MovHint should be a strong use
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-04-19  Filip Pizlo  <fpizlo@apple.com>
2
3         MovHint should be a strong use
4         https://bugs.webkit.org/show_bug.cgi?id=143734
5
6         Reviewed by Geoffrey Garen.
7         
8         This disables any DCE that assumes equivalence between DFG IR uses and bytecode uses. Doing
9         so is a major step towards allowing more fancy DFG transformations and also probably fixing
10         some bugs.
11         
12         Just making MovHint a strong use would also completely disable DCE. So we mitigate this by
13         introducing a MovHint removal phase that runs in FTL.
14         
15         This is a slight slowdown on Octane/gbemu, but it's basically neutral on suite averages.
16
17         * CMakeLists.txt:
18         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
19         * JavaScriptCore.xcodeproj/project.pbxproj:
20         * bytecode/CodeOrigin.cpp:
21         (JSC::InlineCallFrame::dumpInContext):
22         * dfg/DFGDCEPhase.cpp:
23         (JSC::DFG::DCEPhase::fixupBlock):
24         * dfg/DFGDisassembler.cpp:
25         (JSC::DFG::Disassembler::createDumpList):
26         * dfg/DFGEpoch.cpp: Added.
27         (JSC::DFG::Epoch::dump):
28         * dfg/DFGEpoch.h: Added.
29         (JSC::DFG::Epoch::Epoch):
30         (JSC::DFG::Epoch::first):
31         (JSC::DFG::Epoch::operator!):
32         (JSC::DFG::Epoch::next):
33         (JSC::DFG::Epoch::bump):
34         (JSC::DFG::Epoch::operator==):
35         (JSC::DFG::Epoch::operator!=):
36         * dfg/DFGMayExit.cpp:
37         (JSC::DFG::mayExit):
38         * dfg/DFGMovHintRemovalPhase.cpp: Added.
39         (JSC::DFG::performMovHintRemoval):
40         * dfg/DFGMovHintRemovalPhase.h: Added.
41         * dfg/DFGNodeType.h:
42         * dfg/DFGPlan.cpp:
43         (JSC::DFG::Plan::compileInThreadImpl):
44         * dfg/DFGSpeculativeJIT.cpp:
45         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
46         * dfg/DFGSpeculativeJIT64.cpp:
47         (JSC::DFG::SpeculativeJIT::compile):
48         * runtime/Options.h:
49
50 2015-04-21  Basile Clement  <basile_clement@apple.com>
51
52         REGRESSION (r182899): icloud.com crashes
53         https://bugs.webkit.org/show_bug.cgi?id=143960
54
55         Reviewed by Filip Pizlo.
56
57         * runtime/JSFunction.h:
58         (JSC::JSFunction::allocationStructure):
59         * tests/stress/dfg-rare-data.js: Added.
60         (F): Regression test
61
62 2015-04-21  Michael Saboff  <msaboff@apple.com>
63
64         Crash in JSC::Interpreter::execute
65         https://bugs.webkit.org/show_bug.cgi?id=142625
66
67         Reviewed by Filip Pizlo.
68
69         We need to keep the FunctionExecutables in the code block for the eval flavor of 
70         Interpreter::execute() in order to create the scope used to eval.
71
72         * bytecode/CodeBlock.cpp:
73         (JSC::CodeBlock::jettisonFunctionDeclsAndExprs): Deleted.
74         * bytecode/CodeBlock.h:
75         * dfg/DFGGraph.cpp:
76         (JSC::DFG::Graph::registerFrozenValues):
77
78 2015-04-21  Chris Dumez  <cdumez@apple.com>
79
80         Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&) constructor explicit
81         https://bugs.webkit.org/show_bug.cgi?id=143970
82
83         Reviewed by Darin Adler.
84
85         Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&)
86         constructor explicit as it copies the vector and it is easy to call it
87         by mistake.
88
89         * bytecode/UnlinkedInstructionStream.cpp:
90         (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
91         * bytecode/UnlinkedInstructionStream.h:
92         * ftl/FTLLowerDFGToLLVM.cpp:
93         (JSC::FTL::LowerDFGToLLVM::lower):
94
95 2015-04-20  Basile Clement  <basile_clement@apple.com>
96
97         PhantomNewObject should be marked NodeMustGenerate
98         https://bugs.webkit.org/show_bug.cgi?id=143974
99
100         Reviewed by Filip Pizlo.
101
102         * dfg/DFGNodeType.h: Mark PhantomNewObject as NodeMustGenerate
103
104 2015-04-20  Joseph Pecoraro  <pecoraro@apple.com>
105
106         Cleanup some StringBuilder use
107         https://bugs.webkit.org/show_bug.cgi?id=143550
108
109         Reviewed by Darin Adler.
110
111         * runtime/Symbol.cpp:
112         (JSC::Symbol::descriptiveString):
113         * runtime/TypeProfiler.cpp:
114         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
115         * runtime/TypeSet.cpp:
116         (JSC::TypeSet::toJSONString):
117         (JSC::StructureShape::propertyHash):
118         (JSC::StructureShape::stringRepresentation):
119         (JSC::StructureShape::toJSONString):
120
121 2015-04-20  Mark Lam  <mark.lam@apple.com>
122
123         Add debugging tools to test if a given pointer is a valid object and in the heap.
124         https://bugs.webkit.org/show_bug.cgi?id=143910
125
126         Reviewed by Geoffrey Garen.
127
128         When doing debugging from lldb, sometimes, it is useful to be able to tell if a
129         purported JSObject is really a valid object in the heap or not.  We can add the
130         following utility functions to help:
131             isValidCell(heap, candidate) - returns true if the candidate is a "live" cell in the heap.
132             isInHeap(heap, candidate) - returns true if the candidate is the heap's Object space or Storage space.
133             isInObjectSpace(heap, candidate) - returns true if the candidate is the heap's Object space.
134             isInStorageSpace(heap, candidate) - returns true if the candidate is the heap's Storage space.
135
136         Also moved lldb callable debug utility function prototypes from
137         JSDollarVMPrototype.cpp to JSDollarVMPrototype.h as static members of the
138         JSDollarVMPrototype class.  This is so that we can conveniently #include that
139         file to get the prototypes when we need to call them programmatically from
140         instrumentation that we add while debugging an issue.
141
142         * heap/Heap.h:
143         (JSC::Heap::storageSpace):
144         * tools/JSDollarVMPrototype.cpp:
145         (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
146         (JSC::ensureCurrentThreadOwnsJSLock):
147         (JSC::JSDollarVMPrototype::gc):
148         (JSC::functionGC):
149         (JSC::JSDollarVMPrototype::edenGC):
150         (JSC::functionEdenGC):
151         (JSC::JSDollarVMPrototype::isInHeap):
152         (JSC::JSDollarVMPrototype::isInObjectSpace):
153         (JSC::JSDollarVMPrototype::isInStorageSpace):
154         (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor):
155         (JSC::ObjectAddressCheckFunctor::operator()):
156         (JSC::JSDollarVMPrototype::isValidCell):
157         (JSC::JSDollarVMPrototype::isValidCodeBlock):
158         (JSC::JSDollarVMPrototype::codeBlockForFrame):
159         (JSC::functionCodeBlockForFrame):
160         (JSC::codeBlockFromArg):
161         (JSC::JSDollarVMPrototype::printCallFrame):
162         (JSC::JSDollarVMPrototype::printStack):
163         (JSC::JSDollarVMPrototype::printValue):
164         (JSC::currentThreadOwnsJSLock): Deleted.
165         (JSC::gc): Deleted.
166         (JSC::edenGC): Deleted.
167         (JSC::isValidCodeBlock): Deleted.
168         (JSC::codeBlockForFrame): Deleted.
169         (JSC::printCallFrame): Deleted.
170         (JSC::printStack): Deleted.
171         (JSC::printValue): Deleted.
172         * tools/JSDollarVMPrototype.h:
173
174 2015-04-20  Joseph Pecoraro  <pecoraro@apple.com>
175
176         Web Inspector: Improve Support for WeakSet in Console
177         https://bugs.webkit.org/show_bug.cgi?id=143951
178
179         Reviewed by Darin Adler.
180
181         * inspector/InjectedScriptSource.js:
182         * inspector/JSInjectedScriptHost.cpp:
183         (Inspector::JSInjectedScriptHost::subtype):
184         (Inspector::JSInjectedScriptHost::weakSetSize):
185         (Inspector::JSInjectedScriptHost::weakSetEntries):
186         * inspector/JSInjectedScriptHost.h:
187         * inspector/JSInjectedScriptHostPrototype.cpp:
188         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
189         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
190         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
191         Treat WeakSets like special sets.
192
193         * inspector/protocol/Runtime.json:
194         Add a new object subtype, "weakset".
195
196 2015-04-20  Yusuke Suzuki  <utatane.tea@gmail.com>
197
198         HashMap storing PropertyKey StringImpl* need to use IdentifierRepHash to handle Symbols
199         https://bugs.webkit.org/show_bug.cgi?id=143947
200
201         Reviewed by Darin Adler.
202
203         Type profiler has map between PropertyKey (StringImpl*) and offset.
204         StringImpl* is also used for Symbol PropertyKey.
205         So equality of hash tables is considered by interned StringImpl*'s pointer value.
206         To do so, use IdentifierRepHash instead of StringHash.
207
208         * runtime/SymbolTable.h:
209
210 2015-04-20  Jordan Harband  <ljharb@gmail.com>
211
212         Implement `Object.is`
213         https://bugs.webkit.org/show_bug.cgi?id=143865
214
215         Reviewed by Darin Adler.
216
217         Expose sameValue to JS, via Object.is
218         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.is
219
220         * runtime/ObjectConstructor.cpp:
221         (JSC::objectConstructorIs):
222         * runtime/PropertyDescriptor.cpp:
223         (JSC::sameValue):
224
225 2015-04-19  Darin Adler  <darin@apple.com>
226
227         Remove all the remaining uses of OwnPtr and PassOwnPtr in JavaScriptCore
228         https://bugs.webkit.org/show_bug.cgi?id=143941
229
230         Reviewed by Gyuyoung Kim.
231
232         * API/JSCallbackObject.h: Use unique_ptr for m_callbackObjectData.
233         * API/JSCallbackObjectFunctions.h: Ditto.
234
235         * API/ObjCCallbackFunction.h: Use unique_ptr for the arguments to the
236         create function and the constructor and for m_impl.
237         * API/ObjCCallbackFunction.mm:
238         (CallbackArgumentOfClass::CallbackArgumentOfClass): Streamline this
239         class by using RetainPtr<Class>.
240         (ArgumentTypeDelegate::typeInteger): Use make_unique.
241         (ArgumentTypeDelegate::typeDouble): Ditto.
242         (ArgumentTypeDelegate::typeBool): Ditto.
243         (ArgumentTypeDelegate::typeVoid): Ditto.
244         (ArgumentTypeDelegate::typeId): Ditto.
245         (ArgumentTypeDelegate::typeOfClass): Ditto.
246         (ArgumentTypeDelegate::typeBlock): Ditto.
247         (ArgumentTypeDelegate::typeStruct): Ditto.
248         (ResultTypeDelegate::typeInteger): Ditto.
249         (ResultTypeDelegate::typeDouble): Ditto.
250         (ResultTypeDelegate::typeBool): Ditto.
251         (ResultTypeDelegate::typeVoid): Ditto.
252         (ResultTypeDelegate::typeId): Ditto.
253         (ResultTypeDelegate::typeOfClass): Ditto.
254         (ResultTypeDelegate::typeBlock): Ditto.
255         (ResultTypeDelegate::typeStruct): Ditto.
256         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): Use
257         unique_ptr for the arguments to the constructor, m_arguments, and m_result.
258         Use RetainPtr<Class> for m_instanceClass.
259         (JSC::objCCallbackFunctionCallAsConstructor): Use nullptr instead of nil or 0
260         for non-Objective-C object pointer null.
261         (JSC::ObjCCallbackFunction::ObjCCallbackFunction): Use unique_ptr for
262         the arguments to the constructor and for m_impl.
263         (JSC::ObjCCallbackFunction::create): Use unique_ptr for arguments.
264         (skipNumber): Mark this static since it's local to this source file.
265         (objCCallbackFunctionForInvocation): Call parseObjCType without doing any
266         explicit adoptPtr since the types in the traits are now unique_ptr. Also use
267         nullptr instead of nil for JSObjectRef values.
268         (objCCallbackFunctionForMethod): Tweaked comment.
269         (objCCallbackFunctionForBlock): Use nullptr instead of 0 for JSObjectRef.
270
271         * bytecode/CallLinkInfo.h: Removed unneeded include of OwnPtr.h.
272
273         * heap/GCThread.cpp:
274         (JSC::GCThread::GCThread): Use unique_ptr.
275         * heap/GCThread.h: Use unique_ptr for arguments to the constructor and for
276         m_slotVisitor and m_copyVisitor.
277         * heap/GCThreadSharedData.cpp:
278         (JSC::GCThreadSharedData::GCThreadSharedData): Ditto.
279
280         * parser/SourceProvider.h: Removed unneeded include of PassOwnPtr.h.
281
282 2015-04-19  Benjamin Poulain  <benjamin@webkit.org>
283
284         Improve the feature.json files
285
286         * features.json:
287
288 2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
289
290         Introduce bytecode intrinsics
291         https://bugs.webkit.org/show_bug.cgi?id=143926
292
293         Reviewed by Filip Pizlo.
294
295         This patch introduces bytecode level intrinsics into builtins/*.js JS code.
296         When implementing functions in builtins/*.js,
297         sometimes we require lower level functionality.
298
299         For example, in the current Array.from, we use `result[k] = value`.
300         The spec requires `[[DefineOwnProperty]]` operation here.
301         However, usual `result[k] = value` is evaluated as `[[Set]]`. (`PutValue` => `[[Set]]`)
302         So if we implement `Array.prototype[k]` getter/setter, the difference is observable.
303
304         Ideally, reaching here, we would like to use put_by_val_direct bytecode.
305         However, there's no syntax to generate it directly.
306
307         This patch introduces bytecode level intrinsics into JSC BytecodeCompiler.
308         Like @call, @apply, we introduce a new node, Intrinsic.
309         These are generated when calling appropriate private symbols in privileged code.
310         AST parser detects them and generates Intrinsic nodes and
311         BytecodeCompiler detects them and generate required bytecodes.
312
313         Currently, Array.from implementation works fine without this patch.
314         This is because when the target code is builtin JS,
315         BytecodeGenerator emits put_by_val_direct instead of put_by_val.
316         This solves the above issue. However, instead of solving this issue,
317         it raises another issue; There's no way to emit `[[Set]]` operation.
318         `[[Set]]` operation is actually used in the spec (Array.from's "length" is set by `[[Set]]`).
319         So to implement it precisely, introducing bytecode level intrinsics is necessary.
320
321         In the subsequent fixes, we'll remove that special path emitting put_by_val_direct
322         for `result[k] = value` under builtin JS environment. Instead of that special handling,
323         use bytecode intrinsics instead. It solves problems and it is more intuitive
324         because written JS code in builtin works as the same to the usual JS code.
325
326         * CMakeLists.txt:
327         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
328         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
329         * JavaScriptCore.xcodeproj/project.pbxproj:
330         * builtins/ArrayConstructor.js:
331         (from):
332         * bytecode/BytecodeIntrinsicRegistry.cpp: Added.
333         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
334         (JSC::BytecodeIntrinsicRegistry::lookup):
335         * bytecode/BytecodeIntrinsicRegistry.h: Added.
336         * bytecompiler/NodesCodegen.cpp:
337         (JSC::BytecodeIntrinsicNode::emitBytecode):
338         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
339         * parser/ASTBuilder.h:
340         (JSC::ASTBuilder::makeFunctionCallNode):
341         * parser/NodeConstructors.h:
342         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
343         * parser/Nodes.h:
344         (JSC::BytecodeIntrinsicNode::identifier):
345         * runtime/CommonIdentifiers.cpp:
346         (JSC::CommonIdentifiers::CommonIdentifiers):
347         * runtime/CommonIdentifiers.h:
348         (JSC::CommonIdentifiers::bytecodeIntrinsicRegistry):
349         * tests/stress/array-from-with-accessors.js: Added.
350         (shouldBe):
351
352 2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
353
354         Make Builtin functions non constructible
355         https://bugs.webkit.org/show_bug.cgi?id=143923
356
357         Reviewed by Darin Adler.
358
359         Builtin functions defined by builtins/*.js accidentally have [[Construct]].
360         According to the spec, these functions except for explicitly defined as a constructor do not have [[Construct]].
361         This patch fixes it. When the JS function used for a construction is builtin function, throw not a constructor error.
362
363         Ideally, returning ConstructTypeNone in JSFunction::getConstructData is enough.
364         However, to avoid calling getConstructData (it involves indirect call of function pointer of getConstructData), some places do not check ConstructType.
365         In these places, they only check the target function is JSFunction because previously JSFunction always has [[Construct]].
366         So in this patch, we check `isBuiltinFunction()` in those places.
367
368         * dfg/DFGByteCodeParser.cpp:
369         (JSC::DFG::ByteCodeParser::inliningCost):
370         * jit/JITOperations.cpp:
371         * llint/LLIntSlowPaths.cpp:
372         (JSC::LLInt::setUpCall):
373         * runtime/JSFunction.cpp:
374         (JSC::JSFunction::getConstructData):
375         * tests/stress/builtin-function-is-construct-type-none.js: Added.
