Getter or setter method named "prototype" or "constructor" should throw SyntaxError
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-04-26  Ryosuke Niwa  <rniwa@webkit.org>
2
3         Getter or setter method named "prototype" or "constrcutor" should throw SyntaxError
4         https://bugs.webkit.org/show_bug.cgi?id=144243
5
6         Reviewed by Darin Adler.
7
8         Fixed the bug by adding explicit checks in parseGetterSetter when we're parsing class methods.
9
10         * parser/Parser.cpp:
11         (JSC::Parser<LexerType>::parseGetterSetter):
12
13 2015-04-26  Jordan Harband  <ljharb@gmail.com>
14
15         Map#forEach does not pass "map" argument to callback.
16         https://bugs.webkit.org/show_bug.cgi?id=144187
17
18         Reviewed by Darin Adler.
19
20         Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-map.prototype.foreach
21         step 7.a.i., the callback should be called with three arguments.
22
23         * runtime/MapPrototype.cpp:
24         (JSC::mapProtoFuncForEach):
25
26 2015-04-26  Yusuke Suzuki  <utatane.tea@gmail.com>
27
28         [ES6] Implement ES6 template literals
29         https://bugs.webkit.org/show_bug.cgi?id=142691
30
31         Reviewed by Darin Adler.
32
33         This patch implements TemplateLiteral.
34         Since TaggedTemplate requires some global states and
35         primitive operations like GetTemplateObject,
36         we separate the patch. It will be implemented in a subsequent patch.
37
38         Template Literal Syntax is guarded by ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX compile time flag.
39         By disabling it, we can disable Template Literal support.
40
41         To implement template literals, in this patch,
42         we newly introduce bytecode op_to_string.
43         In template literals, we alternately evaluate the expression and
44         perform ToString onto the result of evaluation.
45         For example,
46
47         `${f1()} ${f2()}`
48
49         In this template literal, execution order is the following,
50         1. calling f1()
51         2. ToString(the result of f1())
52         3. calling f2()
53         4. ToString(the result of f2())
54
55         op_strcat also performs ToString. However, performing ToString
56         on the expressions is batched in op_strcat, which is not the same as the
57         template literal spec. In the above example,
58         ToString(f1()) should be called before calling f2().
59
60         * Configurations/FeatureDefines.xcconfig:
61         * bytecode/BytecodeList.json:
62         * bytecode/BytecodeUseDef.h:
63         (JSC::computeUsesForBytecodeOffset):
64         (JSC::computeDefsForBytecodeOffset):
65         * bytecode/CodeBlock.cpp:
66         (JSC::CodeBlock::dumpBytecode):
67         * bytecompiler/BytecodeGenerator.h:
68         (JSC::BytecodeGenerator::emitToString):
69         (JSC::BytecodeGenerator::emitToNumber): Deleted.
70         * bytecompiler/NodesCodegen.cpp:
71         (JSC::TemplateStringNode::emitBytecode):
72         (JSC::TemplateLiteralNode::emitBytecode):
73         * dfg/DFGByteCodeParser.cpp:
74         (JSC::DFG::ByteCodeParser::parseBlock):
75         * dfg/DFGCapabilities.cpp:
76         (JSC::DFG::capabilityLevel):
77         * jit/JIT.cpp:
78         (JSC::JIT::privateCompileMainPass):
79         (JSC::JIT::privateCompileSlowCases):
80         * jit/JIT.h:
81         * jit/JITOpcodes.cpp:
82         (JSC::JIT::emit_op_to_string):
83         (JSC::JIT::emitSlow_op_to_string):
84         * jit/JITOpcodes32_64.cpp:
85         (JSC::JIT::emit_op_to_string):
86         (JSC::JIT::emitSlow_op_to_string):
87         * llint/LowLevelInterpreter32_64.asm:
88         * llint/LowLevelInterpreter64.asm:
89         * parser/ASTBuilder.h:
90         (JSC::ASTBuilder::createTemplateString):
91         (JSC::ASTBuilder::createTemplateStringList):
92         (JSC::ASTBuilder::createTemplateExpressionList):
93         (JSC::ASTBuilder::createTemplateLiteral):
94         * parser/Lexer.cpp:
95         (JSC::Lexer<T>::Lexer):
96         (JSC::Lexer<T>::parseIdentifierSlowCase):
97         (JSC::Lexer<T>::parseString):
98         (JSC::LineNumberAdder::LineNumberAdder):
99         (JSC::LineNumberAdder::clear):
100         (JSC::LineNumberAdder::add):
101         (JSC::Lexer<T>::parseTemplateLiteral):
102         (JSC::Lexer<T>::lex):
103         (JSC::Lexer<T>::scanRegExp):
104         (JSC::Lexer<T>::scanTrailingTemplateString):
105         (JSC::Lexer<T>::parseStringSlowCase): Deleted.
106         * parser/Lexer.h:
107         * parser/NodeConstructors.h:
108         (JSC::TemplateExpressionListNode::TemplateExpressionListNode):
109         (JSC::TemplateStringNode::TemplateStringNode):
110         (JSC::TemplateStringListNode::TemplateStringListNode):
111         (JSC::TemplateLiteralNode::TemplateLiteralNode):
112         * parser/Nodes.h:
113         (JSC::TemplateExpressionListNode::value):
114         (JSC::TemplateExpressionListNode::next):
115         (JSC::TemplateStringNode::cooked):
116         (JSC::TemplateStringNode::raw):
117         (JSC::TemplateStringListNode::value):
118         (JSC::TemplateStringListNode::next):
119         * parser/Parser.cpp:
120         (JSC::Parser<LexerType>::parseTemplateString):
121         (JSC::Parser<LexerType>::parseTemplateLiteral):
122         (JSC::Parser<LexerType>::parsePrimaryExpression):
123         * parser/Parser.h:
124         * parser/ParserTokens.h:
125         * parser/SyntaxChecker.h:
126         (JSC::SyntaxChecker::createTemplateString):
127         (JSC::SyntaxChecker::createTemplateStringList):
128         (JSC::SyntaxChecker::createTemplateExpressionList):
129         (JSC::SyntaxChecker::createTemplateLiteral):
130         (JSC::SyntaxChecker::createSpreadExpression): Deleted.
131         * runtime/CommonSlowPaths.cpp:
132         (JSC::SLOW_PATH_DECL):
133         * runtime/CommonSlowPaths.h:
134         * tests/stress/template-literal-line-terminators.js: Added.
135         (test):
136         (testEval):
137         (testEvalLineNumber):
138         * tests/stress/template-literal-syntax.js: Added.
139         (testSyntax):
140         (testSyntaxError):
141         * tests/stress/template-literal.js: Added.
142         (test):
143         (testEval):
144         (testEmbedded):
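The ordering rule described above, made observable from script. This is an added example, not code from the JavaScriptCore patch: objects whose `toString` and `valueOf` record their invocation show that a template literal evaluates a substitution, applies ToString to it, and only then evaluates the next substitution, while `+` concatenation goes through ToPrimitive (so `valueOf` wins) and ToString on a Symbol throws before any later substitution runs.

```javascript
// Added example (not JavaScriptCore's own code): observe the evaluation
// order and the ToString conversions that the template literal spec requires.
// Each substitution is evaluated, then converted with ToString, before the
// next substitution's expression runs.

// Build an object whose conversions record when they are invoked, so the
// order of calls and the conversion operation used become observable.
function makeTraced(name, log) {
  return {
    valueOf() { log.push(`valueOf(${name})`); return 42; },
    toString() { log.push(`toString(${name})`); return name; },
  };
}

// `${f1()} ${f2()}`: f1 runs, its result is converted with ToString, and
// only then does f2 run. Returns the log and the produced string.
function templateLiteralOrder() {
  const log = [];
  const f1 = () => { log.push("call f1"); return makeTraced("a", log); };
  const f2 = () => { log.push("call f2"); return makeTraced("b", log); };
  const result = `${f1()} ${f2()}`;
  return { log, result };
}

// Plain + concatenation uses ToPrimitive with no hint, so valueOf is tried
// first; template literals use ToString, so toString is called directly.
function plusOperatorOrder() {
  const log = [];
  const f1 = () => { log.push("call f1"); return makeTraced("a", log); };
  const f2 = () => { log.push("call f2"); return makeTraced("b", log); };
  const result = f1() + " " + f2();
  return { log, result };
}

// ToString on a Symbol throws a TypeError; the template literal must
// surface that before any later substitution is evaluated.
function templateLiteralSymbolThrows() {
  const log = [];
  const later = () => { log.push("call later"); return "x"; };
  try {
    `${Symbol("s")} ${later()}`;
    return { threw: false, log };
  } catch (e) {
    return { threw: e instanceof TypeError, log };
  }
}
```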
145
146 2015-04-26  Jordan Harband  <ljharb@gmail.com>
147
148         Set#forEach does not pass "key" or "set" arguments to callback.
149         https://bugs.webkit.org/show_bug.cgi?id=144188
150
151         Reviewed by Darin Adler.
152
153         Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.foreach
154         Set#forEach should pass 3 arguments to the callback.
155
156         * runtime/SetPrototype.cpp:
157         (JSC::setProtoFuncForEach):
158
159 2015-04-26  Benjamin Poulain  <benjamin@webkit.org>
160
161         [JSC] Implement Math.clz32(), remove Number.clz()
162         https://bugs.webkit.org/show_bug.cgi?id=144205
163
164         Reviewed by Michael Saboff.
165
166         This patch adds the ES6 function Math.clz32(), and removes the non-standard
167         Number.clz(). Number.clz() probably came from an older draft.
168
169         The new function has a corresponding intrinsic: Clz32Intrinsic,
170         and a corresponding DFG node: ArithClz32, optimized all the way to LLVM.
171
172         * assembler/MacroAssemblerX86Common.h:
173         (JSC::MacroAssemblerX86Common::countLeadingZeros32):
174         * assembler/X86Assembler.h:
175         (JSC::X86Assembler::bsr_rr):
176         The x86 assembler did not have countLeadingZeros32() because there is
177         no native CLZ instruction on that architecture.
178
179         I have added the version with bsr + branches for the case of zero.
180         Another popular version uses cmov to handle the case of zero. I kept
181         it simple since the Assembler has no support for cmov.
182
183         It is unlikely to matter much. If the code is hot enough, LLVM picks
184         something good based on the surrounding code.
185
186         * dfg/DFGAbstractInterpreterInlines.h:
187         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
188         Constant handling + effect propagation. The node only produces integers (between 0 and 32).
189
190         * dfg/DFGBackwardsPropagationPhase.cpp:
191         (JSC::DFG::BackwardsPropagationPhase::propagate):
192         Thanks to the definition of toUint32(), we can ignore plenty of details
193         from doubles.
194
195         * dfg/DFGByteCodeParser.cpp:
196         (JSC::DFG::ByteCodeParser::handleIntrinsic):
197         * dfg/DFGClobberize.h:
198         (JSC::DFG::clobberize):
199         * dfg/DFGDoesGC.cpp:
200         (JSC::DFG::doesGC):
201         * dfg/DFGFixupPhase.cpp:
202         (JSC::DFG::FixupPhase::fixupNode):
203         * dfg/DFGNodeType.h:
204         * dfg/DFGPredictionPropagationPhase.cpp:
205         (JSC::DFG::PredictionPropagationPhase::propagate):
206         * dfg/DFGSafeToExecute.h:
207         (JSC::DFG::safeToExecute):
208         * dfg/DFGSpeculativeJIT.cpp:
209         (JSC::DFG::SpeculativeJIT::compileArithClz32):
210         * dfg/DFGSpeculativeJIT.h:
211         * dfg/DFGSpeculativeJIT32_64.cpp:
212         (JSC::DFG::SpeculativeJIT::compile):
213         * dfg/DFGSpeculativeJIT64.cpp:
214         (JSC::DFG::SpeculativeJIT::compile):
215         * ftl/FTLCapabilities.cpp:
216         (JSC::FTL::canCompile):
217         * ftl/FTLIntrinsicRepository.h:
218         * ftl/FTLLowerDFGToLLVM.cpp:
219         (JSC::FTL::LowerDFGToLLVM::compileNode):
220         (JSC::FTL::LowerDFGToLLVM::compileArithClz32):
221         * ftl/FTLOutput.h:
222         (JSC::FTL::Output::ctlz32):
223         * jit/ThunkGenerators.cpp:
224         (JSC::clz32ThunkGenerator):
225         * jit/ThunkGenerators.h:
226         * runtime/Intrinsic.h:
227         * runtime/MathCommon.h:
228         (JSC::clz32):
229         Fun fact: InstCombine does not recognize this pattern to eliminate
230         the branch which makes our FTL version better than the C version.
231
232         * runtime/MathObject.cpp:
233         (JSC::MathObject::finishCreation):
234         (JSC::mathProtoFuncClz32):
235         * runtime/NumberPrototype.cpp:
236         (JSC::clz): Deleted.
237         (JSC::numberProtoFuncClz): Deleted.
238         * runtime/VM.cpp:
239         (JSC::thunkGeneratorForIntrinsic):
240         * tests/stress/math-clz32-basics.js: Added.
241         (mathClz32OnInteger):
242         (testMathClz32OnIntegers):
243         (verifyMathClz32OnIntegerWithOtherTypes):
244         (mathClz32OnDouble):
245         (testMathClz32OnDoubles):
246         (verifyMathClz32OnDoublesWithOtherTypes):
247         (mathClz32NoArguments):
248         (mathClz32TooManyArguments):
249         (testMathClz32OnConstants):
250         (mathClz32StructTransition):
251         (Math.clz32):
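A reference Math.clz32 written from the ES6 steps, as an added example that is not part of the patch or of JavaScriptCore. It makes two points from the entry concrete: ToUint32 collapses doubles, negatives, NaN and missing arguments to a 32-bit value before counting, so the result is always an integer in [0, 32], and zero needs the explicit branch the bsr-based assembler version also carries. The sample inputs are constructed here.

```javascript
// Added example (not JavaScriptCore's own code): a reference Math.clz32
// written per the ES6 steps, used to cross-check the built-in. The argument
// goes through ToUint32, so doubles, negatives, NaN, Infinity and missing
// arguments all collapse to a 32-bit unsigned integer before counting.

// ToUint32 as specified: ToNumber, then NaN/Infinity -> 0, truncate toward
// zero, reduce modulo 2^32. The result is always in [0, 2^32).
function toUint32(value) {
  const n = Number(value);
  if (Number.isNaN(n) || n === Infinity || n === -Infinity) return 0;
  const truncated = Math.trunc(n);
  // ((x % 2^32) + 2^32) % 2^32 handles negative inputs.
  return ((truncated % 4294967296) + 4294967296) % 4294967296;
}

// Count leading zero bits of the 32-bit value with a binary search over the
// bit width; the result is always an integer in [0, 32], which is exactly
// the range the DFG's abstract interpreter can assume for ArithClz32.
function referenceClz32(value) {
  let n = toUint32(value);
  if (n === 0) return 32;              // the branch the bsr version needs
  let count = 0;
  if ((n & 0xffff0000) === 0) { count += 16; n <<= 16; }
  if ((n & 0xff000000) === 0) { count += 8; n <<= 8; }
  if ((n & 0xf0000000) === 0) { count += 4; n <<= 4; }
  if ((n & 0xc0000000) === 0) { count += 2; n <<= 2; }
  if ((n & 0x80000000) === 0) { count += 1; }
  return count;
}

// Constructed inputs covering the edge cases the stress tests name:
// integers, doubles, values of other types, and no argument at all.
const SAMPLE_INPUTS = [0, 1, 2, 255, 256, 0x7fffffff, 0x80000000, 0xffffffff,
  -1, -2147483648, 1.9, -0.5, 4294967296, 4294967297, NaN, Infinity,
  "16", "0x10", true, null, undefined, [], {}];

// Returns the inputs where the reference and the built-in disagree; an empty
// array means the two implementations agree on every sample.
function findMismatches(inputs = SAMPLE_INPUTS) {
  return inputs.filter((x) => referenceClz32(x) !== Math.clz32(x));
}
```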
252
253 2015-04-26  Yusuke Suzuki  <utatane.tea@gmail.com>
254
255         [ES6] Array.from needs to accept iterables
256         https://bugs.webkit.org/show_bug.cgi?id=141055
257
258         Reviewed by Darin Adler.
259
260         ES6 spec requires that Array.from accepts iterable objects.
261         This patch introduces this functionality, Array.from accepting iterable objects.
262
263         Currently, `isConstructor` is not used. Instead of it, `typeof thisObj === "function"` is used.
264         However, it doesn't conform to the spec. While `isConstructor` queries whether the given object has `[[Construct]]`,
265         `typeof thisObj === "function"` queries whether the given object has `[[Call]]`.
266         This will be fixed in the subsequent patch[1].
267
268         [1]: https://bugs.webkit.org/show_bug.cgi?id=144093
269
270         * builtins/ArrayConstructor.js:
271         (from):
272         * parser/Parser.cpp:
273         (JSC::Parser<LexerType>::parseInner):
274         * runtime/CommonIdentifiers.h:
275         * runtime/JSGlobalObject.cpp:
276         (JSC::JSGlobalObject::init):
277         * tests/stress/array-from-with-iterable.js: Added.
278         (shouldBe):
279         (.set for):
280         (.set var):
281         (.get var):
282         (argumentsGenerators):
283         (.set shouldBe):
284         (.set new):
285         * tests/stress/array-from-with-iterator.js: Added.
286         (shouldBe):
287         (shouldThrow):
288         (createIterator.iterator.return):
289         (createIterator):
290         (.):
291
292 2015-04-25  Jordan Harband  <ljharb@gmail.com>
293
294         Set#keys !== Set#values
295         https://bugs.webkit.org/show_bug.cgi?id=144190
296
297         Reviewed by Darin Adler.
298
299         Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.keys
300         Set#keys should === Set#values
301
302         * runtime/SetPrototype.cpp:
303         (JSC::SetPrototype::finishCreation):
304         (JSC::setProtoFuncValues):
305         (JSC::setProtoFuncEntries):
306         (JSC::setProtoFuncKeys): Deleted.
307
308 2015-04-25  Joseph Pecoraro  <pecoraro@apple.com>
309
310         Allow for pausing a JSContext when opening a Web Inspector
311         <rdar://problem/20564788>
312
313         Reviewed by Timothy Hatcher.
314
315         * inspector/remote/RemoteInspector.mm:
316         (Inspector::RemoteInspector::receivedSetupMessage):
317         * inspector/remote/RemoteInspectorConstants.h:
318         * inspector/remote/RemoteInspectorDebuggable.h:
319         * inspector/remote/RemoteInspectorDebuggableConnection.h:
320         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
321         (Inspector::RemoteInspectorDebuggableConnection::setup):
322         On any incoming setup message, we may want to automatically
323         pause the debuggable. If requested, pause the debuggable
324         after we have setup the frontend connection.
325
326         * runtime/JSGlobalObjectDebuggable.h:
327         * runtime/JSGlobalObjectDebuggable.cpp:
328         (JSC::JSGlobalObjectDebuggable::pause):
329         Pass through to the inspector controller.
330
331         * inspector/JSGlobalObjectInspectorController.h:
332         * inspector/JSGlobalObjectInspectorController.cpp:
333         (Inspector::JSGlobalObjectInspectorController::pause):
334         Enable pause on next statement.
335
336 2015-04-23  Ryosuke Niwa  <rniwa@webkit.org>
337
338         class methods should be non-enumerable
339         https://bugs.webkit.org/show_bug.cgi?id=143181
340
341         Reviewed by Darin Adler.
342
343         Fixed the bug by using Object.defineProperty to define methods.
344
345         This patch adds the concept of link time constants and uses it to resolve Object.defineProperty
346         inside CodeBlock's constructor since bytecode can be linked against multiple global objects.
347
348         * bytecode/CodeBlock.cpp: 
349         (JSC::CodeBlock::CodeBlock): Resolve link time constants that are used. Ignore ones with register
350         index of zero.
351         * bytecode/SpecialPointer.h: Added a new enum for link time constants. It currently contains
352         exactly one entry for Object.defineProperty.
353         * bytecode/UnlinkedCodeBlock.h:
354         (JSC::UnlinkedCodeBlock::addConstant): Added. Like addConstant that takes JSValue, allocate a new
355         constant register for the link time constant we're adding.
356         (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Added.
357         * bytecompiler/BytecodeGenerator.cpp:
358         (JSC::BytecodeGenerator::emitMoveLinkTimeConstant): Added. Like addConstantValue, allocate a new
359         register for the specified link time constant and notify UnlinkedCodeBlock about it.
360         (JSC::BytecodeGenerator::emitCallDefineProperty): Added. Create a new property descriptor and call
361         Object.defineProperty with it.
362         * bytecompiler/BytecodeGenerator.h:
363         * bytecompiler/NodesCodegen.cpp:
364         (JSC::PropertyListNode::emitBytecode): Make static and non-static getters and setters for classes
365         non-enumerable by using emitCallDefineProperty to define them.
366         (JSC::PropertyListNode::emitPutConstantProperty): Ditto for a non-accessor properties.
367         (JSC::ClassExprNode::emitBytecode): Make prototype.constructor non-enumerable and make prototype
368         property on the class non-writable, non-configurable, and non-enumerable by using defineProperty.
369         * runtime/CommonIdentifiers.h:
370         * runtime/JSGlobalObject.cpp:
371         (JSC::JSGlobalObject::init): Set m_definePropertyFunction.
372         (JSC::JSGlobalObject::visitChildren): Visit m_definePropertyFunction.
373         * runtime/JSGlobalObject.h:
374         (JSC::JSGlobalObject::definePropertyFunction): Added.
375         (JSC::JSGlobalObject::actualPointerFor): Added a variant that takes LinkTimeConstant.
376         (JSC::JSGlobalObject::jsCellForLinkTimeConstant): Like actualPointerFor, takes LinkTimeConstant and
377         returns a JSCell; e.g. Object.defineProperty.
378         * runtime/ObjectConstructor.cpp:
379         (JSC::ObjectConstructor::addDefineProperty): Added. Returns Object.defineProperty.
380         * runtime/ObjectConstructor.h:
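A conformance probe for the class semantics covered by this entry and by the "Getter or setter method named "prototype" or "constructor"" entry at the top of the log. This is an added example, not JavaScriptCore code: class sources are parsed through the Function constructor so an early SyntaxError is returned as a value, and property descriptors show which class members are non-enumerable and how the `prototype` property is locked down.

```javascript
// Added example (not JavaScriptCore's own code): checks that make the two
// class-semantics fixes observable from script, written as a conformance
// probe. Sources are parsed with the Function constructor so a SyntaxError
// is caught as a value instead of aborting the script.

// Parse a class body and report the error name, or null when it parses.
function parseErrorName(source) {
  try { new Function(source); return null; }
  catch (e) { return e.name; }
}

// The early errors from the ES6 class grammar: a non-static accessor named
// "constructor" and a static accessor named "prototype" are both rejected,
// while the opposite pairings are legal.
function accessorNameChecks() {
  return {
    instanceGetConstructor: parseErrorName("class A { get constructor() {} }"),
    instanceSetConstructor: parseErrorName("class A { set constructor(v) {} }"),
    staticGetPrototype: parseErrorName("class A { static get prototype() {} }"),
    staticSetPrototype: parseErrorName("class A { static set prototype(v) {} }"),
    instanceGetPrototype: parseErrorName("class A { get prototype() {} }"),
    staticGetConstructor: parseErrorName("class A { static get constructor() {} }"),
  };
}

// Property attributes produced by class definitions: methods and accessors
// are non-enumerable (unlike object literal members), A.prototype is
// non-writable, non-enumerable and non-configurable, and
// prototype.constructor is a non-enumerable back link.
function classDescriptorChecks() {
  class A {
    method() {}
    get accessor() { return 1; }
    static staticMethod() {}
  }
  const literal = { method() {} };
  const d = (obj, name) => Object.getOwnPropertyDescriptor(obj, name);
  return {
    methodEnumerable: d(A.prototype, "method").enumerable,
    accessorEnumerable: d(A.prototype, "accessor").enumerable,
    staticMethodEnumerable: d(A, "staticMethod").enumerable,
    literalMethodEnumerable: d(literal, "method").enumerable,
    constructorEnumerable: d(A.prototype, "constructor").enumerable,
    prototypeWritable: d(A, "prototype").writable,
    prototypeEnumerable: d(A, "prototype").enumerable,
    prototypeConfigurable: d(A, "prototype").configurable,
    ownKeysOfPrototype: Object.keys(A.prototype),
  };
}
```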
381
382 2015-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
383
384         [ES6] Implement String.fromCodePoint
385         https://bugs.webkit.org/show_bug.cgi?id=144160
386
387         Reviewed by Darin Adler.
388
389         This patch implements String.fromCodePoint.
390         It accepts multiple code points and generates a string that consists of given code points.
391         The range [0x0000 - 0x10FFFF] is valid for code points.
392         If the given value is out of range, throw a range error.
393
394         When a valid code point of 0xFFFF or above is given,
395         String.fromCodePoint generates a string that contains surrogate pairs.
396
397         * runtime/StringConstructor.cpp:
398         (JSC::stringFromCodePoint):
399         (JSC::constructWithStringConstructor):
400         * tests/stress/string-from-code-point.js: Added.
401         (shouldBe):
402         (shouldThrow):
403         (toCodePoints):
404         (passThrough):
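A reference String.fromCodePoint written from the ES6 steps, as an added example that is not part of the patch or of JavaScriptCore. It shows the range check the entry describes (anything that is not an integer in [0, 0x10FFFF] is a RangeError, raised before any string is built) and the arithmetic that turns a supplementary-plane code point into a surrogate pair.

```javascript
// Added example (not JavaScriptCore's own code): String.fromCodePoint
// written per the ES6 steps, to show the range check and how code points
// above 0xFFFF become surrogate pairs in the resulting UTF-16 string.

// Returns the UTF-16 code units for one code point: a single unit for the
// BMP, a high/low surrogate pair for the supplementary planes.
function codePointToUnits(cp) {
  if (cp <= 0xffff) return [cp];
  const offset = cp - 0x10000;
  return [0xd800 + (offset >> 10), 0xdc00 + (offset & 0x3ff)];
}

// Each argument goes through ToNumber; anything that is not an integer in
// [0, 0x10FFFF] is a RangeError, raised before any string is built.
function referenceFromCodePoint(...codePoints) {
  const units = [];
  for (const raw of codePoints) {
    const cp = Number(raw);
    if (!Number.isInteger(cp) || cp < 0 || cp > 0x10ffff) {
      throw new RangeError(`Invalid code point ${String(raw)}`);
    }
    units.push(...codePointToUnits(cp));
  }
  return String.fromCharCode(...units);
}

// Helper for checks: true when the call throws a RangeError.
function throwsRangeError(...args) {
  try { referenceFromCodePoint(...args); return false; }
  catch (e) { return e instanceof RangeError; }
}
```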
405
406 2015-04-25  Martin Robinson  <mrobinson@igalia.com>
407
408         Rename ENABLE_3D_RENDERING to ENABLE_3D_TRANSFORMS
409         https://bugs.webkit.org/show_bug.cgi?id=144182
410
411         Reviewed by Simon Fraser.
412
413         * Configurations/FeatureDefines.xcconfig: Replace all instances of 3D_RENDERING with 3D_TRANSFORMS.
414
415 2015-04-25  Mark Lam  <mark.lam@apple.com>
416
417         mayExit() is wrong about Branch nodes with ObjectOrOtherUse: they can exit.
418         https://bugs.webkit.org/show_bug.cgi?id=144152
419
420         Reviewed by Filip Pizlo.
421
422         Changed the EdgeMayExit functor to recognize ObjectUse, ObjectOrOtherUse,
423         StringObjectUse, and StringOrStringObjectUse kinds as potentially triggering
424         OSR exits.  This was overlooked in the original code.
425
426         While only the ObjectOrOtherUse kind is relevant for manifesting this bug with
427         the Branch node, the other 3 may also trigger the same bug for other nodes.
428         To prevent this bug from manifesting with other nodes (and future ones that
429         are yet to be added to mayExit()'s "potential won't exit" set), we fix the
430         EdgeMayExit functor to handle all 4 use kinds (instead of just ObjectOrOtherUse).
431
432         Also added a test to exercise a code path that will trigger this bug with
433         the Branch node before the fix is applied.
434
435         * dfg/DFGMayExit.cpp:
436         * tests/stress/branch-may-exit-due-to-object-or-other-use-kind.js: Added.
437         (inlinedFunction):
438         (foo):
439
440 2015-04-24  Commit Queue  <commit-queue@webkit.org>
441
442         Unreviewed, rolling out r183288.
443         https://bugs.webkit.org/show_bug.cgi?id=144189
444
445         Made js/sort-with-side-effecting-comparisons.html time out in
446         debug builds (Requested by ap on #webkit).
447
448         Reverted changeset:
449
450         "It shouldn't take 1846 lines of code and 5 FIXMEs to sort an
451         array."
452         https://bugs.webkit.org/show_bug.cgi?id=144013
453         http://trac.webkit.org/changeset/183288
454
455 2015-04-24  Filip Pizlo  <fpizlo@apple.com>
456
457         CRASH in operationCreateDirectArgumentsDuringExit()
458         https://bugs.webkit.org/show_bug.cgi?id=143962
459
460         Reviewed by Geoffrey Garen.
461         
462         We shouldn't assume that constant-like OSR exit values are always recoverable. They are only
463         recoverable so long as they are live. Therefore, OSR exit should track liveness of
464         constants instead of assuming that they are always live.
465
466         * dfg/DFGGenerationInfo.h:
467         (JSC::DFG::GenerationInfo::noticeOSRBirth):
468         (JSC::DFG::GenerationInfo::appendBirth):
469         * dfg/DFGSpeculativeJIT.cpp:
470         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
471         * dfg/DFGVariableEvent.cpp:
472         (JSC::DFG::VariableEvent::dump):
473         * dfg/DFGVariableEvent.h:
474         (JSC::DFG::VariableEvent::birth):
475         (JSC::DFG::VariableEvent::id):
476         (JSC::DFG::VariableEvent::dataFormat):
477         * dfg/DFGVariableEventStream.cpp:
478         (JSC::DFG::VariableEventStream::reconstruct):
479         * tests/stress/phantom-direct-arguments-clobber-argument-count.js: Added.
480         (foo):
481         (bar):
482         * tests/stress/phantom-direct-arguments-clobber-callee.js: Added.
483         (foo):
484         (bar):
485
486 2015-04-24  Benjamin Poulain  <bpoulain@apple.com>
487
488         [JSC] When inserting a NaN into a Int32 array, we convert it to DoubleArray then to ContiguousArray
489         https://bugs.webkit.org/show_bug.cgi?id=144169
490
491         Reviewed by Geoffrey Garen.
492
493         * runtime/JSObject.cpp:
494         (JSC::JSObject::convertInt32ForValue):
495         A DoubleArray does not store NaN; NaNs are used for holes.
496         What happened was:
497         1) We fail to insert the NaN in the Int32 array because it is a double.
498         2) We were converting the array to DoubleArray.
499         3) We were trying to insert the value again. We would fail again because
500            DoubleArray does not store NaN.
501         4) We would convert the DoubleArray to ContiguousArray, converting the values
502            to boxed values.
503
504         * tests/stress/int32array-transition-on-nan.js: Added.
505         The behavior is not really observable. This only tests that nothing crashes in those
506         cases.
507
508         (insertNaNWhileFilling):
509         (testInsertNaNWhileFilling):
510         (insertNaNAfterFilling):
511         (testInsertNaNAfterFilling):
512         (pushNaNWhileFilling):
513         (testPushNaNWhileFilling):
514
515 2015-04-21  Geoffrey Garen  <ggaren@apple.com>
516
517         It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array.
518         https://bugs.webkit.org/show_bug.cgi?id=144013
519
520         Reviewed by Mark Lam.
521
522         This patch implements Array.prototype.sort in JavaScript, removing the
523         C++ implementations. It is simpler and less error-prone to express our
524         operations in JavaScript, which provides memory safety, exception safety,
525         and recursion safety.
526
527         The performance result is mixed, but net positive in my opinion. It's
528         difficult to enumerate all the results, since we used to have so many
529         different sorting modes, and there are lots of different data patterns
530         across which you might want to measure sorting. Suffice it to say:
531
532             (*) The benchmarks we track are faster or unchanged.
533
534             (*) Sorting random input using a comparator -- which we think is
535             common -- is 3X faster.
536
537             (*) Sorting random input in a non-array object -- which jQuery does
538             -- is 4X faster.
539
540             (*) Sorting random input in a compact array of integers using a
541             trivial pattern-matchable comparator is 2X *slower*.
542
543         * builtins/Array.prototype.js:
544         (sort.min):
545         (sort.stringComparator):
546         (sort.compactSparse): Special case compaction for sparse arrays because
547         we don't want to hang when sorting new Array(BIG).
548
549         (sort.compact):
550         (sort.merge):
551         (sort.mergeSort): Use merge sort because it's a reasonably efficient
552         stable sort. We have evidence that some sites depend on stable sort,
553         even though the ES6 spec does not mandate it. (See
554         <http://trac.webkit.org/changeset/33967>.)
555
556         This is a textbook implementation of merge sort with three optimizations:
557
558             (1) Use iteration instead of recursion;
559
560             (2) Use array subscripting instead of array copying in order to
561             create logical sub-lists without creating physical sub-lists;
562
563             (3) Swap src and dst at each iteration instead of copying src into
564             dst, and only copy src into the subject array at the end if src is
565             not the subject array.
566
567         (sort.inflate):
568         (sort.comparatorSort):
569         (sort): Sort in JavaScript for the win.
570
571         * builtins/BuiltinExecutables.cpp:
572         (JSC::BuiltinExecutables::createExecutableInternal): Allow non-private
573         names so we can use helper functions.
574
575         * bytecode/CodeBlock.h:
576         (JSC::CodeBlock::isNumericCompareFunction): Deleted.
577         * bytecode/UnlinkedCodeBlock.cpp:
578         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
579         * bytecode/UnlinkedCodeBlock.h:
580         (JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted.
581         (JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted.
582         * bytecompiler/BytecodeGenerator.cpp:
583         (JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted.
584         * bytecompiler/BytecodeGenerator.h:
585         * bytecompiler/NodesCodegen.cpp:
586         (JSC::FunctionNode::emitBytecode): We don't do this special casing based
587         on pattern matching anymore. This was mainly an optimization to avoid 
588         the overhead of calling from C++ to JS, which we now avoid by
589         sorting in JS.
590
591         * heap/Heap.cpp:
592         (JSC::Heap::markRoots):
593         (JSC::Heap::pushTempSortVector): Deleted.
594         (JSC::Heap::popTempSortVector): Deleted.
595         (JSC::Heap::visitTempSortVectors): Deleted.
596         * heap/Heap.h: We don't have temp sort vectors anymore because we sort
597         in JavaScript using a normal JavaScript array for our temporary storage.
598
599         * parser/Parser.cpp:
600         (JSC::Parser<LexerType>::parseInner): Allow capturing so we can use
601         helper functions.
602
603         * runtime/ArrayPrototype.cpp:
604         (JSC::isNumericCompareFunction): Deleted.
605         (JSC::attemptFastSort): Deleted.
606         (JSC::performSlowSort): Deleted.
607         (JSC::arrayProtoFuncSort): Deleted.
608
609         * runtime/CommonIdentifiers.h: New strings used by sort.
610
611         * runtime/JSArray.cpp:
612         (JSC::compareNumbersForQSortWithInt32): Deleted.
613         (JSC::compareNumbersForQSortWithDouble): Deleted.
614         (JSC::compareNumbersForQSort): Deleted.
615         (JSC::compareByStringPairForQSort): Deleted.
616         (JSC::JSArray::sortNumericVector): Deleted.
617         (JSC::JSArray::sortNumeric): Deleted.
618         (JSC::ContiguousTypeAccessor::getAsValue): Deleted.
619         (JSC::ContiguousTypeAccessor::setWithValue): Deleted.
620         (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted.
621         (JSC::ContiguousTypeAccessor<ArrayWithDouble>::getAsValue): Deleted.
622         (JSC::ContiguousTypeAccessor<ArrayWithDouble>::setWithValue): Deleted.
623         (JSC::ContiguousTypeAccessor<ArrayWithDouble>::replaceDataReference): Deleted.
624         (JSC::JSArray::sortCompactedVector): Deleted.
625         (JSC::JSArray::sort): Deleted.
626         (JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted.
627         (JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted.
628         (JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted.
629         (JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted.
630         (JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted.
631         (JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted.
632         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted.
633         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted.
634         (JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted.
635         (JSC::AVLTreeAbstractorForArrayCompare::null): Deleted.
636         (JSC::JSArray::sortVector): Deleted.
637         (JSC::JSArray::compactForSorting): Deleted.
638         * runtime/JSArray.h:
639
640         * runtime/JSGlobalObject.cpp:
641         (JSC::JSGlobalObject::init):
642         * runtime/ObjectConstructor.cpp:
643         (JSC::ObjectConstructor::finishCreation): Provide some builtins used
644         by sort.
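The merge sort structure the entry describes, written out as an added example rather than the patch's own `builtins/Array.prototype.js`: a bottom-up loop instead of recursion, index ranges instead of physical sub-lists, and src/dst buffers that trade roles after each pass with a single copy back only when the last pass ended in the scratch buffer. Ties take the left run, which is what makes the sort stable. The records used by `isStableSort` are constructed here.

```javascript
// Added example (not JavaScriptCore's own code): a bottom-up merge sort with
// the three optimizations the entry lists: iteration instead of recursion,
// index ranges instead of physical sub-lists, and src/dst buffers swapped
// on each pass with a single copy back only if the last pass ended in the
// scratch buffer. Stability is preserved by taking from the left run on ties.

// Merge src[lo, mid) and src[mid, hi) into dst[lo, hi), taking the left
// element on ties so equal keys keep their original order.
function merge(src, dst, lo, mid, hi, comparator) {
  let i = lo, j = mid, k = lo;
  while (i < mid && j < hi) {
    dst[k++] = comparator(src[j], src[i]) < 0 ? src[j++] : src[i++];
  }
  while (i < mid) dst[k++] = src[i++];
  while (j < hi) dst[k++] = src[j++];
}

// Sorts `array` in place and returns it. Runs of width 1, 2, 4, ... are
// merged from src into dst, then the two buffers trade roles.
function mergeSort(array, comparator) {
  const n = array.length;
  let src = array;
  let dst = new Array(n);
  for (let width = 1; width < n; width *= 2) {
    for (let lo = 0; lo < n; lo += 2 * width) {
      const mid = Math.min(lo + width, n);
      const hi = Math.min(lo + 2 * width, n);
      merge(src, dst, lo, mid, hi, comparator);
    }
    [src, dst] = [dst, src];
  }
  // After an odd number of passes the sorted data sits in the scratch
  // buffer; copy it back into the subject array only in that case.
  if (src !== array) {
    for (let i = 0; i < n; i++) array[i] = src[i];
  }
  return array;
}

// The default comparator compares ToString of the elements, as
// Array.prototype.sort does when no comparator is supplied.
function stringComparator(a, b) {
  const sa = String(a), sb = String(b);
  return sa < sb ? -1 : sa > sb ? 1 : 0;
}

// Sorts constructed records by key and checks that records with equal keys
// keep their input order, the property some sites depend on.
function isStableSort() {
  const records = [];
  for (let i = 0; i < 50; i++) records.push({ key: i % 5, seq: i });
  mergeSort(records, (a, b) => a.key - b.key);
  for (let i = 1; i < records.length; i++) {
    const prev = records[i - 1], cur = records[i];
    if (prev.key > cur.key) return false;
    if (prev.key === cur.key && prev.seq > cur.seq) return false;
  }
  return true;
}
```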
645
646 2015-04-24  Matthew Mirman  <mmirman@apple.com>
647
648         Made Object.prototype.__proto__ native getter and setter check that this object is not null or undefined
649         https://bugs.webkit.org/show_bug.cgi?id=141865
650         rdar://problem/19927273
651
652         Reviewed by Filip Pizlo.
653
654         * runtime/JSGlobalObjectFunctions.cpp:
655         (JSC::globalFuncProtoGetter):
656         (JSC::globalFuncProtoSetter):
657
658 2015-04-23  Benjamin Poulain  <bpoulain@apple.com>
659
660         Remove a useless branch on DFGGraph::addShouldSpeculateMachineInt()
661         https://bugs.webkit.org/show_bug.cgi?id=144118
662
663         Reviewed by Geoffrey Garen.
664
665         * dfg/DFGGraph.h:
666         (JSC::DFG::Graph::addShouldSpeculateMachineInt):
667         Both blocks do the same thing.
668
669 2015-04-23  Joseph Pecoraro  <pecoraro@apple.com>
670
671         Web Inspector: Speculative fix for non-main thread auto-attach failures
672         https://bugs.webkit.org/show_bug.cgi?id=144134
673
674         Reviewed by Timothy Hatcher.
675
676         * inspector/remote/RemoteInspector.mm:
677         (Inspector::RemoteInspector::singleton):
678
679 2015-04-23  Basile Clement  <basile_clement@apple.com>
680
681         Allow function allocation sinking
682         https://bugs.webkit.org/show_bug.cgi?id=144016
683
684         Reviewed by Filip Pizlo.
685
686         This adds the ability to sink function allocations in the
687         DFGObjectAllocationSinkingPhase.
688
689         In order to enable this, we add a new PhantomNewFunction node that is
690         used similarly to the PhantomNewObject node, i.e. as a placeholder to replace
691         a sunk NewFunction and keep track of the allocations that have to be performed
692         in case of OSR exit after the sunk allocation but before the real one.
693         The FunctionExecutable and JSLexicalEnvironment (activation) of the function
694         are stored onto the PhantomNewFunction through PutHints in order for them
695         to be recovered on OSR exit.
696         support any kind of operations (e.g. storing into a field); any such operation
697         Contrary to sunk object allocations, sunk function allocations do not
698         support any kind of operations (e.g. storing into a field) ; any such operation
699         will mark the function allocation as escaping and trigger materialization. As
700         such, function allocations can only be sunk to places where it would have been
701         correct to syntactically move them, and we don't need a special
702         MaterializeNewFunction node to recover possible operations on the function. A
703         sunk NewFunction node will simply create new NewFunction nodes, then replace
704         itself with a PhantomNewFunction node.
705
706         In itself, this change is not expected to have a significant impact on
707         performance other than in degenerate cases (see e.g.
708         JSRegress/sink-function), but it is a step towards being able to sink recursive
709         closures once we support CreateActivation sinking as well as allocation cycles
710         sinking.
711
712         * dfg/DFGAbstractInterpreterInlines.h:
713         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
714         * dfg/DFGClobberize.h:
715         (JSC::DFG::clobberize):
716         * dfg/DFGDoesGC.cpp:
717         (JSC::DFG::doesGC):
718         * dfg/DFGFixupPhase.cpp:
719         (JSC::DFG::FixupPhase::fixupNode):
720         * dfg/DFGNode.h:
721         (JSC::DFG::Node::convertToPhantomNewFunction):
722         (JSC::DFG::Node::isPhantomAllocation):
723         * dfg/DFGNodeType.h:
724         * dfg/DFGObjectAllocationSinkingPhase.cpp:
725         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
726         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
727         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
728         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
729         * dfg/DFGPredictionPropagationPhase.cpp:
730         (JSC::DFG::PredictionPropagationPhase::propagate):
731         * dfg/DFGPromotedHeapLocation.cpp:
732         (WTF::printInternal):
733         * dfg/DFGPromotedHeapLocation.h:
734         * dfg/DFGSafeToExecute.h:
735         (JSC::DFG::safeToExecute):
736         * dfg/DFGSpeculativeJIT32_64.cpp:
737         (JSC::DFG::SpeculativeJIT::compile):
738         * dfg/DFGSpeculativeJIT64.cpp:
739         (JSC::DFG::SpeculativeJIT::compile):
740         * dfg/DFGValidate.cpp:
741         (JSC::DFG::Validate::validateCPS):
742         * ftl/FTLCapabilities.cpp:
743         (JSC::FTL::canCompile):
744         * ftl/FTLLowerDFGToLLVM.cpp:
745         (JSC::FTL::LowerDFGToLLVM::compileNode):
746         * ftl/FTLOperations.cpp:
747         (JSC::FTL::operationMaterializeObjectInOSR):
748         * tests/stress/function-sinking-no-double-allocate.js: Added.
749         (call):
750         (.f):
751         (sink):
752         * tests/stress/function-sinking-osrexit.js: Added.
753         (.g):
754         (sink):
755         * tests/stress/function-sinking-put.js: Added.
756         (.g):
757         (sink):
758
759 2015-04-23  Basile Clement  <basile_clement@apple.com>
760
761         Make FunctionRareData allocation thread-safe
762         https://bugs.webkit.org/show_bug.cgi?id=144001
763
764         Reviewed by Mark Lam.
765
766         The two things we want to prevent are:
767
768          1. A thread seeing a pointer to a not-yet-fully-created rare data from
769             a JSFunction
770          2. A thread seeing a pointer to a not-yet-fully-created Structure from
771             an ObjectAllocationProfile
772
773         For 1., only the JS thread can be creating the rare data (in
774         runtime/CommonSlowPaths.cpp or in dfg/DFGOperations.cpp), so we don't need to
775         worry about concurrent writes, and we don't need any fences when *reading* the
776         rare data from the JS thread. Thus we only need a storeStoreFence between the
777         rare data creation and assignment to m_rareData in
778         JSFunction::createAndInitializeRareData() to ensure that when the store to
779         m_rareData is issued, the rare data has been properly created.
780
781         For the DFG compilation threads, the only place they can access the
782         rare data is through JSFunction::rareData(), and so we only need a
783         loadLoadFence there to ensure that when we see a non-null pointer in
784         m_rareData, the pointed object will be seen as a fully created
785         FunctionRareData.
786
787
788         For 2., the structure is created in
789         ObjectAllocationProfile::initialize() (which appears to be called only by the
790         JS thread as well, in bytecode/CodeBlock.cpp and on rare data initialization,
791         which always happen in the JS thread), and read through
792         ObjectAllocationProfile::structure() and
793         ObjectAllocationProfile::inlineCapacity(), so following the same reasoning we
794         put a storeStoreFence in ObjectAllocationProfile::initialize() and a
795         loadLoadFence in ObjectAllocationProfile::structure() (and change
796         ObjectAllocationProfile::inlineCapacity() to go through
797         ObjectAllocationProfile::structure()).
798
799         We don't need a fence in ObjectAllocationProfile::clear() because
800         clearing the structure is already as atomic as it gets.
801
802         Finally, notice that we don't care about the ObjectAllocationProfile's
803         m_allocator as that is only used by ObjectAllocationProfile::initialize() and
804         ObjectAllocationProfile::clear() that are always run in the JS thread.
805         ObjectAllocationProfile::isNull() could cause some trouble, but it is
806         currently only used in the ObjectAllocationProfile::clear()'s ASSERT in the JS
807         thread.  Doing isNull()-style pre-checks would be wrong in any other concurrent
808         thread anyway.
809
810         * bytecode/ObjectAllocationProfile.h:
811         (JSC::ObjectAllocationProfile::initialize):
812         (JSC::ObjectAllocationProfile::structure):
813         (JSC::ObjectAllocationProfile::inlineCapacity):
814         * runtime/JSFunction.cpp:
815         (JSC::JSFunction::allocateAndInitializeRareData):
816         * runtime/JSFunction.h:
817         (JSC::JSFunction::rareData):
818         (JSC::JSFunction::allocationStructure): Deleted.
819         This is no longer used, as all the accesses to the ObjectAllocationProfile go through the rare data.
820
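The publication pattern described in the entry above, as an added C++ example that is not JavaScriptCore's code: a constructed RareData stand-in is created on the owner thread, a release fence (the role the entry gives storeStoreFence) orders its field stores before the pointer store, and readers on other threads issue an acquire fence (the role of loadLoadFence) after loading the pointer. All names are hypothetical, and std::atomic_thread_fence is the standard-library equivalent assumed for the WTF fences.

```cpp
#include <atomic>
#include <cstdint>
#include <thread>
#include <vector>

// Constructed stand-in for FunctionRareData: several fields that must all be visible
// to a reader before that reader is allowed to see a non-null pointer to the object.
struct RareData {
    uint32_t inlineCapacity;
    uint64_t structureId;
    bool initialized;
};

class Function {
public:
    Function() : m_rareData(nullptr) { }
    ~Function() { delete m_rareData.load(std::memory_order_relaxed); }

    // Writer side, the role of JSFunction::createAndInitializeRareData(). Only the owner
    // ("JS") thread calls this, so there is no writer/writer race; the release fence is the
    // std::atomic equivalent of the storeStoreFence: every field store above it is ordered
    // before the pointer store below it.
    RareData* allocateAndInitializeRareData(uint32_t inlineCapacity, uint64_t structureId)
    {
        RareData* data = new RareData { inlineCapacity, structureId, true };
        std::atomic_thread_fence(std::memory_order_release);
        m_rareData.store(data, std::memory_order_relaxed);
        return data;
    }

    // Owner-thread read: the same thread wrote the pointer, so no fence is needed.
    RareData* rareDataOnOwnerThread() { return m_rareData.load(std::memory_order_relaxed); }

    // Concurrent-reader side, the role of JSFunction::rareData() on a compilation thread.
    // The acquire fence is the equivalent of the loadLoadFence: if the pointer loaded above
    // it is non-null, the field loads below it observe the fully initialized object.
    const RareData* rareDataFromCompilerThread() const
    {
        RareData* data = m_rareData.load(std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_acquire);
        return data;
    }

private:
    std::atomic<RareData*> m_rareData;
};

// Constructed check: readerCount threads spin until they see the pointer, then verify every
// field. Returns false if any reader observed a half-initialized object.
bool publishAndObserve(unsigned readerCount)
{
    Function function;
    std::atomic<bool> allConsistent { true };
    std::vector<std::thread> readers;
    for (unsigned i = 0; i < readerCount; ++i) {
        readers.emplace_back([&function, &allConsistent] {
            const RareData* data = nullptr;
            while (!(data = function.rareDataFromCompilerThread()))
                std::this_thread::yield();
            if (!data->initialized || data->inlineCapacity != 6 || data->structureId != 0x1234)
                allConsistent.store(false, std::memory_order_relaxed);
        });
    }
    function.allocateAndInitializeRareData(6, 0x1234);
    for (std::thread& reader : readers)
        reader.join();
    return allConsistent.load(std::memory_order_relaxed);
}
```

Clearing the pointer (the entry's ObjectAllocationProfile::clear() case) needs no fence in this scheme either: a single relaxed store of nullptr is as atomic as it gets.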
821 2015-04-22  Filip Pizlo  <fpizlo@apple.com>
822
823         DFG should insert Phantoms late using BytecodeKills and block-local OSR availability
824         https://bugs.webkit.org/show_bug.cgi?id=143735
825
826         Reviewed by Geoffrey Garen.
827         
828         We've always had bugs arising from the fact that we would MovHint something into a local,
829         and then fail to keep it alive. We would then try to keep things alive by putting Phantoms
830         on those Nodes that were MovHinted. But this became increasingly tricky. Given the
831         sophistication of the transformations we are doing today, this approach is just not sound
832         anymore.
833         
834         This comprehensively fixes these bugs by having the DFG backend automatically insert
835         Phantoms just before codegen based on bytecode liveness. To make this practical, this also
836         makes it much faster to query bytecode liveness.
837         
838         It's about as perf-neutral as it gets for a change that increases compiler work without
839         actually optimizing anything. Later changes will remove the old Phantom-preserving logic,
840         which should then speed us up. I can't really report concrete slow-down numbers because
841         they are low enough to basically be in the noise. For example, a 20-iteration run of
842         SunSpider yields "maybe 0.8% slower", whatever that means.
843
844         * CMakeLists.txt:
845         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
846         * JavaScriptCore.xcodeproj/project.pbxproj:
847         * bytecode/BytecodeLivenessAnalysis.cpp:
848         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
849         * bytecode/FullBytecodeLiveness.h:
850         (JSC::FullBytecodeLiveness::getLiveness):
851         * bytecode/VirtualRegister.h:
852         (JSC::VirtualRegister::operator+):
853         (JSC::VirtualRegister::operator-):
854         * dfg/DFGForAllKills.h:
855         (JSC::DFG::forAllLiveNodesAtTail):
856         (JSC::DFG::forAllKilledOperands):
857         (JSC::DFG::forAllKilledNodesAtNodeIndex):
858         * dfg/DFGGraph.cpp:
859         (JSC::DFG::Graph::isLiveInBytecode):
860         (JSC::DFG::Graph::localsLiveInBytecode):
861         * dfg/DFGGraph.h:
862         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
863         (JSC::DFG::Graph::forAllLiveInBytecode):
864         * dfg/DFGMayExit.cpp:
865         (JSC::DFG::mayExit):
866         * dfg/DFGMovHintRemovalPhase.cpp:
867         * dfg/DFGNodeType.h:
868         * dfg/DFGPhantomInsertionPhase.cpp: Added.
869         (JSC::DFG::performPhantomInsertion):
870         * dfg/DFGPhantomInsertionPhase.h: Added.
871         * dfg/DFGPlan.cpp:
872         (JSC::DFG::Plan::compileInThreadImpl):
873         * dfg/DFGScoreBoard.h:
874         (JSC::DFG::ScoreBoard::sortFree):
875         (JSC::DFG::ScoreBoard::assertClear):
876         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
877         (JSC::DFG::VirtualRegisterAllocationPhase::run):
878         * ftl/FTLLowerDFGToLLVM.cpp:
879         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
880         * tests/stress/phantom-inadequacy.js: Added.
881         (bar):
882         (baz):
883         (foo):
884
885 2015-04-23  Filip Pizlo  <fpizlo@apple.com>
886
887         Rename HardPhantom to MustGenerate.
888
889         Rubber stamped by Geoffrey Garen.
890         
891         We are steadily moving towards Phantom just being a backend hack in the DFG. HardPhantom
892         is more than that; it's a utility for forcing the execution of otherwise killable nodes.
893         NodeMustGenerate is the flag we use to indicate that something isn't killable. So this
894         node should just be called MustGenerate.
895
896         * dfg/DFGAbstractInterpreterInlines.h:
897         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
898         * dfg/DFGArgumentsEliminationPhase.cpp:
899         * dfg/DFGClobberize.h:
900         (JSC::DFG::clobberize):
901         * dfg/DFGDCEPhase.cpp:
902         (JSC::DFG::DCEPhase::run):
903         * dfg/DFGDoesGC.cpp:
904         (JSC::DFG::doesGC):
905         * dfg/DFGFixupPhase.cpp:
906         (JSC::DFG::FixupPhase::fixupNode):
907         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
908         * dfg/DFGIntegerCheckCombiningPhase.cpp:
909         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
910         * dfg/DFGMayExit.cpp:
911         (JSC::DFG::mayExit):
912         * dfg/DFGNode.h:
913         (JSC::DFG::Node::willHaveCodeGenOrOSR):
914         * dfg/DFGNodeType.h:
915         * dfg/DFGObjectAllocationSinkingPhase.cpp:
916         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
917         * dfg/DFGPhantomCanonicalizationPhase.cpp:
918         (JSC::DFG::PhantomCanonicalizationPhase::run):
919         * dfg/DFGPhantomRemovalPhase.cpp:
920         (JSC::DFG::PhantomRemovalPhase::run):
921         * dfg/DFGPredictionPropagationPhase.cpp:
922         (JSC::DFG::PredictionPropagationPhase::propagate):
923         * dfg/DFGSafeToExecute.h:
924         (JSC::DFG::safeToExecute):
925         * dfg/DFGSpeculativeJIT32_64.cpp:
926         (JSC::DFG::SpeculativeJIT::compile):
927         * dfg/DFGSpeculativeJIT64.cpp:
928         (JSC::DFG::SpeculativeJIT::compile):
929         * dfg/DFGTypeCheckHoistingPhase.cpp:
930         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
931         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
932         * dfg/DFGVarargsForwardingPhase.cpp:
933         * ftl/FTLCapabilities.cpp:
934         (JSC::FTL::canCompile):
935         * ftl/FTLLowerDFGToLLVM.cpp:
936         (JSC::FTL::LowerDFGToLLVM::compileNode):
937
938 2015-04-23  Jordan Harband  <ljharb@gmail.com>
939
940         Implement `Object.assign`
941         https://bugs.webkit.org/show_bug.cgi?id=143980
942
943         Reviewed by Filip Pizlo.
944
945         Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.assign
946
947         * builtins/ObjectConstructor.js: Added.
948         (assign):
949         * runtime/CommonIdentifiers.h:
950         * runtime/JSGlobalObject.cpp:
951         (JSC::JSGlobalObject::init):
952         * runtime/ObjectConstructor.cpp:
953         * runtime/ObjectConstructor.h:
954
955 2015-04-22  Filip Pizlo  <fpizlo@apple.com>
956
957         Unreviewed, fix debug build.
958
959         * dfg/DFGGraph.h:
960         (JSC::DFG::Graph::performSubstitutionForEdge):
961
962 2015-04-22  Filip Pizlo  <fpizlo@apple.com>
963
964         Nodes should have an optional epoch field
965         https://bugs.webkit.org/show_bug.cgi?id=144084
966
967         Reviewed by Ryosuke Niwa and Mark Lam.
968         
969         This makes it easier to do epoch-based analyses on nodes. I plan to do just that in
970         https://bugs.webkit.org/show_bug.cgi?id=143735. Currently the epoch field is not yet
971         used.
972
973         * dfg/DFGCPSRethreadingPhase.cpp:
974         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
975         * dfg/DFGCSEPhase.cpp:
976         * dfg/DFGEpoch.h:
977         (JSC::DFG::Epoch::fromUnsigned):
978         (JSC::DFG::Epoch::toUnsigned):
979         * dfg/DFGGraph.cpp:
980         (JSC::DFG::Graph::clearReplacements):
981         (JSC::DFG::Graph::clearEpochs):
982         * dfg/DFGGraph.h:
983         (JSC::DFG::Graph::performSubstitutionForEdge):
984         * dfg/DFGNode.h:
985         (JSC::DFG::Node::Node):
986         (JSC::DFG::Node::replaceWith):
987         (JSC::DFG::Node::replacement):
988         (JSC::DFG::Node::setReplacement):
989         (JSC::DFG::Node::epoch):
990         (JSC::DFG::Node::setEpoch):
991         * dfg/DFGSSAConversionPhase.cpp:
992         (JSC::DFG::SSAConversionPhase::run):
993
994 2015-04-22  Mark Lam  <mark.lam@apple.com>
995
996         Fix assertion failure and race condition in Options::dumpSourceAtDFGTime().
997         https://bugs.webkit.org/show_bug.cgi?id=143898
998
999         Reviewed by Filip Pizlo.
1000
1001         CodeBlock::dumpSource() will access SourceCode strings in a way that requires
1002         ref'ing of the underlying StringImpls. This is unsafe to do from arbitrary
1003         compilation threads because StringImpls are not thread safe. As a result, we get
1004         an assertion failure when we run with JSC_dumpSourceAtDFGTime=true on a debug
1005         build.
1006
1007         This patch fixes the issue by only collecting the CodeBlock (and associated info)
1008         into a DeferredSourceDump record while compiling, and stashing it away in a
1009         deferredSourceDump list in the DeferredCompilationCallback object to be dumped
1010         later.
1011
1012         When compilation is done, the callback object will be notified that
1013         compilationDidComplete().  We will dump the SourceCode strings from there. 
1014         Since compilationDidComplete() is guaranteed to only be called on the thread
1015         doing JS execution, it is safe to access the SourceCode strings there and ref
1016         their underlying StringImpls as needed.        
1017
1018         * CMakeLists.txt:
1019         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1020         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1021         * JavaScriptCore.xcodeproj/project.pbxproj:
1022         * bytecode/DeferredCompilationCallback.cpp:
1023         (JSC::DeferredCompilationCallback::compilationDidComplete):
1024         (JSC::DeferredCompilationCallback::sourceDumpInfo):
1025         (JSC::DeferredCompilationCallback::dumpCompiledSources):
1026         * bytecode/DeferredCompilationCallback.h:
1027         * bytecode/DeferredSourceDump.cpp: Added.
1028         (JSC::DeferredSourceDump::DeferredSourceDump):
1029         (JSC::DeferredSourceDump::dump):
1030         * bytecode/DeferredSourceDump.h: Added.
1031         * dfg/DFGByteCodeParser.cpp:
1032         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1033         * dfg/DFGDriver.cpp:
1034         (JSC::DFG::compileImpl):
1035
1036 2015-04-22  Benjamin Poulain  <benjamin@webkit.org>
1037
1038         Implement String.codePointAt()
1039         https://bugs.webkit.org/show_bug.cgi?id=143934
1040
1041         Reviewed by Darin Adler.
1042
1043         This patch adds String.codePointAt() as defined by ES6.
1044         I opted for a C++ implementation for now.
1045
1046         * runtime/StringPrototype.cpp:
1047         (JSC::StringPrototype::finishCreation):
1048         (JSC::codePointAt):
1049         (JSC::stringProtoFuncCodePointAt):
1050
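An added example, not the patch's code, of the ES6 codePointAt algorithm the entry above implements, written over a UTF-16 string in C++ and covering the edge cases the spec handles: out-of-range positions, a lone high surrogate at the end of the string, a high surrogate not followed by a low surrogate, and the ToInteger coercion of the position argument. The function names and the sample string are constructed.

```cpp
#include <cmath>
#include <cstdint>
#include <optional>
#include <string>

// ES6 String.prototype.codePointAt over a UTF-16 string, following the spec algorithm:
//  - position out of range                                        -> nullopt (JS `undefined`)
//  - first code unit not a high surrogate, or it is the last unit -> that code unit
//  - next unit not a low surrogate                                -> the lone high surrogate
//  - otherwise                                                    -> the decoded code point
std::optional<uint32_t> codePointAt(const std::u16string& string, size_t position)
{
    size_t size = string.size();
    if (position >= size)
        return std::nullopt;
    uint32_t first = string[position];
    if (first < 0xD800 || first > 0xDBFF || position + 1 == size)
        return first;
    uint32_t second = string[position + 1];
    if (second < 0xDC00 || second > 0xDFFF)
        return first;
    return (first - 0xD800) * 0x400 + (second - 0xDC00) + 0x10000;
}

// The JS-visible entry point also runs ToInteger on the argument: NaN becomes 0, fractions
// truncate toward zero, and negative or too-large positions yield undefined.
std::optional<uint32_t> codePointAtWithCoercion(const std::u16string& string, double position)
{
    double integer = std::isnan(position) ? 0.0 : std::trunc(position);
    if (integer < 0 || integer >= static_cast<double>(string.size()))
        return std::nullopt;
    return codePointAt(string, static_cast<size_t>(integer));
}

// Constructed sample: "a", then U+1F600 as the surrogate pair D83D DE00, then a lone D83D.
std::u16string sampleString()
{
    std::u16string string;
    string.push_back(u'a');
    string.push_back(0xD83D);
    string.push_back(0xDE00);
    string.push_back(0xD83D);
    return string;
}
```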
1051 2015-04-22  Mark Lam  <mark.lam@apple.com>
1052
1053         SparseArrayEntry's write barrier owner should be the SparseArrayValueMap.
1054         https://bugs.webkit.org/show_bug.cgi?id=144067
1055
1056         Reviewed by Michael Saboff.
1057
1058         Currently, there are a few places where the JSObject that owns the
1059         SparseArrayValueMap is designated as the owner of the SparseArrayEntry
1060         write barrier.  This is a bug and can result in the GC collecting the
1061         SparseArrayEntry even though it is being referenced by the
1062         SparseArrayValueMap.  This patch fixes the bug.
1063
1064         * runtime/JSObject.cpp:
1065         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1066         (JSC::JSObject::putIndexedDescriptor):
1067         * tests/stress/sparse-array-entry-update-144067.js: Added.
1068         (useMemoryToTriggerGCs):
1069         (foo):
1070
1071 2015-04-22  Mark Lam  <mark.lam@apple.com>
1072
1073         Give the heap object iterators the ability to return early.
1074         https://bugs.webkit.org/show_bug.cgi?id=144011
1075
1076         Reviewed by Michael Saboff.
1077
1078         JSDollarVMPrototype::isValidCell() uses a heap object iterator to validate
1079         candidate cell pointers, and, when in use, is called a lot more often than
1080         the normal way those iterators are used.  As a result, I see my instrumented
1081         VM killed with a SIGXCPU (CPU time limit exceeded).  This patch gives the
1082         callback functor the ability to tell the iterators to return early when the
1083         functor no longer needs to continue iterating.  With this, my instrumented
1084         VM is useful again for debugging.
1085
1086         Since heap iteration is not something that we do in a typical fast path,
1087         I don't expect this to have any noticeable impact on performance.
1088
1089         I also renamed ObjectAddressCheckFunctor to CellAddressCheckFunctor since
1090         it checks JSCell addresses, not just JSObjects.
1091
1092         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1093         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1094         * JavaScriptCore.xcodeproj/project.pbxproj:
1095         * debugger/Debugger.cpp:
1096         * heap/GCLogging.cpp:
1097         (JSC::LoggingFunctor::operator()):
1098         * heap/Heap.cpp:
1099         (JSC::Zombify::visit):
1100         (JSC::Zombify::operator()):
1101         * heap/HeapStatistics.cpp:
1102         (JSC::StorageStatistics::visit):
1103         (JSC::StorageStatistics::operator()):
1104         * heap/HeapVerifier.cpp:
1105         (JSC::GatherLiveObjFunctor::visit):
1106         (JSC::GatherLiveObjFunctor::operator()):
1107         * heap/MarkedBlock.cpp:
1108         (JSC::SetNewlyAllocatedFunctor::operator()):
1109         * heap/MarkedBlock.h:
1110         (JSC::MarkedBlock::forEachCell):
1111         (JSC::MarkedBlock::forEachLiveCell):
1112         (JSC::MarkedBlock::forEachDeadCell):
1113         * heap/MarkedSpace.h:
1114         (JSC::MarkedSpace::forEachLiveCell):
1115         (JSC::MarkedSpace::forEachDeadCell):
1116         * inspector/agents/InspectorRuntimeAgent.cpp:
1117         (Inspector::TypeRecompiler::visit):
1118         (Inspector::TypeRecompiler::operator()):
1119         * runtime/IterationStatus.h: Added.
1120         * runtime/JSGlobalObject.cpp:
1121         * runtime/VM.cpp:
1122         (JSC::StackPreservingRecompiler::visit):
1123         (JSC::StackPreservingRecompiler::operator()):
1124         * tools/JSDollarVMPrototype.cpp:
1125         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
1126         (JSC::CellAddressCheckFunctor::operator()):
1127         (JSC::JSDollarVMPrototype::isValidCell):
1128         (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor): Deleted.
1129         (JSC::ObjectAddressCheckFunctor::operator()): Deleted.
1130
1131 2015-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1132
1133         [[Set]] should be properly executed in JS builtins
1134         https://bugs.webkit.org/show_bug.cgi?id=143996
1135
1136         Reviewed by Geoffrey Garen.
1137
1138         Currently, all assignments in builtins JS code are compiled into put_by_val_direct.
1139         However,
1140
1141         1. Some functions (like Array.from) need [[Set]] (but they are now compiled into put_by_val_direct, [[DefineOwnProperty]]).
1142         2. It's different from the default JS behavior.
1143
1144         In this patch, we implement the bytecode intrinsic emitting put_by_val_direct and use it explicitly,
1145         dropping the current hack for builtins.
1146
1147         * builtins/Array.prototype.js:
1148         (filter):
1149         (map):
1150         (find):
1151         * bytecompiler/BytecodeGenerator.cpp:
1152         (JSC::BytecodeGenerator::emitPutByVal):
1153         * tests/stress/array-fill-put-by-val.js: Added.
1154         (shouldThrow):
1155         (.set get array):
1156         * tests/stress/array-filter-put-by-val-direct.js: Added.
1157         (shouldBe):
1158         (.set get var):
1159         * tests/stress/array-find-does-not-lookup-twice.js: Added.
1160         (shouldBe):
1161         (shouldThrow):
1162         (.get shouldBe):
1163         * tests/stress/array-from-put-by-val-direct.js: Added.
1164         (shouldBe):
1165         (.set get var):
1166         * tests/stress/array-from-set-length.js: Added.
1167         (shouldBe):
1168         (ArrayLike):
1169         (ArrayLike.prototype.set length):
1170         (ArrayLike.prototype.get length):
1171         * tests/stress/array-map-put-by-val-direct.js: Added.
1172         (shouldBe):
1173         (.set get var):
1174
1175 2015-04-22  Basile Clement  <basile_clement@apple.com>
1176  
1177         Don't de-allocate FunctionRareData
1178         https://bugs.webkit.org/show_bug.cgi?id=144000
1179
1180         Reviewed by Michael Saboff.
1181
1182         A function rare data (containing most notably its allocation profile) is currently
1183         freed and re-allocated each time the function's prototype is cleared.
1184         This is not optimal as it means we are invalidating the watchpoint and recompiling the
1185         scope each time the prototype is cleared.
1186
1187         This makes it so that a single rare data is reused, clearing the underlying
1188         ObjectAllocationProfile instead of throwing away the whole rare data on
1189         .prototype updates.
1190
1191         * runtime/FunctionRareData.cpp:
1192         (JSC::FunctionRareData::create):
1193         (JSC::FunctionRareData::finishCreation):
1194         * runtime/FunctionRareData.h:
1195         * runtime/JSFunction.cpp:
1196         (JSC::JSFunction::allocateAndInitializeRareData):
1197         (JSC::JSFunction::initializeRareData):
1198
1199 2015-04-21  Filip Pizlo  <fpizlo@apple.com>
1200
1201         Unreviewed, fix 32-bit. Forgot to make this simple change to 32_64 as well.
1202
1203         * dfg/DFGSpeculativeJIT32_64.cpp:
1204         (JSC::DFG::SpeculativeJIT::compile):
1205
1206 2015-04-21  Filip Pizlo  <fpizlo@apple.com>
1207
1208         DFG should allow Phantoms after terminals
1209         https://bugs.webkit.org/show_bug.cgi?id=126778
1210
1211         Reviewed by Mark Lam.
1212         
1213         It's important for us to be able to place liveness-marking nodes after nodes that do
1214         things. These liveness-marking nodes are nops. Previously, we disallowed such nodes after
1215         terminals. That made things awkward, especially for Switch and Branch, which may do
1216         things that necessitate liveness markers (for example they might want to use a converted
1217         version of a value rather than the value that was MovHinted). We previously made this
1218         work by disallowing certain optimizations on Switch and Branch, which was probably a bad
1219         thing.
1220         
1221         This changes our IR to allow for the terminal to not be the last node in a block. Asking
1222         for the terminal involves a search. DFG::validate() checks that the nodes after the
1223         terminal are liveness markers that have no effects or checks.
1224         
1225         This is perf-neutral but will allow more optimizations in the future. It will also make
1226         it cleaner to fix https://bugs.webkit.org/show_bug.cgi?id=143735.
1227
1228         * dfg/DFGBasicBlock.cpp:
1229         (JSC::DFG::BasicBlock::replaceTerminal):
1230         * dfg/DFGBasicBlock.h:
1231         (JSC::DFG::BasicBlock::findTerminal):
1232         (JSC::DFG::BasicBlock::terminal):
1233         (JSC::DFG::BasicBlock::insertBeforeTerminal):
1234         (JSC::DFG::BasicBlock::numSuccessors):
1235         (JSC::DFG::BasicBlock::successor):
1236         (JSC::DFG::BasicBlock::successorForCondition):
1237         (JSC::DFG::BasicBlock::successors):
1238         (JSC::DFG::BasicBlock::last): Deleted.
1239         (JSC::DFG::BasicBlock::takeLast): Deleted.
1240         (JSC::DFG::BasicBlock::insertBeforeLast): Deleted.
1241         (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable): Deleted.
1242         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator): Deleted.
1243         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*): Deleted.
1244         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++): Deleted.
1245         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==): Deleted.
1246         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=): Deleted.
1247         (JSC::DFG::BasicBlock::SuccessorsIterable::begin): Deleted.
1248         (JSC::DFG::BasicBlock::SuccessorsIterable::end): Deleted.
1249         * dfg/DFGBasicBlockInlines.h:
1250         (JSC::DFG::BasicBlock::appendNonTerminal):
1251         (JSC::DFG::BasicBlock::replaceTerminal):
1252         * dfg/DFGByteCodeParser.cpp:
1253         (JSC::DFG::ByteCodeParser::addToGraph):
1254         (JSC::DFG::ByteCodeParser::inlineCall):
1255         (JSC::DFG::ByteCodeParser::handleInlining):
1256         (JSC::DFG::ByteCodeParser::parseBlock):
1257         (JSC::DFG::ByteCodeParser::linkBlock):
1258         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1259         * dfg/DFGCFGSimplificationPhase.cpp:
1260         (JSC::DFG::CFGSimplificationPhase::run):
1261         (JSC::DFG::CFGSimplificationPhase::convertToJump):
1262         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1263         * dfg/DFGCPSRethreadingPhase.cpp:
1264         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1265         * dfg/DFGCommon.h:
1266         (JSC::DFG::NodeAndIndex::NodeAndIndex):
1267         (JSC::DFG::NodeAndIndex::operator!):
1268         * dfg/DFGFixupPhase.cpp:
1269         (JSC::DFG::FixupPhase::fixupBlock):
1270         (JSC::DFG::FixupPhase::fixupNode):
1271         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
1272         (JSC::DFG::FixupPhase::clearPhantomsAtEnd): Deleted.
1273         * dfg/DFGForAllKills.h:
1274         (JSC::DFG::forAllLiveNodesAtTail):
1275         * dfg/DFGGraph.cpp:
1276         (JSC::DFG::Graph::terminalsAreValid):
1277         (JSC::DFG::Graph::dumpBlockHeader):
1278         * dfg/DFGGraph.h:
1279         * dfg/DFGInPlaceAbstractState.cpp:
1280         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1281         * dfg/DFGLICMPhase.cpp:
1282         (JSC::DFG::LICMPhase::run):
1283         (JSC::DFG::LICMPhase::attemptHoist):
1284         * dfg/DFGMovHintRemovalPhase.cpp:
1285         * dfg/DFGNode.h:
1286         (JSC::DFG::Node::SuccessorsIterable::SuccessorsIterable):
1287         (JSC::DFG::Node::SuccessorsIterable::iterator::iterator):
1288         (JSC::DFG::Node::SuccessorsIterable::iterator::operator*):
1289         (JSC::DFG::Node::SuccessorsIterable::iterator::operator++):
1290         (JSC::DFG::Node::SuccessorsIterable::iterator::operator==):
1291         (JSC::DFG::Node::SuccessorsIterable::iterator::operator!=):
1292         (JSC::DFG::Node::SuccessorsIterable::begin):
1293         (JSC::DFG::Node::SuccessorsIterable::end):
1294         (JSC::DFG::Node::successors):
1295         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1296         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
1297         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
1298         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
1299         * dfg/DFGPhantomRemovalPhase.cpp:
1300         (JSC::DFG::PhantomRemovalPhase::run):
1301         * dfg/DFGPutStackSinkingPhase.cpp:
1302         * dfg/DFGSSAConversionPhase.cpp:
1303         (JSC::DFG::SSAConversionPhase::run):
1304         * dfg/DFGSpeculativeJIT.h:
1305         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
1306         * dfg/DFGSpeculativeJIT32_64.cpp:
1307         (JSC::DFG::SpeculativeJIT::compile):
1308         * dfg/DFGSpeculativeJIT64.cpp:
1309         (JSC::DFG::SpeculativeJIT::compile):
1310         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1311         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
1312         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1313         (JSC::DFG::TierUpCheckInjectionPhase::run):
1314         * dfg/DFGValidate.cpp:
1315         (JSC::DFG::Validate::validate):
1316         * ftl/FTLLowerDFGToLLVM.cpp:
1317         (JSC::FTL::LowerDFGToLLVM::compileNode):
1318         * tests/stress/closure-call-exit.js: Added.
1319         (foo):
1320
1321 2015-04-21  Basile Clement  <basile_clement@apple.com>
1322
1323         PhantomNewObject should be marked NodeMustGenerate
1324         https://bugs.webkit.org/show_bug.cgi?id=143974
1325
1326         Reviewed by Filip Pizlo.
1327
1328         * dfg/DFGNode.h:
1329         (JSC::DFG::Node::convertToPhantomNewObject):
1330         Was not properly marking NodeMustGenerate when converting.
1331
1332 2015-04-21  Filip Pizlo  <fpizlo@apple.com>
1333
1334         DFG Call/ConstructForwardVarargs fails to restore the stack pointer
1335         https://bugs.webkit.org/show_bug.cgi?id=144007
1336
1337         Reviewed by Mark Lam.
1338         
1339         We were conditioning the stack pointer restoration on isVarargs, but we also need to do it
1340         if isForwardVarargs.
1341
1342         * dfg/DFGSpeculativeJIT32_64.cpp:
1343         (JSC::DFG::SpeculativeJIT::emitCall):
1344         * dfg/DFGSpeculativeJIT64.cpp:
1345         (JSC::DFG::SpeculativeJIT::emitCall):
1346         * tests/stress/varargs-then-slow-call.js: Added.
1347         (foo):
1348         (bar):
1349         (fuzz):
1350         (baz):
1351
1352 2015-04-21  Basile Clement  <basile_clement@apple.com>
1353
1354         Remove AllocationProfileWatchpoint node
1355         https://bugs.webkit.org/show_bug.cgi?id=143999
1356
1357         Reviewed by Filip Pizlo.
1358
1359         * dfg/DFGAbstractInterpreterInlines.h:
1360         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1361         * dfg/DFGByteCodeParser.cpp:
1362         (JSC::DFG::ByteCodeParser::parseBlock):
1363         * dfg/DFGClobberize.h:
1364         (JSC::DFG::clobberize):
1365         * dfg/DFGDoesGC.cpp:
1366         (JSC::DFG::doesGC):
1367         * dfg/DFGFixupPhase.cpp:
1368         (JSC::DFG::FixupPhase::fixupNode):
1369         * dfg/DFGHeapLocation.cpp:
1370         (WTF::printInternal):
1371         * dfg/DFGHeapLocation.h:
1372         * dfg/DFGNode.h:
1373         (JSC::DFG::Node::hasCellOperand):
1374         * dfg/DFGNodeType.h:
1375         * dfg/DFGPredictionPropagationPhase.cpp:
1376         (JSC::DFG::PredictionPropagationPhase::propagate):
1377         * dfg/DFGSafeToExecute.h:
1378         (JSC::DFG::safeToExecute):
1379         * dfg/DFGSpeculativeJIT32_64.cpp:
1380         (JSC::DFG::SpeculativeJIT::compile):
1381         * dfg/DFGSpeculativeJIT64.cpp:
1382         (JSC::DFG::SpeculativeJIT::compile):
1383         * dfg/DFGWatchpointCollectionPhase.cpp:
1384         (JSC::DFG::WatchpointCollectionPhase::handle):
1385         * ftl/FTLCapabilities.cpp:
1386         (JSC::FTL::canCompile):
1387         * ftl/FTLLowerDFGToLLVM.cpp:
1388         (JSC::FTL::LowerDFGToLLVM::compileNode):
1389         * runtime/JSFunction.h:
1390         (JSC::JSFunction::rareData):
1391         (JSC::JSFunction::allocationProfileWatchpointSet): Deleted.
1392
1393 2015-04-19  Filip Pizlo  <fpizlo@apple.com>
1394
1395         MovHint should be a strong use
1396         https://bugs.webkit.org/show_bug.cgi?id=143734
1397
1398         Reviewed by Geoffrey Garen.
1399         
1400         This disables any DCE that assumes equivalence between DFG IR uses and bytecode uses. Doing
1401         so is a major step towards allowing more fancy DFG transformations and also probably fixing
1402         some bugs.
1403         
1404         Just making MovHint a strong use would also completely disable DCE. So we mitigate this by
1405         introducing a MovHint removal phase that runs in FTL.
1406         
1407         This is a slight slowdown on Octane/gbemu, but it's basically neutral on suite averages.
1408
1409         * CMakeLists.txt:
1410         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1411         * JavaScriptCore.xcodeproj/project.pbxproj:
1412         * bytecode/CodeOrigin.cpp:
1413         (JSC::InlineCallFrame::dumpInContext):
1414         * dfg/DFGDCEPhase.cpp:
1415         (JSC::DFG::DCEPhase::fixupBlock):
1416         * dfg/DFGDisassembler.cpp:
1417         (JSC::DFG::Disassembler::createDumpList):
1418         * dfg/DFGEpoch.cpp: Added.
1419         (JSC::DFG::Epoch::dump):
1420         * dfg/DFGEpoch.h: Added.
1421         (JSC::DFG::Epoch::Epoch):
1422         (JSC::DFG::Epoch::first):
1423         (JSC::DFG::Epoch::operator!):
1424         (JSC::DFG::Epoch::next):
1425         (JSC::DFG::Epoch::bump):
1426         (JSC::DFG::Epoch::operator==):
1427         (JSC::DFG::Epoch::operator!=):
1428         * dfg/DFGMayExit.cpp:
1429         (JSC::DFG::mayExit):
1430         * dfg/DFGMovHintRemovalPhase.cpp: Added.
1431         (JSC::DFG::performMovHintRemoval):
1432         * dfg/DFGMovHintRemovalPhase.h: Added.
1433         * dfg/DFGNodeType.h:
1434         * dfg/DFGPlan.cpp:
1435         (JSC::DFG::Plan::compileInThreadImpl):
1436         * dfg/DFGSpeculativeJIT.cpp:
1437         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1438         * dfg/DFGSpeculativeJIT64.cpp:
1439         (JSC::DFG::SpeculativeJIT::compile):
1440         * runtime/Options.h:
1441
1442 2015-04-21  Basile Clement  <basile_clement@apple.com>
1443
1444         REGRESSION (r182899): icloud.com crashes
1445         https://bugs.webkit.org/show_bug.cgi?id=143960
1446
1447         Reviewed by Filip Pizlo.
1448
1449         * runtime/JSFunction.h:
1450         (JSC::JSFunction::allocationStructure):
1451         * tests/stress/dfg-rare-data.js: Added.
1452         (F): Regression test
1453
1454 2015-04-21  Michael Saboff  <msaboff@apple.com>
1455
1456         Crash in JSC::Interpreter::execute
1457         https://bugs.webkit.org/show_bug.cgi?id=142625
1458
1459         Reviewed by Filip Pizlo.
1460
1461         We need to keep the FunctionExecutables in the code block for the eval flavor of 
1462         Interpreter::execute() in order to create the scope used to eval.
1463
1464         * bytecode/CodeBlock.cpp:
1465         (JSC::CodeBlock::jettisonFunctionDeclsAndExprs): Deleted.
1466         * bytecode/CodeBlock.h:
1467         * dfg/DFGGraph.cpp:
1468         (JSC::DFG::Graph::registerFrozenValues):
1469
1470 2015-04-21  Chris Dumez  <cdumez@apple.com>
1471
1472         Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&) constructor explicit
1473         https://bugs.webkit.org/show_bug.cgi?id=143970
1474
1475         Reviewed by Darin Adler.
1476
1477         Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&)
1478         constructor explicit as it copies the vector and it is easy to call it
1479         by mistake.
1480
1481         * bytecode/UnlinkedInstructionStream.cpp:
1482         (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
1483         * bytecode/UnlinkedInstructionStream.h:
1484         * ftl/FTLLowerDFGToLLVM.cpp:
1485         (JSC::FTL::LowerDFGToLLVM::lower):
1486
1487 2015-04-20  Basile Clement  <basile_clement@apple.com>
1488
1489         PhantomNewObject should be marked NodeMustGenerate
1490         https://bugs.webkit.org/show_bug.cgi?id=143974
1491
1492         Reviewed by Filip Pizlo.
1493
1494         * dfg/DFGNodeType.h: Mark PhantomNewObject as NodeMustGenerate
1495
1496 2015-04-20  Joseph Pecoraro  <pecoraro@apple.com>
1497
1498         Cleanup some StringBuilder use
1499         https://bugs.webkit.org/show_bug.cgi?id=143550
1500
1501         Reviewed by Darin Adler.
1502
1503         * runtime/Symbol.cpp:
1504         (JSC::Symbol::descriptiveString):
1505         * runtime/TypeProfiler.cpp:
1506         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
1507         * runtime/TypeSet.cpp:
1508         (JSC::TypeSet::toJSONString):
1509         (JSC::StructureShape::propertyHash):
1510         (JSC::StructureShape::stringRepresentation):
1511         (JSC::StructureShape::toJSONString):
1512
1513 2015-04-20  Mark Lam  <mark.lam@apple.com>
1514
1515         Add debugging tools to test if a given pointer is a valid object and in the heap.
1516         https://bugs.webkit.org/show_bug.cgi?id=143910
1517
1518         Reviewed by Geoffrey Garen.
1519
1520         When doing debugging from lldb, sometimes, it is useful to be able to tell if a
1521         purported JSObject is really a valid object in the heap or not.  We can add the
1522         following utility functions to help:
1523             isValidCell(heap, candidate) - returns true if the candidate is a "live" cell in the heap.
1524             isInHeap(heap, candidate) - returns true if the candidate is the heap's Object space or Storage space.
1525             isInObjectSpace(heap, candidate) - returns true if the candidate is the heap's Object space.
1526             isInStorageSpace(heap, candidate) - returns true if the candidate is the heap's Storage space.
1527
1528         Also moved lldb callable debug utility function prototypes from
1529         JSDollarVMPrototype.cpp to JSDollarVMPrototype.h as static members of the
1530         JSDollarVMPrototype class.  This is so that we can conveniently #include that
1531         file to get the prototypes when we need to call them programmatically from
1532         instrumentation that we add while debugging an issue.
1533
1534         * heap/Heap.h:
1535         (JSC::Heap::storageSpace):
1536         * tools/JSDollarVMPrototype.cpp:
1537         (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
1538         (JSC::ensureCurrentThreadOwnsJSLock):
1539         (JSC::JSDollarVMPrototype::gc):
1540         (JSC::functionGC):
1541         (JSC::JSDollarVMPrototype::edenGC):
1542         (JSC::functionEdenGC):
1543         (JSC::JSDollarVMPrototype::isInHeap):
1544         (JSC::JSDollarVMPrototype::isInObjectSpace):
1545         (JSC::JSDollarVMPrototype::isInStorageSpace):
1546         (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor):
1547         (JSC::ObjectAddressCheckFunctor::operator()):
1548         (JSC::JSDollarVMPrototype::isValidCell):
1549         (JSC::JSDollarVMPrototype::isValidCodeBlock):
1550         (JSC::JSDollarVMPrototype::codeBlockForFrame):
1551         (JSC::functionCodeBlockForFrame):
1552         (JSC::codeBlockFromArg):
1553         (JSC::JSDollarVMPrototype::printCallFrame):
1554         (JSC::JSDollarVMPrototype::printStack):
1555         (JSC::JSDollarVMPrototype::printValue):
1556         (JSC::currentThreadOwnsJSLock): Deleted.
1557         (JSC::gc): Deleted.
1558         (JSC::edenGC): Deleted.
1559         (JSC::isValidCodeBlock): Deleted.
1560         (JSC::codeBlockForFrame): Deleted.
1561         (JSC::printCallFrame): Deleted.
1562         (JSC::printStack): Deleted.
1563         (JSC::printValue): Deleted.
1564         * tools/JSDollarVMPrototype.h:
1565
1566 2015-04-20  Joseph Pecoraro  <pecoraro@apple.com>
1567
1568         Web Inspector: Improve Support for WeakSet in Console
1569         https://bugs.webkit.org/show_bug.cgi?id=143951
1570
1571         Reviewed by Darin Adler.
1572
1573         * inspector/InjectedScriptSource.js:
1574         * inspector/JSInjectedScriptHost.cpp:
1575         (Inspector::JSInjectedScriptHost::subtype):
1576         (Inspector::JSInjectedScriptHost::weakSetSize):
1577         (Inspector::JSInjectedScriptHost::weakSetEntries):
1578         * inspector/JSInjectedScriptHost.h:
1579         * inspector/JSInjectedScriptHostPrototype.cpp:
1580         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1581         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
1582         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
1583         Treat WeakSets like special sets.
1584
1585         * inspector/protocol/Runtime.json:
1586         Add a new object subtype, "weakset".
1587
1588 2015-04-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1589
1590         HashMap storing PropertyKey StringImpl* need to use IdentifierRepHash to handle Symbols
1591         https://bugs.webkit.org/show_bug.cgi?id=143947
1592
1593         Reviewed by Darin Adler.
1594
1595         Type profiler has map between PropertyKey (StringImpl*) and offset.
1596         StringImpl* is also used for Symbol PropertyKey.
1597         So equality of hash tables is considered by interned StringImpl*'s pointer value.
1598         To do so, use IdentifierRepHash instead of StringHash.
1599
1600         * runtime/SymbolTable.h:
1601
1602 2015-04-20  Jordan Harband  <ljharb@gmail.com>
1603
1604         Implement `Object.is`
1605         https://bugs.webkit.org/show_bug.cgi?id=143865
1606
1607         Reviewed by Darin Adler.
1608
1609         Expose sameValue to JS, via Object.is
1610         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.is
1611
1612         * runtime/ObjectConstructor.cpp:
1613         (JSC::objectConstructorIs):
1614         * runtime/PropertyDescriptor.cpp:
1615         (JSC::sameValue):
1616
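Added example (not code from the WebKit patch): the SameValue algorithm that Object.is exposes, written out in JavaScript and checked against the engine's own Object.is, so the two cases where it departs from === (NaN and signed zero) are visible; `sameValue` and the table helpers are the example's own names.

```javascript
// Added example, not WebKit code: ES6 SameValue (the algorithm behind
// Object.is), spelled out so its differences from === are explicit.
function sameValue(x, y) {
  if (typeof x === 'number' && typeof y === 'number') {
    // Unlike ===, NaN is SameValue to NaN.
    if (Number.isNaN(x) && Number.isNaN(y)) return true;
    // Unlike ===, +0 and -0 are distinct; 1/x exposes the sign of zero.
    if (x === 0 && y === 0) return 1 / x === 1 / y;
    return x === y;
  }
  // Every other type: identical primitive value or the same object reference.
  return x === y;
}

// One row per interesting input pair, comparing the hand-written algorithm
// with the engine's Object.is and with strict equality.
function sameValueTable() {
  const obj = {};
  const pairs = [
    [NaN, NaN], [0, -0], [-0, -0], [1, 1], ['a', 'a'],
    [obj, obj], [{}, {}], [null, undefined], [1, '1'],
  ];
  return pairs.map(([x, y]) => ({
    x,
    y,
    sameValue: sameValue(x, y),
    objectIs: Object.is(x, y),
    strictEquals: x === y,
  }));
}

// True iff the hand-written algorithm agrees with Object.is on every row.
function matchesObjectIs() {
  return sameValueTable().every((row) => row.sameValue === row.objectIs);
}

console.log(sameValueTable());
```

The rows where `strictEquals` differs from `objectIs` are exactly the NaN pair and the (+0, -0) pair.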
1617 2015-04-19  Darin Adler  <darin@apple.com>
1618
1619         Remove all the remaining uses of OwnPtr and PassOwnPtr in JavaScriptCore
1620         https://bugs.webkit.org/show_bug.cgi?id=143941
1621
1622         Reviewed by Gyuyoung Kim.
1623
1624         * API/JSCallbackObject.h: Use unique_ptr for m_callbackObjectData.
1625         * API/JSCallbackObjectFunctions.h: Ditto.
1626
1627         * API/ObjCCallbackFunction.h: Use unique_ptr for the arguments to the
1628         create function and the constructor and for m_impl.
1629         * API/ObjCCallbackFunction.mm:
1630         (CallbackArgumentOfClass::CallbackArgumentOfClass): Streamline this
1631         class by using RetainPtr<Class>.
1632         (ArgumentTypeDelegate::typeInteger): Use make_unique.
1633         (ArgumentTypeDelegate::typeDouble): Ditto.
1634         (ArgumentTypeDelegate::typeBool): Ditto.
1635         (ArgumentTypeDelegate::typeVoid): Ditto.
1636         (ArgumentTypeDelegate::typeId): Ditto.
1637         (ArgumentTypeDelegate::typeOfClass): Ditto.
1638         (ArgumentTypeDelegate::typeBlock): Ditto.
1639         (ArgumentTypeDelegate::typeStruct): Ditto.
1640         (ResultTypeDelegate::typeInteger): Ditto.
1641         (ResultTypeDelegate::typeDouble): Ditto.
1642         (ResultTypeDelegate::typeBool): Ditto.
1643         (ResultTypeDelegate::typeVoid): Ditto.
1644         (ResultTypeDelegate::typeId): Ditto.
1645         (ResultTypeDelegate::typeOfClass): Ditto.
1646         (ResultTypeDelegate::typeBlock): Ditto.
1647         (ResultTypeDelegate::typeStruct): Ditto.
1648         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): Use
1649         unique_ptr for the arguments to the constructor, m_arguments, and m_result.
1650         Use RetainPtr<Class> for m_instanceClass.
1651         (JSC::objCCallbackFunctionCallAsConstructor): Use nullptr instead of nil or 0
1652         for non-Objective-C object pointer null.
1653         (JSC::ObjCCallbackFunction::ObjCCallbackFunction): Use unique_ptr for
1654         the arguments to the constructor and for m_impl.
1655         (JSC::ObjCCallbackFunction::create): Use unique_ptr for arguments.
1656         (skipNumber): Mark this static since it's local to this source file.
1657         (objCCallbackFunctionForInvocation): Call parseObjCType without doing any
1658         explicit adoptPtr since the types in the traits are now unique_ptr. Also use
1659         nullptr instead of nil for JSObjectRef values.
1660         (objCCallbackFunctionForMethod): Tweaked comment.
1661         (objCCallbackFunctionForBlock): Use nullptr instead of 0 for JSObjectRef.
1662
1663         * bytecode/CallLinkInfo.h: Removed unneeded include of OwnPtr.h.
1664
1665         * heap/GCThread.cpp:
1666         (JSC::GCThread::GCThread): Use unique_ptr.
1667         * heap/GCThread.h: Use unique_ptr for arguments to the constructor and for
1668         m_slotVisitor and m_copyVisitor.
1669         * heap/GCThreadSharedData.cpp:
1670         (JSC::GCThreadSharedData::GCThreadSharedData): Ditto.
1671
1672         * parser/SourceProvider.h: Removed unneeded include of PassOwnPtr.h.
1673
1674 2015-04-19  Benjamin Poulain  <benjamin@webkit.org>
1675
1676         Improve the feature.json files
1677
1678         * features.json:
1679
1680 2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1681
1682         Introduce bytecode intrinsics
1683         https://bugs.webkit.org/show_bug.cgi?id=143926
1684
1685         Reviewed by Filip Pizlo.
1686
1687         This patch introduces bytecode level intrinsics into builtins/*.js JS code.
1688         When implementing functions in builtins/*.js,
1689         sometimes we require lower level functionality.
1690
1691         For example, in the current Array.from, we use `result[k] = value`.
1692         The spec requires `[[DefineOwnProperty]]` operation here.
1693         However, usual `result[k] = value` is evaluated as `[[Set]]`. (`PutValue` => `[[Set]]`)
1694         So if we implement `Array.prototype[k]` getter/setter, the difference is observable.
1695
1696         Ideally, reaching here, we would like to use put_by_val_direct bytecode.
1697         However, there's no syntax to generate it directly.
1698
1699         This patch introduces bytecode level intrinsics into JSC BytecodeCompiler.
1700         Like @call, @apply, we introduce a new node, Intrinsic.
1701         These are generated when calling appropriate private symbols in privileged code.
1702         AST parser detects them and generates Intrinsic nodes and
1703         BytecodeCompiler detects them and generates the required bytecodes.
1704
1705         Currently, Array.from implementation works fine without this patch.
1706         This is because when the target code is builtin JS,
1707         BytecodeGenerator emits put_by_val_direct instead of put_by_val.
1708         This solves the above issue. However, instead of solving this issue,
1709         it raises another issue: there's no way to emit the `[[Set]]` operation.
1710         `[[Set]]` operation is actually used in the spec (Array.from's "length" is set by `[[Set]]`).
1711         So to implement it precisely, introducing bytecode level intrinsics is necessary.
1712
1713         In the subsequent fixes, we'll remove that special path emitting put_by_val_direct
1714         for `result[k] = value` under the builtin JS environment. Instead of that special handling,
1715         we'll use bytecode intrinsics. It solves the problem and it is more intuitive
1716         because JS code written in builtins works the same as usual JS code.
1717
1718         * CMakeLists.txt:
1719         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1720         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1721         * JavaScriptCore.xcodeproj/project.pbxproj:
1722         * builtins/ArrayConstructor.js:
1723         (from):
1724         * bytecode/BytecodeIntrinsicRegistry.cpp: Added.
1725         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1726         (JSC::BytecodeIntrinsicRegistry::lookup):
1727         * bytecode/BytecodeIntrinsicRegistry.h: Added.
1728         * bytecompiler/NodesCodegen.cpp:
1729         (JSC::BytecodeIntrinsicNode::emitBytecode):
1730         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
1731         * parser/ASTBuilder.h:
1732         (JSC::ASTBuilder::makeFunctionCallNode):
1733         * parser/NodeConstructors.h:
1734         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
1735         * parser/Nodes.h:
1736         (JSC::BytecodeIntrinsicNode::identifier):
1737         * runtime/CommonIdentifiers.cpp:
1738         (JSC::CommonIdentifiers::CommonIdentifiers):
1739         * runtime/CommonIdentifiers.h:
1740         (JSC::CommonIdentifiers::bytecodeIntrinsicRegistry):
1741         * tests/stress/array-from-with-accessors.js: Added.
1742         (shouldBe):
1743
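As an added illustration of the [[Set]] versus [[DefineOwnProperty]] difference described in the entry above (example code written for this page, not part of the WebKit patch), the following Node.js script contrasts a naive self-hosted Array.from, which assigns `result[k] = value`, with a spec-shaped one that defines the element as an own data property, while an accessor is installed on Array.prototype[0]; the function names are the example's own.

```javascript
// Added example, not WebKit code: why a self-hosted Array.from must create
// result elements with [[DefineOwnProperty]] (JSC's put_by_val_direct) and
// not with ordinary assignment, which is [[Set]].

// Naive version: `result[k] = value` is [[Set]]. It walks the prototype chain,
// so an accessor on Array.prototype[k] intercepts the write and no own
// element is ever created on the result.
function naiveArrayFrom(items) {
  const result = [];
  let k = 0;
  for (const value of items) {
    result[k] = value;
    k += 1;
  }
  result.length = k; // the spec really does use [[Set]] for "length"
  return result;
}

// Spec-shaped version: CreateDataPropertyOrThrow(result, k, value), which is
// [[DefineOwnProperty]] and never consults the prototype chain.
function specArrayFrom(items) {
  const result = [];
  let k = 0;
  for (const value of items) {
    Object.defineProperty(result, k, {
      value, writable: true, enumerable: true, configurable: true,
    });
    k += 1;
  }
  result.length = k;
  return result;
}

// Run `fn` while an accessor sits on Array.prototype[0] and count how often
// its setter fires. The counter is a plain object on purpose: an array would
// itself hit the accessor when written. The accessor is always removed again.
function withAccessorOnIndex0(fn) {
  const log = { setterCalls: 0 };
  Object.defineProperty(Array.prototype, 0, {
    configurable: true,
    get() { return undefined; },
    set() { log.setterCalls += 1; },
  });
  let out;
  try {
    out = fn();
  } finally {
    delete Array.prototype[0];
    Array.prototype.length = 0; // defining index 0 grew Array.prototype.length
  }
  return { setterCalls: log.setterCalls, out };
}

// Compare the two hand-written versions with the engine's own Array.from.
function compareSemantics() {
  const input = [10, 20]; // constructed sample input
  const hasOwn0 = (a) => Object.prototype.hasOwnProperty.call(a, 0);
  const describe = (run) => ({
    setterCalls: run.setterCalls,
    ownElement0: hasOwn0(run.out),
    length: run.out.length,
  });
  return {
    naive: describe(withAccessorOnIndex0(() => naiveArrayFrom(input))),
    spec: describe(withAccessorOnIndex0(() => specArrayFrom(input))),
    builtin: describe(withAccessorOnIndex0(() => Array.from(input))),
  };
}

console.log(JSON.stringify(compareSemantics(), null, 2));
```

The naive version reports one setter call and no own element 0, while the spec-shaped version and a conforming engine's Array.from report zero setter calls and an own element 0.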
1744 2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1745
1746         Make Builtin functions non constructible
1747         https://bugs.webkit.org/show_bug.cgi?id=143923
1748
1749         Reviewed by Darin Adler.
1750
1751         Builtin functions defined by builtins/*.js accidentally have [[Construct]].
1752         According to the spec, these functions, except for those explicitly defined as a constructor, do not have [[Construct]].
1753         This patch fixes it. When the JS function used for a construction is a builtin function, throw a "not a constructor" error.
1754
1755         Ideally, returning ConstructTypeNone in JSFunction::getConstructData is enough.
1756         However, to avoid calling getConstructData (it involves an indirect call of the function pointer of getConstructData), some places do not check ConstructType.
1757         In these places, they only check that the target function is a JSFunction because previously a JSFunction always had [[Construct]].
1758         So in this patch, we check `isBuiltinFunction()` in those places.
1759
1760         * dfg/DFGByteCodeParser.cpp:
1761         (JSC::DFG::ByteCodeParser::inliningCost):
1762         * jit/JITOperations.cpp:
1763         * llint/LLIntSlowPaths.cpp:
1764         (JSC::LLInt::setUpCall):
1765         * runtime/JSFunction.cpp:
1766         (JSC::JSFunction::getConstructData):
1767         * tests/stress/builtin-function-is-construct-type-none.js: Added.
1768         (shouldThrow):
1769
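Added example (not code from the WebKit patch): a probe for [[Construct]] that a conforming engine such as Node.js can run, showing that self-hosted built-ins like Array.from and Array.prototype.map report no [[Construct]] and throw "not a constructor" under `new`, while ordinary functions, classes and real constructors do construct; `hasConstruct`, `constructionResult` and `surveyBuiltins` are the example's own names.

```javascript
// Added example, not WebKit code: detect [[Construct]] without running the
// function. Reflect.construct(String, [], fn) uses `fn` only as new.target,
// so it throws a TypeError exactly when `fn` is not a constructor and
// otherwise just builds a harmless String wrapper object.
function hasConstruct(fn) {
  if (typeof fn !== 'function') return false;
  try {
    Reflect.construct(String, [], fn);
    return true;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err;
  }
}

// What actually happens when `new fn()` is attempted: a non-constructor must
// fail with a TypeError rather than produce an object.
function constructionResult(fn) {
  try {
    new fn();
    return 'constructed';
  } catch (err) {
    return err instanceof TypeError ? 'TypeError' : 'other';
  }
}

// Built-ins that the spec defines as ordinary functions (Array.from,
// Array.prototype.map) next to real constructors and user-defined functions.
function surveyBuiltins() {
  return {
    'Array.from': hasConstruct(Array.from),
    'Array.prototype.map': hasConstruct(Array.prototype.map),
    'Array': hasConstruct(Array),
    'Map': hasConstruct(Map),
    'arrow': hasConstruct(() => {}),
    'function expression': hasConstruct(function () {}),
    'method shorthand': hasConstruct({ m() {} }.m),
    'class': hasConstruct(class {}),
  };
}

console.log(surveyBuiltins());
console.log('new Array.from():', constructionResult(Array.from));
```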
1770 2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1771
1772         [ES6] Implement WeakSet
1773         https://bugs.webkit.org/show_bug.cgi?id=142408
1774
1775         Reviewed by Darin Adler.
1776
1777         This patch implements ES6 WeakSet.
1778         The current implementation simply leverages WeakMapData with an undefined value.
1779         This WeakMapData should be optimized in the same manner as MapData/SetData in the subsequent patch[1].
1780
1781         And in this patch, we also fix WeakMap/WeakSet behavior to conform to the ES6 spec.
1782         Except for adders (WeakMap.prototype.set/WeakSet.prototype.add),
1783         methods return false (or undefined for WeakMap.prototype.get)
1784         when a key is not an Object instead of throwing a type error.
1785
1786         [1]: https://bugs.webkit.org/show_bug.cgi?id=143919
1787
1788         * CMakeLists.txt:
1789         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1790         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1791         * JavaScriptCore.xcodeproj/project.pbxproj:
1792         * runtime/CommonIdentifiers.h:
1793         * runtime/JSGlobalObject.cpp:
1794         * runtime/JSGlobalObject.h:
1795         * runtime/JSWeakSet.cpp: Added.
1796         (JSC::JSWeakSet::finishCreation):
1797         (JSC::JSWeakSet::visitChildren):
1798         * runtime/JSWeakSet.h: Added.
1799         (JSC::JSWeakSet::createStructure):
1800         (JSC::JSWeakSet::create):
1801         (JSC::JSWeakSet::weakMapData):
1802         (JSC::JSWeakSet::JSWeakSet):
1803         * runtime/WeakMapPrototype.cpp:
1804         (JSC::getWeakMapData):
1805         (JSC::protoFuncWeakMapDelete):
1806         (JSC::protoFuncWeakMapGet):
1807         (JSC::protoFuncWeakMapHas):
1808         * runtime/WeakSetConstructor.cpp: Added.
1809         (JSC::WeakSetConstructor::finishCreation):
1810         (JSC::callWeakSet):
1811         (JSC::constructWeakSet):
1812         (JSC::WeakSetConstructor::getConstructData):
1813         (JSC::WeakSetConstructor::getCallData):
1814         * runtime/WeakSetConstructor.h: Added.
1815         (JSC::WeakSetConstructor::create):
1816         (JSC::WeakSetConstructor::createStructure):
1817         (JSC::WeakSetConstructor::WeakSetConstructor):
1818         * runtime/WeakSetPrototype.cpp: Added.
1819         (JSC::WeakSetPrototype::finishCreation):
1820         (JSC::getWeakMapData):
1821         (JSC::protoFuncWeakSetDelete):
1822         (JSC::protoFuncWeakSetHas):
1823         (JSC::protoFuncWeakSetAdd):
1824         * runtime/WeakSetPrototype.h: Added.
1825         (JSC::WeakSetPrototype::create):
1826         (JSC::WeakSetPrototype::createStructure):
1827         (JSC::WeakSetPrototype::WeakSetPrototype):
1828         * tests/stress/weak-set-constructor-adder.js: Added.
1829         (WeakSet.prototype.add):
1830         * tests/stress/weak-set-constructor.js: Added.
1831
1832 2015-04-17  Alexey Proskuryakov  <ap@apple.com>
1833
1834         Remove unused BoundsCheckedPointer
1835         https://bugs.webkit.org/show_bug.cgi?id=143896
1836
1837         Reviewed by Geoffrey Garen.
1838
1839         * bytecode/SpeculatedType.cpp: The header was included here.
1840
1841 2015-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1842
1843         [ES6] Fix name enumeration of static functions for Symbol constructor
1844         https://bugs.webkit.org/show_bug.cgi?id=143891
1845
1846         Reviewed by Geoffrey Garen.
1847
1848         Fix missing symbolPrototypeTable registration to the js class object.
1849         This patch fixes name enumeration of static functions (Symbol.key, Symbol.keyFor) for Symbol constructor.
1850
1851         * runtime/SymbolConstructor.cpp:
1852
1853 2015-04-17  Basile Clement  <basile_clement@apple.com>
1854
1855         Inline JSFunction allocation in DFG
1856         https://bugs.webkit.org/show_bug.cgi?id=143858
1857
1858         Reviewed by Filip Pizlo.
1859
1860         Followup to my previous patch which inlines JSFunction allocation when
1861         using FTL, now also enabled in DFG.
1862
1863         * dfg/DFGSpeculativeJIT.cpp:
1864         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1865
1866 2015-04-16  Jordan Harband  <ljharb@gmail.com>
1867
1868         Number.parseInt is not === global parseInt in nightly r182673
1869         https://bugs.webkit.org/show_bug.cgi?id=143799
1870
1871         Reviewed by Darin Adler.
1872
1873         Ensuring parseInt === Number.parseInt, per spec
1874         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
1875
1876         * runtime/CommonIdentifiers.h:
1877         * runtime/JSGlobalObject.cpp:
1878         (JSC::JSGlobalObject::init):
1879         * runtime/JSGlobalObject.h:
1880         (JSC::JSGlobalObject::parseIntFunction):
1881         * runtime/NumberConstructor.cpp:
1882         (JSC::NumberConstructor::finishCreation):
1883
1884 2015-04-16  Mark Lam  <mark.lam@apple.com>
1885
1886         Gardening: fix CLOOP build after r182927.
1887
1888         Not reviewed.
1889
1890         * interpreter/StackVisitor.cpp:
1891         (JSC::StackVisitor::Frame::print):
1892
1893 2015-04-16  Basile Clement  <basile_clement@apple.com>
1894
1895         Inline JSFunction allocation in FTL
1896         https://bugs.webkit.org/show_bug.cgi?id=143851
1897
1898         Reviewed by Filip Pizlo.
1899
1900         JSFunction allocation is a simple operation that should be inlined when possible.
1901
1902         * ftl/FTLAbstractHeapRepository.h:
1903         * ftl/FTLLowerDFGToLLVM.cpp:
1904         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1905         * runtime/JSFunction.h:
1906         (JSC::JSFunction::allocationSize):
1907
1908 2015-04-16  Mark Lam  <mark.lam@apple.com>
1909
1910         Add $vm debugging tool.
1911         https://bugs.webkit.org/show_bug.cgi?id=143809
1912
1913         Reviewed by Geoffrey Garen.
1914
1915         For debugging VM bugs, it would be useful to be able to dump VM data structures
1916         from JS code that we instrument.  To this end, let's introduce a
1917         JS_enableDollarVM option that, if true, installs an $vm property into each JS
1918         global object at creation time.  The $vm property refers to an object that
1919         provides a collection of useful utility functions.  For this initial
1920         implementation, $vm will have the following:
1921
1922             crash() - trigger an intentional crash.
1923
1924             dfgTrue() - returns true if the current function is DFG compiled, else returns false.
1925             jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
1926             llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.
1927
1928             gc() - runs a full GC.
1929             edenGC() - runs an eden GC.
1930
1931             codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
1932             printSourceFor(codeBlock) - prints the source code for the codeBlock.
1933             printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.
1934
1935             print(str) - prints a string to dataLog output.
1936             printCallFrame() - prints the current CallFrame.
1937             printStack() - prints the JS stack.
1938             printInternal(value) - prints the JSC internal info for the specified value.
1939
1940         With JS_enableDollarVM=true, JS code can use the above functions like so:
1941
1942             $vm.print("Using $vm features\n");
1943
1944         * CMakeLists.txt:
1945         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1946         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1947         * JavaScriptCore.xcodeproj/project.pbxproj:
1948         * bytecode/CodeBlock.cpp:
1949         (JSC::CodeBlock::printCallOp):
1950         - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
1951           Hence, we skip this step if we're dumping an FTL codeBlock.
1952
1953         * heap/Heap.cpp:
1954         (JSC::Heap::collectAndSweep):
1955         (JSC::Heap::collectAllGarbage): Deleted.
1956         * heap/Heap.h:
1957         (JSC::Heap::collectAllGarbage):
1958         - Add ability to do an Eden collection and sweep.
1959
1960         * interpreter/StackVisitor.cpp:
1961         (JSC::printIndents):
1962         (JSC::log):
1963         (JSC::logF):
1964         (JSC::StackVisitor::Frame::print):
1965         (JSC::jitTypeName): Deleted.
1966         (JSC::printif): Deleted.
1967         - Modernize the implementation of StackVisitor::Frame::print(), and remove some
1968           now redundant code.
1969         - Also fix it so that it downgrades gracefully when encountering inlined DFG
1970           and compiled FTL functions.
1971
1972         (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
1973         (DebugPrintFrameFunctor::operator()): Deleted.
1974         (debugPrintCallFrame): Deleted.
1975         (debugPrintStack): Deleted.
1976         - these have been moved into JSDollarVMPrototype.cpp. 
1977
1978         * interpreter/StackVisitor.h:
1979         - StackVisitor::Frame::print() is now enabled for release builds as well so that
1980           we can call it from $vm.
1981
1982         * runtime/JSGlobalObject.cpp:
1983         (JSC::JSGlobalObject::init):
1984         (JSC::JSGlobalObject::visitChildren):
1985         * runtime/JSGlobalObject.h:
1986         - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
1987           option.
1988
1989         * runtime/Options.h:
1990         - Added the JSC_enableDollarVM option.
1991
1992         * tools/JSDollarVM.cpp: Added.
1993         * tools/JSDollarVM.h: Added.
1994         (JSC::JSDollarVM::createStructure):
1995         (JSC::JSDollarVM::create):
1996         (JSC::JSDollarVM::JSDollarVM):
1997
1998         * tools/JSDollarVMPrototype.cpp: Added.
1999         - This file contains 2 sets of functions:
2000
2001           a. a C++ implementation of debugging utility functions that are callable when
2002              doing debugging from lldb.  To the extent possible, these functions try to
2003              be cautious and not cause unintended crashes should the user call them with
2004              the wrong info.  Hence, they are designed to be robust rather than speedy.
2005
2006           b. the native implementations of JS functions in the $vm object.  Where there
2007              is overlapping functionality, these are built on top of the C++ functions
2008              above to do the work.
2009
2010           Note: it does not make sense for all of the $vm functions to have a C++
2011           counterpart for lldb debugging.  For example, the $vm.dfgTrue() function is
2012           only useful for JS code, and works via the DFG intrinsics mechanism.
2013           When doing debugging via lldb, the optimization level of the currently
2014           executing JS function can be gotten by dumping the current CallFrame instead.
2015
2016         (JSC::currentThreadOwnsJSLock):
2017         (JSC::ensureCurrentThreadOwnsJSLock):
2018         (JSC::JSDollarVMPrototype::addFunction):
2019         (JSC::functionCrash): - $vm.crash()
2020         (JSC::functionDFGTrue): - $vm.dfgTrue()
2021         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2022         (JSC::CallerFrameJITTypeFunctor::operator()):
2023         (JSC::CallerFrameJITTypeFunctor::jitType):
2024         (JSC::functionLLintTrue): - $vm.llintTrue()
2025         (JSC::functionJITTrue): - $vm.jitTrue()
2026         (JSC::gc):
2027         (JSC::functionGC): - $vm.gc()
2028         (JSC::edenGC):
2029         (JSC::functionEdenGC): - $vm.edenGC()
2030         (JSC::isValidCodeBlock):
2031         (JSC::codeBlockForFrame):
2032         (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
2033         (JSC::codeBlockFromArg):
2034         (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
2035         (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
2036         (JSC::functionPrint): - $vm.print(str)
2037         (JSC::PrintFrameFunctor::PrintFrameFunctor):
2038         (JSC::PrintFrameFunctor::operator()):
2039         (JSC::printCallFrame):
2040         (JSC::printStack):
2041         (JSC::functionPrintCallFrame): - $vm.printCallFrame()
2042         (JSC::functionPrintStack): - $vm.printStack()
2043         (JSC::printValue):
2044         (JSC::functionPrintValue): - $vm.printValue()
2045         (JSC::JSDollarVMPrototype::finishCreation):
2046         * tools/JSDollarVMPrototype.h: Added.
2047         (JSC::JSDollarVMPrototype::create):
2048         (JSC::JSDollarVMPrototype::createStructure):
2049         (JSC::JSDollarVMPrototype::JSDollarVMPrototype):
2050
2051 2015-04-16  Geoffrey Garen  <ggaren@apple.com>
2052
2053         Speculative fix after r182915
2054         https://bugs.webkit.org/show_bug.cgi?id=143404
2055
2056         Reviewed by Alexey Proskuryakov.
2057
2058         * runtime/SymbolConstructor.h:
2059
2060 2015-04-16  Mark Lam  <mark.lam@apple.com>
2061
2062         Fixed some typos in a comment.
2063
2064         Not reviewed.
2065
2066         * dfg/DFGGenerationInfo.h:
2067
2068 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2069
2070         [ES6] Implement Symbol.for and Symbol.keyFor
2071         https://bugs.webkit.org/show_bug.cgi?id=143404
2072
2073         Reviewed by Geoffrey Garen.
2074
2075         This patch implements Symbol.for and Symbol.keyFor.
2076         SymbolRegistry maintains registered StringImpl* symbols.
        And to make this mapping available across realms,
        the VM owns this mapping (not JSGlobalObject).
2079
        While there is a default AtomicStringTable per thread,
        a SymbolRegistry should not be shared across VMs.
        So every time a VM is created, a SymbolRegistry is also created.
2083
        In the SymbolRegistry implementation, we don't leverage WeakGCMap (or a weak reference design).
        There are several reasons.
        1. StringImpl*, which represents the identity of a Symbol, is not a GC-managed object.
           So we cannot use WeakGCMap directly.
           While Symbol* is a GC-managed object, holding a weak reference to a Symbol* doesn't track the liveness of JS symbols (the primitive values exposed to users),
           because distinct Symbol* can exist.
           A distinct Symbol* means a Symbol* object whose pointer value (Symbol*) is different from the weakly referenced Symbol* but whose held StringImpl* is the same.

        2. We don't use WTF::WeakPtr. If we add a WeakPtrFactory as a member of StringImpl, we can track the StringImpl*'s liveness with WeakPtr.
           However, there is a problem with when we prune stale entries in the SymbolRegistry.
           The memory allocated for a Symbol is typically occupied by the symbolized StringImpl*'s content,
           and it is not in the GC heap.
           While heavily registering Symbols and storing StringImpl* into the SymbolRegistry, the Heap's EdenSpace is not very occupied.
           So the GC typically attempts to perform an EdenCollection, and it doesn't call WeakGCMap's pruneStaleEntries callback.
           As a result, before the stale entries in the SymbolRegistry are pruned, fast-malloc'ed memory fills up the system memory.
2099
        So instead of using weak references, we take a relatively simple design.
        When we register a symbolized StringImpl* into the SymbolRegistry, the symbolized StringImpl* is aware of that.
        And when it is destructed, it removes its reference from the SymbolRegistry, just as an atomic StringImpl does with the AtomicStringTable.
2103
2104         * CMakeLists.txt:
2105         * DerivedSources.make:
2106         * runtime/SymbolConstructor.cpp:
2107         (JSC::SymbolConstructor::getOwnPropertySlot):
2108         (JSC::symbolConstructorFor):
2109         (JSC::symbolConstructorKeyFor):
2110         * runtime/SymbolConstructor.h:
2111         * runtime/VM.cpp:
2112         * runtime/VM.h:
2113         (JSC::VM::symbolRegistry):
2114         * tests/stress/symbol-registry.js: Added.
2115         (test):
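
        The observable contract that the SymbolRegistry described above has to satisfy, as an added JavaScript example. It is not part of this ChangeLog entry or of JavaScriptCore's own test suite (the tests/stress/symbol-registry.js file the entry adds is not reproduced here); the function names and the 'example.shared' key are the example's own, and it runs on any ES6 engine.

```javascript
// Added example: exercises the ES6 global symbol registry semantics that
// Symbol.for / Symbol.keyFor implement. Not JavaScriptCore code.

// Symbol.for returns the one registered symbol for a given key; calling it
// again with the same key must yield the identical primitive value.
function registeredSymbolIsSingleton(key) {
  return Symbol.for(key) === Symbol.for(key);
}

// A symbol created with Symbol() is never in the registry, even when its
// description matches a registered key, so keyFor reports undefined for it
// and it is a different value from the registered one.
function unregisteredSymbolHasNoKey(key) {
  const unregistered = Symbol(key);
  return Symbol.keyFor(unregistered) === undefined
      && unregistered !== Symbol.for(key);
}

// Well-known symbols (Symbol.iterator etc.) live outside the registry too.
function wellKnownSymbolHasNoKey() {
  return Symbol.keyFor(Symbol.iterator) === undefined;
}

// keyFor is the inverse of for: the registry maps key <-> symbol both ways.
function keyRoundTrips(key) {
  return Symbol.keyFor(Symbol.for(key)) === key;
}

// keyFor must type-check its argument: a non-symbol is a TypeError per spec.
function keyForRejectsNonSymbols(value) {
  try {
    Symbol.keyFor(value);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Registered symbols are usable as property keys like any other symbol, which
// is how independently loaded code can agree on a key without sharing a
// reference. The key below is a constructed sample value.
function sharedPropertyKey() {
  const obj = {};
  obj[Symbol.for('example.shared')] = 42;
  return obj[Symbol.for('example.shared')];
}
```

        The registry is keyed by the string form of the argument, which is why keyFor round-trips the exact key string; an engine whose registry were per-global-object rather than per-VM would break the sharing shown in sharedPropertyKey across realms.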
2116
2117 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2118
2119         [ES6] Use specific functions for @@iterator functions
2120         https://bugs.webkit.org/show_bug.cgi?id=143838
2121
2122         Reviewed by Geoffrey Garen.
2123
        In ES6, some methods are defined with different names.
2125
2126         For example,
2127
2128         Map.prototype[Symbol.iterator] === Map.prototype.entries
2129         Set.prototype[Symbol.iterator] === Set.prototype.values
2130         Array.prototype[Symbol.iterator] === Array.prototype.values
2131         %Arguments%[Symbol.iterator] === Array.prototype.values
2132
2133         However, current implementation creates different function objects per name.
2134         This patch fixes it by setting the object that is used for the other method to @@iterator.
2135         e.g. Setting Array.prototype.values function object to Array.prototype[Symbol.iterator].
2136
2137         And we drop Arguments' iterator implementation and replace Argument[@@iterator] implementation
2138         with Array.prototype.values to conform to the spec.
2139
2140         * CMakeLists.txt:
2141         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2142         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2143         * JavaScriptCore.xcodeproj/project.pbxproj:
2144         * inspector/JSInjectedScriptHost.cpp:
2145         (Inspector::JSInjectedScriptHost::subtype):
2146         (Inspector::JSInjectedScriptHost::getInternalProperties):
2147         (Inspector::JSInjectedScriptHost::iteratorEntries):
2148         * runtime/ArgumentsIteratorConstructor.cpp: Removed.
2149         * runtime/ArgumentsIteratorConstructor.h: Removed.
2150         * runtime/ArgumentsIteratorPrototype.cpp: Removed.
2151         * runtime/ArgumentsIteratorPrototype.h: Removed.
2152         * runtime/ArrayPrototype.cpp:
2153         (JSC::ArrayPrototype::finishCreation):
2154         * runtime/ArrayPrototype.h:
2155         * runtime/ClonedArguments.cpp:
2156         (JSC::ClonedArguments::getOwnPropertySlot):
2157         (JSC::ClonedArguments::put):
2158         (JSC::ClonedArguments::deleteProperty):
2159         (JSC::ClonedArguments::defineOwnProperty):
2160         (JSC::ClonedArguments::materializeSpecials):
2161         * runtime/ClonedArguments.h:
2162         * runtime/CommonIdentifiers.h:
2163         * runtime/DirectArguments.cpp:
2164         (JSC::DirectArguments::overrideThings):
2165         * runtime/GenericArgumentsInlines.h:
2166         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2167         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2168         (JSC::GenericArguments<Type>::put):
2169         (JSC::GenericArguments<Type>::deleteProperty):
2170         (JSC::GenericArguments<Type>::defineOwnProperty):
2171         * runtime/JSArgumentsIterator.cpp: Removed.
2172         * runtime/JSArgumentsIterator.h: Removed.
2173         * runtime/JSGlobalObject.cpp:
2174         (JSC::JSGlobalObject::init):
2175         (JSC::JSGlobalObject::visitChildren):
2176         * runtime/JSGlobalObject.h:
2177         (JSC::JSGlobalObject::arrayProtoValuesFunction):
2178         * runtime/MapPrototype.cpp:
2179         (JSC::MapPrototype::finishCreation):
2180         * runtime/ScopedArguments.cpp:
2181         (JSC::ScopedArguments::overrideThings):
2182         * runtime/SetPrototype.cpp:
2183         (JSC::SetPrototype::finishCreation):
2184         * tests/stress/arguments-iterator.js: Added.
2185         (test):
2186         (testArguments):
2187         * tests/stress/iterator-functions.js: Added.
2188         (test):
2189         (argumentsTests):
2190
2191 2015-04-14  Mark Lam  <mark.lam@apple.com>
2192
2193         Add JSC_functionOverrides=<overrides file> debugging tool.
2194         https://bugs.webkit.org/show_bug.cgi?id=143717
2195
2196         Reviewed by Geoffrey Garen.
2197
2198         This tool allows us to do runtime replacement of function bodies with alternatives
2199         for debugging purposes.  For example, this is useful when we need to debug VM bugs
2200         which manifest in scripts executing in webpages downloaded from remote servers
2201         that we don't control.  The tool allows us to augment those scripts with logging
2202         or test code to help isolate the bugs.
2203
2204         This tool works by substituting the SourceCode at FunctionExecutable creation
2205         time.  It identifies which SourceCode to substitute by comparing the source
2206         string against keys in a set of key value pairs.
2207
        The keys are function body strings defined by 'override' clauses in the overrides
        file specified in the JSC_functionOverrides option.  The values are function
        body strings defined by 'with' clauses in the overrides file.
2211         See comment blob at top of FunctionOverrides.cpp on the formatting
2212         of the overrides file.
2213
2214         At FunctionExecutable creation time, if the SourceCode string matches one of the
2215         'override' keys from the overrides file, the tool will replace the SourceCode with
2216         a new one based on the corresponding 'with' value string.  The FunctionExecutable
2217         will then be created with the new SourceCode instead.
2218
2219         Some design decisions:
        1. We opted to require that the 'with' clause appear on a separate line from the
           'override' clause because this makes it easier to read and write when the
           'override' clause's function body is single lined and long.
2223
2224         2. The user can use any sequence of characters for the delimiter (except for '{',
2225            '}' and white space characters) because this ensures that there can always be
2226            some delimiter pattern that does not appear in the function body in the clause
2227            e.g. in the body of strings in the JS code.
2228
2229            '{' and '}' are disallowed because they are used to mark the boundaries of the
2230            function body string.  White space characters are disallowed because they can
2231            be error prone (the user may not be able to tell between spaces and tabs).
2232
2233         3. The start and end delimiter must be an identical sequence of characters.
2234
2235            I had considered allowing the use of complementary characters like <>, [], and
2236            () for making delimiter pairs like:
2237                [[[[ ... ]]]]
2238                <[([( ... )])]>
2239
2240            But in the end, decided against it because:
           a. These sequences of complementary characters can exist in JS code.
2242               In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
2243               code.
2244            b. It can be error prone for the user to have to type the exact complement
2245               character for the end delimiter in reverse order.
2246               In contrast, a repeating delimiter like %%%% is much easier to type and
2247               less error prone.  Even a sequence like @#$%^ is less error prone than
2248               a complementary sequence because it can be copy-pasted, and need not be
2249               typed in reverse order.
2250            c. It is easier to parse for the same delimiter string for both start and end.
2251
2252         4. The tool does a lot of checks for syntax errors in the overrides file because
2253            we don't want any overrides to fail silently.  If a syntax error is detected,
2254            the tool will print an error message and call exit().  This avoids the user
2255            wasting time doing debugging only to be surprised later that their specified
2256            overrides did not take effect because of some unnoticed typo.
2257
2258         * CMakeLists.txt:
2259         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2260         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2261         * JavaScriptCore.xcodeproj/project.pbxproj:
2262         * bytecode/UnlinkedCodeBlock.cpp:
2263         (JSC::UnlinkedFunctionExecutable::link):
2264         * runtime/Executable.h:
2265         * runtime/Options.h:
2266         * tools/FunctionOverrides.cpp: Added.
2267         (JSC::FunctionOverrides::overrides):
2268         (JSC::FunctionOverrides::FunctionOverrides):
2269         (JSC::initializeOverrideInfo):
2270         (JSC::FunctionOverrides::initializeOverrideFor):
2271         (JSC::hasDisallowedCharacters):
2272         (JSC::parseClause):
2273         (JSC::FunctionOverrides::parseOverridesInFile):
2274         * tools/FunctionOverrides.h: Added.
2275
2276 2015-04-16  Basile Clement  <basile_clement@apple.com>
2277  
2278         Extract the allocation profile from JSFunction into a rare object
2279         https://bugs.webkit.org/show_bug.cgi?id=143807
2280  
2281         Reviewed by Filip Pizlo.
2282  
2283         The allocation profile is only needed for those functions that are used
2284         to create objects with [new].
        Extracting it into its own JSCell removes the need for JSFunction and
        JSCallee to be JSDestructibleObjects, which should improve performance in most
        cases at the cost of an extra pointer dereference when the allocation profile
        is actually needed.
2289  
2290         * CMakeLists.txt:
2291         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2292         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2293         * JavaScriptCore.xcodeproj/project.pbxproj:
2294         * dfg/DFGOperations.cpp:
2295         * dfg/DFGSpeculativeJIT32_64.cpp:
2296         (JSC::DFG::SpeculativeJIT::compile):
2297         * dfg/DFGSpeculativeJIT64.cpp:
2298         (JSC::DFG::SpeculativeJIT::compile):
2299         * jit/JITOpcodes.cpp:
2300         (JSC::JIT::emit_op_create_this):
2301         * jit/JITOpcodes32_64.cpp:
2302         (JSC::JIT::emit_op_create_this):
2303         * llint/LowLevelInterpreter32_64.asm:
2304         * llint/LowLevelInterpreter64.asm:
2305         * runtime/CommonSlowPaths.cpp:
2306         (JSC::SLOW_PATH_DECL):
2307         * runtime/FunctionRareData.cpp: Added.
2308         (JSC::FunctionRareData::create):
2309         (JSC::FunctionRareData::destroy):
2310         (JSC::FunctionRareData::createStructure):
2311         (JSC::FunctionRareData::visitChildren):
2312         (JSC::FunctionRareData::FunctionRareData):
2313         (JSC::FunctionRareData::~FunctionRareData):
2314         (JSC::FunctionRareData::finishCreation):
2315         * runtime/FunctionRareData.h: Added.
2316         (JSC::FunctionRareData::offsetOfAllocationProfile):
2317         (JSC::FunctionRareData::allocationProfile):
2318         (JSC::FunctionRareData::allocationStructure):
2319         (JSC::FunctionRareData::allocationProfileWatchpointSet):
2320         * runtime/JSBoundFunction.cpp:
2321         (JSC::JSBoundFunction::destroy): Deleted.
2322         * runtime/JSBoundFunction.h:
2323         * runtime/JSCallee.cpp:
2324         (JSC::JSCallee::destroy): Deleted.
2325         * runtime/JSCallee.h:
2326         * runtime/JSFunction.cpp:
2327         (JSC::JSFunction::JSFunction):
2328         (JSC::JSFunction::createRareData):
2329         (JSC::JSFunction::visitChildren):
2330         (JSC::JSFunction::put):
2331         (JSC::JSFunction::defineOwnProperty):
2332         (JSC::JSFunction::destroy): Deleted.
2333         (JSC::JSFunction::createAllocationProfile): Deleted.
2334         * runtime/JSFunction.h:
2335         (JSC::JSFunction::offsetOfRareData):
2336         (JSC::JSFunction::rareData):
2337         (JSC::JSFunction::allocationStructure):
2338         (JSC::JSFunction::allocationProfileWatchpointSet):
2339         (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
2340         (JSC::JSFunction::allocationProfile): Deleted.
2341         * runtime/JSFunctionInlines.h:
2342         (JSC::JSFunction::JSFunction):
2343         * runtime/VM.cpp:
2344         (JSC::VM::VM):
2345         * runtime/VM.h:
2346  
2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>
2348
2349         Remove the unnecessary WTF_CHANGES define
2350         https://bugs.webkit.org/show_bug.cgi?id=143825
2351
2352         Reviewed by Andreas Kling.
2353
2354         * config.h:
2355
2356 2015-04-15  Andreas Kling  <akling@apple.com>
2357
2358         Make MarkedBlock and WeakBlock 4x smaller.
2359         <https://webkit.org/b/143802>
2360
2361         Reviewed by Mark Hahnenberg.
2362
2363         To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
2364         and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.
2365
2366         In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
2367         Some examples:
2368
2369                    apple.com:  6.3MB ->  5.5MB (14.5% smaller)
2370                   reddit.com:  4.5MB ->  4.1MB ( 9.7% smaller)
2371                  twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
2372             cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)
2373
2374         Benchmarks look mostly neutral.
2375         Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.
2376
2377         * heap/MarkedBlock.h:
2378         * heap/WeakBlock.h:
2379         * llint/LLIntData.cpp:
2380         (JSC::LLInt::Data::performAssertions):
2381         * llint/LowLevelInterpreter.asm:
2382
2383 2015-04-15  Jordan Harband  <ljharb@gmail.com>
2384
2385         String.prototype.startsWith/endsWith/includes have wrong length in r182673
2386         https://bugs.webkit.org/show_bug.cgi?id=143659
2387
2388         Reviewed by Benjamin Poulain.
2389
2390         Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
2391         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
2392         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
2393         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
2394
2395         * runtime/StringPrototype.cpp:
2396         (JSC::StringPrototype::finishCreation):
2397
2398 2015-04-15  Mark Lam  <mark.lam@apple.com>
2399
2400         Remove obsolete VMInspector debugging tool.
2401         https://bugs.webkit.org/show_bug.cgi?id=143798
2402
2403         Reviewed by Michael Saboff.
2404
2405         I added the VMInspector tool 3 years ago to aid in VM hacking work.  Some of it
2406         has bit rotted, and now the VM also has better ways to achieve its functionality.
2407         Hence this code is now obsolete and should be removed.
2408
2409         * CMakeLists.txt:
2410         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2411         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2412         * JavaScriptCore.xcodeproj/project.pbxproj:
2413         * interpreter/CallFrame.h:
2414         * interpreter/VMInspector.cpp: Removed.
2415         * interpreter/VMInspector.h: Removed.
2416         * llint/LowLevelInterpreter.cpp:
2417
2418 2015-04-15  Jordan Harband  <ljharb@gmail.com>
2419
2420         Math.imul has wrong length in Safari 8.0.4
2421         https://bugs.webkit.org/show_bug.cgi?id=143658
2422
2423         Reviewed by Benjamin Poulain.
2424
2425         Correcting function length from 1, to 2, to match spec
2426         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul
2427
2428         * runtime/MathObject.cpp:
2429         (JSC::MathObject::finishCreation):
2430
2431 2015-04-15  Jordan Harband  <ljharb@gmail.com>
2432
2433         Number.parseInt in nightly r182673 has wrong length
2434         https://bugs.webkit.org/show_bug.cgi?id=143657
2435
2436         Reviewed by Benjamin Poulain.
2437
2438         Correcting function length from 1, to 2, to match spec
2439         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
2440
2441         * runtime/NumberConstructor.cpp:
2442         (JSC::NumberConstructor::finishCreation):
2443
2444 2015-04-15  Filip Pizlo  <fpizlo@apple.com>
2445
2446         Harden DFGForAllKills
2447         https://bugs.webkit.org/show_bug.cgi?id=143792
2448
2449         Reviewed by Geoffrey Garen.
2450         
2451         Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
2452         bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.
2453         
2454         Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
2455         that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:
2456         
2457         - It looks for kill sites at forExit origin boundaries. But, something might have been killed
2458           by an operation that was logically in between the forExit origins at the boundary, but was
2459           removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
2460           gaps.
2461         
2462         - It overlooked the fact that a MovHint that addresses a local that is always live kills that
2463           local. For example, storing to an argument means that the prior value of the argument is
2464           killed.
2465         
        This fixes the analysis by making it handle MovHints directly, and making it define kills in
        the most conservative way possible: it asks if you were live before but dead after. If we
        have the compile time budget to afford this more direct approach, then it's definitely a good
        idea since it's so fool-proof.
2470
2471         * dfg/DFGArgumentsEliminationPhase.cpp:
2472         * dfg/DFGForAllKills.h:
2473         (JSC::DFG::forAllKilledOperands):
2474         (JSC::DFG::forAllKilledNodesAtNodeIndex):
2475         (JSC::DFG::forAllDirectlyKilledOperands): Deleted.
2476
2477 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
2478
2479         Provide SPI to allow changing whether JSContexts are remote debuggable by default
2480         https://bugs.webkit.org/show_bug.cgi?id=143681
2481
2482         Reviewed by Darin Adler.
2483
2484         * API/JSRemoteInspector.h:
2485         * API/JSRemoteInspector.cpp:
2486         (JSRemoteInspectorGetInspectionEnabledByDefault):
2487         (JSRemoteInspectorSetInspectionEnabledByDefault):
2488         Provide SPI to toggle the default enabled inspection state of debuggables.
2489
2490         * API/JSContextRef.cpp:
2491         (JSGlobalContextCreateInGroup):
2492         Respect the default setting.
2493
2494 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
2495
2496         JavaScriptCore: Use kCFAllocatorDefault where possible
2497         https://bugs.webkit.org/show_bug.cgi?id=143747
2498
2499         Reviewed by Darin Adler.
2500
2501         * heap/HeapTimer.cpp:
2502         (JSC::HeapTimer::HeapTimer):
2503         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2504         (Inspector::RemoteInspectorInitializeGlobalQueue):
2505         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
2506         For consistency and readability use the constant instead of
2507         different representations of null.
2508
2509 2015-04-14  Michael Saboff  <msaboff@apple.com>
2510
2511         Remove JavaScriptCoreUseJIT default from JavaScriptCore
2512         https://bugs.webkit.org/show_bug.cgi?id=143746
2513
2514         Reviewed by Mark Lam.
2515
2516         * runtime/VM.cpp:
2517         (JSC::enableAssembler):
2518
2519 2015-04-14  Chris Dumez  <cdumez@apple.com>
2520
2521         Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
2522         https://bugs.webkit.org/show_bug.cgi?id=143745
2523         <rdar://problem/20243916>
2524
2525         Reviewed by Joseph Pecoraro.
2526
2527         Add assertion in ContentSearchUtilities::findMagicComment() to make
2528         sure the content String is not null or we would crash in
2529         JSC::Yarr::interpret() later.
2530
2531         * inspector/ContentSearchUtilities.cpp:
2532         (Inspector::ContentSearchUtilities::findMagicComment):
2533
2534 2015-04-14  Michael Saboff  <msaboff@apple.com>
2535
2536         DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
2537         https://bugs.webkit.org/show_bug.cgi?id=143727
2538
2539         Reviewed by Geoffrey Garen.
2540
2541         Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
2542         with the requested fill format.  If filter() reports a contradiction, then we force an OSR exit.
2543         Removed individual checks made redundant by the new check.
2544
2545         * dfg/DFGSpeculativeJIT32_64.cpp:
2546         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2547         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2548         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2549         * dfg/DFGSpeculativeJIT64.cpp:
2550         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2551         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2552         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2553         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2554
2555 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
2556
2557         Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
2558         https://bugs.webkit.org/show_bug.cgi?id=143691
2559
2560         Reviewed by Geoffrey Garen.
2561
2562         * API/JSRemoteInspector.h:
2563         * API/JSRemoteInspector.cpp:
2564         (JSRemoteInspectorSetLogToSystemConsole):
2565         Add SPI to enable/disable logging to the system console.
2566         This only affects JSContext `console` logs and warnings.
2567
2568         * inspector/JSGlobalObjectConsoleClient.h:
2569         * inspector/JSGlobalObjectConsoleClient.cpp:
2570         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
2571         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
2572         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
2573         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
2574         Simplify access to the setting now that it doesn't need to
2575         initialize its value from preferences.
2576
2577 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
2578
2579         Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
2580         https://bugs.webkit.org/show_bug.cgi?id=143682
2581
2582         Reviewed by Timothy Hatcher.
2583
2584         * inspector/remote/RemoteInspector.mm:
2585         (Inspector::RemoteInspector::singleton):
2586         If we are on the main thread, run the initialization immediately.
2587         Otherwise dispatch to the main thread. This way if the first JSContext
2588         was created on the main thread it can get auto-attached if applicable.
2589
2590 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
2591
2592         Unreviewed build fix for Mavericks.
2593
2594         Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
2595         so the Inspector namespace is not available when compiling this file.
2596
2597         * API/JSRemoteInspector.cpp:
2598
2599 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
2600
2601         Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
2602         https://bugs.webkit.org/show_bug.cgi?id=143729
2603
2604         Reviewed by Timothy Hatcher.
2605
2606         * API/JSRemoteInspector.h: Added.
2607         * API/JSRemoteInspector.cpp: Added.
2608         (JSRemoteInspectorDisableAutoStart):
2609         (JSRemoteInspectorStart):
2610         (JSRemoteInspectorSetParentProcessInformation):
2611         Add the new SPIs for basic remote inspection behavior.
2612
2613         * JavaScriptCore.xcodeproj/project.pbxproj:
2614         Add the new files to Mac only, since remote inspection is only
2615         enabled there anyways.
2616
2617 2015-04-14  Mark Lam  <mark.lam@apple.com>
2618
2619         Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
2620         https://bugs.webkit.org/show_bug.cgi?id=143722
2621
2622         Reviewed by Michael Saboff.
2623
2624         Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
2625         shorter, and easier to remember (without having to look it up) and to
2626         type.  JSC options now support descriptions, and one can always look up
2627         the description if the option's purpose is not already obvious.
2628
2629         * dfg/DFGFunctionWhitelist.cpp:
2630         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
2631         (JSC::DFG::FunctionWhitelist::contains):
2632         * runtime/Options.h:
2633
2634 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
2635
2636         Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
2637
2638         * runtime/InferredValue.h:
2639
2640 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
2641
2642         Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
2643
2644         * runtime/InferredValue.h:
2645
2646 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
2647
2648         JSC should detect singleton functions
2649         https://bugs.webkit.org/show_bug.cgi?id=143232
2650
2651         Reviewed by Geoffrey Garen.
2652         
2653         This started out as an attempt to make constructors faster by detecting when a constructor is a
2654         singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
2655         along with an inferred value - that detects if only one JSFunction has been allocated for that
2656         executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
2657         if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
2658         we can constant-fold GetCallee.
2659         
2660         Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
2661         process I realized a bunch of things:
2662         
2663         - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
2664           had even in code where our singleton-closure detection worked. That's because singleton-closure
2665           inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
2666           the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
2667           disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
2668           values.
2669           
2670         - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
2671           created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
2672           FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
2673         
2674         - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
2675           detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
2676           about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
2677           SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
2678           First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
2679           scope. This saves compile times and it allows prediction propagation to benefit from the
2680           constant folding. Second, it means that we will detect a singleton scope even if it is
2681           referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
2682           allows us to eliminate the function reentry watchpoint.
2683         
2684         - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
2685           constant values in scopes. Previously when the DFG inferred that a closure variable was
2686           constant, it wouldn't know which closure that variable was in and so it couldn't just load that
2687           value. But now we are first inferring that the function is a singleton, which means that we
2688           know exactly what scope it points to, and we can load the value from the scope. Using a
2689           WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
2690           code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
2691           I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
2692           FunctionExecutable wants.
2693         
2694         This also has the effect of simplifying the implementation of block scoping. Prior to this
2695         change, block scoping would have needed to have some story for the function reentry watchpoint on
2696         any nested symbol table. That's totally weird to think about; it's not really a function reentry
2697         but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
2698         will "just work": if we prove that we know the constant value of the scope then the machinery
2699         kicks in, otherwise it doesn't.
2700         
2701         This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
2702
2703         * CMakeLists.txt:
2704         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2705         * JavaScriptCore.xcodeproj/project.pbxproj:
2706         * bytecode/BytecodeList.json:
2707         * bytecode/BytecodeUseDef.h:
2708         (JSC::computeUsesForBytecodeOffset):
2709         (JSC::computeDefsForBytecodeOffset):
2710         * bytecode/CodeBlock.cpp:
2711         (JSC::CodeBlock::dumpBytecode):
2712         (JSC::CodeBlock::CodeBlock):
2713         (JSC::CodeBlock::finalizeUnconditionally):
2714         (JSC::CodeBlock::valueProfileForBytecodeOffset):
2715         * bytecode/CodeBlock.h:
2716         (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
2717         * bytecode/CodeOrigin.cpp:
2718         (JSC::InlineCallFrame::calleeConstant):
2719         (JSC::InlineCallFrame::visitAggregate):
2720         * bytecode/CodeOrigin.h:
2721         (JSC::InlineCallFrame::calleeConstant): Deleted.
2722         (JSC::InlineCallFrame::visitAggregate): Deleted.
2723         * bytecode/Instruction.h:
2724         * bytecode/VariableWatchpointSet.cpp: Removed.
2725         * bytecode/VariableWatchpointSet.h: Removed.
2726         * bytecode/VariableWatchpointSetInlines.h: Removed.
2727         * bytecode/VariableWriteFireDetail.cpp: Added.
2728         (JSC::VariableWriteFireDetail::dump):
2729         (JSC::VariableWriteFireDetail::touch):
2730         * bytecode/VariableWriteFireDetail.h: Added.
2731         (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
2732         * bytecode/Watchpoint.h:
2733         (JSC::WatchpointSet::stateOnJSThread):
2734         (JSC::WatchpointSet::startWatching):
2735         (JSC::WatchpointSet::fireAll):
2736         (JSC::WatchpointSet::touch):
2737         (JSC::WatchpointSet::invalidate):
2738         (JSC::InlineWatchpointSet::stateOnJSThread):
2739         (JSC::InlineWatchpointSet::state):
2740         (JSC::InlineWatchpointSet::hasBeenInvalidated):
2741         (JSC::InlineWatchpointSet::invalidate):
2742         (JSC::InlineWatchpointSet::touch):
2743         * bytecompiler/BytecodeGenerator.cpp:
2744         (JSC::BytecodeGenerator::BytecodeGenerator):
2745         * dfg/DFGAbstractInterpreterInlines.h:
2746         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2747         * dfg/DFGByteCodeParser.cpp:
2748         (JSC::DFG::ByteCodeParser::get):
2749         (JSC::DFG::ByteCodeParser::parseBlock):
2750         (JSC::DFG::ByteCodeParser::getScope): Deleted.
2751         * dfg/DFGCapabilities.cpp:
2752         (JSC::DFG::capabilityLevel):
2753         * dfg/DFGClobberize.h:
2754         (JSC::DFG::clobberize):
2755         * dfg/DFGDesiredWatchpoints.cpp:
2756         (JSC::DFG::InferredValueAdaptor::add):
2757         (JSC::DFG::DesiredWatchpoints::addLazily):
2758         (JSC::DFG::DesiredWatchpoints::reallyAdd):
2759         (JSC::DFG::DesiredWatchpoints::areStillValid):
2760         * dfg/DFGDesiredWatchpoints.h:
2761         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
2762         (JSC::DFG::DesiredWatchpoints::isWatched):
2763         * dfg/DFGGraph.cpp:
2764         (JSC::DFG::Graph::dump):
2765         (JSC::DFG::Graph::tryGetConstantClosureVar):
2766         * dfg/DFGNode.h:
2767         (JSC::DFG::Node::hasWatchpointSet):
2768         (JSC::DFG::Node::watchpointSet):
2769         (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
2770         (JSC::DFG::Node::variableWatchpointSet): Deleted.
2771         * dfg/DFGOperations.cpp:
2772         * dfg/DFGOperations.h:
2773         * dfg/DFGSpeculativeJIT.cpp:
2774         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2775         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2776         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
2777         * dfg/DFGSpeculativeJIT.h:
2778         (JSC::DFG::SpeculativeJIT::callOperation):
2779         * dfg/DFGSpeculativeJIT32_64.cpp:
2780         (JSC::DFG::SpeculativeJIT::compile):
2781         * dfg/DFGSpeculativeJIT64.cpp:
2782         (JSC::DFG::SpeculativeJIT::compile):
2783         * dfg/DFGVarargsForwardingPhase.cpp:
2784         * ftl/FTLIntrinsicRepository.h:
2785         * ftl/FTLLowerDFGToLLVM.cpp:
2786         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
2787         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
2788         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
2789         * interpreter/Interpreter.cpp:
2790         (JSC::StackFrame::friendlySourceURL):
2791         (JSC::StackFrame::friendlyFunctionName):
2792         * interpreter/Interpreter.h:
2793         (JSC::StackFrame::friendlySourceURL): Deleted.
2794         (JSC::StackFrame::friendlyFunctionName): Deleted.
2795         * jit/JIT.cpp:
2796         (JSC::JIT::emitNotifyWrite):
2797         (JSC::JIT::privateCompileMainPass):
2798         * jit/JIT.h:
2799         * jit/JITOpcodes.cpp:
2800         (JSC::JIT::emit_op_touch_entry): Deleted.
2801         * jit/JITOperations.cpp:
2802         * jit/JITOperations.h:
2803         * jit/JITPropertyAccess.cpp:
2804         (JSC::JIT::emitPutGlobalVar):
2805         (JSC::JIT::emitPutClosureVar):
2806         (JSC::JIT::emitNotifyWrite): Deleted.
2807         * jit/JITPropertyAccess32_64.cpp:
2808         (JSC::JIT::emitPutGlobalVar):
2809         (JSC::JIT::emitPutClosureVar):
2810         (JSC::JIT::emitNotifyWrite): Deleted.
2811         * llint/LLIntSlowPaths.cpp:
2812         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2813         * llint/LowLevelInterpreter.asm:
2814         * llint/LowLevelInterpreter32_64.asm:
2815         * llint/LowLevelInterpreter64.asm:
2816         * runtime/CommonSlowPaths.cpp:
2817         (JSC::SLOW_PATH_DECL): Deleted.
2818         * runtime/CommonSlowPaths.h:
2819         * runtime/Executable.cpp:
2820         (JSC::FunctionExecutable::finishCreation):
2821         (JSC::FunctionExecutable::visitChildren):
2822         * runtime/Executable.h:
2823         (JSC::FunctionExecutable::singletonFunction):
2824         * runtime/InferredValue.cpp: Added.
2825         (JSC::InferredValue::create):
2826         (JSC::InferredValue::destroy):
2827         (JSC::InferredValue::createStructure):
2828         (JSC::InferredValue::visitChildren):
2829         (JSC::InferredValue::InferredValue):
2830         (JSC::InferredValue::~InferredValue):
2831         (JSC::InferredValue::notifyWriteSlow):
2832         (JSC::InferredValue::ValueCleanup::ValueCleanup):
2833         (JSC::InferredValue::ValueCleanup::~ValueCleanup):
2834         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
2835         * runtime/InferredValue.h: Added.
2836         (JSC::InferredValue::inferredValue):
2837         (JSC::InferredValue::state):
2838         (JSC::InferredValue::isStillValid):
2839         (JSC::InferredValue::hasBeenInvalidated):
2840         (JSC::InferredValue::add):
2841         (JSC::InferredValue::notifyWrite):
2842         (JSC::InferredValue::invalidate):
2843         * runtime/JSEnvironmentRecord.cpp:
2844         (JSC::JSEnvironmentRecord::visitChildren):
2845         * runtime/JSEnvironmentRecord.h:
2846         (JSC::JSEnvironmentRecord::isValid):
2847         (JSC::JSEnvironmentRecord::finishCreation):
2848         * runtime/JSFunction.cpp:
2849         (JSC::JSFunction::create):
2850         * runtime/JSFunction.h:
2851         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2852         (JSC::JSFunction::createImpl):
2853         (JSC::JSFunction::create): Deleted.
2854         * runtime/JSGlobalObject.cpp:
2855         (JSC::JSGlobalObject::addGlobalVar):
2856         (JSC::JSGlobalObject::addFunction):
2857         * runtime/JSGlobalObject.h:
2858         * runtime/JSLexicalEnvironment.cpp:
2859         (JSC::JSLexicalEnvironment::symbolTablePut):
2860         * runtime/JSScope.h:
2861         (JSC::ResolveOp::ResolveOp):
2862         * runtime/JSSegmentedVariableObject.h:
2863         (JSC::JSSegmentedVariableObject::finishCreation):
2864         * runtime/JSSymbolTableObject.h:
2865         (JSC::JSSymbolTableObject::JSSymbolTableObject):
2866         (JSC::JSSymbolTableObject::setSymbolTable):
2867         (JSC::symbolTablePut):
2868         (JSC::symbolTablePutWithAttributes):
2869         * runtime/PutPropertySlot.h:
2870         * runtime/SymbolTable.cpp:
2871         (JSC::SymbolTableEntry::prepareToWatch):
2872         (JSC::SymbolTable::SymbolTable):
2873         (JSC::SymbolTable::finishCreation):
2874         (JSC::SymbolTable::visitChildren):
2875         (JSC::SymbolTableEntry::inferredValue): Deleted.
2876         (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
2877         (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
2878         (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
2879         (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
2880         * runtime/SymbolTable.h:
2881         (JSC::SymbolTableEntry::disableWatching):
2882         (JSC::SymbolTableEntry::watchpointSet):
2883         (JSC::SymbolTable::singletonScope):
2884         (JSC::SymbolTableEntry::notifyWrite): Deleted.
2885         * runtime/TypeProfiler.cpp:
2886         * runtime/VM.cpp:
2887         (JSC::VM::VM):
2888         * runtime/VM.h:
2889         * tests/stress/infer-uninitialized-closure-var.js: Added.
2890         (foo.f):
2891         (foo):
2892         * tests/stress/singleton-scope-then-overwrite.js: Added.
2893         (foo.f):
2894         (foo):
2895         * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
2896         (foo):
2897         * tests/stress/singleton-scope-then-realloc.js: Added.
2898         (foo):
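
An added model of the InferredValue/singleton detection this entry describes, written for this page and not taken from JavaScriptCore: the class and method names (InferredValue, notifyWrite, singletonFunction) echo the entry, but the bodies, the JSFunction stand-in and the scenario function are this example's own simplifications.

```cpp
// Illustrative model of the InferredValue idea: a cell that remembers whether
// exactly one value has ever been written to it, and which value that was.
// This is not JavaScriptCore's implementation.
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-in for a JSFunction cell; only its identity (address) matters here.
struct JSFunction {
    std::string name;
};

// Three-state inference: nothing seen yet, exactly one value seen (watchable),
// or more than one distinct value seen (invalidated for good).
enum class InferredState { Clear, IsWatched, IsInvalidated };

class InferredValue {
public:
    using Watchpoint = std::function<void()>;

    InferredState state() const { return m_state; }
    bool isStillValid() const { return m_state == InferredState::IsWatched; }
    bool hasBeenInvalidated() const { return m_state == InferredState::IsInvalidated; }

    // The inferred singleton, or nullptr if nothing is (or can be) inferred.
    JSFunction* inferredValue() const { return isStillValid() ? m_value : nullptr; }

    // Compiled code registers a watchpoint so it can be thrown away if the
    // inference is later invalidated. Registering on a non-watched set is a no-op.
    void add(Watchpoint wp) {
        if (m_state == InferredState::IsWatched)
            m_watchpoints.push_back(std::move(wp));
    }

    // Called on every write; for a FunctionExecutable that is every allocation
    // of a JSFunction for it.
    void notifyWrite(JSFunction* value) {
        switch (m_state) {
        case InferredState::Clear:
            m_value = value;
            m_state = InferredState::IsWatched;
            return;
        case InferredState::IsWatched:
            if (value == m_value)
                return;                 // same singleton again: inference still holds
            invalidate();
            return;
        case InferredState::IsInvalidated:
            return;
        }
    }

    void invalidate() {
        m_state = InferredState::IsInvalidated;
        m_value = nullptr;
        for (auto& wp : m_watchpoints)
            wp();                       // fire: jettison code that relied on the inference
        m_watchpoints.clear();
    }

private:
    InferredState m_state { InferredState::Clear };
    JSFunction* m_value { nullptr };
    std::vector<Watchpoint> m_watchpoints;
};

// Stand-in for FunctionExecutable: every JSFunction created for it is reported
// to the InferredValue, so the executable knows whether it has a singleton.
class FunctionExecutable {
public:
    JSFunction* createFunction(std::string name) {
        auto fn = std::make_unique<JSFunction>();
        fn->name = std::move(name);
        m_functions.push_back(std::move(fn));
        JSFunction* raw = m_functions.back().get();
        m_singletonFunction.notifyWrite(raw);
        return raw;
    }
    InferredValue& singletonFunction() { return m_singletonFunction; }

private:
    std::vector<std::unique_ptr<JSFunction>> m_functions;
    InferredValue m_singletonFunction;
};

// Scenario in the spirit of the singleton-scope-then-realloc tests named above:
// infer a singleton, let "compiled code" depend on it, then allocate a second
// closure and observe the invalidation. Returns how often the watchpoint fired,
// or a negative code if an intermediate expectation failed.
int singletonThenReallocScenario() {
    FunctionExecutable exec;
    int fired = 0;
    JSFunction* first = exec.createFunction("foo");
    if (exec.singletonFunction().inferredValue() != first)
        return -1;                      // one allocation: singleton is known
    exec.singletonFunction().add([&fired] { ++fired; });
    exec.createFunction("foo");         // second closure for the same executable
    if (!exec.singletonFunction().hasBeenInvalidated())
        return -2;
    return fired;
}

// Writing the same value twice must not invalidate the inference.
bool sameValueTwiceStaysValid() {
    InferredValue iv;
    JSFunction f;
    iv.notifyWrite(&f);
    iv.notifyWrite(&f);
    return iv.isStillValid() && iv.inferredValue() == &f;
}
```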
2899
2900 2015-04-13  Andreas Kling  <akling@apple.com>
2901
2902         Don't segregate heap objects based on Structure immortality.
2903         <https://webkit.org/b/143638>
2904
2905         Reviewed by Darin Adler.
2906
2907         Put all objects that need a destructor call into the same MarkedBlock.
2908         This reduces memory consumption in many situations, while improving locality,
2909         since much more of the MarkedBlock space can be shared.
2910
2911         Instead of branching on the MarkedBlock type, we now check a bit in the
2912         JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
2913         to access the cell's Structure during destruction or not.
2914
2915         Performance benchmarks look mostly neutral. Maybe a small regression on
2916         SunSpider's date objects.
2917
2918         On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
2919         with a bunch of WeakBlocks that were hanging off of them. That's on the higher
2920         end of savings we can get from this, but still a very real improvement.
2921
2922         Most of this patch is removing the "hasImmortalStructure" constant from JSCell
2923         derived classes and passing that responsibility to the StructureIsImmortal flag.
2924         StructureFlags is made public so that it's accessible from non-member functions.
2925         I made sure to declare it everywhere and make classes final to try to make it
2926         explicit what each class is doing to its inherited flags.
2927
2928         * API/JSCallbackConstructor.h:
2929         * API/JSCallbackObject.h:
2930         * bytecode/UnlinkedCodeBlock.h:
2931         * debugger/DebuggerScope.h:
2932         * dfg/DFGSpeculativeJIT.cpp:
2933         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2934         * ftl/FTLLowerDFGToLLVM.cpp:
2935         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2936         * heap/Heap.h:
2937         (JSC::Heap::subspaceForObjectDestructor):
2938         (JSC::Heap::allocatorForObjectWithDestructor):
2939         (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
2940         (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
2941         (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
2942         (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
2943         * heap/HeapInlines.h:
2944         (JSC::Heap::allocateWithDestructor):
2945         (JSC::Heap::allocateObjectOfType):
2946         (JSC::Heap::subspaceForObjectOfType):
2947         (JSC::Heap::allocatorForObjectOfType):
2948         (JSC::Heap::allocateWithNormalDestructor): Deleted.
2949         (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
2950         * heap/MarkedAllocator.cpp:
2951         (JSC::MarkedAllocator::allocateBlock):
2952         * heap/MarkedAllocator.h:
2953         (JSC::MarkedAllocator::needsDestruction):
2954         (JSC::MarkedAllocator::MarkedAllocator):
2955         (JSC::MarkedAllocator::init):
2956         (JSC::MarkedAllocator::destructorType): Deleted.
2957         * heap/MarkedBlock.cpp:
2958         (JSC::MarkedBlock::create):
2959         (JSC::MarkedBlock::MarkedBlock):
2960         (JSC::MarkedBlock::callDestructor):
2961         (JSC::MarkedBlock::specializedSweep):
2962         (JSC::MarkedBlock::sweep):
2963         (JSC::MarkedBlock::sweepHelper):
2964         * heap/MarkedBlock.h:
2965         (JSC::MarkedBlock::needsDestruction):
2966         (JSC::MarkedBlock::destructorType): Deleted.
2967         * heap/MarkedSpace.cpp:
2968         (JSC::MarkedSpace::MarkedSpace):
2969         (JSC::MarkedSpace::resetAllocators):
2970         (JSC::MarkedSpace::forEachAllocator):
2971         (JSC::MarkedSpace::isPagedOut):
2972         (JSC::MarkedSpace::clearNewlyAllocated):
2973         * heap/MarkedSpace.h:
2974         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
2975         (JSC::MarkedSpace::destructorAllocatorFor):
2976         (JSC::MarkedSpace::allocateWithDestructor):
2977         (JSC::MarkedSpace::forEachBlock):
2978         (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
2979         (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
2980         (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
2981         (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
2982         (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
2983         (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
2984         * inspector/JSInjectedScriptHost.h:
2985         * inspector/JSInjectedScriptHostPrototype.h:
2986         * inspector/JSJavaScriptCallFrame.h:
2987         * inspector/JSJavaScriptCallFramePrototype.h:
2988         * jsc.cpp:
2989         * runtime/ArrayBufferNeuteringWatchpoint.h:
2990         * runtime/ArrayConstructor.h:
2991         * runtime/ArrayIteratorPrototype.h:
2992         * runtime/BooleanPrototype.h:
2993         * runtime/ClonedArguments.h:
2994         * runtime/CustomGetterSetter.h:
2995         * runtime/DateConstructor.h:
2996         * runtime/DatePrototype.h:
2997         * runtime/ErrorPrototype.h:
2998         * runtime/ExceptionHelpers.h:
2999         * runtime/Executable.h:
3000         * runtime/GenericArguments.h:
3001         * runtime/GetterSetter.h:
3002         * runtime/InternalFunction.h:
3003         * runtime/JSAPIValueWrapper.h:
3004         * runtime/JSArgumentsIterator.h:
3005         * runtime/JSArray.h:
3006         * runtime/JSArrayBuffer.h:
3007         * runtime/JSArrayBufferView.h:
3008         * runtime/JSBoundFunction.h:
3009         * runtime/JSCallee.h:
3010         * runtime/JSCell.h:
3011         * runtime/JSCellInlines.h:
3012         (JSC::JSCell::classInfo):
3013         * runtime/JSDataViewPrototype.h:
3014         * runtime/JSEnvironmentRecord.h:
3015         * runtime/JSFunction.h:
3016         * runtime/JSGenericTypedArrayView.h:
3017         * runtime/JSGlobalObject.h:
3018         * runtime/JSLexicalEnvironment.h:
3019         * runtime/JSNameScope.h:
3020         * runtime/JSNotAnObject.h:
3021         * runtime/JSONObject.h:
3022         * runtime/JSObject.h:
3023         (JSC::JSFinalObject::JSFinalObject):
3024         * runtime/JSPromiseConstructor.h:
3025         * runtime/JSPromiseDeferred.h:
3026         * runtime/JSPromisePrototype.h:
3027         * runtime/JSPromiseReaction.h:
3028         * runtime/JSPropertyNameEnumerator.h:
3029         * runtime/JSProxy.h:
3030         * runtime/JSScope.h:
3031         * runtime/JSString.h:
3032         * runtime/JSSymbolTableObject.h:
3033         * runtime/JSTypeInfo.h:
3034         (JSC::TypeInfo::structureIsImmortal):
3035         * runtime/MathObject.h:
3036         * runtime/NumberConstructor.h:
3037         * runtime/NumberPrototype.h:
3038         * runtime/ObjectConstructor.h:
3039         * runtime/PropertyMapHashTable.h:
3040         * runtime/RegExp.h:
3041         * runtime/RegExpConstructor.h:
3042         * runtime/RegExpObject.h:
3043         * runtime/RegExpPrototype.h:
3044         * runtime/ScopedArgumentsTable.h:
3045         * runtime/SparseArrayValueMap.h:
3046         * runtime/StrictEvalActivation.h:
3047         * runtime/StringConstructor.h:
3048         * runtime/StringIteratorPrototype.h:
3049         * runtime/StringObject.h:
3050         * runtime/StringPrototype.h:
3051         * runtime/Structure.cpp:
3052         (JSC::Structure::Structure):
3053         * runtime/Structure.h:
3054         * runtime/StructureChain.h:
3055         * runtime/StructureRareData.h:
3056         * runtime/Symbol.h:
3057         * runtime/SymbolPrototype.h:
3058         * runtime/SymbolTable.h:
3059         * runtime/WeakMapData.h:
3060
3061 2015-04-13  Mark Lam  <mark.lam@apple.com>
3062
3063         DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
3064         https://bugs.webkit.org/show_bug.cgi?id=143407
3065
3066         Reviewed by Filip Pizlo.
3067
3068         DFG inlining of a varargs call / construct needs to keep the local
3069         containing the callee alive with a Phantom node because the LoadVarargs
3070         node may OSR exit.  After the OSR exit, the baseline JIT executes the
3071         op_call_varargs with that callee in the local.
3072
3073         Previously, because that callee local was not explicitly kept alive,
3074         the op_call_varargs case can OSR exit a DFG function and leave an
3075         undefined value in that local.  As a result, the baseline observes the
3076         side effect of an op_call_varargs on an undefined value instead of the
3077         function it expected.
3078
3079         Note: this issue does not manifest with op_construct_varargs because
3080         the inlined constructor will have an op_create_this which operates on
3081         the incoming callee value, thereby keeping it alive.
3082
3083         * dfg/DFGByteCodeParser.cpp:
3084         (JSC::DFG::ByteCodeParser::handleInlining):
3085         * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
3086         (foo):
3087         (Foo):
3088         (doTest):
3089
3090 2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3091
3092         [ES6] Implement Array.prototype.values
3093         https://bugs.webkit.org/show_bug.cgi?id=143633
3094
3095         Reviewed by Darin Adler.
3096
3097         Symbol.unscopables is implemented, so we can implement Array.prototype.values
3098         without largely breaking the web. The following script passes.
3099
3100         var array = [];
3101         var values = 42;
3102         with (array) {
3103             assert(values, 42);
3104         }
3105
3106         * runtime/ArrayPrototype.cpp:
3107         * tests/stress/array-iterators-next.js:
3108         * tests/stress/map-iterators-next.js:
3109         * tests/stress/set-iterators-next.js:
3110         * tests/stress/values-unscopables.js: Added.
3111         (test):
3112
3113 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3114
3115         Run flaky conservative GC related test first before polluting stack and registers
3116         https://bugs.webkit.org/show_bug.cgi?id=143634
3117
3118         Reviewed by Ryosuke Niwa.
3119
3120         After r182653, JSC API tests fail. However, it's not related to the change.
3121         After investigating the cause of this failure, I've found that the failed test is flaky
3122         because JSC's GC is conservative. If a previously allocated JSGlobalObject is accidentally kept alive
3123         due to conservative roots in the C stack and registers, this test fails.
3124
3125         Since GC marks the C stack and registers as roots conservatively,
3126         objects not referenced logically can be accidentally marked and kept alive.
3127         To avoid this situation as much as we can,
3128         1. run this test first before the stack is polluted,
3129         2. extract this test as a function to suppress stack height.
3130
3131         * API/tests/testapi.mm:
3132         (testWeakValue):
3133         (testObjectiveCAPIMain):
3134         (testObjectiveCAPI):
3135
3136 2015-04-11  Matt Baker  <mattbaker@apple.com>
3137
3138         Web Inspector: create content view and details sidebar for Frames timeline
3139         https://bugs.webkit.org/show_bug.cgi?id=143533
3140
3141         Reviewed by Timothy Hatcher.
3142
3143         Refactoring: RunLoop prefix changed to RenderingFrame.
3144
3145         * inspector/protocol/Timeline.json:
3146
3147 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3148
3149         [ES6] Enable Symbol in web pages
3150         https://bugs.webkit.org/show_bug.cgi?id=143375
3151
3152         Reviewed by Ryosuke Niwa.
3153
3154         Expose Symbol to web pages.
3155         Symbol was exposed, but it was hidden since it breaks Facebook comments.
3156         This is because at that time Symbol was implemented,
3157         but methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
3158         and that broke React.js and immutable.js.
3159
3160         Now methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
3161         and we made sure that Facebook comment input functionality is not broken with exposed Symbol.
3162
3163         So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
3164         and enables symbols by default.
3165
3166         * runtime/ArrayPrototype.cpp:
3167         (JSC::ArrayPrototype::finishCreation):
3168         * runtime/CommonIdentifiers.h:
3169         * runtime/JSGlobalObject.cpp:
3170         (JSC::JSGlobalObject::init):
3171         * runtime/ObjectConstructor.cpp:
3172         (JSC::ObjectConstructor::finishCreation):
3173         * runtime/RuntimeFlags.h:
3174
3175 2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3176
3177         ES6: Iterator toString names should be consistent
3178         https://bugs.webkit.org/show_bug.cgi?id=142424
3179
3180         Reviewed by Geoffrey Garen.
3181
3182         Iterator Object Names in the spec right now have spaces.
3183         In our implementation some do and some don't.
3184         This patch aligns JSC to the spec.
3185
3186         * runtime/JSArrayIterator.cpp:
3187         * runtime/JSStringIterator.cpp:
3188         * tests/stress/iterator-names.js: Added.
3189         (test):
3190         (iter):
3191         (check):
3192
3193 2015-04-10  Michael Saboff  <msaboff@apple.com>
3194
3195         REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
3196         https://bugs.webkit.org/show_bug.cgi?id=143582
3197
3198         Reviewed by Mark Lam.
3199
3200         For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
3201         fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
3202         For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
3203         The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
3204         if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
3205         we would still OSR exit after the speculation check.
3206
3207         * dfg/DFGFixupPhase.cpp:
3208         (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
3209         * dfg/DFGSpeculativeJIT32_64.cpp:
3210         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3211
3212 2015-04-10  Milan Crha  <mcrha@redhat.com>
3213
3214         Disable Linux-specific code in a Windows build
3215         https://bugs.webkit.org/show_bug.cgi?id=137973
3216
3217         Reviewed by Joseph Pecoraro.
3218
3219         * inspector/JSGlobalObjectInspectorController.cpp:
3220         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3221
3222 2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>
3223
3224         [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
3225         https://bugs.webkit.org/show_bug.cgi?id=143368
3226
3227         Reviewed by Michael Saboff.
3228
3229         * jit/RegisterSet.cpp:
3230         (JSC::RegisterSet::calleeSaveRegisters):
3231
3232 2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>
3233
3234         Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
3235         https://bugs.webkit.org/show_bug.cgi?id=143430
3236
3237         Reviewed by Darin Adler.
3238
3239         * runtime/ExceptionHelpers.cpp:
3240         (JSC::errorDescriptionForValue):
3241         * runtime/NumberPrototype.cpp:
3242         (JSC::numberProtoFuncToExponential):
3243         (JSC::numberProtoFuncToPrecision):
3244         (JSC::numberProtoFuncToString):
3245         * runtime/SymbolPrototype.cpp:
3246         (JSC::symbolProtoFuncToString):
3247
3248 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
3249
3250         JSArray::sortNumeric should handle ArrayWithUndecided
3251         https://bugs.webkit.org/show_bug.cgi?id=143535
3252
3253         Reviewed by Geoffrey Garen.
3254         
3255         ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.
3256
3257         * runtime/JSArray.cpp:
3258         (JSC::JSArray::sortNumeric):
3259         * tests/stress/sort-array-with-undecided.js: Added.
3260
3261 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
3262
3263         DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
3264         https://bugs.webkit.org/show_bug.cgi?id=143532
3265
3266         Reviewed by Gavin Barraclough.
3267         
3268         Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
3269         But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
3270         would think that there never was wrap-around.
3271         
3272         This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.
3273
3274         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3275         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
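
An added example for this entry, not JavaScriptCore's code: the same 32-bit wrap-around check written once in the pattern the entry warns about and twice with defined behaviour. The function names are this example's own; the actual check lives in IntegerCheckCombiningPhase::isValid and is not reproduced here.

```cpp
// Wrap-around detection for int32 addition: undefined-behaviour version versus
// two defined-behaviour versions. Written for this page, not taken from JSC.
#include <cstdint>
#include <limits>

// The pattern the entry describes: signed overflow is undefined behaviour in
// C++, so an optimizing compiler may assume `a + b` never wraps and fold this
// whole function to `false`. Shown for contrast only; nothing below calls it.
bool wouldWrapNaive(int32_t a, int32_t b) {
    int32_t sum = a + b;              // UB when the true sum leaves the int32 range
    return (b > 0) ? (sum < a) : (sum > a);
}

// Defined-behaviour version: do the arithmetic in a wider type and compare the
// exact result against the int32 range. int64_t cannot overflow here.
bool wouldWrapInt32(int32_t a, int32_t b) {
    int64_t sum = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    return sum > std::numeric_limits<int32_t>::max()
        || sum < std::numeric_limits<int32_t>::min();
}

// Equivalent check without widening: unsigned arithmetic wraps with defined
// (modular) semantics, and the sign bits tell us whether the int32
// interpretation overflowed. Overflow happens exactly when a and b share a
// sign and the sum's sign differs from both.
bool wouldWrapInt32Unsigned(int32_t a, int32_t b) {
    uint32_t ua = static_cast<uint32_t>(a);
    uint32_t ub = static_cast<uint32_t>(b);
    uint32_t us = ua + ub;            // defined modular wrap
    return ((ua ^ us) & (ub ^ us) & 0x80000000u) != 0;
}
```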
3276
3277 2015-04-07  Michael Saboff  <msaboff@apple.com>
3278
3279         Lazily initialize LogToSystemConsole flag to reduce memory usage
3280         https://bugs.webkit.org/show_bug.cgi?id=143506
3281
3282         Reviewed by Mark Lam.
3283
3284         Only call into CF preferences code when we need to in order to reduce memory usage.
3285
3286         * inspector/JSGlobalObjectConsoleClient.cpp:
3287         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
3288         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
3289         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
3290         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
3291
3292 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
3293
3294         Get the features.json files ready for open contributions
3295         https://bugs.webkit.org/show_bug.cgi?id=143436
3296
3297         Reviewed by Darin Adler.
3298
3299         * features.json:
3300
3301 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
3302
3303         Constant folding of typed array properties should be handled by AI rather than strength reduction
3304         https://bugs.webkit.org/show_bug.cgi?id=143496
3305
3306         Reviewed by Geoffrey Garen.
3307         
3308         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
3309         phase and whatever other phase did the folding in order to find all constants.
3310         
3311         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
3312         directly.
3313         
3314         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
3315         found because all of the tests for it involved the property getting constant folded. I found that
3316         the codegen was bad because an earlier version of the patch broke that constant folding. This
3317         adds a new test for that node type, which makes constant folding impossible by allocating a new
3318         typed array every time. The lesson here is: if you write a test for something, run the test with
3319         full IR dumps to make sure it's actually testing the thing you want it to test.
3320
3321         * dfg/DFGAbstractInterpreterInlines.h:
3322         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3323         * dfg/DFGClobberize.h:
3324         (JSC::DFG::clobberize):
3325         * dfg/DFGConstantFoldingPhase.cpp:
3326         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3327         * dfg/DFGDoesGC.cpp:
3328         (JSC::DFG::doesGC):
3329         * dfg/DFGFixupPhase.cpp:
3330         (JSC::DFG::FixupPhase::fixupNode):
3331         * dfg/DFGGraph.cpp:
3332         (JSC::DFG::Graph::dump):
3333         (JSC::DFG::Graph::tryGetFoldableView):
3334         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
3335         * dfg/DFGGraph.h:
3336         * dfg/DFGNode.h:
3337         (JSC::DFG::Node::hasTypedArray): Deleted.
3338         (JSC::DFG::Node::typedArray): Deleted.
3339         * dfg/DFGNodeType.h:
3340         * dfg/DFGPredictionPropagationPhase.cpp:
3341         (JSC::DFG::PredictionPropagationPhase::propagate):
3342         * dfg/DFGSafeToExecute.h:
3343         (JSC::DFG::safeToExecute):
3344         * dfg/DFGSpeculativeJIT.cpp:
3345         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
3346         * dfg/DFGSpeculativeJIT32_64.cpp:
3347         (JSC::DFG::SpeculativeJIT::compile):
3348         * dfg/DFGSpeculativeJIT64.cpp: