
2975         (JSC::BytecodeGenerator::captureMode): Deleted.
2976         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
2977         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
2978         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
2979         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
2980         * bytecompiler/NodesCodegen.cpp:
2981         (JSC::ResolveNode::isPure):
2982         (JSC::ResolveNode::emitBytecode):
2983         (JSC::BracketAccessorNode::emitBytecode):
2984         (JSC::DotAccessorNode::emitBytecode):
2985         (JSC::EvalFunctionCallNode::emitBytecode):
2986         (JSC::FunctionCallResolveNode::emitBytecode):
2987         (JSC::CallFunctionCallDotNode::emitBytecode):
2988         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2989         (JSC::PostfixNode::emitResolve):
2990         (JSC::DeleteResolveNode::emitBytecode):
2991         (JSC::TypeOfResolveNode::emitBytecode):
2992         (JSC::PrefixNode::emitResolve):
2993         (JSC::ReadModifyResolveNode::emitBytecode):
2994         (JSC::AssignResolveNode::emitBytecode):
2995         (JSC::ConstDeclNode::emitCodeSingle):
2996         (JSC::EmptyVarExpression::emitBytecode):
2997         (JSC::ForInNode::tryGetBoundLocal):
2998         (JSC::ForInNode::emitLoopHeader):
2999         (JSC::ForOfNode::emitBytecode):
3000         (JSC::ArrayPatternNode::emitDirectBinding):
3001         (JSC::BindingNode::bindValue):
3002         (JSC::getArgumentByVal): Deleted.
3003         * dfg/DFGAbstractHeap.h:
3004         * dfg/DFGAbstractInterpreter.h:
3005         * dfg/DFGAbstractInterpreterInlines.h:
3006         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3007         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
3008         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
3009         * dfg/DFGAbstractValue.h:
3010         * dfg/DFGArgumentPosition.h:
3011         (JSC::DFG::ArgumentPosition::addVariable):
3012         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
3013         (JSC::DFG::performArgumentsElimination):
3014         * dfg/DFGArgumentsEliminationPhase.h: Added.
3015         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
3016         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
3017         * dfg/DFGArgumentsUtilities.cpp: Added.
3018         (JSC::DFG::argumentsInvolveStackSlot):
3019         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3020         * dfg/DFGArgumentsUtilities.h: Added.
3021         * dfg/DFGArrayMode.cpp:
3022         (JSC::DFG::ArrayMode::refine):
3023         (JSC::DFG::ArrayMode::alreadyChecked):
3024         (JSC::DFG::arrayTypeToString):
3025         * dfg/DFGArrayMode.h:
3026         (JSC::DFG::ArrayMode::canCSEStorage):
3027         (JSC::DFG::ArrayMode::modeForPut):
3028         * dfg/DFGAvailabilityMap.cpp:
3029         (JSC::DFG::AvailabilityMap::prune):
3030         * dfg/DFGAvailabilityMap.h:
3031         (JSC::DFG::AvailabilityMap::closeOverNodes):
3032         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
3033         * dfg/DFGBackwardsPropagationPhase.cpp:
3034         (JSC::DFG::BackwardsPropagationPhase::propagate):
3035         * dfg/DFGByteCodeParser.cpp:
3036         (JSC::DFG::ByteCodeParser::newVariableAccessData):
3037         (JSC::DFG::ByteCodeParser::getLocal):
3038         (JSC::DFG::ByteCodeParser::setLocal):
3039         (JSC::DFG::ByteCodeParser::getArgument):
3040         (JSC::DFG::ByteCodeParser::setArgument):
3041         (JSC::DFG::ByteCodeParser::flushDirect):
3042         (JSC::DFG::ByteCodeParser::flush):
3043         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
3044         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3045         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3046         (JSC::DFG::ByteCodeParser::handleInlining):
3047         (JSC::DFG::ByteCodeParser::parseBlock):
3048         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3049         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3050         * dfg/DFGCPSRethreadingPhase.cpp:
3051         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3052         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3053         * dfg/DFGCSEPhase.cpp:
3054         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
3055         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3056         * dfg/DFGCapabilities.cpp:
3057         (JSC::DFG::isSupportedForInlining):
3058         (JSC::DFG::capabilityLevel):
3059         * dfg/DFGClobberize.h:
3060         (JSC::DFG::clobberize):
3061         * dfg/DFGCommon.h:
3062         * dfg/DFGCommonData.h:
3063         (JSC::DFG::CommonData::CommonData):
3064         * dfg/DFGConstantFoldingPhase.cpp:
3065         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3066         * dfg/DFGDCEPhase.cpp:
3067         (JSC::DFG::DCEPhase::cleanVariables):
3068         * dfg/DFGDisassembler.h:
3069         * dfg/DFGDoesGC.cpp:
3070         (JSC::DFG::doesGC):
3071         * dfg/DFGFixupPhase.cpp:
3072         (JSC::DFG::FixupPhase::fixupNode):
3073         * dfg/DFGFlushFormat.cpp:
3074         (WTF::printInternal):
3075         * dfg/DFGFlushFormat.h:
3076         (JSC::DFG::resultFor):
3077         (JSC::DFG::useKindFor):
3078         (JSC::DFG::dataFormatFor):
3079         * dfg/DFGForAllKills.h: Added.
3080         (JSC::DFG::forAllLiveNodesAtTail):
3081         (JSC::DFG::forAllDirectlyKilledOperands):
3082         (JSC::DFG::forAllKilledOperands):
3083         (JSC::DFG::forAllKilledNodesAtNodeIndex):
3084         (JSC::DFG::forAllKillsInBlock):
3085         * dfg/DFGGraph.cpp:
3086         (JSC::DFG::Graph::Graph):
3087         (JSC::DFG::Graph::dump):
3088         (JSC::DFG::Graph::substituteGetLocal):
3089         (JSC::DFG::Graph::livenessFor):
3090         (JSC::DFG::Graph::killsFor):
3091         (JSC::DFG::Graph::tryGetConstantClosureVar):
3092         (JSC::DFG::Graph::tryGetRegisters): Deleted.
3093         * dfg/DFGGraph.h:
3094         (JSC::DFG::Graph::symbolTableFor):
3095         (JSC::DFG::Graph::uses):
3096         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
3097         (JSC::DFG::Graph::capturedVarsFor): Deleted.
3098         (JSC::DFG::Graph::usesArguments): Deleted.
3099         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
3100         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
3101         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
3102         * dfg/DFGHeapLocation.cpp:
3103         (WTF::printInternal):
3104         * dfg/DFGHeapLocation.h:
3105         * dfg/DFGInPlaceAbstractState.cpp:
3106         (JSC::DFG::InPlaceAbstractState::initialize):
3107         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3108         * dfg/DFGJITCompiler.cpp:
3109         (JSC::DFG::JITCompiler::link):
3110         * dfg/DFGMayExit.cpp:
3111         (JSC::DFG::mayExit):
3112         * dfg/DFGMinifiedID.h:
3113         * dfg/DFGMinifiedNode.cpp:
3114         (JSC::DFG::MinifiedNode::fromNode):
3115         * dfg/DFGMinifiedNode.h:
3116         (JSC::DFG::belongsInMinifiedGraph):
3117         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
3118         (JSC::DFG::MinifiedNode::inlineCallFrame):
3119         * dfg/DFGNode.cpp:
3120         (JSC::DFG::Node::convertToIdentityOn):
3121         * dfg/DFGNode.h:
3122         (JSC::DFG::Node::hasConstant):
3123         (JSC::DFG::Node::constant):
3124         (JSC::DFG::Node::hasScopeOffset):
3125         (JSC::DFG::Node::scopeOffset):
3126         (JSC::DFG::Node::hasDirectArgumentsOffset):
3127         (JSC::DFG::Node::capturedArgumentsOffset):
3128         (JSC::DFG::Node::variablePointer):
3129         (JSC::DFG::Node::hasCallVarargsData):
3130         (JSC::DFG::Node::hasLoadVarargsData):
3131         (JSC::DFG::Node::hasHeapPrediction):
3132         (JSC::DFG::Node::hasCellOperand):
3133         (JSC::DFG::Node::objectMaterializationData):
3134         (JSC::DFG::Node::isPhantomAllocation):
3135         (JSC::DFG::Node::willHaveCodeGenOrOSR):
3136         (JSC::DFG::Node::shouldSpeculateDirectArguments):
3137         (JSC::DFG::Node::shouldSpeculateScopedArguments):
3138         (JSC::DFG::Node::isPhantomArguments): Deleted.