376         (shouldThrow):
377
378 2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
379
380         [ES6] Implement WeakSet
381         https://bugs.webkit.org/show_bug.cgi?id=142408
382
383         Reviewed by Darin Adler.
384
385         This patch implements ES6 WeakSet.
386         Current implementation simply leverages WeakMapData with undefined value.
387         This WeakMapData should be optimized in the same manner as MapData/SetData in the subsequent patch[1].
388
389         And in this patch, we also fix WeakMap/WeakSet behavior to conform the ES6 spec.
390         Except for adders (WeakMap.prototype.set/WeakSet.prototype.add),
391         methods return false (or undefined for WeakMap.prototype.get)
392         when a key is not Object instead of throwing a type error.
393
394         [1]: https://bugs.webkit.org/show_bug.cgi?id=143919
395
396         * CMakeLists.txt:
397         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
398         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
399         * JavaScriptCore.xcodeproj/project.pbxproj:
400         * runtime/CommonIdentifiers.h:
401         * runtime/JSGlobalObject.cpp:
402         * runtime/JSGlobalObject.h:
403         * runtime/JSWeakSet.cpp: Added.
404         (JSC::JSWeakSet::finishCreation):
405         (JSC::JSWeakSet::visitChildren):
406         * runtime/JSWeakSet.h: Added.
407         (JSC::JSWeakSet::createStructure):
408         (JSC::JSWeakSet::create):
409         (JSC::JSWeakSet::weakMapData):
410         (JSC::JSWeakSet::JSWeakSet):
411         * runtime/WeakMapPrototype.cpp:
412         (JSC::getWeakMapData):
413         (JSC::protoFuncWeakMapDelete):
414         (JSC::protoFuncWeakMapGet):
415         (JSC::protoFuncWeakMapHas):
416         * runtime/WeakSetConstructor.cpp: Added.
417         (JSC::WeakSetConstructor::finishCreation):
418         (JSC::callWeakSet):
419         (JSC::constructWeakSet):
420         (JSC::WeakSetConstructor::getConstructData):
421         (JSC::WeakSetConstructor::getCallData):
422         * runtime/WeakSetConstructor.h: Added.
423         (JSC::WeakSetConstructor::create):
424         (JSC::WeakSetConstructor::createStructure):
425         (JSC::WeakSetConstructor::WeakSetConstructor):
426         * runtime/WeakSetPrototype.cpp: Added.
427         (JSC::WeakSetPrototype::finishCreation):
428         (JSC::getWeakMapData):
429         (JSC::protoFuncWeakSetDelete):
430         (JSC::protoFuncWeakSetHas):
431         (JSC::protoFuncWeakSetAdd):
432         * runtime/WeakSetPrototype.h: Added.
433         (JSC::WeakSetPrototype::create):
434         (JSC::WeakSetPrototype::createStructure):
435         (JSC::WeakSetPrototype::WeakSetPrototype):
436         * tests/stress/weak-set-constructor-adder.js: Added.
437         (WeakSet.prototype.add):
438         * tests/stress/weak-set-constructor.js: Added.
439
440 2015-04-17  Alexey Proskuryakov  <ap@apple.com>
441
442         Remove unused BoundsCheckedPointer
443         https://bugs.webkit.org/show_bug.cgi?id=143896
444
445         Reviewed by Geoffrey Garen.
446
447         * bytecode/SpeculatedType.cpp: The header was included here.
448
449 2015-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
450
451         [ES6] Fix name enumeration of static functions for Symbol constructor
452         https://bugs.webkit.org/show_bug.cgi?id=143891
453
454         Reviewed by Geoffrey Garen.
455
456         Fix missing symbolPrototypeTable registration to the js class object.
457         This patch fixes name enumeration of static functions (Symbol.key, Symbol.keyFor) for Symbol constructor.
458
459         * runtime/SymbolConstructor.cpp:
460
461 2015-04-17  Basile Clement  <basile_clement@apple.com>
462
463         Inline JSFunction allocation in DFG
464         https://bugs.webkit.org/show_bug.cgi?id=143858
465
466         Reviewed by Filip Pizlo.
467
468         Followup to my previous patch which inlines JSFunction allocation when
469         using FTL, now also enabled in DFG.
470
471         * dfg/DFGSpeculativeJIT.cpp:
472         (JSC::DFG::SpeculativeJIT::compileNewFunction):
473
474 2015-04-16  Jordan Harband  <ljharb@gmail.com>
475
476         Number.parseInt is not === global parseInt in nightly r182673
477         https://bugs.webkit.org/show_bug.cgi?id=143799
478
479         Reviewed by Darin Adler.
480
481         Ensuring parseInt === Number.parseInt, per spec
482         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
483
484         * runtime/CommonIdentifiers.h:
485         * runtime/JSGlobalObject.cpp:
486         (JSC::JSGlobalObject::init):
487         * runtime/JSGlobalObject.h:
488         (JSC::JSGlobalObject::parseIntFunction):
489         * runtime/NumberConstructor.cpp:
490         (JSC::NumberConstructor::finishCreation):
491
492 2015-04-16  Mark Lam  <mark.lam@apple.com>
493
494         Gardening: fix CLOOP build after r182927.
495
496         Not reviewed.
497
498         * interpreter/StackVisitor.cpp:
499         (JSC::StackVisitor::Frame::print):
500
501 2015-04-16  Basile Clement  <basile_clement@apple.com>
502
503         Inline JSFunction allocation in FTL
504         https://bugs.webkit.org/show_bug.cgi?id=143851
505
506         Reviewed by Filip Pizlo.
507
508         JSFunction allocation is a simple operation that should be inlined when possible.
509
510         * ftl/FTLAbstractHeapRepository.h:
511         * ftl/FTLLowerDFGToLLVM.cpp:
512         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
513         * runtime/JSFunction.h:
514         (JSC::JSFunction::allocationSize):
515
516 2015-04-16  Mark Lam  <mark.lam@apple.com>
517
518         Add $vm debugging tool.
519         https://bugs.webkit.org/show_bug.cgi?id=143809
520
521         Reviewed by Geoffrey Garen.
522
523         For debugging VM bugs, it would be useful to be able to dump VM data structures
524         from JS code that we instrument.  To this end, let's introduce a
525         JS_enableDollarVM option that, if true, installs an $vm property into each JS
526         global object at creation time.  The $vm property refers to an object that
527         provides a collection of useful utility functions.  For this initial
528         implementation, $vm will have the following:
529
530             crash() - trigger an intentional crash.
531
532             dfgTrue() - returns true if the current function is DFG compiled, else returns false.
533             jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
534             llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.
535
536             gc() - runs a full GC.
537             edenGC() - runs an eden GC.
538
539             codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
540             printSourceFor(codeBlock) - prints the source code for the codeBlock.
541             printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.
542
543             print(str) - prints a string to dataLog output.
544             printCallFrame() - prints the current CallFrame.
545             printStack() - prints the JS stack.
546             printInternal(value) - prints the JSC internal info for the specified value.
547
548         With JS_enableDollarVM=true, JS code can use the above functions like so:
549
550             $vm.print("Using $vm features\n");
551
552         * CMakeLists.txt:
553         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
554         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
555         * JavaScriptCore.xcodeproj/project.pbxproj:
556         * bytecode/CodeBlock.cpp:
557         (JSC::CodeBlock::printCallOp):
558         - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
559           Hence, we skip this step if we're dumping an FTL codeBlock.
560
561         * heap/Heap.cpp:
562         (JSC::Heap::collectAndSweep):
563         (JSC::Heap::collectAllGarbage): Deleted.
564         * heap/Heap.h:
565         (JSC::Heap::collectAllGarbage):
566         - Add ability to do an Eden collection and sweep.
567
568         * interpreter/StackVisitor.cpp:
569         (JSC::printIndents):
570         (JSC::log):
571         (JSC::logF):
572         (JSC::StackVisitor::Frame::print):
573         (JSC::jitTypeName): Deleted.
574         (JSC::printif): Deleted.
575         - Modernize the implementation of StackVisitor::Frame::print(), and remove some
576           now redundant code.
577         - Also fix it so that it downgrades gracefully when encountering inlined DFG
578           and compiled FTL functions.
579
580         (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
581         (DebugPrintFrameFunctor::operator()): Deleted.
582         (debugPrintCallFrame): Deleted.
583         (debugPrintStack): Deleted.
584         - these have been moved into JSDollarVMPrototype.cpp. 
585
586         * interpreter/StackVisitor.h:
587         - StackVisitor::Frame::print() is now enabled for release builds as well so that
588           we can call it from $vm.
589
590         * runtime/JSGlobalObject.cpp:
591         (JSC::JSGlobalObject::init):
592         (JSC::JSGlobalObject::visitChildren):
593         * runtime/JSGlobalObject.h:
594         - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
595           option.
596
597         * runtime/Options.h:
598         - Added the JSC_enableDollarVM option.
599
600         * tools/JSDollarVM.cpp: Added.
601         * tools/JSDollarVM.h: Added.
602         (JSC::JSDollarVM::createStructure):
603         (JSC::JSDollarVM::create):
604         (JSC::JSDollarVM::JSDollarVM):
605
606         * tools/JSDollarVMPrototype.cpp: Added.
607         - This file contains 2 sets of functions:
608
609           a. a C++ implementation of debugging utility functions that are callable when
610              doing debugging from lldb.  To the extent possible, these functions try to
611              be cautious and not cause unintended crashes should the user call them with
612              the wrong info.  Hence, they are designed to be robust rather than speedy.
613
614           b. the native implementations of JS functions in the $vm object.  Where there
615              is overlapping functionality, these are built on top of the C++ functions
616              above to do the work.
617
618           Note: it does not make sense for all of the $vm functions to have a C++
619           counterpart for lldb debugging.  For example, the $vm.dfgTrue() function is
620           only useful for JS code, and works via the DFG intrinsics mechanism.
621           When doing debugging via lldb, the optimization level of the currently
622           executing JS function can be gotten by dumping the current CallFrame instead.
623
624         (JSC::currentThreadOwnsJSLock):
625         (JSC::ensureCurrentThreadOwnsJSLock):
626         (JSC::JSDollarVMPrototype::addFunction):
627         (JSC::functionCrash): - $vm.crash()
628         (JSC::functionDFGTrue): - $vm.dfgTrue()
629         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
630         (JSC::CallerFrameJITTypeFunctor::operator()):
631         (JSC::CallerFrameJITTypeFunctor::jitType):
632         (JSC::functionLLintTrue): - $vm.llintTrue()
633         (JSC::functionJITTrue): - $vm.jitTrue()
634         (JSC::gc):
635         (JSC::functionGC): - $vm.gc()
636         (JSC::edenGC):
637         (JSC::functionEdenGC): - $vm.edenGC()
638         (JSC::isValidCodeBlock):
639         (JSC::codeBlockForFrame):
640         (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
641         (JSC::codeBlockFromArg):
642         (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
643         (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
644         (JSC::functionPrint): - $vm.print(str)
645         (JSC::PrintFrameFunctor::PrintFrameFunctor):
646         (JSC::PrintFrameFunctor::operator()):
647         (JSC::printCallFrame):
648         (JSC::printStack):
649         (JSC::functionPrintCallFrame): - $vm.printCallFrame()
650         (JSC::functionPrintStack): - $vm.printStack()
651         (JSC::printValue):
652         (JSC::functionPrintValue): - $vm.printValue()
653         (JSC::JSDollarVMPrototype::finishCreation):
654         * tools/JSDollarVMPrototype.h: Added.
655         (JSC::JSDollarVMPrototype::create):
656         (JSC::JSDollarVMPrototype::createStructure):
657         (JSC::JSDollarVMPrototype::JSDollarVMPrototype):
658
659 2015-04-16  Geoffrey Garen  <ggaren@apple.com>
660
661         Speculative fix after r182915
662         https://bugs.webkit.org/show_bug.cgi?id=143404
663
664         Reviewed by Alexey Proskuryakov.
665
666         * runtime/SymbolConstructor.h:
667
668 2015-04-16  Mark Lam  <mark.lam@apple.com>
669
670         Fixed some typos in a comment.
671
672         Not reviewed.
673
674         * dfg/DFGGenerationInfo.h:
675
676 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
677
678         [ES6] Implement Symbol.for and Symbol.keyFor
679         https://bugs.webkit.org/show_bug.cgi?id=143404
680
681         Reviewed by Geoffrey Garen.
682
683         This patch implements Symbol.for and Symbol.keyFor.
684         SymbolRegistry maintains registered StringImpl* symbols.
685         And to make this mapping enabled over realms,
686         VM owns this mapping (not JSGlobalObject).
687
688         While there's Default AtomicStringTable per thread,
689         SymbolRegistry should not exist over VMs.
690         So everytime VM is created, SymbolRegistry is also created.
691
692         In SymbolRegistry implementation, we don't leverage WeakGCMap (or weak reference design).
693         Theres are several reasons.
694         1. StringImpl* which represents identity of Symbols is not GC-managed object.
695            So we cannot use WeakGCMap directly.
696            While Symbol* is GC-managed object, holding weak reference to Symbol* doesn't maintain JS symbols (exposed primitive values to users) liveness,
697            because distinct Symbol* can exist.
698            Distinct Symbol* means the Symbol* object that pointer value (Symbol*) is different from weakly referenced Symbol* but held StringImpl* is the same.
699
700         2. We don't use WTF::WeakPtr. If we add WeakPtrFactory into StringImpl's member, we can track StringImpl*'s liveness by WeakPtr.
701            However there's problem about when we prune staled entries in SymbolRegistry.
702            Since the memory allocated for the Symbol is typically occupied by allocated symbolized StringImpl*'s content,
703            and it is not in GC-heap.
704            While heavily registering Symbols and storing StringImpl* into SymbolRegistry, Heap's EdenSpace is not so occupied.
705            So GC typically attempt to perform EdenCollection, and it doesn't call WeakGCMap's pruleStaleEntries callback.
706            As a result, before pruning staled entries in SymbolRegistry, fast malloc-ed memory fills up the system memory.
707
708         So instead of using Weak reference, we take relatively easy design.
709         When we register symbolized StringImpl* into SymbolRegistry, symbolized StringImpl* is aware of that.
710         And when destructing it, it removes its reference from SymbolRegistry as if atomic StringImpl do so with AtomicStringTable.
711
712         * CMakeLists.txt:
713         * DerivedSources.make:
714         * runtime/SymbolConstructor.cpp:
715         (JSC::SymbolConstructor::getOwnPropertySlot):
716         (JSC::symbolConstructorFor):
717         (JSC::symbolConstructorKeyFor):
718         * runtime/SymbolConstructor.h:
719         * runtime/VM.cpp:
720         * runtime/VM.h:
721         (JSC::VM::symbolRegistry):
722         * tests/stress/symbol-registry.js: Added.
723         (test):
724
725 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
726
727         [ES6] Use specific functions for @@iterator functions
728         https://bugs.webkit.org/show_bug.cgi?id=143838
729
730         Reviewed by Geoffrey Garen.
731
732         In ES6, some methods are defined with the different names.
733
734         For example,
735
736         Map.prototype[Symbol.iterator] === Map.prototype.entries
737         Set.prototype[Symbol.iterator] === Set.prototype.values
738         Array.prototype[Symbol.iterator] === Array.prototype.values
739         %Arguments%[Symbol.iterator] === Array.prototype.values
740
741         However, current implementation creates different function objects per name.
742         This patch fixes it by setting the object that is used for the other method to @@iterator.
743         e.g. Setting Array.prototype.values function object to Array.prototype[Symbol.iterator].
744
745         And we drop Arguments' iterator implementation and replace Argument[@@iterator] implementation
746         with Array.prototype.values to conform to the spec.
747
748         * CMakeLists.txt:
749         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
750         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
751         * JavaScriptCore.xcodeproj/project.pbxproj:
752         * inspector/JSInjectedScriptHost.cpp:
753         (Inspector::JSInjectedScriptHost::subtype):
754         (Inspector::JSInjectedScriptHost::getInternalProperties):
755         (Inspector::JSInjectedScriptHost::iteratorEntries):
756         * runtime/ArgumentsIteratorConstructor.cpp: Removed.
757         * runtime/ArgumentsIteratorConstructor.h: Removed.
758         * runtime/ArgumentsIteratorPrototype.cpp: Removed.
759         * runtime/ArgumentsIteratorPrototype.h: Removed.
760         * runtime/ArrayPrototype.cpp:
761         (JSC::ArrayPrototype::finishCreation):
762         * runtime/ArrayPrototype.h:
763         * runtime/ClonedArguments.cpp:
764         (JSC::ClonedArguments::getOwnPropertySlot):
765         (JSC::ClonedArguments::put):
766         (JSC::ClonedArguments::deleteProperty):
767         (JSC::ClonedArguments::defineOwnProperty):
768         (JSC::ClonedArguments::materializeSpecials):
769         * runtime/ClonedArguments.h:
770         * runtime/CommonIdentifiers.h:
771         * runtime/DirectArguments.cpp:
772         (JSC::DirectArguments::overrideThings):
773         * runtime/GenericArgumentsInlines.h:
774         (JSC::GenericArguments<Type>::getOwnPropertySlot):
775         (JSC::GenericArguments<Type>::getOwnPropertyNames):
776         (JSC::GenericArguments<Type>::put):
777         (JSC::GenericArguments<Type>::deleteProperty):
778         (JSC::GenericArguments<Type>::defineOwnProperty):
779         * runtime/JSArgumentsIterator.cpp: Removed.
