Array.concat should be fast for integer or double arrays
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-07-06  Ryosuke Niwa  <rniwa@webkit.org>

        Array.concat should be fast for integer or double arrays
        https://bugs.webkit.org/show_bug.cgi?id=146260

        Reviewed by Darin Adler.

        Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
        arrays, simply memcopy the arrays into a new uninitialized buffer.

        This improves Huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
        * runtime/JSArray.cpp:
        (JSC::JSArray::fastConcatWith): Added.
        * runtime/JSArray.h:
        (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
        the fast path. Returns NonArray otherwise.

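        The entry above describes a fast path that is only safe when both operands have a dense
        indexing type and the combined length fits before the raw copy. The following is an added
        illustrative model of that decision, not JSC's fastConcatType/fastConcatWith: element slots
        are modelled as opaque 64-bit words, the rule that both inputs must share one indexing type
        is an assumption of this example (a conservative reading of "two Int32, Double, or Contiguous
        arrays"), and the explicit length-overflow guard before allocation is added here as the check
        a reviewer would want around any memcpy into a freshly sized buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <limits>
#include <optional>
#include <vector>

// Illustrative model of an Array.prototype.concat fast path (not JSC's code).
// Slots are opaque 64-bit words so that a raw memcpy between two arrays of the
// same indexing type is a meaningful operation.
enum class IndexingType { NonArray, Int32, Double, Contiguous };

struct ModelArray {
    IndexingType type;
    std::vector<uint64_t> slots; // encoded element storage
};

// Assumption of this example: the fast path applies only when both inputs share
// one of the three dense indexing types; any other combination falls back to
// the generic (spec-following) path, signalled by NonArray.
IndexingType fastConcatType(const ModelArray& a, const ModelArray& b) {
    if (a.type != b.type)
        return IndexingType::NonArray;
    switch (a.type) {
    case IndexingType::Int32:
    case IndexingType::Double:
    case IndexingType::Contiguous:
        return a.type;
    default:
        return IndexingType::NonArray;
    }
}

// Returns the concatenated array, or nullopt when the fast path does not apply.
std::optional<ModelArray> fastConcatWith(const ModelArray& a, const ModelArray& b) {
    IndexingType resultType = fastConcatType(a, b);
    if (resultType == IndexingType::NonArray)
        return std::nullopt;

    // Guard the combined length before sizing the destination: two lengths that
    // are individually valid can still overflow when added.
    size_t lenA = a.slots.size();
    size_t lenB = b.slots.size();
    if (lenA > std::numeric_limits<size_t>::max() - lenB)
        return std::nullopt;
    size_t total = lenA + lenB;

    // The real fast path writes into an uninitialized buffer; a zeroed vector is
    // used here for simplicity. Both copies are bounded by the lengths checked above.
    ModelArray result{resultType, std::vector<uint64_t>(total)};
    if (lenA)
        std::memcpy(result.slots.data(), a.slots.data(), lenA * sizeof(uint64_t));
    if (lenB)
        std::memcpy(result.slots.data() + lenA, b.slots.data(), lenB * sizeof(uint64_t));
    return result;
}

// Constructed sample inputs (not taken from any real engine state).
ModelArray sampleInt32(std::initializer_list<uint64_t> v) { return {IndexingType::Int32, v}; }
ModelArray sampleDouble(std::initializer_list<uint64_t> v) { return {IndexingType::Double, v}; }
ModelArray sampleNonArray() { return {IndexingType::NonArray, {}}; }
```

        Mixing an Int32 and a Double array, or passing anything that is not a dense array, makes
        fastConcatWith return nullopt, which is the cue for the caller to take the generic path.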
2015-07-06  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        [Streams API] Remove ReadableStream custom constructor
        https://bugs.webkit.org/show_bug.cgi?id=146547

        Reviewed by Darin Adler.

        Adding helper function to throw range errors.

        * runtime/Error.h:
        (JSC::throwRangeError):
        (JSC::throwVMRangeError):

2015-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement the latest Promise spec in JS
        https://bugs.webkit.org/show_bug.cgi?id=146229

        Reviewed by Sam Weinig.

        Updated the Promise implementation to meet the ES6 spec.
        This patch
        1. Implements ES6 Promise and related abstract operations in builtins JS
        2. Exposes the @enqueueJob private function to the JS world to post the microtask

        The updated implementation has a one-to-one correspondence to the ES6 spec description.
        And keeps JSPromiseDeferred because it is the interface used from WebCore.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Array.prototype.js:
        (reduce):
        (reduceRight):
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        (fill):
        (find):
        (findIndex):
        (includes):
        (copyWithin):
        ToInteger / ToLength are renamed to toInteger and toLength.
        * builtins/ArrayConstructor.js:
        (from):
        ToInteger / ToLength are renamed to toInteger and toLength.
        * builtins/GlobalObject.js:
        (toInteger):
        (toLength):
        (isObject):
        (ToInteger): Deleted.
        (ToLength): Deleted.
        ToInteger / ToLength are renamed to toInteger and toLength.
        Add new abstract operation, isObject.
        * builtins/Operations.Promise.js: Added.
        (isPromise):
        (newPromiseReaction):
        (newPromiseDeferred):
        (newPromiseCapability.executor):
        (newPromiseCapability):
        (triggerPromiseReactions):
        (rejectPromise):
        (fulfillPromise):
        (createResolvingFunctions.resolve):
        (createResolvingFunctions.reject):
        (createResolvingFunctions):
        (promiseReactionJob):
        (promiseResolveThenableJob):
        (initializePromise):
        Added Promise related abstract operations.
        * builtins/Promise.prototype.js:
        (catch):
        (.onFulfilled):
        (.onRejected):
        (then):
        Promise#then implementation in JS.
        * builtins/PromiseConstructor.js: Added.
        (all.newResolveElement):
        (all):
        (race):
        (reject):
        (resolve):
        Promise static functions implementations in JS.
        * builtins/StringConstructor.js:
        (raw):
        ToInteger / ToLength are renamed to toInteger and toLength.
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::initializePromiseFunction):
        (JSC::JSGlobalObject::newPromiseDeferredFunction):
        * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
        (JSC::createJSJob):
        (JSC::JSJobMicrotask::run):
        * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::create):
        (JSC::JSPromise::JSPromise):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::result):
        (JSC::JSPromise::destroy): Deleted.
        (JSC::JSPromise::visitChildren): Deleted.
        (JSC::JSPromise::reject): Deleted.
        (JSC::JSPromise::resolve): Deleted.
        (JSC::JSPromise::appendResolveReaction): Deleted.
        (JSC::JSPromise::appendRejectReaction): Deleted.
        (JSC::triggerPromiseReactions): Deleted.
        * runtime/JSPromise.h:
        (JSC::JSPromise::status): Deleted.
        (JSC::JSPromise::result): Deleted.
        (JSC::JSPromise::constructor): Deleted.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::JSPromiseConstructorFuncResolve): Deleted.
        (JSC::JSPromiseConstructorFuncReject): Deleted.
        (JSC::performPromiseRaceLoop): Deleted.
        (JSC::JSPromiseConstructorFuncRace): Deleted.
        (JSC::performPromiseAll): Deleted.
        (JSC::JSPromiseConstructorFuncAll): Deleted.
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::create):
        (JSC::createJSPromiseDeferredFromConstructor): Deleted.
        (JSC::updateDeferredFromPotentialThenable): Deleted.
        (JSC::performDeferredResolve): Deleted.
        (JSC::performDeferredReject): Deleted.
        (JSC::abruptRejection): Deleted.
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseFunctions.cpp: Removed.
        (JSC::deferredConstructionFunction): Deleted.
        (JSC::createDeferredConstructionFunction): Deleted.
        (JSC::identifyFunction): Deleted.
        (JSC::createIdentifyFunction): Deleted.
        (JSC::promiseAllCountdownFunction): Deleted.
        (JSC::createPromiseAllCountdownFunction): Deleted.
        (JSC::promiseResolutionHandlerFunction): Deleted.
        (JSC::createPromiseResolutionHandlerFunction): Deleted.
        (JSC::rejectPromiseFunction): Deleted.
        (JSC::createRejectPromiseFunction): Deleted.
        (JSC::resolvePromiseFunction): Deleted.
        (JSC::createResolvePromiseFunction): Deleted.
        (JSC::throwerFunction): Deleted.
        (JSC::createThrowerFunction): Deleted.
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototypeFuncThen): Deleted.
        * runtime/JSPromiseReaction.cpp: Removed.
        (JSC::createExecutePromiseReactionMicrotask): Deleted.
        (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
        (JSC::JSPromiseReaction::create): Deleted.
        (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
        (JSC::JSPromiseReaction::finishCreation): Deleted.
        (JSC::JSPromiseReaction::visitChildren): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        * runtime/VM.h:

2015-07-04  Chris Dumez  <cdumez@apple.com>

        Drop RefPtr::clear() method
        https://bugs.webkit.org/show_bug.cgi?id=146556

        Reviewed by Brady Eidson.

        Drop RefPtr::clear() method in favor of "= nullptr;" pattern.

2015-07-03  Dan Bernstein  <mitz@apple.com>

        Just give up on -Wunreachable-code in JavaScriptCore.

        * Configurations/Base.xcconfig:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):

2015-07-03  Dan Bernstein  <mitz@apple.com>

        Fixed the LLINT CLoop build.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):

2015-07-03  Dan Bernstein  <mitz@apple.com>

        [Xcode] Update some build settings as recommended by Xcode 7
        https://bugs.webkit.org/show_bug.cgi?id=146597

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
        GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.

        * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.

        * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.

2015-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Relax builtin JS restriction about try-catch
        https://bugs.webkit.org/show_bug.cgi?id=146555

        Reviewed by Sam Weinig.

        When retrieving the captured variables from the full activated scope,
        it swapped the given vector with the stored declared variables vector.
        This is because retrieving the captured variables is executed in the
        last sequence of the parser, so declared variables are no longer used.
        However, in the builtins functions case, after retrieving the captured
        variables, we check the variables by using the declared variables vector.
        So at that time, the declared variables vector becomes empty and it
        raises assertion failures when the builtins function contains the full
        activated scope. try-catch's catch scope requires the upper scope to be fully
        activated, so JS code in the builtins cannot use try-catch.

        This patch relaxes this restriction. When retrieving the captured
        variables from the scope, just copy to the given vector.

        * parser/Parser.h:
        (JSC::Scope::getCapturedVariables):

2015-07-02  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should have an OSR exit fuzzer
        https://bugs.webkit.org/show_bug.cgi?id=146562

        Reviewed by Benjamin Poulain.

        Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
        spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
        to harness this after I land it.

        Since it's turned off by default, it should have no effect on behavior.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExitFuzz.cpp: Added.
        (JSC::numberOfOSRExitFuzzChecks):
        * dfg/DFGOSRExitFuzz.h: Added.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
        (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.h:

2015-07-02  Saam barati  <saambarati1@gmail.com>

        Rename "Deconstruction" to "Destructuring" throughout JSC
        https://bugs.webkit.org/show_bug.cgi?id=146100

        Reviewed by Mark Lam.

        It is good to use the same naming conventions as the ES6
        spec because it is the de facto way of speaking about these
        language features. This also has the benefit of improving JSC's
        hackability because it improves code readability for newcomers
        to JSC or newcomers to this part of the code base.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeNextParameter):
        (JSC::BytecodeGenerator::visibleNameForParameter):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::registerFor):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::DestructuringAssignmentNode::emitBytecode):
        (JSC::DestructuringPatternNode::~DestructuringPatternNode):
        (JSC::ArrayPatternNode::collectBoundIdentifiers):
        (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
        (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createElementList):
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createClause):
        (JSC::ASTBuilder::createClauseList):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createForOfLoop):
        (JSC::ASTBuilder::isBindingNode):
        (JSC::ASTBuilder::isResolve):
        (JSC::ASTBuilder::createDestructuringAssignment):
        (JSC::ASTBuilder::createArrayPattern):
        (JSC::ASTBuilder::appendArrayPatternSkipEntry):
        (JSC::ASTBuilder::appendArrayPatternEntry):
        (JSC::ASTBuilder::appendArrayPatternRestEntry):
        (JSC::ASTBuilder::createObjectPattern):
        (JSC::ASTBuilder::appendObjectPatternEntry):
        (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
        * parser/NodeConstructors.h:
        (JSC::TryNode::TryNode):
        (JSC::ParameterNode::ParameterNode):
        (JSC::ForOfNode::ForOfNode):
        (JSC::DestructuringPatternNode::DestructuringPatternNode):
        (JSC::ArrayPatternNode::ArrayPatternNode):
        (JSC::ArrayPatternNode::create):
        (JSC::ObjectPatternNode::ObjectPatternNode):
        (JSC::BindingNode::create):
        (JSC::BindingNode::BindingNode):
        (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
        (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
        (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
        * parser/Nodes.cpp:
        (JSC::FunctionParameters::create):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isResolveNode):
        (JSC::ExpressionNode::isBracketAccessorNode):
        (JSC::ExpressionNode::isDotAccessorNode):
        (JSC::ExpressionNode::isDestructuringNode):
        (JSC::ExpressionNode::isFuncExprNode):
        (JSC::ExpressionNode::isCommaNode):
        (JSC::ExpressionNode::isSimpleArray):
        (JSC::ParameterNode::pattern):
        (JSC::ParameterNode::nextParam):
        (JSC::FunctionParameters::size):
        (JSC::FunctionParameters::at):
        (JSC::FunctionParameters::patterns):
        (JSC::DestructuringPatternNode::isBindingNode):
        (JSC::DestructuringPatternNode::emitDirectBinding):
        (JSC::ArrayPatternNode::appendIndex):
        (JSC::ObjectPatternNode::appendEntry):
        (JSC::BindingNode::boundProperty):
        (JSC::DestructuringAssignmentNode::bindings):
        (JSC::ExpressionNode::isDeconstructionNode): Deleted.
        (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
        (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
        (JSC::DeconstructingAssignmentNode::bindings): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted.
        (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted.
        (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted.
        * parser/Parser.h:
        (JSC::isEvalNode):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createPropertyList):
        (JSC::SyntaxChecker::createElementList):
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createClause):
        (JSC::SyntaxChecker::createClauseList):
        (JSC::SyntaxChecker::operatorStackPop):
        * tests/stress/reserved-word-with-escape.js:
        * tests/stress/rest-elements.js:

2015-07-02  Mark Lam  <mark.lam@apple.com>

        Build fix for Win EWS bot.
        https://bugs.webkit.org/show_bug.cgi?id=146551

        Not reviewed.

        * tools/JSDollarVMPrototype.cpp:
        (JSC::functionCrash):

2015-07-02  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
        https://bugs.webkit.org/show_bug.cgi?id=146542

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.

2015-07-01  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
        https://bugs.webkit.org/show_bug.cgi?id=146536

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Timeline.json:
        Change a CPUProfile from sending a required "calls" param to sending a required
        "callInfo" param which includes aggregated information about the calls.

2015-06-30  Filip Pizlo  <fpizlo@apple.com>

        DFG::freezeFragile should register the frozen value's structure
        https://bugs.webkit.org/show_bug.cgi?id=136055
        rdar://problem/21042120

        Reviewed by Mark Lam and Geoffrey Garen.

        This fixes weird concurrency bugs where the constant folding phase tries to convert
        something to a constant but then crashes because the constant's structure wasn't
        registered. The AI was registering the structure of any value it saw, but constant folding
        wasn't - and that's fine so long as there ain't no concurrency.

        The best fix is to just make it impossible to introduce a constant into the IR without
        registering its structure. That's what this change does. This is not only a great
        concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
        less case of structure registering that you have to remember about.

        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
        (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::freezeFragile): Register the structure.
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.

2015-07-01  Matthew Mirman  <mmirman@apple.com>

        Unreviewed, rolling out r185889
        https://bugs.webkit.org/show_bug.cgi?id=146528
        rdar://problem/21573959

        Patch breaks chromeexperiments.com

        Reverted changeset:

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSBoundSlotBaseFunction.cpp: Removed.
        * runtime/JSBoundSlotBaseFunction.h: Removed.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Deleted.
        (JSC::JSGlobalObject::visitChildren): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        * runtime/VM.h:

2015-07-01  Dean Jackson  <dino@apple.com>

        Disable the experimental WebGL2 implementation
        https://bugs.webkit.org/show_bug.cgi?id=146526
        <rdar://problem/21641235>

        Reviewed by Myles Maxfield.

        Add (and disable) an ENABLE_WEBGL2 flag.

        * Configurations/FeatureDefines.xcconfig:

2015-07-01  Matthew Daiter  <mdaiter@apple.com>

        Enable MEDIA_STREAM flag
        https://bugs.webkit.org/show_bug.cgi?id=145947
        <rdar://problem/21365829>

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag

2015-06-30  Andy VanWagoner  <thetalecrafter@gmail.com>

        Implement ECMAScript Internationalization API
        https://bugs.webkit.org/show_bug.cgi?id=90906

        Reviewed by Benjamin Poulain.

        * CMakeLists.txt: add IntlObject.cpp
        * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
        * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
        * runtime/CommonIdentifiers.h: add "Intl" name
        * runtime/IntlObject.cpp: Added.
        (JSC::IntlObject::IntlObject):
        (JSC::IntlObject::create):
        (JSC::IntlObject::finishCreation):
        (JSC::IntlObject::createStructure):
        * runtime/IntlObject.h: Added.
        * runtime/JSGlobalObject.cpp: Add global Intl
        (JSC::JSGlobalObject::init):

2015-06-30  Basile Clement  <basile_clement@apple.com>

        Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
        https://bugs.webkit.org/show_bug.cgi?id=146431

        Reviewed by Filip Pizlo.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::isFunctionAllocation):
        (JSC::DFG::Node::isPhantomFunctionAllocation):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
        * dfg/DFGPromoteHeapAccess.h:
        (JSC::DFG::promoteHeapAccess):

2015-06-30  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
        https://bugs.webkit.org/show_bug.cgi?id=146168

        Reviewed by Brian Burg.

        * inspector/protocol/Timeline.json:
        New timeline record type for compositing events.

2015-06-29  Dean Jackson  <dino@apple.com>

        Temporarily disable PICTURE_SIZES
        https://bugs.webkit.org/show_bug.cgi?id=146435
        <rdar://problem/21087013>

        Reviewed by Tim Horton.

        Temporarily disable PICTURE_SIZES because it causes problems with out
        of date <picture> polyfills.

        * Configurations/FeatureDefines.xcconfig:

2015-06-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
        https://bugs.webkit.org/show_bug.cgi?id=146403

        Reviewed by Darin Adler.

        * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.

2015-06-28  Aleksandr Skachkov  <gskachkov@gmail.com>

        [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
        https://bugs.webkit.org/show_bug.cgi?id=146394

        Reviewed by Yusuke Suzuki.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):

2015-06-27  Darin Adler  <darin@apple.com>

        Make converting JSString to StringView idiomatically safe
        https://bugs.webkit.org/show_bug.cgi?id=146387

        Reviewed by Anders Carlsson.

        * jsc.cpp:
        (functionPrint): Add explicit call to SafeView::get, needed since there
        is no StringView temporary.
        (functionDebug): Ditto.

        * runtime/ArrayPrototype.cpp:
        (JSC::holesMustForwardToPrototype): Refactored into helper function.
        (JSC::join): Refactored so that StringView is a function argument, making
        the lifetime simpler.
        (JSC::arrayProtoFuncJoin): Ditto.
        (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Add explicit call to SafeView::get.

        * runtime/JSString.h: Moved declarations of functions to the top of the
        file instead of mixing them in with the function definitions. Changed
        return type of the view function to return a JSString::SafeView so that
        the JSString's lifetime will last as long as the StringView does in
        typical coding idioms.
        (JSC::JSString::getIndex): Use unsafeView so we can index into the
        view; could also have used view.get but here in this class this seems fine.
        (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
        (JSC::JSString::unsafeView): Ditto.
        (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
        and a JSString. The ExecState is needed to create the StringView, and the
        JSString needs to be kept alive as long as the StringView is.
        (JSC::JSString::SafeView::operator StringView): Call unsafeView.
        (JSC::JSString::SafeView::get): Convenience for when we want to call
        StringView member functions.
        (JSC::JSString::view): Added. Returns a SafeView.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get.

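        The entry above changes the JSString-to-StringView conversion so that the owner outlives
        the view in ordinary usage, closing off the use-after-free pattern where a view outlives
        the string it points into. The following is an added illustration of that idiom, not JSC's
        JSString::SafeView: the backing storage is a std::shared_ptr<std::string> standing in for a
        GC-managed JSString (an assumption of this example), and OwnedString, viewOfTemporary and
        ownerRefCountWithView are names introduced here for the demonstration.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <string_view>
#include <utility>

// Illustrative model of the SafeView idiom (not JSC's code). A std::string_view
// is only valid while its backing string is alive, so the conversion returns an
// object that holds a strong reference to the owner for as long as the view is
// in use. shared_ptr stands in for GC-managed lifetime (assumption).
class OwnedString {
public:
    explicit OwnedString(std::string s)
        : m_impl(std::make_shared<std::string>(std::move(s))) {}

    class SafeView {
    public:
        explicit SafeView(std::shared_ptr<const std::string> owner)
            : m_owner(std::move(owner)) {}
        // Implicit conversion for call sites that just want a view.
        operator std::string_view() const { return *m_owner; }
        // Explicit accessor for when string_view member functions are needed
        // and there is no temporary to convert from.
        std::string_view get() const { return *m_owner; }
    private:
        std::shared_ptr<const std::string> m_owner; // keeps the string alive
    };

    // Safe by construction: the returned object owns a reference to the data.
    SafeView view() const { return SafeView(m_impl); }
    // Valid only while *this is alive; callers take on the lifetime obligation.
    std::string_view unsafeView() const { return *m_impl; }
    long useCount() const { return m_impl.use_count(); }

private:
    std::shared_ptr<std::string> m_impl;
};

// The owner goes out of scope at return, yet the view stays valid because the
// SafeView holds its own reference. Returning temp.unsafeView() here instead
// would hand the caller a dangling view.
OwnedString::SafeView viewOfTemporary(const std::string& text) {
    OwnedString temp(text);
    return temp.view();
}

// Uses a string_view member function on a view whose original owner is gone.
size_t indexOfInTemporary(const std::string& text, char c) {
    auto safe = viewOfTemporary(text);
    return safe.get().find(c);
}

// Shows that taking a SafeView adds a reference to the backing string.
long ownerRefCountWithView() {
    OwnedString s("sample");          // constructed input
    OwnedString::SafeView v = s.view();
    return s.useCount();              // owner + view
}
```

        The implicit conversion covers the common case of passing the result straight to a function
        taking a view, while get() is for the situation the entry calls out, where there is no
        StringView temporary and member functions are invoked directly.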
618 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
619
620         Remove ARMv7Assembler.cpp
621         https://bugs.webkit.org/show_bug.cgi?id=146340
622
623         Reviewed by Filip Pizlo.
624
625         * CMakeLists.txt:
626         * JavaScriptCore.xcodeproj/project.pbxproj:
627         * assembler/ARMv7Assembler.cpp: Removed.
628
629 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
630
631         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989
632         https://bugs.webkit.org/show_bug.cgi?id=146344
633
634         Reviewed by Yusuke Suzuki.
635
636         * parser/Parser.cpp:
637         (JSC::Parser<LexerType>::parseSourceElements):
638
639 2015-06-26 Aleksandr Skachkov  <gskachkov@gmail.com>
640
641          [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. 
642          https://bugs.webkit.org/show_bug.cgi?id=144955
643
644          Reviewed by Yusuke Suzuki.
645
646          Added support of ES6 arrow function. Changes were made according to following spec http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. Patch does not include any arrow function specific behavior e.g. lexical bind this, arguments and etc.     
647         This patch implements the simplest cases of arrow function declaration:
648            parameters             () => 10 + 20
649            parameter               x => x + 20
650            parameters         (x, y) => x + y
651            function with block     x => { return x*10; }
652
653         Not implemented:
654            bind of the this, arguments, super and etc.
655            exception in case of trying to use 'new' with arrow function
656
657         * parser/ASTBuilder.h:
658         (JSC::ASTBuilder::createFunctionExpr):
659         (JSC::ASTBuilder::createArrowFunctionExpr):
660         (JSC::ASTBuilder::createGetterOrSetterProperty):
661         (JSC::ASTBuilder::createFuncDeclStatement):
662         * parser/Lexer.cpp:
663         (JSC::Lexer<T>::setTokenPosition):
664         (JSC::Lexer<T>::lex):
665         * parser/Lexer.h:
666         (JSC::Lexer::lastTokenLocation):
667         (JSC::Lexer::setTerminator):
668         * parser/Parser.cpp:
669         (JSC::Parser<LexerType>::parseInner):
670         (JSC::Parser<LexerType>::parseSourceElements):
671         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody):
672         (JSC::Parser<LexerType>::parseSwitchClauses):
673         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
674         (JSC::Parser<LexerType>::parseBlockStatement):
675         (JSC::Parser<LexerType>::parseFunctionBody):
676         (JSC::stringForFunctionMode):
677         (JSC::Parser<LexerType>::parseFunctionParameters):
678         (JSC::Parser<LexerType>::parseFunctionInfo):
679         (JSC::Parser<LexerType>::parseFunctionDeclaration):
680         (JSC::Parser<LexerType>::parseClass):
681         (JSC::Parser<LexerType>::parseAssignmentExpression):
682         (JSC::Parser<LexerType>::parsePropertyMethod):
683         (JSC::Parser<LexerType>::parseGetterSetter):
684         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
685         * parser/Parser.h:
686         (JSC::Parser::locationBeforeLastToken):
687         (JSC::Parser::isEndOfArrowFunction):
688         (JSC::Parser::isArrowFunctionParamters):
689         (JSC::Parser::setEndOfStatement):
690         * parser/ParserFunctionInfo.h:
691         * parser/ParserTokens.h:
692         * parser/SourceCode.h:
693         (JSC::SourceCode::subArrowExpression):
694         * parser/SourceProviderCacheItem.h:
695         (JSC::SourceProviderCacheItem::endFunctionToken):
696         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
697         * parser/SyntaxChecker.h:
698         (JSC::SyntaxChecker::createArrowFunctionExpr):
699         (JSC::SyntaxChecker::setFunctionNameStart):
700
701 2015-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
702
703         [ES6] Support rest element in destructuring assignments
704         https://bugs.webkit.org/show_bug.cgi?id=146206
705
706         Reviewed by Oliver Hunt.
707
708         This patch enables the rest element (...rest) in array binding patterns.
709         It generates an array from the iterable.
710         In variable declarations and parameters, only the `[...identifier]` form is allowed,
711         while expressions can take the `[...[...rest]]` pattern.
712
713         * bytecompiler/BytecodeGenerator.cpp:
714         (JSC::BytecodeGenerator::emitEnumeration):
715         (JSC::BytecodeGenerator::emitIteratorNext):
716         * bytecompiler/BytecodeGenerator.h:
717         * bytecompiler/NodesCodegen.cpp:
718         (JSC::ArrayPatternNode::bindValue):
719         (JSC::ArrayPatternNode::toString):
720         * parser/ASTBuilder.h:
721         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
722         (JSC::ASTBuilder::appendArrayPatternEntry):
723         (JSC::ASTBuilder::appendArrayPatternRestEntry):
724         * parser/Nodes.h:
725         (JSC::ArrayPatternNode::appendIndex):
726         * parser/Parser.cpp:
727         (JSC::Parser<LexerType>::parseDeconstructionPattern):
728         * parser/SyntaxChecker.h:
729         (JSC::SyntaxChecker::operatorStackPop):
730         * tests/stress/rest-elements.js: Added.
731         (shouldBe):
732         (shouldThrow):
733
734 2015-06-25  Commit Queue  <commit-queue@webkit.org>
735
736         Unreviewed, rolling out r185956.
737         https://bugs.webkit.org/show_bug.cgi?id=146321
738
739         Causes massive crashes on test bots (Requested by bfulgham on
740         #webkit).
741
742         Reverted changeset:
743
744         "Enabling MEDIA_STREAM"
745         https://bugs.webkit.org/show_bug.cgi?id=145947
746         http://trac.webkit.org/changeset/185956
747
748 2015-06-25  Michael Saboff  <msaboff@apple.com>
749
750         Minor fix to idx bounds check after 185954
751
752         Rubber Stamped by Ryosuke Niwa.
753
754         Changed "idx > 1" to "idx > 0" in two places.
755
756         * runtime/ExceptionHelpers.cpp:
757         (JSC::functionCallBase):
758
759 2015-06-25  Keith Miller  <keith_miller@apple.com>
760
761         Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack.
762         https://bugs.webkit.org/show_bug.cgi?id=146297
763
764         Reviewed by Filip Pizlo.
765
766         Since we cannot blacklist the system memcpy we must use our own naive implementation,
767         copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is
768         only called as part of an O(heapsize) operation. As the heap is generally much larger
769         than the stack the performance hit is minimal.
770
771         * heap/MachineStackMarker.cpp:
772         (JSC::copyMemory):
773         (JSC::MachineThreads::tryCopyOtherThreadStack):
774         (JSC::asanUnsafeMemcpy): Deleted.
775
776 2015-06-25  Matthew Daiter  <mdaiter@apple.com>
777
778         Enabling MEDIA_STREAM
779         https://bugs.webkit.org/show_bug.cgi?id=145947
780         <rdar://problem/21365829>
781
782         Reviewed by Brent Fulgham.
783
784         * Configurations/FeatureDefines.xcconfig:
785
786 2015-06-25  Michael Saboff  <msaboff@apple.com>
787
788         REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689)
789         https://bugs.webkit.org/show_bug.cgi?id=146298
790
791         Reviewed by Mark Lam.
792
793         We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right to left
794         string index.  Added checks that idx stays within the string.  Also added a termination
795         condition when idx is 0.
796
797         * runtime/ExceptionHelpers.cpp:
798         (JSC::functionCallBase):
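
        The underflow described above, as an added C++ example that is not JavaScriptCore's code: a simplified
        right-to-left scan over the text preceding a call, with the two guards the entry names (the start index
        must lie inside the string, and the loop tests idx > 0 before stepping left). The function name
        calleeStartIndex and the sample input are constructed for this illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical, simplified stand-in (not JavaScriptCore's code) for a scan that walks
// right-to-left from the position just before a call's "(" to find where the callee
// expression begins. The defect the entry above describes is the classic one for an
// unsigned index walked backwards: once idx reaches 0, the next decrement wraps to
// SIZE_MAX and source[idx] reads outside the string. Two guards give the shape of
// the fix: the start index must lie inside the string, and every step tests idx > 0
// before moving left.
size_t calleeStartIndex(const std::string& source, size_t idx)
{
    // Guard 1: reject a start index that is not inside the string.
    if (idx >= source.size())
        return std::string::npos;

    auto isIdentifierChar = [](unsigned char c) {
        return std::isalnum(c) || c == '_' || c == '$' || c == '.';
    };

    // Skip whitespace between the callee and the "(". The condition tests idx before
    // the decrement, so idx can reach 0 but never wrap below it.
    while (idx > 0 && std::isspace(static_cast<unsigned char>(source[idx])))
        --idx;

    // Guard 2: walk left over identifier / member-access characters, stopping at
    // index 0 instead of decrementing past it. source[idx - 1] is only read under
    // idx > 0, so every access stays inside the string.
    while (idx > 0 && isIdentifierChar(static_cast<unsigned char>(source[idx - 1])))
        --idx;

    return idx;
}

int main()
{
    // Constructed sample: the "(" is at index 9, so the scan starts at index 8 and
    // the callee "foo.bar" begins at index 2.
    const std::string sample = "  foo.bar(x)";
    size_t start = calleeStartIndex(sample, 8);
    std::cout << "callee starts at " << start << ": \""
              << sample.substr(start, 8 - start + 1) << "\"\n";

    // A start index outside the string is rejected rather than read.
    std::cout << "out of range rejected: "
              << (calleeStartIndex(sample, 42) == std::string::npos) << "\n";
    return 0;
}
```

        In this model a loop condition of idx > 1 would stop one step early and never examine index 0, which
        is the shape of the "Minor fix to idx bounds check" entry earlier on this page; idx > 0 lets the scan
        reach the first character while still preventing the unsigned wrap.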
799
800 2015-06-24  Chris Dumez  <cdumez@apple.com>
801
802         Unreviewed, speculative build fix after r185942.
803
804         Add missing include for StrongInlines.h.
805
806         * runtime/ArrayPrototype.cpp:
807
808 2015-06-24  Darin Adler  <darin@apple.com>
809
810         Optimize Array.join and Array.reverse for high speed array types
811         https://bugs.webkit.org/show_bug.cgi?id=146275
812
813         Reviewed by Mark Lam.
814
815         This seems to yield another 17% speed improvement in the array
816         test from the Peacekeeper benchmark.
817
818         * runtime/ArrayPrototype.cpp:
819         (JSC::isHole): Added. Helper to check for holes.
820         (JSC::containsHole): Ditto.
821         (JSC::arrayProtoFuncJoin): Added special cases for the various types
822         of arrays that could be in a butterfly.
823         (JSC::arrayProtoFuncReverse): Ditto.
824
825         * runtime/JSStringJoiner.h: Made appendEmptyString public so we can
826         call it from the new parts of Array.join.
827
828 2015-06-24  Filip Pizlo  <fpizlo@apple.com>
829
830         DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear
831         https://bugs.webkit.org/show_bug.cgi?id=146291
832         rdar://problem/21435366
833
834         Reviewed by Michael Saboff.
835         
836         The filter() method returns Contradiction only when a value *becomes* clear. This is
837         necessary for supporting the convention that non-JSValue nodes have a bottom proved
838         type. (We should fix that convention eventually, but for now let's just be consistent
839         about it.)
840         
841         * dfg/DFGFiltrationResult.h: Document the issue.
842         * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue.
843         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
844         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
845         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
846         * dfg/DFGSpeculativeJIT64.cpp: Work around the issue.
847         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
848         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
849         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
850         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
851
852 2015-06-24  Michael Saboff  <msaboff@apple.com>
853
854         Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo
855         https://bugs.webkit.org/show_bug.cgi?id=146285
856
857         Reviewed by Filip Pizlo.
858
859         CallLinkInfos contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains
860         a collection of PolymorphicCallNode.  Those PolymorphicCallNodes have a reference back to the
861         CallLinkInfo.  When a CallLinkInfo replaces or clears "stub", the ref count of the
862         PolymorphicCallStubRoutine is decremented as expected, but since it inherits from
863         GCAwareJITStubRoutine, it isn't actually deleted until GC.  In the meantime, the original
864         CallLinkInfo can go away.  If PolymorphicCallNode::unlink() is called at that point,
865         it will try to unlink a now deleted CallLinkInfo and crash as a result.
866
867         The fix is to clear the CallLinkInfo references from any PolymorphicCallNode objects
868         when we set a new stub or clear an existing stub for a CallLinkInfo.  This is done by
869         calling PolymorphicCallNode::clearCallNodesFor() on the old stub.
870
871         The prior code would only call clearCallNodesFor() from the CallLinkInfo destructor.
872         This only took care of the last PolymorphicCallStubRoutine held in the CallLinkInfo.
873         Any prior PolymorphicCallStubRoutine would still have a now-bad reference to the CallLinkInfo.
874
875         In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
876         made all the data elements private.
877
878         * bytecode/CallLinkInfo.cpp:
879         (JSC::CallLinkInfo::clearStub): Updated to call PolymorphicCallStubRoutine::clearCallNodesFor()
880         to clear the back references to this CallLinkInfo.
881         * bytecode/CallLinkInfo.h:
882         (JSC::CallLinkInfo::~CallLinkInfo): Moved clearCallNodesFor() call to clearStub().
883         (JSC::CallLinkInfo::setStub): Clear any prior stub before changing to the new stub.
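
        The stale back-reference described above, as an added C++ model that is not JavaScriptCore's code:
        Owner, Stub and Node are hypothetical stand-ins for CallLinkInfo, PolymorphicCallStubRoutine and
        PolymorphicCallNode, a second shared_ptr stands in for GC-deferred deletion, and the constructor flag
        selects either the prior behaviour (clear back-references only from the destructor) or the fixed one
        (clear them whenever the stub is replaced or cleared).

```cpp
#include <initializer_list>
#include <memory>
#include <vector>

// Hypothetical model, not JavaScriptCore's code. Owner stands in for CallLinkInfo, Stub
// for PolymorphicCallStubRoutine and Node for PolymorphicCallNode. A Stub can outlive
// its Owner (in JSC because deletion waits for GC, here because a second shared_ptr
// keeps it alive), so a Node whose raw back-pointer was never cleared dangles.
class Owner;

struct Node {
    Owner* owner = nullptr;   // raw back-reference; only the Owner may clear it
    bool unlinked = false;
    void unlink();
};

struct Stub {
    std::vector<Node> nodes;
    void clearNodesFor(const Owner* owner)   // mirrors clearCallNodesFor()
    {
        for (Node& node : nodes)
            if (node.owner == owner)
                node.owner = nullptr;
    }
};

class Owner {
public:
    // clearOnReplace = false models the prior code: detach only from the destructor.
    explicit Owner(bool clearOnReplace) : m_clearOnReplace(clearOnReplace) { }
    ~Owner() { clearStub(); }

    void setStub(std::shared_ptr<Stub> stub)
    {
        if (m_clearOnReplace)
            clearStub();          // the fix: detach the old stub's nodes first
        m_stub = stub;
        for (Node& node : m_stub->nodes)
            node.owner = this;
    }

    void clearStub()
    {
        if (!m_stub)
            return;
        m_stub->clearNodesFor(this);
        m_stub.reset();
    }

    void noteUnlinked() { ++m_unlinkCount; }

private:
    std::shared_ptr<Stub> m_stub;
    bool m_clearOnReplace;
    int m_unlinkCount = 0;
};

void Node::unlink()
{
    unlinked = true;
    if (owner)                    // cleared back-reference: nothing to dereference
        owner->noteUnlinked();
}

struct Outcome {
    int dangling;   // nodes of the replaced stub A still pointing at the dead Owner
    int unlinked;   // nodes unlinked afterwards (attempted only when none dangle)
};

// Installs stub A (two nodes) and then stub B (one node) on a short-lived Owner, lets
// the Owner die while both stubs survive, then inspects the back-references. Pointers
// are compared with nullptr, never dereferenced, so the prior-code case is observed
// without committing the use-after-free.
Outcome runScenario(bool clearOnReplace)
{
    auto stubA = std::make_shared<Stub>();
    stubA->nodes.resize(2);
    auto stubB = std::make_shared<Stub>();
    stubB->nodes.resize(1);
    {
        Owner owner(clearOnReplace);
        owner.setStub(stubA);
        owner.setStub(stubB);
    }                             // ~Owner() detaches only the stub it still holds
    Outcome outcome { 0, 0 };
    for (const Node& node : stubA->nodes)
        if (node.owner)
            ++outcome.dangling;
    if (outcome.dangling)
        return outcome;           // unlink() here would be a use-after-free
    for (Stub* stub : { stubA.get(), stubB.get() })
        for (Node& node : stub->nodes) {
            node.unlink();        // safe: every back-reference is null
            if (node.unlinked && !node.owner)
                ++outcome.unlinked;
        }
    return outcome;
}
```

        With the prior behaviour the two nodes of the replaced stub still hold the dead Owner's address; with
        the fix every node of every stub the Owner ever held has a null back-reference, so unlink() after the
        Owner is gone has nothing to dereference.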
884
885 2015-06-24  Michael Saboff  <msaboff@apple.com>
886
887         Refactor CallLinkInfo from a struct to a class
888         https://bugs.webkit.org/show_bug.cgi?id=146292
889
890         Rubber stamped by Filip Pizlo.
891
892         Refactored CallLinkInfo from a struct to a class with proper accessors and made all the
893         data elements private.
894
895         Done in preparation for fixing https://bugs.webkit.org/show_bug.cgi?id=146285.
896
897         * bytecode/CallLinkInfo.cpp:
898         (JSC::CallLinkInfo::clearStub):
899         (JSC::CallLinkInfo::unlink):
900         (JSC::CallLinkInfo::visitWeak):
901         * bytecode/CallLinkInfo.h:
902         (JSC::CallLinkInfo::callTypeFor):
903         (JSC::CallLinkInfo::CallLinkInfo):
904         (JSC::CallLinkInfo::~CallLinkInfo):
905         (JSC::CallLinkInfo::specializationKindFor):
906         (JSC::CallLinkInfo::specializationKind):
907         (JSC::CallLinkInfo::isLinked):
908         (JSC::CallLinkInfo::setUpCall):
909         (JSC::CallLinkInfo::setCallLocations):
910         (JSC::CallLinkInfo::setUpCallFromFTL):
911         (JSC::CallLinkInfo::callReturnLocation):
912         (JSC::CallLinkInfo::hotPathBegin):
913         (JSC::CallLinkInfo::hotPathOther):
914         (JSC::CallLinkInfo::setCallee):
915         (JSC::CallLinkInfo::clearCallee):
916         (JSC::CallLinkInfo::callee):
917         (JSC::CallLinkInfo::setLastSeenCallee):
918         (JSC::CallLinkInfo::clearLastSeenCallee):
919         (JSC::CallLinkInfo::lastSeenCallee):
920         (JSC::CallLinkInfo::haveLastSeenCallee):
921         (JSC::CallLinkInfo::setStub):
922         (JSC::CallLinkInfo::stub):
923         (JSC::CallLinkInfo::seenOnce):
924         (JSC::CallLinkInfo::clearSeen):
925         (JSC::CallLinkInfo::setSeen):
926         (JSC::CallLinkInfo::hasSeenClosure):
927         (JSC::CallLinkInfo::setHasSeenClosure):
928         (JSC::CallLinkInfo::clearedByGC):
929         (JSC::CallLinkInfo::setCallType):
930         (JSC::CallLinkInfo::callType):
931         (JSC::CallLinkInfo::addressOfMaxNumArguments):
932         (JSC::CallLinkInfo::maxNumArguments):
933         (JSC::CallLinkInfo::offsetOfSlowPathCount):
934         (JSC::CallLinkInfo::setCalleeGPR):
935         (JSC::CallLinkInfo::calleeGPR):
936         (JSC::CallLinkInfo::slowPathCount):
937         (JSC::CallLinkInfo::setCodeOrigin):
938         (JSC::CallLinkInfo::codeOrigin):
939         (JSC::getCallLinkInfoCodeOrigin):
940         * bytecode/CallLinkStatus.cpp:
941         (JSC::CallLinkStatus::computeFor):
942         (JSC::CallLinkStatus::computeFromCallLinkInfo):
943         (JSC::CallLinkStatus::computeDFGStatuses):
944         * bytecode/CallLinkStatus.h:
945         * bytecode/CodeBlock.cpp:
946         (JSC::CodeBlock::printCallOp):
947         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
948         * dfg/DFGJITCompiler.cpp:
949         (JSC::DFG::JITCompiler::link):
950         * dfg/DFGOSRExitCompilerCommon.cpp:
951         (JSC::DFG::reifyInlinedCallFrames):
952         * dfg/DFGSpeculativeJIT32_64.cpp:
953         (JSC::DFG::SpeculativeJIT::emitCall):
954         * dfg/DFGSpeculativeJIT64.cpp:
955         (JSC::DFG::SpeculativeJIT::emitCall):
956         * ftl/FTLJSCallBase.cpp:
957         (JSC::FTL::JSCallBase::link):
958         * jit/AccessorCallJITStubRoutine.h:
959         * jit/JIT.cpp:
960         (JSC::JIT::privateCompile):
961         * jit/JIT.h:
962         * jit/JITCall.cpp:
963         (JSC::JIT::compileSetupVarargsFrame):
964         (JSC::JIT::compileOpCall):
965         * jit/JITCall32_64.cpp:
966         (JSC::JIT::compileSetupVarargsFrame):
967         (JSC::JIT::compileOpCall):
968         * jit/JITOperations.cpp:
969         * jit/PolymorphicCallStubRoutine.cpp:
970         (JSC::PolymorphicCallNode::unlink):
971         (JSC::PolymorphicCallNode::clearCallLinkInfo):
972         * jit/PolymorphicCallStubRoutine.h:
973         * jit/Repatch.cpp:
974         (JSC::generateByIdStub):
975         (JSC::linkSlowFor):
976         (JSC::linkFor):
977         (JSC::revertCall):
978         (JSC::unlinkFor):
979         (JSC::linkPolymorphicCall):
980         * jit/ThunkGenerators.cpp:
981         (JSC::virtualForThunkGenerator):
982
983 2015-06-24  Doug Russell  <d_russell@apple.com>
984
985         Bug 146177 - AX: AXObjectCache should try to use an unignored accessibilityObject 
986         when posting a selection notification when on the border between two accessibilityObjects
987         https://bugs.webkit.org/show_bug.cgi?id=146177
988
989         Add an adopt() function to simplify JSRetainPtr<JSStringRef> { Adopt, string } to adopt(string).
990
991         Reviewed by Darin Adler.
992
993         * API/JSRetainPtr.h:
994         (adopt):
995
996 2015-06-24  Keith Miller  <keith_miller@apple.com>
997
998         Strict Equality on objects should only check that one of the two sides is an object.
999         https://bugs.webkit.org/show_bug.cgi?id=145992
1000
1001         This patch adds a new optimization for checking strict equality on objects.
1002         If we speculate that a strict equality comparison has an object on one side
1003         we only need to type check that side. Equality is then determined by a pointer
1004         comparison between the two values (although in the 32-bit case we must also check
1005         that the other side is a cell). Once LICM hoists type checks out of a loop we
1006         can be cleverer about how we choose the operand we type check if both are
1007         speculated to be objects.
1008
1009         For testing I added the addressOf function, which returns the address
1010         of a Cell to the runtime.
1011
1012         Reviewed by Mark Lam.
1013
1014         * dfg/DFGFixupPhase.cpp:
1015         (JSC::DFG::FixupPhase::fixupNode):
1016         * dfg/DFGSpeculativeJIT.cpp:
1017         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1018         * dfg/DFGSpeculativeJIT.h:
1019         * dfg/DFGSpeculativeJIT32_64.cpp:
1020         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
1021         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
1022         * dfg/DFGSpeculativeJIT64.cpp:
1023         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
1024         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
1025         * ftl/FTLCapabilities.cpp:
1026         (JSC::FTL::canCompile):
1027         * ftl/FTLLowerDFGToLLVM.cpp:
1028         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
1029         * jsc.cpp:
1030         (GlobalObject::finishCreation):
1031         (functionAddressOf):
1032         * tests/stress/equality-type-checking.js: Added.
1033         (Foo):
1034         (checkStrictEq):
1035         (checkStrictEqOther):
1036
1037 2015-06-24  Mark Lam  <mark.lam@apple.com>
1038
1039         Fixed assertion in JSStringJoiner::join() (regression from r185899).
1040
1041         Not reviewed.
1042
1043         JSStringJoiner did not account for the case where the array being joined can
1044         have null or undefined elements.  As a result, its size may be less than
1045         its initially reserved capacity (which was estimated based on the array length).
1046
1047         * runtime/JSStringJoiner.cpp:
1048         (JSC::JSStringJoiner::join):
1049
1050 2015-06-24  Darin Adler  <darin@apple.com>
1051
1052         Fix Array.concat with RuntimeArray (regression from my last patch)
1053
1054         * runtime/ArrayPrototype.cpp:
1055         (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length.
1056
1057         * runtime/JSArray.cpp:
1058         (JSC::JSArray::defineOwnProperty): Added comment about use of
1059         JSArray::length here that is incorrect (in a really non-obvious way).
1060         (JSC::JSArray::fillArgList): Ditto.
1061         (JSC::JSArray::copyToArguments): Ditto.
1062
1063         * runtime/JSArray.h: Added a comment explaining that it is not always
1064         safe to use JSArray::length.
1065
1066 2015-06-23  Mark Lam  <mark.lam@apple.com>
1067
1068         Gardening: Fixing 2 bad asserts from r185889.
1069         https://bugs.webkit.org/show_bug.cgi?id=140575
1070
1071         Not reviewed.
1072
1073         * runtime/JSBoundSlotBaseFunction.cpp:
1074         (JSC::JSBoundSlotBaseFunction::finishCreation):
1075
1076 2015-06-23  Dan Bernstein  <mitz@apple.com>
1077
1078         Fixed iOS production builds.
1079
1080         * JavaScriptCore.xcodeproj/project.pbxproj:
1081
1082 2015-06-22  Darin Adler  <darin@apple.com>
1083
1084         Make Array.join work directly on substrings without reifying them
1085         https://bugs.webkit.org/show_bug.cgi?id=146191
1086
1087         Reviewed by Andreas Kling.
1088
1089         Besides the Array.join change, this has other optimizations based on
1090         profiling the Peacekeeper array benchmark.
1091
1092         I measured a 14% speed improvement in the Peacekeeper array benchmark.
1093
1094         Still a lot of low hanging fruit in that test because so many of the functions
1095         on the array prototype do not optimize for simple cases. For example,
1096         the reverse function does individual get and put calls even when the array
1097         is entirely made up of integers in contiguous storage.
1098
1099         * runtime/ArrayPrototype.cpp:
1100         (JSC::getProperty): Use tryGetIndexQuickly first before getPropertySlot.
1101         (JSC::argumentClampedIndexFromStartOrEnd): Marked inline.
1102         (JSC::shift): Use the getProperty helper in this file instead of using
1103         getPropertySlot. Use putByIndexInline instead of calling putByIndex directly.
1104         In both cases this can yield a faster code path.
1105         (JSC::unshift): Ditto.
1106         (JSC::arrayProtoFuncToString): Updated to use the new JSStringJoiner
1107         interface. Changed local variable name to thisArray since it's not a
1108         JSObject*. Changed loop index to i instead of k.
1109         (JSC::arrayProtoFuncToLocaleString): Updated to use the new JSStringJoiner
1110         interface. Renamed thisObj to thisObject. Added a missing exception check
1111         after the toLocaleString function is called, but before toString is called
1112         on the result of that function.
1113         (JSC::arrayProtoFuncJoin): Updated to use the new JSStringJoiner interface.
1114         Added a missing exception check after calling toString on the separator
1115         but before calling get to get the first element in the array-like object
1116         being joined. Changed loop index to i instead of k. Added missing exception
1117         check after calling toString on each string from the array before calling
1118         get for the next element.
1119         (JSC::arrayProtoFuncConcat): Use JSArray::length instead of using the
1120         getLength function.
1121         (JSC::arrayProtoFuncReverse): Ditto. Also use putByIndexInline.
1122         (JSC::arrayProtoFuncShift): Ditto.
1123         (JSC::arrayProtoFuncSplice): Use getIndex instead of get, which includes some
1124         additional optimizations.
1125         (JSC::getOrHole): Deleted. Unused function.
1126         (JSC::arrayProtoFuncUnShift): Use putByIndexInline.
1127
1128         * runtime/ExceptionHelpers.cpp:
1129         (JSC::errorDescriptionForValue): Removed the duplicate copy of the logic
1130         from JSValue::toString.
1131
1132         * runtime/JSCJSValue.cpp:
1133         (JSC::JSValue::toStringSlowCase): Improved the performance when converting a
1134         small integer to a single character string.
1135         (JSC::JSValue::toWTFStringSlowCase): Moved the contents of the
1136         inlineJSValueNotStringtoString function here.
1137         * runtime/JSCJSValue.h: Removed no longer used toWTFStringInline and fixed
1138         a comment with a typo.
1139
1140         * runtime/JSObject.h:
1141         (JSC::JSObject::putByIndexInline): Marked ALWAYS_INLINE because this was not
1142         getting inlined at some call sites.
1143         (JSC::JSObject::indexingData): Deleted. Unused function.
1144         (JSC::JSObject::currentIndexingData): Deleted. Unused function.
1145         (JSC::JSObject::getHolyIndexQuickly): Deleted. Unused function.
1146         (JSC::JSObject::relevantLength): Deleted. Unused function.
1147         (JSC::JSObject::currentRelevantLength): Deleted. Unused function.
1148
1149         * runtime/JSString.h: Added the StringViewWithUnderlyingString struct and
1150         the viewWithUnderlyingString function. Removed the inlineJSValueNotStringtoString
1151         and toWTFStringInline functions.
1152
1153         * runtime/JSStringJoiner.cpp:
1154         (JSC::appendStringToData): Changed this to be a template instead of writing
1155         it out, since StringView::getCharactersWithUpconvert does almost exactly what
1156         this function was trying to do.
1157         (JSC::joinStrings): Rewrote this to use StringView.
1158         (JSC::JSStringJoiner::joinedLength): Added. Factored out from the join function.
1159         (JSC::JSStringJoiner::join): Rewrote to make it a bit simpler. Added an assertion
1160         that we entirely filled capacity, since we are now reserving capacity and using
1161         uncheckedAppend. Use String instead of RefPtr<StringImpl> because there was no
1162         particular value to using the impl directly.
1163
1164         * runtime/JSStringJoiner.h: Changed the interface to the class to use StringView.
1165         Also changed this class so it now has the responsibility to convert each JSValue
1166         into a string. This let us share more code between toString and join, and also
1167         lets us use the new viewWithUnderlyingString function, which could be confusing at
1168         all the call sites, but is easier to understand here.
1169
1170 2015-06-23  Matthew Mirman  <mmirman@apple.com>
1171
1172         Completes native binding descriptors with native getters and potentially setters.
1173         https://bugs.webkit.org/show_bug.cgi?id=140575
1174         rdar://problem/19506502
1175
1176         Reviewed by Mark Lam.
1177
1178         * CMakeLists.txt:  Added JSBoundSlotBaseFunction.cpp
1179         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1180         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1181         * JavaScriptCore.xcodeproj/project.pbxproj:
1182         * inspector/InjectedScriptSource.js: Added case for descriptor having a native getter.
1183         * runtime/JSBoundSlotBaseFunction.cpp: Added.
1184         (JSC::boundSlotBaseFunctionCall):
1185         (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction):  
1186         Necessary wrapper for custom getters and setters as objects.
1187         (JSC::JSBoundSlotBaseFunction::create):
1188         (JSC::JSBoundSlotBaseFunction::visitChildren):
1189         (JSC::JSBoundSlotBaseFunction::finishCreation):
1190         * runtime/JSBoundSlotBaseFunction.h: Added.
1191         (JSC::JSBoundSlotBaseFunction::createStructure):
1192         (JSC::JSBoundSlotBaseFunction::boundSlotBase):
1193         (JSC::JSBoundSlotBaseFunction::customGetterSetter):
1194         (JSC::JSBoundSlotBaseFunction::isGetter):
1195         * runtime/JSGlobalObject.cpp:
1196         (JSC::JSGlobalObject::init): Added a globally initialized structure for JSBoundSlotBaseFunction
1197         (JSC::JSGlobalObject::visitChildren): visits that structure
1198         * runtime/JSGlobalObject.h:
1199         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): added a getter for that structure
1200         * runtime/JSObject.cpp:
1201         (JSC::JSObject::getOwnPropertyDescriptor): extends the case for CustomGetterSetter to 
1202         actually include GetterSetter as a JSBoundSlotBaseFunction
1203         * runtime/VM.cpp: Added initializer for customGetterSetterFunctionMap
1204         * runtime/VM.h: Added cache for JSBoundSlotBaseFunction
1205
1206 2015-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1207
1208         [ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern
1209         https://bugs.webkit.org/show_bug.cgi?id=146192
1210
1211         Reviewed by Darin Adler.
1212
1213         According to the ES6 spec, a trailing comma in ArrayBindingPattern and ObjectBindingPattern is allowed.
1214         Empty ArrayBindingPattern and ObjectBindingPattern are also allowed.
1215
1216         This patch allows trailing comma and empty binding patterns.
1217
1218         * bytecompiler/NodesCodegen.cpp:
1219         (JSC::ArrayPatternNode::bindValue):
1220         * parser/Parser.cpp:
1221         (JSC::Parser<LexerType>::parseDeconstructionPattern):
1222         * tests/stress/trailing-comma-in-patterns.js: Added.
1223         (shouldBe):
1224         (iterator):
1225
1226 2015-06-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1227
1228         [ES6] Destructuring assignment need to accept iterables
1229         https://bugs.webkit.org/show_bug.cgi?id=144111
1230
1231         Reviewed by Darin Adler.
1232
1233         This patch makes destructuring assignments to array binding patterns accept iterables.
1234         Previously, they just accessed the indexed properties.
1235         After this patch, they iterate the given value using the ES6 iterator protocol.
1236
1237         The iteration differs from the for-of case.
1238         1. Since there is no break/continue case, a finally scope is not necessary.
1239         2. When an error is raised, the close status of the iterator becomes true, so IteratorClose is not called for it.
1240         3. Since array binding patterns require a limited count of iterations (if there is no rest (...rest) case), IteratorClose is called when the iteration does not consume all the values of the iterator.
1241         4. Since array binding patterns require a specified count of iterations, the iterator's next call is skipped when the iterator becomes closed.
1242
1243         * bytecompiler/BytecodeGenerator.cpp:
1244         (JSC::BytecodeGenerator::emitIteratorClose):
1245         * bytecompiler/BytecodeGenerator.h:
1246         * bytecompiler/NodesCodegen.cpp:
1247         (JSC::ArrayPatternNode::bindValue):
1248         * parser/ASTBuilder.h:
1249         (JSC::ASTBuilder::finishArrayPattern):
1250         * parser/Nodes.h:
1251         * parser/Parser.cpp:
1252         (JSC::Parser<LexerType>::parseDeconstructionPattern):
1253         * parser/SyntaxChecker.h:
1254         (JSC::SyntaxChecker::operatorStackPop):
1255         * tests/stress/destructuring-assignment-accepts-iterables.js: Added.
1256         (shouldBe):
1257         (shouldThrow):
1258         (.set shouldThrow):
1259
1260 2015-06-19  Devin Rousso  <drousso@apple.com>
1261
1262         Web Inspector: Highlight currently edited CSS selector
1263         https://bugs.webkit.org/show_bug.cgi?id=145658
1264
1265         Reviewed by Joseph Pecoraro.
1266
1267         * inspector/protocol/DOM.json: Added highlightSelector to show highlight over multiple nodes.
1268
1269 2015-06-19  Mark Lam  <mark.lam@apple.com>
1270
1271         Gardening: fix build for EWS bots.
1272
1273         Not reviewed.
1274
1275         * runtime/JSArray.cpp:
1276         (JSC::JSArray::setLengthWithArrayStorage):
1277
1278 2015-06-19  Michael Saboff  <msaboff@apple.com>
1279
1280         Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL::fixFunctionBasedOnStackMaps + 17225
1281         https://bugs.webkit.org/show_bug.cgi?id=146133
1282
1283         Reviewed by Geoffrey Garen.
1284
1285         When generating code to put in inline caching areas, if there isn't enough space,
1286         then create and link to an out of line area.  We connect the inline code to this
1287         out of line code area by planting a jump from the inline area to the out of line
1288         code and appending a jump at the end of the out of line code back to the instruction
1289         following the inline area.  We fill the unused inline area with nops, primarily to 
1290         ensure the disassembler doesn't get confused.
1291
1292         * ftl/FTLCompile.cpp:
1293         (generateInlineIfPossibleOutOfLineIfNot): New function that determines if there is enough space
1294         in the inline code area for the code to link.  If so, it links inline, otherwise it links the
1295         code out of line and plants appropriate jumps to/from the out of line code.
1296         (generateICFastPath):
1297         (generateCheckInICFastPath):
1298         (fixFunctionBasedOnStackMaps):
1299         Use generateInlineIfPossibleOutOfLineIfNot() to link code intended for inline cache space.
1300
1301         * ftl/FTLJITFinalizer.cpp:
1302         (JSC::FTL::JITFinalizer::finalizeFunction):
1303         * ftl/FTLJITFinalizer.h:
1304         (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
1305         Added code to finalize any out of line LinkBuffer created by generateInlineIfPossibleOutOfLineIfNot().
1306
1307 2015-06-19  Geoffrey Garen  <ggaren@apple.com>
1308
1309         WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276
1310         https://bugs.webkit.org/show_bug.cgi?id=146163
1311         <rdar://problem/20392986>
1312
1313         Reviewed by Michael Saboff.
1314
1315         There's no good way to test this in our test harness because we don't
1316         have a way to simulate executable memory pressure, and doing so would
1317         cause the cases that still use JITCompilationMustSucceed to crash.
1318
1319         Instead, I tested by manually forcing all regexp JIT compilation to
1320         fail and running the JavaScriptCore tests.
1321
1322         * yarr/YarrJIT.cpp:
1323         (JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can
1324         fall back to the regexp interpreter if we need to.
1325
1326 2015-06-19  Mark Lam  <mark.lam@apple.com>
1327
1328         Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround.
1329         https://bugs.webkit.org/show_bug.cgi?id=146154
1330
1331         Reviewed by Darin Adler.
1332
1333         * assembler/MacroAssemblerCodeRef.h:
1334         (JSC::MacroAssemblerCodePtr::dataLocation):
1335         (JSC::MacroAssemblerCodePtr::operator bool):
1336         (JSC::MacroAssemblerCodePtr::operator==):
1337         (JSC::MacroAssemblerCodeRef::tryToDisassemble):
1338         (JSC::MacroAssemblerCodeRef::operator bool):
1339         (JSC::MacroAssemblerCodeRef::dump):
1340         (JSC::MacroAssemblerCodePtr::operator UnspecifiedBoolType*): Deleted.
1341         (JSC::MacroAssemblerCodeRef::operator UnspecifiedBoolType*): Deleted.
1342
1343         * bytecode/CodeOrigin.cpp:
1344         (JSC::CodeOrigin::isApproximatelyEqualTo):
1345         - Fixed a bug here where we were expecting to compare Executable pointers, but
1346           ended up comparing a (UnspecifiedBoolType*)1 with another
1347           (UnspecifiedBoolType*)1.
1348
1349         * bytecode/LLIntCallLinkInfo.h:
1350         (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo):
1351         (JSC::LLIntCallLinkInfo::isLinked):
1352         (JSC::LLIntCallLinkInfo::unlink):
1353         * dfg/DFGBlockWorklist.h:
1354         (JSC::DFG::BlockWith::BlockWith):
1355         (JSC::DFG::BlockWith::operator bool):
1356         (JSC::DFG::BlockWithOrder::BlockWithOrder):
1357         (JSC::DFG::BlockWithOrder::operator bool):
1358         (JSC::DFG::BlockWith::operator UnspecifiedBoolType*): Deleted.
1359         (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*): Deleted.
1360         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1361         * dfg/DFGLazyNode.h:
1362         (JSC::DFG::LazyNode::operator!):
1363         (JSC::DFG::LazyNode::operator bool):
1364         (JSC::DFG::LazyNode::operator UnspecifiedBoolType*): Deleted.
1365         * heap/CopyWriteBarrier.h:
1366         (JSC::CopyWriteBarrier::operator!):
1367         (JSC::CopyWriteBarrier::operator bool):
1368         (JSC::CopyWriteBarrier::get):
1369         (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*): Deleted.
1370         * heap/Handle.h:
1371         (JSC::HandleBase::operator!):
1372         (JSC::HandleBase::operator bool):
1373         (JSC::HandleBase::slot):
1374         (JSC::HandleBase::operator UnspecifiedBoolType*): Deleted.
1375         * heap/Strong.h:
1376         (JSC::Strong::operator!):
1377         (JSC::Strong::operator bool):
1378         (JSC::Strong::swap):
1379         (JSC::Strong::operator UnspecifiedBoolType*): Deleted.
1380         * jit/JITWriteBarrier.h:
1381         (JSC::JITWriteBarrierBase::operator bool):
1382         (JSC::JITWriteBarrierBase::operator!):
1383         (JSC::JITWriteBarrierBase::setFlagOnBarrier):
1384         (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*): Deleted.
1385         * runtime/JSArray.cpp:
1386         (JSC::JSArray::setLengthWithArrayStorage):
1387         * runtime/JSCJSValue.h:
1388         * runtime/JSCJSValueInlines.h:
1389         (JSC::JSValue::JSValue):
1390         (JSC::JSValue::operator bool):
1391         (JSC::JSValue::operator==):
1392         (JSC::JSValue::operator UnspecifiedBoolType*): Deleted.
1393         * runtime/JSObject.h:
1394         (JSC::JSObject::hasSparseMap):
1395         * runtime/PropertyDescriptor.h:
1396         (JSC::PropertyDescriptor::writablePresent):
1397         (JSC::PropertyDescriptor::enumerablePresent):
1398         (JSC::PropertyDescriptor::configurablePresent):
1399         (JSC::PropertyDescriptor::setterPresent):
1400         (JSC::PropertyDescriptor::getterPresent):
1401         * runtime/WriteBarrier.h:
1402         (JSC::WriteBarrierBase::slot):
1403         (JSC::WriteBarrierBase::operator bool):
1404         (JSC::WriteBarrierBase::operator!):
1405         (JSC::WriteBarrierBase<Unknown>::tagPointer):
1406         (JSC::WriteBarrierBase<Unknown>::payloadPointer):
1407         (JSC::WriteBarrierBase<Unknown>::operator bool):
1408         (JSC::WriteBarrierBase<Unknown>::operator!):
1409         (JSC::WriteBarrierBase::operator UnspecifiedBoolType*): Deleted.
1410         (JSC::WriteBarrierBase<Unknown>::operator UnspecifiedBoolType*): Deleted.
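
        The comparison bug noted above under CodeOrigin::isApproximatelyEqualTo, as an added
        illustration that is not JavaScriptCore code: a wrapper using the old UnspecifiedBoolType*
        conversion next to one using explicit operator bool. The Executable struct, the two handle
        classes and the comparison helpers are constructed for this example.

```cpp
#include <cassert>

// Stand-in for a JSC Executable, constructed for this example.
struct Executable {
    int id;
};

// The old idiom: the wrapper converts implicitly to an opaque pointer type so it
// can be tested in conditions. Every non-null handle yields the same sentinel.
class LegacyExecutableHandle {
public:
    struct UnspecifiedBoolType;   // deliberately incomplete: only pointers to it exist
    explicit LegacyExecutableHandle(Executable* executable) : m_executable(executable) { }
    operator UnspecifiedBoolType*() const
    {
        return m_executable ? reinterpret_cast<UnspecifiedBoolType*>(1) : nullptr;
    }
    Executable* get() const { return m_executable; }
private:
    Executable* m_executable;
};

// The replacement: explicit operator bool still works in conditions, but it is
// not a candidate for ==, so equality has to be written out and compares the
// pointers the handles actually hold.
class ExecutableHandle {
public:
    explicit ExecutableHandle(Executable* executable) : m_executable(executable) { }
    explicit operator bool() const { return m_executable != nullptr; }
    friend bool operator==(const ExecutableHandle& a, const ExecutableHandle& b)
    {
        return a.m_executable == b.m_executable;
    }
    friend bool operator!=(const ExecutableHandle& a, const ExecutableHandle& b) { return !(a == b); }
    Executable* get() const { return m_executable; }
private:
    Executable* m_executable;
};

// The comparison the caller intends: "do these handles refer to the same Executable?"
// With the legacy idiom this compiles, but it compares (UnspecifiedBoolType*)1 with
// (UnspecifiedBoolType*)1 instead of the two Executable pointers.
bool legacySameExecutable(const LegacyExecutableHandle& a, const LegacyExecutableHandle& b)
{
    return a == b;
}

bool sameExecutable(const ExecutableHandle& a, const ExecutableHandle& b)
{
    return a == b;
}

// Two distinct live executables: the legacy comparison wrongly reports equality.
bool legacyIdiomConflatesDistinctExecutables()
{
    Executable first { 1 }, second { 2 };
    return legacySameExecutable(LegacyExecutableHandle(&first), LegacyExecutableHandle(&second));
}

// The explicit-bool handle distinguishes them and still matches a handle to itself.
bool explicitBoolHandleComparesPointers()
{
    Executable first { 1 }, second { 2 };
    ExecutableHandle a(&first), b(&second), aAgain(&first);
    return a != b && a == aAgain;
}

// Both idioms behave identically in a condition; the difference is only in ==.
bool handlesStillWorkInConditions()
{
    Executable live { 3 };
    LegacyExecutableHandle legacyLive(&live), legacyNull(nullptr);
    ExecutableHandle modernLive(&live), modernNull(nullptr);
    bool legacyOk = legacyLive && !legacyNull;
    bool modernOk = modernLive && !modernNull;
    return legacyOk && modernOk;
}
```

        With the legacy idiom, `a == b` compiles because both operands convert to the same opaque
        pointer type, so two handles to different executables compare equal. With `explicit operator bool`
        the same expression does not compile until an `operator==` on the wrapped pointers is written,
        which turns the silent misbehaviour into a compile error.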
1411
1412 2015-06-19  Anders Carlsson  <andersca@apple.com>
1413
1414         Add a JSC symlink in /System/Library/PrivateFrameworks
1415         https://bugs.webkit.org/show_bug.cgi?id=146158
1416         rdar://problem/21465968
1417
1418         Reviewed by Dan Bernstein.
1419
1420         * JavaScriptCore.xcodeproj/project.pbxproj:
1421
1422 2015-06-19  Joseph Pecoraro  <pecoraro@apple.com>
1423
1424         Web Inspector: Avoid getOwnPropertyNames/Symbols on very large lists
1425         https://bugs.webkit.org/show_bug.cgi?id=146141
1426
1427         Reviewed by Timothy Hatcher.
1428
1429         * inspector/InjectedScriptSource.js:
1430         (InjectedScript.prototype._propertyDescriptors):
1431         Avoid calling getOwnPropertyNames/Symbols on very large lists. Instead
1432         just generate property descriptors for the first 100 indexes. Note
1433         this would behave poorly for sparse arrays with a length > 100, but
1434         general support for lists with more than 100 elements is poor. See:
1435         <https://webkit.org/b/143589> Web Inspector: Better handling for large collections in Object Trees
1436
1437 2015-06-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1438
1439         [DFG] Avoid OSR exit in the middle of string concatenation
1440         https://bugs.webkit.org/show_bug.cgi?id=145820
1441
1442         Reviewed by Filip Pizlo.
1443
1444         DFG attempts to compile ValueAdd with String type into MakeRope(left, ToString(ToPrimitive(right))).
1445
1446         So when right is speculated as SpecObject, ToPrimitive(SpecObject) is speculated as SpecString.
1447         It leads ToString to become Identity with a speculated type check.
1448
1449         However, ToPrimitive and ToString originate from the same bytecode. And ToPrimitive may have
1450         an observable side effect when the given parameter is an object (calling object.{toString,valueOf}).
1451
1452         So when object.toString() returns a number (it is allowed in the ES spec), ToPrimitive performs an
1453         observable `object.toString()` call. But ToString is converted into a speculated type check for
1454         SpecString and it raises OSR exit. And we exit to the original ValueAdd's bytecode position and
1455         it redundantly performs an observable ToPrimitive execution.
1456
1457         To fix this, this patch avoids fixing up the newly introduced ToString node.
1458         Since the fixup phase is not iterated repeatedly, by avoiding fixup when generating the node,
1459         we can avoid the conversion from ToString to Check.
1460
1461         * dfg/DFGFixupPhase.cpp:
1462         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1463         * tests/stress/toprimitive-speculated-types.js: Added.
1464         (shouldBe):
1465         (raw):
1466         (Counter):
1467
1468 2015-06-18  Brian J. Burg  <burg@cs.washington.edu>
1469
1470         Web Inspector: improve generated types for objects passed to backend commands
1471         https://bugs.webkit.org/show_bug.cgi?id=146091
1472
1473         Reviewed by Joseph Pecoraro.
1474
1475         The main change is that objects passed in will have a type like const T& or const T*,
1476         rather than const RefPtr<T>&&. These protocol objects are owned by the generated dispatcher
1477         methods and only exist to pass data to backend command implementations. So, there is no
1478         reason for callees to add a reference or take ownership of these inputs.
1479
1480         Some small improvements were made in the code generator to standardize how these
1481         expressions are generated for parameters. Optional in parameters are now prefixed with
1482         'opt_in_' to make the generated method signatures and implementations clearer.
1483
1484         * inspector/InspectorValues.cpp:
1485         (Inspector::InspectorArrayBase::get): Add const qualifier.
1486         * inspector/InspectorValues.h:
1487         * inspector/agents/InspectorDebuggerAgent.cpp:
1488         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1489         (Inspector::parseLocation):
1490         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1491         (Inspector::InspectorDebuggerAgent::continueToLocation):
1492         * inspector/agents/InspectorDebuggerAgent.h:
1493         * inspector/agents/InspectorRuntimeAgent.cpp:
1494         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1495         (Inspector::InspectorRuntimeAgent::saveResult):
1496         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1497         * inspector/agents/InspectorRuntimeAgent.h:
1498
1499         * inspector/scripts/codegen/cpp_generator.py: Always generate PrimitiveType('array').
1500         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Alter the type signature
1501         for an unchecked input to use pointers or references.
1502
1503         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1504         (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1505         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
1506         Local variables for optional parameters now have the 'opt_' prefix.
1507
1508         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1509         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1510         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1511         Local variables for optional parameters now have the 'opt_' prefix.
1512         Split parameterName and parameterKey into two separate template variables to avoid mixups.
1513
1514         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1515
1516 2015-06-18  Joseph Pecoraro  <pecoraro@apple.com>
1517
1518         Unreviewed. Rollout r185670 as it caused some tests to be flakey.
1519
1520         * debugger/Debugger.cpp:
1521
1522 2015-06-17  Alex Christensen  <achristensen@webkit.org>
1523
1524         [Content Extensions] Log blocked loads to the WebInspector console
1525         https://bugs.webkit.org/show_bug.cgi?id=146089
1526
1527         Reviewed by Joseph Pecoraro.
1528
1529         * inspector/ConsoleMessage.cpp:
1530         (Inspector::messageSourceValue):
1531         * inspector/protocol/Console.json:
1532         * runtime/ConsoleTypes.h:
1533         Add content blocker message source.
1534
1535 2015-06-18  Saam Barati  <saambarati1@gmail.com>
1536
1537         [ES6] support default values in deconstruction parameter nodes
1538         https://bugs.webkit.org/show_bug.cgi?id=142679
1539
1540         Reviewed by Darin Adler.
1541
1542         ES6 destructuring allows destructuring properties to assign 
1543         default values. A link to the spec: 
1544         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-destructuring-binding-patterns
1545
1546         This patch implements default values for all places where deconstruction
1547         is allowed besides function parameters. This is because function
1548         parameters are parsed in a separate parser arena than the function
1549         body itself, and ExpressionNodes which are default values for
1550         deconstruction parameters will be deallocated by the time we parse the body
1551         of the function. I have opened a bug to address this problem:
1552         https://bugs.webkit.org/show_bug.cgi?id=145995
1553
1554         * bytecompiler/NodesCodegen.cpp:
1555         (JSC::DeconstructionPatternNode::~DeconstructionPatternNode):
1556         (JSC::assignDefaultValueIfUndefined):
1557         (JSC::ArrayPatternNode::bindValue):
1558         (JSC::ArrayPatternNode::emitDirectBinding):
1559         (JSC::ArrayPatternNode::toString):
1560         (JSC::ArrayPatternNode::collectBoundIdentifiers):
1561         (JSC::ObjectPatternNode::bindValue):
1562         * parser/ASTBuilder.h:
1563         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
1564         (JSC::ASTBuilder::appendArrayPatternEntry):
1565         (JSC::ASTBuilder::createObjectPattern):
1566         (JSC::ASTBuilder::appendObjectPatternEntry):
1567         (JSC::ASTBuilder::createBindingLocation):
1568         * parser/Nodes.h:
1569         (JSC::ArrayPatternNode::appendIndex):
1570         (JSC::ObjectPatternNode::appendEntry):
1571         (JSC::ObjectPatternNode::Entry::Entry): Deleted.
1572         * parser/Parser.cpp:
1573         (JSC::Parser<LexerType>::parseDeconstructionPattern):
1574         (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern):
1575         (JSC::Parser<LexerType>::parseConstDeclarationList):
1576         * parser/Parser.h:
1577         * parser/SyntaxChecker.h:
1578         (JSC::SyntaxChecker::operatorStackPop):
1579
1580 2015-06-17  Joseph Pecoraro  <pecoraro@apple.com>
1581
1582         Web Inspector: Do not show JavaScriptCore builtins in inspector
1583         https://bugs.webkit.org/show_bug.cgi?id=146049
1584
1585         Reviewed by Timothy Hatcher.
1586
1587         * debugger/Debugger.cpp:
1588
1589 2015-06-17  Andreas Kling  <akling@apple.com>
1590
1591         [JSC] jsSubstring() should have a fast path for 0..baseLength "substrings."
1592         <https://webkit.org/b/146051>
1593
1594         Reviewed by Anders Carlsson.
1595
1596         If asked to make a substring that actually spans the entire base string,
1597         have jsSubstring() just return the base instead of allocating a new JSString.
1598
1599         3% speed-up on Octane/regexp.
1600
1601         * runtime/JSString.h:
1602         (JSC::jsSubstring):
1603
1604 2015-06-16  Alex Christensen  <achristensen@webkit.org>
1605
1606         32-bit build fix after r185640.
1607
1608         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1609         Explicitly cast clamped int64_t to an int.
1610
1611 2015-06-09  Filip Pizlo  <fpizlo@apple.com>
1612
1613         FTL should eliminate array bounds checks in loops
1614         https://bugs.webkit.org/show_bug.cgi?id=145768
1615
1616         Reviewed by Benjamin Poulain.
1617         
1618         This adds a phase that does forward propagation of integer inequalities. This allows us
1619         to do the algebraic reasoning we need to eliminate array bounds checks in loops. It
1620         also eliminates overflow checks on ArithAdd with a constant.
1621         
1622         The phase's analysis produces results that are powerful enough to do speculative bounds
1623         check hoisting, but this phase currently only does elimination. We can implement
1624         hoisting later.
1625         
1626         On programs that just loop over an array like:
1627         
1628             for (var i = 0; i < array.length; ++i)
1629                 thingy += array[i]
1630         
1631         This change is a 60% speed-up.
1632         
1633         This is also a ~3% speed-up on Kraken, and it shows various speed-ups on individual
1634         tests in Octane.
1635
1636         * CMakeLists.txt:
1637         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1638         * JavaScriptCore.xcodeproj/project.pbxproj:
1639         * dfg/DFGIntegerRangeOptimizationPhase.cpp: Added.
1640         (JSC::DFG::performIntegerRangeOptimization):
1641         * dfg/DFGIntegerRangeOptimizationPhase.h: Added.
1642         * dfg/DFGPlan.cpp:
1643         (JSC::DFG::Plan::compileInThreadImpl):
1644         * tests/stress/add-overflows-after-not-equal.js: Added.
1645         * tests/stress/no-abc-skippy-loop.js: Added.
1646         * tests/stress/no-abc-skippy-paired-loop.js: Added.
1647         * tests/stress/sub-overflows-after-not-equal.js: Added.
1648
1649 2015-06-16  Andreas Kling  <akling@apple.com>
1650
1651         Remove unused template parameter InlineCapacity from SegmentedVector.
1652         <https://webkit.org/b/146044>
1653
1654         Reviewed by Anders Carlsson.
1655
1656         * bytecode/ArrayProfile.h:
1657         * dfg/DFGCommonData.h:
1658
1659 2015-06-16  Michael Saboff  <msaboff@apple.com>
1660
1661         Inlining in the DFG trashes ByteCodeParser::m_currentInstruction for the calling function
1662         https://bugs.webkit.org/show_bug.cgi?id=146029
1663
1664         Reviewed by Benjamin Poulain.
1665
1666         Save and restore m_currentInstruction around call to ByteCodeParser::inlineCall() as it will
1667         use m_currentInstruction during its own parsing.  This happens because inlineCall() parses the
1668         inlined callee's bytecodes by calling parseCodeBlock() which calls parseBlock() on each block.
1669         It is in parseBlock() that we set m_currentInstruction to an instruction before we parse it.
1670
1671         * dfg/DFGByteCodeParser.cpp:
1672         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1673         (JSC::DFG::ByteCodeParser::parseBlock): Added an ASSERT to catch this issue.
1674
1675 2015-06-16  Filip Pizlo  <fpizlo@apple.com>
1676
1677         Unreviewed, roll out unintended JSC change from https://trac.webkit.org/changeset/185425.
1678
1679         * bytecode/CodeBlock.h:
1680         (JSC::CodeBlock::hasExitSite):
1681         (JSC::CodeBlock::exitProfile):
1682         (JSC::CodeBlock::numberOfExitSites): Deleted.
1683         * bytecode/DFGExitProfile.cpp:
1684         (JSC::DFG::ExitProfile::add):
1685         * bytecode/DFGExitProfile.h:
1686         (JSC::DFG::ExitProfile::hasExitSite):
1687         (JSC::DFG::ExitProfile::size): Deleted.
1688         * dfg/DFGByteCodeParser.cpp:
1689         (JSC::DFG::ByteCodeParser::inliningCost):
1690         * runtime/Options.h:
1691
1692 2015-06-16  Mark Lam  <mark.lam@apple.com>
1693
1694         Use NakedPtr<Exception>& to return exception results.
1695         https://bugs.webkit.org/show_bug.cgi?id=145870
1696
1697         Reviewed by Anders Carlsson and Filip Pizlo.
1698
1699         Before r185259, calls into the VM took a JSValue* exception result argument for
1700         returning any uncaught exception that may have been thrown while executing JS code.
1701         As a result, clients of the VM functions will declare a local JSValue exception
1702         result which is automatically initialized to a null value (i.e. the empty value,
1703         not the JS null value).
1704
1705         With r185259, the VM functions were changed to take an Exception*& exception result
1706         instead, and the VM functions are responsible for initializing the exception result
1707         to null if no exception is thrown.
1708
1709         This introduces 2 issues:
1710
1711         1. the VM functions are vulnerable to modifications that may add early returns
1712            before the exception result is nullified.  This can result in the exception
1713            result being used without initialization.
1714
1715         2. Previously, a client could technically use the same exception result for more
1716            than one call into the VM functions.  If an earlier call sets it to a thrown
1717            value, the thrown value will stick unless a subsequent call throws a different
1718            exception.
1719
1720            With the new Exception*& exception result, the VM functions will always clear
1721            the exception result before proceeding.  As a result, the client's exception
1722            result will be null after the second call even though the first call saw an
1723            exception thrown.  This is a change in the expected behavior.
1724
1725         To fix these issues, we'll introduce a NakedPtr smart pointer whose sole purpose
1726         is to guarantee that the pointer is initialized.  The VM functions will now take
1727         a NakedPtr<Exception>& instead of the Exception*&.  This ensures that the
1728         exception result is initialized.
1729
1730         The VM functions are also reverted to only set the exception result if a new
1731         exception is thrown.
1732
1733         * API/JSBase.cpp:
1734         (JSEvaluateScript):
1735         * API/JSScriptRef.cpp:
1736         * bindings/ScriptFunctionCall.cpp:
1737         (Deprecated::ScriptFunctionCall::call):
1738         * bindings/ScriptFunctionCall.h:
1739         * debugger/Debugger.cpp:
1740         (JSC::Debugger::hasBreakpoint):
1741         * debugger/Debugger.h:
1742         * debugger/DebuggerCallFrame.cpp:
1743         (JSC::DebuggerCallFrame::thisValue):
1744         (JSC::DebuggerCallFrame::evaluate):
1745         * debugger/DebuggerCallFrame.h:
1746         (JSC::DebuggerCallFrame::isValid):
1747         * inspector/InjectedScriptManager.cpp:
1748         (Inspector::InjectedScriptManager::createInjectedScript):
1749         * inspector/InspectorEnvironment.h:
1750         * inspector/JSJavaScriptCallFrame.cpp:
1751         (Inspector::JSJavaScriptCallFrame::evaluate):
1752         * inspector/JavaScriptCallFrame.h:
1753         (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
1754         (Inspector::JavaScriptCallFrame::thisValue):
1755         (Inspector::JavaScriptCallFrame::evaluate):
1756         * inspector/ScriptDebugServer.cpp:
1757         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
1758         * jsc.cpp:
1759         (functionRun):
1760         (functionLoad):
1761         (runWithScripts):
1762         (runInteractive):
1763         * runtime/CallData.cpp:
1764         (JSC::call):
1765         * runtime/CallData.h:
1766         * runtime/Completion.cpp:
1767         (JSC::checkSyntax):
1768         (JSC::evaluate):
1769         * runtime/Completion.h:
1770         (JSC::evaluate):
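
        The exception-result pattern this entry describes, as an added illustration rather than
        JavaScriptCore's own NakedPtr or VM entry points: a minimal always-initialised pointer wrapper
        used as the out-parameter, next to the clearing raw-pointer variant. The toy vmEvaluate*
        functions, the Exception struct and the "throw" trigger are constructed for this example.

```cpp
#include <cassert>
#include <string>

// Constructed for this example; JavaScriptCore's Exception is a GC-managed cell.
struct Exception {
    std::string message;
};

// A minimal NakedPtr: a non-owning pointer whose sole purpose is to guarantee
// that it starts out null. Illustration only, not JavaScriptCore's NakedPtr.
template<typename T>
class NakedPtr {
public:
    NakedPtr() : m_ptr(nullptr) { }
    NakedPtr(T* ptr) : m_ptr(ptr) { }
    NakedPtr& operator=(T* ptr) { m_ptr = ptr; return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr;
};

// The single exception our toy VM ever "throws". Static storage keeps the
// pointer valid after the entry point returns.
static Exception syntaxError { "SyntaxError: unexpected token" };

static bool scriptThrows(const std::string& script)
{
    return script.find("throw") != std::string::npos;
}

// r185259-style entry point: the callee must clear the raw out-parameter before
// anything else. Any early return added above that line would hand the caller
// whatever the uninitialised Exception* happened to contain.
void vmEvaluateClearing(const std::string& script, Exception*& exception)
{
    exception = nullptr;
    if (scriptThrows(script))
        exception = &syntaxError;
}

// NakedPtr-style entry point: initialisation is the out-parameter's own job, so
// the callee only touches it when a new exception is thrown.
void vmEvaluate(const std::string& script, NakedPtr<Exception>& exception)
{
    if (scriptThrows(script))
        exception = &syntaxError;
}

// Issue 2 from the entry: reusing one result across two calls with the clearing
// variant forgets the exception the first call reported.
bool clearingVariantLosesFirstException()
{
    Exception* exception = nullptr; // caller discipline; nothing enforces it
    vmEvaluateClearing("throw", exception);
    vmEvaluateClearing("1 + 1", exception);
    return exception == nullptr;    // the first call's exception is gone
}

// With NakedPtr the thrown value sticks until the caller looks at it.
bool nakedPtrKeepsFirstException()
{
    NakedPtr<Exception> exception;  // null by construction
    vmEvaluate("throw", exception);
    vmEvaluate("1 + 1", exception);
    return exception && exception->message == syntaxError.message;
}

// A default-constructed NakedPtr is null even though the caller wrote no "= nullptr".
bool nakedPtrStartsNull()
{
    NakedPtr<Exception> exception;
    return !exception && !exception.get();
}
```

        The wrapper moves the initialisation guarantee from every call site into the type, so a
        callee that only assigns on throw is safe against early returns, and a caller that reuses
        one result across several calls keeps the first exception it saw.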
1771
1772 2015-06-15  Filip Pizlo  <fpizlo@apple.com>
1773
1774         FTL boolify() UntypedUse is wrong in the masquerades-as-undefined case
1775         https://bugs.webkit.org/show_bug.cgi?id=146002
1776
1777         Reviewed by Darin Adler.
1778
1779         * ftl/FTLLowerDFGToLLVM.cpp: Put this in an anonymous namespace. We should have done that all along. It makes it easier to add debug code.
1780         (JSC::FTL::DFG::LowerDFGToLLVM::boolify): Fix the bug.
1781         * tests/stress/logical-not-masquerades.js: Added. This test creates a masquerader so that the watchpoint is invalid. Previously this would fail for the normal object cases.
1782         (foo):
1783
1784 2015-06-16  Andreas Kling  <akling@apple.com>
1785
1786         [JSC] Pre-bake final Structure for RegExp matches arrays.
1787         <https://webkit.org/b/146006>
1788
1789         Reviewed by Darin Adler.
1790
1791         Since we always add the "index" and "input" fields to RegExp matches arrays,
1792         cache a finished structure on the global object so we can create these arrays without
1793         starting from scratch with a bare array every time.
1794
1795         10% progression on Octane/regexp (on my MBP.)
1796
1797         * runtime/JSArray.h:
1798         (JSC::JSArray::create):
1799         (JSC::JSArray::tryCreateUninitialized):
1800         (JSC::JSArray::createWithButterfly): Factored out JSArray construction into a helper
1801         so we can call this from RegExpMatchesArray.cpp.
1802
1803         * runtime/JSGlobalObject.cpp:
1804         (JSC::JSGlobalObject::init):
1805         (JSC::JSGlobalObject::visitChildren):
1806         * runtime/JSGlobalObject.h:
1807         (JSC::JSGlobalObject::regExpMatchesArrayStructure): Add a cached Structure for RegExp
1808         subpattern matches arrays.
1809
1810         * runtime/JSObject.h:
1811         (JSC::JSNonFinalObject::finishCreation): Tweak assertion that used to check that
1812         JSNonFinalObjects always start out with zero capacity. Since RegExp matches arrays now
1813         start out with capacity for 2 properties, that won't work. Change it to check that we
1814         don't have inline storage instead, since that should only be used by final objects.
1815
1816         * runtime/RegExpMatchesArray.h:
1817         * runtime/RegExpMatchesArray.cpp:
1818         (JSC::tryCreateUninitializedRegExpMatchesArray): Helper to construct a JSArray with
1819         the cached Structure and a Butterfly with 2 slots of property storage.
1820
1821         (JSC::createRegExpMatchesArray):
1822         (JSC::createRegExpMatchesArrayStructure): Creates the array Structure that gets cached
1823         by the JSGlobalObject.
1824
1825 2015-06-16  Saam Barati  <saambarati1@gmail.com>
1826
1827         LLInt's code path for get_from_scope with case GlobalVarWithVarInjectionChecks has dead code
1828         https://bugs.webkit.org/show_bug.cgi?id=144268
1829
1830         Reviewed by Darin Adler.
1831
1832         The call to loadVariable(.) both for 32bit and 64bit is unnecessary. 
1833         It grabs a value that is immediately overwritten by a call to getGlobalVar(). 
1834
1835         * llint/LowLevelInterpreter32_64.asm:
1836         * llint/LowLevelInterpreter64.asm:
1837
1838 2015-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1839
1840         [ES6] Introduce %IteratorPrototype% and drop all XXXIteratorConstructor
1841         https://bugs.webkit.org/show_bug.cgi?id=145963
1842
1843         Reviewed by Darin Adler.
1844
1845         ES6 iterators inherit %IteratorPrototype%.
1846         And these prototype objects of derived iterators don't have @@iterator methods.
1847         Instead they use the %IteratorPrototype%[@@iterator] method.
1848
1849         To encourage inlining in for-of statement, we define this method in JS builtins.
1850
1851         And these iterator prototype objects don't have any constructor function.
1852         This patch drops them (like StringIteratorConstructor).
1853
1854         * CMakeLists.txt:
1855         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1856         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1857         * JavaScriptCore.xcodeproj/project.pbxproj:
1858         * builtins/Iterator.prototype.js: Renamed from Source/JavaScriptCore/runtime/StringIteratorConstructor.cpp.
1859         (SymbolIterator):
1860         * runtime/ArrayIteratorConstructor.cpp:
1861         (JSC::ArrayIteratorConstructor::finishCreation): Deleted.
1862         * runtime/ArrayIteratorConstructor.h: Removed.
1863         (JSC::ArrayIteratorConstructor::create): Deleted.
1864         (JSC::ArrayIteratorConstructor::createStructure): Deleted.
1865         (JSC::ArrayIteratorConstructor::ArrayIteratorConstructor): Deleted.
1866         * runtime/ArrayIteratorPrototype.cpp:
1867         (JSC::ArrayIteratorPrototype::finishCreation):
1868         (JSC::arrayIteratorProtoFuncIterator): Deleted.
1869         * runtime/IteratorPrototype.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorConstructor.cpp.
1870         (JSC::IteratorPrototype::finishCreation):
1871         * runtime/IteratorPrototype.h: Renamed from Source/JavaScriptCore/runtime/SetIteratorConstructor.h.
1872         (JSC::IteratorPrototype::create):
1873         (JSC::IteratorPrototype::createStructure):
1874         (JSC::IteratorPrototype::IteratorPrototype):
1875         * runtime/JSFunction.cpp:
1876         (JSC::JSFunction::createBuiltinFunction):
1877         * runtime/JSFunction.h:
1878         * runtime/JSGlobalObject.cpp:
1879         (JSC::JSGlobalObject::init):
1880         (JSC::JSGlobalObject::visitChildren):
1881         * runtime/JSGlobalObject.h:
1882         (JSC::JSGlobalObject::iteratorPrototype):
1883         * runtime/MapIteratorConstructor.cpp: Removed.
1884         (JSC::MapIteratorConstructor::finishCreation): Deleted.
1885         * runtime/MapIteratorConstructor.h: Removed.
1886         (JSC::MapIteratorConstructor::create): Deleted.
1887         (JSC::MapIteratorConstructor::createStructure): Deleted.
1888         (JSC::MapIteratorConstructor::MapIteratorConstructor): Deleted.
1889         * runtime/MapIteratorPrototype.cpp:
1890         (JSC::MapIteratorPrototype::finishCreation): Deleted.
1891         (JSC::MapIteratorPrototypeFuncIterator): Deleted.
1892         * runtime/SetIteratorConstructor.cpp: Removed.
1893         (JSC::SetIteratorConstructor::finishCreation): Deleted.
1894         * runtime/SetIteratorConstructor.h:
1895         (JSC::SetIteratorConstructor::create): Deleted.
1896         (JSC::SetIteratorConstructor::createStructure): Deleted.
1897         (JSC::SetIteratorConstructor::SetIteratorConstructor): Deleted.
1898         * runtime/SetIteratorPrototype.cpp:
1899         (JSC::SetIteratorPrototype::finishCreation): Deleted.
1900         (JSC::SetIteratorPrototypeFuncIterator): Deleted.
1901         * runtime/StringIteratorConstructor.cpp:
1902         (JSC::StringIteratorConstructor::finishCreation): Deleted.
1903         * runtime/StringIteratorConstructor.h: Removed.
1904         (JSC::StringIteratorConstructor::create): Deleted.
1905         (JSC::StringIteratorConstructor::createStructure): Deleted.
1906         (JSC::StringIteratorConstructor::StringIteratorConstructor): Deleted.
1907         * runtime/StringIteratorPrototype.cpp:
1908         (JSC::StringIteratorPrototype::finishCreation):
1909         (JSC::stringIteratorPrototypeIterator): Deleted.
1910         * tests/stress/iterator-prototype.js: Added.
1911         (shouldBe):
1912         (inheritIteratorPrototype):
1913         (testChain):
1914
1915 2015-06-15  Michael Saboff  <msaboff@apple.com>
1916
1917         JIT bug - fails when inspector closed, works when open
1918         https://bugs.webkit.org/show_bug.cgi?id=145243
1919
1920         Reviewed by Oliver Hunt.
1921
1922         We need to provide the Arguments object as the base when creating the HeapLocation for
1923         GetFromArguments and PutToArguments.  Otherwise we end up creating a HeapLocation for
1924         any arguments object, not the one we need.
1925
1926         * dfg/DFGClobberize.h:
1927         (JSC::DFG::clobberize):
1928
1929 2015-06-13  Joseph Pecoraro  <pecoraro@apple.com>
1930
1931         Web Inspector: console.table() with a list of objects no longer works
1932         https://bugs.webkit.org/show_bug.cgi?id=145952
1933
1934         Reviewed by Timothy Hatcher.
1935
1936         * inspector/InjectedScriptSource.js:
1937         (InjectedScript.RemoteObject.prototype._generatePreview):
1938         Calling generatePreview again was actually starting with a preview
1939         of the current object instead of the sub-value. Go down the other
1940         path that correctly generates sub-previews. Leave filtering on the
1941         backend unimplemented, which we were already ignoring.
1942
1943 2015-06-13  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1944
1945         [Streams API] ReadableJSStream should handle promises returned by JS source start callback
1946         https://bugs.webkit.org/show_bug.cgi?id=145792
1947
1948         Reviewed by Darin Adler.
1949
1950         Added support for JSFunction implemented by std::function.
1951
1952         * runtime/JSFunction.cpp:
1953         (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create
1954         (JSC::JSFunction::create):
1955         (JSC::runStdFunction):
1956         * runtime/JSFunction.h: Added std::function based JSFunction::create prototype.
1957         * runtime/JSPromise.h:
1958
1959 2015-06-12  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
1960
1961         Purge PassRefPtr in JavaScriptCore - 2
1962         https://bugs.webkit.org/show_bug.cgi?id=145834
1963
1964         Reviewed by Darin Adler.
1965
1966         As a step to remove PassRefPtr, this patch cleans up PassRefPtr as much as possible
1967         in JavaScriptCore.
1968
1969         * API/JSClassRef.cpp:
1970         (OpaqueJSClass::create):
1971         * API/JSClassRef.h:
1972         * debugger/DebuggerCallFrame.cpp:
1973         (JSC::DebuggerCallFrame::callerFrame):
1974         * debugger/DebuggerCallFrame.h:
1975         * dfg/DFGJITCompiler.h:
1976         (JSC::DFG::JITCompiler::jitCode):
1977         * inspector/ScriptCallStackFactory.cpp:
1978         (Inspector::createScriptCallStack):
1979         (Inspector::createScriptCallStackForConsole):
1980         (Inspector::createScriptCallStackFromException):
1981         (Inspector::createScriptArguments):
1982         * inspector/ScriptCallStackFactory.h:
1983         * jit/ExecutableAllocator.cpp:
1984         (JSC::ExecutableAllocator::allocate):
1985         * jit/ExecutableAllocator.h:
1986         * jit/ExecutableAllocatorFixedVMPool.cpp:
1987         (JSC::ExecutableAllocator::allocate):
1988         * profiler/LegacyProfiler.cpp:
1989         (JSC::LegacyProfiler::stopProfiling):
1990         * profiler/LegacyProfiler.h:
1991         * runtime/DateInstanceCache.h:
1992         * runtime/Executable.cpp:
1993         (JSC::ScriptExecutable::newCodeBlockFor):
1994         * runtime/Executable.h:
1995         * runtime/GenericTypedArrayView.h:
1996         * runtime/GenericTypedArrayViewInlines.h:
1997         (JSC::GenericTypedArrayView<Adaptor>::create):
1998         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
1999
2000 2015-06-12  Darin Adler  <darin@apple.com>
2001
2002         Fix minor ES6 compliance issue in RegExp.prototype.toString and optimize performance a little
2003         https://bugs.webkit.org/show_bug.cgi?id=145935
2004
2005         Reviewed by Anders Carlsson.
2006
2007         Test: js/regexp-toString.html
2008
2009         * runtime/RegExpPrototype.cpp:
2010         (JSC::getFlags): Avoid memory allocation for the flags string by returning it in a character
2011         buffer instead of constructing a WTF::String for it.
2012         (JSC::regExpProtoFuncToString): Require only that the this value be an object; don't require
2013         that it is actually a regular expression object. This is covered in the ES6 specification.
2014         Also removed comment about the "/(?:)/" trick since that is now the responsibility of the
2015         getter for the "source" property. Updated to use getFlags so we do one less memory allocation.
2016         (JSC::regExpProtoGetterFlags): Changed to use getFlags instead of the old flagsString.
2017
2018 2015-06-12  Basile Clement  <basile_clement@apple.com>
2019
2020         DFG Object Allocation Sinking should not consider GetClosureVar as escapes
2021         https://bugs.webkit.org/show_bug.cgi?id=145904
2022
2023         Reviewed by Filip Pizlo.
2024
2025         The object allocation sinking phase is currently able to sink
2026         CreateActivation nodes, but will consider any GetClosureVar node as
2027         escaping.
2028
2029         This is not problematic in general as most of the GetClosureVar nodes
2030         we would have been able to sink over will have been eliminated by CSE
2031         anyway. Still, this is an oversight that we should fix since the
2032         machinery is already in place.
2033
2034         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2035         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2036         * dfg/DFGPromoteHeapAccess.h:
2037         (JSC::DFG::promoteHeapAccess):
2038
2039 2015-06-11  Mark Lam  <mark.lam@apple.com>
2040
2041         WebCore::reportException() needs to be able to accept a raw thrown value in addition to Exception objects.
2042         https://bugs.webkit.org/show_bug.cgi?id=145872
2043
2044         Reviewed by Michael Saboff.
2045
2046         In r185259, we changed exception handling code inside the VM to work with
2047         Exception objects instead of the thrown JSValue.  The handling code will get the
2048         exception stack trace from the Exception object.
2049
2050         However, there is some code that cannot be updated to pass the Exception object.
2051         Examples of this are the ObjC API functions.  Those functions are specified to
2052         return any thrown exception JSValue in a JSValueRef.  Since these APIs are
2053         public, we cannot arbitrarily change them to use the Exception object.
2054
2055         There is client code that calls these APIs and then passes the returned exception
2056         JSValue to WebCore::reportException() to be reported.  WebCore::reportException()
2057         previously relied on the VM::exceptionStackTrace() to provide a cache of the
2058         stack trace of the last thrown exception.  VM::exceptionStackTrace() no longer
2059         exists in the current code.
2060
2061         To restore this functionality, we will introduce VM::lastException() which
2062         caches the last thrown Exception object.  With this, if the exception passed to
2063         WebCore::reportException() to be reported isn't an Exception object (which has its
2064         own stack trace), reportException() can again use the cached exception stack trace
2065         which is available from VM::lastException().
2066
2067         * heap/Heap.cpp:
2068         (JSC::Heap::visitException):
2069         - visit VM::m_lastException on GCs.
2070
2071         * interpreter/CallFrame.h:
2072         (JSC::ExecState::lastException):
2073         (JSC::ExecState::clearLastException):
2074         - convenience functions to get and clear the last exception.
2075
2076         * runtime/Exception.cpp:
2077         (JSC::Exception::create):
2078         (JSC::Exception::finishCreation):
2079         - add support to create an Exception object without capturing the JS stack trace.
2080           This is needed for making an Exception object to wrap a thrown value that does
2081           not have a stack trace.
2082           Currently, this is only used by WebCore::reportException() when there is no
2083           Exception object and no last exception available to provide a stack trace.
2084
2085         * runtime/Exception.h:
2086         (JSC::Exception::cast): Deleted.  No longer needed.
2087
2088         * runtime/VM.h:
2089         (JSC::VM::clearLastException):
2090         (JSC::VM::setException):
2091         (JSC::VM::lastException):
2092         (JSC::VM::addressOfLastException):
2093         - Added support for VM::m_lastException.
2094           VM::m_lastException serves to cache the exception stack of the most recently
2095           thrown exception like VM::exceptionStackTrace() used to before r185259.
2096
2097         * runtime/VMEntryScope.cpp:
2098         (JSC::VMEntryScope::VMEntryScope):
2099         - Clear VM::m_lastException when we re-enter the VM.  Exceptions should have been
2100           handled before we re-enter the VM anyway.  So, this is a good place to release
2101           the cached last exception.
2102
2103           NOTE: this is also where the old code before r185259 clears the last exception
2104           stack trace.  So, we're just restoring the previous behavior here in terms of
2105           the lifecycle of the last exception stack.
2106
2107 2015-06-11  Andreas Kling  <akling@apple.com>
2108
2109         jsSubstring() should support creating substrings from substrings.
2110         <https://webkit.org/b/145427>
2111
2112         Reviewed by Geoffrey Garen.
2113
2114         Tweak jsSubstring() to support base strings that are themselves substrings.
2115         They will now share the same grandparent base. This avoids creating a new StringImpl.
2116
2117         * runtime/JSString.h:
2118         (JSC::jsSubstring): Don't force rope resolution here. Instead do that in finishCreation()
2119         if the base string is a non-substring rope. Note that resolveRope() is the very last thing
2120         called, since it may allocate and the JSRopeString needs to be ready for marking.
2121
2122         (JSC::JSString::isSubstring): Added a helper to find out if a JSString is
2123         a substring. This is just for internal use, so you don't have to cast to
2124         JSRopeString for the real substringness flag.
2125
2126 2015-06-11  Commit Queue  <commit-queue@webkit.org>
2127
2128         Unreviewed, rolling out r185465.
2129         https://bugs.webkit.org/show_bug.cgi?id=145893
2130
2131         "This patch is breaking 32bit mac build" (Requested by youenn
2132         on #webkit).
2133
2134         Reverted changeset:
2135
2136         "[Streams API] ReadableJSStream should handle promises
2137         returned by JS source start callback"
2138         https://bugs.webkit.org/show_bug.cgi?id=145792
2139         http://trac.webkit.org/changeset/185465
2140
2141 2015-06-11  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2142
2143         [Streams API] ReadableJSStream should handle promises returned by JS source start callback
2144         https://bugs.webkit.org/show_bug.cgi?id=145792
2145
2146         Reviewed by Darin Adler.
2147
2148         Added support for JSFunction implemented by std::function.
2149
2150         * runtime/JSFunction.cpp:
2151         (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create
2152         (JSC::JSFunction::create):
2153         (JSC::runStdFunction):
2154         * runtime/JSFunction.h: Added std::function based JSFunction::create prototype.
2155         * runtime/JSPromise.h:
2156
2157 2015-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2158
2159         ASSERTION FAILED: s.length() > 1 on LayoutTests/js/regexp-flags.html
2160         https://bugs.webkit.org/show_bug.cgi?id=145599
2161
2162         Unreviewed, simple follow up patch.
2163
2164         Use jsString instead of jsMakeNontrivialString
2165         since the flag string may be trivial (0 or 1 length).
2166
2167         * runtime/RegExpPrototype.cpp:
2168         (JSC::regExpProtoGetterFlags):
2169
2170 2015-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2171
2172         JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure
2173         https://bugs.webkit.org/show_bug.cgi?id=90678
2174
2175         Reviewed by Darin Adler.
2176
2177         After ES6, escaped reserved words in identifiers are prohibited.
2178         After parsing Identifier, we should perform `m_buffer16.shrink(0)`.
2179
2180         * parser/Lexer.cpp:
2181         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2182         * tests/mozilla/ecma_3/Unicode/uc-003.js:
2183         (test): Deleted.
2184         * tests/stress/reserved-word-with-escape.js: Added.
2185         (testSyntax):
2186         (testSyntaxError):
2187
2188 2015-06-10  Jordan Harband  <ljharb@gmail.com>
2189
2190         Implement RegExp.prototype.flags
2191         https://bugs.webkit.org/show_bug.cgi?id=145599
2192
2193         Reviewed by Geoffrey Garen.
2194         Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-get-regexp.prototype.flags
2195
2196         * runtime/CommonIdentifiers.h:
2197         * runtime/RegExpPrototype.cpp:
2198         (JSC::flagsString):
2199         (JSC::regExpProtoFuncToString):
2200         (JSC::regExpProtoGetterFlags):
2201         * tests/stress/static-getter-in-names.js:
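
As an added example, not code from WebKit, here is a plain JavaScript model of the ES6 behaviour the three RegExp entries above describe: the `flags` getter in spec order (g, i, m, u, y), `toString` requiring only an object rather than a real RegExp, and a flag string that may legitimately be empty or a single character. The function names are my own; the `(?:)` case relies on the host engine's native `source` getter.

```javascript
// Added example (not WebKit code): a self-contained model of the ES6
// RegExp.prototype.flags getter and RegExp.prototype.toString, written as
// plain functions taking the would-be `this` value explicitly.

// ES6 21.2.5.3 get RegExp.prototype.flags. The order is fixed: g i m u y.
// Each character is appended only if the matching boolean property is truthy,
// so the result can be "" or one character (the "trivial" string case).
function getFlags(thisValue) {
  if (Object(thisValue) !== thisValue) {
    throw new TypeError("RegExp.prototype.flags getter requires an object");
  }
  let result = "";
  if (thisValue.global) result += "g";
  if (thisValue.ignoreCase) result += "i";
  if (thisValue.multiline) result += "m";
  if (thisValue.unicode) result += "u";
  if (thisValue.sticky) result += "y";
  return result;
}

// ES6 21.2.5.14 RegExp.prototype.toString. It only requires an object; it
// does not check for an internal [[RegExpMatcher]], so a duck-typed object
// with `source` and `flags` properties is accepted. The empty-pattern
// "(?:)" spelling is not handled here: it comes from the `source` getter.
function regExpToString(thisValue) {
  if (Object(thisValue) !== thisValue) {
    throw new TypeError("RegExp.prototype.toString requires an object");
  }
  const source = String(thisValue.source);
  const flags = String(thisValue.flags);
  return "/" + source + "/" + flags;
}

// Cross-check against the host engine's own getter for a real RegExp.
function matchesNative(re) {
  return getFlags(re) === re.flags;
}

// Small helper so callers can check the TypeError paths as return values.
function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```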
2202
2203 2015-06-10  Filip Pizlo  <fpizlo@apple.com>
2204
2205         DFG ASSERTION FAILED: !iterate() on stress/singleton-scope-then-overwrite.js.ftl-eager
2206         https://bugs.webkit.org/show_bug.cgi?id=145853
2207
2208         Unreviewed, remove the assertion.
2209
2210         * dfg/DFGCSEPhase.cpp:
2211
2212 2015-06-10  Commit Queue  <commit-queue@webkit.org>
2213
2214         Unreviewed, rolling out r185414.
2215         https://bugs.webkit.org/show_bug.cgi?id=145844
2216
2217         broke debug and jsc tests (Requested by alexchristensen on
2218         #webkit).
2219
2220         Reverted changeset:
2221
2222         "JavaScript: Drop the “escaped reserved words as identifiers”
2223         compatibility measure"
2224         https://bugs.webkit.org/show_bug.cgi?id=90678
2225         http://trac.webkit.org/changeset/185414
2226
2227 2015-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2228
2229         JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure
2230         https://bugs.webkit.org/show_bug.cgi?id=90678
2231
2232         Reviewed by Darin Adler.
2233
2234         After ES6, escaped reserved words in identifiers are prohibited.
2235
2236         * parser/Lexer.cpp:
2237         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2238         * tests/stress/reserved-word-with-escape.js: Added.
2239         (testSyntax):
2240         (testSyntaxError):
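
As an added example, not WebKit's own test code, the following drives the host JavaScript parser through the rule the two entries above implement: a reserved word spelled with Unicode escapes is still a reserved word and cannot be used as an identifier, while positions that take an IdentifierName (object property keys) still accept it. The helper names are my own.

```javascript
// Added example (not WebKit code): exercises the ES6 rule that escaped
// reserved words are rejected as identifiers. Each case is a function
// returning true if the source parses, false if it raises a SyntaxError.

// Parse `src` as a function body using the host engine's own parser.
function parses(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in this example, not a parse result
  }
}

// "\u0069f" is the keyword `if` with its first letter written as an escape.
const ESCAPED_IF = "\\u0069f";

// Binding identifier position: prohibited under ES6 (was accepted before).
function escapedIfAsVariable() {
  return parses("var " + ESCAPED_IF + " = 1;");
}

// Plain keyword in the same position: prohibited, as it always was.
function unescapedIfAsVariable() {
  return parses("var if = 1;");
}

// Property key position takes an IdentifierName, so reserved words, escaped
// or not, are allowed there.
function escapedIfAsPropertyKey() {
  return parses("var o = { " + ESCAPED_IF + ": 1 }; return o.if;");
}

// An escape inside a non-reserved identifier (`abc` as \u0061bc) is fine,
// and it names the same binding as the unescaped spelling.
function escapedNonReservedAsVariable() {
  return parses("var \\u0061bc = 1; return abc;");
}

// Evaluate the property-key case to show the key really is `if`.
function escapedIfPropertyValue() {
  return new Function("var o = { " + ESCAPED_IF + ": 1 }; return o.if;")();
}
```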
2241
2242 2015-06-10  Andreas Kling  <akling@apple.com>
2243
2244         [JSC] InlineCallFrame::arguments should be sized-to-fit.
2245         <https://webkit.org/b/145782>
2246
2247         Reviewed by Darin Adler.
2248
2249         I spotted this Vector<ValueRecovery> looking a bit chubby in Instruments,
2250         with 354 kB of memory allocated on cnet.com.
2251
2252         Use resizeToFit() instead of resize() since we know the final size up front.
2253
2254         * dfg/DFGByteCodeParser.cpp:
2255         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2256
2257 2015-06-09  Chris Dumez  <cdumez@apple.com>
2258
2259         Allow one sync GC per gcTimer interval on critical memory pressure warning
2260         https://bugs.webkit.org/show_bug.cgi?id=145773
2261
2262         Reviewed by Geoffrey Garen.
2263
2264         On critical memory pressure warning, we were calling GCController::garbageCollectSoon(),
2265         which does not offer any guarantee on when the garbage collection will actually take
2266         place.
2267
2268         On critical memory pressure, we need to free up memory as soon as possible to avoid
2269         getting killed so this is an issue. Also, the fact that we clear the PageCache on
2270         critical memory pressure means a GC would likely be useful, even if the last
2271         collection did not free much memory.
2272
2273         This patch adds a new GCController::garbageCollectNowIfNotDoneRecently() API that allows
2274         one synchronous GC per gcTimer interval on critical memory pressure warning. This makes
2275         us more responsive to critical memory pressure and avoids doing synchronous GCs too
2276         often.
2277
2278         * heap/FullGCActivityCallback.cpp:
2279         (JSC::FullGCActivityCallback::doCollection):
2280         * heap/FullGCActivityCallback.h:
2281         (JSC::GCActivityCallback::createFullTimer):
2282         * heap/GCActivityCallback.h:
2283         * heap/Heap.cpp:
2284         (JSC::Heap::collectAllGarbageIfNotDoneRecently):
2285         * heap/Heap.h:
2286
2287         * heap/IncrementalSweeper.cpp:
2288         (JSC::IncrementalSweeper::doWork): Deleted.
2289         * heap/IncrementalSweeper.h:
2290
2291         Drop fullSweep() API as it no longer seems useful. garbageCollectNow()
2292         already does a sweep after the full collection.
2293
2294 2015-06-09  Andreas Kling  <akling@apple.com>
2295
2296         [JSC] CodeBlock::m_constantRegisters should be sized-to-fit.
2297         <https://webkit.org/b/145784>
2298
2299         Reviewed by Darin Adler.
2300
2301         Spotted this Vector looking chubby on cnet.com, with 1.23 MB of memory
2302         allocated below CodeBlock::setConstantRegisters().
2303
2304         Use resizeToFit() instead since we know the final size up front.
2305         Also removed some unused functions that operated on this constants vector
2306         and the corresponding one in UnlinkedCodeBlock.
2307
2308         * bytecode/CodeBlock.cpp:
2309         (JSC::CodeBlock::addOrFindConstant): Deleted.
2310         (JSC::CodeBlock::findConstant): Deleted.
2311         * bytecode/CodeBlock.h:
2312         (JSC::CodeBlock::setConstantRegisters):
2313         (JSC::CodeBlock::numberOfConstantRegisters): Deleted.
2314         * bytecode/UnlinkedCodeBlock.cpp:
2315         (JSC::UnlinkedCodeBlock::addOrFindConstant): Deleted.
2316         * bytecode/UnlinkedCodeBlock.h:
2317         (JSC::UnlinkedCodeBlock::numberOfConstantRegisters): Deleted.
2318         (JSC::UnlinkedCodeBlock::getConstant): Deleted.
2319
2320 2015-06-09  Andreas Kling  <akling@apple.com>
2321
2322         [JSC] Polymorphic{Get,Put}ByIdList::addAccess() should optimize for size, not speed.
2323         <https://webkit.org/b/145786>
2324
2325         Reviewed by Darin Adler.
2326
2327         These functions already contained comments saying they optimize for size over speed,
2328         but they were using Vector::resize() which adds the usual slack for faster append().
2329
2330         Switch them over to using Vector::resizeToFit() instead, which makes the Vector
2331         allocate a perfectly sized backing store.
2332
2333         Spotted 670 kB of the GetById ones, and 165 kB of PutById on cnet.com, so these
2334         Vectors are definitely worth shrink-wrapping.
2335
2336         * bytecode/PolymorphicGetByIdList.cpp:
2337         (JSC::PolymorphicGetByIdList::addAccess):
2338         * bytecode/PolymorphicPutByIdList.cpp:
2339         (JSC::PolymorphicPutByIdList::addAccess):
2340
2341 2015-06-09  Andreas Kling  <akling@apple.com>
2342
2343         [JSC] JSPropertyNameEnumerator's property name vector should be sized-to-fit.
2344         <https://webkit.org/b/145787>
2345
2346         Reviewed by Darin Adler.
2347
2348         Saw 108 kB worth of JSPropertyNameEnumerator backing store Vectors on cnet.com.
2349         Use Vector::resizeToFit() since we know the perfect size up front.
2350
2351         * runtime/JSPropertyNameEnumerator.cpp:
2352         (JSC::JSPropertyNameEnumerator::finishCreation):
2353
2354 2015-06-09  Andreas Kling  <akling@apple.com>
2355
2356         FunctionExecutable::isCompiling() is weird and wrong.
2357         <https://webkit.org/b/145689>
2358
2359         Reviewed by Geoffrey Garen.
2360
2361         Remove FunctionExecutable::isCompiling() and the clearCodeIfNotCompiling() style
2362         functions that called it before throwing away code.
2363
2364         isCompiling() would consider the executable to be "compiling" if it had a CodeBlock
2365         but no JITCode. In practice, every executable gets a JITCode at the same time as it
2366         gets a CodeBlock, by way of prepareForExecutionImpl().
2367
2368         * debugger/Debugger.cpp:
2369         * heap/Heap.cpp:
2370         (JSC::Heap::deleteAllCompiledCode):
2371         (JSC::Heap::deleteAllUnlinkedFunctionCode):
2372         * inspector/agents/InspectorRuntimeAgent.cpp:
2373         (Inspector::TypeRecompiler::visit):
2374         * runtime/Executable.cpp:
2375         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
2376         (JSC::FunctionExecutable::clearCodeIfNotCompiling): Deleted.
2377         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling): Deleted.
2378         * runtime/Executable.h:
2379         * runtime/VM.cpp:
2380         (JSC::StackPreservingRecompiler::visit):
2381
2382 2015-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2383
2384         Introduce getter definition into static hash tables and use it for getters in RegExp.prototype.
2385         https://bugs.webkit.org/show_bug.cgi?id=145705
2386
2387         Reviewed by Darin Adler.
2388
2389         In this patch, we introduce Accessor type into property tables.
2390         With Accessor type, create_hash_table creates a static getter property.
2391         This getter property is reified as the same to the static functions.
2392
2393         In the meantime, we only support getters because `putEntry` and `lookupPut`
2394         only work with null setter currently. However, in the spec, there's
2395         no need to add static setter properties. So we will add it if it becomes
2396         necessary in the future.
2397
2398         And at the same time, this patch fixes issue 145738. Before this patch,
2399         `putEntry` in `JSObject::deleteProperty` adds `undefined` property if
2400         `isValidOffset(...)` is false (deleted). As a result, deleting twice
2401         revives the property with `undefined` value.
2402
2403         If the static functions are reified and the entry is
2404         `BuiltinOrFunctionOrAccessor`, there's no need to execute `putEntry` with
2405         static hash table entry. They should be handled in the normal structure's
2406         lookup because they should already be reified. So we added a guard for this.
2407
2408         * CMakeLists.txt:
2409         * DerivedSources.make:
2410         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2411         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2412         * JavaScriptCore.xcodeproj/project.pbxproj:
2413         * create_hash_table:
2414         * runtime/JSObject.cpp:
2415         (JSC::getClassPropertyNames):
2416         (JSC::JSObject::put):
2417         (JSC::JSObject::deleteProperty):
2418         (JSC::JSObject::reifyStaticFunctionsForDelete):
2419         * runtime/Lookup.cpp:
2420         (JSC::reifyStaticAccessor):
2421         (JSC::setUpStaticFunctionSlot):
2422         * runtime/Lookup.h:
2423         (JSC::HashTableValue::propertyGetter):
2424         (JSC::HashTableValue::propertyPutter):
2425         (JSC::HashTableValue::accessorGetter):
2426         (JSC::HashTableValue::accessorSetter):
2427         (JSC::getStaticPropertySlot):
2428         (JSC::getStaticValueSlot):
2429         (JSC::putEntry):
2430         (JSC::reifyStaticProperties):
2431         * runtime/PropertySlot.h:
2432         * runtime/RegExpObject.cpp:
2433         (JSC::RegExpObject::getOwnPropertySlot):
2434         (JSC::regExpObjectGlobal): Deleted.
2435         (JSC::regExpObjectIgnoreCase): Deleted.
2436         (JSC::regExpObjectMultiline): Deleted.
2437         (JSC::appendLineTerminatorEscape<LChar>): Deleted.
2438         (JSC::appendLineTerminatorEscape<UChar>): Deleted.
2439         (JSC::regExpObjectSourceInternal): Deleted.
2440         (JSC::regExpObjectSource): Deleted.
2441         * runtime/RegExpPrototype.cpp:
2442         (JSC::RegExpPrototype::getOwnPropertySlot):
2443         (JSC::regExpProtoGetterGlobal):
2444         (JSC::regExpProtoGetterIgnoreCase):
2445         (JSC::regExpProtoGetterMultiline):
2446         (JSC::appendLineTerminatorEscape<LChar>):
2447         (JSC::appendLineTerminatorEscape<UChar>):
2448         (JSC::regExpProtoGetterSourceInternal):
2449         (JSC::regExpProtoGetterSource):
2450         * tests/stress/static-function-delete.js: Added.
2451         (shouldBe):
2452         * tests/stress/static-function-put.js: Added.
2453         (shouldBe):
2454         * tests/stress/static-getter-delete.js: Added.
2455         (shouldBe):
2456         (shouldThrow):
2457         * tests/stress/static-getter-descriptors.js: Added.
2458         (shouldBe):
2459         * tests/stress/static-getter-enumeration.js: Added.
2460         (shouldBe):
2461         * tests/stress/static-getter-get.js: Added.
2462         (shouldBe):
2463         * tests/stress/static-getter-in-names.js: Added.
2464         (shouldBe):
2465         * tests/stress/static-getter-names.js: Added.
2466         (shouldBe):
2467         * tests/stress/static-getter-put.js: Added.
2468         (shouldBe):
2469         (shouldThrow):
2470
2471 2015-06-09  Andreas Kling  <akling@apple.com>
2472
2473         [JSC] JSString::getIndex() should avoid reifying substrings.
2474         <https://webkit.org/b/145803>
2475
2476         Reviewed by Darin Adler.
2477
2478         Implement getIndex() using JSString::view(), which cuts it down to a one-liner
2479         and also avoids reifying substrings.
2480
2481         I saw 178 kB of reified substrings below operationGetByVal -> getIndex()
2482         on cnet.com, so this should help.
2483
2484         * runtime/JSString.cpp:
2485         (JSC::JSRopeString::getIndexSlowCase): Deleted.
2486         * runtime/JSString.h:
2487         (JSC::JSString::getIndex):
2488
2489 2015-06-09  Andreas Kling  <akling@apple.com>
2490
2491         [JSC] String.prototype.indexOf() should use StringView.
2492         <https://webkit.org/b/145351>
2493
2494         Reviewed by Darin Adler.
2495
2496         Use StringView::find() to implement String.prototype.indexOf().
2497         This avoids reifying the needle and haystack JSStrings in case they
2498         are substrings.
2499
2500         Reduces malloc memory by ~190 kB on cnet.com.
2501
2502         * runtime/StringPrototype.cpp:
2503         (JSC::stringProtoFuncIndexOf):
2504
2505 2015-06-09  Csaba Osztrogonác  <ossy@webkit.org>
2506
2507         [cmake] Fix the style issues in cmake project files
2508         https://bugs.webkit.org/show_bug.cgi?id=145755
2509
2510         Reviewed by Darin Adler.
2511
2512         * CMakeLists.txt:
2513
2514 2015-06-08  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2515
2516         Purge PassRefPtr in JavaScriptCore
2517         https://bugs.webkit.org/show_bug.cgi?id=145750
2518
2519         As a step to purge PassRefPtr, this patch replaces PassRefPtr with Ref or RefPtr.
2520
2521         Reviewed by Darin Adler.
2522
2523         * API/JSClassRef.cpp:
2524         (OpaqueJSClass::createNoAutomaticPrototype):
2525         * API/JSClassRef.h:
2526         * API/JSContextRef.cpp:
2527         * API/JSScriptRef.cpp:
2528         (OpaqueJSScript::create):
2529         * API/JSStringRef.cpp:
2530         (JSStringCreateWithCharacters):
2531         (JSStringCreateWithUTF8CString):
2532         * API/OpaqueJSString.cpp:
2533         (OpaqueJSString::create):
2534         * API/OpaqueJSString.h:
2535         (OpaqueJSString::create):
2536         * bytecompiler/StaticPropertyAnalysis.h:
2537         (JSC::StaticPropertyAnalysis::create):
2538         * debugger/DebuggerCallFrame.h:
2539         (JSC::DebuggerCallFrame::create):
2540         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2541         (JSC::DFG::ToFTLDeferredCompilationCallback::create):
2542         * dfg/DFGToFTLDeferredCompilationCallback.h:
2543         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2544         (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
2545         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create): Deleted.
2546         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
2547         * dfg/DFGWorklist.cpp:
2548         (JSC::DFG::Worklist::create):
2549         (JSC::DFG::ensureGlobalDFGWorklist):
2550         (JSC::DFG::ensureGlobalFTLWorklist):
2551         * dfg/DFGWorklist.h:
2552         * heap/EdenGCActivityCallback.h:
2553         (JSC::GCActivityCallback::createEdenTimer):
2554         * heap/FullGCActivityCallback.h:
2555         (JSC::GCActivityCallback::createFullTimer):
2556         * heap/GCActivityCallback.h:
2557         * inspector/InjectedScriptHost.h:
2558         * inspector/JavaScriptCallFrame.h:
2559         (Inspector::JavaScriptCallFrame::create):
2560         * inspector/ScriptArguments.cpp:
2561         (Inspector::ScriptArguments::create):
2562         * inspector/ScriptArguments.h:
2563         * jit/JITStubRoutine.h:
2564         (JSC::JITStubRoutine::createSelfManagedRoutine):
2565         * jit/JITToDFGDeferredCompilationCallback.cpp:
2566         (JSC::JITToDFGDeferredCompilationCallback::create):
2567         * jit/JITToDFGDeferredCompilationCallback.h:
2568         * jsc.cpp:
2569         (jscmain):
2570         * parser/NodeConstructors.h:
2571         (JSC::ArrayPatternNode::create):
2572         (JSC::ObjectPatternNode::create):
2573         (JSC::BindingNode::create):
2574         * parser/Nodes.cpp:
2575         (JSC::FunctionParameters::create):
2576         * parser/Nodes.h:
2577         * parser/SourceProvider.h:
2578         (JSC::StringSourceProvider::create):
2579         * profiler/Profile.cpp:
2580         (JSC::Profile::create):
2581         * profiler/Profile.h:
2582         * profiler/ProfileGenerator.cpp:
2583         (JSC::ProfileGenerator::create):
2584         * profiler/ProfileGenerator.h:
2585         * profiler/ProfileNode.h:
2586         (JSC::ProfileNode::create):
2587         * runtime/DataView.cpp:
2588         (JSC::DataView::create):
2589         * runtime/DataView.h:
2590         * runtime/DateInstanceCache.h:
2591         (JSC::DateInstanceData::create):
2592         * runtime/JSPromiseReaction.cpp:
2593         (JSC::createExecutePromiseReactionMicrotask):
2594         * runtime/JSPromiseReaction.h:
2595         * runtime/PropertyNameArray.h:
2596         (JSC::PropertyNameArrayData::create):
2597         * runtime/TypeSet.h:
2598         (JSC::StructureShape::create):
2599         (JSC::TypeSet::create):
2600         * runtime/TypedArrayBase.h:
2601         (JSC::TypedArrayBase::create):
2602         (JSC::TypedArrayBase::createUninitialized):
2603         (JSC::TypedArrayBase::subarrayImpl):
2604         * runtime/VM.cpp:
2605         (JSC::VM::createContextGroup):
2606         (JSC::VM::create):
2607         (JSC::VM::createLeaked):
2608         * runtime/VM.h:
2609         * yarr/RegularExpression.cpp:
2610         (JSC::Yarr::RegularExpression::Private::create):
2611
2612 2015-06-08  Filip Pizlo  <fpizlo@apple.com>
2613
2614         It should be possible to hoist all constants in DFG SSA
2615         https://bugs.webkit.org/show_bug.cgi?id=145769
2616
2617         Reviewed by Geoffrey Garen.
2618         
2619         It's sometimes somewhat more efficient, and convenient, to have all constants at the
2620         top of the root block. We don't require this as an IR invariant because too many phases
2621         want to be able to insert constants in weird places. But, this phase will be great for
2622         preparing for https://bugs.webkit.org/show_bug.cgi?id=145768.
2623
2624         * CMakeLists.txt:
2625         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2626         * JavaScriptCore.xcodeproj/project.pbxproj:
2627         * dfg/DFGConstantHoistingPhase.cpp: Added.
2628         (JSC::DFG::performConstantHoisting):
2629         * dfg/DFGConstantHoistingPhase.h: Added.
2630         * dfg/DFGPlan.cpp:
2631         (JSC::DFG::Plan::compileInThreadImpl):
2632
2633 2015-06-07  Filip Pizlo  <fpizlo@apple.com>
2634
2635         The tiny set magic in StructureSet should be available in WTF
2636         https://bugs.webkit.org/show_bug.cgi?id=145722
2637
2638         Reviewed by Geoffrey Garen.
2639         
2640         I took the generic logic of small sets of pointers and moved it into WTF. Now,
2641         StructureSet is a subclass of TinyPtrSet<Structure*>. There shouldn't be any functional
2642         change.
2643
2644         * bytecode/StructureSet.cpp:
2645         (JSC::StructureSet::filter):
2646         (JSC::StructureSet::filterArrayModes):
2647         (JSC::StructureSet::speculationFromStructures):
2648         (JSC::StructureSet::arrayModesFromStructures):
2649         (JSC::StructureSet::dumpInContext):
2650         (JSC::StructureSet::dump):
2651         (JSC::StructureSet::clear): Deleted.
2652         (JSC::StructureSet::add): Deleted.
2653         (JSC::StructureSet::remove): Deleted.
2654         (JSC::StructureSet::contains): Deleted.
2655         (JSC::StructureSet::merge): Deleted.
2656         (JSC::StructureSet::exclude): Deleted.
2657         (JSC::StructureSet::isSubsetOf): Deleted.
2658         (JSC::StructureSet::overlaps): Deleted.
2659         (JSC::StructureSet::operator==): Deleted.
2660         (JSC::StructureSet::addOutOfLine): Deleted.
2661         (JSC::StructureSet::containsOutOfLine): Deleted.
2662         (JSC::StructureSet::copyFromOutOfLine): Deleted.
2663         (JSC::StructureSet::OutOfLineList::create): Deleted.
2664         (JSC::StructureSet::OutOfLineList::destroy): Deleted.
2665         * bytecode/StructureSet.h:
2666         (JSC::StructureSet::onlyStructure):
2667         (JSC::StructureSet::StructureSet): Deleted.
2668         (JSC::StructureSet::operator=): Deleted.
2669         (JSC::StructureSet::~StructureSet): Deleted.
2670         (JSC::StructureSet::isEmpty): Deleted.
2671         (JSC::StructureSet::genericFilter): Deleted.
2672         (JSC::StructureSet::isSupersetOf): Deleted.
2673         (JSC::StructureSet::size): Deleted.
2674         (JSC::StructureSet::at): Deleted.
2675         (JSC::StructureSet::operator[]): Deleted.
2676         (JSC::StructureSet::last): Deleted.
2677         (JSC::StructureSet::iterator::iterator): Deleted.
2678         (JSC::StructureSet::iterator::operator*): Deleted.
2679         (JSC::StructureSet::iterator::operator++): Deleted.
2680         (JSC::StructureSet::iterator::operator==): Deleted.
2681         (JSC::StructureSet::iterator::operator!=): Deleted.
2682         (JSC::StructureSet::begin): Deleted.
2683         (JSC::StructureSet::end): Deleted.
2684         (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine): Deleted.
2685         (JSC::StructureSet::ContainsOutOfLine::operator()): Deleted.
2686         (JSC::StructureSet::copyFrom): Deleted.
2687         (JSC::StructureSet::OutOfLineList::list): Deleted.
2688         (JSC::StructureSet::OutOfLineList::OutOfLineList): Deleted.
2689         (JSC::StructureSet::deleteStructureListIfNecessary): Deleted.
2690         (JSC::StructureSet::isThin): Deleted.
2691         (JSC::StructureSet::pointer): Deleted.
2692         (JSC::StructureSet::singleStructure): Deleted.
2693         (JSC::StructureSet::structureList): Deleted.
2694         (JSC::StructureSet::set): Deleted.
2695         (JSC::StructureSet::setEmpty): Deleted.
2696         (JSC::StructureSet::getReservedFlag): Deleted.
2697         (JSC::StructureSet::setReservedFlag): Deleted.
2698         * dfg/DFGStructureAbstractValue.cpp:
2699         (JSC::DFG::StructureAbstractValue::clobber):
2700         (JSC::DFG::StructureAbstractValue::filter):
2701         (JSC::DFG::StructureAbstractValue::filterSlow):
2702         (JSC::DFG::StructureAbstractValue::contains):
2703         * dfg/DFGStructureAbstractValue.h:
2704         (JSC::DFG::StructureAbstractValue::makeTop):
2705
2706 2015-06-08  Csaba Osztrogonác  <ossy@webkit.org>
2707
2708         [ARM] Add the missing setupArgumentsWithExecState functions after r185240
2709         https://bugs.webkit.org/show_bug.cgi?id=145754
2710
2711         Reviewed by Benjamin Poulain.
2712
2713         * jit/CCallHelpers.h:
2714         (JSC::CCallHelpers::setupArgumentsWithExecState):
2715
2716 2015-06-08  Brady Eidson  <beidson@apple.com>
2717
2718         Completely remove all IDB properties/constructors when it is disabled at runtime.
2719         rdar://problem/18429374 and https://bugs.webkit.org/show_bug.cgi?id=137034
2720
2721         Reviewed by Geoffrey Garen.
2722
2723         * runtime/CommonIdentifiers.h:
2724
2725 2015-06-06  Mark Lam  <mark.lam@apple.com>
2726
2727         Returned Exception* values need to be initialized to nullptr when no exceptions are thrown.
2728         https://bugs.webkit.org/show_bug.cgi?id=145720
2729
2730         Reviewed by Dan Bernstein.
2731
2732         * debugger/DebuggerCallFrame.cpp:
2733         (JSC::DebuggerCallFrame::evaluate):
2734
2735 2015-06-05  Mark Lam  <mark.lam@apple.com>
2736
2737         Subclasses of JSNonFinalObject with gc'able children need to implement visitChildren().
2738         https://bugs.webkit.org/show_bug.cgi?id=145709
2739
2740         Reviewed by Geoffrey Garen.
2741
2742         * jsc.cpp:
2743         (functionSetElementRoot):
2744         - The Element class has a member of type Root which extends JSDestructibleObject.
2745           It should be stored in a WriteBarrier, and visited by visitChildren().  
2746
2747         * runtime/ClonedArguments.cpp:
2748         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2749         (JSC::ClonedArguments::visitChildren):
2750         * runtime/ClonedArguments.h:
2751         - Add missing visitChildren().
2752
2753         * tests/stress/cloned-arguments-should-visit-callee-during-gc.js: Added.
2754         (makeTransientFunction.transientFunc):
2755         (makeTransientFunction):
2756
2757 2015-06-05  Geoffrey Garen  <ggaren@apple.com>
2758
2759         DropAllLocks RELEASE_ASSERT on iOS
2760         https://bugs.webkit.org/show_bug.cgi?id=139654
2761
2762         Reviewed by Mark Lam.
2763
2764         * runtime/JSLock.cpp:
2765         (JSC::JSLock::dropAllLocks): Removed a comment because it duplicated
2766         the code beneath it. Removed a FIXME because we can't ASSERT that
2767         we're holding the lock. WebKit1 on iOS drops the lock before calling to
2768         delegates, not knowing whether it holds the lock or not.
2769
2770         (JSC::JSLock::DropAllLocks::DropAllLocks): Only ASSERT that we are not
2771         GC'ing if we hold the lock. If we do not hold the lock, it is perfectly
2772         valid for some other thread, which does hold the lock, to be GC'ing.
2773         What is not valid is to drop the lock in the middle of GC, since GC
2774         must be atomic.
2775
2776 2015-06-05  Filip Pizlo  <fpizlo@apple.com>
2777
2778         speculateRealNumber() should early exit if you're already a real number, not if you're already a real double.
2779
2780         Rubber stamped by Mark Lam.
2781         
2782         This was causing: https://build.webkit.org/results/Apple%20Yosemite%20Debug%20WK1%20(Tests)/r185261%20(5180)/webaudio/note-grain-on-timing-crash-log.txt
2783
2784         * dfg/DFGSpeculativeJIT.cpp:
2785         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
2786
2787 2015-06-05  Mark Lam  <mark.lam@apple.com>
2788
2789         finally blocks should not set the exception stack trace when re-throwing the exception.
2790         https://bugs.webkit.org/show_bug.cgi?id=145525
2791
2792         Reviewed by Geoffrey Garen.
2793
2794         How exceptions presently work:
2795         =============================
2796         1. op_throw can throw any JSValue.
2797         2. the VM tries to capture the stack at the throw point and propagate that as needed.
2798         3. finally blocks are implemented using op_catch to catch the thrown value, and throws it again using op_throw.
2799
2800         What's wrong with how it presently works:
2801         ========================================
2802         1. finallys make for bad exception throw line numbers in the Inspector console.
2803
2804            The op_throw in finally will throw the value anew i.e. it captures a stack from the re-throw point.
2805            As a result, the Inspector sees the finally block as the throw point.  The original stack is lost.
2806
2807         2. finallys break the Inspector's "Breaks on Uncaught Exception"
2808
2809            This is because finally blocks are indistinguishable from catch blocks.  As a result, a try-finally,
2810            which should break in the Inspector on the throw, does not because the Inspector thought the
2811            exception was "caught".
2812
2813         3. finallys yield confusing breakpoints when the Inspector "Breaks on All Exceptions"
2814
2815            a. In a try-finally scenario, the Inspector breaks 2 times: 1 at the throw, 1 at the finally.
2816            b. In a for-of loop (which has synthesized finallys), the Inspector will do another break.
2817               Similarly for other cases of JS code which synthesize finallys.
2818            c. At VM re-entry boundaries (e.g. js throws & returns to native code, which returns to js),
2819               the Inspector will do another break if there's an uncaught exception.
2820
2821         How this patch fixes the issues:
2822         ===============================
2823         1. We introduce an Exception object that wraps the thrown value and the exception stack.
2824
2825            When throwing an exception, the VM will check if the thrown value is an Exception
2826            object or not.  If it is not an Exception object, then we must be throwing a new
2827            exception.  The VM will create an Exception object to wrap the thrown value and
2828            capture the current stack for it.
2829
2830            If the thrown value is already an Exception object, then the requested throw operation
2831            must be a re-throw.  The VM will not capture a new stack for it.
2832
2833         2. op_catch will now populate 2 locals: 1 for the Exception, 1 for the thrown JSValue.
2834
2835            The VM is aware of the Exception object and uses it for rethrows in finally blocks.
2836            JS source code is never aware of the Exception object.
2837
2838            JS code is aware of the thrown value.  If it throws the caught thrown value, that
2839            constitutes a new throw, and a new Exception object will be created for it.
2840
2841         3. The VM no longer tracks the thrown JSValue and the exception stack.  It will only
2842            track a m_exception field which is an Exception*.
2843
2844         4. The BytecodeGenerator has already been updated in a prior patch to distinguish
2845            between Catch, Finally, and SynthesizedFinally blocks.  The interpreter runtime will
2846            now report to the debugger whether we have a Catch handler, not just any handlers.
2847
2848            The debugger will use this detail to determine whether to break or not.  "Break on
2849            uncaught exceptions" will only break if no Catch handler was found.
2850
2851            This solves the issue of the debugger breaking at finally blocks, and for-of statements.
2852
2853         5. The Exception object will also have a flag to indicate whether the debugger has been
2854            notified of the Exception being thrown.  Once the Interpreter notifies the debugger
2855            of the Exception object, it will mark this flag and not notify the debugger
2856            again of the same Exception.
2857
2858            This solves the issue of the debugger breaking at VM re-entry points due to uncaught
2859            exceptions.
2860
2861         6. The life-cycle of the captured exception stack trace will now follow the life-cycle
2862            of the Exception object.
2863
2864         Other changes:
2865         7. Change all clients of the VM::exception() to expect an Exception* instead of JSValue.
2866
2867         8. Fixed a few bugs where thrown exceptions are not cleared before exiting the VM.
2868
2869         9. Also renamed some variables and classes to better describe what they are.
2870
2871         * API/JSBase.cpp:
2872         (JSEvaluateScript):
2873         (JSCheckScriptSyntax):
2874
2875         * API/JSObjectRef.cpp:
2876         (handleExceptionIfNeeded):
2877         - The functions below all do the same exception check.  Added this helper
2878           to simplify the code.
2879         (JSClassCreate):
2880         (JSObjectMakeFunction):
2881         (JSObjectMakeArray):
2882         (JSObjectMakeDate):
2883         (JSObjectMakeError):
2884         (JSObjectMakeRegExp):
2885         (JSObjectGetProperty):
2886         (JSObjectSetProperty):
2887         (JSObjectGetPropertyAtIndex):
2888         (JSObjectSetPropertyAtIndex):
2889         (JSObjectDeleteProperty):
2890         (JSObjectCallAsFunction):
2891         (JSObjectCallAsConstructor):
2892
2893         * API/JSScriptRef.cpp:
2894         * API/JSValue.mm:
2895         (JSContainerConvertor::take):
2896         (reportExceptionToInspector):
2897
2898         * API/JSValueRef.cpp:
2899         (handleExceptionIfNeeded):
2900         - The functions below all do the same exception check.  Added this helper
2901           to simplify the code.
2902         (evernoteHackNeeded):
2903         (JSValueIsEqual):
2904         (JSValueIsInstanceOfConstructor):
2905         (JSValueCreateJSONString):
2906         (JSValueToNumber):
2907         (JSValueToStringCopy):
2908         (JSValueToObject):
2909
2910         * CMakeLists.txt:
2911         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2912         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2913         * JavaScriptCore.xcodeproj/project.pbxproj:
2914         - Added new files Exception.h and Exception.cpp.
2915
2916         * bindings/ScriptFunctionCall.cpp:
2917         (Deprecated::ScriptFunctionCall::call):
2918         * bindings/ScriptFunctionCall.h:
2919
2920         * bytecode/BytecodeList.json:
2921         - op_catch now has 2 operands: the exception register, and the thrown value register.
2922
2923         * bytecode/BytecodeUseDef.h:
2924         (JSC::computeDefsForBytecodeOffset):
2925         * bytecode/CodeBlock.cpp:
2926         (JSC::CodeBlock::dumpBytecode):
2927         (JSC::CodeBlock::handlerForBytecodeOffset):
2928         * bytecode/CodeBlock.h:
2929         - handlerForBytecodeOffset() can now look for Catch handlers only.
2930
2931         * bytecode/HandlerInfo.h:
2932         - Cleaned up some white space I accidentally added in a previous patch.
2933
2934         * bytecompiler/BytecodeGenerator.cpp:
2935         (JSC::BytecodeGenerator::pushTry):
2936         (JSC::BytecodeGenerator::popTryAndEmitCatch):
2937         (JSC::BytecodeGenerator::emitThrowReferenceError):
2938         (JSC::BytecodeGenerator::emitEnumeration):
2939         * bytecompiler/BytecodeGenerator.h:
2940         (JSC::BytecodeGenerator::emitThrow):
2941         * bytecompiler/NodesCodegen.cpp:
2942         (JSC::TryNode::emitBytecode):
2943         - Adding support for op_catch's 2 operands.
2944
2945         * debugger/Debugger.cpp:
2946         (JSC::Debugger::hasBreakpoint):
2947         (JSC::Debugger::pauseIfNeeded):
2948         (JSC::Debugger::exception):
2949         * debugger/Debugger.h:
2950         * debugger/DebuggerCallFrame.cpp:
2951         (JSC::DebuggerCallFrame::thisValue):
2952         (JSC::DebuggerCallFrame::evaluate):
2953         * debugger/DebuggerCallFrame.h:
2954         (JSC::DebuggerCallFrame::isValid):
2955         * inspector/InjectedScriptManager.cpp:
2956         (Inspector::InjectedScriptManager::createInjectedScript):
2957         * inspector/InspectorEnvironment.h:
2958         * inspector/JSGlobalObjectInspectorController.cpp:
2959         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2960         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2961         * inspector/JSGlobalObjectInspectorController.h:
2962         * inspector/JSGlobalObjectScriptDebugServer.h:
2963         * inspector/JSJavaScriptCallFrame.cpp:
2964         (Inspector::JSJavaScriptCallFrame::evaluate):
2965         * inspector/JavaScriptCallFrame.h:
2966         (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
2967         (Inspector::JavaScriptCallFrame::thisValue):
2968         (Inspector::JavaScriptCallFrame::evaluate):
2969         * inspector/ScriptCallStackFactory.cpp:
2970         (Inspector::extractSourceInformationFromException):
2971         (Inspector::createScriptCallStackFromException):
2972         * inspector/ScriptCallStackFactory.h:
2973         * inspector/ScriptDebugServer.cpp:
2974         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
2975         (Inspector::ScriptDebugServer::handleBreakpointHit):
2976         (Inspector::ScriptDebugServer::handleExceptionInBreakpointCondition):
2977         * inspector/ScriptDebugServer.h:
2978         * interpreter/CallFrame.h:
2979         (JSC::ExecState::clearException):
2980         (JSC::ExecState::exception):
2981         (JSC::ExecState::hadException):
2982         (JSC::ExecState::atomicStringTable):
2983         (JSC::ExecState::propertyNames):
2984         (JSC::ExecState::clearSupplementaryExceptionInfo): Deleted.
2985
2986         * interpreter/Interpreter.cpp:
2987         (JSC::unwindCallFrame):
2988         (JSC::Interpreter::stackTraceAsString):
2989         (JSC::GetCatchHandlerFunctor::GetCatchHandlerFunctor):
2990         (JSC::GetCatchHandlerFunctor::operator()):
2991         (JSC::Interpreter::unwind):
2992         - Added a check for didNotifyInspectorOfThrow() here to prevent duplicate reports
2993           of the same Exception to the debugger.
2994
2995         (JSC::GetExceptionHandlerFunctor::GetExceptionHandlerFunctor): Deleted.
2996         (JSC::GetExceptionHandlerFunctor::operator()): Deleted.
2997         - Renamed GetExceptionHandlerFunctor to GetCatchHandlerFunctor since the debugger
2998           is only interested in knowing whether we have Catch handlers.
2999
3000         * interpreter/Interpreter.h:
3001         (JSC::SuspendExceptionScope::SuspendExceptionScope):
3002         (JSC::SuspendExceptionScope::~SuspendExceptionScope):
3003         (JSC::Interpreter::sampler):
3004         (JSC::ClearExceptionScope::ClearExceptionScope): Deleted.
3005         (JSC::ClearExceptionScope::~ClearExceptionScope): Deleted.
3006         - Renamed ClearExceptionScope to SuspendExceptionScope because "clear" implies that
3007           we're purging the exception.  Instead, we're merely suspending any handling of
3008           that exception for a period defined by the scope.
3009
3010         * jit/AssemblyHelpers.cpp:
3011         (JSC::AssemblyHelpers::emitExceptionCheck):
3012
3013         * jit/JITExceptions.cpp:
3014         (JSC::genericUnwind):
3015         - Removed the exception argument.  It is always the value in VM::exception() anyway.
3016           genericUnwind() can just get it from the VM, and save everyone some work.
3017
3018         * jit/JITExceptions.h:
3019         * jit/JITOpcodes.cpp:
3020         (JSC::JIT::emit_op_catch):
3021         * jit/JITOpcodes32_64.cpp:
3022         (JSC::JIT::privateCompileCTINativeCall):
3023         (JSC::JIT::emit_op_catch):
3024         - Add support for the new op_catch operands.
3025
3026         * jit/JITOperations.cpp:
3027         * jit/ThunkGenerators.cpp:
3028         (JSC::nativeForGenerator):
3029         * jsc.cpp:
3030         (functionRun):
3031         (functionLoad):
3032         (runWithScripts):
3033         (runInteractive):
3034         * llint/LLIntOffsetsExtractor.cpp:
3035         * llint/LLIntSlowPaths.cpp:
3036         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3037
3038         * llint/LowLevelInterpreter32_64.asm:
3039         * llint/LowLevelInterpreter64.asm:
3040         - Add support for the new op_catch operands.  Also update the code to handle
3041           VM::m_exception being an Exception pointer, not a JSValue.
3042
3043         * parser/NodeConstructors.h:
3044         (JSC::TryNode::TryNode):
3045         * parser/Nodes.h:
3046         * runtime/CallData.cpp:
3047         (JSC::call):
3048         * runtime/CallData.h:
3049
3050         * runtime/Completion.cpp:
3051         (JSC::evaluate):
3052         * runtime/Completion.h:
3053         (JSC::evaluate):
3054         - Change evaluate() to take a reference to the returned exception value instead
3055           of a pointer.  In all but 2 or 3 cases, we want the returned exception anyway.
3056           Might as well simplify the code by requiring the reference.
3057
3058         * runtime/Error.h:
3059         (JSC::throwVMError):
3060         (JSC::throwVMTypeError):
3061
3062         * runtime/Exception.cpp: Added.
3063         (JSC::Exception::create):
3064         (JSC::Exception::destroy):
3065         (JSC::Exception::createStructure):
3066         (JSC::Exception::visitChildren):
3067         (JSC::Exception::Exception):
3068         (JSC::Exception::~Exception):
3069         * runtime/Exception.h: Added.
3070         (JSC::Exception::valueOffset):
3071         (JSC::Exception::cast):
3072         (JSC::Exception::value):
3073         (JSC::Exception::stack):
3074         (JSC::Exception::didNotifyInspectorOfThrow):
3075         (JSC::Exception::setDidNotifyInspectorOfThrow):
3076
3077         * runtime/ExceptionHelpers.cpp:
3078         (JSC::createTerminatedExecutionException):
3079         (JSC::isTerminatedExecutionException):
3080         (JSC::createStackOverflowError):
3081         * runtime/ExceptionHelpers.h:
3082         * runtime/GetterSetter.cpp:
3083         (JSC::callGetter):
3084         * runtime/IteratorOperations.cpp:
3085         (JSC::iteratorClose):
3086         * runtime/JSObject.cpp:
3087         * runtime/JSPromiseConstructor.cpp:
3088         (JSC::constructPromise):
3089         * runtime/JSPromiseDeferred.cpp:
3090         (JSC::updateDeferredFromPotentialThenable):
3091         (JSC::abruptRejection):
3092         * runtime/JSPromiseReaction.cpp:
3093         (JSC::ExecutePromiseReactionMicrotask::run):
3094
3095         * runtime/VM.cpp:
3096         (JSC::VM::VM):
3097         (JSC::VM::releaseExecutableMemory):
3098         (JSC::VM::throwException):
3099         (JSC::VM::setStackPointerAtVMEntry):
3100         (JSC::VM::getExceptionInfo): Deleted.
3101         (JSC::VM::setExceptionInfo): Deleted.
3102         (JSC::VM::clearException): Deleted.
3103         (JSC::clearExceptionStack): Deleted.
3104         * runtime/VM.h:
3105         (JSC::VM::targetMachinePCForThrowOffset):
3106         (JSC::VM::clearException):
3107         (JSC::VM::setException):
3108         (JSC::VM::exception):
3109         (JSC::VM::addressOfException):
3110         (JSC::VM::exceptionStack): Deleted.
3111         * runtime/VMEntryScope.cpp:
3112         (JSC::VMEntryScope::VMEntryScope):
3113         (JSC::VMEntryScope::setEntryScopeDidPopListener):
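
The mechanism in points 1, 2 and 5 of this entry, as an added C++ model that is not JavaScriptCore code: the names Exception, m_exception, didNotifyInspectorOfThrow and op_catch follow the entry, but the VM struct, throwValue, rethrow, opCatch and the two scenario functions are assumptions made for this example. It shows why a finally block's re-throw keeps the original throw site (the frame an investigator sees in the Inspector) and why the debugger breaks once for a try-finally but twice when a catch block re-throws the caught value.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-ins for JSC types; the bodies are assumptions of this model.
struct JSValue { std::string repr; };

struct Exception {
    JSValue value;                          // the thrown JS value
    std::vector<std::string> stack;         // captured once, at the original throw
    bool didNotifyInspectorOfThrow = false; // set after the first debugger report
};

struct VM {
    std::vector<std::string> callStack;     // constructed current JS call stack
    std::shared_ptr<Exception> m_exception; // the only exception state the VM keeps
    int debuggerBreaks = 0;                 // how often "break on exception" fired

    // Debugger::exception(): break at most once per Exception object.
    void notifyDebugger(Exception& e) {
        if (e.didNotifyInspectorOfThrow) return;
        e.didNotifyInspectorOfThrow = true;
        ++debuggerBreaks;
    }

    // Throwing a plain JS value is a new throw: wrap it and capture the stack.
    std::shared_ptr<Exception> throwValue(const JSValue& v) {
        auto e = std::make_shared<Exception>();
        e->value = v;
        e->stack = callStack;
        m_exception = e;
        notifyDebugger(*e);
        return e;
    }

    // Throwing an Exception again (finally's op_throw): no new stack is
    // captured and the debugger is not told a second time.
    std::shared_ptr<Exception> rethrow(std::shared_ptr<Exception> e) {
        m_exception = e;
        notifyDebugger(*e); // no-op, flag already set
        return e;
    }

    // op_catch: populate both locals (Exception and thrown value), clear the VM.
    std::pair<std::shared_ptr<Exception>, JSValue> opCatch() {
        auto e = m_exception;
        m_exception.reset();
        return { e, e->value };
    }
};

struct Trace { size_t stackDepth; std::string topFrame; int debuggerBreaks; bool sameException; };

// try { inner() throws } finally { re-throw }: the Exception survives unchanged.
Trace tryFinallyRethrow() {
    VM vm;
    vm.callStack = { "outer", "inner" };      // inner is the throw site
    auto thrown = vm.throwValue({ "TypeError" });
    vm.callStack.pop_back();                   // unwind to outer's finally block
    auto caught = vm.opCatch();
    auto again = vm.rethrow(caught.first);     // finally re-throws the Exception local
    return { again->stack.size(), again->stack.back(), vm.debuggerBreaks, again == thrown };
}

// try { inner() throws } catch (e) { throw e; }: JS re-throws the *value*,
// which is a new throw with a new stack and a second debugger notification.
Trace catchRethrowValue() {
    VM vm;
    vm.callStack = { "outer", "inner" };
    auto thrown = vm.throwValue({ "TypeError" });
    vm.callStack.pop_back();
    auto caught = vm.opCatch();
    auto again = vm.throwValue(caught.second); // the JSValue local, not the Exception
    return { again->stack.size(), again->stack.back(), vm.debuggerBreaks, again == thrown };
}
```

The two scenarios differ only in which of op_catch's two locals is thrown again; that choice is what decides whether the original stack survives and whether the debugger sees one throw or two.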
3114
3115 2015-06-04  Benjamin Poulain  <bpoulain@apple.com>
3116
3117         [JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case
3118         https://bugs.webkit.org/show_bug.cgi?id=145673
3119
3120         Reviewed by Geoffrey Garen.
3121
3122         Previously, we were deciding to use out-of-bounds speculation based on two pieces of information:
3123         -Explicitly detected out-of-bounds accesses tracked on ArrayProfile.
3124         -The number of times we took the slow cases in the baseline JIT.
3125
3126         The heuristic based on slow cases was a little too fragile.
3127
3128         In some cases, we were running into that limit just because the indexing type changes between
3129         two values (typically Int32Array and DoubleArray). Sometimes we were just unlucky on what
3130         we used for the inline cache.
3131
3132         In Kraken, this was hurting us on "audio-beat-detection" and "audio-fft". The array types we see
3133         change between Int32 and Double. We run into the slow path a bit but never hit
3134         out-of-bounds.
3135
3136         By the time we compile in DFG, we have stable Double Arrays but we speculate out-of-bounds based
3137         on the number of slow cases we took. Because of that, we start boxing the double on GetByVal,
3138         using DoubleRep, etc. adding a ton of overhead over otherwise very simple operations.
3139
3140         WebXPRT was also suffering from this problem but the other way around: we were missing
3141         the out-of-bounds accesses due to changes in indexing types, we were below the threshold
3142         of slow-path access, thus we predicted in-bounds accesses for code that was doing plenty
3143         of out-of-bounds accesses.
3144
3145
3146         This patch fixes the problem by tracking the out-of-bounds access explicitly any time we go
3147         into the slow path in baseline JIT. Since we no longer miss any out-of-bounds, we can remove
3148         the slow-path heuristic.
3149
3150         There is a new additional special case in the C code regarding out-of-bounds: Arguments access.
3151         Mispredicting out-of-bounds accesses on arguments is a disaster for performance, so those are
3152         tracked in the way DFG expects it.
3153
3154
3155         There are a few important cases that are still not covered optimally:
3156         -PutByVal on Arguments.
3157         -Get/Put ByVal on TypedArray.
3158         Those are simply not used by DFG in any way. TypedArrays should probably be looked at in the future.
3159
3160         * bytecode/ArrayProfile.cpp:
3161         (JSC::ArrayProfile::computeUpdatedPrediction):
3162         The inline-cache repatch cases now update the ArrayProfile information. This has no value in baseline
3163         JIT but it helps avoiding one recompile in DFG for the missing ArrayProfile information.
3164
3165         * bytecode/ArrayProfile.h:
3166         (JSC::ArrayProfile::setOutOfBounds):
3167         * dfg/DFGByteCodeParser.cpp:
3168         (JSC::DFG::ByteCodeParser::getArrayMode):
3169         (JSC::DFG::ByteCodeParser::parseBlock):
3170         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath): Deleted.
3171         * jit/CCallHelpers.h:
3172         (JSC::CCallHelpers::setupArgumentsWithExecState):
3173         * jit/JIT.h:
3174         * jit/JITInlines.h:
3175         (JSC::JIT::callOperation):
3176         * jit/JITOpcodes.cpp:
3177         (JSC::JIT::emitSlow_op_has_indexed_property):
3178         * jit/JITOpcodes32_64.cpp:
3179         (JSC::JIT::emitSlow_op_has_indexed_property):
3180         * jit/JITOperations.cpp:
3181         (JSC::canUseFastArgumentAccess):
3182         This is not my favorite part of this patch.
3183
3184         I tried having JSObject::canGetIndexQuickly() handle arguments which would put everything
3185         on the generic path. Unfortunately, that code is very performance sensitive and some benchmarks were
3186         impacted by over 10%.
3187
3188         I left JSObject::canGetIndexQuickly() alone, and I added the canUseFastArgumentAccess() mirroring
3189         how DFG uses out-of-bounds for Arguments.
3190
3191         (JSC::getByVal):
3192         * jit/JITOperations.h:
3193         * jit/JITPropertyAccess.cpp:
3194         (JSC::JIT::emitSlow_op_get_by_val):
3195         (JSC::JIT::emitSlow_op_put_by_val):
3196         * jit/JITPropertyAccess32_64.cpp:
3197         (JSC::JIT::emitSlow_op_get_by_val):
3198         (JSC::JIT::emitSlow_op_put_by_val):
3199         * runtime/JSPromiseFunctions.cpp:
3200         * tests/stress/get-by-val-out-of-bounds-basics.js: Added.
3201         (opaqueGetByValOnInt32ArrayEarlyOutOfBounds):
3202         (testInt32ArrayEarlyOutOfBounds):
3203         (testIndexingTypeChangesOnInt32Array):
3204         (opaqueGetByValOnStringArrayHotOutOfBounds):
3205         (testStringArrayHotOutOfBounds):
3206         (testIndexingTypeChangesOnStringArray):
3207         (opaqueGetByValOnStringAndInt32ArrayHotOutOfBounds):
3208         (testStringAndInt32ArrayHotOutOfBounds):
3209         (opaqueGetByValOnDoubleArrayHotOutOfBounds):
3210         * tests/stress/put-by-val-out-of-bounds-basics.js: Added.
3211         (opaquePutByValOnInt32ArrayEarlyOutOfBounds):
3212         (testInt32ArrayEarlyOutOfBounds):
3213         (opaquePutByValOnStringArrayHotOutOfBounds):
3214         (testStringArrayHotOutOfBounds):
3215
3216 2015-06-03  Filip Pizlo  <fpizlo@apple.com>
3217
3218         Simplify unboxing of double JSValues known to be not NaN and not Int32
3219         https://bugs.webkit.org/show_bug.cgi?id=145618
3220
3221         Reviewed by Geoffrey Garen.
3222         
3223         In many cases we know that we most likely loaded a non-NaN double value from the heap.
3224         Prior to this patch, we would do two branches before unboxing the double. This patch
3225         reduces this to one branch in the common case. Before:
3226         
3227             if (is int32)
3228                 unbox int32 and convert to double
3229             else if (is number)
3230                 unbox double
3231             else
3232                 exit
3233         
3234         After:
3235
3236             tmp = unbox double
3237             if (tmp == tmp)
3238                 done
3239             else if (is int32)
3240                 unbox int32 and convert to double
3241             else
3242                 exit
3243         
3244         We only use the new style if we have profiling that tells us that we are unlikely to see
3245         either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch.
3246         
3247         This is an 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up.
3248         
3249         Rolling this back in after I made DFG::SpeculativeJIT call a new version of unboxDouble()
3250         that doesn't assert that the JSValue is a double, since we are intentionally using it
3251         before doing the "is a double" test. This wasn't a problem on 32-bit since unboxDouble()
3252         does no such assertion on 32-bit.
3253
3254         * dfg/DFGAbstractInterpreterInlines.h:
3255         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3256         * dfg/DFGFixupPhase.cpp:
3257         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3258         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
3259         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3260         * dfg/DFGNode.h:
3261         (JSC::DFG::Node::shouldSpeculateDouble):
3262         (JSC::DFG::Node::shouldSpeculateDoubleReal):
3263         (JSC::DFG::Node::shouldSpeculateNumber):
3264         * dfg/DFGSafeToExecute.h:
3265         (JSC::DFG::SafeToExecuteEdge::operator()):
3266         * dfg/DFGSpeculativeJIT.cpp:
3267         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
3268         (JSC::DFG::SpeculativeJIT::speculateNumber):
3269         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
3270         (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
3271         (JSC::DFG::SpeculativeJIT::speculate):
3272         (JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted.
3273         * dfg/DFGSpeculativeJIT.h:
3274         * dfg/DFGUseKind.cpp:
3275         (WTF::printInternal):
3276         * dfg/DFGUseKind.h:
3277         (JSC::DFG::typeFilterFor):
3278         (JSC::DFG::isNumerical):
3279         * ftl/FTLCapabilities.cpp:
3280         (JSC::FTL::canCompile):
3281         * ftl/FTLLowerDFGToLLVM.cpp:
3282         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
3283         (JSC::FTL::LowerDFGToLLVM::boxDouble):
3284         (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
3285         (JSC::FTL::LowerDFGToLLVM::speculate):
3286         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3287         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
3288         (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal):
3289         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted.
3290         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted.
3291         * jit/AssemblyHelpers.h:
3292         (JSC::AssemblyHelpers::branchIfNotOther):
3293         (JSC::AssemblyHelpers::branchIfInt32):
3294         (JSC::AssemblyHelpers::branchIfNotInt32):
3295         (JSC::AssemblyHelpers::branchIfNumber):
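
The "Before" and "After" sequences in this entry (the same text appears in the original 2015-06-03 entry for r185216 further down, which was rolled out and re-landed here), as an added C++ model that is not JavaScriptCore code: the constants TagTypeNumber and DoubleEncodeOffset are the 64-bit JSValue encoding, but the box/unbox helpers, the branch counts and the two speculate functions are assumptions of this example. It makes explicit the invariant the single-branch version relies on: unboxing any non-double JSValue as if it were a double yields a NaN, so "tmp == tmp" can only succeed for a genuine, non-NaN double.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// 64-bit JSValue layout: pointers have zero top 16 bits, Int32 carries the
// 0xFFFF tag, and doubles are stored as their IEEE bits plus 2^48 so they
// occupy the 0x0001..0xFFFE top-16-bit range.
static const uint64_t TagTypeNumber      = 0xffff000000000000ULL;
static const uint64_t DoubleEncodeOffset = 1ULL << 48;

typedef uint64_t EncodedJSValue;

static inline uint64_t bitsOf(double d)   { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static inline double   doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// Every NaN is canonicalised before boxing (JSC's purifyNaN), so a NaN with an
// arbitrary payload can never land in the pointer or Int32 ranges.
static inline double purifyNaN(double d) { return d != d ? doubleOf(0x7ff8000000000000ULL) : d; }

EncodedJSValue boxInt32(int32_t i) { return TagTypeNumber | (uint64_t)(uint32_t)i; }
EncodedJSValue boxDouble(double d) { return bitsOf(purifyNaN(d)) + DoubleEncodeOffset; }
EncodedJSValue boxCell(uint64_t p) { return p & 0x0000ffffffffffffULL; } // model: 48-bit pointer

bool isInt32(EncodedJSValue v)  { return (v & TagTypeNumber) == TagTypeNumber; }
bool isNumber(EncodedJSValue v) { return (v & TagTypeNumber) != 0; }     // Int32 or double
int32_t unboxInt32(EncodedJSValue v) { return (int32_t)(uint32_t)v; }

// The unchecked unbox this entry adds: subtract the offset and reinterpret,
// without first proving the value is a double.
double unboxDouble(EncodedJSValue v) { return doubleOf(v - DoubleEncodeOffset); }

// Why doing that first is sound: for anything that is not an encoded double
// the subtraction leaves sign=1, exponent=0x7FF and a non-zero mantissa,
// i.e. a NaN, so the self-comparison fails for every non-double input.
bool blindUnboxIsNaN(EncodedJSValue v) { double t = unboxDouble(v); return t != t; }

enum Outcome { Done, Exit };
// branches = number of type-dispatch branches taken before a double is in hand
struct Speculation { Outcome outcome; double value; int branches; };

// "Before": type-test first, unbox second. Real-number speculation also
// rejects NaN after the unbox (not counted as a type branch here).
Speculation speculateRealNumberBefore(EncodedJSValue v) {
    if (isInt32(v)) return { Done, (double)unboxInt32(v), 1 };
    if (!isNumber(v)) return { Exit, 0.0, 2 };
    double d = unboxDouble(v);
    if (d == d) return { Done, d, 2 };
    return { Exit, 0.0, 2 };
}

// "After": unbox blindly; one self-comparison settles the common case.
Speculation speculateRealNumberAfter(EncodedJSValue v) {
    double tmp = unboxDouble(v);
    if (tmp == tmp) return { Done, tmp, 1 };                 // non-NaN double
    if (isInt32(v)) return { Done, (double)unboxInt32(v), 2 }; // tested on v, not tmp
    return { Exit, 0.0, 2 };                                 // cell, other, or a real NaN
}
```

The property worth keeping as a check if the encoding ever changes is blindUnboxIsNaN: a JIT that unboxes before type-testing is only safe while every non-double encoding maps to a NaN, otherwise the fast path would accept a pointer or tagged value as a number.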
3296
3297 2015-06-04  Joseph Pecoraro  <pecoraro@apple.com>
3298
3299         Web Inspector: Class constructor appearing as Object Tree property does not include parameters
3300         https://bugs.webkit.org/show_bug.cgi?id=145661
3301
3302         Reviewed by Timothy Hatcher.
3303
3304         * inspector/InjectedScriptSource.js:
3305         (InjectedScript.prototype._classPreview):
3306         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
3307         The string we will return for previews of class constructor functions.
3308
3309         (InjectedScript.RemoteObject):
3310         (InjectedScript.RemoteObject.prototype._describe):
3311         No longer return the class name as the description string.
3312         Instead return the class name for the RemoteObject.className.
3313
3314 2015-06-04  Commit Queue  <commit-queue@webkit.org>
3315
3316         Unreviewed, rolling out r185216.
3317         https://bugs.webkit.org/show_bug.cgi?id=145666
3318
3319         it caused a bunch of debug crashes (Requested by pizlo on
3320         #webkit).
3321
3322         Reverted changeset:
3323
3324         "Simplify unboxing of double JSValues known to be not NaN and
3325         not Int32"
3326         https://bugs.webkit.org/show_bug.cgi?id=145618
3327         http://trac.webkit.org/changeset/185216
3328
3329 2015-06-03  Filip Pizlo  <fpizlo@apple.com>
3330
3331         Simplify unboxing of double JSValues known to be not NaN and not Int32
3332         https://bugs.webkit.org/show_bug.cgi?id=145618
3333
3334         Reviewed by Geoffrey Garen.
3335         
3336         In many cases we know that we most likely loaded a non-NaN double value from the heap.
3337         Prior to this patch, we would do two branches before unboxing the double. This patch
3338         reduces this to one branch in the common case. Before:
3339         
3340             if (is int32)
3341                 unbox int32 and convert to double
3342             else if (is number)
3343                 unbox double
3344             else
3345                 exit
3346         
3347         After:
3348
3349             tmp = unbox double
3350             if (tmp == tmp)
3351                 done
3352             else if (is int32)
3353                 unbox int32 and convert to double
3354             else
3355                 exit
3356         
3357         We only use the new style if we have profiling that tells us that we are unlikely to see
3358         either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch.
3359         
3360         This is an 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up.