[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
        Added a comment explaining why.

2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>

        FTL JIT tests should fail if LLVM library isn't available
        https://bugs.webkit.org/show_bug.cgi?id=143374

        Reviewed by Mark Lam.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.h:

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Fix the EFL and GTK build after r182243
        https://bugs.webkit.org/show_bug.cgi?id=143361

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt: InspectorBackendCommands.js is generated in the
        DerivedSources/JavaScriptCore/inspector/ directory.

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, fixing Clang builds of the GTK port on Linux.

        * runtime/Options.cpp:
        Include the <math.h> header for isnan().

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Enhance ability to dump JSC Options.
        <https://webkit.org/b/143357>

        Reviewed by Benjamin Poulain.

        Some enhancements to how the JSC options work:

        1. Add a JSC_showOptions option which take values: 0 = None, 1 = Overridden only,
           2 = All, 3 = Verbose.

           The default is 0 (None).  This dumps nothing.
           With the Overridden setting, at VM initialization time, we will dump all
           option values that have been changed from their default.
           With the All setting, at VM initialization time, we will dump all option values.
           With the Verbose setting, at VM initialization time, we will dump all option
           values along with their descriptions (if available).

        2. We now store a copy of the default option values.

           We later use this for comparison to tell if an option has been overridden, and
           print the default value for reference.  As a result, we no longer need the
           didOverride flag since we can compute whether the option is overridden at any time.

        3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).

           This will come in handy later when we want to rename some of the options to more sane
           names that are easier to remember.  For example, we can change
           Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
           Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
           of the description, we can afford to use shorter and less descriptive option names,
           but they will be easier to remember and use for day to day debugging work.

           In this patch, I did not change the names of any of the options yet.  I only added
           description strings for options that I know about, and where I think the option name
           isn't already descriptive enough.

        4. Also deleted some unused code.

        * jsc.cpp:
        (CommandLine::parseArguments):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        (JSC::Options::setOption):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        (JSC::Options::Option::dump):
        (JSC::Options::Option::operator==):
        * runtime/Options.h:
        (JSC::OptionRange::rangeString):
        (JSC::Options::Option::Option):
        (JSC::Options::Option::operator!=):

2015-04-02  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.

        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue isArray]):
        (-[JSValue isDate]): Added an ObjC API.

        * API/JSValueRef.cpp:
        (JSValueIsArray):
        (JSValueIsDate):
        * API/JSValueRef.h: Added a C API.

        * API/WebKitAvailability.h: Brought our availability macros up to date
        and fixed a harmless bug where "10_10" translated to "10.0".

        * API/tests/testapi.c:
        (main): Added a test and corrected a pre-existing leak.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Added a test.

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Add Options::dumpSourceAtDFGTime().
        <https://webkit.org/b/143349>

        Reviewed by Oliver Hunt, and Michael Saboff.

        Sometimes, we will want to see the JS source code that we're compiling, and it
        would be nice to be able to do this without having to jump thru a lot of hoops.
        So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
        Options::dumpBytecodeAtDFGTime() option.

        Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
        that explicitly take no arguments (instead of relying on the version that takes
        the default argument).  These versions are friendlier to use when we want to call
        them from an interactive debugging session.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * runtime/Options.h:

2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up EnumerationMode to easily extend
        https://bugs.webkit.org/show_bug.cgi?id=143276

        Reviewed by Geoffrey Garen.

        To make the followings easily,
        1. Adding new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
        2. Make ExcludeSymbols implicitly default for the existing flags
        we encapsulate EnumerationMode flags into EnumerationMode class.

        And this class manages 2 flags. Later it will be extended to 3.
        1. DontEnumPropertiesMode (default is Exclude)
        2. JSObjectPropertiesMode (default is Include)
        3. SymbolPropertiesMode (default is Exclude)
            SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.

        This patch replaces places using ExcludeDontEnumProperties
        to EnumerationMode() value which represents default mode.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeDontEnumProperties):
        (JSC::EnumerationMode::includeJSObjectProperties):
        (JSC::shouldIncludeDontEnumProperties): Deleted.
        (JSC::shouldExcludeDontEnumProperties): Deleted.
        (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
        (JSC::modeThatSkipsJSObject): Deleted.
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnNonIndexPropertyNames):
        (JSC::RegExpObject::getPropertyNames):
        (JSC::RegExpObject::getGenericPropertyNames):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

2015-04-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Windows and Mac.
        https://bugs.webkit.org/show_bug.cgi?id=143293

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Enabled using assembly on Windows.
        Replaced unix commands with CMake commands.
        * PlatformMac.cmake:
        Tell open source builders where to find unicode headers.

2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        IteratorClose should be called when jumping over the target for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=143140

        Reviewed by Geoffrey Garen.

        This patch fixes labeled break/continue behaviors with for-of and iterators.

        1. Support IteratorClose beyond multiple loop contexts
        Previously, IteratorClose is only executed in for-of's breakTarget().
        However, this misses IteratorClose execution when statement roll-ups multiple control flow contexts.
        For example,
        outer: for (var e1 of outer) {
            inner: for (var e2 of inner) {
                break outer;
            }
        }
        In this case, return method of inner should be called.
        We leverage the existing system for `finally` to execute inner.return method correctly.
        Leveraging `finally` system fixes `break`, `continue` and `return` cases.
        `throw` case is already supported by emitting try-catch handlers in for-of.

        2. Incorrect LabelScope creation is done in ForOfNode
        ForOfNode creates duplicated LabelScope.
        It causes infinite loop when executing the following program that contains
        explicitly labeled for-of loop.
        For example,
        inner: for (var elm of array) {
            continue inner;
        }

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::pushIteratorCloseContext):
        (JSC::BytecodeGenerator::popFinallyContext):
        (JSC::BytecodeGenerator::popIteratorCloseContext):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorClose):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForOfNode::emitBytecode):
        * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
        (createIterator.iterator.return):
        (createIterator):
        * tests/stress/raise-error-in-iterator-close.js: Added.
        (createIterator.iterator.return):
        (createIterator):

2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Symbol.unscopables
        https://bugs.webkit.org/show_bug.cgi?id=142829

        Reviewed by Geoffrey Garen.

        This patch introduces Symbol.unscopables functionality.
        In ES6, some generic names (like keys, values) are introduced
        as Array's method name. And this breaks the web since some web sites
        use like the following code.

        var values = ...;
        with (array) {
            values;  // This values is trapped by array's method "values".
        }

        To fix this, Symbol.unscopables introduces blacklist
        for with scope's trapping. When resolving scope,
        if name is found in the target scope and the target scope is with scope,
        we check Symbol.unscopables object to filter generic names.

        This functionality is only active for with scopes.
        Global scope does not have unscopables functionality.

        And since
        1) op_resolve_scope for with scope always return Dynamic resolve type,
        2) in that case, JSScope::resolve is always used in JIT and LLInt,
        3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
        to implement this functionality, we just change JSScope::resolve and no need to change JIT code.
        So performance regression is only visible in Dynamic resolving case, and it is already much slow.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::runtimeFlags):
        * runtime/JSScope.cpp:
        (JSC::isUnscopable):
        (JSC::JSScope::resolve):
        * runtime/JSScope.h:
        (JSC::ScopeChainIterator::scope):
        * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
        (test):
        * tests/stress/unscopables.js: Added.
        (test):
        (.):

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 class syntax should allow static setters and getters
        https://bugs.webkit.org/show_bug.cgi?id=143180

        Reviewed by Filip Pizlo

        Apparently I misread the spec when I initially implemented parseClass.
        ES6 class syntax allows static getters and setters so just allow that.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-03-31  Filip Pizlo  <fpizlo@apple.com>

        PutClosureVar CSE def() rule has a wrong base
        https://bugs.webkit.org/show_bug.cgi?id=143280

        Reviewed by Michael Saboff.
        
        I think that this code was incorrect in a benign way, since the base of a
        PutClosureVar is not a JS-visible object. But it was preventing some optimizations.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182200.
        https://bugs.webkit.org/show_bug.cgi?id=143279

        Probably causing assertion extravaganza on bots. (Requested by
        kling on #webkit).

        Reverted changeset:

        "Logically empty WeakBlocks should not pin down their
        MarkedBlocks indefinitely."
        https://bugs.webkit.org/show_bug.cgi?id=143210
        http://trac.webkit.org/changeset/182200

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up Identifier factories to clarify the meaning of StringImpl*
        https://bugs.webkit.org/show_bug.cgi?id=143146

        Reviewed by Filip Pizlo.

        In the a lot of places, `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
        However, it's ambiguous because `StringImpl*` has 2 different meanings.
        1) normal string, it is replacable with `WTFString` and
        2) `uid`, which holds `isSymbol` information to represent Symbols.
        So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
        + `Identifier::fromString(VM*/ExecState*, const String&)`.
        Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
        + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
        This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.

        And to clean up `StringImpl` which is used as uid,
        we introduce `StringKind` into `StringImpl`. There's 3 kinds
        1. StringNormal (non-atomic, non-symbol)
        2. StringAtomic (atomic, non-symbol)
        3. StringSymbol (non-atomic, symbol)
        They are mutually exclusive. And (atomic, symbol) case should not exist.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        (JSC::BytecodeGenerator::emitEnumeration):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        (functionRun):
        (runWithScripts):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::createBindingPattern):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        (JSC::IdentifierArena::makeNumericIdentifier):
        * runtime/ArgumentsIteratorPrototype.cpp:
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncPush):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::hasErrorInfo):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/Identifier.h:
        (JSC::Identifier::isSymbol):
        (JSC::Identifier::Identifier):
        (JSC::Identifier::from): Deleted.
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::fromUid):
        (JSC::Identifier::fromString):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        (JSC::makeIdentifier):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::makeIdentifier):
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::addKnownUnique):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/SymbolConstructor.cpp:
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):

2015-03-31  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
        https://bugs.webkit.org/show_bug.cgi?id=142883

        Reviewed by Filip Pizlo.

        The crash was caused by eval inside the constructor of a derived class not checking TDZ.

        Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
        in eval inside a derived class' constructor.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::thisExpr):
        * parser/NodeConstructors.h:
        (JSC::ThisNode::ThisNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::thisExpr):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
        * tests/stress/class-syntax-tdz-in-eval.js: Added.

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182186.
        https://bugs.webkit.org/show_bug.cgi?id=143270

        it crashes all the WebGL tests on the Debug bots (Requested by
        dino on #webkit).

        Reverted changeset:

        "Web Inspector: add 2D/WebGL canvas instrumentation
        infrastructure"
        https://bugs.webkit.org/show_bug.cgi?id=137278
        http://trac.webkit.org/changeset/182186

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
        https://bugs.webkit.org/show_bug.cgi?id=142937

        Reviewed by Darin Adler.

        In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
        In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
        But now, several functions perform ToObject onto a non-object parameter.
        And others behaves as if a parameter is a non-extensible ordinary object with no own properties.
        It is described in ES6 Annex E.
        Functions different from ES5 are following.