780         * runtime/JSArgumentsIterator.h: Removed.
781         * runtime/JSGlobalObject.cpp:
782         (JSC::JSGlobalObject::init):
783         (JSC::JSGlobalObject::visitChildren):
784         * runtime/JSGlobalObject.h:
785         (JSC::JSGlobalObject::arrayProtoValuesFunction):
786         * runtime/MapPrototype.cpp:
787         (JSC::MapPrototype::finishCreation):
788         * runtime/ScopedArguments.cpp:
789         (JSC::ScopedArguments::overrideThings):
790         * runtime/SetPrototype.cpp:
791         (JSC::SetPrototype::finishCreation):
792         * tests/stress/arguments-iterator.js: Added.
793         (test):
794         (testArguments):
795         * tests/stress/iterator-functions.js: Added.
796         (test):
797         (argumentsTests):
798
799 2015-04-14  Mark Lam  <mark.lam@apple.com>
800
801         Add JSC_functionOverrides=<overrides file> debugging tool.
802         https://bugs.webkit.org/show_bug.cgi?id=143717
803
804         Reviewed by Geoffrey Garen.
805
806         This tool allows us to do runtime replacement of function bodies with alternatives
807         for debugging purposes.  For example, this is useful when we need to debug VM bugs
808         which manifest in scripts executing in webpages downloaded from remote servers
809         that we don't control.  The tool allows us to augment those scripts with logging
810         or test code to help isolate the bugs.
811
812         This tool works by substituting the SourceCode at FunctionExecutable creation
813         time.  It identifies which SourceCode to substitute by comparing the source
814         string against keys in a set of key value pairs.
815
816         The keys are function body strings defined by 'override' clauses in the overrides
817         file specified by in the JSC_functionOverrides option.  The values are function
818         body strings defines by 'with' clauses in the overrides file.
819         See comment blob at top of FunctionOverrides.cpp on the formatting
820         of the overrides file.
821
822         At FunctionExecutable creation time, if the SourceCode string matches one of the
823         'override' keys from the overrides file, the tool will replace the SourceCode with
824         a new one based on the corresponding 'with' value string.  The FunctionExecutable
825         will then be created with the new SourceCode instead.
826
827         Some design decisions:
828         1. We opted to require that the 'with' clause appear on a separate line than the
829            'override' clause because this makes it easier to read and write when the
830            'override' clause's function body is single lined and long.
831
832         2. The user can use any sequence of characters for the delimiter (except for '{',
833            '}' and white space characters) because this ensures that there can always be
834            some delimiter pattern that does not appear in the function body in the clause
835            e.g. in the body of strings in the JS code.
836
837            '{' and '}' are disallowed because they are used to mark the boundaries of the
838            function body string.  White space characters are disallowed because they can
839            be error prone (the user may not be able to tell between spaces and tabs).
840
841         3. The start and end delimiter must be an identical sequence of characters.
842
843            I had considered allowing the use of complementary characters like <>, [], and
844            () for making delimiter pairs like:
845                [[[[ ... ]]]]
846                <[([( ... )])]>
847
848            But in the end, decided against it because:
849            a. These sequences of complementary characters can exists in JS code.
850               In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
851               code.
852            b. It can be error prone for the user to have to type the exact complement
853               character for the end delimiter in reverse order.
854               In contrast, a repeating delimiter like %%%% is much easier to type and
855               less error prone.  Even a sequence like @#$%^ is less error prone than
856               a complementary sequence because it can be copy-pasted, and need not be
857               typed in reverse order.
858            c. It is easier to parse for the same delimiter string for both start and end.
859
860         4. The tool does a lot of checks for syntax errors in the overrides file because
861            we don't want any overrides to fail silently.  If a syntax error is detected,
862            the tool will print an error message and call exit().  This avoids the user
863            wasting time doing debugging only to be surprised later that their specified
864            overrides did not take effect because of some unnoticed typo.
865
866         * CMakeLists.txt:
867         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
868         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
869         * JavaScriptCore.xcodeproj/project.pbxproj:
870         * bytecode/UnlinkedCodeBlock.cpp:
871         (JSC::UnlinkedFunctionExecutable::link):
872         * runtime/Executable.h:
873         * runtime/Options.h:
874         * tools/FunctionOverrides.cpp: Added.
875         (JSC::FunctionOverrides::overrides):
876         (JSC::FunctionOverrides::FunctionOverrides):
877         (JSC::initializeOverrideInfo):
878         (JSC::FunctionOverrides::initializeOverrideFor):
879         (JSC::hasDisallowedCharacters):
880         (JSC::parseClause):
881         (JSC::FunctionOverrides::parseOverridesInFile):
882         * tools/FunctionOverrides.h: Added.
883
884 2015-04-16  Basile Clement  <basile_clement@apple.com>
885  
886         Extract the allocation profile from JSFunction into a rare object
887         https://bugs.webkit.org/show_bug.cgi?id=143807
888  
889         Reviewed by Filip Pizlo.
890  
891         The allocation profile is only needed for those functions that are used
892         to create objects with [new].
893         Extracting it into its own JSCell removes the need for JSFunction and
894         JSCallee to be JSDestructibleObjects, which should improve performances in most
895         cases at the cost of an extra pointer dereference when the allocation profile
896         is actually needed.
897  
898         * CMakeLists.txt:
899         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
900         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
901         * JavaScriptCore.xcodeproj/project.pbxproj:
902         * dfg/DFGOperations.cpp:
903         * dfg/DFGSpeculativeJIT32_64.cpp:
904         (JSC::DFG::SpeculativeJIT::compile):
905         * dfg/DFGSpeculativeJIT64.cpp:
906         (JSC::DFG::SpeculativeJIT::compile):
907         * jit/JITOpcodes.cpp:
908         (JSC::JIT::emit_op_create_this):
909         * jit/JITOpcodes32_64.cpp:
910         (JSC::JIT::emit_op_create_this):
911         * llint/LowLevelInterpreter32_64.asm:
912         * llint/LowLevelInterpreter64.asm:
913         * runtime/CommonSlowPaths.cpp:
914         (JSC::SLOW_PATH_DECL):
915         * runtime/FunctionRareData.cpp: Added.
916         (JSC::FunctionRareData::create):
917         (JSC::FunctionRareData::destroy):
918         (JSC::FunctionRareData::createStructure):
919         (JSC::FunctionRareData::visitChildren):
920         (JSC::FunctionRareData::FunctionRareData):
921         (JSC::FunctionRareData::~FunctionRareData):
922         (JSC::FunctionRareData::finishCreation):
923         * runtime/FunctionRareData.h: Added.
924         (JSC::FunctionRareData::offsetOfAllocationProfile):
925         (JSC::FunctionRareData::allocationProfile):
926         (JSC::FunctionRareData::allocationStructure):
927         (JSC::FunctionRareData::allocationProfileWatchpointSet):
928         * runtime/JSBoundFunction.cpp:
929         (JSC::JSBoundFunction::destroy): Deleted.
930         * runtime/JSBoundFunction.h:
931         * runtime/JSCallee.cpp:
932         (JSC::JSCallee::destroy): Deleted.
933         * runtime/JSCallee.h:
934         * runtime/JSFunction.cpp:
935         (JSC::JSFunction::JSFunction):
936         (JSC::JSFunction::createRareData):
937         (JSC::JSFunction::visitChildren):
938         (JSC::JSFunction::put):
939         (JSC::JSFunction::defineOwnProperty):
940         (JSC::JSFunction::destroy): Deleted.
941         (JSC::JSFunction::createAllocationProfile): Deleted.
942         * runtime/JSFunction.h:
943         (JSC::JSFunction::offsetOfRareData):
944         (JSC::JSFunction::rareData):
945         (JSC::JSFunction::allocationStructure):
946         (JSC::JSFunction::allocationProfileWatchpointSet):
947         (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
948         (JSC::JSFunction::allocationProfile): Deleted.
949         * runtime/JSFunctionInlines.h:
950         (JSC::JSFunction::JSFunction):
951         * runtime/VM.cpp:
952         (JSC::VM::VM):
953         * runtime/VM.h:
954  
955 2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>
956
957         Remove the unnecessary WTF_CHANGES define
958         https://bugs.webkit.org/show_bug.cgi?id=143825
959
960         Reviewed by Andreas Kling.
961
962         * config.h:
963
964 2015-04-15  Andreas Kling  <akling@apple.com>
965
966         Make MarkedBlock and WeakBlock 4x smaller.
967         <https://webkit.org/b/143802>
968
969         Reviewed by Mark Hahnenberg.
970
971         To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
972         and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.
973
974         In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
975         Some examples:
976
977                    apple.com:  6.3MB ->  5.5MB (14.5% smaller)
978                   reddit.com:  4.5MB ->  4.1MB ( 9.7% smaller)
979                  twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
980             cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)
981
982         Benchmarks look mostly neutral.
983         Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.
984
985         * heap/MarkedBlock.h:
986         * heap/WeakBlock.h:
987         * llint/LLIntData.cpp:
988         (JSC::LLInt::Data::performAssertions):
989         * llint/LowLevelInterpreter.asm:
990
991 2015-04-15  Jordan Harband  <ljharb@gmail.com>
992
993         String.prototype.startsWith/endsWith/includes have wrong length in r182673
994         https://bugs.webkit.org/show_bug.cgi?id=143659
995
996         Reviewed by Benjamin Poulain.
997
998         Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
999         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
1000         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
1001         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
1002
1003         * runtime/StringPrototype.cpp:
1004         (JSC::StringPrototype::finishCreation):
1005
1006 2015-04-15  Mark Lam  <mark.lam@apple.com>
1007
1008         Remove obsolete VMInspector debugging tool.
1009         https://bugs.webkit.org/show_bug.cgi?id=143798
1010
1011         Reviewed by Michael Saboff.
1012
1013         I added the VMInspector tool 3 years ago to aid in VM hacking work.  Some of it
1014         has bit rotted, and now the VM also has better ways to achieve its functionality.
1015         Hence this code is now obsolete and should be removed.
1016
1017         * CMakeLists.txt:
1018         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1019         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1020         * JavaScriptCore.xcodeproj/project.pbxproj:
1021         * interpreter/CallFrame.h:
1022         * interpreter/VMInspector.cpp: Removed.
1023         * interpreter/VMInspector.h: Removed.
1024         * llint/LowLevelInterpreter.cpp:
1025
1026 2015-04-15  Jordan Harband  <ljharb@gmail.com>
1027
1028         Math.imul has wrong length in Safari 8.0.4
1029         https://bugs.webkit.org/show_bug.cgi?id=143658
1030
1031         Reviewed by Benjamin Poulain.
1032
1033         Correcting function length from 1, to 2, to match spec
1034         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul
1035
1036         * runtime/MathObject.cpp:
1037         (JSC::MathObject::finishCreation):
1038
1039 2015-04-15  Jordan Harband  <ljharb@gmail.com>
1040
1041         Number.parseInt in nightly r182673 has wrong length
1042         https://bugs.webkit.org/show_bug.cgi?id=143657
1043
1044         Reviewed by Benjamin Poulain.
1045
1046         Correcting function length from 1, to 2, to match spec
1047         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
1048
1049         * runtime/NumberConstructor.cpp:
1050         (JSC::NumberConstructor::finishCreation):
1051
1052 2015-04-15  Filip Pizlo  <fpizlo@apple.com>
1053
1054         Harden DFGForAllKills
1055         https://bugs.webkit.org/show_bug.cgi?id=143792
1056
1057         Reviewed by Geoffrey Garen.
1058         
1059         Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
1060         bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.
1061         
1062         Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
1063         that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:
1064         
1065         - It looks for kill sites at forExit origin boundaries. But, something might have been killed
1066           by an operation that was logically in between the forExit origins at the boundary, but was
1067           removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
1068           gaps.
1069         
1070         - It overlooked the fact that a MovHint that addresses a local that is always live kills that
1071           local. For example, storing to an argument means that the prior value of the argument is
1072           killed.
1073         
1074         This fixes the analysis by making it handle MovHints directly, and making it define kills in
1075         the most conservative way possible: it asks if you were live before but dead after. If we
1076         have the compile time budget to afford this more direct approach, then it's definitel a good
1077         idea since it's so fool-proof.
1078
1079         * dfg/DFGArgumentsEliminationPhase.cpp:
1080         * dfg/DFGForAllKills.h:
1081         (JSC::DFG::forAllKilledOperands):
1082         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1083         (JSC::DFG::forAllDirectlyKilledOperands): Deleted.
1084
1085 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1086
1087         Provide SPI to allow changing whether JSContexts are remote debuggable by default
1088         https://bugs.webkit.org/show_bug.cgi?id=143681
1089
1090         Reviewed by Darin Adler.
1091
1092         * API/JSRemoteInspector.h:
1093         * API/JSRemoteInspector.cpp:
1094         (JSRemoteInspectorGetInspectionEnabledByDefault):
1095         (JSRemoteInspectorSetInspectionEnabledByDefault):
1096         Provide SPI to toggle the default enabled inspection state of debuggables.
1097
1098         * API/JSContextRef.cpp:
1099         (JSGlobalContextCreateInGroup):
1100         Respect the default setting.
1101
1102 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1103
1104         JavaScriptCore: Use kCFAllocatorDefault where possible
1105         https://bugs.webkit.org/show_bug.cgi?id=143747
1106
1107         Reviewed by Darin Adler.
1108
1109         * heap/HeapTimer.cpp:
1110         (JSC::HeapTimer::HeapTimer):
1111         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1112         (Inspector::RemoteInspectorInitializeGlobalQueue):
1113         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
1114         For consistency and readability use the constant instead of
1115         different representations of null.
1116
1117 2015-04-14  Michael Saboff  <msaboff@apple.com>
1118
1119         Remove JavaScriptCoreUseJIT default from JavaScriptCore
1120         https://bugs.webkit.org/show_bug.cgi?id=143746
1121
1122         Reviewed by Mark Lam.
1123
1124         * runtime/VM.cpp:
1125         (JSC::enableAssembler):
1126
1127 2015-04-14  Chris Dumez  <cdumez@apple.com>
1128
1129         Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
1130         https://bugs.webkit.org/show_bug.cgi?id=143745
1131         <rdar://problem/20243916>
1132
1133         Reviewed by Joseph Pecoraro.
1134
1135         Add assertion in ContentSearchUtilities::findMagicComment() to make
1136         sure the content String is not null or we would crash in
1137         JSC::Yarr::interpret() later.
1138
1139         * inspector/ContentSearchUtilities.cpp:
1140         (Inspector::ContentSearchUtilities::findMagicComment):
1141
1142 2015-04-14  Michael Saboff  <msaboff@apple.com>
1143
1144         DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
1145         https://bugs.webkit.org/show_bug.cgi?id=143727
1146
1147         Reviewed by Geoffrey Garen.
1148
1149         Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
1150         with the requested fill format.  If filter() reports a contradiction, then we force an OSR exit.
1151         Removed individual checks made redundant by the new check.
1152
1153         * dfg/DFGSpeculativeJIT32_64.cpp:
1154         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1155         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1156         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1157         * dfg/DFGSpeculativeJIT64.cpp:
1158         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1159         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1160         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1161         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1162
1163 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1164
1165         Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
1166         https://bugs.webkit.org/show_bug.cgi?id=143691
1167
1168         Reviewed by Geoffrey Garen.
1169
1170         * API/JSRemoteInspector.h:
1171         * API/JSRemoteInspector.cpp:
1172         (JSRemoteInspectorSetLogToSystemConsole):
1173         Add SPI to enable/disable logging to the system console.
1174         This only affects JSContext `console` logs and warnings.
1175
1176         * inspector/JSGlobalObjectConsoleClient.h:
1177         * inspector/JSGlobalObjectConsoleClient.cpp:
1178         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
1179         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
1180         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
1181         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
1182         Simplify access to the setting now that it doesn't need to
1183         initialize its value from preferences.
1184
1185 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1186
1187         Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
1188         https://bugs.webkit.org/show_bug.cgi?id=143682
1189
1190         Reviewed by Timothy Hatcher.
1191
1192         * inspector/remote/RemoteInspector.mm:
1193         (Inspector::RemoteInspector::singleton):
1194         If we are on the main thread, run the initialization immediately.
1195         Otherwise dispatch to the main thread. This way if the first JSContext
1196         was created on the main thread it can get auto-attached if applicable.
1197
1198 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1199
1200         Unreviewed build fix for Mavericks.
1201
1202         Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
1203         so the Inspector namespace is not available when compiling this file.
1204
1205         * API/JSRemoteInspector.cpp:
1206
1207 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1208
1209         Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
1210         https://bugs.webkit.org/show_bug.cgi?id=143729
1211
1212         Reviewed by Timothy Hatcher.
1213
1214         * API/JSRemoteInspector.h: Added.
1215         * API/JSRemoteInspector.cpp: Added.
