Web Inspector: Regression: Preview for [[null]] shouldn't be []
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Regression: Preview for [[null]] shouldn't be []
        https://bugs.webkit.org/show_bug.cgi?id=143208

        Reviewed by Mark Lam.

        * inspector/InjectedScriptSource.js:
        Handle null when generating simple object previews.

2015-03-30  Per Arne Vollan  <peavo@outlook.com>

        Avoid using hardcoded values for JSValue::Int32Tag, if possible.
        https://bugs.webkit.org/show_bug.cgi?id=143134

        Reviewed by Geoffrey Garen.

        * jit/JSInterfaceJIT.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2015-03-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
        https://bugs.webkit.org/show_bug.cgi?id=143104

        Reviewed by Geoffrey Garen.

        Created a test that is a 100% repro of the flaky failure. This test is called
        get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
        always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
        the inlined function. Other than that, it's the same as inline-arguments-local-escape.

        Also created three more tests for three similar, but not identical, failures.

        Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
        only reading those parts of the stack that are relevant to the current semantic code origin.
        That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
        like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
        read parts of the stack associated with the inline call frame for the phantom arguments. This
        may not be subsumed by the current semantic origin's stack area in cases that the arguments
        were allowed to "locally" escape.

        The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
        is not really a meaningful concept anymore. It is only meaningful for nodes that will read
        the stack due to function.arguments, but there are a bunch of other ways that we could also
        read the stack and those operations may read any stack slot. I believe that this change makes
        PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
        on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
        readTop() in PreciseLocalClobberize does the right thing.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
        * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.

2015-03-30  Benjamin Poulain  <benjamin@webkit.org>

        Start the features.json files
        https://bugs.webkit.org/show_bug.cgi?id=143207

        Reviewed by Darin Adler.

        Start the features.json files to have something to experiment
        with for the UI.

        * features.json: Added.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Addressing post-review comment after r182122
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Unreviewed.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Allow building JavaScriptCore without Cygwin
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Reviewed by Brent Fulgham.

        Paths like /usr/bin/ don't exist on Windows.
        Hashbangs don't work on Windows. Instead we must explicitly call the executable.
        Prefixing commands with environment variables doesn't work on Windows.
        Windows doesn't have 'cmp'.
        Windows uses 'del' instead of 'rm'.
        Windows uses 'type NUL' instead of 'touch'.

        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
        * JavaScriptCore.vcxproj/build-generated-files.pl:
        * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.

2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>

        Clean up JavaScriptCore/builtins
        https://bugs.webkit.org/show_bug.cgi?id=143177

        Reviewed by Ryosuke Niwa.

        * builtins/ArrayConstructor.js:
        (from):
        - We can compare to undefined instead of using a typeof undefined check.
        - Converge on double quoted strings everywhere.

        * builtins/ArrayIterator.prototype.js:
        (next):
        * builtins/StringIterator.prototype.js:
        (next):
        - Use shorthand object construction to avoid duplication.
        - Improve grammar in error messages.

        * tests/stress/array-iterators-next-with-call.js:
        * tests/stress/string-iterators.js:
        - Update for new error message strings.

2015-03-28  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: ES6: Better support for Symbol types in Type Profiler
        https://bugs.webkit.org/show_bug.cgi?id=141257

        Reviewed by Joseph Pecoraro.

        ES6 introduces the new primitive type Symbol. This patch makes JSC's
        type profiler support this new primitive type.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * inspector/protocol/Runtime.json:
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        * runtime/RuntimeType.h:
        (JSC::runtimeTypeIsPrimitive):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::doesTypeConformTo):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::TypeSet::toJSONString):
        * runtime/TypeSet.h:
        (JSC::TypeSet::seenTypes):
        * tests/typeProfiler/driver/driver.js:
        * tests/typeProfiler/symbol.js: Added.
        (wrapper.foo):
        (wrapper.bar):
        (wrapper.bar.bar.baz):
        (wrapper):

2015-03-27  Saam Barati  <saambarati1@gmail.com>

        Deconstruction parameters are bound too late
        https://bugs.webkit.org/show_bug.cgi?id=143148

        Reviewed by Filip Pizlo.

        Currently, a deconstruction pattern named with the same
        name as a function will shadow the function. This is
        wrong. It should be the other way around.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):

2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
        https://bugs.webkit.org/show_bug.cgi?id=143170

        Reviewed by Benjamin Poulain.

        Assert that we never use the 16-bit version of the parser to parse a default constructor
        since both base and derived default constructors should be using an 8-bit string.

        * parser/Parser.h:
        (JSC::parse):

2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
        https://bugs.webkit.org/show_bug.cgi?id=142862

        Reviewed by Benjamin Poulain.

        Add a test that used to fail in DFG now that the bug has been fixed by r181993.

        * tests/stress/class-syntax-derived-default-constructor.js: Added.

2015-03-27  Michael Saboff  <msaboff@apple.com>

        load8Signed() and load16Signed() should be renamed to avoid confusion
        https://bugs.webkit.org/show_bug.cgi?id=143168

        Reviewed by Benjamin Poulain.

        Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM::load8Signed): Deleted.
        (JSC::MacroAssemblerARM::load16Signed): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load16Signed): Deleted.
        (JSC::MacroAssemblerARM64::load8Signed): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
        (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
        (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load16):
        (JSC::MacroAssemblerSH4::load8Signed): Deleted.
        (JSC::MacroAssemblerSH4::load16Signed): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
        (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):

2015-03-27  Michael Saboff  <msaboff@apple.com>

        Fix flaky dfg-int8array.js and dfg-int16array.js tests for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=138390

        Reviewed by Mark Lam.

        Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
        instead of 64 bits.  This is what X86-64 does.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16Signed):
        (JSC::MacroAssemblerARM64::load8Signed):

2015-03-27  Saam Barati  <saambarati1@gmail.com>

        Add back previously broken assert from bug 141869
        https://bugs.webkit.org/show_bug.cgi?id=143005

        Reviewed by Michael Saboff.

        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Make some more objects use FastMalloc
        https://bugs.webkit.org/show_bug.cgi?id=143122

        Reviewed by Csaba Osztrogonác.

        * API/JSCallbackObject.h:
        * heap/IncrementalSweeper.h:
        * jit/JITThunks.h:
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/RegExpCache.h:

2015-03-27  Michael Saboff  <msaboff@apple.com>

        Objects with numeric properties intermittently get a phantom 'length' property
        https://bugs.webkit.org/show_bug.cgi?id=142792

        Reviewed by Csaba Osztrogonác.

        Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
        test and branch instructions.  This function is used for linking tbz/tbnz branches between
        two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
        the failure case checks in the GetById array length stub created for "obj.length" access.
        If the failure case code address was at a negative offset from the stub, we'd look for bit 1
        being set when we should have been looking for bit 0.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):

2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Insert exception check around toPropertyKey call
        https://bugs.webkit.org/show_bug.cgi?id=142922

        Reviewed by Geoffrey Garen.

        In some places, the exception check is missing after/before toPropertyKey.
        However, since it calls toString, it's observable to users.

        Missing exception checks in Object.prototype methods can be
        observed since they would be overridden with toObject(null/undefined) errors.
        We inserted exception checks after toPropertyKey.

        Missing exception checks in GetById related code can be
        observed since they would be overridden with toObject(null/undefined) errors.
        In this case, we need to insert exception checks before/after toPropertyKey
        since RequireObjectCoercible followed by toPropertyKey can cause exceptions.

        JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
        However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
        According to the spec, we first perform RequireObjectCoercible and check the exception.
        And second, we perform ToPropertyKey and check the exception.
        Since JSValue::toPropertyKey can cause a toString call, this is observable to users.
        For example, if the target is not object coercible,
        ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
        So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.

        This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.

        1. Using toObject instead of requireObjectCoercible produces an unnecessary wrapper object.

        toObject converts primitive types into wrapper objects.
        But it is not efficient since wrapper objects are not necessary
        if we look up methods from primitive values' prototype. (Using synthesizePrototype is better.)

        2. Using the result of toObject is not correct to the spec.

        To align to the spec correctly, we cannot use JSObject::get
        by using the wrapper object produced by the toObject suggested in (1).
        If we use the JSObject that is converted by toObject, the getter will be called by using this JSObject as |this|.
        It is not correct since the getter should be called with the original |this| value that may be a primitive type.

        So in this patch, we use JSValue::requireObjectCoercible
        to check the target is object coercible and raise an error if it's not.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::requireObjectCoercible):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
        (shouldThrow):
        (if):
        * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
        (shouldThrow):
        (.):

2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>

        WebContent Crash when instantiating class with Type Profiling enabled
        https://bugs.webkit.org/show_bug.cgi?id=143037

        Reviewed by Ryosuke Niwa.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMoveEmptyValue):
        We cannot profile the type of an uninitialized empty JSValue.
        Nor do we expect this to be necessary, since it is effectively
        an unseen undefined value. So add a way to put the empty value
        without profiling.

        (JSC::BytecodeGenerator::emitMove):
        Add an assert to try to catch this issue early on, and force
        callers to explicitly use emitMoveEmptyValue instead.

        * tests/typeProfiler/classes.js: Added.
        (wrapper.Base):
        (wrapper.Derived):
        (wrapper):
        Add test coverage both for this case and classes in general.

2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Provide a better view for Classes in the console
        https://bugs.webkit.org/show_bug.cgi?id=142999

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Runtime.json:
        Provide a new `subtype` enum "class". This is a subtype of `type`
        "function"; all other subtypes are subtypes of `object` types.
        For a class, the frontend will immediately want to get the prototype
        to enumerate its methods, so include the `classPrototype`.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        Denote class construction functions as "class" subtypes.

        * inspector/InjectedScriptSource.js:
        Handling for the new "class" type.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::isClassConstructorFunction):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::isClassConstructorFunction):
        Check if this function is a class constructor function. That information
        is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Function.prototype.toString should not decompile the AST
        https://bugs.webkit.org/show_bug.cgi?id=142853

        Reviewed by Darin Adler.

        Following up on Darin's review comments.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        "lineNo" does not match WebKit coding style guidelines
        https://bugs.webkit.org/show_bug.cgi?id=143119

        Reviewed by Michael Saboff.

        We can afford to use whole words.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::lineNumberForBytecodeOffset):
        (JSC::CodeBlock::expressionRangeForBytecodeOffset):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedCodeBlock.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::WhileNode::emitBytecode):
        * debugger/Debugger.cpp:
        (JSC::Debugger::toggleBreakpoint):
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::computeLineAndColumn):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::execute):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        * parser/Nodes.h:
        (JSC::Node::firstLine):
        (JSC::Node::lineNo): Deleted.
        (JSC::StatementNode::firstLine): Deleted.
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):
        * profiler/LegacyProfiler.cpp:
        (JSC::createCallIdentifierFromFunctionImp):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::firstLine):
        (JSC::ScriptExecutable::setOverrideLineNumber):
        (JSC::ScriptExecutable::hasOverrideLineNumber):
        (JSC::ScriptExecutable::overrideLineNumber):
        (JSC::ScriptExecutable::lineNo): Deleted.
        (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
        (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
        (JSC::ScriptExecutable::overrideLineNo): Deleted.
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::report):
        * tools/CodeProfile.h:
        (JSC::CodeProfile::CodeProfile):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
        https://bugs.webkit.org/show_bug.cgi?id=142974

        Reviewed by Joseph Pecoraro.

        This patch does two things:

        (1) Restore JavaScriptCore's sanitization of line and column numbers to
        one-based values.

        We need this because WebCore sometimes provides huge negative column
        numbers.

        (2) Solve the attribute event listener line numbering problem a different
        way: Rather than offsetting all line numbers by -1 in an attribute event
        listener in order to arrange for a custom result, instead use an explicit
        feature for saying "all errors in this code should map to this line number".

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedCodeBlock.h:
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::computeLineAndColumn):
        (JSC::GetStackTraceFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject): Plumb through an override line number.
        When a function has an override line number, all syntax and runtime
        errors in the function will map to it. This is useful for attribute event
        listeners.

        * parser/SourceCode.h:
        (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
        column numbers to one-based integers. It was kind of a hack to remove this.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::setOverrideLineNo):
        (JSC::ScriptExecutable::hasOverrideLineNo):
        (JSC::ScriptExecutable::overrideLineNo):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h: Plumb through an override line number.

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.

        Reviewed by Michael Saboff.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
        https://bugs.webkit.org/show_bug.cgi?id=143098

        Reviewed by Csaba Osztrogonác.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
        * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.

2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed gardening, skip failing tests on AArch64 Linux.

        * tests/mozilla/mozilla-tests.yaml:
        * tests/stress/cached-prototype-setter.js:

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
        * ftl/FTLState.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
        right, so this just makes 32-bit do the same.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix a typo that ggaren found but that I didn't fix before.

        * runtime/DirectArgumentsOffset.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, VC found a bug. This fixes the bug.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, try to fix Windows build.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix debug build.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstDeclNode::emitCodeSingle):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * dfg/DFGMinifiedID.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Heap variables shouldn't end up in the stack frame
        https://bugs.webkit.org/show_bug.cgi?id=141174

        Reviewed by Geoffrey Garen.

        This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
        any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
        longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
        simplifications:

        - Accesses to variables no longer need checks or indirections to determine where the variable is
          at that moment in time. For example, loading a closure variable now takes just one load instead
          of two. Loading an argument by index now takes a bounds check and a load in the fastest case
          (when no arguments object allocation is required) while previously that same operation required
          a "did I allocate arguments yet" check, a bounds check, and then the load.

        - Reasoning about the allocation of an activation or arguments object now follows the same simple
          logic as the allocation of any other kind of object. Previously, those objects were lazily
          allocated - so an allocation instruction wasn't the actual allocation site, since it might not
          allocate anything at all. This made the implementation of traditional escape analyses really
          awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
          arguments object using the usual SSA tricks which allows for more comprehensive removal.

        - The allocations of arguments objects, functions, and activations are now much faster. While
          this patch generally expands our ability to eliminate arguments object allocations, an earlier
          version of the patch - which lacked that functionality - was a progression on some arguments-
          and closure-happy benchmarks because although no allocations were eliminated, all allocations
          were faster.

        - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
          its arguments objects or activations. The runtime doesn't have to do things to the arguments
          objects and activations that a frame allocated, when the frame is unwound. We always had horrid
          bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
          FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
          now gone. This also enables implementing block-scoping. Without this change, block-scope
          support would require telling CodeBlock and all of the rest of the runtime about all of the
          variables that store currently-live scopes. That would have been so disastrously hard that it
          might as well be impossible. With this change, it's fair game for the bytecode generator to
          simply allocate whatever activations it wants, wherever it wants, and to keep them live for
          however long it wants. This all works, because after bytecode generation, an activation is just
          an object and variables that refer to it are just normal variables.

        - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
          VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
          used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
          of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
          an arguments object.

        - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
          using activations used to prevent inlining; now functions that use activations can be inlined
          just fine.

        This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
        speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
        It's only a slow-down on very short-running microbenchmarks we had previously written for our old
        style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.

        The easiest way of understanding this change is to start by looking at the changes in runtime/,
        and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForJSType):
        (JSC::hasOptimizableIndexing):
697         (JSC::jitArrayModeForJSType):
698         (JSC::jitArrayModePermitsPut):
699         (JSC::jitArrayModeForStructure):
700         * bytecode/BytecodeKills.h: Added.
701         (JSC::BytecodeKills::BytecodeKills):
702         (JSC::BytecodeKills::operandIsKilled):
703         (JSC::BytecodeKills::forEachOperandKilledAt):
704         (JSC::BytecodeKills::KillSet::KillSet):
705         (JSC::BytecodeKills::KillSet::add):
706         (JSC::BytecodeKills::KillSet::forEachLocal):
707         (JSC::BytecodeKills::KillSet::contains):
708         * bytecode/BytecodeList.json:
709         * bytecode/BytecodeLivenessAnalysis.cpp:
710         (JSC::isValidRegisterForLiveness):
711         (JSC::stepOverInstruction):
712         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
713         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
714         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
715         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
716         (JSC::BytecodeLivenessAnalysis::computeKills):
717         (JSC::indexForOperand): Deleted.
718         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
719         (JSC::getLivenessInfo): Deleted.
720         * bytecode/BytecodeLivenessAnalysis.h:
721         * bytecode/BytecodeLivenessAnalysisInlines.h:
722         (JSC::operandIsAlwaysLive):
723         (JSC::operandThatIsNotAlwaysLiveIsLive):
724         (JSC::operandIsLive):
725         * bytecode/BytecodeUseDef.h:
726         (JSC::computeUsesForBytecodeOffset):
727         (JSC::computeDefsForBytecodeOffset):
728         * bytecode/CodeBlock.cpp:
729         (JSC::CodeBlock::dumpBytecode):
730         (JSC::CodeBlock::CodeBlock):
731         (JSC::CodeBlock::nameForRegister):
732         (JSC::CodeBlock::validate):
733         (JSC::CodeBlock::isCaptured): Deleted.
734         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
735         (JSC::CodeBlock::machineSlowArguments): Deleted.
736         * bytecode/CodeBlock.h:
737         (JSC::unmodifiedArgumentsRegister): Deleted.
738         (JSC::CodeBlock::setArgumentsRegister): Deleted.
739         (JSC::CodeBlock::argumentsRegister): Deleted.
740         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
741         (JSC::CodeBlock::usesArguments): Deleted.
742         (JSC::CodeBlock::captureCount): Deleted.
743         (JSC::CodeBlock::captureStart): Deleted.
744         (JSC::CodeBlock::captureEnd): Deleted.
745         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
746         (JSC::CodeBlock::hasSlowArguments): Deleted.
747         (JSC::ExecState::argumentAfterCapture): Deleted.
748         * bytecode/CodeOrigin.h:
749         * bytecode/DataFormat.h:
750         (JSC::dataFormatToString):
751         * bytecode/FullBytecodeLiveness.h:
752         (JSC::FullBytecodeLiveness::getLiveness):
753         (JSC::FullBytecodeLiveness::operandIsLive):
754         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
755         (JSC::FullBytecodeLiveness::getOut): Deleted.
756         * bytecode/Instruction.h:
757         (JSC::Instruction::Instruction):
758         * bytecode/Operands.h:
759         (JSC::Operands::virtualRegisterForIndex):
760         * bytecode/SpeculatedType.cpp:
761         (JSC::dumpSpeculation):
762         (JSC::speculationToAbbreviatedString):
763         (JSC::speculationFromClassInfo):
764         * bytecode/SpeculatedType.h:
765         (JSC::isDirectArgumentsSpeculation):
766         (JSC::isScopedArgumentsSpeculation):
767         (JSC::isActionableMutableArraySpeculation):
768         (JSC::isActionableArraySpeculation):
769         (JSC::isArgumentsSpeculation): Deleted.
770         * bytecode/UnlinkedCodeBlock.cpp:
771         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
772         * bytecode/UnlinkedCodeBlock.h:
773         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
774         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
775         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
776         * bytecode/ValueRecovery.cpp:
777         (JSC::ValueRecovery::dumpInContext):
778         * bytecode/ValueRecovery.h:
779         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
780         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
781         (JSC::ValueRecovery::nodeID):
782         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
783         * bytecode/VirtualRegister.h:
784         (JSC::VirtualRegister::operator==):
785         (JSC::VirtualRegister::operator!=):
786         (JSC::VirtualRegister::operator<):
787         (JSC::VirtualRegister::operator>):
788         (JSC::VirtualRegister::operator<=):
789         (JSC::VirtualRegister::operator>=):
790         * bytecompiler/BytecodeGenerator.cpp:
791         (JSC::BytecodeGenerator::generate):
792         (JSC::BytecodeGenerator::BytecodeGenerator):
793         (JSC::BytecodeGenerator::initializeNextParameter):
794         (JSC::BytecodeGenerator::visibleNameForParameter):
795         (JSC::BytecodeGenerator::emitMove):
796         (JSC::BytecodeGenerator::variable):
797         (JSC::BytecodeGenerator::createVariable):
798         (JSC::BytecodeGenerator::emitResolveScope):
799         (JSC::BytecodeGenerator::emitGetFromScope):
800         (JSC::BytecodeGenerator::emitPutToScope):
801         (JSC::BytecodeGenerator::initializeVariable):
802         (JSC::BytecodeGenerator::emitInstanceOf):
803         (JSC::BytecodeGenerator::emitNewFunction):
804         (JSC::BytecodeGenerator::emitNewFunctionInternal):
805         (JSC::BytecodeGenerator::emitCall):
806         (JSC::BytecodeGenerator::emitReturn):
807         (JSC::BytecodeGenerator::emitConstruct):
808         (JSC::BytecodeGenerator::isArgumentNumber):
809         (JSC::BytecodeGenerator::emitEnumeration):
810         (JSC::BytecodeGenerator::addVar): Deleted.
811         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
812         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
813         (JSC::BytecodeGenerator::resolveCallee): Deleted.
814         (JSC::BytecodeGenerator::addCallee): Deleted.
815         (JSC::BytecodeGenerator::addParameter): Deleted.
816         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
817         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
818         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
819         (JSC::BytecodeGenerator::isCaptured): Deleted.
820         (JSC::BytecodeGenerator::local): Deleted.
821         (JSC::BytecodeGenerator::constLocal): Deleted.
822         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
823         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
824         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
825         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
826         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
827         * bytecompiler/BytecodeGenerator.h:
828         (JSC::Variable::Variable):
829         (JSC::Variable::isResolved):
830         (JSC::Variable::ident):
831         (JSC::Variable::offset):
832         (JSC::Variable::isLocal):
833         (JSC::Variable::local):
834         (JSC::Variable::isSpecial):
835         (JSC::BytecodeGenerator::argumentsRegister):
836         (JSC::BytecodeGenerator::emitNode):
837         (JSC::BytecodeGenerator::registerFor):
838         (JSC::Local::Local): Deleted.
839         (JSC::Local::operator bool): Deleted.
840         (JSC::Local::get): Deleted.
841         (JSC::Local::isSpecial): Deleted.
842         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
843         (JSC::ResolveScopeInfo::isLocal): Deleted.
844         (JSC::ResolveScopeInfo::localIndex): Deleted.
845         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
846         (JSC::BytecodeGenerator::captureMode): Deleted.
847         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
848         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
849         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
850         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
851         * bytecompiler/NodesCodegen.cpp:
852         (JSC::ResolveNode::isPure):
853         (JSC::ResolveNode::emitBytecode):
854         (JSC::BracketAccessorNode::emitBytecode):
855         (JSC::DotAccessorNode::emitBytecode):
856         (JSC::EvalFunctionCallNode::emitBytecode):
857         (JSC::FunctionCallResolveNode::emitBytecode):
858         (JSC::CallFunctionCallDotNode::emitBytecode):
859         (JSC::ApplyFunctionCallDotNode::emitBytecode):
860         (JSC::PostfixNode::emitResolve):
861         (JSC::DeleteResolveNode::emitBytecode):
862         (JSC::TypeOfResolveNode::emitBytecode):
863         (JSC::PrefixNode::emitResolve):
864         (JSC::ReadModifyResolveNode::emitBytecode):
865         (JSC::AssignResolveNode::emitBytecode):
866         (JSC::ConstDeclNode::emitCodeSingle):
867         (JSC::EmptyVarExpression::emitBytecode):
868         (JSC::ForInNode::tryGetBoundLocal):
869         (JSC::ForInNode::emitLoopHeader):
870         (JSC::ForOfNode::emitBytecode):
871         (JSC::ArrayPatternNode::emitDirectBinding):
872         (JSC::BindingNode::bindValue):
873         (JSC::getArgumentByVal): Deleted.
874         * dfg/DFGAbstractHeap.h:
875         * dfg/DFGAbstractInterpreter.h:
876         * dfg/DFGAbstractInterpreterInlines.h:
877         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
878         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
879         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
880         * dfg/DFGAbstractValue.h:
881         * dfg/DFGArgumentPosition.h:
882         (JSC::DFG::ArgumentPosition::addVariable):
883         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
884         (JSC::DFG::performArgumentsElimination):
885         * dfg/DFGArgumentsEliminationPhase.h: Added.
886         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
887         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
888         * dfg/DFGArgumentsUtilities.cpp: Added.
889         (JSC::DFG::argumentsInvolveStackSlot):
890         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
891         * dfg/DFGArgumentsUtilities.h: Added.
892         * dfg/DFGArrayMode.cpp:
893         (JSC::DFG::ArrayMode::refine):
894         (JSC::DFG::ArrayMode::alreadyChecked):
895         (JSC::DFG::arrayTypeToString):
896         * dfg/DFGArrayMode.h:
897         (JSC::DFG::ArrayMode::canCSEStorage):
898         (JSC::DFG::ArrayMode::modeForPut):
899         * dfg/DFGAvailabilityMap.cpp:
900         (JSC::DFG::AvailabilityMap::prune):
901         * dfg/DFGAvailabilityMap.h:
902         (JSC::DFG::AvailabilityMap::closeOverNodes):
903         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
904         * dfg/DFGBackwardsPropagationPhase.cpp:
905         (JSC::DFG::BackwardsPropagationPhase::propagate):
906         * dfg/DFGByteCodeParser.cpp:
907         (JSC::DFG::ByteCodeParser::newVariableAccessData):
908         (JSC::DFG::ByteCodeParser::getLocal):
909         (JSC::DFG::ByteCodeParser::setLocal):
910         (JSC::DFG::ByteCodeParser::getArgument):
911         (JSC::DFG::ByteCodeParser::setArgument):
912         (JSC::DFG::ByteCodeParser::flushDirect):
913         (JSC::DFG::ByteCodeParser::flush):
914         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
915         (JSC::DFG::ByteCodeParser::handleVarargsCall):
916         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
917         (JSC::DFG::ByteCodeParser::handleInlining):
918         (JSC::DFG::ByteCodeParser::parseBlock):
919         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
920         (JSC::DFG::ByteCodeParser::parseCodeBlock):
921         * dfg/DFGCPSRethreadingPhase.cpp:
922         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
923         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
924         * dfg/DFGCSEPhase.cpp:
925         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
926         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
927         * dfg/DFGCapabilities.cpp:
928         (JSC::DFG::isSupportedForInlining):
929         (JSC::DFG::capabilityLevel):
930         * dfg/DFGClobberize.h:
931         (JSC::DFG::clobberize):
932         * dfg/DFGCommon.h:
933         * dfg/DFGCommonData.h:
934         (JSC::DFG::CommonData::CommonData):
935         * dfg/DFGConstantFoldingPhase.cpp:
936         (JSC::DFG::ConstantFoldingPhase::foldConstants):
937         * dfg/DFGDCEPhase.cpp:
938         (JSC::DFG::DCEPhase::cleanVariables):
939         * dfg/DFGDisassembler.h:
940         * dfg/DFGDoesGC.cpp:
941         (JSC::DFG::doesGC):
942         * dfg/DFGFixupPhase.cpp:
943         (JSC::DFG::FixupPhase::fixupNode):
944         * dfg/DFGFlushFormat.cpp:
945         (WTF::printInternal):
946         * dfg/DFGFlushFormat.h:
947         (JSC::DFG::resultFor):
948         (JSC::DFG::useKindFor):
949         (JSC::DFG::dataFormatFor):
950         * dfg/DFGForAllKills.h: Added.
951         (JSC::DFG::forAllLiveNodesAtTail):
952         (JSC::DFG::forAllDirectlyKilledOperands):
953         (JSC::DFG::forAllKilledOperands):
954         (JSC::DFG::forAllKilledNodesAtNodeIndex):
955         (JSC::DFG::forAllKillsInBlock):
956         * dfg/DFGGraph.cpp:
957         (JSC::DFG::Graph::Graph):
958         (JSC::DFG::Graph::dump):
959         (JSC::DFG::Graph::substituteGetLocal):
960         (JSC::DFG::Graph::livenessFor):
961         (JSC::DFG::Graph::killsFor):
962         (JSC::DFG::Graph::tryGetConstantClosureVar):
963         (JSC::DFG::Graph::tryGetRegisters): Deleted.
964         * dfg/DFGGraph.h:
965         (JSC::DFG::Graph::symbolTableFor):
966         (JSC::DFG::Graph::uses):
967         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
968         (JSC::DFG::Graph::capturedVarsFor): Deleted.
969         (JSC::DFG::Graph::usesArguments): Deleted.
970         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
971         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
972         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
973         * dfg/DFGHeapLocation.cpp:
974         (WTF::printInternal):
975         * dfg/DFGHeapLocation.h:
976         * dfg/DFGInPlaceAbstractState.cpp:
977         (JSC::DFG::InPlaceAbstractState::initialize):
978         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
979         * dfg/DFGJITCompiler.cpp:
980         (JSC::DFG::JITCompiler::link):
981         * dfg/DFGMayExit.cpp:
982         (JSC::DFG::mayExit):
983         * dfg/DFGMinifiedID.h:
984         * dfg/DFGMinifiedNode.cpp:
985         (JSC::DFG::MinifiedNode::fromNode):
986         * dfg/DFGMinifiedNode.h:
987         (JSC::DFG::belongsInMinifiedGraph):
988         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
989         (JSC::DFG::MinifiedNode::inlineCallFrame):
990         * dfg/DFGNode.cpp:
991         (JSC::DFG::Node::convertToIdentityOn):
992         * dfg/DFGNode.h:
993         (JSC::DFG::Node::hasConstant):
994         (JSC::DFG::Node::constant):
995         (JSC::DFG::Node::hasScopeOffset):
996         (JSC::DFG::Node::scopeOffset):
997         (JSC::DFG::Node::hasDirectArgumentsOffset):
998         (JSC::DFG::Node::capturedArgumentsOffset):
999         (JSC::DFG::Node::variablePointer):
1000         (JSC::DFG::Node::hasCallVarargsData):
1001         (JSC::DFG::Node::hasLoadVarargsData):
1002         (JSC::DFG::Node::hasHeapPrediction):
1003         (JSC::DFG::Node::hasCellOperand):
1004         (JSC::DFG::Node::objectMaterializationData):
1005         (JSC::DFG::Node::isPhantomAllocation):
1006         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1007         (JSC::DFG::Node::shouldSpeculateDirectArguments):
1008         (JSC::DFG::Node::shouldSpeculateScopedArguments):
1009         (JSC::DFG::Node::isPhantomArguments): Deleted.
1010         (JSC::DFG::Node::hasVarNumber): Deleted.
1011         (JSC::DFG::Node::varNumber): Deleted.
1012         (JSC::DFG::Node::registerPointer): Deleted.
1013         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
1014         * dfg/DFGNodeType.h:
1015         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1016         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1017         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1018         * dfg/DFGOSRExitCompiler.cpp:
1019         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
1020         * dfg/DFGOSRExitCompiler.h:
1021         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
1022         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
1023         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
1024         * dfg/DFGOSRExitCompiler32_64.cpp:
1025         (JSC::DFG::OSRExitCompiler::compileExit):
1026         * dfg/DFGOSRExitCompiler64.cpp:
1027         (JSC::DFG::OSRExitCompiler::compileExit):
1028         * dfg/DFGOSRExitCompilerCommon.cpp:
1029         (JSC::DFG::reifyInlinedCallFrames):
1030         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
1031         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
1032         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
1033         * dfg/DFGOSRExitCompilerCommon.h:
1034         * dfg/DFGOperations.cpp:
1035         * dfg/DFGOperations.h:
1036         * dfg/DFGPlan.cpp:
1037         (JSC::DFG::Plan::compileInThreadImpl):
1038         * dfg/DFGPreciseLocalClobberize.h:
1039         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
1040         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
1041         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
1042         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1043         (JSC::DFG::preciseLocalClobberize):
1044         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
1045         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
1046         * dfg/DFGPredictionPropagationPhase.cpp:
1047         (JSC::DFG::PredictionPropagationPhase::run):
1048         (JSC::DFG::PredictionPropagationPhase::propagate):
1049         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1050         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
1051         * dfg/DFGPromoteHeapAccess.h:
1052         (JSC::DFG::promoteHeapAccess):
1053         * dfg/DFGPromotedHeapLocation.cpp:
1054         (WTF::printInternal):
1055         * dfg/DFGPromotedHeapLocation.h:
1056         * dfg/DFGSSAConversionPhase.cpp:
1057         (JSC::DFG::SSAConversionPhase::run):
1058         * dfg/DFGSafeToExecute.h:
1059         (JSC::DFG::safeToExecute):
1060         * dfg/DFGSpeculativeJIT.cpp:
1061         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1062         (JSC::DFG::SpeculativeJIT::emitGetLength):
1063         (JSC::DFG::SpeculativeJIT::emitGetCallee):
1064         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
1065         (JSC::DFG::SpeculativeJIT::checkArray):
1066         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1067         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1068         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1069         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1070         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1071         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1072         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1073         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1074         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1075         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1076         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1077         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
1078         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
1079         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
1080         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
1081         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
1082         * dfg/DFGSpeculativeJIT.h:
1083         (JSC::DFG::SpeculativeJIT::callOperation):
1084         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1085         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1086         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
1087         * dfg/DFGSpeculativeJIT32_64.cpp:
1088         (JSC::DFG::SpeculativeJIT::emitCall):
1089         (JSC::DFG::SpeculativeJIT::compile):
1090         * dfg/DFGSpeculativeJIT64.cpp:
1091         (JSC::DFG::SpeculativeJIT::emitCall):
1092         (JSC::DFG::SpeculativeJIT::compile):
1093         * dfg/DFGStackLayoutPhase.cpp:
1094         (JSC::DFG::StackLayoutPhase::run):
1095         * dfg/DFGStrengthReductionPhase.cpp:
1096         (JSC::DFG::StrengthReductionPhase::handleNode):
1097         * dfg/DFGStructureRegistrationPhase.cpp:
1098         (JSC::DFG::StructureRegistrationPhase::run):
1099         * dfg/DFGUnificationPhase.cpp:
1100         (JSC::DFG::UnificationPhase::run):
1101         * dfg/DFGValidate.cpp:
1102         (JSC::DFG::Validate::validateCPS):
1103         * dfg/DFGValueSource.cpp:
1104         (JSC::DFG::ValueSource::dump):
1105         * dfg/DFGValueSource.h:
1106         (JSC::DFG::dataFormatToValueSourceKind):
1107         (JSC::DFG::valueSourceKindToDataFormat):
1108         (JSC::DFG::ValueSource::ValueSource):
1109         (JSC::DFG::ValueSource::forFlushFormat):
1110         (JSC::DFG::ValueSource::valueRecovery):
1111         * dfg/DFGVarargsForwardingPhase.cpp: Added.
1112         (JSC::DFG::performVarargsForwarding):
1113         * dfg/DFGVarargsForwardingPhase.h: Added.
1114         * dfg/DFGVariableAccessData.cpp:
1115         (JSC::DFG::VariableAccessData::VariableAccessData):
1116         (JSC::DFG::VariableAccessData::flushFormat):
1117         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1118         * dfg/DFGVariableAccessData.h:
1119         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
1120         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1121         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
1122         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
1123         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
1124         * dfg/DFGVariableAccessDataDump.cpp:
1125         (JSC::DFG::VariableAccessDataDump::dump):
1126         * dfg/DFGVariableAccessDataDump.h:
1127         * dfg/DFGVariableEventStream.cpp:
1128         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
1129         * dfg/DFGVariableEventStream.h:
1130         * ftl/FTLAbstractHeap.cpp:
1131         (JSC::FTL::AbstractHeap::dump):
1132         (JSC::FTL::AbstractField::dump):
1133         (JSC::FTL::IndexedAbstractHeap::dump):
1134         (JSC::FTL::NumberedAbstractHeap::dump):
1135         (JSC::FTL::AbsoluteAbstractHeap::dump):
1136         * ftl/FTLAbstractHeap.h:
1137         * ftl/FTLAbstractHeapRepository.cpp:
1138         * ftl/FTLAbstractHeapRepository.h:
1139         * ftl/FTLCapabilities.cpp:
1140         (JSC::FTL::canCompile):
1141         * ftl/FTLCompile.cpp:
1142         (JSC::FTL::mmAllocateDataSection):
1143         * ftl/FTLExitArgument.cpp:
1144         (JSC::FTL::ExitArgument::dump):
1145         * ftl/FTLExitPropertyValue.cpp:
1146         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
1147         * ftl/FTLExitPropertyValue.h:
1148         * ftl/FTLExitTimeObjectMaterialization.cpp:
1149         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1150         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
1151         * ftl/FTLExitTimeObjectMaterialization.h:
1152         (JSC::FTL::ExitTimeObjectMaterialization::origin):
1153         * ftl/FTLExitValue.cpp:
1154         (JSC::FTL::ExitValue::withLocalsOffset):
1155         (JSC::FTL::ExitValue::valueFormat):
1156         (JSC::FTL::ExitValue::dumpInContext):
1157         * ftl/FTLExitValue.h:
1158         (JSC::FTL::ExitValue::isArgument):
1159         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
1160         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
1161         (JSC::FTL::ExitValue::valueFormat): Deleted.
1162         * ftl/FTLInlineCacheSize.cpp:
1163         (JSC::FTL::sizeOfCallForwardVarargs):
1164         (JSC::FTL::sizeOfConstructForwardVarargs):
1165         (JSC::FTL::sizeOfICFor):
1166         * ftl/FTLInlineCacheSize.h:
1167         * ftl/FTLIntrinsicRepository.h:
1168         * ftl/FTLJSCallVarargs.cpp:
1169         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1170         (JSC::FTL::JSCallVarargs::emit):
1171         * ftl/FTLJSCallVarargs.h:
1172         * ftl/FTLLowerDFGToLLVM.cpp:
1173         (JSC::FTL::LowerDFGToLLVM::lower):
1174         (JSC::FTL::LowerDFGToLLVM::compileNode):
1175         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
1176         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1177         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1178         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1179         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1180         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1181         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1182         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
1183         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1184         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
1185         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
1186         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
1187         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1188         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
1189         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1190         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
1191         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
1192         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
1193         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
1194         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
1195         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
1196         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1197         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
1198         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
1199         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
1200         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
1201         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
1202         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
1203         (JSC::FTL::LowerDFGToLLVM::baseIndex):
1204         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1205         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
1206         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1207         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1208         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1209         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1210         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1211         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1212         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
1213         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
1214         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
1215         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
1216         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
1217         * ftl/FTLOSRExitCompiler.cpp:
1218         (JSC::FTL::compileRecovery):
1219         (JSC::FTL::compileStub):
1220         * ftl/FTLOperations.cpp:
1221         (JSC::FTL::operationMaterializeObjectInOSR):
1222         * ftl/FTLOutput.h:
1223         (JSC::FTL::Output::aShr):
1224         (JSC::FTL::Output::lShr):
1225         (JSC::FTL::Output::zeroExtPtr):
1226         * heap/CopyToken.h:
1227         * interpreter/CallFrame.h:
1228         (JSC::ExecState::getArgumentUnsafe):
1229         * interpreter/Interpreter.cpp:
1230         (JSC::sizeOfVarargs):
1231         (JSC::sizeFrameForVarargs):
1232         (JSC::loadVarargs):
1233         (JSC::unwindCallFrame):
1234         * interpreter/Interpreter.h:
1235         * interpreter/StackVisitor.cpp:
1236         (JSC::StackVisitor::Frame::createArguments):
1237         (JSC::StackVisitor::Frame::existingArguments): Deleted.
1238         * interpreter/StackVisitor.h:
1239         * jit/AssemblyHelpers.h:
1240         (JSC::AssemblyHelpers::storeValue):
1241         (JSC::AssemblyHelpers::loadValue):
1242         (JSC::AssemblyHelpers::storeTrustedValue):
1243         (JSC::AssemblyHelpers::branchIfNotCell):
1244         (JSC::AssemblyHelpers::branchIsEmpty):
1245         (JSC::AssemblyHelpers::argumentsStart):
1246         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
1247         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
1248         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
1249         * jit/CCallHelpers.h:
1250         (JSC::CCallHelpers::setupArgument):
1251         * jit/GPRInfo.h:
1252         (JSC::JSValueRegs::withTwoAvailableRegs):
1253         * jit/JIT.cpp:
1254         (JSC::JIT::privateCompileMainPass):
1255         (JSC::JIT::privateCompileSlowCases):
1256         * jit/JIT.h:
1257         * jit/JITCall.cpp:
1258         (JSC::JIT::compileSetupVarargsFrame):
1259         * jit/JITCall32_64.cpp:
1260         (JSC::JIT::compileSetupVarargsFrame):
1261         * jit/JITInlines.h:
1262         (JSC::JIT::callOperation):
1263         * jit/JITOpcodes.cpp:
1264         (JSC::JIT::emit_op_create_lexical_environment):
1265         (JSC::JIT::emit_op_new_func):
1266         (JSC::JIT::emit_op_create_direct_arguments):
1267         (JSC::JIT::emit_op_create_scoped_arguments):
1268         (JSC::JIT::emit_op_create_out_of_band_arguments):
1269         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1270         (JSC::JIT::emit_op_create_arguments): Deleted.
1271         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1272         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1273         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1274         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1275         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1276         * jit/JITOpcodes32_64.cpp:
1277         (JSC::JIT::emit_op_create_lexical_environment):
1278         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1279         (JSC::JIT::emit_op_create_arguments): Deleted.
1280         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1281         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1282         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1283         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1284         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1285         * jit/JITOperations.cpp:
1286         * jit/JITOperations.h:
1287         * jit/JITPropertyAccess.cpp:
1288         (JSC::JIT::emitGetClosureVar):
1289         (JSC::JIT::emitPutClosureVar):
1290         (JSC::JIT::emit_op_get_from_arguments):
1291         (JSC::JIT::emit_op_put_to_arguments):
1292         (JSC::JIT::emit_op_init_global_const):
1293         (JSC::JIT::privateCompileGetByVal):
1294         (JSC::JIT::emitDirectArgumentsGetByVal):
1295         (JSC::JIT::emitScopedArgumentsGetByVal):
1296         * jit/JITPropertyAccess32_64.cpp:
1297         (JSC::JIT::emitGetClosureVar):
1298         (JSC::JIT::emitPutClosureVar):
1299         (JSC::JIT::emit_op_get_from_arguments):
1300         (JSC::JIT::emit_op_put_to_arguments):
1301         (JSC::JIT::emit_op_init_global_const):
1302         * jit/SetupVarargsFrame.cpp:
1303         (JSC::emitSetupVarargsFrameFastCase):
1304         * llint/LLIntOffsetsExtractor.cpp:
1305         * llint/LLIntSlowPaths.cpp:
1306         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1307         * llint/LowLevelInterpreter.asm:
1308         * llint/LowLevelInterpreter32_64.asm:
1309         * llint/LowLevelInterpreter64.asm:
1310         * parser/Nodes.h:
1311         (JSC::ScopeNode::captures):
1312         * runtime/Arguments.cpp: Removed.
1313         * runtime/Arguments.h: Removed.
1314         * runtime/ArgumentsMode.h: Added.
1315         * runtime/DirectArgumentsOffset.cpp: Added.
1316         (JSC::DirectArgumentsOffset::dump):
1317         * runtime/DirectArgumentsOffset.h: Added.
1318         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
1319         * runtime/CommonSlowPaths.cpp:
1320         (JSC::SLOW_PATH_DECL):
1321         * runtime/CommonSlowPaths.h:
1322         * runtime/ConstantMode.cpp: Added.
1323         (WTF::printInternal):
1324         * runtime/ConstantMode.h:
1325         (JSC::modeForIsConstant):
1326         * runtime/DirectArguments.cpp: Added.
1327         (JSC::DirectArguments::DirectArguments):
1328         (JSC::DirectArguments::createUninitialized):
1329         (JSC::DirectArguments::create):
1330         (JSC::DirectArguments::createByCopying):
1331         (JSC::DirectArguments::visitChildren):
1332         (JSC::DirectArguments::copyBackingStore):
1333         (JSC::DirectArguments::createStructure):
1334         (JSC::DirectArguments::overrideThings):
1335         (JSC::DirectArguments::overrideThingsIfNecessary):
1336         (JSC::DirectArguments::overrideArgument):
1337         (JSC::DirectArguments::copyToArguments):
1338         (JSC::DirectArguments::overridesSize):
1339         * runtime/DirectArguments.h: Added.
1340         (JSC::DirectArguments::internalLength):
1341         (JSC::DirectArguments::length):
1342         (JSC::DirectArguments::canAccessIndexQuickly):
1343         (JSC::DirectArguments::getIndexQuickly):
1344         (JSC::DirectArguments::setIndexQuickly):
1345         (JSC::DirectArguments::callee):
1346         (JSC::DirectArguments::argument):
1347         (JSC::DirectArguments::overrodeThings):
1348         (JSC::DirectArguments::offsetOfCallee):
1349         (JSC::DirectArguments::offsetOfLength):
1350         (JSC::DirectArguments::offsetOfMinCapacity):
1351         (JSC::DirectArguments::offsetOfOverrides):
1352         (JSC::DirectArguments::storageOffset):
1353         (JSC::DirectArguments::offsetOfSlot):
1354         (JSC::DirectArguments::allocationSize):
1355         (JSC::DirectArguments::storage):
1356         * runtime/FunctionPrototype.cpp:
1357         * runtime/GenericArguments.h: Added.
1358         (JSC::GenericArguments::GenericArguments):
1359         * runtime/GenericArgumentsInlines.h: Added.
1360         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1361         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1362         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1363         (JSC::GenericArguments<Type>::put):
1364         (JSC::GenericArguments<Type>::putByIndex):
1365         (JSC::GenericArguments<Type>::deleteProperty):
1366         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1367         (JSC::GenericArguments<Type>::defineOwnProperty):
1368         (JSC::GenericArguments<Type>::copyToArguments):
1369         * runtime/GenericOffset.h: Added.
1370         (JSC::GenericOffset::GenericOffset):
1371         (JSC::GenericOffset::operator!):
1372         (JSC::GenericOffset::offsetUnchecked):
1373         (JSC::GenericOffset::offset):
1374         (JSC::GenericOffset::operator==):
1375         (JSC::GenericOffset::operator!=):
1376         (JSC::GenericOffset::operator<):
1377         (JSC::GenericOffset::operator>):
1378         (JSC::GenericOffset::operator<=):
1379         (JSC::GenericOffset::operator>=):
1380         (JSC::GenericOffset::operator+):
1381         (JSC::GenericOffset::operator-):
1382         (JSC::GenericOffset::operator+=):
1383         (JSC::GenericOffset::operator-=):
1384         * runtime/JSArgumentsIterator.cpp:
1385         (JSC::JSArgumentsIterator::finishCreation):
1386         (JSC::argumentsFuncIterator):
1387         * runtime/JSArgumentsIterator.h:
1388         (JSC::JSArgumentsIterator::create):
1389         (JSC::JSArgumentsIterator::next):
1390         * runtime/JSEnvironmentRecord.cpp:
1391         (JSC::JSEnvironmentRecord::visitChildren):
1392         * runtime/JSEnvironmentRecord.h:
1393         (JSC::JSEnvironmentRecord::variables):
1394         (JSC::JSEnvironmentRecord::isValid):
1395         (JSC::JSEnvironmentRecord::variableAt):
1396         (JSC::JSEnvironmentRecord::offsetOfVariables):
1397         (JSC::JSEnvironmentRecord::offsetOfVariable):
1398         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
1399         (JSC::JSEnvironmentRecord::allocationSize):
1400         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1401         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1402         (JSC::JSEnvironmentRecord::finishCreation):
1403         (JSC::JSEnvironmentRecord::registers): Deleted.
1404         (JSC::JSEnvironmentRecord::registerAt): Deleted.
1405         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
1406         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
1407         * runtime/JSFunction.cpp:
1408         * runtime/JSGlobalObject.cpp:
1409         (JSC::JSGlobalObject::init):
1410         (JSC::JSGlobalObject::addGlobalVar):
1411         (JSC::JSGlobalObject::addFunction):
1412         (JSC::JSGlobalObject::visitChildren):
1413         (JSC::JSGlobalObject::addStaticGlobals):
1414         * runtime/JSGlobalObject.h:
1415         (JSC::JSGlobalObject::directArgumentsStructure):
1416         (JSC::JSGlobalObject::scopedArgumentsStructure):
1417         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
1418         (JSC::JSGlobalObject::argumentsStructure): Deleted.
1419         * runtime/JSLexicalEnvironment.cpp:
1420         (JSC::JSLexicalEnvironment::symbolTableGet):
1421         (JSC::JSLexicalEnvironment::symbolTablePut):
1422         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1423         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
1424         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
1425         * runtime/JSLexicalEnvironment.h:
1426         (JSC::JSLexicalEnvironment::create):
1427         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1428         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
1429         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
1430         (JSC::JSLexicalEnvironment::storage): Deleted.
1431         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
1432         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
1433         (JSC::JSLexicalEnvironment::isValid): Deleted.
1434         (JSC::JSLexicalEnvironment::registerAt): Deleted.
1435         * runtime/JSNameScope.cpp:
1436         (JSC::JSNameScope::visitChildren): Deleted.
1437         * runtime/JSNameScope.h:
1438         (JSC::JSNameScope::create):
1439         (JSC::JSNameScope::value):
1440         (JSC::JSNameScope::finishCreation):
1441         (JSC::JSNameScope::JSNameScope):
1442         * runtime/JSScope.cpp:
1443         (JSC::abstractAccess):
1444         * runtime/JSSegmentedVariableObject.cpp:
1445         (JSC::JSSegmentedVariableObject::findVariableIndex):
1446         (JSC::JSSegmentedVariableObject::addVariables):
1447         (JSC::JSSegmentedVariableObject::visitChildren):
1448         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
1449         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
1450         * runtime/JSSegmentedVariableObject.h:
1451         (JSC::JSSegmentedVariableObject::variableAt):
1452         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
1453         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
1454         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
1455         * runtime/JSSymbolTableObject.h:
1456         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
1457         (JSC::symbolTableGet):
1458         (JSC::symbolTablePut):
1459         (JSC::symbolTablePutWithAttributes):
1460         * runtime/JSType.h:
1461         * runtime/Options.h:
1462         * runtime/ClonedArguments.cpp: Added.
1463         (JSC::ClonedArguments::ClonedArguments):
1464         (JSC::ClonedArguments::createEmpty):
1465         (JSC::ClonedArguments::createWithInlineFrame):
1466         (JSC::ClonedArguments::createWithMachineFrame):
1467         (JSC::ClonedArguments::createByCopyingFrom):
1468         (JSC::ClonedArguments::createStructure):
1469         (JSC::ClonedArguments::getOwnPropertySlot):
1470         (JSC::ClonedArguments::getOwnPropertyNames):
1471         (JSC::ClonedArguments::put):
1472         (JSC::ClonedArguments::deleteProperty):
1473         (JSC::ClonedArguments::defineOwnProperty):
1474         (JSC::ClonedArguments::materializeSpecials):
1475         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
1476         * runtime/ClonedArguments.h: Added.
1477         (JSC::ClonedArguments::specialsMaterialized):
1478         * runtime/ScopeOffset.cpp: Added.
1479         (JSC::ScopeOffset::dump):
1480         * runtime/ScopeOffset.h: Added.
1481         (JSC::ScopeOffset::ScopeOffset):
1482         * runtime/ScopedArguments.cpp: Added.
1483         (JSC::ScopedArguments::ScopedArguments):
1484         (JSC::ScopedArguments::finishCreation):
1485         (JSC::ScopedArguments::createUninitialized):
1486         (JSC::ScopedArguments::create):
1487         (JSC::ScopedArguments::createByCopying):
1488         (JSC::ScopedArguments::createByCopyingFrom):
1489         (JSC::ScopedArguments::visitChildren):
1490         (JSC::ScopedArguments::createStructure):
1491         (JSC::ScopedArguments::overrideThings):
1492         (JSC::ScopedArguments::overrideThingsIfNecessary):
1493         (JSC::ScopedArguments::overrideArgument):
1494         (JSC::ScopedArguments::copyToArguments):
1495         * runtime/ScopedArguments.h: Added.
1496         (JSC::ScopedArguments::internalLength):
1497         (JSC::ScopedArguments::length):
1498         (JSC::ScopedArguments::canAccessIndexQuickly):
1499         (JSC::ScopedArguments::getIndexQuickly):
1500         (JSC::ScopedArguments::setIndexQuickly):
1501         (JSC::ScopedArguments::callee):
1502         (JSC::ScopedArguments::overrodeThings):
1503         (JSC::ScopedArguments::offsetOfOverrodeThings):
1504         (JSC::ScopedArguments::offsetOfTotalLength):
1505         (JSC::ScopedArguments::offsetOfTable):
1506         (JSC::ScopedArguments::offsetOfScope):
1507         (JSC::ScopedArguments::overflowStorageOffset):
1508         (JSC::ScopedArguments::allocationSize):
1509         (JSC::ScopedArguments::overflowStorage):
1510         * runtime/ScopedArgumentsTable.cpp: Added.
1511         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
1512         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
1513         (JSC::ScopedArgumentsTable::destroy):
1514         (JSC::ScopedArgumentsTable::create):
1515         (JSC::ScopedArgumentsTable::clone):
1516         (JSC::ScopedArgumentsTable::setLength):
1517         (JSC::ScopedArgumentsTable::set):
1518         (JSC::ScopedArgumentsTable::createStructure):
1519         * runtime/ScopedArgumentsTable.h: Added.
1520         (JSC::ScopedArgumentsTable::length):
1521         (JSC::ScopedArgumentsTable::get):
1522         (JSC::ScopedArgumentsTable::lock):
1523         (JSC::ScopedArgumentsTable::offsetOfLength):
1524         (JSC::ScopedArgumentsTable::offsetOfArguments):
1525         (JSC::ScopedArgumentsTable::at):
1526         * runtime/SymbolTable.cpp:
1527         (JSC::SymbolTableEntry::prepareToWatch):
1528         (JSC::SymbolTable::SymbolTable):
1529         (JSC::SymbolTable::visitChildren):
1530         (JSC::SymbolTable::localToEntry):
1531         (JSC::SymbolTable::entryFor):
1532         (JSC::SymbolTable::cloneScopePart):
1533         (JSC::SymbolTable::prepareForTypeProfiling):
1534         (JSC::SymbolTable::uniqueIDForOffset):
1535         (JSC::SymbolTable::globalTypeSetForOffset):
1536         (JSC::SymbolTable::cloneCapturedNames): Deleted.
1537         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1538         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1539         * runtime/SymbolTable.h:
1540         (JSC::SymbolTableEntry::varOffsetFromBits):
1541         (JSC::SymbolTableEntry::scopeOffsetFromBits):
1542         (JSC::SymbolTableEntry::Fast::varOffset):
1543         (JSC::SymbolTableEntry::Fast::scopeOffset):
1544         (JSC::SymbolTableEntry::Fast::isDontEnum):
1545         (JSC::SymbolTableEntry::Fast::getAttributes):
1546         (JSC::SymbolTableEntry::SymbolTableEntry):
1547         (JSC::SymbolTableEntry::varOffset):
1548         (JSC::SymbolTableEntry::isWatchable):
1549         (JSC::SymbolTableEntry::scopeOffset):
1550         (JSC::SymbolTableEntry::setAttributes):
1551         (JSC::SymbolTableEntry::constantMode):
1552         (JSC::SymbolTableEntry::isDontEnum):
1553         (JSC::SymbolTableEntry::disableWatching):
1554         (JSC::SymbolTableEntry::pack):
1555         (JSC::SymbolTableEntry::isValidVarOffset):
1556         (JSC::SymbolTable::createNameScopeTable):
1557         (JSC::SymbolTable::maxScopeOffset):
1558         (JSC::SymbolTable::didUseScopeOffset):
1559         (JSC::SymbolTable::didUseVarOffset):
1560         (JSC::SymbolTable::scopeSize):
1561         (JSC::SymbolTable::nextScopeOffset):
1562         (JSC::SymbolTable::takeNextScopeOffset):
1563         (JSC::SymbolTable::add):
1564         (JSC::SymbolTable::set):
1565         (JSC::SymbolTable::argumentsLength):
1566         (JSC::SymbolTable::setArgumentsLength):
1567         (JSC::SymbolTable::argumentOffset):
1568         (JSC::SymbolTable::setArgumentOffset):
1569         (JSC::SymbolTable::arguments):
1570         (JSC::SlowArgument::SlowArgument): Deleted.
1571         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
1572         (JSC::SymbolTableEntry::getIndex): Deleted.
1573         (JSC::SymbolTableEntry::isValidIndex): Deleted.
1574         (JSC::SymbolTable::captureStart): Deleted.
1575         (JSC::SymbolTable::setCaptureStart): Deleted.
1576         (JSC::SymbolTable::captureEnd): Deleted.
1577         (JSC::SymbolTable::setCaptureEnd): Deleted.
1578         (JSC::SymbolTable::captureCount): Deleted.
1579         (JSC::SymbolTable::isCaptured): Deleted.
1580         (JSC::SymbolTable::parameterCount): Deleted.
1581         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
1582         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
1583         (JSC::SymbolTable::slowArguments): Deleted.
1584         (JSC::SymbolTable::setSlowArguments): Deleted.
1585         * runtime/VM.cpp:
1586         (JSC::VM::VM):
1587         * runtime/VM.h:
1588         * runtime/VarOffset.cpp: Added.
1589         (JSC::VarOffset::dump):
1590         (WTF::printInternal):
1591         * runtime/VarOffset.h: Added.
1592         (JSC::VarOffset::VarOffset):
1593         (JSC::VarOffset::assemble):
1594         (JSC::VarOffset::isValid):
1595         (JSC::VarOffset::operator!):
1596         (JSC::VarOffset::kind):
1597         (JSC::VarOffset::isStack):
1598         (JSC::VarOffset::isScope):
1599         (JSC::VarOffset::isDirectArgument):
1600         (JSC::VarOffset::stackOffsetUnchecked):
1601         (JSC::VarOffset::scopeOffsetUnchecked):
1602         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
1603         (JSC::VarOffset::stackOffset):
1604         (JSC::VarOffset::scopeOffset):
1605         (JSC::VarOffset::capturedArgumentsOffset):
1606         (JSC::VarOffset::rawOffset):
1607         (JSC::VarOffset::checkSanity):
1608         (JSC::VarOffset::operator==):
1609         (JSC::VarOffset::operator!=):
1610         (JSC::VarOffset::hash):
1611         (JSC::VarOffset::isHashTableDeletedValue):
1612         (JSC::VarOffsetHash::hash):
1613         (JSC::VarOffsetHash::equal):
1614         * tests/stress/arguments-exit-strict-mode.js: Added.
1615         * tests/stress/arguments-exit.js: Added.
1616         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
1617         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
1618         * tests/stress/arguments-inlined-exit.js: Added.
1619         * tests/stress/arguments-interference.js: Added.
1620         * tests/stress/arguments-interference-cfg.js: Added.
1621         * tests/stress/dead-get-closure-var.js: Added.
1622         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
1623         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
1624         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
1625         * tests/stress/varargs-closure-inlined-exit.js: Added.
1626         * tests/stress/varargs-exit.js: Added.
1627         * tests/stress/varargs-inlined-exit.js: Added.
1628         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
1629         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
1630         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
1631         * tests/stress/varargs-inlined-simple-exit.js: Added.
1632         * tests/stress/varargs-too-few-arguments.js: Added.
1633         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
1634         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
1635         * tests/stress/varargs-varargs-inlined-exit.js: Added.
1636
1637 2015-03-25  Andy Estes  <aestes@apple.com>
1638
1639         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
1640         https://bugs.webkit.org/show_bug.cgi?id=143068
1641
1642         Reviewed by Dan Bernstein.
1643
1644         * inspector/remote/RemoteInspectorXPCConnection.mm:
1645         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
1646
1647 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1648
1649         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
1650         https://bugs.webkit.org/show_bug.cgi?id=142993
1651
1652         Reviewed by Geoffrey Garen and Mark Lam.
1653         
1654         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
1655         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
1656         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
1657         failure, but also involves adding the same kind of thing to the stub generators in
1658         Repatch.
1659         
1660         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
1661         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
1662         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
1663         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
1664         printout.
1665         
1666         Also add a way of inducing executable allocation failure, so that we can test this.
1667
1668         * CMakeLists.txt:
1669         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1670         * JavaScriptCore.xcodeproj/project.pbxproj:
1671         * dfg/DFGJITCompiler.cpp:
1672         (JSC::DFG::JITCompiler::compile):
1673         (JSC::DFG::JITCompiler::compileFunction):
1674         (JSC::DFG::JITCompiler::link): Deleted.
1675         (JSC::DFG::JITCompiler::linkFunction): Deleted.
1676         * dfg/DFGJITCompiler.h:
1677         * dfg/DFGPlan.cpp:
1678         (JSC::DFG::Plan::compileInThreadImpl):
1679         * ftl/FTLCompile.cpp:
1680         (JSC::FTL::mmAllocateCodeSection):
1681         (JSC::FTL::mmAllocateDataSection):
1682         * ftl/FTLLink.cpp:
1683         (JSC::FTL::link):
1684         * ftl/FTLState.h:
1685         * jit/ArityCheckFailReturnThunks.cpp:
1686         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
1687         * jit/ExecutableAllocationFuzz.cpp: Added.
1688         (JSC::numberOfExecutableAllocationFuzzChecks):
1689         (JSC::doExecutableAllocationFuzzing):
1690         * jit/ExecutableAllocationFuzz.h: Added.
1691         (JSC::doExecutableAllocationFuzzingIfEnabled):
1692         * jit/ExecutableAllocatorFixedVMPool.cpp:
1693         (JSC::ExecutableAllocator::allocate):
1694         * jit/JIT.cpp:
1695         (JSC::JIT::privateCompile):
1696         * jit/JITCompilationEffort.h:
1697         * jit/Repatch.cpp:
1698         (JSC::generateByIdStub):
1699         (JSC::tryCacheGetByID):
1700         (JSC::tryBuildGetByIDList):
1701         (JSC::emitPutReplaceStub):
1702         (JSC::emitPutTransitionStubAndGetOldStructure):
1703         (JSC::tryCachePutByID):
1704         (JSC::tryBuildPutByIdList):
1705         (JSC::tryRepatchIn):
1706         (JSC::linkPolymorphicCall):
1707         * jsc.cpp:
1708         (jscmain):
1709         * runtime/Options.h:
1710         * runtime/TestRunnerUtils.h:
1711         * runtime/VM.cpp:
1712         * tests/executableAllocationFuzz: Added.
1713         * tests/executableAllocationFuzz.yaml: Added.
1714         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
1715
1716 2015-03-25  Mark Lam  <mark.lam@apple.com>
1717
1718         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
1719         <https://webkit.org/b/135719>
1720
1721         Reviewed by Geoffrey Garen.
1722
1723         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
1724         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
1725         update the LLINT to access it as such.
1726
1727         The issue has only manifested so far on the CLoop tests because those are LLINT
1728         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
1729         hiding the bug in the LLINT.
1730
1731         * API/JSContextRef.cpp:
1732         (createWatchdogIfNeeded):
1733         (JSContextGroupSetExecutionTimeLimit):
1734         (JSContextGroupClearExecutionTimeLimit):
1735         * llint/LowLevelInterpreter.asm:
1736
1737 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1738
1739         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
1740
1741         Rubber stamped by Geoffrey Garen.
1742
1743         * bytecode/CodeBlock.cpp:
1744         (JSC::CodeBlock::visitAggregate):
1745
1746 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
1747
1748         Fix formatting in BuiltinExecutables
1749         https://bugs.webkit.org/show_bug.cgi?id=143061
1750
1751         Reviewed by Ryosuke Niwa.
1752
1753         * builtins/BuiltinExecutables.cpp:
1754         (JSC::BuiltinExecutables::createExecutableInternal):
1755
1756 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
1757
1758         ES6: Classes: Program level class statement throws exception in strict mode
1759         https://bugs.webkit.org/show_bug.cgi?id=143038
1760
1761         Reviewed by Ryosuke Niwa.
1762
1763         Classes expose a name to the current lexical environment. This treats
1764         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
1765         Also, improve error messages for class statements where the class is missing a name.
1766
1767         * parser/Parser.h:
1768         * parser/Parser.cpp:
1769         (JSC::Parser<LexerType>::parseClass):
1770         Fill name in info parameter if needed. Better error message if name is needed and missing.
1771
1772         (JSC::Parser<LexerType>::parseClassDeclaration):
1773         Pass info parameter to get name, and expose the name as a variable name.
1774
1775         (JSC::Parser<LexerType>::parsePrimaryExpression):
1776         Pass info parameter that is ignored.
1777
1778         * parser/ParserFunctionInfo.h:
1779         Add a parser info for class, to extract the name.
1780
1781 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1782
1783         New map and set modification tests in r181922 fails
1784         https://bugs.webkit.org/show_bug.cgi?id=143031
1785
1786         Reviewed and tweaked by Geoffrey Garen.
1787
1788         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
1789         to adjust for the packed backing store.
1790
1791         Consider the following map data.
1792
1793         x: deleted, o: exists
1794         0 1 2 3 4
1795         x x x x o
1796
1797         And iterator with m_index 3.
1798
1799         When packing the map data, the map data becomes:
1800
1801         0
1802         o
1803
1804         At that time, we perform didRemoveEntry 4 times on iterators.
1805         times => m_index/index/result
1806         1 => 3/0/dec
1807         2 => 2/1/dec
1808         3 => 1/2/nothing
1809         4 => 1/3/nothing
1810
1811         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
1812         This is because we use the decremented m_index for comparison: the provided deletedIndex
1813         is an index into the old storage, while m_index is an index into the partially packed storage.
1814
1815         In this patch, we compare against the packed index instead.
1816         times => m_index/packedIndex/result
1817         1 => 3/0/dec
1818         2 => 2/0/dec
1819         3 => 1/0/dec
1820         4 => 0/0/nothing
1821
1822         So m_index becomes 0 as expected.
1823
1824         And according to the spec, once the iterator is closed (becomes done: true),
1825         its internal [[Map]]/[[Set]] is set to undefined.
1826         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
1827
1828         In this patch, we change 2 things.
1829         1. Compare an iterator's index against the packed index when removing an entry.
1830         2. If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
1834
1835         * runtime/MapData.h:
1836         (JSC::MapDataImpl::IteratorData::finish):
1837         (JSC::MapDataImpl::IteratorData::isFinished):
1838         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
1839         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
1840         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
1841         * runtime/MapDataInlines.h:
1842         (JSC::JSIterator>::replaceAndPackBackingStore):
1843         * tests/stress/modify-map-during-iteration.js:
1844         * tests/stress/modify-set-during-iteration.js:
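
The didRemoveEntry adjustment this entry walks through, as an added example that is not part of the ChangeLog or of JSC's MapData code: a constructed tombstone-based backing store, the pre-fix comparison against the old-storage index beside the fixed comparison against the packed index, and the closed-iterator guard. Entry, IteratorData, packBackingStore and the Old/Fixed method names are assumptions of this model.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of a Map/Set backing store with tombstones; this is an
// added illustration, not JSC's MapDataImpl.
struct Entry {
    int key;
    bool deleted;
};

// Mirrors the fields the ChangeLog talks about: m_index is the slot the
// iterator will visit next; a finished (closed) iterator must never be revived.
struct IteratorData {
    size_t m_index = 0;
    bool m_finished = false;

    bool isFinished() const { return m_finished; }
    void finish() { m_finished = true; }

    // Pre-fix behaviour: deletedIndex is an index into the *old* storage, but
    // m_index has already been decremented by earlier calls, so the comparison
    // mixes two index spaces and stops decrementing too early.
    void didRemoveEntryOld(size_t deletedIndex)
    {
        if (m_index > deletedIndex)
            --m_index;
    }

    // Fixed behaviour: compare against the index the removed slot would have
    // had in the packed storage, and leave closed iterators untouched.
    void didRemoveEntryFixed(size_t packedIndex)
    {
        if (isFinished())
            return;
        if (m_index > packedIndex)
            --m_index;
    }
};

// Packs `store`, notifying every iterator once per deleted slot. `fixed`
// selects which adjustment rule the iterators apply.
std::vector<Entry> packBackingStore(const std::vector<Entry>& store,
                                    std::vector<IteratorData*>& iterators,
                                    bool fixed)
{
    std::vector<Entry> packed;
    for (size_t oldIndex = 0; oldIndex < store.size(); ++oldIndex) {
        if (!store[oldIndex].deleted) {
            packed.push_back(store[oldIndex]);
            continue;
        }
        // Where this deleted slot would have landed had it survived; it does
        // not advance while consecutive tombstones are skipped.
        size_t packedIndex = packed.size();
        for (IteratorData* it : iterators) {
            if (fixed)
                it->didRemoveEntryFixed(packedIndex);
            else
                it->didRemoveEntryOld(oldIndex);
        }
    }
    return packed;
}

// The scenario from the ChangeLog: slots 0..3 deleted, slot 4 live, iterator
// positioned at 3. Returns the iterator's m_index after packing
// (1 with the old rule, 0 with the fixed rule, unchanged when finished).
size_t indexAfterPacking(bool fixed, bool iteratorFinished)
{
    std::vector<Entry> store = {
        {10, true}, {11, true}, {12, true}, {13, true}, {14, false}
    };
    IteratorData it;
    it.m_index = 3;
    if (iteratorFinished)
        it.finish();
    std::vector<IteratorData*> iterators = { &it };
    packBackingStore(store, iterators, fixed);
    return it.m_index;
}

// Sanity check on the packed layout: the surviving entry now lives at slot 0,
// which is exactly where the fixed rule leaves the iterator.
int keyAtPackedIndex(size_t index)
{
    std::vector<Entry> store = {
        {10, true}, {11, true}, {12, true}, {13, true}, {14, false}
    };
    std::vector<IteratorData*> none;
    std::vector<Entry> packed = packBackingStore(store, none, true);
    return index < packed.size() ? packed[index].key : -1;
}
```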
1845
1846 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1847
1848         Setter should have a single formal parameter, Getter no parameters
1849         https://bugs.webkit.org/show_bug.cgi?id=142903
1850
1851         Reviewed by Geoffrey Garen.
1852
1853         * parser/Parser.cpp:
1854         (JSC::Parser<LexerType>::parseFunctionInfo):
1855         Enforce no parameters for getters and a single parameter
1856         for setters, with informational error messages.
1857
1858 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1859
1860         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
1861         https://bugs.webkit.org/show_bug.cgi?id=143012
1862
1863         Reviewed by Ryosuke Niwa.
1864
1865         * bytecompiler/BytecodeGenerator.cpp:
1866         (JSC::BytecodeGenerator::emitReturn):
1867         Fix handling of "undefined" when returned from a Derived class. It was
1868         returning "undefined" when it should have returned "this".
1869
1870 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1871
1872         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
1873         https://bugs.webkit.org/show_bug.cgi?id=142696
1874
1875         Reviewed and tweaked by Geoffrey Garen.
1876
1877         Before r142556, JSSetIterator::destroy was not defined.
1878         So, accidentally, MapData::const_iterator in JSSet was never destroyed.
1879         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
1880
1881         After r142556, JSSetIterator::destroy works.
1882         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
1883         But JSSetIterator::~JSSetIterator requires the owned JSSet, since it mutates MapData->m_iteratorCount.
1884
1885         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
1886         and marks it in visitChildren (WriteBarrier<Unknown>).
1887         However, the order of destructions is not guaranteed in a GC-ed system.
1888
1889         Consider the following case:
1890         allocate a JSSet and subsequently allocate a JSSetIterator.
1891         And they reside in separate MarkedBlocks, <1> and <2>.
1892
1893         JSSet<1> <- JSSetIterator<2>
1894
1895         And after that, when performing GC, the Marker decides that the above 2 objects are not marked.
1896         And the Marker also decides MarkedBlocks <1> and <2> can be swept.
1897
1898         First, the Sweeper sweeps <1>, destructs JSSet<1>, and frees MarkedBlock<1>.
1899         Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
1900         However, JSSetIterator<2>'s destructor,
1901         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.
1902
1903         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
1904         When packing the removed elements in JSSet/JSMap, we apply the change to all live
1905         iterators tracked by WeakGCMap.
1906
1907         WeakGCMap can only track JSCells since they are managed by the GC.
1908         So we drop the JSSet/JSMap C++ style iterators. Instead of a C++ style iterator, this patch
1909         introduces JS style iterator signatures into the C++ class IteratorData.
1910         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
1911         IteratorData directly.
1912
1913         * runtime/JSMap.cpp:
1914         (JSC::JSMap::destroy):
1915         * runtime/JSMap.h:
1916         (JSC::JSMap::JSMap):
1917         (JSC::JSMap::begin): Deleted.
1918         (JSC::JSMap::end): Deleted.
1919         * runtime/JSMapIterator.cpp:
1920         (JSC::JSMapIterator::destroy):
1921         * runtime/JSMapIterator.h:
1922         (JSC::JSMapIterator::next):
1923         (JSC::JSMapIterator::nextKeyValue):
1924         (JSC::JSMapIterator::iteratorData):
1925         (JSC::JSMapIterator::JSMapIterator):
1926         * runtime/JSSet.cpp:
1927         (JSC::JSSet::destroy):
1928         * runtime/JSSet.h:
1929         (JSC::JSSet::JSSet):
1930         (JSC::JSSet::begin): Deleted.
1931         (JSC::JSSet::end): Deleted.
1932         * runtime/JSSetIterator.cpp:
1933         (JSC::JSSetIterator::destroy):
1934         * runtime/JSSetIterator.h:
1935         (JSC::JSSetIterator::next):
1936         (JSC::JSSetIterator::iteratorData):
1937         (JSC::JSSetIterator::JSSetIterator):
1938         * runtime/MapData.h:
1939         (JSC::MapDataImpl::IteratorData::finish):
1940         (JSC::MapDataImpl::IteratorData::isFinished):
1941         (JSC::MapDataImpl::shouldPack):
1942         (JSC::JSIterator>::MapDataImpl):
1943         (JSC::JSIterator>::KeyType::KeyType):
1944         (JSC::JSIterator>::IteratorData::IteratorData):
1945         (JSC::JSIterator>::IteratorData::next):
1946         (JSC::JSIterator>::IteratorData::ensureSlot):
1947         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
1948         (JSC::JSIterator>::IteratorData::refreshCursor):
1949         (JSC::MapDataImpl::const_iterator::key): Deleted.
1950         (JSC::MapDataImpl::const_iterator::value): Deleted.
1951         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
1952         (JSC::MapDataImpl::const_iterator::finish): Deleted.
1953         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
1954         (JSC::MapDataImpl::begin): Deleted.
1955         (JSC::MapDataImpl::end): Deleted.
1956         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
1957         (JSC::MapDataImpl<Entry>::clear): Deleted.
1958         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
1959         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
1960         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
1961         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
1962         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
1963         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
1964         (JSC::=): Deleted.
1965         * runtime/MapDataInlines.h:
1966         (JSC::JSIterator>::clear):
1967         (JSC::JSIterator>::find):
1968         (JSC::JSIterator>::contains):
1969         (JSC::JSIterator>::add):
1970         (JSC::JSIterator>::set):
1971         (JSC::JSIterator>::get):
1972         (JSC::JSIterator>::remove):
1973         (JSC::JSIterator>::replaceAndPackBackingStore):
1974         (JSC::JSIterator>::replaceBackingStore):
1975         (JSC::JSIterator>::ensureSpaceForAppend):
1976         (JSC::JSIterator>::visitChildren):
1977         (JSC::JSIterator>::copyBackingStore):
1978         (JSC::JSIterator>::applyMapDataPatch):
1979         (JSC::MapDataImpl<Entry>::find): Deleted.
1980         (JSC::MapDataImpl<Entry>::contains): Deleted.
1981         (JSC::MapDataImpl<Entry>::add): Deleted.
1982         (JSC::MapDataImpl<Entry>::set): Deleted.
1983         (JSC::MapDataImpl<Entry>::get): Deleted.
1984         (JSC::MapDataImpl<Entry>::remove): Deleted.
1985         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
1986         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
1987         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
1988         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
1989         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
1990         * runtime/MapPrototype.cpp:
1991         (JSC::mapProtoFuncForEach):
1992         * runtime/SetPrototype.cpp:
1993         (JSC::setProtoFuncForEach):
1994         * runtime/WeakGCMap.h:
1995         (JSC::WeakGCMap::forEach):
1996         * tests/stress/modify-map-during-iteration.js: Added.
1997         (testValue):
1998         (identityPairs):
1999         (.set if):
2000         (var):
2001         (set map):
2002         * tests/stress/modify-set-during-iteration.js: Added.
2003         (testValue):
2004         (set forEach):
2005         (set delete):
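
The destruction-order hazard and the weak-tracking fix described in this entry, modelled as an added example that is not JavaScriptCore's code: a SetData tracks its IteratorData objects through std::weak_ptr (standing in for WeakGCMap) and patches their cursors when it packs, while the iterator destructor never touches the set. The pack threshold and the object layout are assumptions of the model.

```cpp
// Added example, not JavaScriptCore code. Names follow the entry; the pack
// threshold and the std::weak_ptr registry standing in for WeakGCMap are assumptions.
#include <initializer_list>
#include <memory>
#include <optional>
#include <string>
#include <vector>
struct Entry { std::string key; bool deleted = false; };  // tombstone until packed
class SetData;

// Holds only a cursor; its destructor touches nothing in the set, so either may die first.
class IteratorData {
public:
    explicit IteratorData(SetData* set) : set_(set) {}
    std::optional<std::string> next();
    // After a pack, newIndex[i] = number of surviving entries before old index i.
    void applyMapDataPatch(const std::vector<size_t>& newIndex) { cursor_ = newIndex[cursor_]; }
private:
    SetData* set_;  // non-owning, like the GC reference the real iterator marks
    size_t cursor_ = 0;
};

class SetData {
public:
    void add(const std::string& key) { if (!find(key)) entries_.push_back({key, false}); }
    bool remove(const std::string& key) {
        Entry* e = find(key);
        if (!e) return false;
        e->deleted = true; ++deletedCount_;
        packIfNeeded();  // may move the cursor of every live iterator
        return true;
    }
    // Tracked weakly: the set never keeps an iterator alive; a dead slot just expires.
    std::shared_ptr<IteratorData> makeIterator() {
        auto it = std::make_shared<IteratorData>(this);
        iterators_.push_back(it);
        return it;
    }
    const std::vector<Entry>& entries() const { return entries_; }
private:
    Entry* find(const std::string& key) {
        for (auto& e : entries_) if (!e.deleted && e.key == key) return &e;
        return nullptr;
    }
    // Assumed threshold: pack once at least half of the entries are tombstones.
    bool shouldPack() const { return deletedCount_ > 0 && deletedCount_ * 2 >= entries_.size(); }
    void packIfNeeded() {
        if (!shouldPack()) return;
        std::vector<size_t> newIndex(entries_.size() + 1, 0);
        std::vector<Entry> packed;
        for (size_t i = 0; i < entries_.size(); ++i) {
            newIndex[i] = packed.size();
            if (!entries_[i].deleted) packed.push_back(entries_[i]);
        }
        newIndex[entries_.size()] = packed.size();
        entries_.swap(packed);
        deletedCount_ = 0;
        std::vector<std::weak_ptr<IteratorData>> live;
        for (auto& w : iterators_)  // patch every live iterator, drop expired slots
            if (auto it = w.lock()) { it->applyMapDataPatch(newIndex); live.push_back(w); }
        iterators_.swap(live);
    }
    std::vector<Entry> entries_;
    size_t deletedCount_ = 0;
    std::vector<std::weak_ptr<IteratorData>> iterators_;
};

std::optional<std::string> IteratorData::next() {
    const auto& entries = set_->entries();
    while (cursor_ < entries.size() && entries[cursor_].deleted) ++cursor_;  // skip tombstones
    if (cursor_ >= entries.size()) return std::nullopt;
    return entries[cursor_++].key;
}

// modify-set-during-iteration in miniature: a pack mid-iteration must not skip "d".
std::vector<std::string> iterateWhileDeleting() {
    SetData set;
    for (const char* k : {"a", "b", "c", "d", "e"}) set.add(k);
    auto it = set.makeIterator();
    std::vector<std::string> seen{*it->next()};  // "a"; cursor is now 1
    set.remove("a");
    set.remove("b");
    set.remove("c");  // third tombstone of five: store packs to [d, e], cursor 1 -> 0
    for (auto k = it->next(); k; k = it->next()) seen.push_back(*k);
    return seen;  // {"a", "d", "e"}
}

// The sweep order from the entry: the set dies first, the iterator second.
bool destroySetBeforeIterator() {
    auto set = std::make_unique<SetData>();
    set->add("x");
    auto it = set->makeIterator();
    bool sawX = it->next() == std::optional<std::string>("x");
    set.reset();  // MarkedBlock <1> swept first
    it.reset();   // MarkedBlock <2> swept second: nothing in the freed set is touched
    return sawX;
}
```

Run under AddressSanitizer, destroySetBeforeIterator() is the ordering that the pre-fix destructor turned into a use-after-free; with the weak registry there is no write into the freed set.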
2006
2007 2015-03-24  Mark Lam  <mark.lam@apple.com>
2008
2009         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
2010         <https://webkit.org/b/143024>
2011
2012         Reviewed by Geoffrey Garen.
2013
2014         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
2015         passed in from testapi.c.  It should create its own for better
2016         encapsulation of the test.
2017
2018         * API/tests/ExecutionTimeLimitTest.cpp:
2019         (currentCPUTimeAsJSFunctionCallback):
2020         (testExecutionTimeLimit):
2021         * API/tests/ExecutionTimeLimitTest.h:
2022         * API/tests/testapi.c:
2023         (main):
2024
2025 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2026
2027         ES6: Object Literal Methods toString is missing method name
2028         https://bugs.webkit.org/show_bug.cgi?id=142992
2029
2030         Reviewed by Geoffrey Garen.
2031
2032         Always stringify functions in the pattern:
2033
2034           "function " + <function name> + <text from opening parenthesis to closing brace>.
2035
2036         * runtime/FunctionPrototype.cpp:
2037         (JSC::functionProtoFuncToString):
2038         Update the path that was not stringifying in this pattern.
2039
2040         * bytecode/UnlinkedCodeBlock.cpp:
2041         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2042         * bytecode/UnlinkedCodeBlock.h:
2043         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
2044         * parser/Nodes.h:
2045         * runtime/Executable.cpp:
2046         (JSC::FunctionExecutable::FunctionExecutable):
2047         * runtime/Executable.h:
2048         (JSC::FunctionExecutable::parametersStartOffset):
2049         Pass the already known function parameter opening parenthesis
2050         start offset through to the FunctionExecutable. 
2051
2052         * tests/mozilla/js1_5/Scope/regress-185485.js:
2053         (with.g):
2054         Add back original space in this test that was removed by r181810
2055         now that we have the space again in stringification.
2056
2057 2015-03-24  Michael Saboff  <msaboff@apple.com>
2058
2059         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
2060         https://bugs.webkit.org/show_bug.cgi?id=142856
2061
2062         Reviewed by Filip Pizlo.
2063
2064         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
2065         get info for three loops to iterate over indexed properties, structure properties and other properties,
2066         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
2067         for all loops before we execute any enumeration.
2068
2069         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
2070         The named properties are one list, with structure properties in the range [0,m_endStructurePropertyIndex)
2071         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
2072
2073         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
2074         op_next_enumerator_pname.
2075         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
2076         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
2077         end value we stop iterating on.
2078
2079         Made corresponding node changes to the DFG and FTL for the bytecode changes.
2080
2081         * bytecode/BytecodeList.json:
2082         * bytecode/BytecodeUseDef.h:
2083         (JSC::computeUsesForBytecodeOffset):
2084         (JSC::computeDefsForBytecodeOffset):
2085         * bytecode/CodeBlock.cpp:
2086         (JSC::CodeBlock::dumpBytecode):
2087         * bytecompiler/BytecodeGenerator.cpp:
2088         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
2089         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
2090         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
2091         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
2092         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
2093         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
2094         * bytecompiler/BytecodeGenerator.h:
2095         * bytecompiler/NodesCodegen.cpp:
2096         (JSC::ForInNode::emitMultiLoopBytecode):
2097         * dfg/DFGAbstractInterpreterInlines.h:
2098         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2099         * dfg/DFGByteCodeParser.cpp:
2100         (JSC::DFG::ByteCodeParser::parseBlock):
2101         * dfg/DFGCapabilities.cpp:
2102         (JSC::DFG::capabilityLevel):
2103         * dfg/DFGClobberize.h:
2104         (JSC::DFG::clobberize):
2105         * dfg/DFGDoesGC.cpp:
2106         (JSC::DFG::doesGC):
2107         * dfg/DFGFixupPhase.cpp:
2108         (JSC::DFG::FixupPhase::fixupNode):
2109         * dfg/DFGNodeType.h:
2110         * dfg/DFGPredictionPropagationPhase.cpp:
2111         (JSC::DFG::PredictionPropagationPhase::propagate):
2112         * dfg/DFGSafeToExecute.h:
2113         (JSC::DFG::safeToExecute):
2114         * dfg/DFGSpeculativeJIT32_64.cpp:
2115         (JSC::DFG::SpeculativeJIT::compile):
2116         * dfg/DFGSpeculativeJIT64.cpp:
2117         (JSC::DFG::SpeculativeJIT::compile):
2118         * ftl/FTLAbstractHeapRepository.h:
2119         * ftl/FTLCapabilities.cpp:
2120         (JSC::FTL::canCompile):
2121         * ftl/FTLLowerDFGToLLVM.cpp:
2122         (JSC::FTL::LowerDFGToLLVM::compileNode):
2123         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2124         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
2125         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
2126         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
2127         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
2128         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
2129         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
2130         * jit/JIT.cpp:
2131         (JSC::JIT::privateCompileMainPass):
2132         * jit/JIT.h:
2133         * jit/JITOpcodes.cpp:
2134         (JSC::JIT::emit_op_enumerator_structure_pname):
2135         (JSC::JIT::emit_op_enumerator_generic_pname):
2136         (JSC::JIT::emit_op_get_property_enumerator):
2137         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2138         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
2139         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
2140         * jit/JITOpcodes32_64.cpp:
2141         (JSC::JIT::emit_op_enumerator_structure_pname):
2142         (JSC::JIT::emit_op_enumerator_generic_pname):
2143         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2144         * jit/JITOperations.cpp:
2145         * jit/JITOperations.h:
2146         * llint/LowLevelInterpreter.asm:
2147         * runtime/CommonSlowPaths.cpp:
2148         (JSC::SLOW_PATH_DECL):
2149         * runtime/CommonSlowPaths.h:
2150         * runtime/JSPropertyNameEnumerator.cpp:
2151         (JSC::JSPropertyNameEnumerator::create):
2152         (JSC::JSPropertyNameEnumerator::finishCreation):
2153         * runtime/JSPropertyNameEnumerator.h:
2154         (JSC::JSPropertyNameEnumerator::indexedLength):
2155         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
2156         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
2157         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
2158         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
2159         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
2160         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
2161         (JSC::propertyNameEnumerator):
2162         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
2163         (JSC::structurePropertyNameEnumerator): Deleted.
2164         (JSC::genericPropertyNameEnumerator): Deleted.
2165         * runtime/Structure.cpp:
2166         (JSC::Structure::setCachedPropertyNameEnumerator):
2167         (JSC::Structure::cachedPropertyNameEnumerator):
2168         (JSC::Structure::canCachePropertyNameEnumerator):
2169         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
2170         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
2171         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
2172         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
2173         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
2174         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
2175         * runtime/Structure.h:
2176         * runtime/StructureRareData.cpp:
2177         (JSC::StructureRareData::visitChildren):
2178         (JSC::StructureRareData::cachedPropertyNameEnumerator):
2179         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
2180         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
2181         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
2182         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
2183         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
2184         * runtime/StructureRareData.h:
2185         * tests/stress/for-in-delete-during-iteration.js:
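
The single up-front enumerator and its three loops, as an added example that is not JavaScriptCore's code: the snapshot is taken once (the op_get_property_enumerator step), the structure and generic ranges are the two index ranges the entry gives, and each name is re-checked before it is visited. The Obj layout (a presence bitmap for indexed properties plus two insertion-ordered name lists) is an assumption of the model.

```cpp
// Added example, not JavaScriptCore code: a model of the one-shot
// JSPropertyNameEnumerator described in the entry. The Obj layout is assumed.
#include <algorithm>
#include <functional>
#include <string>
#include <vector>

struct Obj {
    std::vector<bool> indexedPresent;         // element i exists iff indexedPresent[i]
    std::vector<std::string> structureProps;  // names held in the Structure, insertion order
    std::vector<std::string> genericProps;    // names outside it (e.g. dictionary mode)
    static bool contains(const std::vector<std::string>& v, const std::string& n) {
        return std::find(v.begin(), v.end(), n) != v.end();
    }
    static void erase(std::vector<std::string>& v, const std::string& n) {
        v.erase(std::remove(v.begin(), v.end(), n), v.end());
    }
    bool hasNamed(const std::string& n) const { return contains(structureProps, n) || contains(genericProps, n); }
    void deleteNamed(const std::string& n) { erase(structureProps, n); erase(genericProps, n); }
};

// Snapshot taken once, before any of the three loops runs.
struct PropertyNameEnumerator {
    size_t indexedLength = 0;
    std::vector<std::string> names;  // structure names first, then generic names
    size_t endStructurePropertyIndex = 0;
    size_t endGenericPropertyIndex = 0;
};

PropertyNameEnumerator getPropertyEnumerator(const Obj& o) {
    PropertyNameEnumerator e;
    e.indexedLength = o.indexedPresent.size();
    e.names = o.structureProps;
    e.endStructurePropertyIndex = e.names.size();
    e.names.insert(e.names.end(), o.genericProps.begin(), o.genericProps.end());
    e.endGenericPropertyIndex = e.names.size();
    return e;
}

// The three for..in loops over one snapshot. 'body' may mutate the object: names it
// adds are absent from the snapshot and never visited; names it deletes fail the
// has-property check and are skipped. Returns the visited names in order.
std::vector<std::string> forIn(Obj& o, const std::function<void(const std::string&)>& body) {
    const PropertyNameEnumerator e = getPropertyEnumerator(o);
    std::vector<std::string> visited;
    auto visit = [&](const std::string& n) { visited.push_back(n); body(n); };
    for (size_t i = 0; i < e.indexedLength; ++i)  // indexed loop
        if (i < o.indexedPresent.size() && o.indexedPresent[i]) visit(std::to_string(i));
    for (size_t i = 0; i < e.endStructurePropertyIndex; ++i)  // structure loop
        if (o.hasNamed(e.names[i])) visit(e.names[i]);
    for (size_t i = e.endStructurePropertyIndex; i < e.endGenericPropertyIndex; ++i)  // generic loop
        if (o.hasNamed(e.names[i])) visit(e.names[i]);
    return visited;
}

// The regression from the entry plus for-in-delete-during-iteration: properties
// added inside the loop are not enumerated, deleted ones are skipped.
std::vector<std::string> addAndDeleteDuringLoop() {
    Obj o;
    o.indexedPresent = {true, true};
    o.structureProps = {"a", "b", "c"};
    o.genericProps = {"x"};
    return forIn(o, [&](const std::string& n) {
        if (n == "0") {
            o.indexedPresent.push_back(true);      // index 2 added: not visited
            o.structureProps.push_back("added");   // added name: not visited
            o.deleteNamed("c");                    // deleted name: skipped
        }
    });  // {"0", "1", "a", "b", "x"}
}
```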
2186
2187 2015-03-24  Michael Saboff  <msaboff@apple.com>
2188
2189         Unreviewed build fix for debug builds.
2190
2191         * runtime/ExceptionHelpers.cpp:
2192         (JSC::invalidParameterInSourceAppender):
2193
2194 2015-03-24  Saam Barati  <saambarati1@gmail.com>
2195
2196         Improve error messages in JSC
2197         https://bugs.webkit.org/show_bug.cgi?id=141869
2198
2199         Reviewed by Geoffrey Garen.
2200
2201         JavaScriptCore has some unintuitive error messages associated
2202         with certain common errors. This patch changes some specific
2203         error messages to be more understandable and also creates a
2204         mechanism that will allow for easy modification of error messages
2205         in the future. The specific errors we change are not a function
2206         errors and invalid parameter errors.
2207
2208         * CMakeLists.txt:
2209         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2210         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2211         * JavaScriptCore.xcodeproj/project.pbxproj:
2212         * interpreter/Interpreter.cpp:
2213         (JSC::sizeOfVarargs):
2214         * jit/JITOperations.cpp:
2215         op_throw_static_error always has a JSString as its argument.
2216         There is no need to dance around this, and we should assert
2217         that this always holds. This JSString represents the error 
2218         message we want to display to the user, so there is no need
2219         to pass it into errorDescriptionForValue which will now place
2220         quotes around the string.
2221
2222         * llint/LLIntSlowPaths.cpp:
2223         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2224         * runtime/CommonSlowPaths.h:
2225         (JSC::CommonSlowPaths::opIn):
2226         * runtime/ErrorInstance.cpp:
2227         (JSC::ErrorInstance::ErrorInstance):
2228         * runtime/ErrorInstance.h:
2229         (JSC::ErrorInstance::hasSourceAppender):
2230         (JSC::ErrorInstance::sourceAppender):
2231         (JSC::ErrorInstance::setSourceAppender):
2232         (JSC::ErrorInstance::clearSourceAppender):
2233         (JSC::ErrorInstance::setRuntimeTypeForCause):
2234         (JSC::ErrorInstance::runtimeTypeForCause):
2235         (JSC::ErrorInstance::clearRuntimeTypeForCause):
2236         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
2237         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
2238         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
2239         * runtime/ExceptionHelpers.cpp:
2240         (JSC::errorDescriptionForValue):
2241         (JSC::defaultApproximateSourceError):
2242         (JSC::defaultSourceAppender):
2243         (JSC::functionCallBase):
2244         (JSC::notAFunctionSourceAppender):
2245         (JSC::invalidParameterInSourceAppender):
2246         (JSC::invalidParameterInstanceofSourceAppender):
2247         (JSC::createError):
2248         (JSC::createInvalidFunctionApplyParameterError):
2249         (JSC::createInvalidInParameterError):
2250         (JSC::createInvalidInstanceofParameterError):
2251         (JSC::createNotAConstructorError):
2252         (JSC::createNotAFunctionError):
2253         (JSC::createNotAnObjectError):
2254         (JSC::createInvalidParameterError): Deleted.
2255         * runtime/ExceptionHelpers.h:
2256         * runtime/JSObject.cpp:
2257         (JSC::JSObject::hasInstance):
2258         * runtime/RuntimeType.cpp: Added.
2259         (JSC::runtimeTypeForValue):
2260         (JSC::runtimeTypeAsString):
2261         * runtime/RuntimeType.h: Added.
2262         * runtime/TypeProfilerLog.cpp:
2263         (JSC::TypeProfilerLog::processLogEntries):
2264         * runtime/TypeSet.cpp:
2265         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
2266         * runtime/TypeSet.h:
2267         * runtime/VM.cpp:
2268         (JSC::appendSourceToError):
2269         (JSC::VM::throwException):
2270
2271 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
2272
2273         JSC should have a low-cost asynchronous disassembler
2274         https://bugs.webkit.org/show_bug.cgi?id=142997
2275
2276         Reviewed by Mark Lam.
2277         
2278         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
2279         doesn't block execution. Some code will live a little longer because of this, since the
2280         work tasks hold a ref to the code, but other than that there is basically no overhead.
2281         
2282         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
2283         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
2284         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
2285         JSC_asyncDisassembly has bizarre behavior - so just choose one.
2286         
2287         A simple way of understanding how great this is, is to run a small benchmark like
2288         V8Spider/earley-boyer.
2289         
2290         Performance without any disassembly flags: 60ms
2291         Performance with JSC_showDisassembly=true: 477ms
2292         Performance with JSC_asyncDisassembly=true: 65ms
2293         
2294         So, the overhead of disassembly goes from 8x to 8%.
2295         
2296         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
2297         measuring benchmark performance. This is because at VM exit, we wait for all async
2298         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
2299         after the benchmark completely finishes to finish the disassemblies. This small weirdness
2300         should be OK for the intended use-cases, since all you have to do to get around it is to
2301         measure the execution time of the benchmark payload rather than the end-to-end time of
2302         launching the VM.
2303
2304         * assembler/LinkBuffer.cpp:
2305         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2306         * assembler/LinkBuffer.h:
2307         (JSC::LinkBuffer::wasAlreadyDisassembled):
2308         (JSC::LinkBuffer::didAlreadyDisassemble):
2309         * dfg/DFGJITCompiler.cpp:
2310         (JSC::DFG::JITCompiler::disassemble):
2311         * dfg/DFGJITFinalizer.cpp:
2312         (JSC::DFG::JITFinalizer::finalize):
2313         (JSC::DFG::JITFinalizer::finalizeFunction):
2314         * disassembler/Disassembler.cpp:
2315         (JSC::disassembleAsynchronously):
2316         (JSC::waitForAsynchronousDisassembly):
2317         * disassembler/Disassembler.h:
2318         * ftl/FTLCompile.cpp:
2319         (JSC::FTL::mmAllocateDataSection):
2320         * ftl/FTLLink.cpp:
2321         (JSC::FTL::link):
2322         * jit/JIT.cpp:
2323         (JSC::JIT::privateCompile):
2324         * jsc.cpp:
2325         * runtime/Options.h:
2326         * runtime/VM.cpp:
2327         (JSC::VM::~VM):
2328
2329 2015-03-23  Dean Jackson  <dino@apple.com>
2330
2331         ES7: Implement Array.prototype.includes
2332         https://bugs.webkit.org/show_bug.cgi?id=142707
2333
2334         Reviewed by Geoffrey Garen.
2335
2336         Add support for the ES7 includes method on Arrays.
2337         https://github.com/tc39/Array.prototype.includes
2338
2339         * builtins/Array.prototype.js:
2340         (includes): Implementation in JS.
2341         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
2342
2343 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2344
2345         __defineGetter__/__defineSetter__ should throw exceptions
2346         https://bugs.webkit.org/show_bug.cgi?id=142934
2347
2348         Reviewed by Geoffrey Garen.
2349
2350         * runtime/ObjectPrototype.cpp:
2351         (JSC::objectProtoFuncDefineGetter):
2352         (JSC::objectProtoFuncDefineSetter):
2353         Throw exceptions when these functions are used directly.
2354
2355 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2356
2357         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
2358         https://bugs.webkit.org/show_bug.cgi?id=142952
2359
2360         Reviewed by Geoffrey Garen.
2361
2362         * runtime/Structure.cpp:
2363         (JSC::PropertyTable::checkConsistency):
2364         The check offset method doesn't exist in PropertyTable, it exists in Structure.
2365
2366         (JSC::Structure::checkConsistency):
2367         So move it here, and always put it at the start to match normal behavior.
2368
2369 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2370
2371         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
2372         https://bugs.webkit.org/show_bug.cgi?id=142956
2373
2374         Rubber stamped by Gyuyoung Kim.
2375         
2376         Just removing dead code.
2377
2378         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2379         * JavaScriptCore.xcodeproj/project.pbxproj:
2380         * dfg/DFGOSRExit.h:
2381         * dfg/DFGOSRExitCompiler.cpp:
2382         * dfg/DFGValueRecoveryOverride.h: Removed.
2383
2384 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2385
2386         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
2387         https://bugs.webkit.org/show_bug.cgi?id=142948
2388
2389         Reviewed by Sam Weinig.
2390         
2391         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
2392         since a signal may clobber the area below the stack pointer. When the DFG is executing,
2393         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
2394         baseline, we will use a different amount of stack. This is because baseline is a different
2395         compiler. It will make different decisions. So it will use a different amount of stack.
2396         
2397         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
2398         incrementally transforming the stack from how it looked in the DFG to how it will look in
2399         baseline. The most conservative approach would be to set the stack pointer to the max of
2400         DFG and baseline.
2401         
2402         When this code was written, a reckless assumption was made: that the stack usage in
2403         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
2404         assumption, the code first adjusts the stack pointer to account for the baseline stack
2405         usage. This sort of usually works, because usually baseline does happen to use more stack.
2406         But that's not an invariant. Nobody guarantees this. We will never make any changes that
2407         would make this be guaranteed, because that would be antithetical to how optimizing
2408         compilers work. The DFG should be allowed to use however much stack it decides that it
2409         should use in order to get good performance, and it shouldn't try to guarantee that it
2410         always uses less stack than baseline.
2411         
2412         As such, we must always assume that the frame size for DFG execution (i.e.
2413         frameRegisterCount) and the frame size in baseline once we exit (i.e.
2414         requiredRegisterCountForExit) are two independent quantities and they have no
2415         relationship.
2416         
2417         Fortunately, though, this code can be made correct by just moving the stack adjustment to
2418         just before we do conversions. This is because we have since changed the OSR exit
2419         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
2420         drop it out of the scratch buffer and into the stack according to the baseline layout. The
2421         point just before conversions is the point where we have finished reading the DFG frame
2422         and will not read it anymore, and we haven't started writing the baseline frame. So, at
2423         this point it is safe to set the stack pointer to account for the frame size at exit.
2424         
2425         This is benign because baseline happens to create larger frames than DFG.
2426
2427         * dfg/DFGOSRExitCompiler32_64.cpp:
2428         (JSC::DFG::OSRExitCompiler::compileExit):
2429         * dfg/DFGOSRExitCompiler64.cpp:
2430         (JSC::DFG::OSRExitCompiler::compileExit):
2431         * dfg/DFGOSRExitCompilerCommon.cpp:
2432         (JSC::DFG::adjustAndJumpToTarget):
2433
2434 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2435
2436         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
2437
2438         Rubber stamped by Sam Weinig.
2439
2440         * tests/stress/equals-masquerader.js:
2441
2442 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2443
2444         tests/stress/*tdz* tests do 10x more iterations than necessary
2445         https://bugs.webkit.org/show_bug.cgi?id=142946
2446
2447         Reviewed by Ryosuke Niwa.
2448         
2449         The stress test harness runs all of these tests in various configurations. This includes
2450         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
2451         enough to get to the highest tier. The only exceptions are very large functions or
2452         functions that have some reoptimizations. That happens rarely, and when it does happen,
2453         usually 20,000 iterations is enough.
2454         
2455         Therefore, these tests use 10x too many iterations. This is bad, since these tests
2456         allocate on each iteration, and so they run very slowly in debug mode.
2457
2458         * tests/stress/class-syntax-no-loop-tdz.js:
2459         * tests/stress/class-syntax-no-tdz-in-catch.js:
2460         * tests/stress/class-syntax-no-tdz-in-conditional.js:
2461         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
2462         * tests/stress/class-syntax-no-tdz-in-loop.js:
2463         * tests/stress/class-syntax-no-tdz.js:
2464         * tests/stress/class-syntax-tdz-in-catch.js:
2465         * tests/stress/class-syntax-tdz-in-conditional.js:
2466         * tests/stress/class-syntax-tdz-in-loop.js:
2467         * tests/stress/class-syntax-tdz.js:
2468
2469 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2470
2471         Fix a typo in Parser error message
2472         https://bugs.webkit.org/show_bug.cgi?id=142942
2473
2474         Reviewed by Alexey Proskuryakov.
2475
2476         * jit/JITPropertyAccess.cpp:
2477         (JSC::JIT::emitSlow_op_resolve_scope):
2478         * jit/JITPropertyAccess32_64.cpp:
2479         (JSC::JIT::emitSlow_op_resolve_scope):
2480         * parser/Parser.cpp:
2481         (JSC::Parser<LexerType>::parseClass):
2482         Fix a common identifier typo.
2483
2484 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2485
2486         Computed Property names should allow only AssignmentExpressions not any Expression
2487         https://bugs.webkit.org/show_bug.cgi?id=142902
2488
2489         Reviewed by Ryosuke Niwa.
2490
2491         * parser/Parser.cpp:
2492         (JSC::Parser<LexerType>::parseProperty):
2493         Limit computed expressions to just assignment expressions instead of
2494         any expression (which allowed comma expressions).
2495
2496 2015-03-21  Andreas Kling  <akling@apple.com>
2497
2498         Make UnlinkedFunctionExecutable fit in a 128-byte cell.
2499         <https://webkit.org/b/142939>
2500
2501         Reviewed by Mark Hahnenberg.
2502
2503         Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
2504         a 128-byte heap cell instead of requiring a 256-byte one.
2505
2506         Threw in a static_assert to catch anyone pushing it over the limit again.
2507
2508         * bytecode/UnlinkedCodeBlock.cpp:
2509         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2510         * bytecode/UnlinkedCodeBlock.h:
2511         (JSC::UnlinkedFunctionExecutable::functionMode):
2512
2513 2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>
2514
2515         GCTimer should keep track of nested GC phases
2516         https://bugs.webkit.org/show_bug.cgi?id=142675
2517
2518         Reviewed by Darin Adler.
2519
2520         This improves the GC phase timing output in Heap.cpp by linking
2521         phases nested inside other phases together, allowing tools
2522         to compute how much time we're spending in various nested phases.
2523
2524         * heap/Heap.cpp:
2525
2526 2015-03-20  Geoffrey Garen  <ggaren@apple.com>
2527
2528         FunctionBodyNode should know where its parameters started
2529         https://bugs.webkit.org/show_bug.cgi?id=142926
2530
2531         Reviewed by Ryosuke Niwa.
2532
2533         This will allow us to re-parse parameters instead of keeping the
2534         parameters piece of the AST around forever.
2535
2536         I also took the opportunity to initialize most FunctionBodyNode data
2537         members at construction time, to help clarify that they are set right.
2538
2539         * parser/ASTBuilder.h:
2540         (JSC::ASTBuilder::createFunctionExpr): No need to pass
2541         functionKeywordStart here; we now provide it at FunctionBodyNode
2542         creation time.
2543
2544         (JSC::ASTBuilder::createFunctionBody): Require everything we need at
2545         construction time, including the start of our parameters.
2546
2547         (JSC::ASTBuilder::createGetterOrSetterProperty):
2548         (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
2549         functionKeywordStart here; we now provide it at FunctionBodyNode
2550         creation time.
2551
2552         (JSC::ASTBuilder::setFunctionNameStart): Deleted.
2553
2554         * parser/Nodes.cpp:
2555         (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
2556         construction time.
2557
2558         * parser/Nodes.h: Added a field for the location of our parameters.
2559
2560         * parser/Parser.cpp:
2561         (JSC::Parser<LexerType>::parseFunctionBody):
2562         (JSC::Parser<LexerType>::parseFunctionInfo):
2563         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2564         (JSC::Parser<LexerType>::parseClass):
2565         (JSC::Parser<LexerType>::parsePropertyMethod):
2566         (JSC::Parser<LexerType>::parseGetterSetter):
2567         (JSC::Parser<LexerType>::parsePrimaryExpression):
2568         * parser/Parser.h: Refactored to match above interface changes.
2569
2570         * parser/SyntaxChecker.h:
2571         (JSC::SyntaxChecker::createFunctionExpr):
2572         (JSC::SyntaxChecker::createFunctionBody):
2573         (JSC::SyntaxChecker::createFuncDeclStatement):
2574         (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
2575         above interface changes.
2576
2577         (JSC::SyntaxChecker::setFunctionNameStart): Deleted.
2578
2579 2015-03-20  Filip Pizlo  <fpizlo@apple.com>
2580
2581         Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
2582         https://bugs.webkit.org/show_bug.cgi?id=142920
2583
2584         Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
2585         
2586         Observably effectful, n.: If we reexecute the bytecode instruction after this node has
2587         executed, then something other than the bytecode instruction's specified outcome will
2588         happen.
2589
2590         We almost never had observably effectful nodes except at the end of the bytecode
2591         instruction.  The exception is a lowered transitioning PutById:
2592
2593         PutStructure(@o, S1 -> S2)
2594         PutByOffset(@o, @o, @v)
2595
2596         The PutStructure is observably effectful: if you try to reexecute the bytecode after
2597         doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
2598         first checking what the old structure of the object is; but if we reexecute, the old
2599         structure will seem to be the new structure.  But the property ensured by the new
2600         structure hasn't been stored yet, so any attempt to load it or scan it will crash.
2601
2602         Intriguingly, however, none of the other operations involved in the PutById are
2603         observably effectful.  Consider this example:
2604
2605         PutByOffset(@o, @o, @v)
2606         PutStructure(@o, S1 -> S2)
2607
2608         Note that the PutStructure node doesn't reallocate property storage; see further below
2609         for an example that does that. Because no property storage is happening, we know that we
2610         already had room for the new property.  This means that the PutByOffset is not observable
2611         until the PutStructure executes and "reveals" the property.  Hence, PutByOffset is not
2612         observably effectful.
2613
2614         Now consider this:
2615
2616         b: AllocatePropertyStorage(@o)
2617         PutByOffset(@b, @o, @v)
2618         PutStructure(@o, S1 -> S2)
2619
2620         Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
2621         effectful. It *does* reallocate the property storage and the new property storage pointer
2622         is stored into the object. But until the PutStructure occurs, the world will just think
2623         that the reallocation didn't happen, in the sense that we'll think that the property
2624         storage is using less memory than what we just allocated. That's harmless.
2625
2626         The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
2627         AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
2628         everything could be expected to be fine, so long as all of @o, @v and @b are on the
2629         stack. If they are all on the stack, then the GC will leave the property storage alone
2630         (so the extra memory we just allocated would be safe). The GC will not scan the part of
2631         the property storage that contains @v, but that's fine, so long as @v is on the stack.
2632         
2633         The better long-term solution is probably bug 142921.
2634         
2635         But for now, this:
2636         
2637         - Fixes an object materialization bug, exemplified by the two tests, that previously
2638           crashed 100% of the time with FTL enabled and concurrent JIT disabled.
2639         
2640         - Allows us to remove the workaround introduced in r174856.
2641
2642         * dfg/DFGByteCodeParser.cpp:
2643         (JSC::DFG::ByteCodeParser::handlePutById):
2644         * dfg/DFGConstantFoldingPhase.cpp:
2645         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2646         * dfg/DFGFixupPhase.cpp:
2647         (JSC::DFG::FixupPhase::insertCheck):
2648         (JSC::DFG::FixupPhase::indexOfNode): Deleted.
2649         (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
2650         * dfg/DFGInsertionSet.h:
2651         (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
2652         (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
2653         * tests/stress/materialize-past-butterfly-allocation.js: Added.
2654         (bar):
2655         (foo0):
2656         (foo1):
2657         (foo2):
2658         (foo3):
2659         (foo4):
2660         * tests/stress/materialize-past-put-structure.js: Added.
2661         (foo):
2662
2663 2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2664
2665         REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
2666         https://bugs.webkit.org/show_bug.cgi?id=142410
2667
2668         Reviewed by Geoffrey Garen.
2669
2670         Before this patch, the added function JSValue::toPropertyKey returned PropertyName.
2671         Since PropertyName doesn't have AtomicStringImpl ownership,
2672         if an Identifier is implicitly converted to PropertyName and the Identifier is destructed,
2673         PropertyName may refer to a freed AtomicStringImpl*.
2674
2675         This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
2676         to keep AtomicStringImpl* ownership after the toPropertyName call is done,
2677         and receives the result value as Identifier type to keep ownership on the caller side.
2678
2679         To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
2680
2681         However, now we don't need to have both Identifier and PropertyName.
2682         So we'll merge PropertyName to Identifier in the subsequent patch.
2683
2684         * dfg/DFGOperations.cpp:
2685         (JSC::DFG::operationPutByValInternal):
2686         * jit/JITOperations.cpp:
2687         (JSC::getByVal):
2688         * llint/LLIntSlowPaths.cpp:
2689         (JSC::LLInt::getByVal):
2690         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2691         * runtime/CommonSlowPaths.cpp:
2692         (JSC::SLOW_PATH_DECL):
2693         * runtime/CommonSlowPaths.h:
2694         (JSC::CommonSlowPaths::opIn):
2695         * runtime/JSCJSValue.h:
2696         * runtime/JSCJSValueInlines.h:
2697         (JSC::JSValue::toPropertyKey):
2698         * runtime/ObjectConstructor.cpp:
2699         (JSC::objectConstructorGetOwnPropertyDescriptor):
2700         (JSC::objectConstructorDefineProperty):
2701         * runtime/ObjectPrototype.cpp:
2702         (JSC::objectProtoFuncPropertyIsEnumerable):
2703
2704 2015-03-18  Geoffrey Garen  <ggaren@apple.com>
2705
2706         Function.prototype.toString should not decompile the AST
2707         https://bugs.webkit.org/show_bug.cgi?id=142853
2708
2709         Reviewed by Sam Weinig.
2710
2711         To recover the function parameter string, Function.prototype.toString
2712         decompiles the function parameters from the AST. This is bad for a few
2713         reasons:
2714
2715         (1) It requires us to keep pieces of the AST live forever. This is an
2716         awkward design and a waste of memory.
2717
2718         (2) It doesn't match Firefox or Chrome (because it changes whitespace
2719         and ES6 destructuring expressions).
2720
2721         (3) It doesn't scale to ES6 default argument parameters, which require
2722         arbitrarily complex decompilation.
2723
2724         (4) It can counterfeit all the line numbers in a function (because
2725         whitespace can include newlines).
2726
2727         (5) It's expensive, and we've seen cases where websites invoke
2728         Function.prototype.toString a lot by accident.
2729
2730         The fix is to do what we do for the rest of the function: Just quote the
2731         original source text.
2732
2733         Since this change inevitably changes some function stringification, I
2734         took the opportunity to make our stringification match Firefox's and
2735         Chrome's.
2736
2737         * API/tests/testapi.c:
2738         (assertEqualsAsUTF8String): Be more informative when this fails.
2739
2740         (main): Updated to match new stringification rules.
2741
2742         * bytecode/UnlinkedCodeBlock.cpp:
2743         (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
2744         * bytecode/UnlinkedCodeBlock.h:
2745
2746         * parser/Nodes.h:
2747         (JSC::StatementNode::isFuncDeclNode): New helper for constructing
2748         anonymous functions.
2749
2750         * parser/SourceCode.h:
2751         (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it.
2752
2753         * runtime/CodeCache.cpp:
2754         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use
2755         of function declaration over function expression.
2756
2757         * runtime/Executable.cpp:
2758         (JSC::FunctionExecutable::paramString): Deleted. Yay!
2759         * runtime/Executable.h:
2760         (JSC::FunctionExecutable::parameterCount):
2761
2762         * runtime/FunctionConstructor.cpp:
2763         (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after
2764         the opening brace to match Firefox and Chrome, and a space after the comma
2765         to match Firefox and WebKit coding style. Added the function name to
2766         the text of the function so it would look right when stringify-ing. Switched
2767         from parentheses to braces to produce a function declaration instead of
2768         a function expression because we are required to exclude the function's
2769         name from its scope, and that's what a function declaration does.
2770
2771         * runtime/FunctionPrototype.cpp:
2772         (JSC::functionProtoFuncToString): Removed an old workaround because the
2773         library it worked around doesn't really exist anymore, and the behavior
2774         doesn't match Firefox or Chrome. Use type profiling offsets instead of
2775         function body offsets because we want to include the function name and
2776         the parameter string, rather than stitching them in manually by
2777         decompiling the AST.
2778
2779         (JSC::insertSemicolonIfNeeded): Deleted.
2780
2781         * tests/mozilla/js1_2/function/tostring-1.js:
2782         * tests/mozilla/js1_5/Scope/regress-185485.js:
2783         (with.g): Updated these test results for formatting changes.
2784
2785 2015-03-20  Joseph Pecoraro  <pecoraro@apple.com>
2786
2787         SyntaxChecker assertion is trapped with computed property name and getter
2788         https://bugs.webkit.org/show_bug.cgi?id=142863
2789
2790         Reviewed by Ryosuke Niwa.
2791
2792         * parser/SyntaxChecker.h:
2793         (JSC::SyntaxChecker::getName):
2794         Remove invalid assert. Computed properties will not have a name
2795         and the calling code is checking for null expecting it. The
2796         AST path (non-CheckingPath) already does this without the assert
2797         so it is well tested.
2798
2799 2015-03-19  Mark Lam  <mark.lam@apple.com>
2800
2801         JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
2802         <https://webkit.org/b/142846>
2803
2804         Reviewed by Geoffrey Garen.
2805
2806         Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
2807         1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
2808            that a JSCallbackObject references.
2809         2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
2810            vm.heap.addFinalizer() which destroys the JSCallbackObject.
2811
2812         The first finalizer is implemented as a virtual function of a JSCallbackObjectData
2813         instance that will be destructed if the 2nd finalizer is called.  Hence, if the
2814         2nd finalizer is called first, the later invocation of the 1st finalizer will
2815         result in a crash.
2816
2817         This patch fixes the issue by eliminating the finalizer registration in init().
2818         Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
2819         if needed.  This ensures that these finalizers are called before the JSCallbackObject
2820         is destructed.
2821
2822         Also added assertions to a few Heap functions because JSCell::classInfo() expects
2823         all objects that are allocated from MarkedBlock::Normal blocks to be derived from
2824         JSDestructibleObject.  These assertions will help us catch violations of this
2825         expectation earlier.
2826
2827         * API/JSCallbackObject.cpp:
2828         (JSC::JSCallbackObjectData::finalize): Deleted.
2829         * API/JSCallbackObject.h:
2830         (JSC::JSCallbackObjectData::~JSCallbackObjectData):
2831         * API/JSCallbackObjectFunctions.h:
2832         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2833         (JSC::JSCallbackObject<Parent>::init):
2834         * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
2835         (finalize):
2836         (testGlobalContextWithFinalizer):
2837         * API/tests/GlobalContextWithFinalizerTest.h: Added.
2838         * API/tests/testapi.c:
2839         (main):
2840         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
2841         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
2842         * JavaScriptCore.xcodeproj/project.pbxproj:
2843         * heap/HeapInlines.h:
2844         (JSC::Heap::allocateObjectOfType):
2845         (JSC::Heap::subspaceForObjectOfType):
2846         (JSC::Heap::allocatorForObjectOfType):
2847
2848 2015-03-19  Andreas Kling  <akling@apple.com>
2849
2850         JSCallee unnecessarily overrides a bunch of things in the method table.
2851         <https://webkit.org/b/142855>
2852
2853         Reviewed by Geoffrey Garen.
2854
2855         Remove JSCallee method table overrides that simply call to base class.
2856         This makes JSFunction property slot lookups slightly more efficient since
2857         they can take the fast path when passing over JSCallee in the base class chain.
2858
2859         * runtime/JSCallee.cpp:
2860         (JSC::JSCallee::getOwnPropertySlot): Deleted.
2861         (JSC::JSCallee::getOwnNonIndexPropertyNames): Deleted.
2862         (JSC::JSCallee::put): Deleted.
2863         (JSC::JSCallee::deleteProperty): Deleted.
2864         (JSC::JSCallee::defineOwnProperty): Deleted.
2865         * runtime/JSCallee.h:
2866
2867 2015-03-19  Andreas Kling  <akling@apple.com>
2868
2869         DFGAllocator should use bmalloc's aligned allocator.
2870         <https://webkit.org/b/142871>
2871
2872         Reviewed by Geoffrey Garen.
2873
2874         Switch DFGAllocator to using bmalloc through fastAlignedMalloc().
2875
2876         * dfg/DFGAllocator.h:
2877         (JSC::DFG::Allocator<T>::allocateSlow):
2878         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
2879         * heap/CopiedSpace.h:
2880         * heap/MarkedBlock.h:
2881         * heap/MarkedSpace.h:
2882
2883 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2884
2885         ES6 Classes: Extends should accept an expression without parenthesis
2886         https://bugs.webkit.org/show_bug.cgi?id=142840
2887
2888         Reviewed by Ryosuke Niwa.
2889
2890         * parser/Parser.cpp:
2891         (JSC::Parser<LexerType>::parseClass):
2892         "extends" allows a LeftHandExpression (new expression / call expression,
2893         which includes a member expression), not a primary expression. Our
2894         parseMemberExpression does all of these.
2895
2896 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2897
2898         Web Inspector: Debugger Popovers and Probes should use FormattedValue/ObjectTreeView instead of Custom/ObjectPropertiesSection
2899         https://bugs.webkit.org/show_bug.cgi?id=142830
2900
2901         Reviewed by Timothy Hatcher.
2902
2903         * inspector/agents/InspectorDebuggerAgent.cpp:
2904         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2905         Give Probe Samples object previews.
2906
2907 2015-03-17  Ryuan Choi  <ryuan.choi@navercorp.com>
2908
2909         [EFL] Expose JavaScript binding interface through ewk_extension
2910         https://bugs.webkit.org/show_bug.cgi?id=142033
2911
2912         Reviewed by Gyuyoung Kim.
2913
2914         * PlatformEfl.cmake: Install Javascript APIs.
2915
2916 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2917
2918         Function bodies should always include braces
2919         https://bugs.webkit.org/show_bug.cgi?id=142795
2920
2921         Reviewed by Michael Saboff.
2922
2923         Having a mode for excluding the opening and closing braces from a function
2924         body was unnecessary and confusing.
2925
2926         * bytecode/CodeBlock.cpp:
2927         (JSC::CodeBlock::CodeBlock): Adopt the new one true linking function.
2928
2929         * bytecode/UnlinkedCodeBlock.cpp:
2930         (JSC::generateFunctionCodeBlock):
2931         (JSC::UnlinkedFunctionExecutable::link):
2932         (JSC::UnlinkedFunctionExecutable::codeBlockFor): No need to pass through
2933         a boolean: there is only one kind of function now.
2934
2935         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Deleted.
2936         (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Deleted. Let's only
2937         have one way to do things. This removes the old mode that would pretend
2938         that a function always started at column 1. That pretense was not true:
2939         an attribute event listener does not necessarily start at column 1.
2940
2941         * bytecode/UnlinkedCodeBlock.h:
2942         * generate-js-builtins: Adopt the new one true linking function.
2943
2944         * parser/Parser.h:
2945         (JSC::Parser<LexerType>::parse):
2946         (JSC::parse): needsReparsingAdjustment is always true now, so I removed it.
2947
2948         * runtime/Executable.cpp:
2949         (JSC::ScriptExecutable::newCodeBlockFor):
2950         (JSC::FunctionExecutable::FunctionExecutable):
2951         (JSC::ProgramExecutable::initializeGlobalProperties):
2952         (JSC::FunctionExecutable::fromGlobalCode):
2953         * runtime/Executable.h:
2954         (JSC::FunctionExecutable::create):
2955         (JSC::FunctionExecutable::bodyIncludesBraces): Deleted. Removed unused stuff.
2956
2957         * runtime/FunctionConstructor.cpp:
2958         (JSC::constructFunctionSkippingEvalEnabledCheck): Always provide a
2959         leading space because that's what this function's comment says is required
2960         for web compatibility. We used to fake this up after the fact when
2961         stringifying, based on the bodyIncludesBraces flag, but that flag is gone now.
2962
2963         * runtime/FunctionPrototype.cpp:
2964         (JSC::insertSemicolonIfNeeded):
2965         (JSC::functionProtoFuncToString): No need to add braces and/or a space
2966         after the fact -- we always have them now.
2967
2968 2015-03-17  Mark Lam  <mark.lam@apple.com>
2969
2970         Refactor execution time limit tests out of testapi.c.
2971         <https://webkit.org/b/142798>
2972
2973         Rubber stamped by Michael Saboff.
2974
2975         These tests were sometimes failing to time out on C loop builds.  Let's
2976         refactor them out of the big monolith that is testapi.c so that we can
2977         reason more easily about them and make adjustments if needed.
2978
2979         * API/tests/ExecutionTimeLimitTest.cpp: Added.
2980         (currentCPUTime):
2981         (currentCPUTimeAsJSFunctionCallback):
2982         (shouldTerminateCallback):
2983         (cancelTerminateCallback):
2984         (extendTerminateCallback):
2985         (testExecutionTimeLimit):
2986         * API/tests/ExecutionTimeLimitTest.h: Added.
2987         * API/tests/testapi.c:
2988         (main):
2989         (currentCPUTime): Deleted.
2990         (currentCPUTime_callAsFunction): Deleted.
2991         (shouldTerminateCallback): Deleted.
2992         (cancelTerminateCallback): Deleted.
2993         (extendTerminateCallback): Deleted.
2994         * JavaScriptCore.xcodeproj/project.pbxproj:
2995
2996 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2997
2998         Built-in functions should know that they use strict mode
2999         https://bugs.webkit.org/show_bug.cgi?id=142788
3000
3001         Reviewed by Mark Lam.
3002
3003         Even though all of our builtin functions use strict mode, the parser
3004         thinks that they don't. This is because Executable::toStrictness treats
3005         builtin-ness and strict-ness as mutually exclusive.
3006
3007         The fix is to disambiguate builtin-ness from strict-ness.
3008
3009         This bug is currently unobservable because of some other parser bugs. But
3010         it causes lots of test failures once those other bugs are fixed.
3011
3012         * API/JSScriptRef.cpp:
3013         (parseScript):
3014         * builtins/BuiltinExecutables.cpp:
3015         (JSC::BuiltinExecutables::createBuiltinExecutable): Adopt the new API
3016         for a separate value to indicate builtin-ness vs strict-ness.
3017
3018         * bytecode/UnlinkedCodeBlock.cpp:
3019         (JSC::generateFunctionCodeBlock):
3020         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Ditto.
3021
3022         * bytecode/UnlinkedCodeBlock.h:
3023         (JSC::UnlinkedFunctionExecutable::toStrictness): Deleted. This function
3024         was misleading since it pretended that no builtin function was ever
3025         strict, which is the opposite of true.
3026
3027         * parser/Lexer.cpp:
3028         (JSC::Lexer<T>::Lexer):
3029         * parser/Lexer.h:
3030         * parser/Parser.cpp:
3031         (JSC::Parser<LexerType>::Parser):
3032         * parser/Parser.h:
3033         (JSC::parse): Adopt the new API.
3034
3035         * parser/ParserModes.h: Added JSParserBuiltinMode, and tried to give
3036         existing modes clearer names.
3037
3038         * runtime/CodeCache.cpp:
3039         (JSC::CodeCache::getGlobalCodeBlock):
3040         (JSC::CodeCache::getProgramCodeBlock):
3041         (JSC::CodeCache::getEvalCodeBlock):
3042         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Adopt the new API.
3043
3044         * runtime/CodeCache.h:
3045         (JSC::SourceCodeKey::SourceCodeKey): Be sure to treat strict-ness and
3046         builtin-ness as separate pieces of the code cache key. We would not want
3047         a user function to match a built-in function in the cache, even if they
3048         agreed about strictness, since builtin functions have different lexing
3049         rules.
3050
3051         * runtime/Completion.cpp:
3052         (JSC::checkSyntax):
3053         * runtime/Executable.cpp:
3054         (JSC::FunctionExecutable::FunctionExecutable):
3055         (JSC::ProgramExecutable::checkSyntax):
3056         * runtime/Executable.h:
3057         (JSC::FunctionExecutable::create):
3058         * runtime/JSGlobalObject.cpp:
3059         (JSC::JSGlobalObject::createProgramCodeBlock):
3060         (JSC::JSGlobalObject::createEvalCodeBlock): Adopt the new API.
3061
3062 2015-03-16  Filip Pizlo  <fpizlo@apple.com>
3063
3064         DFG IR shouldn't have a separate node for every kind of put hint that could be described using PromotedLocationDescriptor
3065         https://bugs.webkit.org/show_bug.cgi?id=142769
3066
3067         Reviewed by Michael Saboff.
3068         
3069         When we sink an object allocation, we need to have some way of tracking what stores would
3070         have happened had the allocation not been sunk, so that we know how to rematerialize the
3071         object on OSR exit. Prior to this change, trunk had two ways of describing such a "put
3072         hint":
3073         
3074         - The PutStructureHint and PutByOffsetHint node types.
3075         - The PromotedLocationDescriptor class, which has an enum with cases StructurePLoc and
3076           NamedPropertyPLoc.
3077         
3078         We also had ways of converting from a Node with those two node types to a
3079         PromotedLocationDescriptor, and we had a way of converting a PromotedLocationDescriptor to
3080         a Node.
3081         
3082         This change removes the redundancy. We now have just one node type that corresponds to a
3083         put hint, and it's called PutHint. It has a PromotedLocationDescriptor as metadata.
3084         Converting between a PutHint node and a PromotedLocationDescriptor and vice-versa is now
3085         trivial.
3086         
3087         This means that if we add new kinds of sunken objects, we'll have less pro-forma to write
3088         for the put hints to those objects. This is mainly to simplify the implementation of
3089         arguments elimination in bug 141174.
3090
3091         * dfg/DFGAbstractInterpreterInlines.h:
3092         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3093         * dfg/DFGClobberize.h:
3094         (JSC::DFG::clobberize):
3095         * dfg/DFGDoesGC.cpp:
3096         (JSC::DFG::doesGC):
3097         * dfg/DFGFixupPhase.cpp:
3098         (JSC::DFG::FixupPhase::fixupNode):
3099         * dfg/DFGGraph.cpp:
3100         (JSC::DFG::Graph::dump):
3101         (JSC::DFG::Graph::mergeRelevantToOSR):
3102         * dfg/DFGMayExit.cpp:
3103         (JSC::DFG::mayExit):
3104         * dfg/DFGNode.cpp:
3105         (JSC::DFG::Node::convertToPutHint):
3106         (JSC::DFG::Node::convertToPutStructureHint):
3107         (JSC::DFG::Node::convertToPutByOffsetHint):
3108         (JSC::DFG::Node::promotedLocationDescriptor):
3109         * dfg/DFGNode.h:
3110         (JSC::DFG::Node::hasIdentifier):
3111         (JSC::DFG::Node::hasPromotedLocationDescriptor):
3112         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
3113         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
3114         * dfg/DFGNodeType.h:
3115         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3116         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3117         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3118         (JSC::DFG::ObjectAllocationSinkingPhase::run):
3119         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
3120         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
3121         * dfg/DFGPredictionPropagationPhase.cpp:
3122         (JSC::DFG::PredictionPropagationPhase::propagate):
3123         * dfg/DFGPromoteHeapAccess.h:
3124         (JSC::DFG::promoteHeapAccess):
3125         * dfg/DFGPromotedHeapLocation.cpp:
3126         (JSC::DFG::PromotedHeapLocation::createHint):
3127         * dfg/DFGPromotedHeapLocation.h:
3128         (JSC::DFG::PromotedLocationDescriptor::imm1):
3129         (JSC::DFG::PromotedLocationDescriptor::imm2):
3130         * dfg/DFGSafeToExecute.h:
3131         (JSC::DFG::safeToExecute):
3132         * dfg/DFGSpeculativeJIT32_64.cpp:
3133         (JSC::DFG::SpeculativeJIT::compile):
3134         * dfg/DFGSpeculativeJIT64.cpp:
3135         (JSC::DFG::SpeculativeJIT::compile):
3136         * dfg/DFGValidate.cpp:
3137         (JSC::DFG::Validate::validateCPS):
3138         * ftl/FTLCapabilities.cpp:
3139         (JSC::FTL::canCompile):
3140         * ftl/FTLLowerDFGToLLVM.cpp:
3141         (JSC::FTL::LowerDFGToLLVM::compileNode):
3142
3143 2015-03-17  Michael Saboff  <msaboff@apple.com>
3144
3145         Windows X86-64 should use the fixed executable allocator
3146         https://bugs.webkit.org/show_bug.cgi?id=142749
3147
3148         Reviewed by Filip Pizlo.
3149
3150         Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build.
3151
3152         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3153         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows.

2015-03-17  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Show rendering frames (and FPS) in Layout and Rendering timeline
        https://bugs.webkit.org/show_bug.cgi?id=142029

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Timeline.json:
        Added new event type for runloop timeline records.

2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>

        Enable ES6 classes by default
        https://bugs.webkit.org/show_bug.cgi?id=142774

        Reviewed by Gavin Barraclough.

        Enabled the feature and unskipped tests.

        * Configurations/FeatureDefines.xcconfig:
        * tests/stress/class-syntax-no-loop-tdz.js:
        * tests/stress/class-syntax-no-tdz-in-catch.js:
        * tests/stress/class-syntax-no-tdz-in-conditional.js:
        * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
        * tests/stress/class-syntax-no-tdz-in-loop.js:
        * tests/stress/class-syntax-no-tdz.js:
        * tests/stress/class-syntax-tdz-in-catch.js:
        * tests/stress/class-syntax-tdz-in-conditional.js:
        * tests/stress/class-syntax-tdz-in-loop.js:
        * tests/stress/class-syntax-tdz.js:

2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better Console Previews for Arrays / Small Objects
        https://bugs.webkit.org/show_bug.cgi?id=142322

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Create deep valuePreviews for simple previewable objects,
        such as arrays with 5 values, or basic objects with
        3 properties.

2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>

        Add support for default constructor
        https://bugs.webkit.org/show_bug.cgi?id=142388

        Reviewed by Filip Pizlo.

        Added the support for default constructors. They're generated by ClassExprNode::emitBytecode
        via BuiltinExecutables::createDefaultConstructor.

        UnlinkedFunctionExecutable now has the ability to override SourceCode provided by the owner
        executable. We can't store SourceCode in UnlinkedFunctionExecutable since CodeCache can use
        the same UnlinkedFunctionExecutable to generate code blocks for multiple functions.

        Parser now has the ability to treat any function expression as a constructor of the kind specified
        by m_defaultConstructorKind member variable.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createDefaultConstructor): Added.
        (JSC::BuiltinExecutables::createExecutableInternal): Generalized from createBuiltinExecutable.
        Parse default constructors as normal non-builtin functions. Override SourceCode in the unlinked
        function executable since the Miranda function's code is definitely not in the owner executable's
        source code. That's the whole point.
        * builtins/BuiltinExecutables.h:
        (UnlinkedFunctionExecutable::createBuiltinExecutable): Added. Wraps createExecutableInternal.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::linkInsideExecutable):
        (JSC::UnlinkedFunctionExecutable::linkGlobalCode):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::symbolTable): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewDefaultConstructor): Added.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode): Generate the default constructor if needed.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseFunctionInfo): Override ownerClassKind and assume the function as
        a constructor if we're parsing a default constructor.
        (JSC::Parser<LexerType>::parseClass): Allow omission of the class constructor.
        * parser/Parser.h:
        (JSC::parse):

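The language behaviour the two Ryosuke Niwa entries above implement (default constructors, and the class-binding TDZ exercised by the class-syntax-tdz stress tests), as an added example in plain JavaScript. This is not WebKit or JSC code and it touches none of the internals named in the entries; it only checks, from script, what the engine must now do: a base class with no constructor behaves as if it had `constructor() {}`, a derived class with no constructor behaves as if it had `constructor(...args) { super(...args); }`, and the class binding throws ReferenceError if used before its declaration is evaluated.

```javascript
// Added example, not code from WebKit/JSC: observable behaviour of ES6
// default constructors and of the class binding's temporal dead zone (TDZ).

class Base {
  constructor(a, b) { this.sum = a + b; }
}

// No explicit constructor: per ES6 the implicit one for a derived class is
//   constructor(...args) { super(...args); }
class Derived extends Base {}

// The same constructor written out by hand, for comparison.
class ExplicitDerived extends Base {
  constructor(...args) { super(...args); }
}

// No explicit constructor on a base class: the implicit one is constructor() {}
class Plain {}

function defaultDerivedConstructorForwardsArgs() {
  return new Derived(2, 3).sum;                       // 5
}

function explicitAndDefaultAgree() {
  return new Derived(2, 3).sum === new ExplicitDerived(2, 3).sum;  // true
}

function defaultBaseConstructorIgnoresArgs() {
  return Object.keys(new Plain(1, 2)).length;         // 0: nothing is stored
}

function prototypeChainIsIntact() {
  const d = new Derived(1, 1);
  return d instanceof Derived && d instanceof Base
    && Object.getPrototypeOf(Derived) === Base;       // true
}

// The class binding exists from the start of the enclosing scope but stays in
// its TDZ until the declaration is evaluated; using it early must throw.
function classBindingIsInTDZ() {
  let caught = null;
  try { new Later(); } catch (e) { caught = e; }
  class Later {}
  return caught instanceof ReferenceError;            // true
}
```

Each function returns the value named in its trailing comment; running the block under any ES6-capable engine (including a JSC build with these two changes) should give the same answers.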
2015-03-16  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Mac
        https://bugs.webkit.org/show_bug.cgi?id=142747

        Reviewed by Chris Dumez.

        * CMakeLists.txt:
        Include AugmentableInspectorController.h in CMake build.

2015-03-16  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Enable generating idiv instructions if it is supported
        https://bugs.webkit.org/show_bug.cgi?id=142725

        Reviewed by Michael Saboff.

        * assembler/ARMAssembler.h: Added sdiv and udiv implementation for ARM Traditional instruction set.
        (JSC::ARMAssembler::sdiv):
        (JSC::ARMAssembler::udiv):
        * assembler/ARMv7Assembler.h: Use HAVE(ARM_IDIV_INSTRUCTIONS) instead of CPU(APPLE_ARMV7S).
        * assembler/AbstractMacroAssembler.h:
        (JSC::isARMv7IDIVSupported):
        (JSC::optimizeForARMv7IDIVSupported):
        (JSC::isARMv7s): Renamed to isARMv7IDIVSupported().
        (JSC::optimizeForARMv7s): Renamed to optimizeForARMv7IDIVSupported().
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):

2015-03-15  Filip Pizlo  <fpizlo@apple.com>

        DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source, and emit GetStacks when the stack's value is needed and none is deferred
        https://bugs.webkit.org/show_bug.cgi?id=141624

        Reviewed by Geoffrey Garen.

        Not eliminating GetStacks was an obvious omission from the original PutStackSinkingPhase.
        Previously, we would treat GetStacks conservatively and assume that the stack slot
        escaped. That's pretty dumb, since a GetStack is a local load of the stack. This change
        makes GetStack a no-op from the standpoint of this phase's deferral analysis. At the end
        we either keep the GetStack (if there was no concrete deferral) or we replace it with an
        identity over the value that would have been stored by the deferred PutStack. Note that
        this might be a Phi that the phase creates, so this is strictly stronger than what GCSE
        could do.

        But this change revealed the fact that this phase never correctly handled side effects in
        case that we had done a GetStack, then a side-effect, and then found ourselves wanting the
        value on the stack due to (for example) a Phi on a deferred PutStack and that GetStack.
        Basically, it's only correct to use the SSA converter's incoming value mapping if we have
        a concrete deferral - since anything but a concrete deferral may imply that the value has
        been clobbered.

        This has no performance change. I believe that the bug was previously benign because we
        have so few operations that clobber the stack anymore, and most of those get used in a
        very idiomatic way. The GetStack elimination will be very useful for the varargs
        simplification that is part of bug 141174.

        This includes a test for the case that Speedometer hit, plus tests for the other cases I
        thought of once I realized the deeper issue.

        * dfg/DFGPutStackSinkingPhase.cpp:
        * tests/stress/get-stack-identity-due-to-sinking.js: Added.
        (foo):
        (bar):
        * tests/stress/get-stack-mapping-with-dead-get-stack.js: Added.
        (bar):
        (foo):
        * tests/stress/get-stack-mapping.js: Added.
        (bar):
        (foo):
        * tests/stress/weird-put-stack-varargs.js: Added.
        (baz):
        (foo):
        (fuzz):
        (bar):

2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>

        Update Map/Set to treat -0 and 0 as the same value
        https://bugs.webkit.org/show_bug.cgi?id=142709

        Reviewed by Csaba Osztrogonác.
3329