        1. An attempt is make to coerce the argument using ToObject.
            Object.getOwnPropertyDescriptor
            Object.getOwnPropertyNames
            Object.getPrototypeOf
            Object.keys

        2. Treated as if it was a non-extensible ordinary object with no own properties.
            Object.freeze
            Object.isExtensible
            Object.isFrozen
            Object.isSealed
            Object.preventExtensions
            Object.seal

        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        * tests/stress/object-freeze-accept-non-object.js: Added.
        * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
        (canary):
        * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
        * tests/stress/object-is-extensible-accept-non-object.js: Added.
        * tests/stress/object-is-frozen-accept-non-object.js: Added.
        * tests/stress/object-is-sealed-accept-non-object.js: Added.
        * tests/stress/object-keys-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
        * tests/stress/object-seal-accept-non-object.js: Added.

2015-03-31  Matt Baker  <mattbaker@apple.com>

        Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
        https://bugs.webkit.org/show_bug.cgi?id=137278

        Reviewed by Timothy Hatcher.

        Added Canvas protocol which defines types used by InspectorCanvasAgent.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.

2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>

        Extending null should set __proto__ to null
        https://bugs.webkit.org/show_bug.cgi?id=142882

        Reviewed by Geoffrey Garen and Benjamin Poulain.

        Set Derived.prototype.__proto__ to null when extending null.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):

2015-03-30  Mark Lam  <mark.lam@apple.com>

        REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
        <https://webkit.org/b/143105>

        Reviewed by Filip Pizlo.

        With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
        on OSR exits from DFG / FTL frames where this elision has take place, we may get baseline
        JIT frames that may have its scope register not set.  The Debugger's current implementation
        which relies on the scope register is not happy about this.  For example, this results in a
        crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.

        The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
        ensure that the scope register value is flushed to the register in the stack frame.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::flush):
        - Add code to flush the scope register.
        (JSC::DFG::ByteCodeParser::inliningCost):
        - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
          disabling inlining whenever the debugger is in use.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasDebuggerEnabled):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.

2015-03-30  Michael Saboff  <msaboff@apple.com>

        Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=138391

        Reviewed by Mark Lam.

        Re-enabling these tests as I can't get them to fail on local iOS test devices.
        There have been many changes since these tests were disabled.
        I'll watch automated test results for failures.  If there are failures running automated
        testing, it might be due to the device's relative CPU performance.
        
        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Regression: Preview for [[null]] shouldn't be []
        https://bugs.webkit.org/show_bug.cgi?id=143208

        Reviewed by Mark Lam.

        * inspector/InjectedScriptSource.js:
        Handle null when generating simple object previews.

2015-03-30  Per Arne Vollan  <peavo@outlook.com>

        Avoid using hardcoded values for JSValue::Int32Tag, if possible.
        https://bugs.webkit.org/show_bug.cgi?id=143134

        Reviewed by Geoffrey Garen.

        * jit/JSInterfaceJIT.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2015-03-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
        https://bugs.webkit.org/show_bug.cgi?id=143104

        Reviewed by Geoffrey Garen.
        
        Created a test that is a 100% repro of the flaky failure. This test is called
        get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
        always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
        the inlined function. Other than that, it's the same as inline-arguments-local-escape.
        
        Also created three more tests for three similar, but not identical, failures.
        
        Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
        only reading those parts of the stack that are relevant to the current semantic code origin.
        That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
        like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
        read parts of the stack associated with the inline call frame for the phantom arguments. This
        may not be subsumed by the current semantic origin's stack area in cases that the arguments
        were allowed to "locally" escape.
        
        The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
        is not really a meaningful concept anymore. It is only meaningful for nodes that will read
        the stack due to function.arguments, but there are a bunch of other ways that we could also
        read the stack and those operations may read any stack slot. I believe that this change makes
        PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
        on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
        readTop() in PreciseLocalClobberize does the right thing.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
        * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.

2015-03-30  Benjamin Poulain  <benjamin@webkit.org>

        Start the features.json files
        https://bugs.webkit.org/show_bug.cgi?id=143207

        Reviewed by Darin Adler.

        Start the features.json files to have something to experiment
        with for the UI.

        * features.json: Added.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Addresing post-review comment after r182122
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Unreviewed.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Allow building JavaScriptCore without Cygwin
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Reviewed by Brent Fulgham.

        Paths like /usr/bin/ don't exist on Windows.
        Hashbangs don't work on Windows. Instead we must explicitly call the executable.
        Prefixing commands with environment variables doesn't work on Windows.
        Windows doesn't have 'cmp'
        Windows uses 'del' instead of 'rm'
        Windows uses 'type NUL' intead of 'touch'

        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
        * JavaScriptCore.vcxproj/build-generated-files.pl:
        * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.

2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>

        Clean up JavaScriptCore/builtins
        https://bugs.webkit.org/show_bug.cgi?id=143177

        Reviewed by Ryosuke Niwa.

        * builtins/ArrayConstructor.js:
        (from):
        - We can compare to undefined instead of using a typeof undefined check.
        - Converge on double quoted strings everywhere.

        * builtins/ArrayIterator.prototype.js:
        (next):
        * builtins/StringIterator.prototype.js:
        (next):
        - Use shorthand object construction to avoid duplication.
        - Improve grammar in error messages.

        * tests/stress/array-iterators-next-with-call.js:
        * tests/stress/string-iterators.js:
        - Update for new error message strings.

2015-03-28  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: ES6: Better support for Symbol types in Type Profiler
        https://bugs.webkit.org/show_bug.cgi?id=141257

        Reviewed by Joseph Pecoraro.

        ES6 introduces the new primitive type Symbol. This patch makes JSC's 
        type profiler support this new primitive type.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * inspector/protocol/Runtime.json:
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        * runtime/RuntimeType.h:
        (JSC::runtimeTypeIsPrimitive):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::doesTypeConformTo):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::TypeSet::toJSONString):
        * runtime/TypeSet.h:
        (JSC::TypeSet::seenTypes):
        * tests/typeProfiler/driver/driver.js:
        * tests/typeProfiler/symbol.js: Added.
        (wrapper.foo):
        (wrapper.bar):
        (wrapper.bar.bar.baz):
        (wrapper):

2015-03-27  Saam Barati  <saambarati1@gmail.com>

        Deconstruction parameters are bound too late
        https://bugs.webkit.org/show_bug.cgi?id=143148

        Reviewed by Filip Pizlo.

        Currently, a deconstruction pattern named with the same
        name as a function will shadow the function. This is
        wrong. It should be the other way around.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):

2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
        https://bugs.webkit.org/show_bug.cgi?id=143170

        Reviewed by Benjamin Poulain.

        Assert that we never use 16-bit version of the parser to parse a default constructor
        since both base and derived default constructors should be using a 8-bit string.

        * parser/Parser.h:
        (JSC::parse):

2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
        https://bugs.webkit.org/show_bug.cgi?id=142862

        Reviewed by Benjamin Poulain.

        Add a test that used to fail in DFG now that the bug has been fixed by r181993.

        * tests/stress/class-syntax-derived-default-constructor.js: Added.

2015-03-27  Michael Saboff  <msaboff@apple.com>

        load8Signed() and load16Signed() should be renamed to avoid confusion
        https://bugs.webkit.org/show_bug.cgi?id=143168

        Reviewed by Benjamin Poulain.

        Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM::load8Signed): Deleted.
        (JSC::MacroAssemblerARM::load16Signed): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load16Signed): Deleted.
        (JSC::MacroAssemblerARM64::load8Signed): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
        (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
        (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load16):
        (JSC::MacroAssemblerSH4::load8Signed): Deleted.
        (JSC::MacroAssemblerSH4::load16Signed): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
        (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):

2015-03-27  Michael Saboff  <msaboff@apple.com>

        Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=138390

        Reviewed by Mark Lam.

        Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
        instead of 64 bits.  This is what X86-64 does.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16Signed):
        (JSC::MacroAssemblerARM64::load8Signed):

2015-03-27  Saam Barati  <saambarati1@gmail.com>

        Add back previously broken assert from bug 141869
        https://bugs.webkit.org/show_bug.cgi?id=143005

        Reviewed by Michael Saboff.

        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Make some more objects use FastMalloc
        https://bugs.webkit.org/show_bug.cgi?id=143122

        Reviewed by Csaba Osztrogonác.

        * API/JSCallbackObject.h:
        * heap/IncrementalSweeper.h:
        * jit/JITThunks.h:
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/RegExpCache.h:

2015-03-27  Michael Saboff  <msaboff@apple.com>

        Objects with numeric properties intermittently get a phantom 'length' property
        https://bugs.webkit.org/show_bug.cgi?id=142792

        Reviewed by Csaba Osztrogonác.

        Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
        test and branch instructions.  This function is used for linking tbz/tbnz branches between
        two seperately JIT'ed sections of code.  Sometime we'd create a bogus tbz instruction in
        the failure case checks in the GetById array length stub created for "obj.length" access.
        If the failure case code address was at a negative offset from the stub, we'd look for bit 1
        being set when we should have been looking for bit 0.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):

2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Insert exception check around toPropertyKey call
        https://bugs.webkit.org/show_bug.cgi?id=142922

        Reviewed by Geoffrey Garen.

        In some places, exception check is missing after/before toPropertyKey.
        However, since it calls toString, it's observable to users,

        Missing exception checks in Object.prototype methods can be
        observed since it would be overridden with toObject(null/undefined) errors.
        We inserted exception checks after toPropertyKey.

        Missing exception checks in GetById related code can be
        observed since it would be overridden with toObject(null/undefined) errors.
        In this case, we need to insert exception checks before/after toPropertyKey
        since RequireObjectCoercible followed by toPropertyKey can cause exceptions.

        JSValue::get checks null/undefined and raise an exception if |this| is null or undefined.
        However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
        According to the spec, we first perform RequireObjectCoercible and check the exception.
        And second, we perform ToPropertyKey and check the exception.
        Since JSValue::toPropertyKey can cause toString call, this is observable to users.
        For example, if the target is not object coercible,
        ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
        So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.

        This patch introduces JSValue::requireObjectCoercible and use it because of the following 2 reasons.

        1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.

        toObject converts primitive types into wrapper objects.
        But it is not efficient since wrapper objects are not necessary
        if we look up methods from primitive values's prototype. (using synthesizePrototype is better).

        2. Using the result of toObject is not correct to the spec.

        To align to the spec correctly, we cannot use JSObject::get
        by using the wrapper object produced by the toObject suggested in (1).
        If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
        It is not correct since getter should be called with the original |this| value that may be primitive types.

        So in this patch, we use JSValue::requireObjectCoercible
        to check the target is object coercible and raise an error if it's not.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::requireObjectCoercible):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
        (shouldThrow):
        (if):
        * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
        (shouldThrow):
        (.):

2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>

        WebContent Crash when instantiating class with Type Profiling enabled
        https://bugs.webkit.org/show_bug.cgi?id=143037

        Reviewed by Ryosuke Niwa.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMoveEmptyValue):
        We cannot profile the type of an uninitialized empty JSValue.
        Nor do we expect this to be necessary, since it is effectively
        an unseen undefined value. So add a way to put the empty value
        without profiling.