1216         (JSRemoteInspectorDisableAutoStart):
1217         (JSRemoteInspectorStart):
1218         (JSRemoteInspectorSetParentProcessInformation):
1219         Add the new SPIs for basic remote inspection behavior.
1220
1221         * JavaScriptCore.xcodeproj/project.pbxproj:
1222         Add the new files to Mac only, since remote inspection is only
1223         enabled there anyways.
1224
1225 2015-04-14  Mark Lam  <mark.lam@apple.com>
1226
1227         Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
1228         https://bugs.webkit.org/show_bug.cgi?id=143722
1229
1230         Reviewed by Michael Saboff.
1231
1232         Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
1233         shorter, and easier to remember (without having to look it up) and to
1234         type.  JSC options now support descriptions, and one can always look up
1235         the description if the option's purpose is not already obvious.
1236
1237         * dfg/DFGFunctionWhitelist.cpp:
1238         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1239         (JSC::DFG::FunctionWhitelist::contains):
1240         * runtime/Options.h:
1241
1242 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
1243
1244         Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
1245
1246         * runtime/InferredValue.h:
1247
1248 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
1249
1250         Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
1251
1252         * runtime/InferredValue.h:
1253
1254 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1255
1256         JSC should detect singleton functions
1257         https://bugs.webkit.org/show_bug.cgi?id=143232
1258
1259         Reviewed by Geoffrey Garen.
1260         
1261         This started out as an attempt to make constructors faster by detecting when a constructor is a
1262         singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
1263         along with an inferred value - that detects if only one JSFunction has been allocated for that
1264         executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
1265         if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
1266         we can constant-fold GetCallee.
1267         
1268         Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
1269         process I realized a bunch of things:
1270         
1271         - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
1272           had even in code where our singleton-closure detection worked. That's because singleton-closure
1273           inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
1274           the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
1275           disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
1276           values.
1277           
1278         - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
1279           created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
1280           FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
1281         
1282         - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
1283           detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
1284           about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
1285           SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
1286           First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
1287           scope. Ths saves compile times and it allows prediction propagation to benefit from the
1288           constant folding. Second, it means that we will detect a singleton scope even if it is
1289           referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
1290           allows us to eliminate the function reentry watchpoint.
1291         
1292         - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
1293           constant values in scopes. Previously when the DFG inferred that a closure variable was
1294           constant, it wouldn't know which closure that variable was in and so it couldn't just load that
1295           value. But now we are first inferring that the function is a singleton, which means that we
1296           know exactly what scope it points to, and we can load the value from the scope. Using a
1297           WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
1298           code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
1299           I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
1300           FunctionExecutable wants.
1301         
1302         This also has the effect of simplifying the implementation of block scoping. Prior to this
1303         change, block scoping would have needed to have some story for the function reentry watchpoint on
1304         any nested symbol table. That's totally weird to think about; it's not really a function reentry
1305         but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
1306         will "just work": if we prove that we know the constant value of the scope then the machinery
1307         kicks in, otherwise it doesn't.
1308         
1309         This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
1310
1311         * CMakeLists.txt:
1312         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1313         * JavaScriptCore.xcodeproj/project.pbxproj:
1314         * bytecode/BytecodeList.json:
1315         * bytecode/BytecodeUseDef.h:
1316         (JSC::computeUsesForBytecodeOffset):
1317         (JSC::computeDefsForBytecodeOffset):
1318         * bytecode/CodeBlock.cpp:
1319         (JSC::CodeBlock::dumpBytecode):
1320         (JSC::CodeBlock::CodeBlock):
1321         (JSC::CodeBlock::finalizeUnconditionally):
1322         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1323         * bytecode/CodeBlock.h:
1324         (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
1325         * bytecode/CodeOrigin.cpp:
1326         (JSC::InlineCallFrame::calleeConstant):
1327         (JSC::InlineCallFrame::visitAggregate):
1328         * bytecode/CodeOrigin.h:
1329         (JSC::InlineCallFrame::calleeConstant): Deleted.
1330         (JSC::InlineCallFrame::visitAggregate): Deleted.
1331         * bytecode/Instruction.h:
1332         * bytecode/VariableWatchpointSet.cpp: Removed.
1333         * bytecode/VariableWatchpointSet.h: Removed.
1334         * bytecode/VariableWatchpointSetInlines.h: Removed.
1335         * bytecode/VariableWriteFireDetail.cpp: Added.
1336         (JSC::VariableWriteFireDetail::dump):
1337         (JSC::VariableWriteFireDetail::touch):
1338         * bytecode/VariableWriteFireDetail.h: Added.
1339         (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
1340         * bytecode/Watchpoint.h:
1341         (JSC::WatchpointSet::stateOnJSThread):
1342         (JSC::WatchpointSet::startWatching):
1343         (JSC::WatchpointSet::fireAll):
1344         (JSC::WatchpointSet::touch):
1345         (JSC::WatchpointSet::invalidate):
1346         (JSC::InlineWatchpointSet::stateOnJSThread):
1347         (JSC::InlineWatchpointSet::state):
1348         (JSC::InlineWatchpointSet::hasBeenInvalidated):
1349         (JSC::InlineWatchpointSet::invalidate):
1350         (JSC::InlineWatchpointSet::touch):
1351         * bytecompiler/BytecodeGenerator.cpp:
1352         (JSC::BytecodeGenerator::BytecodeGenerator):
1353         * dfg/DFGAbstractInterpreterInlines.h:
1354         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1355         * dfg/DFGByteCodeParser.cpp:
1356         (JSC::DFG::ByteCodeParser::get):
1357         (JSC::DFG::ByteCodeParser::parseBlock):
1358         (JSC::DFG::ByteCodeParser::getScope): Deleted.
1359         * dfg/DFGCapabilities.cpp:
1360         (JSC::DFG::capabilityLevel):
1361         * dfg/DFGClobberize.h:
1362         (JSC::DFG::clobberize):
1363         * dfg/DFGDesiredWatchpoints.cpp:
1364         (JSC::DFG::InferredValueAdaptor::add):
1365         (JSC::DFG::DesiredWatchpoints::addLazily):
1366         (JSC::DFG::DesiredWatchpoints::reallyAdd):
1367         (JSC::DFG::DesiredWatchpoints::areStillValid):
1368         * dfg/DFGDesiredWatchpoints.h:
1369         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
1370         (JSC::DFG::DesiredWatchpoints::isWatched):
1371         * dfg/DFGGraph.cpp:
1372         (JSC::DFG::Graph::dump):
1373         (JSC::DFG::Graph::tryGetConstantClosureVar):
1374         * dfg/DFGNode.h:
1375         (JSC::DFG::Node::hasWatchpointSet):
1376         (JSC::DFG::Node::watchpointSet):
1377         (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
1378         (JSC::DFG::Node::variableWatchpointSet): Deleted.
1379         * dfg/DFGOperations.cpp:
1380         * dfg/DFGOperations.h:
1381         * dfg/DFGSpeculativeJIT.cpp:
1382         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1383         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1384         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
1385         * dfg/DFGSpeculativeJIT.h:
1386         (JSC::DFG::SpeculativeJIT::callOperation):
1387         * dfg/DFGSpeculativeJIT32_64.cpp:
1388         (JSC::DFG::SpeculativeJIT::compile):
1389         * dfg/DFGSpeculativeJIT64.cpp:
1390         (JSC::DFG::SpeculativeJIT::compile):
1391         * dfg/DFGVarargsForwardingPhase.cpp:
1392         * ftl/FTLIntrinsicRepository.h:
1393         * ftl/FTLLowerDFGToLLVM.cpp:
1394         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
1395         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1396         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
1397         * interpreter/Interpreter.cpp:
1398         (JSC::StackFrame::friendlySourceURL):
1399         (JSC::StackFrame::friendlyFunctionName):
1400         * interpreter/Interpreter.h:
1401         (JSC::StackFrame::friendlySourceURL): Deleted.
1402         (JSC::StackFrame::friendlyFunctionName): Deleted.
1403         * jit/JIT.cpp:
1404         (JSC::JIT::emitNotifyWrite):
1405         (JSC::JIT::privateCompileMainPass):
1406         * jit/JIT.h:
1407         * jit/JITOpcodes.cpp:
1408         (JSC::JIT::emit_op_touch_entry): Deleted.
1409         * jit/JITOperations.cpp:
1410         * jit/JITOperations.h:
1411         * jit/JITPropertyAccess.cpp:
1412         (JSC::JIT::emitPutGlobalVar):
1413         (JSC::JIT::emitPutClosureVar):
1414         (JSC::JIT::emitNotifyWrite): Deleted.
1415         * jit/JITPropertyAccess32_64.cpp:
1416         (JSC::JIT::emitPutGlobalVar):
1417         (JSC::JIT::emitPutClosureVar):
1418         (JSC::JIT::emitNotifyWrite): Deleted.
1419         * llint/LLIntSlowPaths.cpp:
1420         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1421         * llint/LowLevelInterpreter.asm:
1422         * llint/LowLevelInterpreter32_64.asm:
1423         * llint/LowLevelInterpreter64.asm:
1424         * runtime/CommonSlowPaths.cpp:
1425         (JSC::SLOW_PATH_DECL): Deleted.
1426         * runtime/CommonSlowPaths.h:
1427         * runtime/Executable.cpp:
1428         (JSC::FunctionExecutable::finishCreation):
1429         (JSC::FunctionExecutable::visitChildren):
1430         * runtime/Executable.h:
1431         (JSC::FunctionExecutable::singletonFunction):
1432         * runtime/InferredValue.cpp: Added.
1433         (JSC::InferredValue::create):
1434         (JSC::InferredValue::destroy):
1435         (JSC::InferredValue::createStructure):
1436         (JSC::InferredValue::visitChildren):
1437         (JSC::InferredValue::InferredValue):
1438         (JSC::InferredValue::~InferredValue):
1439         (JSC::InferredValue::notifyWriteSlow):
1440         (JSC::InferredValue::ValueCleanup::ValueCleanup):
1441         (JSC::InferredValue::ValueCleanup::~ValueCleanup):
1442         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
1443         * runtime/InferredValue.h: Added.
1444         (JSC::InferredValue::inferredValue):
1445         (JSC::InferredValue::state):
1446         (JSC::InferredValue::isStillValid):
1447         (JSC::InferredValue::hasBeenInvalidated):
1448         (JSC::InferredValue::add):
1449         (JSC::InferredValue::notifyWrite):
1450         (JSC::InferredValue::invalidate):
1451         * runtime/JSEnvironmentRecord.cpp:
1452         (JSC::JSEnvironmentRecord::visitChildren):
1453         * runtime/JSEnvironmentRecord.h:
1454         (JSC::JSEnvironmentRecord::isValid):
1455         (JSC::JSEnvironmentRecord::finishCreation):
1456         * runtime/JSFunction.cpp:
1457         (JSC::JSFunction::create):
1458         * runtime/JSFunction.h:
1459         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1460         (JSC::JSFunction::createImpl):
1461         (JSC::JSFunction::create): Deleted.
1462         * runtime/JSGlobalObject.cpp:
1463         (JSC::JSGlobalObject::addGlobalVar):
1464         (JSC::JSGlobalObject::addFunction):
1465         * runtime/JSGlobalObject.h:
1466         * runtime/JSLexicalEnvironment.cpp:
1467         (JSC::JSLexicalEnvironment::symbolTablePut):
1468         * runtime/JSScope.h:
1469         (JSC::ResolveOp::ResolveOp):
1470         * runtime/JSSegmentedVariableObject.h:
1471         (JSC::JSSegmentedVariableObject::finishCreation):
1472         * runtime/JSSymbolTableObject.h:
1473         (JSC::JSSymbolTableObject::JSSymbolTableObject):
1474         (JSC::JSSymbolTableObject::setSymbolTable):
1475         (JSC::symbolTablePut):
1476         (JSC::symbolTablePutWithAttributes):
1477         * runtime/PutPropertySlot.h:
1478         * runtime/SymbolTable.cpp:
1479         (JSC::SymbolTableEntry::prepareToWatch):
1480         (JSC::SymbolTable::SymbolTable):
1481         (JSC::SymbolTable::finishCreation):
1482         (JSC::SymbolTable::visitChildren):
1483         (JSC::SymbolTableEntry::inferredValue): Deleted.
1484         (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
1485         (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
1486         (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
1487         (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
1488         * runtime/SymbolTable.h:
1489         (JSC::SymbolTableEntry::disableWatching):
1490         (JSC::SymbolTableEntry::watchpointSet):
1491         (JSC::SymbolTable::singletonScope):
1492         (JSC::SymbolTableEntry::notifyWrite): Deleted.
1493         * runtime/TypeProfiler.cpp:
1494         * runtime/VM.cpp:
1495         (JSC::VM::VM):
1496         * runtime/VM.h:
1497         * tests/stress/infer-uninitialized-closure-var.js: Added.
1498         (foo.f):
1499         (foo):
1500         * tests/stress/singleton-scope-then-overwrite.js: Added.
1501         (foo.f):
1502         (foo):
1503         * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
1504         (foo):
1505         * tests/stress/singleton-scope-then-realloc.js: Added.
1506         (foo):
1507
1508 2015-04-13  Andreas Kling  <akling@apple.com>
1509
1510         Don't segregate heap objects based on Structure immortality.
1511         <https://webkit.org/b/143638>
1512
1513         Reviewed by Darin Adler.
1514
1515         Put all objects that need a destructor call into the same MarkedBlock.
1516         This reduces memory consumption in many situations, while improving locality,
1517         since much more of the MarkedBlock space can be shared.
1518
1519         Instead of branching on the MarkedBlock type, we now check a bit in the
1520         JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
1521         to access the cell's Structure during destruction or not.
1522
1523         Performance benchmarks look mostly neutral. Maybe a small regression on
1524         SunSpider's date objects.
1525
1526         On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
1527         with a bunch of WeakBlocks that were hanging off of them. That's on the higher
1528         end of savings we can get from this, but still a very real improvement.
1529
1530         Most of this patch is removing the "hasImmortalStructure" constant from JSCell
1531         derived classes and passing that responsibility to the StructureIsImmortal flag.
1532         StructureFlags is made public so that it's accessible from non-member functions.
1533         I made sure to declare it everywhere and make classes final to try to make it
1534         explicit what each class is doing to its inherited flags.
1535
1536         * API/JSCallbackConstructor.h:
1537         * API/JSCallbackObject.h:
1538         * bytecode/UnlinkedCodeBlock.h:
1539         * debugger/DebuggerScope.h:
1540         * dfg/DFGSpeculativeJIT.cpp:
1541         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1542         * ftl/FTLLowerDFGToLLVM.cpp:
1543         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1544         * heap/Heap.h:
1545         (JSC::Heap::subspaceForObjectDestructor):
1546         (JSC::Heap::allocatorForObjectWithDestructor):
1547         (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
1548         (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
1549         (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
1550         (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
1551         * heap/HeapInlines.h:
1552         (JSC::Heap::allocateWithDestructor):
1553         (JSC::Heap::allocateObjectOfType):
1554         (JSC::Heap::subspaceForObjectOfType):
1555         (JSC::Heap::allocatorForObjectOfType):
1556         (JSC::Heap::allocateWithNormalDestructor): Deleted.
1557         (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
1558         * heap/MarkedAllocator.cpp:
1559         (JSC::MarkedAllocator::allocateBlock):
1560         * heap/MarkedAllocator.h:
1561         (JSC::MarkedAllocator::needsDestruction):
1562         (JSC::MarkedAllocator::MarkedAllocator):
1563         (JSC::MarkedAllocator::init):
1564         (JSC::MarkedAllocator::destructorType): Deleted.
1565         * heap/MarkedBlock.cpp:
1566         (JSC::MarkedBlock::create):
1567         (JSC::MarkedBlock::MarkedBlock):
1568         (JSC::MarkedBlock::callDestructor):
1569         (JSC::MarkedBlock::specializedSweep):
1570         (JSC::MarkedBlock::sweep):
1571         (JSC::MarkedBlock::sweepHelper):
1572         * heap/MarkedBlock.h:
1573         (JSC::MarkedBlock::needsDestruction):
1574         (JSC::MarkedBlock::destructorType): Deleted.