3139         (JSC::DFG::Node::hasVarNumber): Deleted.
3140         (JSC::DFG::Node::varNumber): Deleted.
3141         (JSC::DFG::Node::registerPointer): Deleted.
3142         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
3143         * dfg/DFGNodeType.h:
3144         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3145         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3146         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3147         * dfg/DFGOSRExitCompiler.cpp:
3148         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
3149         * dfg/DFGOSRExitCompiler.h:
3150         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
3151         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
3152         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
3153         * dfg/DFGOSRExitCompiler32_64.cpp:
3154         (JSC::DFG::OSRExitCompiler::compileExit):
3155         * dfg/DFGOSRExitCompiler64.cpp:
3156         (JSC::DFG::OSRExitCompiler::compileExit):
3157         * dfg/DFGOSRExitCompilerCommon.cpp:
3158         (JSC::DFG::reifyInlinedCallFrames):
3159         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
3160         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
3161         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
3162         * dfg/DFGOSRExitCompilerCommon.h:
3163         * dfg/DFGOperations.cpp:
3164         * dfg/DFGOperations.h:
3165         * dfg/DFGPlan.cpp:
3166         (JSC::DFG::Plan::compileInThreadImpl):
3167         * dfg/DFGPreciseLocalClobberize.h:
3168         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
3169         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
3170         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
3171         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3172         (JSC::DFG::preciseLocalClobberize):
3173         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
3174         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
3175         * dfg/DFGPredictionPropagationPhase.cpp:
3176         (JSC::DFG::PredictionPropagationPhase::run):
3177         (JSC::DFG::PredictionPropagationPhase::propagate):
3178         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
3179         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
3180         * dfg/DFGPromoteHeapAccess.h:
3181         (JSC::DFG::promoteHeapAccess):
3182         * dfg/DFGPromotedHeapLocation.cpp:
3183         (WTF::printInternal):
3184         * dfg/DFGPromotedHeapLocation.h:
3185         * dfg/DFGSSAConversionPhase.cpp:
3186         (JSC::DFG::SSAConversionPhase::run):
3187         * dfg/DFGSafeToExecute.h:
3188         (JSC::DFG::safeToExecute):
3189         * dfg/DFGSpeculativeJIT.cpp:
3190         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
3191         (JSC::DFG::SpeculativeJIT::emitGetLength):
3192         (JSC::DFG::SpeculativeJIT::emitGetCallee):
3193         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
3194         (JSC::DFG::SpeculativeJIT::checkArray):
3195         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3196         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3197         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3198         (JSC::DFG::SpeculativeJIT::compileNewFunction):
3199         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
3200         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3201         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3202         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
3203         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
3204         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
3205         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
3206         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
3207         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
3208         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
3209         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
3210         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
3211         * dfg/DFGSpeculativeJIT.h:
3212         (JSC::DFG::SpeculativeJIT::callOperation):
3213         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
3214         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3215         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
3216         * dfg/DFGSpeculativeJIT32_64.cpp:
3217         (JSC::DFG::SpeculativeJIT::emitCall):
3218         (JSC::DFG::SpeculativeJIT::compile):
3219         * dfg/DFGSpeculativeJIT64.cpp:
3220         (JSC::DFG::SpeculativeJIT::emitCall):
3221         (JSC::DFG::SpeculativeJIT::compile):
3222         * dfg/DFGStackLayoutPhase.cpp:
3223         (JSC::DFG::StackLayoutPhase::run):
3224         * dfg/DFGStrengthReductionPhase.cpp:
3225         (JSC::DFG::StrengthReductionPhase::handleNode):
3226         * dfg/DFGStructureRegistrationPhase.cpp:
3227         (JSC::DFG::StructureRegistrationPhase::run):
3228         * dfg/DFGUnificationPhase.cpp:
3229         (JSC::DFG::UnificationPhase::run):
3230         * dfg/DFGValidate.cpp:
3231         (JSC::DFG::Validate::validateCPS):
3232         * dfg/DFGValueSource.cpp:
3233         (JSC::DFG::ValueSource::dump):
3234         * dfg/DFGValueSource.h:
3235         (JSC::DFG::dataFormatToValueSourceKind):
3236         (JSC::DFG::valueSourceKindToDataFormat):
3237         (JSC::DFG::ValueSource::ValueSource):
3238         (JSC::DFG::ValueSource::forFlushFormat):
3239         (JSC::DFG::ValueSource::valueRecovery):
3240         * dfg/DFGVarargsForwardingPhase.cpp: Added.