        (JSC::BytecodeGenerator::emitMove):
        Add an assert to try to catch this issue early on, and force
        callers to explicitly use emitMoveEmptyValue instead.

        * tests/typeProfiler/classes.js: Added.
        (wrapper.Base):
        (wrapper.Derived):
        (wrapper):
        Add test coverage both for this case and classes in general.

2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Provide a better view for Classes in the console
        https://bugs.webkit.org/show_bug.cgi?id=142999

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Runtime.json:
        Provide a new `subtype` enum "class". This is a subtype of `type`
        "function", all other subtypes are subtypes of `object` types.
        For a class, the frontend will immediately want to get the prototype
        to enumerate its methods, so include the `classPrototype`.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        Denote class construction functions as "class" subtypes.

        * inspector/InjectedScriptSource.js:
        Handling for the new "class" type.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::isClassConstructorFunction):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::isClassConstructorFunction):
        Check if this function is a class constructor function. That information
        is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Function.prototype.toString should not decompile the AST
        https://bugs.webkit.org/show_bug.cgi?id=142853

        Reviewed by Darin Adler.

        Following up on Darin's review comments.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        "lineNo" does not match WebKit coding style guidelines
        https://bugs.webkit.org/show_bug.cgi?id=143119

        Reviewed by Michael Saboff.

        We can afford to use whole words.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::lineNumberForBytecodeOffset):
        (JSC::CodeBlock::expressionRangeForBytecodeOffset):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedCodeBlock.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::WhileNode::emitBytecode):
        * debugger/Debugger.cpp:
        (JSC::Debugger::toggleBreakpoint):
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::computeLineAndColumn):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::execute):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        * parser/Nodes.h:
        (JSC::Node::firstLine):
        (JSC::Node::lineNo): Deleted.
        (JSC::StatementNode::firstLine): Deleted.
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):
        * profiler/LegacyProfiler.cpp:
        (JSC::createCallIdentifierFromFunctionImp):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::firstLine):
        (JSC::ScriptExecutable::setOverrideLineNumber):
        (JSC::ScriptExecutable::hasOverrideLineNumber):
        (JSC::ScriptExecutable::overrideLineNumber):
        (JSC::ScriptExecutable::lineNo): Deleted.
        (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
        (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
        (JSC::ScriptExecutable::overrideLineNo): Deleted.
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::report):
        * tools/CodeProfile.h:
        (JSC::CodeProfile::CodeProfile):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
        https://bugs.webkit.org/show_bug.cgi?id=142974

        Reviewed by Joseph Pecoraro.

        This patch does two things:

        (1) Restore JavaScriptCore's sanitization of line and column numbers to
        one-based values.

        We need this because WebCore sometimes provides huge negative column
        numbers.

        (2) Solve the attribute event listener line numbering problem a different
        way: Rather than offseting all line numbers by -1 in an attribute event
        listener in order to arrange for a custom result, instead use an explicit
        feature for saying "all errors in this code should map to this line number".

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedCodeBlock.h:
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::computeLineAndColumn):
        (JSC::GetStackTraceFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject): Plumb through an override line number.
        When a function has an override line number, all syntax and runtime
        errors in the function will map to it. This is useful for attribute event
        listeners.
 
        * parser/SourceCode.h:
        (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
        column numbers to one-based integers. It was kind of a hack to remove this.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::setOverrideLineNo):
        (JSC::ScriptExecutable::hasOverrideLineNo):
        (JSC::ScriptExecutable::overrideLineNo):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h: Plumb through an override line number.

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.

        Reviewed by Michael Saboff.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
        https://bugs.webkit.org/show_bug.cgi?id=143098

        Reviewed by Csaba Osztrogonác.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
        * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.

2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed gardening, skip failing tests on AArch64 Linux.

        * tests/mozilla/mozilla-tests.yaml:
        * tests/stress/cached-prototype-setter.js:

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
        * ftl/FTLState.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
        right, so this just makes 32-bit do the same.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix a typo that ggaren found but that I didn't fix before.

        * runtime/DirectArgumentsOffset.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, VC found a bug. This fixes the bug.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, try to fix Windows build.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix debug build.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstDeclNode::emitCodeSingle):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * dfg/DFGMinifiedID.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Heap variables shouldn't end up in the stack frame
        https://bugs.webkit.org/show_bug.cgi?id=141174

        Reviewed by Geoffrey Garen.
        
        This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
        any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
        longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
        simplifications:
        
        - Accesses to variables no longer need checks or indirections to determine where the variable is
          at that moment in time. For example, loading a closure variable now takes just one load instead
          of two. Loading an argument by index now takes a bounds check and a load in the fastest case
          (when no arguments object allocation is required) while previously that same operation required
          a "did I allocate arguments yet" check, a bounds check, and then the load.
        
        - Reasoning about the allocation of an activation or arguments object now follows the same simple
          logic as the allocation of any other kind of object. Previously, those objects were lazily
          allocated - so an allocation instruction wasn't the actual allocation site, since it might not
          allocate anything at all. This made the implementation of traditional escape analyses really
          awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
          arguments object using the usual SSA tricks which allows for more comprehensive removal.
        
        - The allocations of arguments objects, functions, and activations are now much faster. While
          this patch generally expands our ability to eliminate arguments object allocations, an earlier
          version of the patch - which lacked that functionality - was a progression on some arguments-
          and closure-happy benchmarks because although no allocations were eliminated, all allocations
          were faster.
        
        - There is no tear-off. The runtime no loner needs to know about where on the stack a frame keeps
          its arguments objects or activations. The runtime doesn't have to do things to the arguments
          objects and activations that a frame allocated, when the frame is unwound. We always had horrid
          bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
          FTL, CodeBlock, and other places. All of the things having to do with "captured variables" is
          now gone. This also enables implementing block-scoping. Without this change, block-scope
          support would require telling CodeBlock and all of the rest of the runtime about all of the
          variables that store currently-live scopes. That would have been so disastrously hard that it
          might as well be impossible. With this change, it's fair game for the bytecode generator to
          simply allocate whatever activations it wants, wherever it wants, and to keep them live for
          however long it wants. This all works, because after bytecode generation, an activation is just
          an object and variables that refer to it are just normal variables.
        
        - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
          VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
          used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
          of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
          an arguments object.
        
        - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
          using activations used to prevent inlining; now functions that use activations can be inlined
          just fine.
        
        This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
        speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
        It's only a slow-down on very short-running microbenchmarks we had previously written for our old
        style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
        