1575         * heap/MarkedSpace.cpp:
1576         (JSC::MarkedSpace::MarkedSpace):
1577         (JSC::MarkedSpace::resetAllocators):
1578         (JSC::MarkedSpace::forEachAllocator):
1579         (JSC::MarkedSpace::isPagedOut):
1580         (JSC::MarkedSpace::clearNewlyAllocated):
1581         * heap/MarkedSpace.h:
1582         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1583         (JSC::MarkedSpace::destructorAllocatorFor):
1584         (JSC::MarkedSpace::allocateWithDestructor):
1585         (JSC::MarkedSpace::forEachBlock):
1586         (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
1587         (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
1588         (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
1589         (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
1590         (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
1591         (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
1592         * inspector/JSInjectedScriptHost.h:
1593         * inspector/JSInjectedScriptHostPrototype.h:
1594         * inspector/JSJavaScriptCallFrame.h:
1595         * inspector/JSJavaScriptCallFramePrototype.h:
1596         * jsc.cpp:
1597         * runtime/ArrayBufferNeuteringWatchpoint.h:
1598         * runtime/ArrayConstructor.h:
1599         * runtime/ArrayIteratorPrototype.h:
1600         * runtime/BooleanPrototype.h:
1601         * runtime/ClonedArguments.h:
1602         * runtime/CustomGetterSetter.h:
1603         * runtime/DateConstructor.h:
1604         * runtime/DatePrototype.h:
1605         * runtime/ErrorPrototype.h:
1606         * runtime/ExceptionHelpers.h:
1607         * runtime/Executable.h:
1608         * runtime/GenericArguments.h:
1609         * runtime/GetterSetter.h:
1610         * runtime/InternalFunction.h:
1611         * runtime/JSAPIValueWrapper.h:
1612         * runtime/JSArgumentsIterator.h:
1613         * runtime/JSArray.h:
1614         * runtime/JSArrayBuffer.h:
1615         * runtime/JSArrayBufferView.h:
1616         * runtime/JSBoundFunction.h:
1617         * runtime/JSCallee.h:
1618         * runtime/JSCell.h:
1619         * runtime/JSCellInlines.h:
1620         (JSC::JSCell::classInfo):
1621         * runtime/JSDataViewPrototype.h:
1622         * runtime/JSEnvironmentRecord.h:
1623         * runtime/JSFunction.h:
1624         * runtime/JSGenericTypedArrayView.h:
1625         * runtime/JSGlobalObject.h:
1626         * runtime/JSLexicalEnvironment.h:
1627         * runtime/JSNameScope.h:
1628         * runtime/JSNotAnObject.h:
1629         * runtime/JSONObject.h:
1630         * runtime/JSObject.h:
1631         (JSC::JSFinalObject::JSFinalObject):
1632         * runtime/JSPromiseConstructor.h:
1633         * runtime/JSPromiseDeferred.h:
1634         * runtime/JSPromisePrototype.h:
1635         * runtime/JSPromiseReaction.h:
1636         * runtime/JSPropertyNameEnumerator.h:
1637         * runtime/JSProxy.h:
1638         * runtime/JSScope.h:
1639         * runtime/JSString.h:
1640         * runtime/JSSymbolTableObject.h:
1641         * runtime/JSTypeInfo.h:
1642         (JSC::TypeInfo::structureIsImmortal):
1643         * runtime/MathObject.h:
1644         * runtime/NumberConstructor.h:
1645         * runtime/NumberPrototype.h:
1646         * runtime/ObjectConstructor.h:
1647         * runtime/PropertyMapHashTable.h:
1648         * runtime/RegExp.h:
1649         * runtime/RegExpConstructor.h:
1650         * runtime/RegExpObject.h:
1651         * runtime/RegExpPrototype.h:
1652         * runtime/ScopedArgumentsTable.h:
1653         * runtime/SparseArrayValueMap.h:
1654         * runtime/StrictEvalActivation.h:
1655         * runtime/StringConstructor.h:
1656         * runtime/StringIteratorPrototype.h:
1657         * runtime/StringObject.h:
1658         * runtime/StringPrototype.h:
1659         * runtime/Structure.cpp:
1660         (JSC::Structure::Structure):
1661         * runtime/Structure.h:
1662         * runtime/StructureChain.h:
1663         * runtime/StructureRareData.h:
1664         * runtime/Symbol.h:
1665         * runtime/SymbolPrototype.h:
1666         * runtime/SymbolTable.h:
1667         * runtime/WeakMapData.h:
1668
1669 2015-04-13  Mark Lam  <mark.lam@apple.com>
1670
1671         DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
1672         https://bugs.webkit.org/show_bug.cgi?id=143407
1673
1674         Reviewed by Filip Pizlo.
1675
1676         DFG inlining of a varargs call / construct needs to keep the local
1677         containing the callee alive with a Phantom node because the LoadVarargs
1678         node may OSR exit.  After the OSR exit, the baseline JIT executes the
1679         op_call_varargs with that callee in the local.
1680
1681         Previously, because that callee local was not explicitly kept alive,
1682         the op_call_varargs case can OSR exit a DFG function and leave an
1683         undefined value in that local.  As a result, the baseline observes the
1684         side effect of an op_call_varargs on an undefined value instead of the
1685         function it expected.
1686
1687         Note: this issue does not manifest with op_construct_varargs because
1688         the inlined constructor will have an op_create_this which operates on
1689         the incoming callee value, thereby keeping it alive.
1690
1691         * dfg/DFGByteCodeParser.cpp:
1692         (JSC::DFG::ByteCodeParser::handleInlining):
1693         * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
1694         (foo):
1695         (Foo):
1696         (doTest):
1697
1698 2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1699
1700         [ES6] Implement Array.prototype.values
1701         https://bugs.webkit.org/show_bug.cgi?id=143633
1702
1703         Reviewed by Darin Adler.
1704
1705         Symbol.unscopables is implemented, so we can implement Array.prototype.values
1706         without largely breaking the web. The following script passes.
1707
1708         var array = [];
1709         var values = 42;
1710         with (array) {
1711             assert(values, 42);
1712         }
1713
1714         * runtime/ArrayPrototype.cpp:
1715         * tests/stress/array-iterators-next.js:
1716         * tests/stress/map-iterators-next.js:
1717         * tests/stress/set-iterators-next.js:
1718         * tests/stress/values-unscopables.js: Added.
1719         (test):
1720
1721 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1722
1723         Run flaky conservative GC related test first before polluting stack and registers
1724         https://bugs.webkit.org/show_bug.cgi?id=143634
1725
1726         Reviewed by Ryosuke Niwa.
1727
1728         After r182653, JSC API tests fail. However, it's not related to the change.
1729         After investigating the cause of this failure, I've found that the failed test is flaky
1730         because JSC's GC is conservative. If previously allocated JSGlobalObject is accidentally alive
1731         due to conservative roots in C stack and registers, this test fails.
1732
1733         Since GC marks C stack and registers as roots conservatively,
1734         objects not referenced logically can be accidentally marked and alive.
1735         To avoid this situation as possible as we can,
1736         1. run this test first before stack is polluted,
1737         2. extract this test as a function to suppress stack height.
1738
1739         * API/tests/testapi.mm:
1740         (testWeakValue):
1741         (testObjectiveCAPIMain):
1742         (testObjectiveCAPI):
1743
1744 2015-04-11  Matt Baker  <mattbaker@apple.com>
1745
1746         Web Inspector: create content view and details sidebar for Frames timeline
1747         https://bugs.webkit.org/show_bug.cgi?id=143533
1748
1749         Reviewed by Timothy Hatcher.
1750
1751         Refactoring: RunLoop prefix changed to RenderingFrame.
1752
1753         * inspector/protocol/Timeline.json:
1754
1755 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1756
1757         [ES6] Enable Symbol in web pages
1758         https://bugs.webkit.org/show_bug.cgi?id=143375
1759
1760         Reviewed by Ryosuke Niwa.
1761
1762         Expose Symbol to web pages.
1763         Symbol was exposed, but it was hidden since it breaks Facebook comments.
1764         This is because at that time Symbol is implemented,
1765         but methods for Symbol.iterator and Object.getOwnPropertySymbols are not implemented yet
1766         and it breaks React.js and immutable.js.
1767
1768         Now methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented
1769         and make sure that Facebook comment input functionality is not broken with exposed Symbol.
1770
1771         So this patch replaces runtime flags SymbolEnabled to SymbolDisabled
1772         and makes enabling symbols by default.
1773
1774         * runtime/ArrayPrototype.cpp:
1775         (JSC::ArrayPrototype::finishCreation):
1776         * runtime/CommonIdentifiers.h:
1777         * runtime/JSGlobalObject.cpp:
1778         (JSC::JSGlobalObject::init):
1779         * runtime/ObjectConstructor.cpp:
1780         (JSC::ObjectConstructor::finishCreation):
1781         * runtime/RuntimeFlags.h:
1782
1783 2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1784
1785         ES6: Iterator toString names should be consistent
1786         https://bugs.webkit.org/show_bug.cgi?id=142424
1787
1788         Reviewed by Geoffrey Garen.
1789
1790         Iterator Object Names in the spec right now have spaces.
1791         In our implementation some do and some don't.
1792         This patch aligns JSC to the spec.
1793
1794         * runtime/JSArrayIterator.cpp:
1795         * runtime/JSStringIterator.cpp:
1796         * tests/stress/iterator-names.js: Added.
1797         (test):
1798         (iter):
1799         (check):
1800
1801 2015-04-10  Michael Saboff  <msaboff@apple.com>
1802
1803         REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
1804         https://bugs.webkit.org/show_bug.cgi?id=143582
1805
1806         Reviewed by Mark Lam.
1807
1808         For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
1809         fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
1810         For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
1811         The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
1812         if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
1813         we would still OSR exit after the speculation check.
1814
1815         * dfg/DFGFixupPhase.cpp:
1816         (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
1817         * dfg/DFGSpeculativeJIT32_64.cpp:
1818         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1819
1820 2015-04-10  Milan Crha  <mcrha@redhat.com>
1821
1822         Disable Linux-specific code in a Windows build
1823         https://bugs.webkit.org/show_bug.cgi?id=137973
1824
1825         Reviewed by Joseph Pecoraro.
1826
1827         * inspector/JSGlobalObjectInspectorController.cpp:
1828         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1829
1830 2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>
1831
1832         [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
1833         https://bugs.webkit.org/show_bug.cgi?id=143368
1834
1835         Reviewed by Michael Saboff.
1836
1837         * jit/RegisterSet.cpp:
1838         (JSC::RegisterSet::calleeSaveRegisters):
1839
1840 2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>
1841
1842         Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
1843         https://bugs.webkit.org/show_bug.cgi?id=143430
1844
1845         Reviewed by Darin Adler.
1846
1847         * runtime/ExceptionHelpers.cpp:
1848         (JSC::errorDescriptionForValue):
1849         * runtime/NumberPrototype.cpp:
1850         (JSC::numberProtoFuncToExponential):
1851         (JSC::numberProtoFuncToPrecision):
1852         (JSC::numberProtoFuncToString):
1853         * runtime/SymbolPrototype.cpp:
1854         (JSC::symbolProtoFuncToString):
1855
1856 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1857
1858         JSArray::sortNumeric should handle ArrayWithUndecided
1859         https://bugs.webkit.org/show_bug.cgi?id=143535
1860
1861         Reviewed by Geoffrey Garen.
1862         
1863         ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.
1864
1865         * runtime/JSArray.cpp:
1866         (JSC::JSArray::sortNumeric):
1867         * tests/stress/sort-array-with-undecided.js: Added.
1868
1869 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1870
1871         DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
1872         https://bugs.webkit.org/show_bug.cgi?id=143532
1873
1874         Reviewed by Gavin Barraclough.
1875         
1876         Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
1877         But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
1878         would think that there never was wrap-around.
1879         
1880         This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.
1881
1882         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1883         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
1884
1885 2015-04-07  Michael Saboff  <msaboff@apple.com>
1886
1887         Lazily initialize LogToSystemConsole flag to reduce memory usage
1888         https://bugs.webkit.org/show_bug.cgi?id=143506
1889
1890         Reviewed by Mark Lam.
1891
1892         Only call into CF preferences code when we need to in order to reduce memory usage.
1893
1894         * inspector/JSGlobalObjectConsoleClient.cpp:
1895         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
1896         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
1897         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
1898         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
1899
1900 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
1901
1902         Get the features.json files ready for open contributions
1903         https://bugs.webkit.org/show_bug.cgi?id=143436
1904
1905         Reviewed by Darin Adler.
1906
1907         * features.json:
1908
1909 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
1910
1911         Constant folding of typed array properties should be handled by AI rather than strength reduction
1912         https://bugs.webkit.org/show_bug.cgi?id=143496
1913
1914         Reviewed by Geoffrey Garen.
1915         
1916         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
1917         phase and whatever other phase did the folding in order to find all constants.
1918         
1919         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
1920         directly.
1921         
1922         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
1923         found because all of the tests for it involved the property getting constant folded. I found that
1924         the codegen was bad because an earlier version of the patch broke that constant folding. This
1925         adds a new test for that node type, which makes constant folding impossible by allocating a new
1926         typed array every type. The lesson here is: if you write a test for something, run the test with
1927         full IR dumps to make sure it's actually testing the thing you want it to test.
1928
1929         * dfg/DFGAbstractInterpreterInlines.h:
1930         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1931         * dfg/DFGClobberize.h:
1932         (JSC::DFG::clobberize):
1933         * dfg/DFGConstantFoldingPhase.cpp:
1934         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1935         * dfg/DFGDoesGC.cpp:
1936         (JSC::DFG::doesGC):
1937         * dfg/DFGFixupPhase.cpp:
1938         (JSC::DFG::FixupPhase::fixupNode):
1939         * dfg/DFGGraph.cpp:
1940         (JSC::DFG::Graph::dump):
1941         (JSC::DFG::Graph::tryGetFoldableView):
1942         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
1943         * dfg/DFGGraph.h:
1944         * dfg/DFGNode.h:
1945         (JSC::DFG::Node::hasTypedArray): Deleted.
1946         (JSC::DFG::Node::typedArray): Deleted.
1947         * dfg/DFGNodeType.h:
1948         * dfg/DFGPredictionPropagationPhase.cpp:
1949         (JSC::DFG::PredictionPropagationPhase::propagate):
1950         * dfg/DFGSafeToExecute.h:
1951         (JSC::DFG::safeToExecute):
1952         * dfg/DFGSpeculativeJIT.cpp:
1953         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
1954         * dfg/DFGSpeculativeJIT32_64.cpp:
1955         (JSC::DFG::SpeculativeJIT::compile):
1956         * dfg/DFGSpeculativeJIT64.cpp:
1957         (JSC::DFG::SpeculativeJIT::compile):
1958         * dfg/DFGStrengthReductionPhase.cpp:
1959         (JSC::DFG::StrengthReductionPhase::handleNode):
1960         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
1961         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
1962         * dfg/DFGWatchpointCollectionPhase.cpp:
1963         (JSC::DFG::WatchpointCollectionPhase::handle):
1964         (JSC::DFG::WatchpointCollectionPhase::addLazily):
1965         * ftl/FTLCapabilities.cpp:
1966         (JSC::FTL::canCompile):
1967         * ftl/FTLLowerDFGToLLVM.cpp:
1968         (JSC::FTL::LowerDFGToLLVM::compileNode):
1969         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
1970         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
1971         * tests/stress/fold-typed-array-properties.js:
1972         (foo):
1973         * tests/stress/typed-array-byte-offset.js: Added.
1974         (foo):
1975
1976 2015-04-07  Matthew Mirman  <mmirman@apple.com>
1977
1978         Source and stack information should get appended only to native errors
1979         and should be added directly after construction rather than when thrown. 
1980         This fixes frozen objects being unfrozen when thrown while conforming to 
1981         ecma script standard and other browser behavior.
1982         rdar://problem/19927293
1983         https://bugs.webkit.org/show_bug.cgi?id=141871
1984         
1985         Reviewed by Geoffrey Garen.
1986
1987         Appending stack, source, line, and column information to an object whenever that object is thrown 
1988         is incorrect because it violates the ecma script standard for the behavior of throw.  Suppose for example
1989         that the object being thrown already has one of these properties or is frozen.  Adding the properties 
1990         would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
1991         and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
1992         a control flow construct rather than just an error reporting mechanism.  
1993         
1994         Because WebCore adds "native" errors which do not inherit from any JSC native error, 
1995         appending the error properties as a seperate call after construction of the error is required 
1996         to avoid having to manually truncate the stack and gather local source information due to 
1997         the stack being extended by a nested call to construct one of the native jsc error.
1998         
1999         * interpreter/Interpreter.cpp:
2000         (JSC::Interpreter::execute):
2001         * interpreter/Interpreter.h:
2002         * parser/ParserError.h:
2003         (JSC::ParserError::toErrorObject):
2004         * runtime/CommonIdentifiers.h:
2005         * runtime/Error.cpp:
2006         (JSC::createError):
2007         (JSC::createEvalError):
2008         (JSC::createRangeError):
2009         (JSC::createReferenceError):
2010         (JSC::createSyntaxError):
2011         (JSC::createTypeError):
2012         (JSC::createNotEnoughArgumentsError):
2013         (JSC::createURIError):
2014         (JSC::createOutOfMemoryError):
2015         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
2016         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
2017         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
2018         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
2019         (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
2020         (JSC::addErrorInfo): Added special case for appending complete error info 
2021         to a newly constructed error object.
2022         * runtime/Error.h:
2023         * runtime/ErrorConstructor.cpp:
2024         (JSC::Interpreter::constructWithErrorConstructor):
2025         (JSC::Interpreter::callErrorConstructor):
2026         * runtime/ErrorInstance.cpp:
2027         (JSC::appendSourceToError): Moved from VM.cpp
2028         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
2029         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
2030         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
2031         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
2032         (JSC::addErrorInfoAndGetBytecodeOffset):
2033         (JSC::ErrorInstance::finishCreation):
2034         * runtime/ErrorInstance.h:
2035         (JSC::ErrorInstance::create):
2036         * runtime/ErrorPrototype.cpp:
2037         (JSC::ErrorPrototype::finishCreation):
2038         * runtime/ExceptionFuzz.cpp:
2039         (JSC::doExceptionFuzzing):
2040         * runtime/ExceptionHelpers.cpp:
2041         (JSC::createError):
2042         (JSC::createInvalidFunctionApplyParameterError):
2043         (JSC::createInvalidInParameterError):
2044         (JSC::createInvalidInstanceofParameterError):
2045         (JSC::createNotAConstructorError):
2046         (JSC::createNotAFunctionError):
2047         (JSC::createNotAnObjectError):
2048         (JSC::throwOutOfMemoryError):
2049         (JSC::createStackOverflowError): Deleted.