3241         (JSC::DFG::performVarargsForwarding):
3242         * dfg/DFGVarargsForwardingPhase.h: Added.
3243         * dfg/DFGVariableAccessData.cpp:
3244         (JSC::DFG::VariableAccessData::VariableAccessData):
3245         (JSC::DFG::VariableAccessData::flushFormat):
3246         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
3247         * dfg/DFGVariableAccessData.h:
3248         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
3249         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
3250         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
3251         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
3252         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
3253         * dfg/DFGVariableAccessDataDump.cpp:
3254         (JSC::DFG::VariableAccessDataDump::dump):
3255         * dfg/DFGVariableAccessDataDump.h:
3256         * dfg/DFGVariableEventStream.cpp:
3257         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
3258         * dfg/DFGVariableEventStream.h:
3259         * ftl/FTLAbstractHeap.cpp:
3260         (JSC::FTL::AbstractHeap::dump):
3261         (JSC::FTL::AbstractField::dump):
3262         (JSC::FTL::IndexedAbstractHeap::dump):
3263         (JSC::FTL::NumberedAbstractHeap::dump):
3264         (JSC::FTL::AbsoluteAbstractHeap::dump):
3265         * ftl/FTLAbstractHeap.h:
3266         * ftl/FTLAbstractHeapRepository.cpp:
3267         * ftl/FTLAbstractHeapRepository.h:
3268         * ftl/FTLCapabilities.cpp:
3269         (JSC::FTL::canCompile):
3270         * ftl/FTLCompile.cpp:
3271         (JSC::FTL::mmAllocateDataSection):
3272         * ftl/FTLExitArgument.cpp:
3273         (JSC::FTL::ExitArgument::dump):
3274         * ftl/FTLExitPropertyValue.cpp:
3275         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
3276         * ftl/FTLExitPropertyValue.h:
3277         * ftl/FTLExitTimeObjectMaterialization.cpp:
3278         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
3279         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
3280         * ftl/FTLExitTimeObjectMaterialization.h:
3281         (JSC::FTL::ExitTimeObjectMaterialization::origin):
3282         * ftl/FTLExitValue.cpp:
3283         (JSC::FTL::ExitValue::withLocalsOffset):
3284         (JSC::FTL::ExitValue::valueFormat):
3285         (JSC::FTL::ExitValue::dumpInContext):
3286         * ftl/FTLExitValue.h:
3287         (JSC::FTL::ExitValue::isArgument):
3288         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
3289         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
3290         (JSC::FTL::ExitValue::valueFormat): Deleted.
3291         * ftl/FTLInlineCacheSize.cpp:
3292         (JSC::FTL::sizeOfCallForwardVarargs):
3293         (JSC::FTL::sizeOfConstructForwardVarargs):
3294         (JSC::FTL::sizeOfICFor):
3295         * ftl/FTLInlineCacheSize.h:
3296         * ftl/FTLIntrinsicRepository.h:
3297         * ftl/FTLJSCallVarargs.cpp:
3298         (JSC::FTL::JSCallVarargs::JSCallVarargs):
3299         (JSC::FTL::JSCallVarargs::emit):
3300         * ftl/FTLJSCallVarargs.h:
3301         * ftl/FTLLowerDFGToLLVM.cpp:
3302         (JSC::FTL::LowerDFGToLLVM::lower):
3303         (JSC::FTL::LowerDFGToLLVM::compileNode):
3304         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
3305         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
3306         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
3307         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
3308         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3309         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
3310         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
3311         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
3312         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
3313         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
3314         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
3315         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
3316         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
3317         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
3318         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
3319         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
3320         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
3321         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
3322         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
3323         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
3324         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
3325         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
3326         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
3327         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
3328         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
3329         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
3330         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
3331         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
3332         (JSC::FTL::LowerDFGToLLVM::baseIndex):
3333         (JSC::FTL::LowerDFGToLLVM::allocateObject):