        The easiest way of understanding this change is to start by looking at the changes in runtime/,
        and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForJSType):
        (JSC::hasOptimizableIndexing):
        (JSC::jitArrayModeForJSType):
        (JSC::jitArrayModePermitsPut):
        (JSC::jitArrayModeForStructure):
        * bytecode/BytecodeKills.h: Added.
        (JSC::BytecodeKills::BytecodeKills):
        (JSC::BytecodeKills::operandIsKilled):
        (JSC::BytecodeKills::forEachOperandKilledAt):
        (JSC::BytecodeKills::KillSet::KillSet):
        (JSC::BytecodeKills::KillSet::add):
        (JSC::BytecodeKills::KillSet::forEachLocal):
        (JSC::BytecodeKills::KillSet::contains):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::isValidRegisterForLiveness):
        (JSC::stepOverInstruction):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
        (JSC::BytecodeLivenessAnalysis::computeKills):
        (JSC::indexForOperand): Deleted.
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
        (JSC::getLivenessInfo): Deleted.
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::operandIsAlwaysLive):
        (JSC::operandThatIsNotAlwaysLiveIsLive):
        (JSC::operandIsLive):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::nameForRegister):
        (JSC::CodeBlock::validate):
        (JSC::CodeBlock::isCaptured): Deleted.
        (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
        (JSC::CodeBlock::machineSlowArguments): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::unmodifiedArgumentsRegister): Deleted.
        (JSC::CodeBlock::setArgumentsRegister): Deleted.
        (JSC::CodeBlock::argumentsRegister): Deleted.
        (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
        (JSC::CodeBlock::usesArguments): Deleted.
        (JSC::CodeBlock::captureCount): Deleted.
        (JSC::CodeBlock::captureStart): Deleted.
        (JSC::CodeBlock::captureEnd): Deleted.
        (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
        (JSC::CodeBlock::hasSlowArguments): Deleted.
        (JSC::ExecState::argumentAfterCapture): Deleted.
        * bytecode/CodeOrigin.h:
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/FullBytecodeLiveness.h:
        (JSC::FullBytecodeLiveness::getLiveness):
        (JSC::FullBytecodeLiveness::operandIsLive):
        (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
        (JSC::FullBytecodeLiveness::getOut): Deleted.
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Operands.h:
        (JSC::Operands::virtualRegisterForIndex):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        (JSC::isDirectArgumentsSpeculation):
        (JSC::isScopedArgumentsSpeculation):
        (JSC::isActionableMutableArraySpeculation):
        (JSC::isActionableArraySpeculation):
        (JSC::isArgumentsSpeculation): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
        (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::dumpInContext):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
        (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
        (JSC::ValueRecovery::nodeID):
        (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::operator==):
        (JSC::VirtualRegister::operator!=):
        (JSC::VirtualRegister::operator<):
        (JSC::VirtualRegister::operator>):
        (JSC::VirtualRegister::operator<=):
        (JSC::VirtualRegister::operator>=):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeNextParameter):
        (JSC::BytecodeGenerator::visibleNameForParameter):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::initializeVariable):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::isArgumentNumber):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::addVar): Deleted.
        (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
        (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
        (JSC::BytecodeGenerator::resolveCallee): Deleted.
        (JSC::BytecodeGenerator::addCallee): Deleted.
        (JSC::BytecodeGenerator::addParameter): Deleted.
        (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
        (JSC::BytecodeGenerator::isCaptured): Deleted.
        (JSC::BytecodeGenerator::local): Deleted.
        (JSC::BytecodeGenerator::constLocal): Deleted.
        (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
        (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
        (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
        (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
        (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::Variable):
        (JSC::Variable::isResolved):
        (JSC::Variable::ident):
        (JSC::Variable::offset):
        (JSC::Variable::isLocal):
        (JSC::Variable::local):
        (JSC::Variable::isSpecial):
        (JSC::BytecodeGenerator::argumentsRegister):
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::registerFor):
        (JSC::Local::Local): Deleted.
        (JSC::Local::operator bool): Deleted.
        (JSC::Local::get): Deleted.
        (JSC::Local::isSpecial): Deleted.
        (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
        (JSC::ResolveScopeInfo::isLocal): Deleted.
        (JSC::ResolveScopeInfo::localIndex): Deleted.
        (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::captureMode): Deleted.
        (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
        (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
        (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
        (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ArrayPatternNode::emitDirectBinding):
        (JSC::BindingNode::bindValue):
        (JSC::getArgumentByVal): Deleted.
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
        * dfg/DFGAbstractValue.h:
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::addVariable):
        * dfg/DFGArgumentsEliminationPhase.cpp: Added.
        (JSC::DFG::performArgumentsElimination):
        * dfg/DFGArgumentsEliminationPhase.h: Added.
        * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
        * dfg/DFGArgumentsSimplificationPhase.h: Removed.
        * dfg/DFGArgumentsUtilities.cpp: Added.
        (JSC::DFG::argumentsInvolveStackSlot):
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGArgumentsUtilities.h: Added.
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayTypeToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::canCSEStorage):
        (JSC::DFG::ArrayMode::modeForPut):
        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::prune):
        * dfg/DFGAvailabilityMap.h:
        (JSC::DFG::AvailabilityMap::closeOverNodes):
        (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::newVariableAccessData):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
        (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupportedForInlining):
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGDisassembler.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGForAllKills.h: Added.
        (JSC::DFG::forAllLiveNodesAtTail):
        (JSC::DFG::forAllDirectlyKilledOperands):
        (JSC::DFG::forAllKilledOperands):
        (JSC::DFG::forAllKilledNodesAtNodeIndex):
        (JSC::DFG::forAllKillsInBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::substituteGetLocal):
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::killsFor):
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        (JSC::DFG::Graph::tryGetRegisters): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::symbolTableFor):
        (JSC::DFG::Graph::uses):
        (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
        (JSC::DFG::Graph::capturedVarsFor): Deleted.
        (JSC::DFG::Graph::usesArguments): Deleted.
        (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
        (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
        (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGMinifiedID.h:
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasInlineCallFrame):
        (JSC::DFG::MinifiedNode::inlineCallFrame):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentityOn):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::constant):
        (JSC::DFG::Node::hasScopeOffset):
        (JSC::DFG::Node::scopeOffset):
        (JSC::DFG::Node::hasDirectArgumentsOffset):
        (JSC::DFG::Node::capturedArgumentsOffset):
        (JSC::DFG::Node::variablePointer):
        (JSC::DFG::Node::hasCallVarargsData):
        (JSC::DFG::Node::hasLoadVarargsData):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::objectMaterializationData):
        (JSC::DFG::Node::isPhantomAllocation):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        (JSC::DFG::Node::shouldSpeculateDirectArguments):
        (JSC::DFG::Node::shouldSpeculateScopedArguments):
        (JSC::DFG::Node::isPhantomArguments): Deleted.
        (JSC::DFG::Node::hasVarNumber): Deleted.
        (JSC::DFG::Node::varNumber): Deleted.
        (JSC::DFG::Node::registerPointer): Deleted.
        (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
        (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
        (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::preciseLocalClobberize):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
        (JSC::DFG::forEachLocalReadByUnwind): Deleted.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
        * dfg/DFGPromoteHeapAccess.h:
        (JSC::DFG::promoteHeapAccess):
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (JSC::DFG::SpeculativeJIT::emitGetLength):
        (JSC::DFG::SpeculativeJIT::emitGetCallee):
        (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
        (JSC::DFG::SpeculativeJIT::compilePutToArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVarargsForwardingPhase.cpp: Added.
        (JSC::DFG::performVarargsForwarding):
        * dfg/DFGVarargsForwardingPhase.h: Added.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::flushFormat):
        (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldNeverUnbox):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::isCaptured): Deleted.
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
        (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
        * dfg/DFGVariableAccessDataDump.cpp:
        (JSC::DFG::VariableAccessDataDump::dump):
        * dfg/DFGVariableAccessDataDump.h:
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
        * dfg/DFGVariableEventStream.h:
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractField::dump):
        (JSC::FTL::IndexedAbstractHeap::dump):
        (JSC::FTL::NumberedAbstractHeap::dump):
        (JSC::FTL::AbsoluteAbstractHeap::dump):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitArgument.cpp:
        (JSC::FTL::ExitArgument::dump):
        * ftl/FTLExitPropertyValue.cpp:
        (JSC::FTL::ExitPropertyValue::withLocalsOffset):
        * ftl/FTLExitPropertyValue.h:
        * ftl/FTLExitTimeObjectMaterialization.cpp:
        (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
        * ftl/FTLExitTimeObjectMaterialization.h:
        (JSC::FTL::ExitTimeObjectMaterialization::origin):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::withLocalsOffset):
        (JSC::FTL::ExitValue::valueFormat):
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isArgument):
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::valueFormat): Deleted.
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCallForwardVarargs):
        (JSC::FTL::sizeOfConstructForwardVarargs):
        (JSC::FTL::sizeOfICFor):
        * ftl/FTLInlineCacheSize.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSCallVarargs.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStack):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
        (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
        (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
        (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
        (JSC::FTL::LowerDFGToLLVM::baseIndex):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::zeroExtPtr):
        * heap/CopyToken.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::getArgumentUnsafe):
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        (JSC::unwindCallFrame):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        (JSC::StackVisitor::Frame::existingArguments): Deleted.
        * interpreter/StackVisitor.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::storeTrustedValue):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIsEmpty):
        (JSC::AssemblyHelpers::argumentsStart):
        (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
        (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
        (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgument):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::withTwoAvailableRegs):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emit_op_create_direct_arguments):
        (JSC::JIT::emit_op_create_scoped_arguments):
        (JSC::JIT::emit_op_create_out_of_band_arguments):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ScopeNode::captures):
        * runtime/Arguments.cpp: Removed.
        * runtime/Arguments.h: Removed.
        * runtime/ArgumentsMode.h: Added.
        * runtime/DirectArgumentsOffset.cpp: Added.
        (JSC::DirectArgumentsOffset::dump):
        * runtime/DirectArgumentsOffset.h: Added.
        (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstantMode.cpp: Added.
        (WTF::printInternal):
        * runtime/ConstantMode.h:
        (JSC::modeForIsConstant):
        * runtime/DirectArguments.cpp: Added.
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::copyBackingStore):
        (JSC::DirectArguments::createStructure):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::overrideThingsIfNecessary):
        (JSC::DirectArguments::overrideArgument):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::overridesSize):
        * runtime/DirectArguments.h: Added.
        (JSC::DirectArguments::internalLength):
        (JSC::DirectArguments::length):
        (JSC::DirectArguments::canAccessIndexQuickly):
        (JSC::DirectArguments::getIndexQuickly):
        (JSC::DirectArguments::setIndexQuickly):
        (JSC::DirectArguments::callee):
        (JSC::DirectArguments::argument):
        (JSC::DirectArguments::overrodeThings):
        (JSC::DirectArguments::offsetOfCallee):
        (JSC::DirectArguments::offsetOfLength):
        (JSC::DirectArguments::offsetOfMinCapacity):
        (JSC::DirectArguments::offsetOfOverrides):
        (JSC::DirectArguments::storageOffset):
        (JSC::DirectArguments::offsetOfSlot):
        (JSC::DirectArguments::allocationSize):
        (JSC::DirectArguments::storage):
        * runtime/FunctionPrototype.cpp:
        * runtime/GenericArguments.h: Added.
        (JSC::GenericArguments::GenericArguments):
        * runtime/GenericArgumentsInlines.h: Added.
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::putByIndex):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::deletePropertyByIndex):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        (JSC::GenericArguments<Type>::copyToArguments):
        * runtime/GenericOffset.h: Added.
        (JSC::GenericOffset::GenericOffset):
        (JSC::GenericOffset::operator!):
        (JSC::GenericOffset::offsetUnchecked):
        (JSC::GenericOffset::offset):
        (JSC::GenericOffset::operator==):
        (JSC::GenericOffset::operator!=):
        (JSC::GenericOffset::operator<):
        (JSC::GenericOffset::operator>):
        (JSC::GenericOffset::operator<=):
        (JSC::GenericOffset::operator>=):
        (JSC::GenericOffset::operator+):
        (JSC::GenericOffset::operator-):
        (JSC::GenericOffset::operator+=):
        (JSC::GenericOffset::operator-=):
        * runtime/JSArgumentsIterator.cpp:
        (JSC::JSArgumentsIterator::finishCreation):
        (JSC::argumentsFuncIterator):
        * runtime/JSArgumentsIterator.h:
        (JSC::JSArgumentsIterator::create):
        (JSC::JSArgumentsIterator::next):
        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::variables):
        (JSC::JSEnvironmentRecord::isValid):
        (JSC::JSEnvironmentRecord::variableAt):
        (JSC::JSEnvironmentRecord::offsetOfVariables):
        (JSC::JSEnvironmentRecord::offsetOfVariable):
        (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
        (JSC::JSEnvironmentRecord::allocationSize):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        (JSC::JSEnvironmentRecord::finishCreationUninitialized):
        (JSC::JSEnvironmentRecord::finishCreation):
        (JSC::JSEnvironmentRecord::registers): Deleted.
        (JSC::JSEnvironmentRecord::registerAt): Deleted.
        (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
        (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::outOfBandArgumentsStructure):
        (JSC::JSGlobalObject::argumentsStructure): Deleted.
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
        (JSC::JSLexicalEnvironment::visitChildren): Deleted.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::JSLexicalEnvironment::registersOffset): Deleted.
        (JSC::JSLexicalEnvironment::storageOffset): Deleted.
        (JSC::JSLexicalEnvironment::storage): Deleted.
        (JSC::JSLexicalEnvironment::allocationSize): Deleted.
        (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
        (JSC::JSLexicalEnvironment::isValid): Deleted.
        (JSC::JSLexicalEnvironment::registerAt): Deleted.
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren): Deleted.
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::value):
        (JSC::JSNameScope::finishCreation):
        (JSC::JSNameScope::JSNameScope):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::findVariableIndex):
        (JSC::JSSegmentedVariableObject::addVariables):
        (JSC::JSSegmentedVariableObject::visitChildren):
        (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
        (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::variableAt):
        (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
        (JSC::JSSegmentedVariableObject::registerAt): Deleted.
        (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::offsetOfSymbolTable):
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/JSType.h:
        * runtime/Options.h:
        * runtime/ClonedArguments.cpp: Added.
        (JSC::ClonedArguments::ClonedArguments):
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::createStructure):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::getOwnPropertyNames):
        (JSC::ClonedArguments::put):
        (JSC::ClonedArguments::deleteProperty):
        (JSC::ClonedArguments::defineOwnProperty):
        (JSC::ClonedArguments::materializeSpecials):
        (JSC::ClonedArguments::materializeSpecialsIfNecessary):
        * runtime/ClonedArguments.h: Added.
        (JSC::ClonedArguments::specialsMaterialized):
        * runtime/ScopeOffset.cpp: Added.
        (JSC::ScopeOffset::dump):
        * runtime/ScopeOffset.h: Added.
        (JSC::ScopeOffset::ScopeOffset):
        * runtime/ScopedArguments.cpp: Added.
        (JSC::ScopedArguments::ScopedArguments):
        (JSC::ScopedArguments::finishCreation):
        (JSC::ScopedArguments::createUninitialized):
        (JSC::ScopedArguments::create):
        (JSC::ScopedArguments::createByCopying):
        (JSC::ScopedArguments::createByCopyingFrom):
        (JSC::ScopedArguments::visitChildren):
        (JSC::ScopedArguments::createStructure):
        (JSC::ScopedArguments::overrideThings):
        (JSC::ScopedArguments::overrideThingsIfNecessary):
        (JSC::ScopedArguments::overrideArgument):
        (JSC::ScopedArguments::copyToArguments):
        * runtime/ScopedArguments.h: Added.
        (JSC::ScopedArguments::internalLength):
        (JSC::ScopedArguments::length):
        (JSC::ScopedArguments::canAccessIndexQuickly):
        (JSC::ScopedArguments::getIndexQuickly):
        (JSC::ScopedArguments::setIndexQuickly):
        (JSC::ScopedArguments::callee):
        (JSC::ScopedArguments::overrodeThings):
        (JSC::ScopedArguments::offsetOfOverrodeThings):
        (JSC::ScopedArguments::offsetOfTotalLength):
        (JSC::ScopedArguments::offsetOfTable):
        (JSC::ScopedArguments::offsetOfScope):
        (JSC::ScopedArguments::overflowStorageOffset):
        (JSC::ScopedArguments::allocationSize):
        (JSC::ScopedArguments::overflowStorage):
        * runtime/ScopedArgumentsTable.cpp: Added.
        (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
        (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
        (JSC::ScopedArgumentsTable::destroy):
        (JSC::ScopedArgumentsTable::create):
        (JSC::ScopedArgumentsTable::clone):
        (JSC::ScopedArgumentsTable::setLength):
        (JSC::ScopedArgumentsTable::set):
        (JSC::ScopedArgumentsTable::createStructure):
        * runtime/ScopedArgumentsTable.h: Added.
        (JSC::ScopedArgumentsTable::length):
        (JSC::ScopedArgumentsTable::get):
        (JSC::ScopedArgumentsTable::lock):
        (JSC::ScopedArgumentsTable::offsetOfLength):
        (JSC::ScopedArgumentsTable::offsetOfArguments):
        (JSC::ScopedArgumentsTable::at):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTable::localToEntry):
        (JSC::SymbolTable::entryFor):
        (JSC::SymbolTable::cloneScopePart):
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForOffset):
        (JSC::SymbolTable::globalTypeSetForOffset):
        (JSC::SymbolTable::cloneCapturedNames): Deleted.
        (JSC::SymbolTable::uniqueIDForRegister): Deleted.
        (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::varOffsetFromBits):
        (JSC::SymbolTableEntry::scopeOffsetFromBits):
        (JSC::SymbolTableEntry::Fast::varOffset):
        (JSC::SymbolTableEntry::Fast::scopeOffset):
        (JSC::SymbolTableEntry::Fast::isDontEnum):
        (JSC::SymbolTableEntry::Fast::getAttributes):
        (JSC::SymbolTableEntry::SymbolTableEntry):
        (JSC::SymbolTableEntry::varOffset):
        (JSC::SymbolTableEntry::isWatchable):
        (JSC::SymbolTableEntry::scopeOffset):
        (JSC::SymbolTableEntry::setAttributes):
        (JSC::SymbolTableEntry::constantMode):
        (JSC::SymbolTableEntry::isDontEnum):
        (JSC::SymbolTableEntry::disableWatching):
        (JSC::SymbolTableEntry::pack):
        (JSC::SymbolTableEntry::isValidVarOffset):
        (JSC::SymbolTable::createNameScopeTable):
        (JSC::SymbolTable::maxScopeOffset):
        (JSC::SymbolTable::didUseScopeOffset):
        (JSC::SymbolTable::didUseVarOffset):
        (JSC::SymbolTable::scopeSize):
        (JSC::SymbolTable::nextScopeOffset):
        (JSC::SymbolTable::takeNextScopeOffset):
        (JSC::SymbolTable::add):
        (JSC::SymbolTable::set):
        (JSC::SymbolTable::argumentsLength):
        (JSC::SymbolTable::setArgumentsLength):
        (JSC::SymbolTable::argumentOffset):
        (JSC::SymbolTable::setArgumentOffset):
        (JSC::SymbolTable::arguments):
        (JSC::SlowArgument::SlowArgument): Deleted.
        (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
        (JSC::SymbolTableEntry::getIndex): Deleted.
        (JSC::SymbolTableEntry::isValidIndex): Deleted.
        (JSC::SymbolTable::captureStart): Deleted.
        (JSC::SymbolTable::setCaptureStart): Deleted.
        (JSC::SymbolTable::captureEnd): Deleted.
        (JSC::SymbolTable::setCaptureEnd): Deleted.
        (JSC::SymbolTable::captureCount): Deleted.
        (JSC::SymbolTable::isCaptured): Deleted.
        (JSC::SymbolTable::parameterCount): Deleted.
        (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
        (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
        (JSC::SymbolTable::slowArguments): Deleted.
        (JSC::SymbolTable::setSlowArguments): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VarOffset.cpp: Added.
        (JSC::VarOffset::dump):
        (WTF::printInternal):
        * runtime/VarOffset.h: Added.
        (JSC::VarOffset::VarOffset):
        (JSC::VarOffset::assemble):
        (JSC::VarOffset::isValid):
        (JSC::VarOffset::operator!):
        (JSC::VarOffset::kind):
        (JSC::VarOffset::isStack):
        (JSC::VarOffset::isScope):
        (JSC::VarOffset::isDirectArgument):
        (JSC::VarOffset::stackOffsetUnchecked):
        (JSC::VarOffset::scopeOffsetUnchecked):
        (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
        (JSC::VarOffset::stackOffset):
        (JSC::VarOffset::scopeOffset):
        (JSC::VarOffset::capturedArgumentsOffset):
        (JSC::VarOffset::rawOffset):
        (JSC::VarOffset::checkSanity):
        (JSC::VarOffset::operator==):
        (JSC::VarOffset::operator!=):
        (JSC::VarOffset::hash):
        (JSC::VarOffset::isHashTableDeletedValue):
        (JSC::VarOffsetHash::hash):
        (JSC::VarOffsetHash::equal):
        * tests/stress/arguments-exit-strict-mode.js: Added.
        * tests/stress/arguments-exit.js: Added.
        * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
        * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
        * tests/stress/arguments-inlined-exit.js: Added.
        * tests/stress/arguments-interference.js: Added.
        * tests/stress/arguments-interference-cfg.js: Added.
        * tests/stress/dead-get-closure-var.js: Added.
        * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
        * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
        * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
        * tests/stress/varargs-closure-inlined-exit.js: Added.
        * tests/stress/varargs-exit.js: Added.
        * tests/stress/varargs-inlined-exit.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
        * tests/stress/varargs-inlined-simple-exit.js: Added.
        * tests/stress/varargs-too-few-arguments.js: Added.
        * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
        * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
        * tests/stress/varargs-varargs-inlined-exit.js: Added.