2050         (JSC::createOutOfMemoryError): Deleted.
2051         * runtime/ExceptionHelpers.h:
2052         * runtime/JSArrayBufferConstructor.cpp:
2053         (JSC::constructArrayBuffer):
2054         * runtime/JSArrayBufferPrototype.cpp:
2055         (JSC::arrayBufferProtoFuncSlice):
2056         * runtime/JSGenericTypedArrayViewInlines.h:
2057         (JSC::JSGenericTypedArrayView<Adaptor>::create):
2058         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
2059         * runtime/NativeErrorConstructor.cpp:
2060         (JSC::Interpreter::constructWithNativeErrorConstructor):
2061         (JSC::Interpreter::callNativeErrorConstructor):
2062         * runtime/VM.cpp:
2063         (JSC::VM::throwException):
2064         (JSC::appendSourceToError): Moved to Error.cpp
2065         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
2066         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
2067         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
2068         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
2069         * tests/stress/freeze_leek.js: Added.
2070
2071 2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>
2072
2073         Web Inspector: ES6: Show Symbol properties on Objects
2074         https://bugs.webkit.org/show_bug.cgi?id=141279
2075
2076         Reviewed by Timothy Hatcher.
2077
2078         * inspector/protocol/Runtime.json:
2079         Give PropertyDescriptor a reference to the Symbol RemoteObject
2080         if the property is a symbol property.
2081
2082         * inspector/InjectedScriptSource.js:
2083         Enumerate symbol properties on objects.
2084
2085 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
2086
2087         Make it possible to enable LLVM FastISel
2088         https://bugs.webkit.org/show_bug.cgi?id=143489
2089
2090         Reviewed by Michael Saboff.
2091
2092         The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
2093         against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
2094         if we should enable it.
2095
2096         * ftl/FTLCompile.cpp:
2097         (JSC::FTL::mmAllocateDataSection):
2098         * llvm/InitializeLLVM.cpp:
2099         (JSC::initializeLLVMImpl):
2100         * llvm/InitializeLLVM.h:
2101         * llvm/InitializeLLVMLinux.cpp:
2102         (JSC::getLLVMInitializerFunction):
2103         (JSC::initializeLLVMImpl): Deleted.
2104         * llvm/InitializeLLVMMac.cpp:
2105         (JSC::getLLVMInitializerFunction):
2106         (JSC::initializeLLVMImpl): Deleted.
2107         * llvm/InitializeLLVMPOSIX.cpp:
2108         (JSC::getLLVMInitializerFunctionPOSIX):
2109         (JSC::initializeLLVMPOSIX): Deleted.
2110         * llvm/InitializeLLVMPOSIX.h:
2111         * llvm/InitializeLLVMWin.cpp:
2112         (JSC::getLLVMInitializerFunction):
2113         (JSC::initializeLLVMImpl): Deleted.
2114         * llvm/LLVMAPI.cpp:
2115         * llvm/LLVMAPI.h:
2116         * llvm/library/LLVMExports.cpp:
2117         (initCommandLine):
2118         (initializeAndGetJSCLLVMAPI):
2119         * runtime/Options.cpp:
2120         (JSC::Options::initialize):
2121
2122 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2123
2124         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
2125         https://bugs.webkit.org/show_bug.cgi?id=140426
2126
2127         Reviewed by Darin Adler.
2128
2129         In the put_by_val_direct operation, we use JSObject::putDirect.
2130         However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex.
2131         This patch checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex.
2132
2133         * dfg/DFGOperations.cpp:
2134         (JSC::DFG::putByVal):
2135         (JSC::DFG::operationPutByValInternal):
2136         * jit/JITOperations.cpp:
2137         * llint/LLIntSlowPaths.cpp:
2138         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2139         * runtime/Identifier.h:
2140         (JSC::isIndex):
2141         (JSC::parseIndex):
2142         * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
2143         (lookupWithKey):
2144         (toStringThrowsError.toString):
2145
2146 2015-04-06  Alberto Garcia  <berto@igalia.com>
2147
2148         [GTK] Fix HPPA build
2149         https://bugs.webkit.org/show_bug.cgi?id=143453
2150
2151         Reviewed by Darin Adler.
2152
2153         Add HPPA to the list of supported CPUs.
2154
2155         * CMakeLists.txt:
2156
2157 2015-04-06  Mark Lam  <mark.lam@apple.com>
2158
2159         In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
2160         <https://webkit.org/b/143396>
2161
2162         Reviewed by Filip Pizlo.
2163
2164         The DFG was neglecting to set the result boolean.  The FTL was setting it with
2165         an inverted value.  Both of these are now resolved.
2166
2167         * dfg/DFGSpeculativeJIT64.cpp:
2168         (JSC::DFG::SpeculativeJIT::compile):
2169         * ftl/FTLLowerDFGToLLVM.cpp:
2170         (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
2171         * tests/stress/for-in-array-mode.js: Added.
2172         (.):
2173         (test):
2174
2175 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2176
2177         [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
2178         https://bugs.webkit.org/show_bug.cgi?id=143424
2179
2180         Reviewed by Geoffrey Garen.
2181
2182         In ES6, StringConstructor behavior becomes different from ToString abstract operations in the spec. (and JSValue::toString).
2183
2184         ToString(symbol) throws a type error.
2185         However, String(symbol) produces SymbolDescriptiveString(symbol).
2186
2187         So, in DFG and FTL phase, they should not inline StringConstructor to ToString.
2188
2189         Now, in the template literals patch, ToString DFG operation is planned to be used.
2190         And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
2191         So intead of changing ToString behavior, this patch adds CallStringConstructor operation into DFG and FTL.
2192         In CallStringConstructor, all behavior in DFG analysis is the same.
2193         Only the difference from ToString is, when calling DFG operation functions, it calls
2194         operationCallStringConstructorOnCell and operationCallStringConstructor instead of
2195         operationToStringOnCell and operationToString.
2196
2197         * dfg/DFGAbstractInterpreterInlines.h:
2198         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2199         * dfg/DFGBackwardsPropagationPhase.cpp:
2200         (JSC::DFG::BackwardsPropagationPhase::propagate):
2201         * dfg/DFGByteCodeParser.cpp:
2202         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2203         * dfg/DFGClobberize.h:
2204         (JSC::DFG::clobberize):
2205         * dfg/DFGDoesGC.cpp:
2206         (JSC::DFG::doesGC):
2207         * dfg/DFGFixupPhase.cpp:
2208         (JSC::DFG::FixupPhase::fixupNode):
2209         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
2210         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
2211         (JSC::DFG::FixupPhase::fixupToString): Deleted.
2212         * dfg/DFGNodeType.h:
2213         * dfg/DFGOperations.cpp:
2214         * dfg/DFGOperations.h:
2215         * dfg/DFGPredictionPropagationPhase.cpp:
2216         (JSC::DFG::PredictionPropagationPhase::propagate):
2217         * dfg/DFGSafeToExecute.h:
2218         (JSC::DFG::safeToExecute):
2219         * dfg/DFGSpeculativeJIT.cpp:
2220         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
2221         (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
2222         * dfg/DFGSpeculativeJIT.h:
2223         * dfg/DFGSpeculativeJIT32_64.cpp:
2224         (JSC::DFG::SpeculativeJIT::compile):
2225         * dfg/DFGSpeculativeJIT64.cpp:
2226         (JSC::DFG::SpeculativeJIT::compile):
2227         * dfg/DFGStructureRegistrationPhase.cpp:
2228         (JSC::DFG::StructureRegistrationPhase::run):
2229         * ftl/FTLCapabilities.cpp:
2230         (JSC::FTL::canCompile):
2231         * ftl/FTLLowerDFGToLLVM.cpp:
2232         (JSC::FTL::LowerDFGToLLVM::compileNode):
2233         (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
2234         (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
2235         * runtime/StringConstructor.cpp:
2236         (JSC::stringConstructor):
2237         (JSC::callStringConstructor):
2238         * runtime/StringConstructor.h:
2239         * tests/stress/symbol-and-string-constructor.js: Added.
2240         (performString):
2241
2242 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2243
2244         Return Optional<uint32_t> from PropertyName::asIndex
2245         https://bugs.webkit.org/show_bug.cgi?id=143422
2246
2247         Reviewed by Darin Adler.
2248
2249         PropertyName::asIndex returns uint32_t and use UINT_MAX as NotAnIndex.
2250         But it's not obvious to callers.
2251
2252         This patch changes
2253         1. PropertyName::asIndex() to return Optional<uint32_t> and
2254         2. function name `asIndex()` to `parseIndex()`.
2255         It forces callers to check the value is index or not explicitly.
2256
2257         * bytecode/GetByIdStatus.cpp:
2258         (JSC::GetByIdStatus::computeFor):
2259         * bytecode/PutByIdStatus.cpp:
2260         (JSC::PutByIdStatus::computeFor):
2261         * bytecompiler/BytecodeGenerator.cpp:
2262         (JSC::BytecodeGenerator::emitDirectPutById):
2263         * jit/Repatch.cpp:
2264         (JSC::emitPutTransitionStubAndGetOldStructure):
2265         * jsc.cpp:
2266         * runtime/ArrayPrototype.cpp:
2267         (JSC::arrayProtoFuncSort):
2268         * runtime/GenericArgumentsInlines.h:
2269         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2270         (JSC::GenericArguments<Type>::put):
2271         (JSC::GenericArguments<Type>::deleteProperty):
2272         (JSC::GenericArguments<Type>::defineOwnProperty):
2273         * runtime/Identifier.h:
2274         (JSC::parseIndex):
2275         (JSC::Identifier::isSymbol):
2276         * runtime/JSArray.cpp:
2277         (JSC::JSArray::defineOwnProperty):
2278         * runtime/JSCJSValue.cpp:
2279         (JSC::JSValue::putToPrimitive):
2280         * runtime/JSGenericTypedArrayViewInlines.h:
2281         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2282         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2283         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2284         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2285         * runtime/JSObject.cpp:
2286         (JSC::JSObject::put):
2287         (JSC::JSObject::putDirectAccessor):
2288         (JSC::JSObject::putDirectCustomAccessor):
2289         (JSC::JSObject::deleteProperty):
2290         (JSC::JSObject::putDirectMayBeIndex):
2291         (JSC::JSObject::defineOwnProperty):
2292         * runtime/JSObject.h:
2293         (JSC::JSObject::getOwnPropertySlot):
2294         (JSC::JSObject::getPropertySlot):
2295         (JSC::JSObject::putDirectInternal):
2296         * runtime/JSString.cpp:
2297         (JSC::JSString::getStringPropertyDescriptor):
2298         * runtime/JSString.h:
2299         (JSC::JSString::getStringPropertySlot):
2300         * runtime/LiteralParser.cpp:
2301         (JSC::LiteralParser<CharType>::parse):
2302         * runtime/PropertyName.h:
2303         (JSC::parseIndex):
2304         (JSC::toUInt32FromCharacters): Deleted.
2305         (JSC::toUInt32FromStringImpl): Deleted.
2306         (JSC::PropertyName::asIndex): Deleted.
2307         * runtime/PropertyNameArray.cpp:
2308         (JSC::PropertyNameArray::add):
2309         * runtime/StringObject.cpp:
2310         (JSC::StringObject::deleteProperty):
2311         * runtime/Structure.cpp:
2312         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2313
2314 2015-04-05  Andreas Kling  <akling@apple.com>
2315
2316         URI encoding/escaping should use efficient string building instead of calling snprintf().
2317         <https://webkit.org/b/143426>
2318
2319         Reviewed by Gavin Barraclough.
2320
2321         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
2322         which seemed pretty silly. This change gets that down to nothing in favor of using our
2323         existing JSStringBuilder and HexNumber.h facilities.
2324
2325         These APIs are well-exercised by our existing test suite.
2326
2327         * runtime/JSGlobalObjectFunctions.cpp:
2328         (JSC::encode):
2329         (JSC::globalFuncEscape):
2330
2331 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
2332
2333         documentation for ES Promises points to the wrong one
2334         https://bugs.webkit.org/show_bug.cgi?id=143263
2335
2336         Reviewed by Darin Adler.
2337
2338         * features.json:
2339
2340 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
2341
2342         Remove "go ahead and" from comments
2343         https://bugs.webkit.org/show_bug.cgi?id=143421
2344
2345         Reviewed by Darin Adler, Benjamin Poulain.
2346
2347         Remove the phrase "go ahead and" from comments where it doesn't add
2348         anything (which is almost all of them).
2349
2350         * interpreter/JSStack.cpp:
2351         (JSC::JSStack::growSlowCase):
2352
2353 2015-04-04  Andreas Kling  <akling@apple.com>
2354
2355         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
2356         <https://webkit.org/b/143210>
2357
2358         Reviewed by Geoffrey Garen.
2359
2360         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
2361         we had a little problem where WeakBlocks with only null pointers would still keep their
2362         MarkedBlock alive.
2363
2364         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
2365         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
2366         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
2367         destroying them once they're fully dead.
2368
2369         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
2370         a mysterious issue where doing two full garbage collections back-to-back would free additional
2371         memory in the second collection.
2372
2373         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
2374         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
2375         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
2376
2377         * heap/Heap.h:
2378         * heap/Heap.cpp:
2379         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
2380         owned by Heap, after everything else has been swept.
2381
2382         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
2383         after a full garbage collection ends. Note that we don't do this after Eden collections, since
2384         they are unlikely to cause entire WeakBlocks to go empty.
2385
2386         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
2387         to the Heap when it's detached from a WeakSet.
2388
2389         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
2390         of the logically empty WeakBlocks owned by Heap.
2391
2392         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
2393         and updates the next-logically-empty-weak-block-to-sweep index.
2394
2395         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
2396         won't be another chance after this.
2397
2398         * heap/IncrementalSweeper.h:
2399         (JSC::IncrementalSweeper::hasWork): Deleted.
2400
2401         * heap/IncrementalSweeper.cpp:
2402         (JSC::IncrementalSweeper::fullSweep):
2403         (JSC::IncrementalSweeper::doSweep):
2404         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
2405         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
2406         changed to return a bool (true if there's more work to be done.)
2407
2408         * heap/WeakBlock.cpp:
2409         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e doesn't
2410         contain any pointers to live objects. The answer is stored in a new SweepResult member.
2411
2412         * heap/WeakBlock.h:
2413         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
2414         if the WeakBlock could be detached from the MarkedBlock.
2415
2416         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
2417         when declaring them.
2418
2419 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2420
2421         Implement ES6 Object.getOwnPropertySymbols
2422         https://bugs.webkit.org/show_bug.cgi?id=141106
2423
2424         Reviewed by Geoffrey Garen.
2425
2426         This patch implements `Object.getOwnPropertySymbols`.
2427         One technical issue is that, since we use private symbols (such as `@Object`) in the
2428         privileged JS code in `builtins/`, they should not be exposed.
2429         To distinguish them from the usual symbols, check the target `StringImpl*` is a not private name
2430         before adding it into PropertyNameArray.
2431
2432         To check the target `StringImpl*` is a private name, we leverage privateToPublic map in `BuiltinNames`
2433         since all private symbols are held in this map.
2434
2435         * builtins/BuiltinExecutables.cpp:
2436         (JSC::BuiltinExecutables::createExecutableInternal):
2437         * builtins/BuiltinNames.h:
2438         (JSC::BuiltinNames::isPrivateName):
2439         * runtime/CommonIdentifiers.cpp:
2440         (JSC::CommonIdentifiers::isPrivateName):
2441         * runtime/CommonIdentifiers.h:
2442         * runtime/EnumerationMode.h:
2443         (JSC::EnumerationMode::EnumerationMode):
2444         (JSC::EnumerationMode::includeSymbolProperties):
2445         * runtime/ExceptionHelpers.cpp:
2446         (JSC::createUndefinedVariableError):
2447         * runtime/JSGlobalObject.cpp:
2448         (JSC::JSGlobalObject::init):
2449         * runtime/JSLexicalEnvironment.cpp:
2450         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2451         * runtime/JSSymbolTableObject.cpp:
2452         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2453         * runtime/ObjectConstructor.cpp:
2454         (JSC::ObjectConstructor::finishCreation):
2455         (JSC::objectConstructorGetOwnPropertySymbols):
2456         (JSC::defineProperties):
2457         (JSC::objectConstructorSeal):
2458         (JSC::objectConstructorFreeze):
2459         (JSC::objectConstructorIsSealed):
2460         (JSC::objectConstructorIsFrozen):
2461         * runtime/ObjectConstructor.h:
2462         (JSC::ObjectConstructor::create):
2463         * runtime/Structure.cpp:
2464         (JSC::Structure::getPropertyNamesFromStructure):
2465         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
2466         (compare):
2467         * tests/stress/object-get-own-property-symbols.js: Added.
2468         (forIn):
2469         * tests/stress/symbol-define-property.js: Added.
2470         (testSymbol):
2471         * tests/stress/symbol-seal-and-freeze.js: Added.
2472         * tests/stress/symbol-with-json.js: Added.
