2015-04-03 Geoffrey Garen <ggaren@apple.com>
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
        is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
        is equal to 101100.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
        Added a comment explaining why.

2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>

        FTL JIT tests should fail if LLVM library isn't available
        https://bugs.webkit.org/show_bug.cgi?id=143374

        Reviewed by Mark Lam.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.h:

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Fix the EFL and GTK build after r182243
        https://bugs.webkit.org/show_bug.cgi?id=143361

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt: InspectorBackendCommands.js is generated in the
        DerivedSources/JavaScriptCore/inspector/ directory.

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, fixing Clang builds of the GTK port on Linux.

        * runtime/Options.cpp:
        Include the <math.h> header for isnan().

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Enhance ability to dump JSC Options.
        <https://webkit.org/b/143357>

        Reviewed by Benjamin Poulain.

        Some enhancements to how the JSC options work:

        1. Add a JSC_showOptions option which takes the values: 0 = None, 1 = Overridden only,
           2 = All, 3 = Verbose.

           The default is 0 (None).  This dumps nothing.
           With the Overridden setting, at VM initialization time, we will dump all
           option values that have been changed from their default.
           With the All setting, at VM initialization time, we will dump all option values.
           With the Verbose setting, at VM initialization time, we will dump all option
           values along with their descriptions (if available).

        2. We now store a copy of the default option values.

           We later use this for comparison to tell if an option has been overridden, and
           print the default value for reference.  As a result, we no longer need the
           didOverride flag since we can compute whether the option is overridden at any time.

        3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).

           This will come in handy later when we want to rename some of the options to more sane
           names that are easier to remember.  For example, we can change
           Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
           Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
           of the description, we can afford to use shorter and less descriptive option names,
           but they will be easier to remember and use for day to day debugging work.

           In this patch, I did not change the names of any of the options yet.  I only added
           description strings for options that I know about, and where I think the option name
           isn't already descriptive enough.

        4. Also deleted some unused code.

        * jsc.cpp:
        (CommandLine::parseArguments):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        (JSC::Options::setOption):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        (JSC::Options::Option::dump):
        (JSC::Options::Option::operator==):
        * runtime/Options.h:
        (JSC::OptionRange::rangeString):
        (JSC::Options::Option::Option):
        (JSC::Options::Option::operator!=):

2015-04-02  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.

        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue isArray]):
        (-[JSValue isDate]): Added an ObjC API.

        * API/JSValueRef.cpp:
        (JSValueIsArray):
        (JSValueIsDate):
        * API/JSValueRef.h: Added a C API.

        * API/WebKitAvailability.h: Brought our availability macros up to date
        and fixed a harmless bug where "10_10" translated to "10.0".

        * API/tests/testapi.c:
        (main): Added a test and corrected a pre-existing leak.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Added a test.

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Add Options::dumpSourceAtDFGTime().
        <https://webkit.org/b/143349>

        Reviewed by Oliver Hunt, and Michael Saboff.

        Sometimes, we will want to see the JS source code that we're compiling, and it
        would be nice to be able to do this without having to jump through a lot of hoops.
        So, let's add an Options::dumpSourceAtDFGTime() option just like we have an
        Options::dumpBytecodeAtDFGTime() option.

        Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
        that explicitly take no arguments (instead of relying on the version that takes
        the default argument).  These versions are friendlier to use when we want to call
        them from an interactive debugging session.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * runtime/Options.h:

2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up EnumerationMode to easily extend
        https://bugs.webkit.org/show_bug.cgi?id=143276

        Reviewed by Geoffrey Garen.

        To make the following easy,
        1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
        2. Making ExcludeSymbols implicitly the default for the existing flags
        we encapsulate the EnumerationMode flags into an EnumerationMode class.

        And this class manages 2 flags. Later it will be extended to 3.
        1. DontEnumPropertiesMode (default is Exclude)
        2. JSObjectPropertiesMode (default is Include)
        3. SymbolPropertiesMode (default is Exclude)
            SymbolPropertiesMode will be added in the Object.getOwnPropertySymbols patch.

        This patch replaces places using ExcludeDontEnumProperties
        with the EnumerationMode() value, which represents the default mode.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeDontEnumProperties):
        (JSC::EnumerationMode::includeJSObjectProperties):
        (JSC::shouldIncludeDontEnumProperties): Deleted.
        (JSC::shouldExcludeDontEnumProperties): Deleted.
        (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
        (JSC::modeThatSkipsJSObject): Deleted.
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnNonIndexPropertyNames):
        (JSC::RegExpObject::getPropertyNames):
        (JSC::RegExpObject::getGenericPropertyNames):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

2015-04-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Windows and Mac.
        https://bugs.webkit.org/show_bug.cgi?id=143293

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Enabled using assembly on Windows.
        Replaced unix commands with CMake commands.
        * PlatformMac.cmake:
        Tell open source builders where to find unicode headers.

2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        IteratorClose should be called when jumping over the target for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=143140

        Reviewed by Geoffrey Garen.

        This patch fixes labeled break/continue behaviors with for-of and iterators.

        1. Support IteratorClose beyond multiple loop contexts
        Previously, IteratorClose was only executed in for-of's breakTarget().
        However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
        For example,
        outer: for (var e1 of outer) {
            inner: for (var e2 of inner) {
                break outer;
            }
        }
        In this case, the return method of inner should be called.
        We leverage the existing system for `finally` to execute the inner.return method correctly.
        Leveraging the `finally` system fixes the `break`, `continue` and `return` cases.
        The `throw` case is already supported by emitting try-catch handlers in for-of.

        2. Incorrect LabelScope creation is done in ForOfNode
        ForOfNode creates a duplicated LabelScope.
        It causes an infinite loop when executing the following program, which contains
        an explicitly labeled for-of loop.
        For example,
        inner: for (var elm of array) {
            continue inner;
        }

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::pushIteratorCloseContext):
        (JSC::BytecodeGenerator::popFinallyContext):
        (JSC::BytecodeGenerator::popIteratorCloseContext):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorClose):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForOfNode::emitBytecode):
        * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
        (createIterator.iterator.return):
        (createIterator):
        * tests/stress/raise-error-in-iterator-close.js: Added.
        (createIterator.iterator.return):
        (createIterator):

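The IteratorClose behaviour the entry above describes, as an added example that is not part of the WebKit ChangeLog or the JavaScriptCore tests: a constructed iterable whose iterator logs calls to its return() method, exercised by the labeled break and labeled continue programs from the entry plus the return and throw cases. The createIterator helper and the log format are assumptions made for this illustration; a conforming engine must close the inner iterator first and then the outer one.

```javascript
// Constructed iterable: yields `count` values and records every return() call
// in `log` so a test can see when IteratorClose ran.
function createIterator(name, log, count = 3) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          return i < count ? { value: i++, done: false } : { value: undefined, done: true };
        },
        // IteratorClose calls this whenever the loop is left before exhaustion.
        return() {
          log.push(name + ".return");
          return { done: true };
        },
      };
    },
  };
}

// Case 1 from the entry: `break outer` from the inner loop must close both
// iterators, innermost first.
function labeledBreakLog() {
  const log = [];
  outer: for (const e1 of createIterator("outer", log)) {
    inner: for (const e2 of createIterator("inner", log)) {
      break outer;
    }
  }
  return log; // ["inner.return", "outer.return"]
}

// Case 2 from the entry: `continue inner` on an explicitly labeled for-of
// must run to completion (the entry describes an infinite loop here). An
// iterator that is consumed to the end is not closed, so the log stays empty.
function labeledContinueLog() {
  const log = [];
  let iterations = 0;
  inner: for (const elm of createIterator("inner", log)) {
    iterations++;
    continue inner;
  }
  return { iterations, log }; // { iterations: 3, log: [] }
}

// `return` from inside nested loops also closes both iterators, inner first.
function returnFromNestedLoopsLog() {
  const log = [];
  (function () {
    for (const e1 of createIterator("outer", log)) {
      for (const e2 of createIterator("inner", log)) {
        return e2;
      }
    }
  })();
  return log; // ["inner.return", "outer.return"]
}

// `throw` inside the body closes the iterator before the exception reaches
// the surrounding catch (the entry notes for-of already handled this path).
function throwFromLoopLog() {
  const log = [];
  try {
    for (const e of createIterator("thrower", log)) {
      throw new Error("body failed");
    }
  } catch (e) {
    log.push("caught:" + e.message);
  }
  return log; // ["thrower.return", "caught:body failed"]
}
```

Each function returns the recorded log rather than printing it, so the four cases can be checked mechanically against the expected close order.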
2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Symbol.unscopables
        https://bugs.webkit.org/show_bug.cgi?id=142829

        Reviewed by Geoffrey Garen.

        This patch introduces Symbol.unscopables functionality.
        In ES6, some generic names (like keys, values) are introduced
        as Array method names. And this breaks the web since some web sites
        use code like the following.

        var values = ...;
        with (array) {
            values;  // This values is trapped by array's method "values".
        }

        To fix this, Symbol.unscopables introduces a blacklist
        for with-scope trapping. When resolving scope,
        if the name is found in the target scope and the target scope is a with scope,
        we check the Symbol.unscopables object to filter generic names.

        This functionality is only active for with scopes.
        The global scope does not have unscopables functionality.

        And since
        1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
        2) in that case, JSScope::resolve is always used in the JIT and LLInt,
        3) the code which contains an op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
        to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
        So the performance regression is only visible in the Dynamic resolving case, and it is already very slow.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::runtimeFlags):
        * runtime/JSScope.cpp:
        (JSC::isUnscopable):
        (JSC::JSScope::resolve):
        * runtime/JSScope.h:
        (JSC::ScopeChainIterator::scope):
        * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
        (test):
        * tests/stress/unscopables.js: Added.
        (test):
        (.):

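The Symbol.unscopables resolution rule from the entry above, as an added example that is not part of the WebKit ChangeLog or the JavaScriptCore tests. It reproduces the `with (array)` situation with a page-level `values` variable, shows the same mechanism on an ordinary object, and checks that the global scope ignores Symbol.unscopables. The resolveInWith helper, the jscDemoGlobal name and the sample values are assumptions made for this illustration; the helper builds its probe with the Function constructor because code created that way is always sloppy mode, where `with` is permitted.

```javascript
// Declare a function-local `name` holding `outerValue`, then read `name`
// inside `with (scope)`. Whatever comes back tells us whether the with scope
// trapped the name or Symbol.unscopables let the outer binding through.
function resolveInWith(scope, name, outerValue) {
  const probe = new Function(
    "scope", "outer",
    "var " + name + " = outer; with (scope) { return " + name + "; }"
  );
  return probe(scope, outerValue);
}

// The situation from the entry: Array.prototype.values exists in ES6, but
// Array.prototype[Symbol.unscopables].values is true, so `values` inside
// `with (array)` still resolves to the surrounding variable. `length` is not
// blacklisted and is trapped as before.
function arrayValuesIsUnscopable() {
  const array = [1, 2, 3];
  return {
    valuesListed: Array.prototype[Symbol.unscopables].values === true,
    values: resolveInWith(array, "values", "outer values"), // "outer values"
    length: resolveInWith(array, "length", "outer length"), // 3
  };
}

// Any object can opt names out of `with` trapping the same way.
function customUnscopables() {
  const obj = { x: 1, y: 2, [Symbol.unscopables]: { x: true } };
  return {
    x: resolveInWith(obj, "x", "outer x"), // "outer x": filtered by unscopables
    y: resolveInWith(obj, "y", "outer y"), // 2: ordinary with-scope lookup
  };
}

// The global scope has no unscopables functionality: putting the property on
// globalThis does not hide a global from ordinary identifier resolution.
function globalScopeIgnoresUnscopables() {
  globalThis.jscDemoGlobal = "global value";
  globalThis[Symbol.unscopables] = { jscDemoGlobal: true };
  try {
    return new Function("return jscDemoGlobal;")(); // "global value"
  } finally {
    delete globalThis[Symbol.unscopables];
    delete globalThis.jscDemoGlobal;
  }
}
```

The three probe functions return the resolved values so the expected outcomes can be asserted directly; the global-scope check cleans up the properties it installs.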
2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 class syntax should allow static setters and getters
        https://bugs.webkit.org/show_bug.cgi?id=143180

        Reviewed by Filip Pizlo.

        Apparently I misread the spec when I initially implemented parseClass.
        ES6 class syntax allows static getters and setters so just allow that.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-03-31  Filip Pizlo  <fpizlo@apple.com>

        PutClosureVar CSE def() rule has a wrong base
        https://bugs.webkit.org/show_bug.cgi?id=143280

        Reviewed by Michael Saboff.

        I think that this code was incorrect in a benign way, since the base of a
        PutClosureVar is not a JS-visible object. But it was preventing some optimizations.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182200.
        https://bugs.webkit.org/show_bug.cgi?id=143279

        Probably causing assertion extravaganza on bots. (Requested by
        kling on #webkit).

        Reverted changeset:

        "Logically empty WeakBlocks should not pin down their
        MarkedBlocks indefinitely."
        https://bugs.webkit.org/show_bug.cgi?id=143210
        http://trac.webkit.org/changeset/182200

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up Identifier factories to clarify the meaning of StringImpl*
        https://bugs.webkit.org/show_bug.cgi?id=143146

        Reviewed by Filip Pizlo.

        In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
        However, it's ambiguous because `StringImpl*` has 2 different meanings:
        1) a normal string, which is replaceable with `WTFString`, and
        2) a `uid`, which holds `isSymbol` information to represent Symbols.
        So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
        + `Identifier::fromString(VM*/ExecState*, const String&)`.
        Just constructs an Identifier from strings. The symbol-ness of StringImpl* is not kept.
        + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
        This function is used for 2) `uid`. So the symbol-ness of `StringImpl*` is kept.

        And to clean up `StringImpl` which is used as a uid,
        we introduce `StringKind` into `StringImpl`. There are 3 kinds:
        1. StringNormal (non-atomic, non-symbol)
        2. StringAtomic (atomic, non-symbol)
        3. StringSymbol (non-atomic, symbol)
        They are mutually exclusive. And the (atomic, symbol) case should not exist.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        (JSC::BytecodeGenerator::emitEnumeration):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        (functionRun):
        (runWithScripts):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::createBindingPattern):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        (JSC::IdentifierArena::makeNumericIdentifier):
        * runtime/ArgumentsIteratorPrototype.cpp:
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncPush):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::hasErrorInfo):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/Identifier.h:
        (JSC::Identifier::isSymbol):
        (JSC::Identifier::Identifier):
        (JSC::Identifier::from): Deleted.
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::fromUid):
        (JSC::Identifier::fromString):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        (JSC::makeIdentifier):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::makeIdentifier):
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::addKnownUnique):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/SymbolConstructor.cpp:
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):

2015-03-31  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done).

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
        https://bugs.webkit.org/show_bug.cgi?id=142883

        Reviewed by Filip Pizlo.

        The crash was caused by eval inside the constructor of a derived class not checking the TDZ.

        Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
        in eval inside a derived class's constructor.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::thisExpr):
        * parser/NodeConstructors.h:
        (JSC::ThisNode::ThisNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::thisExpr):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
        * tests/stress/class-syntax-tdz-in-eval.js: Added.

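The TDZ rule behind the entry above, as an added example that is not part of the WebKit ChangeLog or the JavaScriptCore tests: in a derived class constructor `this` is uninitialized until super() returns, and a direct eval in that constructor must apply the same check, so the access reports a ReferenceError instead of reading an uninitialized value. The Base and Derived classes and the probe helper are constructed for this illustration.

```javascript
class Base {
  constructor() {
    this.foo = "from Base";
  }
}

class Derived extends Base {
  constructor(touchThisBeforeSuper) {
    if (touchThisBeforeSuper) {
      // Direct eval resolves `this` through the enclosing constructor's
      // environment, where it is still in its temporal dead zone: a
      // conforming engine throws a ReferenceError here.
      eval("this.foo");
    }
    super();
    // After super() the TDZ is over and eval can read `this` normally.
    this.viaEval = eval("this.foo");
  }
}

// Drive both paths and report what happened without letting the exception
// escape, so the outcome can be inspected as a value.
function probe(touchThisBeforeSuper) {
  try {
    return { ok: true, value: new Derived(touchThisBeforeSuper).viaEval };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
// probe(true)  -> { ok: false, error: "ReferenceError" }
// probe(false) -> { ok: true, value: "from Base" }
```

The no-tdz and tdz stress tests listed in the entry cover the same two paths; here they are folded into one function whose return value distinguishes them.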
2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182186.
        https://bugs.webkit.org/show_bug.cgi?id=143270

        it crashes all the WebGL tests on the Debug bots (Requested by
        dino on #webkit).

        Reverted changeset:

        "Web Inspector: add 2D/WebGL canvas instrumentation
        infrastructure"
        https://bugs.webkit.org/show_bug.cgi?id=137278
        http://trac.webkit.org/changeset/182186

691 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
692
693         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
694         https://bugs.webkit.org/show_bug.cgi?id=142937
695
696         Reviewed by Darin Adler.
697
698         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
699         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
700         But now, several functions perform ToObject onto a non-object parameter.
701         And others behave as if a parameter is a non-extensible ordinary object with no own properties.
702         It is described in ES6 Annex E.
703         The functions that differ from ES5 are the following.
704
705         1. An attempt is made to coerce the argument using ToObject.
706             Object.getOwnPropertyDescriptor
707             Object.getOwnPropertyNames
708             Object.getPrototypeOf
709             Object.keys
710
711         2. Treated as if it was a non-extensible ordinary object with no own properties.
712             Object.freeze
713             Object.isExtensible
714             Object.isFrozen
715             Object.isSealed
716             Object.preventExtensions
717             Object.seal
718
719         * runtime/ObjectConstructor.cpp:
720         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
721         (JSC::objectConstructorGetPrototypeOf):
722         (JSC::objectConstructorGetOwnPropertyDescriptor):
723         (JSC::objectConstructorGetOwnPropertyNames):
724         (JSC::objectConstructorKeys):
725         (JSC::objectConstructorSeal):
726         (JSC::objectConstructorFreeze):
727         (JSC::objectConstructorPreventExtensions):
728         (JSC::objectConstructorIsSealed):
729         (JSC::objectConstructorIsFrozen):
730         (JSC::objectConstructorIsExtensible):
731         * tests/stress/object-freeze-accept-non-object.js: Added.
732         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
733         (canary):
734         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
735         (compare):
736         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
737         * tests/stress/object-is-extensible-accept-non-object.js: Added.
738         * tests/stress/object-is-frozen-accept-non-object.js: Added.
739         * tests/stress/object-is-sealed-accept-non-object.js: Added.
740         * tests/stress/object-keys-perform-to-object.js: Added.
741         (compare):
742         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
743         * tests/stress/object-seal-accept-non-object.js: Added.
744
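The two groups listed above, exercised on constructed sample values as an added JavaScript example (it is not part of the WebKit change or its test files). It runs on any ES6-conformant engine and also covers the edge case the entry leaves implicit: null and undefined still throw for the ToObject group but pass straight through the non-extensible group.

```javascript
// Added example (not from the WebKit change or its tests): the ES6 Annex E relaxation
// of Object.* on non-object arguments, run against constructed sample values.

// Group 1: the argument is coerced with ToObject, so a primitive is inspected through
// its wrapper object, while null and undefined still throw a TypeError.
function describePrimitive(value) {
  return {
    keys: Object.keys(value),                                   // own enumerable keys of the wrapper
    ownNames: Object.getOwnPropertyNames(value),                // includes non-enumerable ones
    proto: Object.getPrototypeOf(value),                        // the wrapper's prototype
    lengthDescriptor: Object.getOwnPropertyDescriptor(value, "length"),
  };
}

// Group 2: a non-object is treated as a non-extensible ordinary object with no own
// properties, so the mutators return it unchanged and the predicates answer accordingly.
function nonObjectGroup(value) {
  return {
    frozen: Object.freeze(value) === value,
    sealed: Object.seal(value) === value,
    prevented: Object.preventExtensions(value) === value,
    isExtensible: Object.isExtensible(value),                   // false
    isFrozen: Object.isFrozen(value),                           // true
    isSealed: Object.isSealed(value),                           // true
  };
}

function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// The edge case on which the two groups differ: null and undefined.
function nullBehaviour() {
  return {
    keysThrows: throwsTypeError(() => Object.keys(null)),                   // ToObject(null) throws
    getPrototypeOfThrows: throwsTypeError(() => Object.getPrototypeOf(undefined)),
    freezeThrows: throwsTypeError(() => Object.freeze(null)),               // false: passes through
    isFrozenOfNull: Object.isFrozen(null),                                  // true
  };
}

// Code that relied on the ES5 TypeError as an implicit "is this an object" guard
// (for instance when validating untrusted JSON before walking its keys) now needs
// an explicit test.
function isObjectLike(value) {
  return value !== null && (typeof value === "object" || typeof value === "function");
}
```

The last function is the practical consequence: a caller that used `Object.keys(input)` and caught the TypeError as its type check silently accepts strings and numbers under ES6 semantics, so the check has to be made explicit.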
745 2015-03-31  Matt Baker  <mattbaker@apple.com>
746
747         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
748         https://bugs.webkit.org/show_bug.cgi?id=137278
749
750         Reviewed by Timothy Hatcher.
751
752         Added Canvas protocol which defines types used by InspectorCanvasAgent.
753
754         * CMakeLists.txt:
755         * DerivedSources.make:
756         * inspector/protocol/Canvas.json: Added.
757
758         * inspector/scripts/codegen/generator.py:
759         (Generator.stylized_name_for_enum_value):
760         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
761
762 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
763
764         Extending null should set __proto__ to null
765         https://bugs.webkit.org/show_bug.cgi?id=142882
766
767         Reviewed by Geoffrey Garen and Benjamin Poulain.
768
769         Set Derived.prototype.__proto__ to null when extending null.
770
771         * bytecompiler/NodesCodegen.cpp:
772         (JSC::ClassExprNode::emitBytecode):
773
774 2015-03-30  Mark Lam  <mark.lam@apple.com>
775
776         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
777         <https://webkit.org/b/143105>
778
779         Reviewed by Filip Pizlo.
780
781         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
782         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
783         JIT frames that may have their scope register not set.  The Debugger's current implementation
784         which relies on the scope register is not happy about this.  For example, this results in a
785         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
786
787         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
788         ensure that the scope register value is flushed to the register in the stack frame.
789
790         * dfg/DFGByteCodeParser.cpp:
791         (JSC::DFG::ByteCodeParser::ByteCodeParser):
792         (JSC::DFG::ByteCodeParser::setLocal):
793         (JSC::DFG::ByteCodeParser::flush):
794         - Add code to flush the scope register.
795         (JSC::DFG::ByteCodeParser::inliningCost):
796         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
797           disabling inlining whenever the debugger is in use.
798         * dfg/DFGGraph.cpp:
799         (JSC::DFG::Graph::Graph):
800         * dfg/DFGGraph.h:
801         (JSC::DFG::Graph::hasDebuggerEnabled):
802         * dfg/DFGStackLayoutPhase.cpp:
803         (JSC::DFG::StackLayoutPhase::run):
804         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
805         * ftl/FTLCompile.cpp:
806         (JSC::FTL::mmAllocateDataSection):
807         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
808
809 2015-03-30  Michael Saboff  <msaboff@apple.com>
810
811         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
812         https://bugs.webkit.org/show_bug.cgi?id=138391
813
814         Reviewed by Mark Lam.
815
816         Re-enabling these tests as I can't get them to fail on local iOS test devices.
817         There have been many changes since these tests were disabled.
818         I'll watch automated test results for failures.  If there are failures running automated
819         testing, it might be due to the device's relative CPU performance.
820         
821         * tests/stress/float32-repeat-out-of-bounds.js:
822         * tests/stress/int8-repeat-out-of-bounds.js:
823
824 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
825
826         Web Inspector: Regression: Preview for [[null]] shouldn't be []
827         https://bugs.webkit.org/show_bug.cgi?id=143208
828
829         Reviewed by Mark Lam.
830
831         * inspector/InjectedScriptSource.js:
832         Handle null when generating simple object previews.
833
834 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
835
836         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
837         https://bugs.webkit.org/show_bug.cgi?id=143134
838
839         Reviewed by Geoffrey Garen.
840
841         * jit/JSInterfaceJIT.h:
842         * jit/Repatch.cpp:
843         (JSC::tryCacheGetByID):
844
845 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
846
847         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
848         https://bugs.webkit.org/show_bug.cgi?id=143104
849
850         Reviewed by Geoffrey Garen.
851         
852         Created a test that is a 100% repro of the flaky failure. This test is called
853         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
854         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
855         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
856         
857         Also created three more tests for three similar, but not identical, failures.
858         
859         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
860         only reading those parts of the stack that are relevant to the current semantic code origin.
861         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
862         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
863         read parts of the stack associated with the inline call frame for the phantom arguments. This
864         may not be subsumed by the current semantic origin's stack area in cases that the arguments
865         were allowed to "locally" escape.
866         
867         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
868         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
869         the stack due to function.arguments, but there are a bunch of other ways that we could also
870         read the stack and those operations may read any stack slot. I believe that this change makes
871         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
872         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
873         readTop() in PreciseLocalClobberize does the right thing.
874
875         * dfg/DFGClobberize.h:
876         (JSC::DFG::clobberize):
877         * dfg/DFGPreciseLocalClobberize.h:
878         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
879         * dfg/DFGPutStackSinkingPhase.cpp:
880         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
881         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
882         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
883         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
884         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
885
886 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
887
888         Start the features.json files
889         https://bugs.webkit.org/show_bug.cgi?id=143207
890
891         Reviewed by Darin Adler.
892
893         Start the features.json files to have something to experiment
894         with for the UI.
895
896         * features.json: Added.
897
898 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
899
900         [Win] Addressing post-review comment after r182122
901         https://bugs.webkit.org/show_bug.cgi?id=143189
902
903         Unreviewed.
904
905 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
906
907         [Win] Allow building JavaScriptCore without Cygwin
908         https://bugs.webkit.org/show_bug.cgi?id=143189
909
910         Reviewed by Brent Fulgham.
911
912         Paths like /usr/bin/ don't exist on Windows.
913         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
914         Prefixing commands with environment variables doesn't work on Windows.
915         Windows doesn't have 'cmp'.
916         Windows uses 'del' instead of 'rm'.
917         Windows uses 'type NUL' instead of 'touch'.
918
919         * DerivedSources.make:
920         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
921         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
922         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
923         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
924         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
925         * JavaScriptCore.vcxproj/build-generated-files.pl:
926         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
927
928 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
929
930         Clean up JavaScriptCore/builtins
931         https://bugs.webkit.org/show_bug.cgi?id=143177
932
933         Reviewed by Ryosuke Niwa.
934
935         * builtins/ArrayConstructor.js:
936         (from):
937         - We can compare to undefined instead of using a typeof undefined check.
938         - Converge on double quoted strings everywhere.
939
940         * builtins/ArrayIterator.prototype.js:
941         (next):
942         * builtins/StringIterator.prototype.js:
943         (next):
944         - Use shorthand object construction to avoid duplication.
945         - Improve grammar in error messages.
946
947         * tests/stress/array-iterators-next-with-call.js:
948         * tests/stress/string-iterators.js:
949         - Update for new error message strings.
950
951 2015-03-28  Saam Barati  <saambarati1@gmail.com>
952
953         Web Inspector: ES6: Better support for Symbol types in Type Profiler
954         https://bugs.webkit.org/show_bug.cgi?id=141257
955
956         Reviewed by Joseph Pecoraro.
957
958         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
959         type profiler support this new primitive type.
960
961         * dfg/DFGFixupPhase.cpp:
962         (JSC::DFG::FixupPhase::fixupNode):
963         * inspector/protocol/Runtime.json:
964         * runtime/RuntimeType.cpp:
965         (JSC::runtimeTypeForValue):
966         * runtime/RuntimeType.h:
967         (JSC::runtimeTypeIsPrimitive):
968         * runtime/TypeSet.cpp:
969         (JSC::TypeSet::addTypeInformation):
970         (JSC::TypeSet::dumpTypes):
971         (JSC::TypeSet::doesTypeConformTo):
972         (JSC::TypeSet::displayName):
973         (JSC::TypeSet::inspectorTypeSet):
974         (JSC::TypeSet::toJSONString):
975         * runtime/TypeSet.h:
976         (JSC::TypeSet::seenTypes):
977         * tests/typeProfiler/driver/driver.js:
978         * tests/typeProfiler/symbol.js: Added.
979         (wrapper.foo):
980         (wrapper.bar):
981         (wrapper.bar.bar.baz):
982         (wrapper):
983
984 2015-03-27  Saam Barati  <saambarati1@gmail.com>
985
986         Deconstruction parameters are bound too late
987         https://bugs.webkit.org/show_bug.cgi?id=143148
988
989         Reviewed by Filip Pizlo.
990
991         Currently, a deconstruction pattern named with the same
992         name as a function will shadow the function. This is
993         wrong. It should be the other way around.
994
995         * bytecompiler/BytecodeGenerator.cpp:
996         (JSC::BytecodeGenerator::generate):
997
998 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
999
1000         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
1001         https://bugs.webkit.org/show_bug.cgi?id=143170
1002
1003         Reviewed by Benjamin Poulain.
1004
1005         Assert that we never use the 16-bit version of the parser to parse a default constructor
1006         since both base and derived default constructors should be using an 8-bit string.
1007
1008         * parser/Parser.h:
1009         (JSC::parse):
1010
1011 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1012
1013         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
1014         https://bugs.webkit.org/show_bug.cgi?id=142862
1015
1016         Reviewed by Benjamin Poulain.
1017
1018         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
1019
1020         * tests/stress/class-syntax-derived-default-constructor.js: Added.
1021
1022 2015-03-27  Michael Saboff  <msaboff@apple.com>
1023
1024         load8Signed() and load16Signed() should be renamed to avoid confusion
1025         https://bugs.webkit.org/show_bug.cgi?id=143168
1026
1027         Reviewed by Benjamin Poulain.
1028
1029         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
1030
1031         * assembler/MacroAssemblerARM.h:
1032         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
1033         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
1034         (JSC::MacroAssemblerARM::load8Signed): Deleted.
1035         (JSC::MacroAssemblerARM::load16Signed): Deleted.
1036         * assembler/MacroAssemblerARM64.h:
1037         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
1038         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1039         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
1040         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
1041         * assembler/MacroAssemblerARMv7.h:
1042         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
1043         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
1044         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
1045         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
1046         * assembler/MacroAssemblerMIPS.h:
1047         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1048         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1049         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
1050         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
1051         * assembler/MacroAssemblerSH4.h:
1052         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
1053         (JSC::MacroAssemblerSH4::load8):
1054         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
1055         (JSC::MacroAssemblerSH4::load16):
1056         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
1057         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
1058         * assembler/MacroAssemblerX86Common.h:
1059         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
1060         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
1061         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
1062         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
1063         * dfg/DFGSpeculativeJIT.cpp:
1064         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1065         * jit/JITPropertyAccess.cpp:
1066         (JSC::JIT::emitIntTypedArrayGetByVal):
1067
1068 2015-03-27  Michael Saboff  <msaboff@apple.com>
1069
1070         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
1071         https://bugs.webkit.org/show_bug.cgi?id=138390
1072
1073         Reviewed by Mark Lam.
1074
1075         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
1076         instead of 64 bits.  This is what X86-64 does.
1077
1078         * assembler/MacroAssemblerARM64.h:
1079         (JSC::MacroAssemblerARM64::load16Signed):
1080         (JSC::MacroAssemblerARM64::load8Signed):
1081
1082 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1083
1084         Add back previously broken assert from bug 141869
1085         https://bugs.webkit.org/show_bug.cgi?id=143005
1086
1087         Reviewed by Michael Saboff.
1088
1089         * runtime/ExceptionHelpers.cpp:
1090         (JSC::invalidParameterInSourceAppender):
1091
1092 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1093
1094         Make some more objects use FastMalloc
1095         https://bugs.webkit.org/show_bug.cgi?id=143122
1096
1097         Reviewed by Csaba Osztrogonác.
1098
1099         * API/JSCallbackObject.h:
1100         * heap/IncrementalSweeper.h:
1101         * jit/JITThunks.h:
1102         * runtime/JSGlobalObjectDebuggable.h:
1103         * runtime/RegExpCache.h:
1104
1105 2015-03-27  Michael Saboff  <msaboff@apple.com>
1106
1107         Objects with numeric properties intermittently get a phantom 'length' property
1108         https://bugs.webkit.org/show_bug.cgi?id=142792
1109
1110         Reviewed by Csaba Osztrogonác.
1111
1112         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
1113         test and branch instructions.  This function is used for linking tbz/tbnz branches between
1114         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
1115         the failure case checks in the GetById array length stub created for "obj.length" access.
1116         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
1117         being set when we should have been looking for bit 0.
1118
1119         * assembler/ARM64Assembler.h:
1120         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
1121
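The slip described in this entry (a `>` where a `>>` belongs) turns a bit-field extraction into a boolean, and the result is a branch that tests the wrong bit. An encode/decode round-trip over the field boundaries catches that class of error before it reaches linked code. The following is an added example, written as a hypothetical JavaScript reconstruction of ARM64 TBZ/TBNZ encoding and decoding rather than JSC's ARM64Assembler.h; the "buggy" decoder is a constructed variant of the same operator slip, not the original expression, and all sample encodings are constructed.

```javascript
// Added example: encoding and decoding the ARM64 TBZ/TBNZ (test bit and branch)
// instruction, plus a round-trip self-check of the kind that catches a wrong
// bit-field decode. Hypothetical reconstruction; not JSC's ARM64Assembler.h.
//
// TBZ/TBNZ layout (32 bits):  b5 | 011011 | op | b40    | imm14 | Rt
//                             31 | 30..25 | 24 | 23..19 | 18..5 | 4..0
// bit number tested = (b5 << 5) | b40; branch target = PC + signext(imm14) * 4.

const TEST_AND_BRANCH_OPCODE = 0x1b;      // the fixed 011011 field at bits 30..25

function encodeTestAndBranch(isTbnz, bitNumber, rt, byteOffset) {
  if (bitNumber < 0 || bitNumber > 63) throw new RangeError("bit number out of range");
  if (byteOffset % 4 !== 0 || byteOffset < -32768 || byteOffset > 32764)
    throw new RangeError("offset must be a multiple of 4 within the signed 14-bit word range");
  const imm14 = (byteOffset >> 2) & 0x3fff;   // word offset, two's complement in 14 bits
  const b5 = (bitNumber >> 5) & 1;            // high bit of the bit number
  const b40 = bitNumber & 0x1f;               // low five bits of the bit number
  return ((b5 << 31) | (TEST_AND_BRANCH_OPCODE << 25) | ((isTbnz ? 1 : 0) << 24) |
          (b40 << 19) | (imm14 << 5) | (rt & 0x1f)) >>> 0;
}

// Correct decoder: each field is shifted down, then masked.
function decodeTestAndBranch(insn) {
  if (((insn >>> 25) & 0x3f) !== TEST_AND_BRANCH_OPCODE) return null;   // not TBZ/TBNZ
  return {
    isTbnz: ((insn >>> 24) & 1) === 1,
    bitNumber: ((insn >>> 26) & 0x20) | ((insn >>> 19) & 0x1f),  // b5 lands in bit 5, b40 in bits 4..0
    rt: insn & 0x1f,
    byteOffset: ((insn << 13) >> 18) << 2,   // sign-extend imm14 (bits 18..5), then scale by 4
  };
}

// Constructed variant of the operator slip the entry describes: `insn > 19` is a
// comparison, not a shift, so b40 decodes as 0 or 1 whatever the field holds and a
// "test bit 0" instruction is read back as "test bit 1".
function decodeTestAndBranchBuggy(insn) {
  const d = decodeTestAndBranch(insn);
  if (d === null) return null;
  d.bitNumber = ((insn >>> 26) & 0x20) | ((insn > 19) & 0x1f);  // BUG: `>` where `>>>` belongs
  return d;
}

// Round-trip property check over the field boundaries (bit 0/31/32/63, extreme and
// negative offsets): encode -> decode must reproduce every field.
function roundTripCheck(decode) {
  const bits = [0, 1, 31, 32, 63];
  const offsets = [-32768, -4, 0, 4, 32764];
  for (const isTbnz of [false, true])
    for (const bit of bits)
      for (const off of offsets) {
        const d = decode(encodeTestAndBranch(isTbnz, bit, 5, off));
        if (!d || d.isTbnz !== isTbnz || d.bitNumber !== bit || d.rt !== 5 || d.byteOffset !== off)
          return false;
      }
  return true;
}
```

`roundTripCheck(decodeTestAndBranch)` holds, while `roundTripCheck(decodeTestAndBranchBuggy)` fails on the very first case (bit 0 decodes as bit 1), which is the mismatch the entry reports for the GetById array-length stub's failure-case branch.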
1122 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1123
1124         Insert exception check around toPropertyKey call
1125         https://bugs.webkit.org/show_bug.cgi?id=142922
1126
1127         Reviewed by Geoffrey Garen.
1128
1129         In some places, an exception check is missing after/before toPropertyKey.
1130         However, since it calls toString, this is observable to users.
1131
1132         Missing exception checks in Object.prototype methods can be
1133         observed since it would be overridden with toObject(null/undefined) errors.
1134         We inserted exception checks after toPropertyKey.
1135
1136         Missing exception checks in GetById related code can be
1137         observed since it would be overridden with toObject(null/undefined) errors.
1138         In this case, we need to insert exception checks before/after toPropertyKey
1139         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
1140
1141         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
1142         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
1143         According to the spec, we first perform RequireObjectCoercible and check the exception.
1144         And second, we perform ToPropertyKey and check the exception.
1145         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
1146         For example, if the target is not object coercible,
1147         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
1148         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
1149
1150         This patch introduces JSValue::requireObjectCoercible and uses it for the following 2 reasons.
1151
1152         1. Using toObject instead of requireObjectCoercible produces an unnecessary wrapper object.
1153
1154         toObject converts primitive types into wrapper objects.
1155         But it is not efficient since wrapper objects are not necessary
1156         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
1157
1158         2. Using the result of toObject is not correct to the spec.
1159
1160         To align to the spec correctly, we cannot use JSObject::get
1161         by using the wrapper object produced by the toObject suggested in (1).
1162         If we use the JSObject that is converted by toObject, the getter will be called by using this JSObject as |this|.
1163         It is not correct since the getter should be called with the original |this| value, which may be a primitive type.
1164
1165         So in this patch, we use JSValue::requireObjectCoercible
1166         to check the target is object coercible and raise an error if it's not.
1167
1168         * dfg/DFGOperations.cpp:
1169         * jit/JITOperations.cpp:
1170         (JSC::getByVal):
1171         * llint/LLIntSlowPaths.cpp:
1172         (JSC::LLInt::getByVal):
1173         * runtime/CommonSlowPaths.cpp:
1174         (JSC::SLOW_PATH_DECL):
1175         * runtime/JSCJSValue.h:
1176         * runtime/JSCJSValueInlines.h:
1177         (JSC::JSValue::requireObjectCoercible):
1178         * runtime/ObjectPrototype.cpp:
1179         (JSC::objectProtoFuncHasOwnProperty):
1180         (JSC::objectProtoFuncDefineGetter):
1181         (JSC::objectProtoFuncDefineSetter):
1182         (JSC::objectProtoFuncLookupGetter):
1183         (JSC::objectProtoFuncLookupSetter):
1184         (JSC::objectProtoFuncPropertyIsEnumerable):
1185         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
1186         (shouldThrow):
1187         (if):
1188         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
1189         (shouldThrow):
1190         (.):
1191
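The ordering this entry describes is observable from script, because a key's toString is user code. The following is an added JavaScript example (not part of the WebKit change or its test files) that makes the order visible with a constructed key object whose toString records each call; it covers both orderings the entry distinguishes (keyed access checks the base first, Object.prototype methods convert the key first) and the |this| point from reason (2). The accessor it installs on Number.prototype is a constructed name and is removed again.

```javascript
// Added example (not from the WebKit change or its tests): the observable ordering of
// RequireObjectCoercible / ToObject against ToPropertyKey, made visible with a
// constructed key object whose toString records every call.

function makeSpyKey(log, behaviour = "return") {
  return {
    toString() {
      log.push("toString");
      if (behaviour === "throw") throw new RangeError("raised inside toString");
      return "x";                                               // constructed property name
    },
  };
}

// Keyed access on null: the base is rejected before the key is converted,
// so the TypeError surfaces and toString never runs.
function keyedAccessOnNull() {
  const log = [];
  const key = makeSpyKey(log);
  let threwTypeError = false;
  try { null[key]; } catch (e) { threwTypeError = e instanceof TypeError; }
  return { threwTypeError, toStringCalls: log.length };        // { true, 0 }
}

// Keyed access on a primitive: the base is object-coercible, so ToPropertyKey runs
// exactly once and the lookup proceeds (here to undefined) without a visible wrapper.
function keyedAccessOnPrimitive() {
  const log = [];
  const key = makeSpyKey(log);
  const value = "abc"[key];
  return { value, toStringCalls: log.length };                 // { undefined, 1 }
}

// Object.prototype methods: the key is converted first, then |this| is coerced, so an
// exception thrown by toString must win over the null/undefined TypeError instead of
// being overwritten by it. That is the missing check after toPropertyKey the entry fixes.
function hasOwnPropertyOnNull() {
  const log = [];
  const key = makeSpyKey(log, "throw");
  let error = "none";
  try { Object.prototype.hasOwnProperty.call(null, key); }
  catch (e) { error = e instanceof RangeError ? "RangeError" : e instanceof TypeError ? "TypeError" : "other"; }
  return { error, toStringCalls: log.length };                 // { "RangeError", 1 }
}

// Reason (2) in the entry: a getter reached through a primitive's prototype must see the
// primitive itself as |this|, not a wrapper produced by toObject. A strict-mode getter
// reveals which one it received. (Installs and removes a constructed accessor on
// Number.prototype.)
function getterThisOnPrimitive() {
  const name = "spyAccessor";                                   // constructed property name
  Object.defineProperty(Number.prototype, name, {
    get() { "use strict"; return typeof this; },
    configurable: true,
  });
  try { return (7)[name]; }                                     // "number", not "object"
  finally { delete Number.prototype[name]; }
}
```

The security-relevant reading is the first two functions together: toString on an attacker-supplied key must not run when the base is null or undefined, and must run exactly once otherwise, so a missing or duplicated check changes which user code executes and which error a caller sees.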
1192 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1193
1194         WebContent Crash when instantiating class with Type Profiling enabled
1195         https://bugs.webkit.org/show_bug.cgi?id=143037
1196
1197         Reviewed by Ryosuke Niwa.
1198
1199         * bytecompiler/BytecodeGenerator.h:
1200         * bytecompiler/BytecodeGenerator.cpp:
1201         (JSC::BytecodeGenerator::BytecodeGenerator):
1202         (JSC::BytecodeGenerator::emitMoveEmptyValue):
1203         We cannot profile the type of an uninitialized empty JSValue.
1204         Nor do we expect this to be necessary, since it is effectively
1205         an unseen undefined value. So add a way to put the empty value
1206         without profiling.
1207
1208         (JSC::BytecodeGenerator::emitMove):
1209         Add an assert to try to catch this issue early on, and force
1210         callers to explicitly use emitMoveEmptyValue instead.
1211
1212         * tests/typeProfiler/classes.js: Added.
1213         (wrapper.Base):
1214         (wrapper.Derived):
1215         (wrapper):
1216         Add test coverage both for this case and classes in general.
1217
1218 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1219
1220         Web Inspector: ES6: Provide a better view for Classes in the console
1221         https://bugs.webkit.org/show_bug.cgi?id=142999
1222
1223         Reviewed by Timothy Hatcher.
1224
1225         * inspector/protocol/Runtime.json:
1226         Provide a new `subtype` enum "class". This is a subtype of `type`
1227         "function", all other subtypes are subtypes of `object` types.
1228         For a class, the frontend will immediately want to get the prototype
1229         to enumerate its methods, so include the `classPrototype`.
1230
1231         * inspector/JSInjectedScriptHost.cpp:
1232         (Inspector::JSInjectedScriptHost::subtype):
1233         Denote class construction functions as "class" subtypes.
1234
1235         * inspector/InjectedScriptSource.js:
1236         Handling for the new "class" type.
1237
1238         * bytecode/UnlinkedCodeBlock.h:
1239         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
1240         * runtime/Executable.h:
1241         (JSC::FunctionExecutable::isClassConstructorFunction):
1242         * runtime/JSFunction.h:
1243         * runtime/JSFunctionInlines.h:
1244         (JSC::JSFunction::isClassConstructorFunction):
1245         Check if this function is a class constructor function. That information
1246         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
1247
1248 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1249
1250         Function.prototype.toString should not decompile the AST
1251         https://bugs.webkit.org/show_bug.cgi?id=142853
1252
1253         Reviewed by Darin Adler.
1254
1255         Following up on Darin's review comments.
1256
1257         * runtime/FunctionConstructor.cpp:
1258         (JSC::constructFunctionSkippingEvalEnabledCheck):
1259
1260 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1261
1262         "lineNo" does not match WebKit coding style guidelines
1263         https://bugs.webkit.org/show_bug.cgi?id=143119
1264
1265         Reviewed by Michael Saboff.
1266
1267         We can afford to use whole words.
1268
1269         * bytecode/CodeBlock.cpp:
1270         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1271         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
1272         * bytecode/UnlinkedCodeBlock.cpp:
1273         (JSC::UnlinkedFunctionExecutable::link):
1274         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1275         * bytecode/UnlinkedCodeBlock.h:
1276         * bytecompiler/NodesCodegen.cpp:
1277         (JSC::WhileNode::emitBytecode):
1278         * debugger/Debugger.cpp:
1279         (JSC::Debugger::toggleBreakpoint):
1280         * interpreter/Interpreter.cpp:
1281         (JSC::StackFrame::computeLineAndColumn):
1282         (JSC::GetStackTraceFunctor::operator()):
1283         (JSC::Interpreter::execute):
1284         * interpreter/StackVisitor.cpp:
1285         (JSC::StackVisitor::Frame::computeLineAndColumn):
1286         * parser/Nodes.h:
1287         (JSC::Node::firstLine):
1288         (JSC::Node::lineNo): Deleted.
1289         (JSC::StatementNode::firstLine): Deleted.
1290         * parser/ParserError.h:
1291         (JSC::ParserError::toErrorObject):
1292         * profiler/LegacyProfiler.cpp:
1293         (JSC::createCallIdentifierFromFunctionImp):
1294         * runtime/CodeCache.cpp:
1295         (JSC::CodeCache::getGlobalCodeBlock):
1296         * runtime/Executable.cpp:
1297         (JSC::ScriptExecutable::ScriptExecutable):
1298         (JSC::ScriptExecutable::newCodeBlockFor):
1299         (JSC::FunctionExecutable::fromGlobalCode):
1300         * runtime/Executable.h:
1301         (JSC::ScriptExecutable::firstLine):
1302         (JSC::ScriptExecutable::setOverrideLineNumber):
1303         (JSC::ScriptExecutable::hasOverrideLineNumber):
1304         (JSC::ScriptExecutable::overrideLineNumber):
1305         (JSC::ScriptExecutable::lineNo): Deleted.
1306         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
1307         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
1308         (JSC::ScriptExecutable::overrideLineNo): Deleted.
1309         * runtime/FunctionConstructor.cpp:
1310         (JSC::constructFunctionSkippingEvalEnabledCheck):
1311         * runtime/FunctionConstructor.h:
1312         * tools/CodeProfile.cpp:
1313         (JSC::CodeProfile::report):
1314         * tools/CodeProfile.h:
1315         (JSC::CodeProfile::CodeProfile):
1316
1317 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1318
1319         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
1320         https://bugs.webkit.org/show_bug.cgi?id=142974
1321
1322         Reviewed by Joseph Pecoraro.
1323
1324         This patch does two things:
1325
1326         (1) Restore JavaScriptCore's sanitization of line and column numbers to
1327         one-based values.
1328
1329         We need this because WebCore sometimes provides huge negative column
1330         numbers.
1331
1332         (2) Solve the attribute event listener line numbering problem a different
1333         way: Rather than offsetting all line numbers by -1 in an attribute event
1334         listener in order to arrange for a custom result, instead use an explicit
1335         feature for saying "all errors in this code should map to this line number".
1336
1337         * bytecode/UnlinkedCodeBlock.cpp:
1338         (JSC::UnlinkedFunctionExecutable::link):
1339         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1340         * bytecode/UnlinkedCodeBlock.h:
1341         * interpreter/Interpreter.cpp:
1342         (JSC::StackFrame::computeLineAndColumn):
1343         (JSC::GetStackTraceFunctor::operator()):
1344         * interpreter/Interpreter.h:
1345         * interpreter/StackVisitor.cpp:
1346         (JSC::StackVisitor::Frame::computeLineAndColumn):
1347         * parser/ParserError.h:
1348         (JSC::ParserError::toErrorObject): Plumb through an override line number.
1349         When a function has an override line number, all syntax and runtime
1350         errors in the function will map to it. This is useful for attribute event
1351         listeners.
1352  
1353         * parser/SourceCode.h:
1354         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
1355         column numbers to one-based integers. It was kind of a hack to remove this.
1356
1357         * runtime/Executable.cpp:
1358         (JSC::ScriptExecutable::ScriptExecutable):
1359         (JSC::FunctionExecutable::fromGlobalCode):
1360         * runtime/Executable.h:
1361         (JSC::ScriptExecutable::setOverrideLineNo):
1362         (JSC::ScriptExecutable::hasOverrideLineNo):
1363         (JSC::ScriptExecutable::overrideLineNo):
1364         * runtime/FunctionConstructor.cpp:
1365         (JSC::constructFunctionSkippingEvalEnabledCheck):
1366         * runtime/FunctionConstructor.h: Plumb through an override line number.
1367
1368 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1369
1370         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
1371
1372         Reviewed by Michael Saboff.
1373
1374         * jit/JITPropertyAccess.cpp:
1375         (JSC::JIT::emitScopedArgumentsGetByVal):
1376         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
1377
1378 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1379
1380         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
1381         https://bugs.webkit.org/show_bug.cgi?id=143098
1382
1383         Reviewed by Csaba Osztrogonác.
1384
1385         * ftl/FTLLowerDFGToLLVM.cpp:
1386         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
1387         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
1388
1389 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
1390
1391         Unreviewed gardening, skip failing tests on AArch64 Linux.
1392
1393         * tests/mozilla/mozilla-tests.yaml:
1394         * tests/stress/cached-prototype-setter.js:
1395
1396 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1397
1398         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
1399
1400         * dfg/DFGConstantFoldingPhase.cpp:
1401         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
1402         * ftl/FTLCompile.cpp:
1403         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
1404         * ftl/FTLState.cpp:
1405         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
1406         * ftl/FTLState.h:
1407
1408 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1409
1410         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
1411         right, so this just makes 32-bit do the same.
1412
1413         * dfg/DFGSpeculativeJIT32_64.cpp:
1414         (JSC::DFG::SpeculativeJIT::emitCall):
1415
1416 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1417
1418         Fix a typo that ggaren found but that I didn't fix before.
1419
1420         * runtime/DirectArgumentsOffset.h:
1421
1422 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1423
1424         Unreviewed, VC found a bug. This fixes the bug.
1425
1426         * dfg/DFGConstantFoldingPhase.cpp:
1427         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1428
1429 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1430
1431         Unreviewed, try to fix Windows build.
1432
1433         * runtime/ClonedArguments.cpp:
1434         (JSC::ClonedArguments::createWithInlineFrame):
1435
1436 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1437
1438         Unreviewed, fix debug build.
1439
1440         * bytecompiler/NodesCodegen.cpp:
1441         (JSC::ConstDeclNode::emitCodeSingle):
1442
1443 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1444
1445         Unreviewed, fix CLOOP build.
1446
1447         * dfg/DFGMinifiedID.h:
1448
1449 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1450
1451         Heap variables shouldn't end up in the stack frame
1452         https://bugs.webkit.org/show_bug.cgi?id=141174
1453
1454         Reviewed by Geoffrey Garen.
1455         
1456         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
1457         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
1458         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
1459         simplifications:
1460         
1461         - Accesses to variables no longer need checks or indirections to determine where the variable is
1462           at that moment in time. For example, loading a closure variable now takes just one load instead
1463           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
1464           (when no arguments object allocation is required) while previously that same operation required
1465           a "did I allocate arguments yet" check, a bounds check, and then the load.
1466         
1467         - Reasoning about the allocation of an activation or arguments object now follows the same simple
1468           logic as the allocation of any other kind of object. Previously, those objects were lazily
1469           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
1470           allocate anything at all. This made the implementation of traditional escape analyses really
1471           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
1472           arguments object using the usual SSA tricks which allows for more comprehensive removal.
1473         
1474         - The allocations of arguments objects, functions, and activations are now much faster. While
1475           this patch generally expands our ability to eliminate arguments object allocations, an earlier
1476           version of the patch - which lacked that functionality - was a progression on some arguments-
1477           and closure-happy benchmarks because although no allocations were eliminated, all allocations
1478           were faster.
1479         
1480         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
1481           its arguments objects or activations. The runtime doesn't have to do things to the arguments
1482           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
1483           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
1484           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
1485           now gone. This also enables implementing block-scoping. Without this change, block-scope
1486           support would require telling CodeBlock and all of the rest of the runtime about all of the
1487           variables that store currently-live scopes. That would have been so disastrously hard that it
1488           might as well be impossible. With this change, it's fair game for the bytecode generator to
1489           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
1490           however long it wants. This all works, because after bytecode generation, an activation is just
1491           an object and variables that refer to it are just normal variables.
1492         
1493         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
1494           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
1495           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
1496           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
1497           an arguments object.
1498         
1499         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
1500           using activations used to prevent inlining; now functions that use activations can be inlined
1501           just fine.
1502         
1503         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
1504         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
1505         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
1506         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
1507         
1508         The easiest way of understanding this change is to start by looking at the changes in runtime/,
1509         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
1510
1511         * CMakeLists.txt:
1512         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1513         * JavaScriptCore.xcodeproj/project.pbxproj:
1514         * assembler/AbortReason.h:
1515         * assembler/AbstractMacroAssembler.h:
1516         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
1517         * bytecode/ByValInfo.h:
1518         (JSC::hasOptimizableIndexingForJSType):
1519         (JSC::hasOptimizableIndexing):
1520         (JSC::jitArrayModeForJSType):
1521         (JSC::jitArrayModePermitsPut):
1522         (JSC::jitArrayModeForStructure):
1523         * bytecode/BytecodeKills.h: Added.
1524         (JSC::BytecodeKills::BytecodeKills):
1525         (JSC::BytecodeKills::operandIsKilled):
1526         (JSC::BytecodeKills::forEachOperandKilledAt):
1527         (JSC::BytecodeKills::KillSet::KillSet):
1528         (JSC::BytecodeKills::KillSet::add):
1529         (JSC::BytecodeKills::KillSet::forEachLocal):
1530         (JSC::BytecodeKills::KillSet::contains):
1531         * bytecode/BytecodeList.json:
1532         * bytecode/BytecodeLivenessAnalysis.cpp:
1533         (JSC::isValidRegisterForLiveness):
1534         (JSC::stepOverInstruction):
1535         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
1536         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1537         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
1538         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1539         (JSC::BytecodeLivenessAnalysis::computeKills):
1540         (JSC::indexForOperand): Deleted.
1541         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
1542         (JSC::getLivenessInfo): Deleted.
1543         * bytecode/BytecodeLivenessAnalysis.h:
1544         * bytecode/BytecodeLivenessAnalysisInlines.h:
1545         (JSC::operandIsAlwaysLive):
1546         (JSC::operandThatIsNotAlwaysLiveIsLive):
1547         (JSC::operandIsLive):
1548         * bytecode/BytecodeUseDef.h:
1549         (JSC::computeUsesForBytecodeOffset):
1550         (JSC::computeDefsForBytecodeOffset):
1551         * bytecode/CodeBlock.cpp:
1552         (JSC::CodeBlock::dumpBytecode):
1553         (JSC::CodeBlock::CodeBlock):
1554         (JSC::CodeBlock::nameForRegister):
1555         (JSC::CodeBlock::validate):
1556         (JSC::CodeBlock::isCaptured): Deleted.
1557         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
1558         (JSC::CodeBlock::machineSlowArguments): Deleted.
1559         * bytecode/CodeBlock.h:
1560         (JSC::unmodifiedArgumentsRegister): Deleted.
1561         (JSC::CodeBlock::setArgumentsRegister): Deleted.
1562         (JSC::CodeBlock::argumentsRegister): Deleted.
1563         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
1564         (JSC::CodeBlock::usesArguments): Deleted.
1565         (JSC::CodeBlock::captureCount): Deleted.
1566         (JSC::CodeBlock::captureStart): Deleted.
1567         (JSC::CodeBlock::captureEnd): Deleted.
1568         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
1569         (JSC::CodeBlock::hasSlowArguments): Deleted.
1570         (JSC::ExecState::argumentAfterCapture): Deleted.
1571         * bytecode/CodeOrigin.h:
1572         * bytecode/DataFormat.h:
1573         (JSC::dataFormatToString):
1574         * bytecode/FullBytecodeLiveness.h:
1575         (JSC::FullBytecodeLiveness::getLiveness):
1576         (JSC::FullBytecodeLiveness::operandIsLive):
1577         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
1578         (JSC::FullBytecodeLiveness::getOut): Deleted.
1579         * bytecode/Instruction.h:
1580         (JSC::Instruction::Instruction):
1581         * bytecode/Operands.h:
1582         (JSC::Operands::virtualRegisterForIndex):
1583         * bytecode/SpeculatedType.cpp:
1584         (JSC::dumpSpeculation):
1585         (JSC::speculationToAbbreviatedString):
1586         (JSC::speculationFromClassInfo):
1587         * bytecode/SpeculatedType.h:
1588         (JSC::isDirectArgumentsSpeculation):
1589         (JSC::isScopedArgumentsSpeculation):
1590         (JSC::isActionableMutableArraySpeculation):
1591         (JSC::isActionableArraySpeculation):
1592         (JSC::isArgumentsSpeculation): Deleted.
1593         * bytecode/UnlinkedCodeBlock.cpp:
1594         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1595         * bytecode/UnlinkedCodeBlock.h:
1596         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
1597         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
1598         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
1599         * bytecode/ValueRecovery.cpp:
1600         (JSC::ValueRecovery::dumpInContext):
1601         * bytecode/ValueRecovery.h:
1602         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
1603         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
1604         (JSC::ValueRecovery::nodeID):
1605         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
1606         * bytecode/VirtualRegister.h:
1607         (JSC::VirtualRegister::operator==):
1608         (JSC::VirtualRegister::operator!=):
1609         (JSC::VirtualRegister::operator<):
1610         (JSC::VirtualRegister::operator>):
1611         (JSC::VirtualRegister::operator<=):
1612         (JSC::VirtualRegister::operator>=):
1613         * bytecompiler/BytecodeGenerator.cpp:
1614         (JSC::BytecodeGenerator::generate):
1615         (JSC::BytecodeGenerator::BytecodeGenerator):
1616         (JSC::BytecodeGenerator::initializeNextParameter):
1617         (JSC::BytecodeGenerator::visibleNameForParameter):
1618         (JSC::BytecodeGenerator::emitMove):
1619         (JSC::BytecodeGenerator::variable):
1620         (JSC::BytecodeGenerator::createVariable):
1621         (JSC::BytecodeGenerator::emitResolveScope):
1622         (JSC::BytecodeGenerator::emitGetFromScope):
1623         (JSC::BytecodeGenerator::emitPutToScope):
1624         (JSC::BytecodeGenerator::initializeVariable):
1625         (JSC::BytecodeGenerator::emitInstanceOf):
1626         (JSC::BytecodeGenerator::emitNewFunction):
1627         (JSC::BytecodeGenerator::emitNewFunctionInternal):
1628         (JSC::BytecodeGenerator::emitCall):
1629         (JSC::BytecodeGenerator::emitReturn):
1630         (JSC::BytecodeGenerator::emitConstruct):
1631         (JSC::BytecodeGenerator::isArgumentNumber):
1632         (JSC::BytecodeGenerator::emitEnumeration):
1633         (JSC::BytecodeGenerator::addVar): Deleted.
1634         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
1635         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
1636         (JSC::BytecodeGenerator::resolveCallee): Deleted.
1637         (JSC::BytecodeGenerator::addCallee): Deleted.
1638         (JSC::BytecodeGenerator::addParameter): Deleted.
1639         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
1640         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
1641         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
1642         (JSC::BytecodeGenerator::isCaptured): Deleted.
1643         (JSC::BytecodeGenerator::local): Deleted.
1644         (JSC::BytecodeGenerator::constLocal): Deleted.
1645         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
1646         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
1647         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
1648         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
1649         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
1650         * bytecompiler/BytecodeGenerator.h:
1651         (JSC::Variable::Variable):
1652         (JSC::Variable::isResolved):
1653         (JSC::Variable::ident):
1654         (JSC::Variable::offset):
1655         (JSC::Variable::isLocal):
1656         (JSC::Variable::local):
1657         (JSC::Variable::isSpecial):
1658         (JSC::BytecodeGenerator::argumentsRegister):
1659         (JSC::BytecodeGenerator::emitNode):
1660         (JSC::BytecodeGenerator::registerFor):
1661         (JSC::Local::Local): Deleted.
1662         (JSC::Local::operator bool): Deleted.
1663         (JSC::Local::get): Deleted.
1664         (JSC::Local::isSpecial): Deleted.
1665         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
1666         (JSC::ResolveScopeInfo::isLocal): Deleted.
1667         (JSC::ResolveScopeInfo::localIndex): Deleted.
1668         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
1669         (JSC::BytecodeGenerator::captureMode): Deleted.
1670         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
1671         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
1672         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
1673         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
1674         * bytecompiler/NodesCodegen.cpp:
1675         (JSC::ResolveNode::isPure):
1676         (JSC::ResolveNode::emitBytecode):
1677         (JSC::BracketAccessorNode::emitBytecode):
1678         (JSC::DotAccessorNode::emitBytecode):
1679         (JSC::EvalFunctionCallNode::emitBytecode):
1680         (JSC::FunctionCallResolveNode::emitBytecode):
1681         (JSC::CallFunctionCallDotNode::emitBytecode):
1682         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1683         (JSC::PostfixNode::emitResolve):
1684         (JSC::DeleteResolveNode::emitBytecode):
1685         (JSC::TypeOfResolveNode::emitBytecode):
1686         (JSC::PrefixNode::emitResolve):
1687         (JSC::ReadModifyResolveNode::emitBytecode):
1688         (JSC::AssignResolveNode::emitBytecode):
1689         (JSC::ConstDeclNode::emitCodeSingle):
1690         (JSC::EmptyVarExpression::emitBytecode):
1691         (JSC::ForInNode::tryGetBoundLocal):
1692         (JSC::ForInNode::emitLoopHeader):
1693         (JSC::ForOfNode::emitBytecode):
1694         (JSC::ArrayPatternNode::emitDirectBinding):
1695         (JSC::BindingNode::bindValue):
1696         (JSC::getArgumentByVal): Deleted.
1697         * dfg/DFGAbstractHeap.h:
1698         * dfg/DFGAbstractInterpreter.h:
1699         * dfg/DFGAbstractInterpreterInlines.h:
1700         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1701         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1702         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
1703         * dfg/DFGAbstractValue.h:
1704         * dfg/DFGArgumentPosition.h:
1705         (JSC::DFG::ArgumentPosition::addVariable):
1706         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
1707         (JSC::DFG::performArgumentsElimination):
1708         * dfg/DFGArgumentsEliminationPhase.h: Added.
1709         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
1710         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
1711         * dfg/DFGArgumentsUtilities.cpp: Added.
1712         (JSC::DFG::argumentsInvolveStackSlot):
1713         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1714         * dfg/DFGArgumentsUtilities.h: Added.
1715         * dfg/DFGArrayMode.cpp:
1716         (JSC::DFG::ArrayMode::refine):
1717         (JSC::DFG::ArrayMode::alreadyChecked):
1718         (JSC::DFG::arrayTypeToString):
1719         * dfg/DFGArrayMode.h:
1720         (JSC::DFG::ArrayMode::canCSEStorage):
1721         (JSC::DFG::ArrayMode::modeForPut):
1722         * dfg/DFGAvailabilityMap.cpp:
1723         (JSC::DFG::AvailabilityMap::prune):
1724         * dfg/DFGAvailabilityMap.h:
1725         (JSC::DFG::AvailabilityMap::closeOverNodes):
1726         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
1727         * dfg/DFGBackwardsPropagationPhase.cpp:
1728         (JSC::DFG::BackwardsPropagationPhase::propagate):
1729         * dfg/DFGByteCodeParser.cpp:
1730         (JSC::DFG::ByteCodeParser::newVariableAccessData):
1731         (JSC::DFG::ByteCodeParser::getLocal):
1732         (JSC::DFG::ByteCodeParser::setLocal):
1733         (JSC::DFG::ByteCodeParser::getArgument):
1734         (JSC::DFG::ByteCodeParser::setArgument):
1735         (JSC::DFG::ByteCodeParser::flushDirect):
1736         (JSC::DFG::ByteCodeParser::flush):
1737         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
1738         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1739         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1740         (JSC::DFG::ByteCodeParser::handleInlining):
1741         (JSC::DFG::ByteCodeParser::parseBlock):
1742         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1743         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1744         * dfg/DFGCPSRethreadingPhase.cpp:
1745         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1746         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1747         * dfg/DFGCSEPhase.cpp:
1748         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
1749         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
1750         * dfg/DFGCapabilities.cpp:
1751         (JSC::DFG::isSupportedForInlining):
1752         (JSC::DFG::capabilityLevel):
1753         * dfg/DFGClobberize.h:
1754         (JSC::DFG::clobberize):
1755         * dfg/DFGCommon.h:
1756         * dfg/DFGCommonData.h:
1757         (JSC::DFG::CommonData::CommonData):
1758         * dfg/DFGConstantFoldingPhase.cpp:
1759         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1760         * dfg/DFGDCEPhase.cpp:
1761         (JSC::DFG::DCEPhase::cleanVariables):
1762         * dfg/DFGDisassembler.h:
1763         * dfg/DFGDoesGC.cpp:
1764         (JSC::DFG::doesGC):
1765         * dfg/DFGFixupPhase.cpp:
1766         (JSC::DFG::FixupPhase::fixupNode):
1767         * dfg/DFGFlushFormat.cpp:
1768         (WTF::printInternal):
1769         * dfg/DFGFlushFormat.h:
1770         (JSC::DFG::resultFor):
1771         (JSC::DFG::useKindFor):
1772         (JSC::DFG::dataFormatFor):
1773         * dfg/DFGForAllKills.h: Added.
1774         (JSC::DFG::forAllLiveNodesAtTail):
1775         (JSC::DFG::forAllDirectlyKilledOperands):
1776         (JSC::DFG::forAllKilledOperands):
1777         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1778         (JSC::DFG::forAllKillsInBlock):
1779         * dfg/DFGGraph.cpp:
1780         (JSC::DFG::Graph::Graph):
1781         (JSC::DFG::Graph::dump):
1782         (JSC::DFG::Graph::substituteGetLocal):
1783         (JSC::DFG::Graph::livenessFor):
1784         (JSC::DFG::Graph::killsFor):
1785         (JSC::DFG::Graph::tryGetConstantClosureVar):
1786         (JSC::DFG::Graph::tryGetRegisters): Deleted.
1787         * dfg/DFGGraph.h:
1788         (JSC::DFG::Graph::symbolTableFor):
1789         (JSC::DFG::Graph::uses):
1790         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
1791         (JSC::DFG::Graph::capturedVarsFor): Deleted.
1792         (JSC::DFG::Graph::usesArguments): Deleted.
1793         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
1794         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
1795         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
1796         * dfg/DFGHeapLocation.cpp:
1797         (WTF::printInternal):
1798         * dfg/DFGHeapLocation.h:
1799         * dfg/DFGInPlaceAbstractState.cpp:
1800         (JSC::DFG::InPlaceAbstractState::initialize):
1801         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1802         * dfg/DFGJITCompiler.cpp:
1803         (JSC::DFG::JITCompiler::link):
1804         * dfg/DFGMayExit.cpp:
1805         (JSC::DFG::mayExit):
1806         * dfg/DFGMinifiedID.h:
1807         * dfg/DFGMinifiedNode.cpp:
1808         (JSC::DFG::MinifiedNode::fromNode):
1809         * dfg/DFGMinifiedNode.h:
1810         (JSC::DFG::belongsInMinifiedGraph):
1811         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
1812         (JSC::DFG::MinifiedNode::inlineCallFrame):
1813         * dfg/DFGNode.cpp:
1814         (JSC::DFG::Node::convertToIdentityOn):
1815         * dfg/DFGNode.h:
1816         (JSC::DFG::Node::hasConstant):
1817         (JSC::DFG::Node::constant):
1818         (JSC::DFG::Node::hasScopeOffset):
1819         (JSC::DFG::Node::scopeOffset):
1820         (JSC::DFG::Node::hasDirectArgumentsOffset):
1821         (JSC::DFG::Node::capturedArgumentsOffset):
1822         (JSC::DFG::Node::variablePointer):
1823         (JSC::DFG::Node::hasCallVarargsData):
1824         (JSC::DFG::Node::hasLoadVarargsData):
1825         (JSC::DFG::Node::hasHeapPrediction):
1826         (JSC::DFG::Node::hasCellOperand):
1827         (JSC::DFG::Node::objectMaterializationData):
1828         (JSC::DFG::Node::isPhantomAllocation):
1829         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1830         (JSC::DFG::Node::shouldSpeculateDirectArguments):
1831         (JSC::DFG::Node::shouldSpeculateScopedArguments):
1832         (JSC::DFG::Node::isPhantomArguments): Deleted.
1833         (JSC::DFG::Node::hasVarNumber): Deleted.
1834         (JSC::DFG::Node::varNumber): Deleted.
1835         (JSC::DFG::Node::registerPointer): Deleted.
1836         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
1837         * dfg/DFGNodeType.h:
1838         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1839         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1840         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1841         * dfg/DFGOSRExitCompiler.cpp:
1842         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
1843         * dfg/DFGOSRExitCompiler.h:
1844         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
1845         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
1846         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
1847         * dfg/DFGOSRExitCompiler32_64.cpp:
1848         (JSC::DFG::OSRExitCompiler::compileExit):
1849         * dfg/DFGOSRExitCompiler64.cpp:
1850         (JSC::DFG::OSRExitCompiler::compileExit):
1851         * dfg/DFGOSRExitCompilerCommon.cpp:
1852         (JSC::DFG::reifyInlinedCallFrames):
1853         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
1854         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
1855         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
1856         * dfg/DFGOSRExitCompilerCommon.h:
1857         * dfg/DFGOperations.cpp:
1858         * dfg/DFGOperations.h:
1859         * dfg/DFGPlan.cpp:
1860         (JSC::DFG::Plan::compileInThreadImpl):
1861         * dfg/DFGPreciseLocalClobberize.h:
1862         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
1863         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
1864         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
1865         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1866         (JSC::DFG::preciseLocalClobberize):
1867         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
1868         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
1869         * dfg/DFGPredictionPropagationPhase.cpp:
1870         (JSC::DFG::PredictionPropagationPhase::run):
1871         (JSC::DFG::PredictionPropagationPhase::propagate):
1872         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1873         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
1874         * dfg/DFGPromoteHeapAccess.h:
1875         (JSC::DFG::promoteHeapAccess):
1876         * dfg/DFGPromotedHeapLocation.cpp:
1877         (WTF::printInternal):
1878         * dfg/DFGPromotedHeapLocation.h:
1879         * dfg/DFGSSAConversionPhase.cpp:
1880         (JSC::DFG::SSAConversionPhase::run):
1881         * dfg/DFGSafeToExecute.h:
1882         (JSC::DFG::safeToExecute):
1883         * dfg/DFGSpeculativeJIT.cpp:
1884         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1885         (JSC::DFG::SpeculativeJIT::emitGetLength):
1886         (JSC::DFG::SpeculativeJIT::emitGetCallee):
1887         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
1888         (JSC::DFG::SpeculativeJIT::checkArray):
1889         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1890         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1891         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1892         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1893         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1894         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1895         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1896         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1897         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1898         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1899         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1900         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
1901         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
1902         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
1903         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
1904         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
1905         * dfg/DFGSpeculativeJIT.h:
1906         (JSC::DFG::SpeculativeJIT::callOperation):
1907         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1908         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1909         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
1910         * dfg/DFGSpeculativeJIT32_64.cpp:
1911         (JSC::DFG::SpeculativeJIT::emitCall):
1912         (JSC::DFG::SpeculativeJIT::compile):
1913         * dfg/DFGSpeculativeJIT64.cpp:
1914         (JSC::DFG::SpeculativeJIT::emitCall):
1915         (JSC::DFG::SpeculativeJIT::compile):
1916         * dfg/DFGStackLayoutPhase.cpp:
1917         (JSC::DFG::StackLayoutPhase::run):
1918         * dfg/DFGStrengthReductionPhase.cpp:
1919         (JSC::DFG::StrengthReductionPhase::handleNode):
1920         * dfg/DFGStructureRegistrationPhase.cpp:
1921         (JSC::DFG::StructureRegistrationPhase::run):
1922         * dfg/DFGUnificationPhase.cpp:
1923         (JSC::DFG::UnificationPhase::run):
1924         * dfg/DFGValidate.cpp:
1925         (JSC::DFG::Validate::validateCPS):
1926         * dfg/DFGValueSource.cpp:
1927         (JSC::DFG::ValueSource::dump):
1928         * dfg/DFGValueSource.h:
1929         (JSC::DFG::dataFormatToValueSourceKind):
1930         (JSC::DFG::valueSourceKindToDataFormat):
1931         (JSC::DFG::ValueSource::ValueSource):
1932         (JSC::DFG::ValueSource::forFlushFormat):
1933         (JSC::DFG::ValueSource::valueRecovery):
1934         * dfg/DFGVarargsForwardingPhase.cpp: Added.
1935         (JSC::DFG::performVarargsForwarding):
1936         * dfg/DFGVarargsForwardingPhase.h: Added.
1937         * dfg/DFGVariableAccessData.cpp:
1938         (JSC::DFG::VariableAccessData::VariableAccessData):
1939         (JSC::DFG::VariableAccessData::flushFormat):
1940         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1941         * dfg/DFGVariableAccessData.h:
1942         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
1943         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1944         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
1945         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
1946         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
1947         * dfg/DFGVariableAccessDataDump.cpp:
1948         (JSC::DFG::VariableAccessDataDump::dump):
1949         * dfg/DFGVariableAccessDataDump.h:
1950         * dfg/DFGVariableEventStream.cpp:
1951         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
1952         * dfg/DFGVariableEventStream.h:
1953         * ftl/FTLAbstractHeap.cpp:
1954         (JSC::FTL::AbstractHeap::dump):
1955         (JSC::FTL::AbstractField::dump):
1956         (JSC::FTL::IndexedAbstractHeap::dump):
1957         (JSC::FTL::NumberedAbstractHeap::dump):
1958         (JSC::FTL::AbsoluteAbstractHeap::dump):
1959         * ftl/FTLAbstractHeap.h:
1960         * ftl/FTLAbstractHeapRepository.cpp:
1961         * ftl/FTLAbstractHeapRepository.h:
1962         * ftl/FTLCapabilities.cpp:
1963         (JSC::FTL::canCompile):
1964         * ftl/FTLCompile.cpp:
1965         (JSC::FTL::mmAllocateDataSection):
1966         * ftl/FTLExitArgument.cpp:
1967         (JSC::FTL::ExitArgument::dump):
1968         * ftl/FTLExitPropertyValue.cpp:
1969         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
1970         * ftl/FTLExitPropertyValue.h:
1971         * ftl/FTLExitTimeObjectMaterialization.cpp:
1972         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1973         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
1974         * ftl/FTLExitTimeObjectMaterialization.h:
1975         (JSC::FTL::ExitTimeObjectMaterialization::origin):
1976         * ftl/FTLExitValue.cpp:
1977         (JSC::FTL::ExitValue::withLocalsOffset):
1978         (JSC::FTL::ExitValue::valueFormat):
1979         (JSC::FTL::ExitValue::dumpInContext):
1980         * ftl/FTLExitValue.h:
1981         (JSC::FTL::ExitValue::isArgument):
1982         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
1983         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
1984         (JSC::FTL::ExitValue::valueFormat): Deleted.
1985         * ftl/FTLInlineCacheSize.cpp:
1986         (JSC::FTL::sizeOfCallForwardVarargs):
1987         (JSC::FTL::sizeOfConstructForwardVarargs):
1988         (JSC::FTL::sizeOfICFor):
1989         * ftl/FTLInlineCacheSize.h:
1990         * ftl/FTLIntrinsicRepository.h:
1991         * ftl/FTLJSCallVarargs.cpp:
1992         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1993         (JSC::FTL::JSCallVarargs::emit):
1994         * ftl/FTLJSCallVarargs.h:
1995         * ftl/FTLLowerDFGToLLVM.cpp:
1996         (JSC::FTL::LowerDFGToLLVM::lower):
1997         (JSC::FTL::LowerDFGToLLVM::compileNode):
1998         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
1999         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2000         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2001         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2002         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2003         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2004         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2005         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
2006         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
2007         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
2008         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
2009         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
2010         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
2011         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
2012         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
2013         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
2014         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
2015         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
2016         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
2017         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
2018         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
2019         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
2020         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
2021         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
2022         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
2023         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
2024         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
2025         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
2026         (JSC::FTL::LowerDFGToLLVM::baseIndex):
2027         (JSC::FTL::LowerDFGToLLVM::allocateObject):
2028         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
2029         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2030         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2031         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2032         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2033         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2034         (JSC::FTL::LowerDFGToLLVM::loadStructure):
2035         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
2036         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
2037         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
2038         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
2039         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
2040         * ftl/FTLOSRExitCompiler.cpp:
2041         (JSC::FTL::compileRecovery):
2042         (JSC::FTL::compileStub):
2043         * ftl/FTLOperations.cpp:
2044         (JSC::FTL::operationMaterializeObjectInOSR):
2045         * ftl/FTLOutput.h:
2046         (JSC::FTL::Output::aShr):
2047         (JSC::FTL::Output::lShr):
2048         (JSC::FTL::Output::zeroExtPtr):
2049         * heap/CopyToken.h:
2050         * interpreter/CallFrame.h:
2051         (JSC::ExecState::getArgumentUnsafe):
2052         * interpreter/Interpreter.cpp:
2053         (JSC::sizeOfVarargs):
2054         (JSC::sizeFrameForVarargs):
2055         (JSC::loadVarargs):
2056         (JSC::unwindCallFrame):
2057         * interpreter/Interpreter.h:
2058         * interpreter/StackVisitor.cpp:
2059         (JSC::StackVisitor::Frame::createArguments):
2060         (JSC::StackVisitor::Frame::existingArguments): Deleted.
2061         * interpreter/StackVisitor.h:
2062         * jit/AssemblyHelpers.h:
2063         (JSC::AssemblyHelpers::storeValue):
2064         (JSC::AssemblyHelpers::loadValue):
2065         (JSC::AssemblyHelpers::storeTrustedValue):
2066         (JSC::AssemblyHelpers::branchIfNotCell):
2067         (JSC::AssemblyHelpers::branchIsEmpty):
2068         (JSC::AssemblyHelpers::argumentsStart):
2069         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
2070         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
2071         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
2072         * jit/CCallHelpers.h:
2073         (JSC::CCallHelpers::setupArgument):
2074         * jit/GPRInfo.h:
2075         (JSC::JSValueRegs::withTwoAvailableRegs):
2076         * jit/JIT.cpp:
2077         (JSC::JIT::privateCompileMainPass):
2078         (JSC::JIT::privateCompileSlowCases):
2079         * jit/JIT.h:
2080         * jit/JITCall.cpp:
2081         (JSC::JIT::compileSetupVarargsFrame):
2082         * jit/JITCall32_64.cpp:
2083         (JSC::JIT::compileSetupVarargsFrame):
2084         * jit/JITInlines.h:
2085         (JSC::JIT::callOperation):
2086         * jit/JITOpcodes.cpp:
2087         (JSC::JIT::emit_op_create_lexical_environment):
2088         (JSC::JIT::emit_op_new_func):
2089         (JSC::JIT::emit_op_create_direct_arguments):
2090         (JSC::JIT::emit_op_create_scoped_arguments):
2091         (JSC::JIT::emit_op_create_out_of_band_arguments):
2092         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2093         (JSC::JIT::emit_op_create_arguments): Deleted.
2094         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2095         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2096         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2097         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2098         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2099         * jit/JITOpcodes32_64.cpp:
2100         (JSC::JIT::emit_op_create_lexical_environment):
2101         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2102         (JSC::JIT::emit_op_create_arguments): Deleted.
2103         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2104         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2105         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2106         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2107         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2108         * jit/JITOperations.cpp:
2109         * jit/JITOperations.h:
2110         * jit/JITPropertyAccess.cpp:
2111         (JSC::JIT::emitGetClosureVar):
2112         (JSC::JIT::emitPutClosureVar):
2113         (JSC::JIT::emit_op_get_from_arguments):
2114         (JSC::JIT::emit_op_put_to_arguments):
2115         (JSC::JIT::emit_op_init_global_const):
2116         (JSC::JIT::privateCompileGetByVal):
2117         (JSC::JIT::emitDirectArgumentsGetByVal):
2118         (JSC::JIT::emitScopedArgumentsGetByVal):
2119         * jit/JITPropertyAccess32_64.cpp:
2120         (JSC::JIT::emitGetClosureVar):
2121         (JSC::JIT::emitPutClosureVar):
2122         (JSC::JIT::emit_op_get_from_arguments):
2123         (JSC::JIT::emit_op_put_to_arguments):
2124         (JSC::JIT::emit_op_init_global_const):
2125         * jit/SetupVarargsFrame.cpp:
2126         (JSC::emitSetupVarargsFrameFastCase):
2127         * llint/LLIntOffsetsExtractor.cpp:
2128         * llint/LLIntSlowPaths.cpp:
2129         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2130         * llint/LowLevelInterpreter.asm:
2131         * llint/LowLevelInterpreter32_64.asm:
2132         * llint/LowLevelInterpreter64.asm:
2133         * parser/Nodes.h:
2134         (JSC::ScopeNode::captures):
2135         * runtime/Arguments.cpp: Removed.
2136         * runtime/Arguments.h: Removed.
2137         * runtime/ArgumentsMode.h: Added.
2138         * runtime/DirectArgumentsOffset.cpp: Added.
2139         (JSC::DirectArgumentsOffset::dump):
2140         * runtime/DirectArgumentsOffset.h: Added.
2141         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
2142         * runtime/CommonSlowPaths.cpp:
2143         (JSC::SLOW_PATH_DECL):
2144         * runtime/CommonSlowPaths.h:
2145         * runtime/ConstantMode.cpp: Added.
2146         (WTF::printInternal):
2147         * runtime/ConstantMode.h:
2148         (JSC::modeForIsConstant):
2149         * runtime/DirectArguments.cpp: Added.
2150         (JSC::DirectArguments::DirectArguments):
2151         (JSC::DirectArguments::createUninitialized):
2152         (JSC::DirectArguments::create):
2153         (JSC::DirectArguments::createByCopying):
2154         (JSC::DirectArguments::visitChildren):
2155         (JSC::DirectArguments::copyBackingStore):
2156         (JSC::DirectArguments::createStructure):
2157         (JSC::DirectArguments::overrideThings):
2158         (JSC::DirectArguments::overrideThingsIfNecessary):
2159         (JSC::DirectArguments::overrideArgument):
2160         (JSC::DirectArguments::copyToArguments):
2161         (JSC::DirectArguments::overridesSize):
2162         * runtime/DirectArguments.h: Added.
2163         (JSC::DirectArguments::internalLength):
2164         (JSC::DirectArguments::length):
2165         (JSC::DirectArguments::canAccessIndexQuickly):
2166         (JSC::DirectArguments::getIndexQuickly):
2167         (JSC::DirectArguments::setIndexQuickly):
2168         (JSC::DirectArguments::callee):
2169         (JSC::DirectArguments::argument):
2170         (JSC::DirectArguments::overrodeThings):
2171         (JSC::DirectArguments::offsetOfCallee):
2172         (JSC::DirectArguments::offsetOfLength):
2173         (JSC::DirectArguments::offsetOfMinCapacity):
2174         (JSC::DirectArguments::offsetOfOverrides):
2175         (JSC::DirectArguments::storageOffset):
2176         (JSC::DirectArguments::offsetOfSlot):
2177         (JSC::DirectArguments::allocationSize):
2178         (JSC::DirectArguments::storage):
2179         * runtime/FunctionPrototype.cpp:
2180         * runtime/GenericArguments.h: Added.
2181         (JSC::GenericArguments::GenericArguments):
2182         * runtime/GenericArgumentsInlines.h: Added.
2183         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2184         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2185         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2186         (JSC::GenericArguments<Type>::put):
2187         (JSC::GenericArguments<Type>::putByIndex):
2188         (JSC::GenericArguments<Type>::deleteProperty):
2189         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2190         (JSC::GenericArguments<Type>::defineOwnProperty):
2191         (JSC::GenericArguments<Type>::copyToArguments):
2192         * runtime/GenericOffset.h: Added.
2193         (JSC::GenericOffset::GenericOffset):
2194         (JSC::GenericOffset::operator!):
2195         (JSC::GenericOffset::offsetUnchecked):
2196         (JSC::GenericOffset::offset):
2197         (JSC::GenericOffset::operator==):
2198         (JSC::GenericOffset::operator!=):
2199         (JSC::GenericOffset::operator<):
2200         (JSC::GenericOffset::operator>):
2201         (JSC::GenericOffset::operator<=):
2202         (JSC::GenericOffset::operator>=):
2203         (JSC::GenericOffset::operator+):
2204         (JSC::GenericOffset::operator-):
2205         (JSC::GenericOffset::operator+=):
2206         (JSC::GenericOffset::operator-=):
2207         * runtime/JSArgumentsIterator.cpp:
2208         (JSC::JSArgumentsIterator::finishCreation):
2209         (JSC::argumentsFuncIterator):
2210         * runtime/JSArgumentsIterator.h:
2211         (JSC::JSArgumentsIterator::create):
2212         (JSC::JSArgumentsIterator::next):
2213         * runtime/JSEnvironmentRecord.cpp:
2214         (JSC::JSEnvironmentRecord::visitChildren):
2215         * runtime/JSEnvironmentRecord.h:
2216         (JSC::JSEnvironmentRecord::variables):
2217         (JSC::JSEnvironmentRecord::isValid):
2218         (JSC::JSEnvironmentRecord::variableAt):
2219         (JSC::JSEnvironmentRecord::offsetOfVariables):
2220         (JSC::JSEnvironmentRecord::offsetOfVariable):
2221         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
2222         (JSC::JSEnvironmentRecord::allocationSize):
2223         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
2224         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
2225         (JSC::JSEnvironmentRecord::finishCreation):
2226         (JSC::JSEnvironmentRecord::registers): Deleted.
2227         (JSC::JSEnvironmentRecord::registerAt): Deleted.
2228         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
2229         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
2230         * runtime/JSFunction.cpp:
2231         * runtime/JSGlobalObject.cpp:
2232         (JSC::JSGlobalObject::init):
2233         (JSC::JSGlobalObject::addGlobalVar):
2234         (JSC::JSGlobalObject::addFunction):
2235         (JSC::JSGlobalObject::visitChildren):
2236         (JSC::JSGlobalObject::addStaticGlobals):
2237         * runtime/JSGlobalObject.h:
2238         (JSC::JSGlobalObject::directArgumentsStructure):
2239         (JSC::JSGlobalObject::scopedArgumentsStructure):
2240         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
2241         (JSC::JSGlobalObject::argumentsStructure): Deleted.
2242         * runtime/JSLexicalEnvironment.cpp:
2243         (JSC::JSLexicalEnvironment::symbolTableGet):
2244         (JSC::JSLexicalEnvironment::symbolTablePut):
2245         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2246         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2247         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
2248         * runtime/JSLexicalEnvironment.h:
2249         (JSC::JSLexicalEnvironment::create):
2250         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2251         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
2252         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
2253         (JSC::JSLexicalEnvironment::storage): Deleted.
2254         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
2255         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
2256         (JSC::JSLexicalEnvironment::isValid): Deleted.
2257         (JSC::JSLexicalEnvironment::registerAt): Deleted.
2258         * runtime/JSNameScope.cpp:
2259         (JSC::JSNameScope::visitChildren): Deleted.
2260         * runtime/JSNameScope.h:
2261         (JSC::JSNameScope::create):
2262         (JSC::JSNameScope::value):
2263         (JSC::JSNameScope::finishCreation):
2264         (JSC::JSNameScope::JSNameScope):
2265         * runtime/JSScope.cpp:
2266         (JSC::abstractAccess):
2267         * runtime/JSSegmentedVariableObject.cpp:
2268         (JSC::JSSegmentedVariableObject::findVariableIndex):
2269         (JSC::JSSegmentedVariableObject::addVariables):
2270         (JSC::JSSegmentedVariableObject::visitChildren):
2271         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
2272         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
2273         * runtime/JSSegmentedVariableObject.h:
2274         (JSC::JSSegmentedVariableObject::variableAt):
2275         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
2276         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
2277         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
2278         * runtime/JSSymbolTableObject.h:
2279         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
2280         (JSC::symbolTableGet):
2281         (JSC::symbolTablePut):
2282         (JSC::symbolTablePutWithAttributes):
2283         * runtime/JSType.h:
2284         * runtime/Options.h:
2285         * runtime/ClonedArguments.cpp: Added.
2286         (JSC::ClonedArguments::ClonedArguments):
2287         (JSC::ClonedArguments::createEmpty):
2288         (JSC::ClonedArguments::createWithInlineFrame):
2289         (JSC::ClonedArguments::createWithMachineFrame):
2290         (JSC::ClonedArguments::createByCopyingFrom):
2291         (JSC::ClonedArguments::createStructure):
2292         (JSC::ClonedArguments::getOwnPropertySlot):
2293         (JSC::ClonedArguments::getOwnPropertyNames):
2294         (JSC::ClonedArguments::put):
2295         (JSC::ClonedArguments::deleteProperty):
2296         (JSC::ClonedArguments::defineOwnProperty):
2297         (JSC::ClonedArguments::materializeSpecials):
2298         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2299         * runtime/ClonedArguments.h: Added.
2300         (JSC::ClonedArguments::specialsMaterialized):
2301         * runtime/ScopeOffset.cpp: Added.
2302         (JSC::ScopeOffset::dump):
2303         * runtime/ScopeOffset.h: Added.
2304         (JSC::ScopeOffset::ScopeOffset):
2305         * runtime/ScopedArguments.cpp: Added.
2306         (JSC::ScopedArguments::ScopedArguments):
2307         (JSC::ScopedArguments::finishCreation):
2308         (JSC::ScopedArguments::createUninitialized):
2309         (JSC::ScopedArguments::create):
2310         (JSC::ScopedArguments::createByCopying):
2311         (JSC::ScopedArguments::createByCopyingFrom):
2312         (JSC::ScopedArguments::visitChildren):
2313         (JSC::ScopedArguments::createStructure):
2314         (JSC::ScopedArguments::overrideThings):
2315         (JSC::ScopedArguments::overrideThingsIfNecessary):
2316         (JSC::ScopedArguments::overrideArgument):
2317         (JSC::ScopedArguments::copyToArguments):
2318         * runtime/ScopedArguments.h: Added.
2319         (JSC::ScopedArguments::internalLength):
2320         (JSC::ScopedArguments::length):
2321         (JSC::ScopedArguments::canAccessIndexQuickly):
2322         (JSC::ScopedArguments::getIndexQuickly):
2323         (JSC::ScopedArguments::setIndexQuickly):
2324         (JSC::ScopedArguments::callee):
2325         (JSC::ScopedArguments::overrodeThings):
2326         (JSC::ScopedArguments::offsetOfOverrodeThings):
2327         (JSC::ScopedArguments::offsetOfTotalLength):
2328         (JSC::ScopedArguments::offsetOfTable):
2329         (JSC::ScopedArguments::offsetOfScope):
2330         (JSC::ScopedArguments::overflowStorageOffset):
2331         (JSC::ScopedArguments::allocationSize):
2332         (JSC::ScopedArguments::overflowStorage):
2333         * runtime/ScopedArgumentsTable.cpp: Added.
2334         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
2335         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
2336         (JSC::ScopedArgumentsTable::destroy):
2337         (JSC::ScopedArgumentsTable::create):
2338         (JSC::ScopedArgumentsTable::clone):
2339         (JSC::ScopedArgumentsTable::setLength):
2340         (JSC::ScopedArgumentsTable::set):
2341         (JSC::ScopedArgumentsTable::createStructure):
2342         * runtime/ScopedArgumentsTable.h: Added.
2343         (JSC::ScopedArgumentsTable::length):
2344         (JSC::ScopedArgumentsTable::get):
2345         (JSC::ScopedArgumentsTable::lock):
2346         (JSC::ScopedArgumentsTable::offsetOfLength):
2347         (JSC::ScopedArgumentsTable::offsetOfArguments):
2348         (JSC::ScopedArgumentsTable::at):
2349         * runtime/SymbolTable.cpp:
2350         (JSC::SymbolTableEntry::prepareToWatch):
2351         (JSC::SymbolTable::SymbolTable):
2352         (JSC::SymbolTable::visitChildren):
2353         (JSC::SymbolTable::localToEntry):
2354         (JSC::SymbolTable::entryFor):
2355         (JSC::SymbolTable::cloneScopePart):
2356         (JSC::SymbolTable::prepareForTypeProfiling):
2357         (JSC::SymbolTable::uniqueIDForOffset):
2358         (JSC::SymbolTable::globalTypeSetForOffset):
2359         (JSC::SymbolTable::cloneCapturedNames): Deleted.
2360         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
2361         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
2362         * runtime/SymbolTable.h:
2363         (JSC::SymbolTableEntry::varOffsetFromBits):
2364         (JSC::SymbolTableEntry::scopeOffsetFromBits):
2365         (JSC::SymbolTableEntry::Fast::varOffset):
2366         (JSC::SymbolTableEntry::Fast::scopeOffset):
2367         (JSC::SymbolTableEntry::Fast::isDontEnum):
2368         (JSC::SymbolTableEntry::Fast::getAttributes):
2369         (JSC::SymbolTableEntry::SymbolTableEntry):
2370         (JSC::SymbolTableEntry::varOffset):
2371         (JSC::SymbolTableEntry::isWatchable):
2372         (JSC::SymbolTableEntry::scopeOffset):
2373         (JSC::SymbolTableEntry::setAttributes):
2374         (JSC::SymbolTableEntry::constantMode):
2375         (JSC::SymbolTableEntry::isDontEnum):
2376         (JSC::SymbolTableEntry::disableWatching):
2377         (JSC::SymbolTableEntry::pack):
2378         (JSC::SymbolTableEntry::isValidVarOffset):
2379         (JSC::SymbolTable::createNameScopeTable):
2380         (JSC::SymbolTable::maxScopeOffset):
2381         (JSC::SymbolTable::didUseScopeOffset):
2382         (JSC::SymbolTable::didUseVarOffset):
2383         (JSC::SymbolTable::scopeSize):
2384         (JSC::SymbolTable::nextScopeOffset):
2385         (JSC::SymbolTable::takeNextScopeOffset):
2386         (JSC::SymbolTable::add):
2387         (JSC::SymbolTable::set):
2388         (JSC::SymbolTable::argumentsLength):
2389         (JSC::SymbolTable::setArgumentsLength):
2390         (JSC::SymbolTable::argumentOffset):
2391         (JSC::SymbolTable::setArgumentOffset):
2392         (JSC::SymbolTable::arguments):
2393         (JSC::SlowArgument::SlowArgument): Deleted.
2394         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
2395         (JSC::SymbolTableEntry::getIndex): Deleted.
2396         (JSC::SymbolTableEntry::isValidIndex): Deleted.
2397         (JSC::SymbolTable::captureStart): Deleted.
2398         (JSC::SymbolTable::setCaptureStart): Deleted.
2399         (JSC::SymbolTable::captureEnd): Deleted.
2400         (JSC::SymbolTable::setCaptureEnd): Deleted.
2401         (JSC::SymbolTable::captureCount): Deleted.
2402         (JSC::SymbolTable::isCaptured): Deleted.
2403         (JSC::SymbolTable::parameterCount): Deleted.
2404         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
2405         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
2406         (JSC::SymbolTable::slowArguments): Deleted.
2407         (JSC::SymbolTable::setSlowArguments): Deleted.
2408         * runtime/VM.cpp:
2409         (JSC::VM::VM):
2410         * runtime/VM.h:
2411         * runtime/VarOffset.cpp: Added.
2412         (JSC::VarOffset::dump):
2413         (WTF::printInternal):
2414         * runtime/VarOffset.h: Added.
2415         (JSC::VarOffset::VarOffset):
2416         (JSC::VarOffset::assemble):
2417         (JSC::VarOffset::isValid):
2418         (JSC::VarOffset::operator!):
2419         (JSC::VarOffset::kind):
2420         (JSC::VarOffset::isStack):
2421         (JSC::VarOffset::isScope):
2422         (JSC::VarOffset::isDirectArgument):
2423         (JSC::VarOffset::stackOffsetUnchecked):
2424         (JSC::VarOffset::scopeOffsetUnchecked):
2425         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
2426         (JSC::VarOffset::stackOffset):
2427         (JSC::VarOffset::scopeOffset):
2428         (JSC::VarOffset::capturedArgumentsOffset):
2429         (JSC::VarOffset::rawOffset):
2430         (JSC::VarOffset::checkSanity):
2431         (JSC::VarOffset::operator==):
2432         (JSC::VarOffset::operator!=):
2433         (JSC::VarOffset::hash):
2434         (JSC::VarOffset::isHashTableDeletedValue):
2435         (JSC::VarOffsetHash::hash):
2436         (JSC::VarOffsetHash::equal):
2437         * tests/stress/arguments-exit-strict-mode.js: Added.
2438         * tests/stress/arguments-exit.js: Added.
2439         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
2440         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
2441         * tests/stress/arguments-inlined-exit.js: Added.
2442         * tests/stress/arguments-interference.js: Added.
2443         * tests/stress/arguments-interference-cfg.js: Added.
2444         * tests/stress/dead-get-closure-var.js: Added.
2445         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
2446         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
2447         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
2448         * tests/stress/varargs-closure-inlined-exit.js: Added.
2449         * tests/stress/varargs-exit.js: Added.
2450         * tests/stress/varargs-inlined-exit.js: Added.
2451         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
2452         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
2453         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
2454         * tests/stress/varargs-inlined-simple-exit.js: Added.
2455         * tests/stress/varargs-too-few-arguments.js: Added.
2456         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
2457         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
2458         * tests/stress/varargs-varargs-inlined-exit.js: Added.
2459
2460 2015-03-25  Andy Estes  <aestes@apple.com>
2461
2462         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
2463         https://bugs.webkit.org/show_bug.cgi?id=143068
2464
2465         Reviewed by Dan Bernstein.
2466
2467         * inspector/remote/RemoteInspectorXPCConnection.mm:
2468         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
2469
2470 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2471
2472         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
2473         https://bugs.webkit.org/show_bug.cgi?id=142993
2474
2475         Reviewed by Geoffrey Garen and Mark Lam.
2476         
2477         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
2478         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
2479         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
2480         failure, but also involves adding the same kind of thing to the stub generators in
2481         Repatch.
2482         
2483         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
2484         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
2485         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
2486         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
2487         printout.
2488         
2489         Also add a way of inducing executable allocation failure, so that we can test this.
2490
2491         * CMakeLists.txt:
2492         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2493         * JavaScriptCore.xcodeproj/project.pbxproj:
2494         * dfg/DFGJITCompiler.cpp:
2495         (JSC::DFG::JITCompiler::compile):
2496         (JSC::DFG::JITCompiler::compileFunction):
2497         (JSC::DFG::JITCompiler::link): Deleted.
2498         (JSC::DFG::JITCompiler::linkFunction): Deleted.
2499         * dfg/DFGJITCompiler.h:
2500         * dfg/DFGPlan.cpp:
2501         (JSC::DFG::Plan::compileInThreadImpl):
2502         * ftl/FTLCompile.cpp:
2503         (JSC::FTL::mmAllocateCodeSection):
2504         (JSC::FTL::mmAllocateDataSection):
2505         * ftl/FTLLink.cpp:
2506         (JSC::FTL::link):
2507         * ftl/FTLState.h:
2508         * jit/ArityCheckFailReturnThunks.cpp:
2509         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
2510         * jit/ExecutableAllocationFuzz.cpp: Added.
2511         (JSC::numberOfExecutableAllocationFuzzChecks):
2512         (JSC::doExecutableAllocationFuzzing):
2513         * jit/ExecutableAllocationFuzz.h: Added.
2514         (JSC::doExecutableAllocationFuzzingIfEnabled):
2515         * jit/ExecutableAllocatorFixedVMPool.cpp:
2516         (JSC::ExecutableAllocator::allocate):
2517         * jit/JIT.cpp:
2518         (JSC::JIT::privateCompile):
2519         * jit/JITCompilationEffort.h:
2520         * jit/Repatch.cpp:
2521         (JSC::generateByIdStub):
2522         (JSC::tryCacheGetByID):
2523         (JSC::tryBuildGetByIDList):
2524         (JSC::emitPutReplaceStub):
2525         (JSC::emitPutTransitionStubAndGetOldStructure):
2526         (JSC::tryCachePutByID):
2527         (JSC::tryBuildPutByIdList):
2528         (JSC::tryRepatchIn):
2529         (JSC::linkPolymorphicCall):
2530         * jsc.cpp:
2531         (jscmain):
2532         * runtime/Options.h:
2533         * runtime/TestRunnerUtils.h:
2534         * runtime/VM.cpp:
2535         * tests/executableAllocationFuzz: Added.
2536         * tests/executableAllocationFuzz.yaml: Added.
2537         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
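
        The following C++ sketch is an added illustration of the contract this entry describes; it is not JavaScriptCore code and not part of the ChangeLog. It models a JIT compile that needs several executable allocations, an allocator with a fault-injection hook in the spirit of the executable allocation fuzzing the entry adds (fail the N-th allocation), and the two effort modes: under CanFail an allocation failure unwinds and the caller keeps running in the interpreter, under MustSucceed the policy is to crash with a diagnostic rather than try to recover by releasing executable memory. Every type, function and constant name here (AllocationFuzz, compileFunction, sweepAllocationFailures, the 4096-byte section size) is hypothetical.

```cpp
// Added example, not JavaScriptCore code. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <vector>

enum class JITCompilationEffort { CanFail, MustSucceed };

// Fault injector: when armed with N, the N-th executable allocation fails.
// This mirrors the idea of inducing executable allocation failure for tests.
struct AllocationFuzz {
    unsigned failAt = 0; // 0 = fuzzing disabled
    unsigned checks = 0; // number of allocation decisions seen so far
    void arm(unsigned n) { failAt = n; checks = 0; }
    bool shouldFail() { ++checks; return failAt != 0 && checks == failAt; }
};

struct ExecutableMemory { std::vector<uint8_t> bytes; };

// Returns nullptr on failure instead of hiding it; the caller decides what
// a failed allocation means under its compilation effort.
std::unique_ptr<ExecutableMemory> allocateExecutable(AllocationFuzz& fuzz, size_t size) {
    if (fuzz.shouldFail())
        return nullptr;
    std::unique_ptr<ExecutableMemory> mem(new ExecutableMemory);
    mem->bytes.assign(size, 0xCC); // int3 filler so unwritten code traps (constructed)
    return mem;
}

enum class CompileResult { Compiled, FellBackToInterpreter };

// A "compile" that needs several executable sections (code, data, stubs).
// CanFail: any allocation failure unwinds cleanly, partial sections are freed
// by the vector's destructor, and the function stays in the interpreter.
// MustSucceed: crash loudly with a diagnostic; do not attempt a GC here.
CompileResult compileFunction(AllocationFuzz& fuzz, JITCompilationEffort effort,
                              unsigned allocationsNeeded) {
    std::vector<std::unique_ptr<ExecutableMemory>> sections;
    for (unsigned i = 0; i < allocationsNeeded; ++i) {
        std::unique_ptr<ExecutableMemory> mem = allocateExecutable(fuzz, 4096);
        if (!mem) {
            if (effort == JITCompilationEffort::MustSucceed) {
                std::fprintf(stderr,
                    "executable allocation failed under MustSucceed after %u checks\n",
                    fuzz.checks);
                std::abort();
            }
            return CompileResult::FellBackToInterpreter;
        }
        sections.push_back(std::move(mem));
    }
    return CompileResult::Compiled;
}

// Fuzz sweep: fail each allocation point in turn and confirm that every one
// of them is handled by the fallback path. Returns the number of fallbacks,
// which must equal allocationsNeeded if no failure point is missed.
unsigned sweepAllocationFailures(unsigned allocationsNeeded) {
    unsigned fallbacks = 0;
    AllocationFuzz fuzz;
    for (unsigned n = 1; n <= allocationsNeeded; ++n) {
        fuzz.arm(n);
        CompileResult r = compileFunction(fuzz, JITCompilationEffort::CanFail, allocationsNeeded);
        if (r == CompileResult::FellBackToInterpreter)
            ++fallbacks;
    }
    return fallbacks;
}

int main() {
    unsigned handled = sweepAllocationFailures(3);
    std::printf("fallbacks handled: %u of 3\n", handled);
    return handled == 3 ? 0 : 1;
}
```

        The sweep is the part worth copying: fault injection that fails one allocation at a time is the only practical way to reach every error path of a compiler that allocates executable memory in several places, and a missed path shows up as a crash or a leaked partial code section rather than a clean fallback.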
2538
2539 2015-03-25  Mark Lam  <mark.lam@apple.com>
2540
2541         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
2542         <https://webkit.org/b/135719>
2543
2544         Reviewed by Geoffrey Garen.
2545
2546         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
2547         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
2548         update the LLINT to access it as such.
2549
2550         The issue has only manifested so far on the CLoop tests because those are LLINT
2551         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
2552         hiding the bug in the LLINT.
2553
2554         * API/JSContextRef.cpp:
2555         (createWatchdogIfNeeded):
2556         (JSContextGroupSetExecutionTimeLimit):
2557         (JSContextGroupClearExecutionTimeLimit):
2558         * llint/LowLevelInterpreter.asm:
2559
2560 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2561
2562         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
2563
2564         Rubber stamped by Geoffrey Garen.
2565
2566         * bytecode/CodeBlock.cpp:
2567         (JSC::CodeBlock::visitAggregate):
2568
2569 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2570
2571         Fix formatting in BuiltinExecutables
2572         https://bugs.webkit.org/show_bug.cgi?id=143061
2573
2574         Reviewed by Ryosuke Niwa.
2575
2576         * builtins/BuiltinExecutables.cpp:
2577         (JSC::BuiltinExecutables::createExecutableInternal):
2578
2579 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2580
2581         ES6: Classes: Program level class statement throws exception in strict mode
2582         https://bugs.webkit.org/show_bug.cgi?id=143038
2583
2584         Reviewed by Ryosuke Niwa.
2585
2586         Classes expose a name to the current lexical environment. This treats
2587         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
2588         Also, improve error messages for class statements where the class is missing a name.
2589
2590         * parser/Parser.h:
2591         * parser/Parser.cpp:
2592         (JSC::Parser<LexerType>::parseClass):
2593         Fill name in info parameter if needed. Better error message if name is needed and missing.
2594
2595         (JSC::Parser<LexerType>::parseClassDeclaration):
2596         Pass info parameter to get name, and expose the name as a variable name.
2597
2598         (JSC::Parser<LexerType>::parsePrimaryExpression):
2599         Pass info parameter that is ignored.
2600
2601         * parser/ParserFunctionInfo.h:
2602         Add a parser info for class, to extract the name.
2603
2604 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2605
2606         New map and set modification tests in r181922 fails
2607         https://bugs.webkit.org/show_bug.cgi?id=143031
2608
2609         Reviewed and tweaked by Geoffrey Garen.
2610
2611         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
2612         to adjust for the packed backing store.
2613
2614         Consider the following map data.
2615
2616         x: deleted, o: exists
2617         0 1 2 3 4
2618         x x x x o
2619
2620         And an iterator with m_index 3.
2621
2622         When packing the map data, the map data will become:
2623
2624         0
2625         o
2626
2627         At that time, we perform didRemoveEntry 4 times on iterators.
2628         times => m_index/index/result
2629         1 => 3/0/dec
2630         2 => 2/1/dec
2631         3 => 1/2/nothing
2632         4 => 1/3/nothing
2633
2634         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
2635         This is because we use the decremented m_index for the comparison,
2636         while the provided deletedIndex is an index into the old storage and m_index is an index into the partially packed storage.
2637
2638         In this patch, we compare against the packed index instead.
2639         times => m_index/packedIndex/result
2640         1 => 3/0/dec
2641         2 => 2/0/dec
2642         3 => 1/0/dec
2643         4 => 0/0/nothing
2644
2645         So m_index becomes 0 as expected.
2646
2647         And according to the spec, once the iterator is closed (becomes done: true),
2648         its internal [[Map]]/[[Set]] is set to undefined.
2649         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
2650
2651         In this patch, we change 2 things.
2652         1.
2653         Compare an iterator's index against the packed index when removing an entry.
2654
2655         2.
2656         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
2657
2658         * runtime/MapData.h:
2659         (JSC::MapDataImpl::IteratorData::finish):
2660         (JSC::MapDataImpl::IteratorData::isFinished):
2661         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
2662         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
2663         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
2664         * runtime/MapDataInlines.h:
2665         (JSC::JSIterator>::replaceAndPackBackingStore):
2666         * tests/stress/modify-map-during-iteration.js:
2667         * tests/stress/modify-set-during-iteration.js:
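
        A worked model of the index adjustment described in this entry, added here as an
        illustration; it is not JavaScriptCore's code. Entry, IteratorData, packBackingStore
        and the scenario functions are constructed for the example and only mirror the roles
        of MapDataImpl::IteratorData::didRemoveEntry and replaceAndPackBackingStore. It runs
        the five-entry store from the table above through both comparisons (old index versus
        packed index) and shows the isFinished() guard leaving a closed iterator untouched.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy backing-store entry: a key plus a tombstone flag (constructed for this
// example; not JSC's MapData layout).
struct Entry {
    int key;
    bool deleted;
};

// Toy stand-in for MapDataImpl::IteratorData. m_index is the position the
// iterator resumes from in the backing store.
struct IteratorData {
    size_t m_index;
    bool m_finished;

    explicit IteratorData(size_t index) : m_index(index), m_finished(false) {}

    bool isFinished() const { return m_finished; }
    void finish() { m_finished = true; } // iterator closed (done: true)

    // Compares against the index in the OLD storage: the behaviour the
    // ChangeLog describes as wrong, since m_index is already partially packed.
    void didRemoveEntryOldIndex(size_t deletedIndex)
    {
        if (isFinished())
            return; // a closed iterator is never revived
        if (deletedIndex < m_index)
            --m_index;
    }

    // Compares against the index in the PACKED storage: the fixed form.
    void didRemoveEntryPackedIndex(size_t packedIndex)
    {
        if (isFinished())
            return;
        if (packedIndex < m_index)
            --m_index;
    }
};

// Packs the store in place and calls notify(iterator, oldIndex, packedIndex)
// for every deleted entry, once per live iterator. Returns the entries kept.
template <typename Notify>
size_t packBackingStore(std::vector<Entry>& store, std::vector<IteratorData*>& iterators, Notify notify)
{
    size_t packedIndex = 0;
    for (size_t oldIndex = 0; oldIndex < store.size(); ++oldIndex) {
        if (store[oldIndex].deleted) {
            for (IteratorData* it : iterators)
                notify(*it, oldIndex, packedIndex);
            continue;
        }
        store[packedIndex++] = store[oldIndex];
    }
    store.resize(packedIndex);
    return packedIndex;
}

// The ChangeLog's scenario: entries 0..3 deleted, entry 4 live.
std::vector<Entry> scenarioStore()
{
    return {{0, true}, {1, true}, {2, true}, {3, true}, {4, false}};
}

// Iterator parked at m_index 3, adjusted with the old-index comparison.
size_t indexAfterPackUsingOldIndex()
{
    std::vector<Entry> store = scenarioStore();
    IteratorData it(3);
    std::vector<IteratorData*> iterators{&it};
    packBackingStore(store, iterators, [](IteratorData& i, size_t oldIndex, size_t) { i.didRemoveEntryOldIndex(oldIndex); });
    return it.m_index; // 1: stale, the only live entry now sits at index 0
}

// Same iterator, adjusted with the packed-index comparison.
size_t indexAfterPackUsingPackedIndex()
{
    std::vector<Entry> store = scenarioStore();
    IteratorData it(3);
    std::vector<IteratorData*> iterators{&it};
    packBackingStore(store, iterators, [](IteratorData& i, size_t, size_t packedIndex) { i.didRemoveEntryPackedIndex(packedIndex); });
    return it.m_index; // 0: the expected value
}

// A finished iterator keeps its index through packing.
size_t indexOfFinishedIteratorAfterPack()
{
    std::vector<Entry> store = scenarioStore();
    IteratorData it(3);
    it.finish();
    std::vector<IteratorData*> iterators{&it};
    packBackingStore(store, iterators, [](IteratorData& i, size_t, size_t packedIndex) { i.didRemoveEntryPackedIndex(packedIndex); });
    return it.m_index; // 3
}

int main()
{
    std::printf("old index: %zu, packed index: %zu, finished: %zu\n",
        indexAfterPackUsingOldIndex(), indexAfterPackUsingPackedIndex(), indexOfFinishedIteratorAfterPack());
    return 0;
}
```

        The four notifications reproduce the two tables in the entry: with the old index the
        third and fourth calls compare 2 and 3 against an m_index that has already shrunk, so
        the iterator stops at 1; with the packed index every deleted entry maps to slot 0 and
        the iterator lands on 0.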
2668
2669 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2670
2671         Setter should have a single formal parameter, Getter no parameters
2672         https://bugs.webkit.org/show_bug.cgi?id=142903
2673
2674         Reviewed by Geoffrey Garen.
2675
2676         * parser/Parser.cpp:
2677         (JSC::Parser<LexerType>::parseFunctionInfo):
2678         Enforce no parameters for getters and a single parameter
2679         for setters, with informational error messages.
2680
2681 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2682
2683         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
2684         https://bugs.webkit.org/show_bug.cgi?id=143012
2685
2686         Reviewed by Ryosuke Niwa.
2687
2688         * bytecompiler/BytecodeGenerator.cpp:
2689         (JSC::BytecodeGenerator::emitReturn):
2690         Fix handling of "undefined" when returned from a Derived class. It was
2691         returning "undefined" when it should have returned "this".
2692
2693 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2694
2695         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
2696         https://bugs.webkit.org/show_bug.cgi?id=142696
2697
2698         Reviewed and tweaked by Geoffrey Garen.
2699
2700         Before r142556, JSSetIterator::destroy was not defined.
2701         So accidentally MapData::const_iterator in JSSet was never destroyed.
2702         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
2703
2704         After r142556, JSSetIterator::destroy works.
2705         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
2706         But JSSetIterator::~JSSetIterator requires the owned JSSet, since it mutates MapData->m_iteratorCount.
2707
2708         It is guaranteed that the JSSet is live, since the JSSetIterator has a reference to the JSSet
2709         and marks it in visitChildren (WriteBarrier<Unknown>).
2710         However, the order of destruction is not guaranteed in a GC-ed system.
2711
2712         Consider the following case:
2713         allocate a JSSet and subsequently allocate a JSSetIterator.
2714         They reside in separate MarkedBlocks, <1> and <2>.
2715
2716         JSSet<1> <- JSSetIterator<2>
2717
2718         After that, when performing GC, the Marker decides that the above 2 objects are not marked.
2719         The Marker also decides that MarkedBlocks <1> and <2> can be swept.
2720
2721         First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
2722         Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
2723         However, JSSetIterator<2>'s destructor,
2724         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.
2725
2726         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
2727         When packing the removed elements in JSSet/JSMap, we apply the change to all live
2728         iterators tracked by WeakGCMap.
2729
2730         WeakGCMap can only track JSCells, since they are managed by the GC.
2731         So we drop the JSSet/JSMap C++ style iterators. Instead of a C++ style iterator, this patch
2732         introduces JS style iterator signatures into the C++ class IteratorData.
2733         If we need to iterate over a JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
2734         IteratorData directly.
2735
2736         * runtime/JSMap.cpp:
2737         (JSC::JSMap::destroy):
2738         * runtime/JSMap.h:
2739         (JSC::JSMap::JSMap):
2740         (JSC::JSMap::begin): Deleted.
2741         (JSC::JSMap::end): Deleted.
2742         * runtime/JSMapIterator.cpp:
2743         (JSC::JSMapIterator::destroy):
2744         * runtime/JSMapIterator.h:
2745         (JSC::JSMapIterator::next):
2746         (JSC::JSMapIterator::nextKeyValue):
2747         (JSC::JSMapIterator::iteratorData):
2748         (JSC::JSMapIterator::JSMapIterator):
2749         * runtime/JSSet.cpp:
2750         (JSC::JSSet::destroy):
2751         * runtime/JSSet.h:
2752         (JSC::JSSet::JSSet):
2753         (JSC::JSSet::begin): Deleted.
2754         (JSC::JSSet::end): Deleted.
2755         * runtime/JSSetIterator.cpp:
2756         (JSC::JSSetIterator::destroy):
2757         * runtime/JSSetIterator.h:
2758         (JSC::JSSetIterator::next):
2759         (JSC::JSSetIterator::iteratorData):
2760         (JSC::JSSetIterator::JSSetIterator):
2761         * runtime/MapData.h:
2762         (JSC::MapDataImpl::IteratorData::finish):
2763         (JSC::MapDataImpl::IteratorData::isFinished):
2764         (JSC::MapDataImpl::shouldPack):
2765         (JSC::JSIterator>::MapDataImpl):
2766         (JSC::JSIterator>::KeyType::KeyType):
2767         (JSC::JSIterator>::IteratorData::IteratorData):
2768         (JSC::JSIterator>::IteratorData::next):
2769         (JSC::JSIterator>::IteratorData::ensureSlot):
2770         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
2771         (JSC::JSIterator>::IteratorData::refreshCursor):
2772         (JSC::MapDataImpl::const_iterator::key): Deleted.
2773         (JSC::MapDataImpl::const_iterator::value): Deleted.
2774         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
2775         (JSC::MapDataImpl::const_iterator::finish): Deleted.
2776         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
2777         (JSC::MapDataImpl::begin): Deleted.
2778         (JSC::MapDataImpl::end): Deleted.
2779         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
2780         (JSC::MapDataImpl<Entry>::clear): Deleted.
2781         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
2782         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
2783         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
2784         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
2785         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
2786         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
2787         (JSC::=): Deleted.
2788         * runtime/MapDataInlines.h:
2789         (JSC::JSIterator>::clear):
2790         (JSC::JSIterator>::find):
2791         (JSC::JSIterator>::contains):
2792         (JSC::JSIterator>::add):
2793         (JSC::JSIterator>::set):
2794         (JSC::JSIterator>::get):
2795         (JSC::JSIterator>::remove):
2796         (JSC::JSIterator>::replaceAndPackBackingStore):
2797         (JSC::JSIterator>::replaceBackingStore):
2798         (JSC::JSIterator>::ensureSpaceForAppend):
2799         (JSC::JSIterator>::visitChildren):
2800         (JSC::JSIterator>::copyBackingStore):
2801         (JSC::JSIterator>::applyMapDataPatch):
2802         (JSC::MapDataImpl<Entry>::find): Deleted.
2803         (JSC::MapDataImpl<Entry>::contains): Deleted.
2804         (JSC::MapDataImpl<Entry>::add): Deleted.
2805         (JSC::MapDataImpl<Entry>::set): Deleted.
2806         (JSC::MapDataImpl<Entry>::get): Deleted.
2807         (JSC::MapDataImpl<Entry>::remove): Deleted.
2808         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
2809         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
2810         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
2811         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
2812         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
2813         * runtime/MapPrototype.cpp:
2814         (JSC::mapProtoFuncForEach):
2815         * runtime/SetPrototype.cpp:
2816         (JSC::setProtoFuncForEach):
2817         * runtime/WeakGCMap.h:
2818         (JSC::WeakGCMap::forEach):
2819         * tests/stress/modify-map-during-iteration.js: Added.
2820         (testValue):
2821         (identityPairs):
2822         (.set if):
2823         (var):
2824         (set map):
2825         * tests/stress/modify-set-during-iteration.js: Added.
2826         (testValue):
2827         (set forEach):
2828         (set delete):
2829
2830 2015-03-24  Mark Lam  <mark.lam@apple.com>
2831
2832         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
2833         <https://webkit.org/b/143024>
2834
2835         Reviewed by Geoffrey Garen.
2836
2837         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
2838         passed in from testapi.c.  It should create its own for better
2839         encapsulation of the test.
2840
2841         * API/tests/ExecutionTimeLimitTest.cpp:
2842         (currentCPUTimeAsJSFunctionCallback):
2843         (testExecutionTimeLimit):
2844         * API/tests/ExecutionTimeLimitTest.h:
2845         * API/tests/testapi.c:
2846         (main):
2847
2848 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2849
2850         ES6: Object Literal Methods toString is missing method name
2851         https://bugs.webkit.org/show_bug.cgi?id=142992
2852
2853         Reviewed by Geoffrey Garen.
2854
2855         Always stringify functions in the pattern:
2856
2857           "function " + <function name> + <text from opening parenthesis to closing brace>.
2858
2859         * runtime/FunctionPrototype.cpp:
2860         (JSC::functionProtoFuncToString):
2861         Update the path that was not stringifying in this pattern.
2862
2863         * bytecode/UnlinkedCodeBlock.cpp:
2864         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2865         * bytecode/UnlinkedCodeBlock.h:
2866         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
2867         * parser/Nodes.h:
2868         * runtime/Executable.cpp:
2869         (JSC::FunctionExecutable::FunctionExecutable):
2870         * runtime/Executable.h:
2871         (JSC::FunctionExecutable::parametersStartOffset):
2872         Pass the already known function parameter opening parenthesis
2873         start offset through to the FunctionExecutable. 
2874
2875         * tests/mozilla/js1_5/Scope/regress-185485.js:
2876         (with.g):
2877         Add back original space in this test that was removed by r181810
2878         now that we have the space again in stringification.
2879
2880 2015-03-24  Michael Saboff  <msaboff@apple.com>
2881
2882         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
2883         https://bugs.webkit.org/show_bug.cgi?id=142856
2884
2885         Reviewed by Filip Pizlo.
2886
2887         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
2888         get info for three loops to iterate over indexed properties, structure properties and other properties,
2889         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
2890         for all loops before we execute any enumeration.
2891
2892         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
2893         The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
2894         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
2895
2896         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
2897         op_next_enumerator_pname.
2898         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
2899         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
2900         end value we stop iterating on.
2901
2902         Made corresponding node changes to the DFG and FTL for the bytecode changes.
2903
2904         * bytecode/BytecodeList.json:
2905         * bytecode/BytecodeUseDef.h:
2906         (JSC::computeUsesForBytecodeOffset):
2907         (JSC::computeDefsForBytecodeOffset):
2908         * bytecode/CodeBlock.cpp:
2909         (JSC::CodeBlock::dumpBytecode):
2910         * bytecompiler/BytecodeGenerator.cpp:
2911         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
2912         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
2913         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
2914         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
2915         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
2916         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
2917         * bytecompiler/BytecodeGenerator.h:
2918         * bytecompiler/NodesCodegen.cpp:
2919         (JSC::ForInNode::emitMultiLoopBytecode):
2920         * dfg/DFGAbstractInterpreterInlines.h:
2921         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2922         * dfg/DFGByteCodeParser.cpp:
2923         (JSC::DFG::ByteCodeParser::parseBlock):
2924         * dfg/DFGCapabilities.cpp:
2925         (JSC::DFG::capabilityLevel):
2926         * dfg/DFGClobberize.h:
2927         (JSC::DFG::clobberize):
2928         * dfg/DFGDoesGC.cpp:
2929         (JSC::DFG::doesGC):
2930         * dfg/DFGFixupPhase.cpp:
2931         (JSC::DFG::FixupPhase::fixupNode):
2932         * dfg/DFGNodeType.h:
2933         * dfg/DFGPredictionPropagationPhase.cpp:
2934         (JSC::DFG::PredictionPropagationPhase::propagate):
2935         * dfg/DFGSafeToExecute.h:
2936         (JSC::DFG::safeToExecute):
2937         * dfg/DFGSpeculativeJIT32_64.cpp:
2938         (JSC::DFG::SpeculativeJIT::compile):
2939         * dfg/DFGSpeculativeJIT64.cpp:
2940         (JSC::DFG::SpeculativeJIT::compile):
2941         * ftl/FTLAbstractHeapRepository.h:
2942         * ftl/FTLCapabilities.cpp:
2943         (JSC::FTL::canCompile):
2944         * ftl/FTLLowerDFGToLLVM.cpp:
2945         (JSC::FTL::LowerDFGToLLVM::compileNode):
2946         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2947         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
2948         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
2949         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
2950         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
2951         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
2952         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
2953         * jit/JIT.cpp:
2954         (JSC::JIT::privateCompileMainPass):
2955         * jit/JIT.h:
2956         * jit/JITOpcodes.cpp:
2957         (JSC::JIT::emit_op_enumerator_structure_pname):
2958         (JSC::JIT::emit_op_enumerator_generic_pname):
2959         (JSC::JIT::emit_op_get_property_enumerator):
2960         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2961         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
2962         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
2963         * jit/JITOpcodes32_64.cpp:
2964         (JSC::JIT::emit_op_enumerator_structure_pname):
2965         (JSC::JIT::emit_op_enumerator_generic_pname):
2966         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2967         * jit/JITOperations.cpp:
2968         * jit/JITOperations.h:
2969         * llint/LowLevelInterpreter.asm:
2970         * runtime/CommonSlowPaths.cpp:
2971         (JSC::SLOW_PATH_DECL):
2972         * runtime/CommonSlowPaths.h:
2973         * runtime/JSPropertyNameEnumerator.cpp:
2974         (JSC::JSPropertyNameEnumerator::create):
2975         (JSC::JSPropertyNameEnumerator::finishCreation):
2976         * runtime/JSPropertyNameEnumerator.h:
2977         (JSC::JSPropertyNameEnumerator::indexedLength):
2978         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
2979         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
2980         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
2981         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
2982         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
2983         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
2984         (JSC::propertyNameEnumerator):
2985         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
2986         (JSC::structurePropertyNameEnumerator): Deleted.
2987         (JSC::genericPropertyNameEnumerator): Deleted.
2988         * runtime/Structure.cpp:
2989         (JSC::Structure::setCachedPropertyNameEnumerator):
2990         (JSC::Structure::cachedPropertyNameEnumerator):
2991         (JSC::Structure::canCachePropertyNameEnumerator):
2992         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
2993         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
2994         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
2995         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
2996         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
2997         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
2998         * runtime/Structure.h:
2999         * runtime/StructureRareData.cpp:
3000         (JSC::StructureRareData::visitChildren):
3001         (JSC::StructureRareData::cachedPropertyNameEnumerator):
3002         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
3003         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
3004         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
3005         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
3006         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
3007         * runtime/StructureRareData.h:
3008         * tests/stress/for-in-delete-during-iteration.js:
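
        An added sketch, not JavaScriptCore's code, of the enumerator shape this entry describes:
        one indexed count plus a single name list split into the structure range
        [0, endStructurePropertyIndex) and the generic range
        [endStructurePropertyIndex, endGenericPropertyIndex), gathered in one call before the
        three loops run. ToyObject, PropertyEnumerator, forIn and the scenario functions are
        constructed for the example. The has() check that skips a name deleted before the loop
        reaches it follows ordinary for-in semantics and is an assumption of the example, not
        something this entry states.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <vector>

// Toy object: indexed storage, "structure" (in-object) properties and generic
// (dictionary) properties. Constructed for the example; not JSC's JSObject.
struct ToyObject {
    std::vector<int> indexed;
    std::vector<std::string> structureNames;
    std::map<std::string, int> genericNames;

    bool has(const std::string& name) const
    {
        for (const std::string& n : structureNames) {
            if (n == name)
                return true;
        }
        return genericNames.count(name) != 0;
    }
};

// One snapshot: indexed count and a single name list with two end markers,
// mirroring the layout the ChangeLog describes for JSPropertyNameEnumerator.
struct PropertyEnumerator {
    size_t indexedLength = 0;
    std::vector<std::string> names;
    size_t endStructurePropertyIndex = 0;
    size_t endGenericPropertyIndex = 0;
};

// The single "get enumerator" call made before any loop runs.
PropertyEnumerator getPropertyEnumerator(const ToyObject& o)
{
    PropertyEnumerator e;
    e.indexedLength = o.indexed.size();
    e.names = o.structureNames;
    e.endStructurePropertyIndex = e.names.size();
    for (const auto& kv : o.genericNames)
        e.names.push_back(kv.first);
    e.endGenericPropertyIndex = e.names.size();
    return e;
}

using LoopBody = std::function<void(ToyObject&, const std::string&)>;

// Three loops driven by the one snapshot. The body may mutate the object:
// names removed before they are reached are skipped, names added after the
// snapshot are never seen. Returns the names visited, in order.
std::vector<std::string> forIn(ToyObject& o, const LoopBody& body)
{
    PropertyEnumerator e = getPropertyEnumerator(o);
    std::vector<std::string> visited;
    auto visit = [&](const std::string& name) {
        visited.push_back(name);
        body(o, name);
    };
    for (size_t i = 0; i < e.indexedLength; ++i) {
        if (i < o.indexed.size()) // still present?
            visit(std::to_string(i));
    }
    for (size_t i = 0; i < e.endStructurePropertyIndex; ++i) {
        if (o.has(e.names[i]))
            visit(e.names[i]);
    }
    for (size_t i = e.endStructurePropertyIndex; i < e.endGenericPropertyIndex; ++i) {
        if (o.has(e.names[i]))
            visit(e.names[i]);
    }
    return visited;
}

// The bug title's scenario: every iteration adds a property. With the
// up-front snapshot none of the added names is enumerated.
std::vector<std::string> enumerateWhileAdding()
{
    ToyObject o;
    o.indexed = {10, 20};
    o.structureNames = {"a", "b"};
    o.genericNames = {{"x", 1}};
    int counter = 0;
    return forIn(o, [&](ToyObject& obj, const std::string&) {
        obj.genericNames["added" + std::to_string(counter++)] = 0;
    }); // {"0", "1", "a", "b", "x"}
}

// Deleting a not-yet-visited name during the loop skips it.
std::vector<std::string> enumerateWhileDeleting()
{
    ToyObject o;
    o.structureNames = {"a", "b"};
    o.genericNames = {{"x", 1}, {"y", 2}};
    return forIn(o, [](ToyObject& obj, const std::string& name) {
        if (name == "a")
            obj.genericNames.erase("y");
    }); // {"a", "b", "x"}
}

int main()
{
    for (const std::string& name : enumerateWhileAdding())
        std::printf("%s ", name.c_str());
    std::printf("\n");
    return 0;
}
```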
3009
3010 2015-03-24  Michael Saboff  <msaboff@apple.com>
3011
3012         Unreviewed build fix for debug builds.
3013
3014         * runtime/ExceptionHelpers.cpp:
3015         (JSC::invalidParameterInSourceAppender):
3016
3017 2015-03-24  Saam Barati  <saambarati1@gmail.com>
3018
3019         Improve error messages in JSC
3020         https://bugs.webkit.org/show_bug.cgi?id=141869
3021
3022         Reviewed by Geoffrey Garen.
3023
3024         JavaScriptCore has some unintuitive error messages associated
3025         with certain common errors. This patch changes some specific
3026         error messages to be more understandable and also creates a
3027         mechanism that will allow for easy modification of error messages
3028         in the future. The specific errors we change are not a function
3029         errors and invalid parameter errors.
3030
3031         * CMakeLists.txt:
3032         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3033         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3034         * JavaScriptCore.xcodeproj/project.pbxproj:
3035         * interpreter/Interpreter.cpp:
3036         (JSC::sizeOfVarargs):
3037         * jit/JITOperations.cpp:
3038         op_throw_static_error always has a JSString as its argument.
3039         There is no need to dance around this, and we should assert
3040         that this always holds. This JSString represents the error 
3041         message we want to display to the user, so there is no need
3042         to pass it into errorDescriptionForValue which will now place
3043         quotes around the string.
3044
3045         * llint/LLIntSlowPaths.cpp:
3046         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3047         * runtime/CommonSlowPaths.h:
3048         (JSC::CommonSlowPaths::opIn):
3049         * runtime/ErrorInstance.cpp:
3050         (JSC::ErrorInstance::ErrorInstance):
3051         * runtime/ErrorInstance.h:
3052         (JSC::ErrorInstance::hasSourceAppender):
3053         (JSC::ErrorInstance::sourceAppender):
3054         (JSC::ErrorInstance::setSourceAppender):
3055         (JSC::ErrorInstance::clearSourceAppender):
3056         (JSC::ErrorInstance::setRuntimeTypeForCause):
3057         (JSC::ErrorInstance::runtimeTypeForCause):
3058         (JSC::ErrorInstance::clearRuntimeTypeForCause):
3059         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
3060         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
3061         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
3062         * runtime/ExceptionHelpers.cpp:
3063         (JSC::errorDescriptionForValue):
3064         (JSC::defaultApproximateSourceError):
3065         (JSC::defaultSourceAppender):
3066         (JSC::functionCallBase):
3067         (JSC::notAFunctionSourceAppender):
3068         (JSC::invalidParameterInSourceAppender):
3069         (JSC::invalidParameterInstanceofSourceAppender):
3070         (JSC::createError):
3071         (JSC::createInvalidFunctionApplyParameterError):
3072         (JSC::createInvalidInParameterError):
3073         (JSC::createInvalidInstanceofParameterError):
3074         (JSC::createNotAConstructorError):
3075         (JSC::createNotAFunctionError):
3076         (JSC::createNotAnObjectError):
3077         (JSC::createInvalidParameterError): Deleted.
3078         * runtime/ExceptionHelpers.h:
3079         * runtime/JSObject.cpp:
3080         (JSC::JSObject::hasInstance):
3081         * runtime/RuntimeType.cpp: Added.
3082         (JSC::runtimeTypeForValue):
3083         (JSC::runtimeTypeAsString):
3084         * runtime/RuntimeType.h: Added.
3085         * runtime/TypeProfilerLog.cpp:
3086         (JSC::TypeProfilerLog::processLogEntries):
3087         * runtime/TypeSet.cpp:
3088         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
3089         * runtime/TypeSet.h:
3090         * runtime/VM.cpp:
3091         (JSC::appendSourceToError):
3092         (JSC::VM::throwException):
3093
3094 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
3095
3096         JSC should have a low-cost asynchronous disassembler
3097         https://bugs.webkit.org/show_bug.cgi?id=142997
3098
3099         Reviewed by Mark Lam.
3100         
3101         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
3102         doesn't block execution. Some code will live a little longer because of this, since the
3103         work tasks hold a ref to the code, but other than that there is basically no overhead.
3104         
3105         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
3106         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
3107         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
3108         JSC_asyncDisassembly has bizarre behavior - so just choose one.
3109         
3110         A simple way of understanding how great this is, is to run a small benchmark like
3111         V8Spider/earley-boyer.
3112         
3113         Performance without any disassembly flags: 60ms
3114         Performance with JSC_showDisassembly=true: 477ms
3115         Performance with JSC_asyncDisassembly=true: 65ms
3116         
3117         So, the overhead of disassembly goes from 8x to 8%.
3118         
3119         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
3120         measuring benchmark performance. This is because at VM exit, we wait for all async
3121         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
3122         after the benchmark completely finishes to finish the disassemblies. This small weirdness
3123         should be OK for the intended use-cases, since all you have to do to get around it is to
3124         measure the execution time of the benchmark payload rather than the end-to-end time of
3125         launching the VM.
3126
3127         * assembler/LinkBuffer.cpp:
3128         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3129         * assembler/LinkBuffer.h:
3130         (JSC::LinkBuffer::wasAlreadyDisassembled):
3131         (JSC::LinkBuffer::didAlreadyDisassemble):
3132         * dfg/DFGJITCompiler.cpp:
3133         (JSC::DFG::JITCompiler::disassemble):
3134         * dfg/DFGJITFinalizer.cpp:
3135         (JSC::DFG::JITFinalizer::finalize):
3136         (JSC::DFG::JITFinalizer::finalizeFunction):
3137         * disassembler/Disassembler.cpp:
3138         (JSC::disassembleAsynchronously):
3139         (JSC::waitForAsynchronousDisassembly):
3140         * disassembler/Disassembler.h:
3141         * ftl/FTLCompile.cpp:
3142         (JSC::FTL::mmAllocateDataSection):
3143         * ftl/FTLLink.cpp:
3144         (JSC::FTL::link):
3145         * jit/JIT.cpp:
3146         (JSC::JIT::privateCompile):
3147         * jsc.cpp:
3148         * runtime/Options.h:
3149         * runtime/VM.cpp:
3150         (JSC::VM::~VM):
3151
3152 2015-03-23  Dean Jackson  <dino@apple.com>
3153
3154         ES7: Implement Array.prototype.includes
3155         https://bugs.webkit.org/show_bug.cgi?id=142707
3156
3157         Reviewed by Geoffrey Garen.
3158
3159         Add support for the ES7 includes method on Arrays.
3160         https://github.com/tc39/Array.prototype.includes
3161
3162         * builtins/Array.prototype.js:
3163         (includes): Implementation in JS.
3164         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
3165
3166 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
3167
3168         __defineGetter__/__defineSetter__ should throw exceptions
3169         https://bugs.webkit.org/show_bug.cgi?id=142934
3170
3171         Reviewed by Geoffrey Garen.
3172
3173         * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        Throw exceptions when these functions are used directly.

2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>

        Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
        https://bugs.webkit.org/show_bug.cgi?id=142952

        Reviewed by Geoffrey Garen.

        * runtime/Structure.cpp:
        (JSC::PropertyTable::checkConsistency):
        The check offset method doesn't exist in PropertyTable; it exists in Structure.

        (JSC::Structure::checkConsistency):
        So move it here, and always put it at the start to match normal behavior.

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
        https://bugs.webkit.org/show_bug.cgi?id=142956

        Rubber stamped by Gyuyoung Kim.

        Just removing dead code.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGValueRecoveryOverride.h: Removed.

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
        https://bugs.webkit.org/show_bug.cgi?id=142948

        Reviewed by Sam Weinig.

        It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
        since a signal may clobber the area below the stack pointer. When the DFG is executing,
        the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
        baseline, we will use a different amount of stack. This is because baseline is a different
        compiler. It will make different decisions. So it will use a different amount of stack.

        This gets tricky when we are in the process of doing an OSR exit, because we are sort of
        incrementally transforming the stack from how it looked in the DFG to how it will look in
        baseline. The most conservative approach would be to set the stack pointer to the max of
        DFG and baseline.

        When this code was written, a reckless assumption was made: that the stack usage in
        baseline is always at least as large as the stack usage in DFG. Based on this incorrect
        assumption, the code first adjusts the stack pointer to account for the baseline stack
        usage. This sort of usually works, because usually baseline does happen to use more stack.
        But that's not an invariant. Nobody guarantees this. We will never make any changes that
        would make this be guaranteed, because that would be antithetical to how optimizing
        compilers work. The DFG should be allowed to use however much stack it decides that it
        should use in order to get good performance, and it shouldn't try to guarantee that it
        always uses less stack than baseline.

        As such, we must always assume that the frame size for DFG execution (i.e.
        frameRegisterCount) and the frame size in baseline once we exit (i.e.
        requiredRegisterCountForExit) are two independent quantities and they have no
        relationship.

        Fortunately, though, this code can be made correct by just moving the stack adjustment to
        just before we do conversions. This is because we have since changed the OSR exit
        algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
        drop it out of the scratch buffer and into the stack according to the baseline layout. The
        point just before conversions is the point where we have finished reading the DFG frame
        and will not read it anymore, and we haven't started writing the baseline frame. So, at
        this point it is safe to set the stack pointer to account for the frame size at exit.

        This is benign because baseline happens to create larger frames than DFG.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):

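As an added illustration of the ordering argument in the entry above (example code written here, not JSC's own): a toy model of a downward-growing stack where a signal handler may overwrite everything below the stack pointer, run under both the old ordering (stack pointer adjusted before the DFG frame is read) and the fixed one (adjusted just before conversions). The names osrModel, Stack, ExitPlan, the recovery map and the constructed register values are assumptions of the example; frameRegisterCount and requiredRegisterCountForExit follow the entry's terminology.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

namespace osrModel {
constexpr size_t kStackSlots = 32;
constexpr uint32_t kClobber = 0xDEADBEEF; // constructed marker for slots a signal handler overwrote

// Downward-growing stack; the live frame occupies slots [sp, base).
struct Stack {
    std::array<uint32_t, kStackSlots> slots{};
    size_t base = kStackSlots;
    size_t sp = kStackSlots;
    uint32_t& reg(size_t i) { return slots[base - 1 - i]; } // register i of the live frame
    // A signal handler owns everything below sp; model delivery as overwriting those slots.
    void deliverSignal() { for (size_t i = 0; i < sp; ++i) slots[i] = kClobber; }
};

struct ExitPlan {
    size_t frameRegisterCount;           // DFG frame size
    size_t requiredRegisterCountForExit; // baseline frame size at exit
    std::vector<size_t> recovery;        // baseline register j is recovered from DFG register recovery[j]
};

// adjustEarly=true: old ordering, sp moved to the exit frame size before the DFG frame is read.
// adjustEarly=false: the fix, all DFG state lifted into scratch before sp moves (just before conversions).
// The signal is delivered right after the sp adjustment, the point where the two orderings differ.
void osrExit(Stack& s, const ExitPlan& p, bool adjustEarly) {
    std::vector<uint32_t> scratch(p.frameRegisterCount);
    if (adjustEarly) { s.sp = s.base - p.requiredRegisterCountForExit; s.deliverSignal(); }
    for (size_t i = 0; i < p.frameRegisterCount; ++i) scratch[i] = s.reg(i); // lift DFG state
    if (!adjustEarly) { s.sp = s.base - p.requiredRegisterCountForExit; s.deliverSignal(); }
    for (size_t j = 0; j < p.requiredRegisterCountForExit; ++j) // conversions into the baseline layout
        s.reg(j) = scratch[p.recovery[j]];
}

// Enter a DFG frame whose register i holds the constructed value 100 + i, exit with the
// given ordering, and return how many baseline registers end up with the right value.
size_t simulate(const ExitPlan& p, bool adjustEarly) {
    Stack s;
    s.sp = s.base - p.frameRegisterCount;
    for (size_t i = 0; i < p.frameRegisterCount; ++i) s.reg(i) = static_cast<uint32_t>(100 + i);
    osrExit(s, p, adjustEarly);
    size_t ok = 0;
    for (size_t j = 0; j < p.requiredRegisterCountForExit; ++j)
        if (s.reg(j) == 100 + p.recovery[j]) ++ok;
    return ok;
}
} // namespace osrModel
```

With a DFG frame of 8 registers and an exit frame of 4 whose values are recovered from the deep DFG registers, the early adjustment loses every value while the fixed ordering recovers all of them; when baseline's frame is the larger one, both orderings behave the same, which is why the bug stayed hidden.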
2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        Shorten the number of iterations to 10,000 since that's enough to test all tiers.

        Rubber stamped by Sam Weinig.

        * tests/stress/equals-masquerader.js:

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        tests/stress/*tdz* tests do 10x more iterations than necessary
        https://bugs.webkit.org/show_bug.cgi?id=142946

        Reviewed by Ryosuke Niwa.

        The stress test harness runs all of these tests in various configurations. This includes
        no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
        enough to get to the highest tier. The only exceptions are very large functions or
        functions that have some reoptimizations. That happens rarely, and when it does happen,
        usually 20,000 iterations is enough.

        Therefore, these tests use 10x too many iterations. This is bad, since these tests
        allocate on each iteration, and so they run very slowly in debug mode.

        * tests/stress/class-syntax-no-loop-tdz.js:
        * tests/stress/class-syntax-no-tdz-in-catch.js:
        * tests/stress/class-syntax-no-tdz-in-conditional.js:
        * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
        * tests/stress/class-syntax-no-tdz-in-loop.js:
        * tests/stress/class-syntax-no-tdz.js:
        * tests/stress/class-syntax-tdz-in-catch.js:
        * tests/stress/class-syntax-tdz-in-conditional.js:
        * tests/stress/class-syntax-tdz-in-loop.js:
        * tests/stress/class-syntax-tdz.js:

2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>

        Fix a typo in Parser error message
        https://bugs.webkit.org/show_bug.cgi?id=142942

        Reviewed by Alexey Proskuryakov.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_resolve_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_resolve_scope):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        Fix a common identifier typo.

2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>

        Computed Property names should allow only AssignmentExpressions not any Expression
        https://bugs.webkit.org/show_bug.cgi?id=142902

        Reviewed by Ryosuke Niwa.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        Limit computed expressions to just assignment expressions instead of
        any expression (which allowed comma expressions).

2015-03-21  Andreas Kling  <akling@apple.com>

        Make UnlinkedFunctionExecutable fit in a 128-byte cell.
        <https://webkit.org/b/142939>

        Reviewed by Mark Hahnenberg.

        Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
        a 128-byte heap cell instead of requiring a 256-byte one.

        Threw in a static_assert to catch anyone pushing it over the limit again.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::functionMode):