2015-03-25  Andy Estes  <aestes@apple.com>

        [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
        https://bugs.webkit.org/show_bug.cgi?id=143068

        Reviewed by Dan Bernstein.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
        https://bugs.webkit.org/show_bug.cgi?id=142993

        Reviewed by Geoffrey Garen and Mark Lam.
        
        This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
        into using JITCompilationCanFail and having a legit fallback path. This mostly involves
        having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
        failure, but also involves adding the same kind of thing to the stub generators in
        Repatch.
        
        Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
        of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
        like host call stub generation, could handle a GC, but those get invoked very rarely. So,
        this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
        printout.
        
        Also add a way of inducing executable allocation failure, so that we can test this.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::link): Deleted.
        (JSC::DFG::JITCompiler::linkFunction): Deleted.
        * dfg/DFGJITCompiler.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLState.h:
        * jit/ArityCheckFailReturnThunks.cpp:
        (JSC::ArityCheckFailReturnThunks::returnPCsFor):
        * jit/ExecutableAllocationFuzz.cpp: Added.
        (JSC::numberOfExecutableAllocationFuzzChecks):
        (JSC::doExecutableAllocationFuzzing):
        * jit/ExecutableAllocationFuzz.h: Added.
        (JSC::doExecutableAllocationFuzzingIfEnabled):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCompilationEffort.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStubAndGetOldStructure):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.h:
        * runtime/VM.cpp:
        * tests/executableAllocationFuzz: Added.
        * tests/executableAllocationFuzz.yaml: Added.
        * tests/executableAllocationFuzz/v8-raytrace.js: Added.

2015-03-25  Mark Lam  <mark.lam@apple.com>

        REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
        <https://webkit.org/b/135719>

        Reviewed by Geoffrey Garen.

        This is a regression introduced in http://trac.webkit.org/changeset/169139 which
        changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
        update the LLINT to access it as such.

        The issue has only manifested so far on the CLoop tests because those are LLINT
        only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
        hiding the bug in the LLINT.

        * API/JSContextRef.cpp:
        (createWatchdogIfNeeded):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * llint/LowLevelInterpreter.asm:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.

        Rubber stamped by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>

        Fix formatting in BuiltinExecutables
        https://bugs.webkit.org/show_bug.cgi?id=143061

        Reviewed by Ryosuke Niwa.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):

2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Classes: Program level class statement throws exception in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=143038

        Reviewed by Ryosuke Niwa.

        Classes expose a name to the current lexical environment. This treats
        "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
        Also, improve error messages for class statements where the class is missing a name.

        * parser/Parser.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        Fill name in info parameter if needed. Better error message if name is needed and missing.

        (JSC::Parser<LexerType>::parseClassDeclaration):
        Pass info parameter to get name, and expose the name as a variable name.

        (JSC::Parser<LexerType>::parsePrimaryExpression):
        Pass info parameter that is ignored.

        * parser/ParserFunctionInfo.h:
        Add a parser info for class, to extract the name.

2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        New map and set modification tests in r181922 fails
        https://bugs.webkit.org/show_bug.cgi?id=143031

        Reviewed and tweaked by Geoffrey Garen.

        When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
        to adjust for the packed backing store.

        Consider the following map data.

        x: deleted, o: exists
        0 1 2 3 4
        x x x x o

        And iterator with m_index 3.

        When packing the map data, map data will become,

        0
        o

        At that time, we perfom didRemoveEntry 4 times on iterators.
        times => m_index/index/result
        1 => 3/0/dec
        2 => 2/1/dec
        3 => 1/2/nothing
        4 => 1/3/nothing

        After iteration, iterator's m_index becomes 1. But we expected that becomes 0.
        This is because if we use decremented m_index for comparison,
        while provided deletedIndex is the index in old storage, m_index is the index in partially packed storage.

        In this patch, we compare against the packed index instead.
        times => m_index/packedIndex/result
        1 => 3/0/dec
        2 => 2/0/dec
        3 => 1/0/dec
        4 => 0/0/nothing

        So m_index becomes 0 as expected.

        And according to the spec, once the iterator is closed (becomes done: true),
        its internal [[Map]]/[[Set]] is set to undefined.
        So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).

        In this patch, we change 2 things.
        1.
        Compare an iterator's index against the packed index when removing an entry.