2473
2474 2015-04-03  Mark Lam  <mark.lam@apple.com>
2475
2476         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
2477         <https://webkit.org/b/143385>
2478
2479         Reviewed by Geoffrey Garen.
2480
2481         For debugging purposes, sometimes, we want to be able to make compilation happen
2482         sooner to see if we can accelerate the manifestation of certain events / bugs.
2483         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
2484         which make up the compilation policy.  Let's add a single knob that can tune all
2485         the thresholds up / down in one go proportionately so that we can easily tweak
2486         how soon compilation occurs.
2487
2488         * runtime/Options.cpp:
2489         (JSC::scaleJITPolicy):
2490         (JSC::recomputeDependentOptions):
2491         * runtime/Options.h:
2492
2493 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2494
2495         is* API methods should be @properties
2496         https://bugs.webkit.org/show_bug.cgi?id=143388
2497
2498         Reviewed by Mark Lam.
2499
2500         This appears to be the preferred idiom in WebKit, CA, AppKit, and
2501         Foundation.
2502
2503         * API/JSValue.h: Be @properties.
2504
2505         * API/tests/testapi.mm:
2506         (testObjectiveCAPI): Use the @properties.
2507
2508 2015-04-03  Mark Lam  <mark.lam@apple.com>
2509
2510         Some JSC Options refactoring and enhancements.
2511         <https://webkit.org/b/143384>
2512
2513         Rubber stamped by Benjamin Poulain.
2514
2515         Create a better encapsulated Option class to make working with options easier.  This
2516         is a building block towards a JIT policy scaling debugging option I will introduce later.
2517
2518         This work entails:
2519         1. Convert Options::Option into a public class Option (who works closely with Options).
2520         2. Convert Options::EntryType into an enum class Options::Type and make it public.
2521         3. Renamed Options::OPT_<option name> to Options::<option name>ID because it reads better.
2522         4. Add misc methods to class Option to make it more useable.
2523
2524         * runtime/Options.cpp:
2525         (JSC::Options::dumpOption):
2526         (JSC::Option::dump):
2527         (JSC::Option::operator==):
2528         (JSC::Options::Option::dump): Deleted.
2529         (JSC::Options::Option::operator==): Deleted.
2530         * runtime/Options.h:
2531         (JSC::Option::Option):
2532         (JSC::Option::operator!=):
2533         (JSC::Option::name):
2534         (JSC::Option::description):
2535         (JSC::Option::type):
2536         (JSC::Option::isOverridden):
2537         (JSC::Option::defaultOption):
2538         (JSC::Option::boolVal):
2539         (JSC::Option::unsignedVal):
2540         (JSC::Option::doubleVal):
2541         (JSC::Option::int32Val):
2542         (JSC::Option::optionRangeVal):
2543         (JSC::Option::optionStringVal):
2544         (JSC::Option::gcLogLevelVal):
2545         (JSC::Options::Option::Option): Deleted.
2546         (JSC::Options::Option::operator!=): Deleted.
2547
2548 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2549
2550         JavaScriptCore API should support type checking for Array and Date
2551         https://bugs.webkit.org/show_bug.cgi?id=143324
2552
2553         Follow-up to address a comment by Dan.
2554
2555         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
2556         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
2557         is equal to 101100.
2558
2559 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2560
2561         JavaScriptCore API should support type checking for Array and Date
2562         https://bugs.webkit.org/show_bug.cgi?id=143324
2563
2564         Follow-up to address a comment by Dan.
2565
2566         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
2567         Added a comment explaining why.
2568
2569 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
2570
2571         FTL JIT tests should fail if LLVM library isn't available
2572         https://bugs.webkit.org/show_bug.cgi?id=143374
2573
2574         Reviewed by Mark Lam.
2575
2576         * dfg/DFGPlan.cpp:
2577         (JSC::DFG::Plan::compileInThreadImpl):
2578         * runtime/Options.h:
2579
2580 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2581
2582         Fix the EFL and GTK build after r182243
2583         https://bugs.webkit.org/show_bug.cgi?id=143361
2584
2585         Reviewed by Csaba Osztrogonác.
2586
2587         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
2588         DerivedSources/JavaScriptCore/inspector/ directory.
2589
2590 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2591
2592         Unreviewed, fixing Clang builds of the GTK port on Linux.
2593
2594         * runtime/Options.cpp:
2595         Include the <math.h> header for isnan().
2596
2597 2015-04-02  Mark Lam  <mark.lam@apple.com>
2598
2599         Enhance ability to dump JSC Options.
2600         <https://webkit.org/b/143357>
2601
2602         Reviewed by Benjamin Poulain.
2603
2604         Some enhancements to how the JSC options work:
2605
2606         1. Add a JSC_showOptions option which take values: 0 = None, 1 = Overridden only,
2607            2 = All, 3 = Verbose.
2608
2609            The default is 0 (None).  This dumps nothing.
2610            With the Overridden setting, at VM initialization time, we will dump all
2611            option values that have been changed from their default.
2612            With the All setting, at VM initialization time, we will dump all option values.
2613            With the Verbose setting, at VM initialization time, we will dump all option
2614            values along with their descriptions (if available).
2615
2616         2. We now store a copy of the default option values.
2617
2618            We later use this for comparison to tell if an option has been overridden, and
2619            print the default value for reference.  As a result, we no longer need the
2620            didOverride flag since we can compute whether the option is overridden at any time.
2621
2622         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
2623
2624            This will come in handy later when we want to rename some of the options to more sane
2625            names that are easier to remember.  For example, we can change
2626            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
2627            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
2628            of the description, we can afford to use shorter and less descriptive option names,
2629            but they will be easier to remember and use for day to day debugging work.
2630
2631            In this patch, I did not change the names of any of the options yet.  I only added
2632            description strings for options that I know about, and where I think the option name
2633            isn't already descriptive enough.
2634
2635         4. Also deleted some unused code.
2636
2637         * jsc.cpp:
2638         (CommandLine::parseArguments):
2639         * runtime/Options.cpp:
2640         (JSC::Options::initialize):
2641         (JSC::Options::setOption):
2642         (JSC::Options::dumpAllOptions):
2643         (JSC::Options::dumpOption):
2644         (JSC::Options::Option::dump):
2645         (JSC::Options::Option::operator==):
2646         * runtime/Options.h:
2647         (JSC::OptionRange::rangeString):
2648         (JSC::Options::Option::Option):
2649         (JSC::Options::Option::operator!=):
2650
2651 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
2652
2653         JavaScriptCore API should support type checking for Array and Date
2654         https://bugs.webkit.org/show_bug.cgi?id=143324
2655
2656         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
2657
2658         * API/JSValue.h:
2659         * API/JSValue.mm:
2660         (-[JSValue isArray]):
2661         (-[JSValue isDate]): Added an ObjC API.
2662
2663         * API/JSValueRef.cpp:
2664         (JSValueIsArray):
2665         (JSValueIsDate):
2666         * API/JSValueRef.h: Added a C API.
2667
2668         * API/WebKitAvailability.h: Brought our availability macros up to date
2669         and fixed a harmless bug where "10_10" translated to "10.0".
2670
2671         * API/tests/testapi.c:
2672         (main): Added a test and corrected a pre-existing leak.
2673
2674         * API/tests/testapi.mm:
2675         (testObjectiveCAPI): Added a test.
2676
2677 2015-04-02  Mark Lam  <mark.lam@apple.com>
2678
2679         Add Options::dumpSourceAtDFGTime().
2680         <https://webkit.org/b/143349>
2681
2682         Reviewed by Oliver Hunt, and Michael Saboff.
2683
2684         Sometimes, we will want to see the JS source code that we're compiling, and it
2685         would be nice to be able to do this without having to jump thru a lot of hoops.
2686         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
2687         Options::dumpBytecodeAtDFGTime() option.
2688
2689         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
2690         that explicitly take no arguments (instead of relying on the version that takes
2691         the default argument).  These versions are friendlier to use when we want to call
2692         them from an interactive debugging session.
2693
2694         * bytecode/CodeBlock.cpp:
2695         (JSC::CodeBlock::dumpSource):
2696         (JSC::CodeBlock::dumpBytecode):
2697         * bytecode/CodeBlock.h:
2698         * dfg/DFGByteCodeParser.cpp:
2699         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2700         * runtime/Options.h:
2701
2702 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2703
2704         Clean up EnumerationMode to easily extend
2705         https://bugs.webkit.org/show_bug.cgi?id=143276
2706
2707         Reviewed by Geoffrey Garen.
2708
2709         To make the followings easily,
2710         1. Adding new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
2711         2. Make ExcludeSymbols implicitly default for the existing flags
2712         we encapsulate EnumerationMode flags into EnumerationMode class.
2713
2714         And this class manages 2 flags. Later it will be extended to 3.
2715         1. DontEnumPropertiesMode (default is Exclude)
2716         2. JSObjectPropertiesMode (default is Include)
2717         3. SymbolPropertiesMode (default is Exclude)
2718             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
2719
2720         This patch replaces places using ExcludeDontEnumProperties
2721         to EnumerationMode() value which represents default mode.
2722
2723         * API/JSCallbackObjectFunctions.h:
2724         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2725         * API/JSObjectRef.cpp:
2726         (JSObjectCopyPropertyNames):
2727         * bindings/ScriptValue.cpp:
2728         (Deprecated::jsToInspectorValue):
2729         * bytecode/ObjectAllocationProfile.h:
2730         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2731         * runtime/ArrayPrototype.cpp:
2732         (JSC::arrayProtoFuncSort):
2733         * runtime/EnumerationMode.h:
2734         (JSC::EnumerationMode::EnumerationMode):
2735         (JSC::EnumerationMode::includeDontEnumProperties):
2736         (JSC::EnumerationMode::includeJSObjectProperties):
2737         (JSC::shouldIncludeDontEnumProperties): Deleted.
2738         (JSC::shouldExcludeDontEnumProperties): Deleted.
2739         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
2740         (JSC::modeThatSkipsJSObject): Deleted.
2741         * runtime/GenericArgumentsInlines.h:
2742         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2743         * runtime/JSArray.cpp:
2744         (JSC::JSArray::getOwnNonIndexPropertyNames):
2745         * runtime/JSArrayBuffer.cpp:
2746         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2747         * runtime/JSArrayBufferView.cpp:
2748         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2749         * runtime/JSFunction.cpp:
2750         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2751         * runtime/JSFunction.h:
2752         * runtime/JSGenericTypedArrayViewInlines.h:
2753         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
2754         * runtime/JSLexicalEnvironment.cpp:
2755         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2756         * runtime/JSONObject.cpp:
2757         (JSC::Stringifier::Holder::appendNextProperty):
2758         (JSC::Walker::walk):
2759         * runtime/JSObject.cpp:
2760         (JSC::getClassPropertyNames):
2761         (JSC::JSObject::getOwnPropertyNames):
2762         (JSC::JSObject::getOwnNonIndexPropertyNames):
2763         (JSC::JSObject::getGenericPropertyNames):
2764         * runtime/JSPropertyNameEnumerator.h:
2765         (JSC::propertyNameEnumerator):
2766         * runtime/JSSymbolTableObject.cpp:
2767         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2768         * runtime/ObjectConstructor.cpp:
2769         (JSC::objectConstructorGetOwnPropertyNames):
2770         (JSC::objectConstructorKeys):
2771         (JSC::defineProperties):
2772         (JSC::objectConstructorSeal):
2773         (JSC::objectConstructorFreeze):
2774         (JSC::objectConstructorIsSealed):
2775         (JSC::objectConstructorIsFrozen):
2776         * runtime/RegExpObject.cpp:
2777         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2778         (JSC::RegExpObject::getPropertyNames):
2779         (JSC::RegExpObject::getGenericPropertyNames):
2780         * runtime/StringObject.cpp:
2781         (JSC::StringObject::getOwnPropertyNames):
2782         * runtime/Structure.cpp:
2783         (JSC::Structure::getPropertyNamesFromStructure):
2784
2785 2015-04-01  Alex Christensen  <achristensen@webkit.org>
2786
2787         Progress towards CMake on Windows and Mac.
2788         https://bugs.webkit.org/show_bug.cgi?id=143293
2789
2790         Reviewed by Filip Pizlo.
2791
2792         * CMakeLists.txt:
2793         Enabled using assembly on Windows.
2794         Replaced unix commands with CMake commands.
2795         * PlatformMac.cmake:
2796         Tell open source builders where to find unicode headers.
2797
2798 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2799
2800         IteratorClose should be called when jumping over the target for-of loop
2801         https://bugs.webkit.org/show_bug.cgi?id=143140
2802
2803         Reviewed by Geoffrey Garen.
2804
2805         This patch fixes labeled break/continue behaviors with for-of and iterators.
2806
2807         1. Support IteratorClose beyond multiple loop contexts
2808         Previously, IteratorClose is only executed in for-of's breakTarget().
2809         However, this misses IteratorClose execution when statement roll-ups multiple control flow contexts.
2810         For example,
2811         outer: for (var e1 of outer) {
2812             inner: for (var e2 of inner) {
2813                 break outer;
2814             }
2815         }
2816         In this case, return method of inner should be called.
2817         We leverage the existing system for `finally` to execute inner.return method correctly.
2818         Leveraging `finally` system fixes `break`, `continue` and `return` cases.
2819         `throw` case is already supported by emitting try-catch handlers in for-of.
2820
2821         2. Incorrect LabelScope creation is done in ForOfNode
2822         ForOfNode creates duplicated LabelScope.
2823         It causes infinite loop when executing the following program that contains
2824         explicitly labeled for-of loop.
2825         For example,
2826         inner: for (var elm of array) {
2827             continue inner;
2828         }
2829
2830         * bytecompiler/BytecodeGenerator.cpp:
2831         (JSC::BytecodeGenerator::pushFinallyContext):
2832         (JSC::BytecodeGenerator::pushIteratorCloseContext):
2833         (JSC::BytecodeGenerator::popFinallyContext):
2834         (JSC::BytecodeGenerator::popIteratorCloseContext):
2835         (JSC::BytecodeGenerator::emitComplexPopScopes):
2836         (JSC::BytecodeGenerator::emitEnumeration):
2837         (JSC::BytecodeGenerator::emitIteratorClose):
2838         * bytecompiler/BytecodeGenerator.h:
2839         * bytecompiler/NodesCodegen.cpp:
2840         (JSC::ForOfNode::emitBytecode):
2841         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
2842         (createIterator.iterator.return):
2843         (createIterator):
2844         * tests/stress/raise-error-in-iterator-close.js: Added.
2845         (createIterator.iterator.return):
2846         (createIterator):
2847
2848 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2849
2850         [ES6] Implement Symbol.unscopables
2851         https://bugs.webkit.org/show_bug.cgi?id=142829
2852
2853         Reviewed by Geoffrey Garen.
2854
2855         This patch introduces Symbol.unscopables functionality.
2856         In ES6, some generic names (like keys, values) are introduced
2857         as Array's method name. And this breaks the web since some web sites
2858         use like the following code.
2859
2860         var values = ...;
2861         with (array) {
2862             values;  // This values is trapped by array's method "values".
2863         }
2864
2865         To fix this, Symbol.unscopables introduces blacklist
2866         for with scope's trapping. When resolving scope,
2867         if name is found in the target scope and the target scope is with scope,
2868         we check Symbol.unscopables object to filter generic names.
2869
2870         This functionality is only active for with scopes.
2871         Global scope does not have unscopables functionality.
2872
2873         And since
2874         1) op_resolve_scope for with scope always return Dynamic resolve type,
2875         2) in that case, JSScope::resolve is always used in JIT and LLInt,
2876         3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
2877         to implement this functionality, we just change JSScope::resolve and no need to change JIT code.
2878         So performance regression is only visible in Dynamic resolving case, and it is already much slow.
2879
2880         * runtime/ArrayPrototype.cpp:
2881         (JSC::ArrayPrototype::finishCreation):
2882         * runtime/CommonIdentifiers.h:
2883         * runtime/JSGlobalObject.h:
2884         (JSC::JSGlobalObject::runtimeFlags):
2885         * runtime/JSScope.cpp:
2886         (JSC::isUnscopable):
2887         (JSC::JSScope::resolve):
2888         * runtime/JSScope.h:
2889         (JSC::ScopeChainIterator::scope):
2890         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
2891         (test):
2892         * tests/stress/unscopables.js: Added.
2893         (test):
2894         (.):
2895
2896 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
2897
2898         ES6 class syntax should allow static setters and getters
2899         https://bugs.webkit.org/show_bug.cgi?id=143180
2900
2901         Reviewed by Filip Pizlo
2902
2903         Apparently I misread the spec when I initially implemented parseClass.
2904         ES6 class syntax allows static getters and setters so just allow that.
2905
2906         * parser/Parser.cpp:
2907         (JSC::Parser<LexerType>::parseClass):
2908
2909 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
2910
2911         PutClosureVar CSE def() rule has a wrong base
2912         https://bugs.webkit.org/show_bug.cgi?id=143280
2913
2914         Reviewed by Michael Saboff.
2915         
2916         I think that this code was incorrect in a benign way, since the base of a
2917         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
2918
2919         * dfg/DFGClobberize.h:
2920         (JSC::DFG::clobberize):
2921
2922 2015-03-31  Commit Queue  <commit-queue@webkit.org>
2923
2924         Unreviewed, rolling out r182200.
2925         https://bugs.webkit.org/show_bug.cgi?id=143279
2926
2927         Probably causing assertion extravaganza on bots. (Requested by
2928         kling on #webkit).