        2.
        If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.

        * runtime/MapData.h:
        (JSC::MapDataImpl::IteratorData::finish):
        (JSC::MapDataImpl::IteratorData::isFinished):
        (JSC::MapDataImpl::IteratorData::didRemoveEntry):
        (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
        (JSC::MapDataImpl::IteratorData::startPackBackingStore):
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::replaceAndPackBackingStore):
        * tests/stress/modify-map-during-iteration.js:
        * tests/stress/modify-set-during-iteration.js:

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        Setter should have a single formal parameter, Getter no parameters
        https://bugs.webkit.org/show_bug.cgi?id=142903

        Reviewed by Geoffrey Garen.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        Enforce no parameters for getters and a single parameter
        for setters, with informational error messages.

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
        https://bugs.webkit.org/show_bug.cgi?id=143012

        Reviewed by Ryosuke Niwa.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn):
        Fix handling of "undefined" when returned from a Derived class. It was
        returning "undefined" when it should have returned "this".

2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
        https://bugs.webkit.org/show_bug.cgi?id=142696

        Reviewed and tweaked by Geoffrey Garen.

        Before r142556, JSSetIterator::destroy was not defined.
        So accidentally MapData::const_iterator in JSSet was never destroyed.
        But it had non trivial destructor, decrementing MapData->m_iteratorCount.

        After r142556, JSSetIterator::destroy works.
        It correctly destruct MapData::const_iterator and m_iteratorCount partially works.
        But JSSetIterator::~JSSetIterator requires owned JSSet since it mutates MapData->m_iteratorCount.

        It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
        and marks it in visitChildren (WriteBarrier<Unknown>).
        However, the order of destructions is not guaranteed in GC-ed system.

        Consider the following case,
        allocate JSSet and subsequently allocate JSSetIterator.
        And they resides in the separated MarkedBlock, <1> and <2>.

        JSSet<1> <- JSSetIterator<2>

        And after that, when performing GC, Marker decides that the above 2 objects are not marked.
        And Marker also decides MarkedBlocks <1> and <2> can be sweeped.

        First Sweeper sweep <1>, destruct JSSet<1> and free MarkedBlock<1>.
        Second Sweeper sweep <2>, attempt to destruct JSSetIterator<2>.
        However, JSSetIterator<2>'s destructor,
        JSSetIterator::~JSSetIterator requires live JSSet<1>, it causes use-after-free.

        In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
        When packing the removed elements in JSSet/JSMap, we apply the change to all live
        iterators tracked by WeakGCMap.

        WeakGCMap can only track JSCell since they are managed by GC.
        So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
        introduces JS style iterator signatures into C++ class IteratorData.
        If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
        IteratorData directly.

        * runtime/JSMap.cpp:
        (JSC::JSMap::destroy):
        * runtime/JSMap.h:
        (JSC::JSMap::JSMap):
        (JSC::JSMap::begin): Deleted.
        (JSC::JSMap::end): Deleted.
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::destroy):
        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::next):
        (JSC::JSMapIterator::nextKeyValue):
        (JSC::JSMapIterator::iteratorData):
        (JSC::JSMapIterator::JSMapIterator):
        * runtime/JSSet.cpp:
        (JSC::JSSet::destroy):
        * runtime/JSSet.h:
        (JSC::JSSet::JSSet):
        (JSC::JSSet::begin): Deleted.
        (JSC::JSSet::end): Deleted.
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::destroy):
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::next):
        (JSC::JSSetIterator::iteratorData):
        (JSC::JSSetIterator::JSSetIterator):
        * runtime/MapData.h:
        (JSC::MapDataImpl::IteratorData::finish):
        (JSC::MapDataImpl::IteratorData::isFinished):
        (JSC::MapDataImpl::shouldPack):
        (JSC::JSIterator>::MapDataImpl):
        (JSC::JSIterator>::KeyType::KeyType):
        (JSC::JSIterator>::IteratorData::IteratorData):
        (JSC::JSIterator>::IteratorData::next):
        (JSC::JSIterator>::IteratorData::ensureSlot):
        (JSC::JSIterator>::IteratorData::applyMapDataPatch):
        (JSC::JSIterator>::IteratorData::refreshCursor):
        (JSC::MapDataImpl::const_iterator::key): Deleted.
        (JSC::MapDataImpl::const_iterator::value): Deleted.
        (JSC::MapDataImpl::const_iterator::operator++): Deleted.
        (JSC::MapDataImpl::const_iterator::finish): Deleted.
        (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
        (JSC::MapDataImpl::begin): Deleted.
        (JSC::MapDataImpl::end): Deleted.
        (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
        (JSC::MapDataImpl<Entry>::clear): Deleted.
        (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
        (JSC::=): Deleted.
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::clear):
        (JSC::JSIterator>::find):
        (JSC::JSIterator>::contains):
        (JSC::JSIterator>::add):
        (JSC::JSIterator>::set):
        (JSC::JSIterator>::get):
        (JSC::JSIterator>::remove):
        (JSC::JSIterator>::replaceAndPackBackingStore):
        (JSC::JSIterator>::replaceBackingStore):
        (JSC::JSIterator>::ensureSpaceForAppend):
        (JSC::JSIterator>::visitChildren):
        (JSC::JSIterator>::copyBackingStore):
        (JSC::JSIterator>::applyMapDataPatch):
        (JSC::MapDataImpl<Entry>::find): Deleted.
        (JSC::MapDataImpl<Entry>::contains): Deleted.
        (JSC::MapDataImpl<Entry>::add): Deleted.
        (JSC::MapDataImpl<Entry>::set): Deleted.
        (JSC::MapDataImpl<Entry>::get): Deleted.
        (JSC::MapDataImpl<Entry>::remove): Deleted.
        (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
        (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
        (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
        (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
        (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
        * runtime/MapPrototype.cpp:
        (JSC::mapProtoFuncForEach):
        * runtime/SetPrototype.cpp:
        (JSC::setProtoFuncForEach):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::forEach):
        * tests/stress/modify-map-during-iteration.js: Added.
        (testValue):
        (identityPairs):
        (.set if):
        (var):
        (set map):
        * tests/stress/modify-set-during-iteration.js: Added.
        (testValue):
        (set forEach):
        (set delete):

2015-03-24  Mark Lam  <mark.lam@apple.com>

        The ExecutionTimeLimit test should use its own JSGlobalContextRef.
        <https://webkit.org/b/143024>

        Reviewed by Geoffrey Garen.

        Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
        passed in from testapi.c.  It should create its own for better
        encapsulation of the test.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (currentCPUTimeAsJSFunctionCallback):
        (testExecutionTimeLimit):
        * API/tests/ExecutionTimeLimitTest.h:
        * API/tests/testapi.c:
        (main):

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Object Literal Methods toString is missing method name
        https://bugs.webkit.org/show_bug.cgi?id=142992

        Reviewed by Geoffrey Garen.

        Always stringify functions in the pattern:

          "function " + <function name> + <text from opening parenthesis to closing brace>.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        Update the path that was not stringifying in this pattern.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
        * parser/Nodes.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::parametersStartOffset):
        Pass the already known function parameter opening parenthesis
        start offset through to the FunctionExecutable. 

        * tests/mozilla/js1_5/Scope/regress-185485.js:
        (with.g):
        Add back original space in this test that was removed by r181810
        now that we have the space again in stringification.

2015-03-24  Michael Saboff  <msaboff@apple.com>

        REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
        https://bugs.webkit.org/show_bug.cgi?id=142856

        Reviewed by Filip Pizlo.

        Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
        get info for three loops to iterate over indexed properties, structure properties and other properties,
        respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
        for all loops before we exectue any enumeration.

        The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
        The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
        and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex);

        Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
        op_next_enumerator_pname.
        Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
        The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
        end value we stop iterating on.

        Made corresponding node changes to the DFG and FTL for the bytecode changes.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
        (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
        (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
        (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
        (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
        (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
        (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enumerator_structure_pname):
        (JSC::JIT::emit_op_enumerator_generic_pname):
        (JSC::JIT::emit_op_get_property_enumerator):
        (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
        (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
        (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enumerator_structure_pname):
        (JSC::JIT::emit_op_enumerator_generic_pname):
        (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        (JSC::JSPropertyNameEnumerator::finishCreation):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::JSPropertyNameEnumerator::indexedLength):
        (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
        (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
        (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
        (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
        (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
        (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
        (JSC::propertyNameEnumerator):
        (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
        (JSC::structurePropertyNameEnumerator): Deleted.
        (JSC::genericPropertyNameEnumerator): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::setCachedPropertyNameEnumerator):
        (JSC::Structure::cachedPropertyNameEnumerator):
        (JSC::Structure::canCachePropertyNameEnumerator):
        (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
        (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
        (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
        (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
        (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
        (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
        * runtime/Structure.h:
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        (JSC::StructureRareData::cachedPropertyNameEnumerator):
        (JSC::StructureRareData::setCachedPropertyNameEnumerator):
        (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
        (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
        (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
        (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
        * runtime/StructureRareData.h:
        * tests/stress/for-in-delete-during-iteration.js:

2015-03-24  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for debug builds.

        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):

2015-03-24  Saam Barati  <saambarati1@gmail.com>

        Improve error messages in JSC
        https://bugs.webkit.org/show_bug.cgi?id=141869

        Reviewed by Geoffrey Garen.

        JavaScriptCore has some unintuitive error messages associated
        with certain common errors. This patch changes some specific
        error messages to be more understandable and also creates a
        mechanism that will allow for easy modification of error messages
        in the future. The specific errors we change are not a function
        errors and invalid parameter errors.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        * jit/JITOperations.cpp:
        op_throw_static_error always has a JSString as its argument.
        There is no need to dance around this, and we should assert
        that this always holds. This JSString represents the error 
        message we want to display to the user, so there is no need
        to pass it into errorDescriptionForValue which will now place
        quotes around the string.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::hasSourceAppender):
        (JSC::ErrorInstance::sourceAppender):
        (JSC::ErrorInstance::setSourceAppender):
        (JSC::ErrorInstance::clearSourceAppender):
        (JSC::ErrorInstance::setRuntimeTypeForCause):
        (JSC::ErrorInstance::runtimeTypeForCause):
        (JSC::ErrorInstance::clearRuntimeTypeForCause):
        (JSC::ErrorInstance::appendSourceToMessage): Deleted.
        (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
        (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):
        (JSC::defaultApproximateSourceError):
        (JSC::defaultSourceAppender):
        (JSC::functionCallBase):
        (JSC::notAFunctionSourceAppender):
        (JSC::invalidParameterInSourceAppender):
        (JSC::invalidParameterInstanceofSourceAppender):
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        (JSC::createInvalidInParameterError):
        (JSC::createInvalidInstanceofParameterError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        (JSC::createInvalidParameterError): Deleted.
        * runtime/ExceptionHelpers.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):
        * runtime/RuntimeType.cpp: Added.
        (JSC::runtimeTypeForValue):
        (JSC::runtimeTypeAsString):
        * runtime/RuntimeType.h: Added.
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
        * runtime/TypeSet.h:
        * runtime/VM.cpp:
        (JSC::appendSourceToError):
        (JSC::VM::throwException):

2015-03-23  Filip Pizlo  <fpizlo@apple.com>

        JSC should have a low-cost asynchronous disassembler
        https://bugs.webkit.org/show_bug.cgi?id=142997

        Reviewed by Mark Lam.
        
        This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
        doesn't block execution. Some code will live a little longer because of this, since the
        work tasks hold a ref to the code, but other than that there is basically no overhead.
        
        At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
        provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
        the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
        JSC_asyncDisassembly has bizarre behavior - so just choose one.
        
        A simple way of understanding how great this is, is to run a small benchmark like
        V8Spider/earley-boyer.
        
        Performance without any disassembly flags: 60ms
        Performance with JSC_showDisassembly=true: 477ms
        Performance with JSC_asyncDisassembly=true: 65ms
        
        So, the overhead of disassembly goes from 8x to 8%.
        
        Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
        measuring benchmark performance. This is because at VM exit, we wait for all async
        disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
        after the benchmark completely finishes to finish the disassemblies. This small weirdness
        should be OK for the intended use-cases, since all you have to do to get around it is to
        measure the execution time of the benchmark payload rather than the end-to-end time of
        launching the VM.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::wasAlreadyDisassembled):
        (JSC::LinkBuffer::didAlreadyDisassemble):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * disassembler/Disassembler.cpp:
        (JSC::disassembleAsynchronously):
        (JSC::waitForAsynchronousDisassembly):
        * disassembler/Disassembler.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jsc.cpp:
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::~VM):

2015-03-23  Dean Jackson  <dino@apple.com>

        ES7: Implement Array.prototype.includes
        https://bugs.webkit.org/show_bug.cgi?id=142707

        Reviewed by Geoffrey Garen.

        Add support for the ES7 includes method on Arrays.
        https://github.com/tc39/Array.prototype.includes

        * builtins/Array.prototype.js:
        (includes): Implementation in JS.
        * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.

2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>

        __defineGetter__/__defineSetter__ should throw exceptions
        https://bugs.webkit.org/show_bug.cgi?id=142934

        Reviewed by Geoffrey Garen.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        Throw exceptions when these functions are used directly.

2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>

        Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
        https://bugs.webkit.org/show_bug.cgi?id=142952

        Reviewed by Geoffrey Garen.

        * runtime/Structure.cpp:
        (JSC::PropertyTable::checkConsistency):
        The check offset method doesn't exist in PropertyTable, it exists in Structure.

        (JSC::Structure::checkConsistency):
        So move it here, and always put it at the start to match normal behavior.

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
        https://bugs.webkit.org/show_bug.cgi?id=142956

        Rubber stamped by Gyuyoung Kim.
        
        Just removing dead code.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGValueRecoveryOverride.h: Removed.

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
        https://bugs.webkit.org/show_bug.cgi?id=142948

        Reviewed by Sam Weinig.
        
        It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
        since a signal may clobber the area below the stack pointer. When the DFG is executing,
        the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
        baseline, we will use a different amount of stack. This is because baseline is a different
        compiler. It will make different decisions. So it will use a different amount of stack.
        
        This gets tricky when we are in the process of doing an OSR exit, because we are sort of
        incrementally transforming the stack from how it looked in the DFG to how it will look in
        baseline. The most conservative approach would be to set the stack pointer to the max of
        DFG and baseline.
        
        When this code was written, a reckless assumption was made: that the stack usage in
        baseline is always at least as large as the stack usage in DFG. Based on this incorrect
        assumption, the code first adjusts the stack pointer to account for the baseline stack
        usage. This sort of usually works, because usually baseline does happen to use more stack.
        But that's not an invariant. Nobody guarantees this. We will never make any changes that
        would make this be guaranteed, because that would be antithetical to how optimizing
        compilers work. The DFG should be allowed to use however much stack it decides that it
        should use in order to get good performance, and it shouldn't try to guarantee that it
        always uses less stack than baseline.
        
        As such, we must always assume that the frame size for DFG execution (i.e.
        frameRegisterCount) and the frame size in baseline once we exit (i.e.
        requiredRegisterCountForExit) are two independent quantities and they have no
        relationship.
        
        Fortunately, though, this code can be made correct by just moving the stack adjustment to
        just before we do conversions. This is because we have since changed the OSR exit
        algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
        drop it out of the scratch buffer and into the stack according to the baseline layout. The
        point just before conversions is the point where we have finished reading the DFG frame
        and will not read it anymore, and we haven't started writing the baseline frame. So, at
        this point it is safe to set the stack pointer to account for the frame size at exit.
        
        This is benign because baseline happens to create larger frames than DFG.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        Shorten the number of iterations to 10,000 since that's enough to test all tiers.

        Rubber stamped by Sam Weinig.

        * tests/stress/equals-masquerader.js:

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        tests/stress/*tdz* tests do 10x more iterations than necessary
        https://bugs.webkit.org/show_bug.cgi?id=142946

        Reviewed by Ryosuke Niwa.
        
        The stress test harness runs all of these tests in various configurations. This includes
        no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
        enough to get to the highest tier. The only exceptions are very large functions or
        functions that have some reoptimizations. That happens rarely, and when it does happen,
        usually 20,000 iterations is enough.
        
        Therefore, these tests use 10x too many iterations. This is bad, since these tests
        allocate on each iteration, and so they run very slowly in debug mode.

        * tests/stress/class-syntax-no-loop-tdz.js:
        * tests/stress/class-syntax-no-tdz-in-catch.js:
        * tests/stress/class-syntax-no-tdz-in-conditional.js:
        * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
        * tests/stress/class-syntax-no-tdz-in-loop.js:
        * tests/stress/class-syntax-no-tdz.js:
        * tests/stress/class-syntax-tdz-in-catch.js:
        * tests/stress/class-syntax-tdz-in-conditional.js:
        * tests/stress/class-syntax-tdz-in-loop.js:
        * tests/stress/class-syntax-tdz.js:

2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>

        Fix a typo in Parser error message
        https://bugs.webkit.org/show_bug.cgi?id=142942

        Reviewed by Alexey Proskuryakov.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_resolve_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_resolve_scope):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        Fix a common identifier typo.

2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>

        Computed Property names should allow only AssignmentExpressions not any Expression
        https://bugs.webkit.org/show_bug.cgi?id=142902

        Reviewed by Ryosuke Niwa.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        Limit computed expressions to just assignment expressions instead of
        any expression (which allowed comma expressions).

2015-03-21  Andreas Kling  <akling@apple.com>

        Make UnlinkedFunctionExecutable fit in a 128-byte cell.
        <https://webkit.org/b/142939>

        Reviewed by Mark Hahnenberg.

        Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
        a 128-byte heap cell instead of requiring a 256-byte one.

        Threw in a static_assert to catch anyone pushing it over the limit again.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::functionMode):

2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>

        GCTimer should know keep track of nested GC phases
        https://bugs.webkit.org/show_bug.cgi?id=142675

        Reviewed by Darin Adler.

        This improves the GC phase timing output in Heap.cpp by linking
        phases nested inside other phases together, allowing tools
        to compute how much time we're spending in various nested phases.

        * heap/Heap.cpp:

2015-03-20  Geoffrey Garen  <ggaren@apple.com>

        FunctionBodyNode should known where its parameters started
        https://bugs.webkit.org/show_bug.cgi?id=142926

        Reviewed by Ryosuke Niwa.

        This will allow us to re-parse parameters instead of keeping the
        parameters piece of the AST around forever.

        I also took the opportunity to initialize most FunctionBodyNode data
        members at construction time, to help clarify that they are set right.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr): No need to pass
        functionKeywordStart here; we now provide it at FunctionBodyNode
        creation time.

        (JSC::ASTBuilder::createFunctionBody): Require everything we need at
        construction time, including the start of our parameters.

        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
        functionKeywordStart here; we now provide it at FunctionBodyNode
        creation time.

        (JSC::ASTBuilder::setFunctionNameStart): Deleted.

        * parser/Nodes.cpp:
        (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
        construction time.

        * parser/Nodes.h: Added a field for the location of our parameters.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h: Refactored to match above interface changes.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionExpr):
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
        above interface changes.

        (JSC::SyntaxChecker::setFunctionNameStart): Deleted.

2015-03-20  Filip Pizlo  <fpizlo@apple.com>

        Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
        https://bugs.webkit.org/show_bug.cgi?id=142920

        Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
        
        Observably effectful, n.: If we reexecute the bytecode instruction after this node has
        executed, then something other than the bytecode instruction's specified outcome will
        happen.

        We almost never had observably effectful nodes except at the end of the bytecode
        instruction.  The exception is a lowered transitioning PutById:

        PutStructure(@o, S1 -> S2)
        PutByOffset(@o, @o, @v)

        The PutStructure is observably effectful: if you try to reexecute the bytecode after
        doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
        first checking what the old structure of the object is; but if we reexecute, the old
        structure will seem to be the new structure.  But the property ensured by the new
        structure hasn't been stored yet, so any attempt to load it or scan it will crash.

        Intriguingly, however, none of the other operations involved in the PutById are
        observably effectful.  Consider this example:

        PutByOffset(@o, @o, @v)
        PutStructure(@o, S1 -> S2)

        Note that the PutStructure node doesn't reallocate property storage; see further below
        for an example that does that. Because no property storage is happening, we know that we
        already had room for the new property.  This means that the PutByOffset is no observable
        until the PutStructure executes and "reveals" the property.  Hence, PutByOffset is not
        observably effectful.

        Now consider this:

        b: AllocatePropertyStorage(@o)
        PutByOffset(@b, @o, @v)
        PutStructure(@o, S1 -> S2)

        Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
        effectful. It *does* reallocate the property storage and the new property storage pointer
        is stored into the object. But until the PutStructure occurs, the world will just think
        that the reallocation didn't happen, in the sense that we'll think that the property
        storage is using less memory than what we just allocated. That's harmless.

        The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
        AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
        everything could be expected to be fine, so long as all of @o, @v and @b are on the
        stack. If they are all on the stack, then the GC will leave the property storage alone
        (so the extra memory we just allocated would be safe). The GC will not scan the part of
        the property storage that contains @v, but that's fine, so long as @v is on the stack.
        
        The better long-term solution is probably bug 142921.
        
        But for now, this:
        
        - Fixes an object materialization bug, exemplified by the two tests, that previously
          crashed 100% of the time with FTL enabled and concurrent JIT disabled.
        
        - Allows us to remove the workaround introduced in r174856.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::insertCheck):
        (JSC::DFG::FixupPhase::indexOfNode): Deleted.
        (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
        (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
        * tests/stress/materialize-past-butterfly-allocation.js: Added.
        (bar):
        (foo0):
        (foo1):
        (foo2):
        (foo3):
        (foo4):
        * tests/stress/materialize-past-put-structure.js: Added.
        (foo):

2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
        https://bugs.webkit.org/show_bug.cgi?id=142410

        Reviewed by Geoffrey Garen.