2929
2930         Reverted changeset:
2931
2932         "Logically empty WeakBlocks should not pin down their
2933         MarkedBlocks indefinitely."
2934         https://bugs.webkit.org/show_bug.cgi?id=143210
2935         http://trac.webkit.org/changeset/182200
2936
2937 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2938
2939         Clean up Identifier factories to clarify the meaning of StringImpl*
2940         https://bugs.webkit.org/show_bug.cgi?id=143146
2941
2942         Reviewed by Filip Pizlo.
2943
2944         In the a lot of places, `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
2945         However, it's ambiguous because `StringImpl*` has 2 different meanings.
2946         1) normal string, it is replacable with `WTFString` and
2947         2) `uid`, which holds `isSymbol` information to represent Symbols.
2948         So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
2949         + `Identifier::fromString(VM*/ExecState*, const String&)`.
2950         Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
2951         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
2952         This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.
2953
2954         And to clean up `StringImpl` which is used as uid,
2955         we introduce `StringKind` into `StringImpl`. There's 3 kinds
2956         1. StringNormal (non-atomic, non-symbol)
2957         2. StringAtomic (atomic, non-symbol)
2958         3. StringSymbol (non-atomic, symbol)
2959         They are mutually exclusive. And (atomic, symbol) case should not exist.
2960
2961         * API/JSCallbackObjectFunctions.h:
2962         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2963         * API/JSObjectRef.cpp:
2964         (JSObjectMakeFunction):
2965         * API/OpaqueJSString.cpp:
2966         (OpaqueJSString::identifier):
2967         * bindings/ScriptFunctionCall.cpp:
2968         (Deprecated::ScriptFunctionCall::call):
2969         * builtins/BuiltinExecutables.cpp:
2970         (JSC::BuiltinExecutables::createExecutableInternal):
2971         * builtins/BuiltinNames.h:
2972         (JSC::BuiltinNames::BuiltinNames):
2973         * bytecompiler/BytecodeGenerator.cpp:
2974         (JSC::BytecodeGenerator::BytecodeGenerator):
2975         (JSC::BytecodeGenerator::emitThrowReferenceError):
2976         (JSC::BytecodeGenerator::emitThrowTypeError):
2977         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
2978         (JSC::BytecodeGenerator::emitEnumeration):
2979         * dfg/DFGDesiredIdentifiers.cpp:
2980         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2981         * inspector/JSInjectedScriptHost.cpp:
2982         (Inspector::JSInjectedScriptHost::functionDetails):
2983         (Inspector::constructInternalProperty):
2984         (Inspector::JSInjectedScriptHost::weakMapEntries):
2985         (Inspector::JSInjectedScriptHost::iteratorEntries):
2986         * inspector/JSInjectedScriptHostPrototype.cpp:
2987         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2988         * inspector/JSJavaScriptCallFramePrototype.cpp:
2989         * inspector/ScriptCallStackFactory.cpp:
2990         (Inspector::extractSourceInformationFromException):
2991         * jit/JITOperations.cpp:
2992         * jsc.cpp:
2993         (GlobalObject::finishCreation):
2994         (GlobalObject::addFunction):
2995         (GlobalObject::addConstructableFunction):
2996         (functionRun):
2997         (runWithScripts):
2998         * llint/LLIntData.cpp:
2999         (JSC::LLInt::Data::performAssertions):
3000         * llint/LowLevelInterpreter.asm:
3001         * parser/ASTBuilder.h:
3002         (JSC::ASTBuilder::addVar):
3003         * parser/Parser.cpp:
3004         (JSC::Parser<LexerType>::parseInner):
3005         (JSC::Parser<LexerType>::createBindingPattern):
3006         * parser/ParserArena.h:
3007         (JSC::IdentifierArena::makeIdentifier):
3008         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
3009         (JSC::IdentifierArena::makeNumericIdentifier):
3010         * runtime/ArgumentsIteratorPrototype.cpp:
3011         (JSC::ArgumentsIteratorPrototype::finishCreation):
3012         * runtime/ArrayIteratorPrototype.cpp:
3013         (JSC::ArrayIteratorPrototype::finishCreation):
3014         * runtime/ArrayPrototype.cpp:
3015         (JSC::ArrayPrototype::finishCreation):
3016         (JSC::arrayProtoFuncPush):
3017         * runtime/ClonedArguments.cpp:
3018         (JSC::ClonedArguments::getOwnPropertySlot):
3019         * runtime/CommonIdentifiers.cpp:
3020         (JSC::CommonIdentifiers::CommonIdentifiers):
3021         * runtime/CommonIdentifiers.h:
3022         * runtime/Error.cpp:
3023         (JSC::addErrorInfo):
3024         (JSC::hasErrorInfo):
3025         * runtime/ExceptionHelpers.cpp:
3026         (JSC::createUndefinedVariableError):
3027         * runtime/GenericArgumentsInlines.h:
3028         (JSC::GenericArguments<Type>::getOwnPropertySlot):
3029         * runtime/Identifier.h:
3030         (JSC::Identifier::isSymbol):
3031         (JSC::Identifier::Identifier):
3032         (JSC::Identifier::from): Deleted.
3033         * runtime/IdentifierInlines.h:
3034         (JSC::Identifier::Identifier):
3035         (JSC::Identifier::fromUid):
3036         (JSC::Identifier::fromString):
3037         * runtime/JSCJSValue.cpp:
3038         (JSC::JSValue::dumpInContextAssumingStructure):
3039         * runtime/JSCJSValueInlines.h:
3040         (JSC::JSValue::toPropertyKey):
3041         * runtime/JSGlobalObject.cpp:
3042         (JSC::JSGlobalObject::init):
3043         * runtime/JSLexicalEnvironment.cpp:
3044         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
3045         * runtime/JSObject.cpp:
3046         (JSC::getClassPropertyNames):
3047         (JSC::JSObject::reifyStaticFunctionsForDelete):
3048         * runtime/JSObject.h:
3049         (JSC::makeIdentifier):
3050         * runtime/JSPromiseConstructor.cpp:
3051         (JSC::JSPromiseConstructorFuncRace):
3052         (JSC::JSPromiseConstructorFuncAll):
3053         * runtime/JSString.h:
3054         (JSC::JSString::toIdentifier):
3055         * runtime/JSSymbolTableObject.cpp:
3056         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3057         * runtime/LiteralParser.cpp:
3058         (JSC::LiteralParser<CharType>::tryJSONPParse):
3059         (JSC::LiteralParser<CharType>::makeIdentifier):
3060         * runtime/Lookup.h:
3061         (JSC::reifyStaticProperties):
3062         * runtime/MapConstructor.cpp:
3063         (JSC::constructMap):
3064         * runtime/MapIteratorPrototype.cpp:
3065         (JSC::MapIteratorPrototype::finishCreation):
3066         * runtime/MapPrototype.cpp:
3067         (JSC::MapPrototype::finishCreation):
3068         * runtime/MathObject.cpp:
3069         (JSC::MathObject::finishCreation):
3070         * runtime/NumberConstructor.cpp:
3071         (JSC::NumberConstructor::finishCreation):
3072         * runtime/ObjectConstructor.cpp:
3073         (JSC::ObjectConstructor::finishCreation):
3074         * runtime/PrivateName.h:
3075         (JSC::PrivateName::PrivateName):
3076         * runtime/PropertyMapHashTable.h:
3077         (JSC::PropertyTable::find):
3078         (JSC::PropertyTable::get):
3079         * runtime/PropertyName.h:
3080         (JSC::PropertyName::PropertyName):
3081         (JSC::PropertyName::publicName):
3082         (JSC::PropertyName::asIndex):
3083         * runtime/PropertyNameArray.cpp:
3084         (JSC::PropertyNameArray::add):
3085         * runtime/PropertyNameArray.h:
3086         (JSC::PropertyNameArray::addKnownUnique):
3087         * runtime/RegExpConstructor.cpp:
3088         (JSC::RegExpConstructor::finishCreation):
3089         * runtime/SetConstructor.cpp:
3090         (JSC::constructSet):
3091         * runtime/SetIteratorPrototype.cpp:
3092         (JSC::SetIteratorPrototype::finishCreation):
3093         * runtime/SetPrototype.cpp:
3094         (JSC::SetPrototype::finishCreation):
3095         * runtime/StringIteratorPrototype.cpp:
3096         (JSC::StringIteratorPrototype::finishCreation):
3097         * runtime/StringPrototype.cpp:
3098         (JSC::StringPrototype::finishCreation):
3099         * runtime/Structure.cpp:
3100         (JSC::Structure::getPropertyNamesFromStructure):
3101         * runtime/SymbolConstructor.cpp:
3102         * runtime/VM.cpp:
3103         (JSC::VM::throwException):
3104         * runtime/WeakMapConstructor.cpp:
3105         (JSC::constructWeakMap):
3106
3107 2015-03-31  Andreas Kling  <akling@apple.com>
3108
3109         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
3110         <https://webkit.org/b/143210>
3111
3112         Reviewed by Geoffrey Garen.
3113
3114         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
3115         we had a little problem where WeakBlocks with only null pointers would still keep their
3116         MarkedBlock alive.
3117
3118         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
3119         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
3120         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
3121         destroying them once they're fully dead.
3122
3123         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
3124         a mysterious issue where doing two full garbage collections back-to-back would free additional
3125         memory in the second collection.
3126
3127         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
3128         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
3129         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
3130
3131         * heap/Heap.h:
3132         * heap/Heap.cpp:
3133         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
3134         owned by Heap, after everything else has been swept.
3135
3136         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
3137         after a full garbage collection ends. Note that we don't do this after Eden collections, since
3138         they are unlikely to cause entire WeakBlocks to go empty.
3139
3140         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
3141         to the Heap when it's detached from a WeakSet.
3142
3143         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
3144         of the logically empty WeakBlocks owned by Heap.
3145
3146         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
3147         and updates the next-logically-empty-weak-block-to-sweep index.
3148
3149         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
3150         won't be another chance after this.
3151
3152         * heap/IncrementalSweeper.h:
3153         (JSC::IncrementalSweeper::hasWork): Deleted.
3154
3155         * heap/IncrementalSweeper.cpp:
3156         (JSC::IncrementalSweeper::fullSweep):
3157         (JSC::IncrementalSweeper::doSweep):
3158         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
3159         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
3160         changed to return a bool (true if there's more work to be done.)
3161
3162         * heap/WeakBlock.cpp:
3163         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e doesn't
3164         contain any pointers to live objects. The answer is stored in a new SweepResult member.
3165
3166         * heap/WeakBlock.h:
3167         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
3168         if the WeakBlock could be detached from the MarkedBlock.
3169
3170         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
3171         when declaring them.
3172
3173 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
3174
3175         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
3176         https://bugs.webkit.org/show_bug.cgi?id=142883
3177
3178         Reviewed by Filip Pizlo.
3179
3180         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
3181
3182         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
3183         in eval inside a derived class' constructor.
3184
3185         * bytecode/EvalCodeCache.h:
3186         (JSC::EvalCodeCache::getSlow):
3187         * bytecompiler/NodesCodegen.cpp:
3188         (JSC::ThisNode::emitBytecode):
3189         * debugger/DebuggerCallFrame.cpp:
3190         (JSC::DebuggerCallFrame::evaluate):
3191         * interpreter/Interpreter.cpp:
3192         (JSC::eval):
3193         * parser/ASTBuilder.h:
3194         (JSC::ASTBuilder::thisExpr):
3195         * parser/NodeConstructors.h:
3196         (JSC::ThisNode::ThisNode):
3197         * parser/Nodes.h:
3198         * parser/Parser.cpp:
3199         (JSC::Parser<LexerType>::Parser):
3200         (JSC::Parser<LexerType>::parsePrimaryExpression):
3201         * parser/Parser.h:
3202         (JSC::parse):
3203         * parser/ParserModes.h:
3204         * parser/SyntaxChecker.h:
3205         (JSC::SyntaxChecker::thisExpr):
3206         * runtime/CodeCache.cpp:
3207         (JSC::CodeCache::getGlobalCodeBlock):
3208         (JSC::CodeCache::getProgramCodeBlock):
3209         (JSC::CodeCache::getEvalCodeBlock):
3210         * runtime/CodeCache.h:
3211         (JSC::SourceCodeKey::SourceCodeKey):
3212         * runtime/Executable.cpp:
3213         (JSC::EvalExecutable::create):
3214         * runtime/Executable.h:
3215         * runtime/JSGlobalObject.cpp:
3216         (JSC::JSGlobalObject::createEvalCodeBlock):
3217         * runtime/JSGlobalObject.h:
3218         * runtime/JSGlobalObjectFunctions.cpp:
3219         (JSC::globalFuncEval):
3220         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
3221         * tests/stress/class-syntax-tdz-in-eval.js: Added.
3222
3223 2015-03-31  Commit Queue  <commit-queue@webkit.org>
3224
3225         Unreviewed, rolling out r182186.
3226         https://bugs.webkit.org/show_bug.cgi?id=143270
3227
3228         it crashes all the WebGL tests on the Debug bots (Requested by
3229         dino on #webkit).
3230
3231         Reverted changeset:
3232
3233         "Web Inspector: add 2D/WebGL canvas instrumentation
3234         infrastructure"
3235         https://bugs.webkit.org/show_bug.cgi?id=137278
3236         http://trac.webkit.org/changeset/182186
3237
3238 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3239
3240         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
3241         https://bugs.webkit.org/show_bug.cgi?id=142937
3242
3243         Reviewed by Darin Adler.
3244
3245         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
3246         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
3247         But now, several functions perform ToObject onto a non-object parameter.
3248         And others behaves as if a parameter is a non-extensible ordinary object with no own properties.
3249         It is described in ES6 Annex E.
3250         Functions different from ES5 are following.
3251
3252         1. An attempt is make to coerce the argument using ToObject.
3253             Object.getOwnPropertyDescriptor
3254             Object.getOwnPropertyNames
3255             Object.getPrototypeOf
3256             Object.keys
3257
3258         2. Treated as if it was a non-extensible ordinary object with no own properties.
3259             Object.freeze
3260             Object.isExtensible
3261             Object.isFrozen
3262             Object.isSealed
3263             Object.preventExtensions
3264             Object.seal
3265
3266         * runtime/ObjectConstructor.cpp:
3267         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
3268         (JSC::objectConstructorGetPrototypeOf):
3269         (JSC::objectConstructorGetOwnPropertyDescriptor):
3270         (JSC::objectConstructorGetOwnPropertyNames):
3271         (JSC::objectConstructorKeys):
3272         (JSC::objectConstructorSeal):
3273         (JSC::objectConstructorFreeze):
3274         (JSC::objectConstructorPreventExtensions):
3275         (JSC::objectConstructorIsSealed):
3276         (JSC::objectConstructorIsFrozen):
3277         (JSC::objectConstructorIsExtensible):
3278         * tests/stress/object-freeze-accept-non-object.js: Added.
3279         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
3280         (canary):
3281         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
3282         (compare):
3283         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
3284         * tests/stress/object-is-extensible-accept-non-object.js: Added.
3285         * tests/stress/object-is-frozen-accept-non-object.js: Added.
3286         * tests/stress/object-is-sealed-accept-non-object.js: Added.
3287         * tests/stress/object-keys-perform-to-object.js: Added.
3288         (compare):
3289         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
3290         * tests/stress/object-seal-accept-non-object.js: Added.
3291
3292 2015-03-31  Matt Baker  <mattbaker@apple.com>
3293
3294         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
3295         https://bugs.webkit.org/show_bug.cgi?id=137278
3296
3297         Reviewed by Timothy Hatcher.
3298
3299         Added Canvas protocol which defines types used by InspectorCanvasAgent.
3300
3301         * CMakeLists.txt:
3302         * DerivedSources.make:
3303         * inspector/protocol/Canvas.json: Added.
3304
3305         * inspector/scripts/codegen/generator.py:
3306         (Generator.stylized_name_for_enum_value):
3307         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
3308
3309 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
3310
3311         Extending null should set __proto__ to null
3312         https://bugs.webkit.org/show_bug.cgi?id=142882
3313
3314         Reviewed by Geoffrey Garen and Benjamin Poulain.
3315
3316         Set Derived.prototype.__proto__ to null when extending null.
3317
3318         * bytecompiler/NodesCodegen.cpp:
3319         (JSC::ClassExprNode::emitBytecode):
3320
3321 2015-03-30  Mark Lam  <mark.lam@apple.com>
3322
3323         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
3324         <https://webkit.org/b/143105>
3325
3326         Reviewed by Filip Pizlo.
3327
3328         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
3329         on OSR exits from DFG / FTL frames where this elision has take place, we may get baseline
3330         JIT frames that may have its scope register not set.  The Debugger's current implementation
3331         which relies on the scope register is not happy about this.  For example, this results in a
3332         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
3333
3334         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
3335         ensure that the scope register value is flushed to the register in the stack frame.
3336
3337         * dfg/DFGByteCodeParser.cpp:
3338         (JSC::DFG::ByteCodeParser::ByteCodeParser):
3339         (JSC::DFG::ByteCodeParser::setLocal):
3340         (JSC::DFG::ByteCodeParser::flush):
3341         - Add code to flush the scope register.
3342         (JSC::DFG::ByteCodeParser::inliningCost):
3343         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
3344