        Before this patch, added function JSValue::toPropertyKey returns PropertyName.
        Since PropertyName doesn't have AtomicStringImpl ownership,
        if Identifier is implicitly converted to PropertyName and Identifier is destructed,
        PropertyName may refer freed AtomicStringImpl*.

        This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
        to keep AtomicStringImpl* ownership after the toPropertyName call is done.
        And receive the result value as Identifier type to keep ownership in the caller side.

        To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.

        However, now we don't need to have both Identifier and PropertyName.
        So we'll merge PropertyName to Identifier in the subsequent patch.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncPropertyIsEnumerable):

2015-03-18  Geoffrey Garen  <ggaren@apple.com>

        Function.prototype.toString should not decompile the AST
        https://bugs.webkit.org/show_bug.cgi?id=142853

        Reviewed by Sam Weinig.

        To recover the function parameter string, Function.prototype.toString
        decompiles the function parameters from the AST. This is bad for a few
        reasons:

        (1) It requires us to keep pieces of the AST live forever. This is an
        awkward design and a waste of memory.

        (2) It doesn't match Firefox or Chrome (because it changes whitespace
        and ES6 destructuring expressions).

        (3) It doesn't scale to ES6 default argument parameters, which require
        arbitrarily complex decompilation.

        (4) It can counterfeit all the line numbers in a function (because
        whitespace can include newlines).

        (5) It's expensive, and we've seen cases where websites invoke
        Function.prototype.toString a lot by accident.

        The fix is to do what we do for the rest of the function: Just quote the
        original source text.

        Since this change inevitably changes some function stringification, I
        took the opportunity to make our stringification match Firefox's and
        Chrome's.

        * API/tests/testapi.c:
        (assertEqualsAsUTF8String): Be more informative when this fails.

        (main): Updated to match new stringification rules.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
        * bytecode/UnlinkedCodeBlock.h:

        * parser/Nodes.h:
        (JSC::StatementNode::isFuncDeclNode): New helper for constructing
        anonymous functions.

        * parser/SourceCode.h:
        (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use
        of function declaration over function expression.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::paramString): Deleted. Yay!
        * runtime/Executable.h:
        (JSC::FunctionExecutable::parameterCount):

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after
        the opening brace to match Firefox and Chrome, and a space after the comma
        to match Firefox and WebKit coding style. Added the function name to
        the text of the function so it would look right when stringify-ing. Switched
        from parentheses to braces to produce a function declaration instead of
        a function expression because we are required to exclude the function's
        name from its scope, and that's what a function declaration does.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString): Removed an old workaround because the
        library it worked around doesn't really exist anymore, and the behavior
        doesn't match Firefox or Chrome. Use type profiling offsets instead of
        function body offsets because we want to include the function name and
        the parameter string, rather than stitching them in manually by
        decompiling the AST.

        (JSC::insertSemicolonIfNeeded): Deleted.

        * tests/mozilla/js1_2/function/tostring-1.js:
        * tests/mozilla/js1_5/Scope/regress-185485.js:
        (with.g): Updated these test results for formatting changes.

2015-03-20  Joseph Pecoraro  <pecoraro@apple.com>

        SyntaxChecker assertion is trapped with computed property name and getter
        https://bugs.webkit.org/show_bug.cgi?id=142863

        Reviewed by Ryosuke Niwa.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::getName):
        Remove invalid assert. Computed properties will not have a name
        and the calling code is checking for null expecting it. The
        AST path (non-CheckingPath) already does this without the assert
        so it is well tested.

2015-03-19  Mark Lam  <mark.lam@apple.com>

        JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
        <https://webkit.org/b/142846>

        Reviewed by Geoffrey Garen.

        Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
        1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
           that a JSCallbackObject references.
        2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
           vm.heap.addFinalizer() which destroys the JSCallbackObject.

        The first finalizer is implemented as a virtual function of a JSCallbackObjectData
        instance that will be destructed if the 2nd finalizer is called.  Hence, if the
        2nd finalizer if called first, the later invocation of the 1st finalizer will
        result in a crash.

        This patch fixes the issue by eliminating the finalizer registration in init().
        Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
        if needed.  This ensures that these finalizers are called before the JSCallbackObject
        is destructor.

        Also added assertions to a few Heap functions because JSCell::classInfo() expects
        all objects that are allocated from MarkedBlock::Normal blocks to be derived from
        JSDestructibleObject.  These assertions will help us catch violations of this
        expectation earlier.

        * API/JSCallbackObject.cpp:
        (JSC::JSCallbackObjectData::finalize): Deleted.
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::~JSCallbackObjectData):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
        (JSC::JSCallbackObject<Parent>::init):
        * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
        (finalize):
        (testGlobalContextWithFinalizer):
        * API/tests/GlobalContextWithFinalizerTest.h: Added.
        * API/tests/testapi.c:
        (main):
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/HeapInlines.h:
        (JSC::Heap::allocateObjectOfType):
        (JSC::Heap::subspaceForObjectOfType):
        (JSC::Heap::allocatorForObjectOfType):

2015-03-19  Andreas Kling  <akling@apple.com>

        JSCallee unnecessarily overrides a bunch of things in the method table.
        <https://webkit.org/b/142855>

        Reviewed by Geoffrey Garen.

        Remove JSCallee method table overrides that simply call to base class.
        This makes JSFunction property slot lookups slightly more efficient since
        they can take the fast path when passing over JSCallee in the base class chain.

        * runtime/JSCallee.cpp:
        (JSC::JSCallee::getOwnPropertySlot): Deleted.
        (JSC::JSCallee::getOwnNonIndexPropertyNames): Deleted.
        (JSC::JSCallee::put): Deleted.
        (JSC::JSCallee::deleteProperty): Deleted.
        (JSC::JSCallee::defineOwnProperty): Deleted.
        * runtime/JSCallee.h:

2015-03-19  Andreas Kling  <akling@apple.com>

        DFGAllocator should use bmalloc's aligned allocator.
        <https://webkit.org/b/142871>

        Reviewed by Geoffrey Garen.

        Switch DFGAllocator to using bmalloc through fastAlignedMalloc().

        * dfg/DFGAllocator.h:
        (JSC::DFG::Allocator<T>::allocateSlow):
        (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
        * heap/CopiedSpace.h:
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.h:

2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>

        ES6 Classes: Extends should accept an expression without parenthesis
        https://bugs.webkit.org/show_bug.cgi?id=142840

        Reviewed by Ryosuke Niwa.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        "extends" allows a LeftHandExpression (new expression / call expression,
        which includes a member expression), not a primary expression. Our
        parseMemberExpression does all of these.

2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Debugger Popovers and Probes should use FormattedValue/ObjectTreeView instead of Custom/ObjectPropertiesSection
        https://bugs.webkit.org/show_bug.cgi?id=142830

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        Give Probe Samples object previews.

2015-03-17  Ryuan Choi  <ryuan.choi@navercorp.com>

        [EFL] Expose JavaScript binding interface through ewk_extension
        https://bugs.webkit.org/show_bug.cgi?id=142033

        Reviewed by Gyuyoung Kim.

        * PlatformEfl.cmake: Install Javascript APIs.

2015-03-17  Geoffrey Garen  <ggaren@apple.com>

        Function bodies should always include braces
        https://bugs.webkit.org/show_bug.cgi?id=142795

        Reviewed by Michael Saboff.

        Having a mode for excluding the opening and closing braces from a function
        body was unnecessary and confusing.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock): Adopt the new one true linking function.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor): No need to pass through
        a boolean: there is only one kind of function now.

        (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Deleted.
        (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Deleted. Let's only
        have one way to do things. This removes the old mode that would pretend
        that a function always started at column 1. That pretense was not true:
        an attribute event listener does not necessarily start at column 1.

        * bytecode/UnlinkedCodeBlock.h:
        * generate-js-builtins: Adopt the new one true linking function.

        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse): needsReparsingAdjustment is always true now, so I removed it.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::bodyIncludesBraces): Deleted. Removed unused stuff.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck): Always provide a
        leading space because that's what this function's comment says is required
        for web compatibility. We used to fake this up after the fact when
        stringifying, based on the bodyIncludesBraces flag, but that flag is gone now.

        * runtime/FunctionPrototype.cpp:
        (JSC::insertSemicolonIfNeeded):
        (JSC::functionProtoFuncToString): No need to add braces and/or a space
        after the fact -- we always have them now.

2015-03-17  Mark Lam  <mark.lam@apple.com>

        Refactor execution time limit tests out of testapi.c.
        <https://webkit.org/b/142798>

        Rubber stamped by Michael Saboff.

        These tests were sometimes failing to time out on C loop builds.  Let's
        refactor them out of the big monolith that is testapi.c so that we can
        reason more easily about them and make adjustments if needed.

        * API/tests/ExecutionTimeLimitTest.cpp: Added.
        (currentCPUTime):
        (currentCPUTimeAsJSFunctionCallback):
        (shouldTerminateCallback):
        (cancelTerminateCallback):
        (extendTerminateCallback):
        (testExecutionTimeLimit):
        * API/tests/ExecutionTimeLimitTest.h: Added.
        * API/tests/testapi.c:
        (main):
        (currentCPUTime): Deleted.
        (currentCPUTime_callAsFunction): Deleted.
        (shouldTerminateCallback): Deleted.
        (cancelTerminateCallback): Deleted.
        (extendTerminateCallback): Deleted.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2015-03-17  Geoffrey Garen  <ggaren@apple.com>

        Built-in functions should know that they use strict mode
        https://bugs.webkit.org/show_bug.cgi?id=142788

        Reviewed by Mark Lam.

        Even though all of our builtin functions use strict mode, the parser
        thinks that they don't. This is because Executable::toStrictness treats
        builtin-ness and strict-ness as mutually exclusive.

        The fix is to disambiguate builtin-ness from strict-ness.

        This bug is currently unobservable because of some other parser bugs. But
        it causes lots of test failures once those other bugs are fixed.

        * API/JSScriptRef.cpp:
        (parseScript):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable): Adopt the new API
        for a separate value to indicate builtin-ness vs strict-ness.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor): Ditto.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::toStrictness): Deleted. This function
        was misleading since it pretended that no builtin function was ever
        strict, which is the opposite of true.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        * parser/Parser.h:
        (JSC::parse): Adopt the new API.

        * parser/ParserModes.h: Added JSParserBuiltinMode, and tried to give
        existing modes clearer names.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Adopt the new API.

        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey): Be sure to treat strict-ness and
        bulitin-ness as separate pieces of the code cache key. We would not want
        a user function to match a built-in function in the cache, even if they
        agreed about strictness, since builtin functions have different lexing
        rules.

        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::create):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock): Adopt the new API.

2015-03-16  Filip Pizlo  <fpizlo@apple.com>

        DFG IR shouldn't have a separate node for every kind of put hint that could be described using PromotedLocationDescriptor
        https://bugs.webkit.org/show_bug.cgi?id=142769

        Reviewed by Michael Saboff.
        
        When we sink an object allocation, we need to have some way of tracking what stores would
        have happened had the allocation not been sunk, so that we know how to rematerialize the
        object on OSR exit. Prior to this change, trunk had two ways of describing such a "put