ES6 class syntax should use block scoping
2015-07-31  Saam barati  <saambarati1@gmail.com>

        ES6 class syntax should use block scoping
        https://bugs.webkit.org/show_bug.cgi?id=142567

        Reviewed by Geoffrey Garen.

        We treat class declarations like we do "let" declarations.
        The class name is under TDZ until the class declaration
        statement is evaluated. Class declarations also follow
        the same rules as "let": No duplicate definitions inside
        a lexical environment.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createClassDeclStatement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClassDeclaration):
        * tests/stress/class-syntax-block-scoping.js: Added.
        (assert):
        (truth):
        (.):
        * tests/stress/class-syntax-definition-semantics.js: Added.
        (shouldBeSyntaxError):
        (shouldNotBeSyntaxError):
        (truth):
        * tests/stress/class-syntax-tdz.js:
        (assert):
        (shouldThrowTDZ):
        (truth):
        (.):

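The three rules the entry above describes (class name in its TDZ until the declaration is evaluated, block scoping, and no duplicate definitions in one lexical environment) are observable from script. The following is an added example, not part of the WebKit ChangeLog and not the patch's own stress tests; the function names are the example's own. Duplicate-definition cases are fed through the Function constructor so the early SyntaxError can be caught and reported instead of aborting the whole script.

```javascript
// Added example (not WebKit's code): observable consequences of treating
// ES6 class declarations like "let" declarations.

// 1. Temporal dead zone: the binding for Foo exists for the whole function
//    body, but using it before the class declaration statement has been
//    evaluated throws a ReferenceError.
function classIsUnderTDZ() {
  try {
    new Foo(); // Foo is in its TDZ here
  } catch (e) {
    return e instanceof ReferenceError;
  }
  class Foo {}
  return false;
}

// 2. Block scoping: a class declared inside a block is only visible there and
//    shadows an outer class of the same name without clobbering it.
function classIsBlockScoped() {
  class Shape { kind() { return "outer"; } }
  let innerKind;
  {
    class Shape { kind() { return "inner"; } }
    innerKind = new Shape().kind();
  }
  return { outer: new Shape().kind(), inner: innerKind };
}

// 3. Duplicate definitions: as with "let", declaring the same name twice in
//    one lexical environment (or clashing with a var) is an early SyntaxError.
//    The source is compiled via the Function constructor so the parse error is
//    raised at runtime and can be inspected.
function isEarlySyntaxError(source) {
  try {
    new Function(source);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Cases a parser following the "let" rules must accept or reject:
const duplicateDefinitionCases = [
  { source: "class A {} class A {}",      expectError: true  },
  { source: "let A = 1; class A {}",      expectError: true  },
  { source: "var A; class A {}",          expectError: true  },
  { source: "class A {} { class A {} }",  expectError: false }, // different block
  { source: "class A {}",                 expectError: false },
];

function duplicateDefinitionRulesHold() {
  return duplicateDefinitionCases.every(
    (c) => isEarlySyntaxError(c.source) === c.expectError
  );
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("TDZ:", classIsUnderTDZ());
  console.log("block scoping:", classIsBlockScoped());
  console.log("duplicate-definition rules:", duplicateDefinitionRulesHold());
}
```

The last case matters for anyone writing such a check: a second class of the same name in a nested block is a shadowing declaration, not a duplicate, so a correct implementation must track lexical environments rather than a flat per-function name set.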
2015-07-31  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement WebAssembly module parser
        https://bugs.webkit.org/show_bug.cgi?id=147293

        Reviewed by Mark Lam.

        Re-landing after fix for the "..\..\jsc.cpp(46): fatal error C1083: Cannot open
        include file: 'JSWASMModule.h'" issue on Windows.

        Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
        <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
        the magic number at the beginning of the files. Parsing of the rest will be
        implemented in a subsequent patch.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::data):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wasmModuleStructure):
        * wasm/WASMMagicNumber.h: Added.
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h: Added.
        * wasm/WASMReader.cpp: Added.
        (JSC::WASMReader::readUnsignedInt32):
        (JSC::WASMReader::readFloat):
        (JSC::WASMReader::readDouble):
        * wasm/WASMReader.h: Added.
        (JSC::WASMReader::WASMReader):

2015-07-30  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Add the "wasm" directory to the Additional Include Directories for jsc.exe
        https://bugs.webkit.org/show_bug.cgi?id=147443

        Reviewed by Mark Lam.

        This patch should fix the "..\..\jsc.cpp(46): fatal error C1083:
        Cannot open include file: 'JSWASMModule.h'" error in the Windows build.

        * JavaScriptCore.vcxproj/jsc/jscCommon.props:

2015-07-30  Chris Dumez  <cdumez@apple.com>

        Mark more classes as fast allocated
        https://bugs.webkit.org/show_bug.cgi?id=147440

        Reviewed by Sam Weinig.

        Mark more classes as fast allocated for performance. We heap-allocate
        objects of those types throughout the code base.

        * API/JSCallbackObject.h:
        * API/ObjCCallbackFunction.mm:
        * bytecode/BytecodeKills.h:
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/CallLinkStatus.h:
        * bytecode/FullBytecodeLiveness.h:
        * bytecode/SamplingTool.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockMap.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGThreadData.h:
        * heap/HeapVerifier.h:
        * heap/SlotVisitor.h:
        * parser/Lexer.h:
        * runtime/ControlFlowProfiler.h:
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.h:
        * runtime/Watchdog.h:

2015-07-29  Filip Pizlo  <fpizlo@apple.com>

        DFG::ArgumentsEliminationPhase should emit a PutStack for all of the GetStacks that the ByteCodeParser emitted
        https://bugs.webkit.org/show_bug.cgi?id=147433
        rdar://problem/21668986

        Reviewed by Mark Lam.

        Ideally, the ByteCodeParser would only emit SetArgument nodes for named arguments.  But
        currently that's not what it does - it emits a SetArgument for every argument that a varargs
        call may pass.  Each SetArgument gets turned into a GetStack.  This means that if
        ArgumentsEliminationPhase optimizes away PutStacks for those varargs arguments that didn't
        get passed or used, we get degenerate IR where we have a GetStack of something that didn't
        have a PutStack.

        This fixes the bug by removing the code to optimize away PutStacks in
        ArgumentsEliminationPhase.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * tests/stress/varargs-inlining-underflow.js: Added.
        (baz):
        (bar):
        (foo):

2015-07-29  Andy VanWagoner  <thetalecrafter@gmail.com>

        Implement basic types for ECMAScript Internationalization API
        https://bugs.webkit.org/show_bug.cgi?id=146926

        Reviewed by Benjamin Poulain.

        Adds basic types for ECMA-402 2nd edition, but does not implement the full locale-aware features yet.
        http://www.ecma-international.org/ecma-402/2.0/ECMA-402.pdf

        * CMakeLists.txt: Added new Intl files.
        * Configurations/FeatureDefines.xcconfig: Enable INTL.
        * DerivedSources.make: Added Intl files.
        * JavaScriptCore.xcodeproj/project.pbxproj: Added Intl files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added Intl files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added Intl files.
        * runtime/CommonIdentifiers.h: Added Collator, NumberFormat, and DateTimeFormat.
        * runtime/DateConstructor.cpp: Made Date.now public.
        * runtime/DateConstructor.h: Made Date.now public.
        * runtime/IntlCollator.cpp: Added.
        (JSC::IntlCollator::create):
        (JSC::IntlCollator::createStructure):
        (JSC::IntlCollator::IntlCollator):
        (JSC::IntlCollator::finishCreation):
        (JSC::IntlCollator::destroy):
        (JSC::IntlCollator::visitChildren):
        (JSC::IntlCollator::setBoundCompare):
        (JSC::IntlCollatorFuncCompare): Added placeholder implementation using codePointCompare.
        * runtime/IntlCollator.h: Added.
        (JSC::IntlCollator::constructor):
        (JSC::IntlCollator::boundCompare):
        * runtime/IntlCollatorConstructor.cpp: Added.
        (JSC::IntlCollatorConstructor::create):
        (JSC::IntlCollatorConstructor::createStructure):
        (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
        (JSC::IntlCollatorConstructor::finishCreation):
        (JSC::constructIntlCollator): Added Collator constructor (10.1.2).
        (JSC::callIntlCollator): Added Collator constructor (10.1.2).
        (JSC::IntlCollatorConstructor::getConstructData):
        (JSC::IntlCollatorConstructor::getCallData):
        (JSC::IntlCollatorConstructor::getOwnPropertySlot):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlCollatorConstructor::visitChildren):
        * runtime/IntlCollatorConstructor.h: Added.
        (JSC::IntlCollatorConstructor::collatorStructure):
        * runtime/IntlCollatorPrototype.cpp: Added.
        (JSC::IntlCollatorPrototype::create):
        (JSC::IntlCollatorPrototype::createStructure):
        (JSC::IntlCollatorPrototype::IntlCollatorPrototype):
        (JSC::IntlCollatorPrototype::finishCreation):
        (JSC::IntlCollatorPrototype::getOwnPropertySlot):
        (JSC::IntlCollatorPrototypeGetterCompare): Added compare getter (10.3.3).
        (JSC::IntlCollatorPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlCollatorPrototype.h: Added.
        * runtime/IntlDateTimeFormat.cpp: Added.
        (JSC::IntlDateTimeFormat::create):
        (JSC::IntlDateTimeFormat::createStructure):
        (JSC::IntlDateTimeFormat::IntlDateTimeFormat):
        (JSC::IntlDateTimeFormat::finishCreation):
        (JSC::IntlDateTimeFormat::destroy):
        (JSC::IntlDateTimeFormat::visitChildren):
        (JSC::IntlDateTimeFormat::setBoundFormat):
        (JSC::IntlDateTimeFormatFuncFormatDateTime): Added placeholder implementation returning new Date(value).toString().
        * runtime/IntlDateTimeFormat.h: Added.
        (JSC::IntlDateTimeFormat::constructor):
        (JSC::IntlDateTimeFormat::boundFormat):
        * runtime/IntlDateTimeFormatConstructor.cpp: Added.
        (JSC::IntlDateTimeFormatConstructor::create):
        (JSC::IntlDateTimeFormatConstructor::createStructure):
        (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        (JSC::constructIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
        (JSC::callIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
        (JSC::IntlDateTimeFormatConstructor::getConstructData):
        (JSC::IntlDateTimeFormatConstructor::getCallData):
        (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlDateTimeFormatConstructor::visitChildren):
        * runtime/IntlDateTimeFormatConstructor.h: Added.
        (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure):
        * runtime/IntlDateTimeFormatPrototype.cpp: Added.
        (JSC::IntlDateTimeFormatPrototype::create):
        (JSC::IntlDateTimeFormatPrototype::createStructure):
        (JSC::IntlDateTimeFormatPrototype::IntlDateTimeFormatPrototype):
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot):
        (JSC::IntlDateTimeFormatPrototypeGetterFormat): Added format getter (12.3.3).
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlDateTimeFormatPrototype.h: Added.
        * runtime/IntlNumberFormat.cpp: Added.
        (JSC::IntlNumberFormat::create):
        (JSC::IntlNumberFormat::createStructure):
        (JSC::IntlNumberFormat::IntlNumberFormat):
        (JSC::IntlNumberFormat::finishCreation):
        (JSC::IntlNumberFormat::destroy):
        (JSC::IntlNumberFormat::visitChildren):
        (JSC::IntlNumberFormat::setBoundFormat):
        (JSC::IntlNumberFormatFuncFormatNumber): Added placeholder implementation returning Number(value).toString().
        * runtime/IntlNumberFormat.h: Added.
        (JSC::IntlNumberFormat::constructor):
        (JSC::IntlNumberFormat::boundFormat):
        * runtime/IntlNumberFormatConstructor.cpp: Added.
        (JSC::IntlNumberFormatConstructor::create):
        (JSC::IntlNumberFormatConstructor::createStructure):
        (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
        (JSC::IntlNumberFormatConstructor::finishCreation):
        (JSC::constructIntlNumberFormat): Added NumberFormat constructor (11.1.2).
        (JSC::callIntlNumberFormat): Added NumberFormat constructor (11.1.2).
        (JSC::IntlNumberFormatConstructor::getConstructData):
        (JSC::IntlNumberFormatConstructor::getCallData):
        (JSC::IntlNumberFormatConstructor::getOwnPropertySlot):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlNumberFormatConstructor::visitChildren):
        * runtime/IntlNumberFormatConstructor.h: Added.
        (JSC::IntlNumberFormatConstructor::numberFormatStructure):
        * runtime/IntlNumberFormatPrototype.cpp: Added.
        (JSC::IntlNumberFormatPrototype::create):
        (JSC::IntlNumberFormatPrototype::createStructure):
        (JSC::IntlNumberFormatPrototype::IntlNumberFormatPrototype):
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::IntlNumberFormatPrototype::getOwnPropertySlot):
        (JSC::IntlNumberFormatPrototypeGetterFormat): Added format getter (11.3.3).
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlNumberFormatPrototype.h: Added.
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::create):
        (JSC::IntlObject::finishCreation): Added Collator, NumberFormat, and DateTimeFormat properties (8.1).
        (JSC::IntlObject::visitChildren):
        * runtime/IntlObject.h:
        (JSC::IntlObject::collatorConstructor):
        (JSC::IntlObject::collatorPrototype):
        (JSC::IntlObject::collatorStructure):
        (JSC::IntlObject::numberFormatConstructor):
        (JSC::IntlObject::numberFormatPrototype):
        (JSC::IntlObject::numberFormatStructure):
        (JSC::IntlObject::dateTimeFormatConstructor):
        (JSC::IntlObject::dateTimeFormatPrototype):
        (JSC::IntlObject::dateTimeFormatStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2015-07-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r187550.
        https://bugs.webkit.org/show_bug.cgi?id=147420

        Broke Windows build (again) (Requested by smfr on #webkit).

        Reverted changeset:

        "Implement WebAssembly module parser"
        https://bugs.webkit.org/show_bug.cgi?id=147293
        http://trac.webkit.org/changeset/187550

2015-07-29  Basile Clement  <basile_clement@apple.com>

        Remove native call inlining
        https://bugs.webkit.org/show_bug.cgi?id=147417

        Rubber Stamped by Filip Pizlo.

        * CMakeLists.txt:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction): Deleted.
        (JSC::DFG::Node::hasCellOperand): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNativeCallOrConstruct): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::didOverflowStack): Deleted.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State): Deleted.
        * ftl/FTLState.h:
        * runtime/BundlePath.cpp: Removed.
        (JSC::bundlePath): Deleted.
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/Options.h:

2015-07-29  Basile Clement  <basile_clement@apple.com>

        Unreviewed, skipping a test that is too complex for its own good
        https://bugs.webkit.org/show_bug.cgi?id=147167

        * tests/stress/math-pow-coherency.js:

2015-07-29  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement WebAssembly module parser
        https://bugs.webkit.org/show_bug.cgi?id=147293

        Reviewed by Mark Lam.

        Reupload the patch, since r187539 should fix the "Cannot open include file:
        'JSWASMModule.h'" issue in the Windows build.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::data):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wasmModuleStructure):
        * wasm/WASMMagicNumber.h: Added.
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h: Added.
        * wasm/WASMReader.cpp: Added.
        (JSC::WASMReader::readUnsignedInt32):
        (JSC::WASMReader::readFloat):
        (JSC::WASMReader::readDouble):
        * wasm/WASMReader.h: Added.
        (JSC::WASMReader::WASMReader):

2015-07-29  Basile Clement  <basile_clement@apple.com>

        Unreviewed, lower the number of test iterations to prevent timing out on Debug builds
        https://bugs.webkit.org/show_bug.cgi?id=147167

        * tests/stress/math-pow-coherency.js:

2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Add the "wasm" directory to Visual Studio project files
        https://bugs.webkit.org/show_bug.cgi?id=147400

        Reviewed by Simon Fraser.

        This patch should fix the "Cannot open include file: 'JSWASMModule.h'" issue
        in the Windows build.

        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/copy-files.cmd:

2015-07-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r187531.
        https://bugs.webkit.org/show_bug.cgi?id=147397

        Broke Windows build (Requested by smfr on #webkit).

        Reverted changeset:

        "Implement WebAssembly module parser"
        https://bugs.webkit.org/show_bug.cgi?id=147293
        http://trac.webkit.org/changeset/187531

2015-07-28  Benjamin Poulain  <bpoulain@apple.com>

        Speed up the Stringifier::toJSON() fast case
        https://bugs.webkit.org/show_bug.cgi?id=147383

        Reviewed by Andreas Kling.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::toJSONImpl):

2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement WebAssembly module parser
        https://bugs.webkit.org/show_bug.cgi?id=147293

        Reviewed by Geoffrey Garen.

        Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
        <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
        the magic number at the beginning of the files. Parsing of the rest will be
        implemented in a subsequent patch.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::data):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wasmModuleStructure):
        * wasm/WASMMagicNumber.h: Added.
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h: Added.
        * wasm/WASMReader.cpp: Added.
        (JSC::WASMReader::readUnsignedInt32):
        (JSC::WASMReader::readFloat):
        (JSC::WASMReader::readDouble):
        * wasm/WASMReader.h: Added.
        (JSC::WASMReader::WASMReader):

2015-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Add ENABLE_ES6_MODULES compile time flag with the default value "false"
        https://bugs.webkit.org/show_bug.cgi?id=147350

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2015-07-28  Saam barati  <saambarati1@gmail.com>

        Make the type profiler work with lexical scoping and add tests
        https://bugs.webkit.org/show_bug.cgi?id=145438

        Reviewed by Geoffrey Garen.

        op_profile_type now knows how to resolve variables allocated within
        the local scope stack. This means it knows how to resolve "let"
        and "const" variables. Also, some refactoring was done inside
        the BytecodeGenerator to make writing code to support the type
        profiler much simpler and clearer.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::symbolTable): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addExceptionHandler):
        (JSC::UnlinkedCodeBlock::exceptionHandler):
        (JSC::UnlinkedCodeBlock::vm):
        (JSC::UnlinkedCodeBlock::addArrayProfile):
        (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex): Deleted.
        (JSC::UnlinkedCodeBlock::symbolTableConstantIndex): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::emitProfileControlFlow):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/typeProfiler/es6-block-scoping.js: Added.
        (noop):
        (arr):
        (wrapper.changeFoo):
        (wrapper.scoping):
        (wrapper.scoping2):
        (wrapper):
        * tests/typeProfiler/es6-classes.js: Added.
        (noop):
        (wrapper.Animal):
        (wrapper.Animal.prototype.methodA):
        (wrapper.Dog):
        (wrapper.Dog.prototype.methodB):
        (wrapper):

2015-07-28  Saam barati  <saambarati1@gmail.com>

        Implement catch scope using lexical scoping constructs introduced with "let" scoping patch
        https://bugs.webkit.org/show_bug.cgi?id=146979

        Reviewed by Geoffrey Garen.

        Now that BytecodeGenerator has a notion of local scope depth,
        we can easily implement a catch scope that doesn't claim that
        all variables are dynamically scoped. This means that functions
        that use try/catch can have local variable resolution. This also
        means that all functions that use try/catch don't have all
        their variables marked as being captured.

        Catch scopes now behave like a "let" scope (sans the TDZ logic) with a
        single variable. Catch scopes are now just JSLexicalEnvironments and the
        symbol table backing the catch scope knows that it corresponds to a catch scope.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::isCacheable):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::emitLoadGlobalObject):
        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::popLexicalScope):
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::resolveType):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitPopScope):
        (JSC::BytecodeGenerator::emitPopWithScope):
        (JSC::BytecodeGenerator::emitDebugHook):
        (JSC::BytecodeGenerator::popScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        (JSC::BytecodeGenerator::emitPopCatchScope):
        (JSC::BytecodeGenerator::beginSwitch):
        (JSC::BytecodeGenerator::emitPopWithOrCatchScope): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::lastOpcodeID):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::isCatchScope):
        (JSC::DebuggerScope::isFunctionNameScope):
        (JSC::DebuggerScope::isFunctionOrEvalScope):
        (JSC::DebuggerScope::caughtValue):
        * debugger/DebuggerScope.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_push_name_scope):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_push_name_scope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createContinueStatement):
        (JSC::ASTBuilder::createTryStatement):
        * parser/NodeConstructors.h:
        (JSC::ThrowNode::ThrowNode):
        (JSC::TryNode::TryNode):
        (JSC::FunctionParameters::FunctionParameters):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseTryStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createTryStatement):
        (JSC::SyntaxChecker::createSwitchStatement):
        (JSC::SyntaxChecker::createWhileStatement):
        (JSC::SyntaxChecker::createWithStatement):
        * runtime/JSCatchScope.cpp:
        * runtime/JSCatchScope.h:
        (JSC::JSCatchScope::JSCatchScope): Deleted.
        (JSC::JSCatchScope::create): Deleted.
        (JSC::JSCatchScope::createStructure): Deleted.
        * runtime/JSFunctionNameScope.h:
        (JSC::JSFunctionNameScope::JSFunctionNameScope):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::withScopeStructure):
        (JSC::JSGlobalObject::strictEvalActivationStructure):
        (JSC::JSGlobalObject::activationStructure):
        (JSC::JSGlobalObject::functionNameScopeStructure):
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::catchScopeStructure): Deleted.
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::toThis):
        * runtime/JSNameScope.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::toThis):
        (JSC::JSObject::isFunctionNameScopeObject):
        (JSC::JSObject::isCatchScopeObject): Deleted.
        * runtime/JSObject.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::collectVariablesUnderTDZ):
        (JSC::JSScope::isLexicalScope):
        (JSC::JSScope::isCatchScope):
        (JSC::resolveModeName):
        * runtime/JSScope.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::cloneScopePart):
        * runtime/SymbolTable.h:
        * tests/stress/const-semantics.js:
        (.):

700 2015-07-28  Filip Pizlo  <fpizlo@apple.com>
701
702         DFG::ArgumentsEliminationPhase has a redundant check for inserting CheckInBounds when converting GetByVal to GetStack in the inline non-varargs case
703         https://bugs.webkit.org/show_bug.cgi?id=147373
704
705         Reviewed by Mark Lam.
706
707         The code was doing a check for "index >= inlineCallFrame->arguments.size() - 1" in code where
708         safeToGetStack is true and we aren't in varargs context, but in a non-varargs context,
709         safeToGetStack can only be true if "index < inlineCallFrame->arguments.size() - 1".
710
711         When converting a GetByVal to GetStack, there are three possibilities:
712
713         1) Impossible to convert. This can happen if the GetByVal is out-of-bounds of the things we
714            know to have stored to the stack. For example, if we inline a function that does
715            "arguments[42]" at a call that passes no arguments.
716
717         2) Possible to convert, but we cannot prove statically that the GetByVal was in bounds. This
718            can happen for "arguments[42]" with no inline call frame (since we don't know statically
719            how many arguments we will be passed) or in a varargs call frame.
720
721         3) Possible to convert, and we know statically that the GetByVal is in bounds. This can
722            happen for "arguments[42]" if we have an inline call frame, and it's not a varargs call
723            frame, and we know that the caller passed 42 or more arguments.
724
725         The way the phase handles this is it first determines that we're not in case (1). This is
726         called safeToGetStack. safeToGetStack is true if we have case (2) or (3). For inline call
727         frames that have no varargs, this means that safeToGetStack is true exactly when the GetByVal
728         is in-bounds (i.e. case (3)).
729
730         But the phase was again doing a check for whether the index is in-bounds for non-varargs
731         inline call frames even when safeToGetStack was true. That check is redundant and should be
732         eliminated, since it makes the code confusing.
733
734         * dfg/DFGArgumentsEliminationPhase.cpp:
735
736 2015-07-28  Filip Pizlo  <fpizlo@apple.com>
737
738         DFG::PutStackSinkingPhase should be more aggressive about its "no GetStack until put" rule
739         https://bugs.webkit.org/show_bug.cgi?id=147371
740
741         Reviewed by Mark Lam.
742
743         Two fixes:
744
745         - Make ConflictingFlush really mean that you can't load from the stack slot. This means not
746           using ConflictingFlush for arguments.
747
748         - Assert that a GetStack never sees ConflictingFlush.
749
750         * dfg/DFGPutStackSinkingPhase.cpp:
751
752 2015-07-28  Basile Clement  <basile_clement@apple.com>
753
754         Misleading error message: "At least one digit must occur after a decimal point"
755         https://bugs.webkit.org/show_bug.cgi?id=146238
756
757         Reviewed by Geoffrey Garen.
758
759         Interestingly, we had a comment explaining what this error message was
760         about that is much clearer than the error message itself. This patch
761         simply replaces the error message with the explanation from the
762         comment.
763
764         * parser/Lexer.cpp:
765         (JSC::Lexer<T>::lex):
766
767 2015-07-28  Basile Clement  <basile_clement@apple.com>
768
769         Simplify call linking
770         https://bugs.webkit.org/show_bug.cgi?id=147363
771
772         Reviewed by Filip Pizlo.
773
774         Previously, we were passing both the CallLinkInfo and a
775         (CodeSpecializationKind, RegisterPreservationMode) pair to the
776         different call linking slow paths. However, the CallLinkInfo already
777         has all of that information, and we don't gain anything by having them
778         in additional static parameters - except possibly a very small
779         performance gain in the presence of inlining. However, since those are
780         already slow paths, this performance loss (if it exists) will not be
781         visible in practice.
782
783         This patch replaces the various specialized thunks and JIT operations
784         for regular and polymorphic call linking with a single thunk and
785         operation for each case. Moreover, it replaces the four specialized
786         virtual call thunks and operations with one virtual call thunk for each
787         call link info, allowing for better branch prediction by the CPU and
788         fixing a pre-existing FIXME.
789
790         * bytecode/CallLinkInfo.cpp:
791         (JSC::CallLinkInfo::unlink):
792         (JSC::CallLinkInfo::dummy): Deleted.
793         * bytecode/CallLinkInfo.h:
794         (JSC::CallLinkInfo::CallLinkInfo):
795         (JSC::CallLinkInfo::registerPreservationMode):
796         (JSC::CallLinkInfo::setUpCallFromFTL):
797         (JSC::CallLinkInfo::setSlowStub):
798         (JSC::CallLinkInfo::clearSlowStub):
799         (JSC::CallLinkInfo::slowStub):
800         * dfg/DFGDriver.cpp:
801         (JSC::DFG::compileImpl):
802         * dfg/DFGJITCompiler.cpp:
803         (JSC::DFG::JITCompiler::link):
804         * ftl/FTLJSCallBase.cpp:
805         (JSC::FTL::JSCallBase::link):
806         * jit/JITCall.cpp:
807         (JSC::JIT::compileCallEvalSlowCase):
808         (JSC::JIT::compileOpCall):
809         (JSC::JIT::compileOpCallSlowCase):
810         * jit/JITCall32_64.cpp:
811         (JSC::JIT::compileCallEvalSlowCase):
812         (JSC::JIT::compileOpCall):
813         (JSC::JIT::compileOpCallSlowCase):
814         * jit/JITOperations.cpp:
815         * jit/JITOperations.h:
816         (JSC::operationLinkFor): Deleted.
817         (JSC::operationVirtualFor): Deleted.
818         (JSC::operationLinkPolymorphicCallFor): Deleted.
819         * jit/Repatch.cpp:
820         (JSC::generateByIdStub):
821         (JSC::linkSlowFor):
822         (JSC::linkFor):
823         (JSC::revertCall):
824         (JSC::unlinkFor):
825         (JSC::linkVirtualFor):
826         (JSC::linkPolymorphicCall):
827         * jit/Repatch.h:
828         * jit/ThunkGenerators.cpp:
829         (JSC::linkCallThunkGenerator):
830         (JSC::linkPolymorphicCallThunkGenerator):
831         (JSC::virtualThunkFor):
832         (JSC::linkForThunkGenerator): Deleted.
833         (JSC::linkConstructThunkGenerator): Deleted.
834         (JSC::linkCallThatPreservesRegsThunkGenerator): Deleted.
835         (JSC::linkConstructThatPreservesRegsThunkGenerator): Deleted.
836         (JSC::linkPolymorphicCallForThunkGenerator): Deleted.
837         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator): Deleted.
838         (JSC::virtualForThunkGenerator): Deleted.
839         (JSC::virtualCallThunkGenerator): Deleted.
840         (JSC::virtualConstructThunkGenerator): Deleted.
841         (JSC::virtualCallThatPreservesRegsThunkGenerator): Deleted.
842         (JSC::virtualConstructThatPreservesRegsThunkGenerator): Deleted.
843         * jit/ThunkGenerators.h:
844         (JSC::linkThunkGeneratorFor): Deleted.
845         (JSC::linkPolymorphicCallThunkGeneratorFor): Deleted.
846         (JSC::virtualThunkGeneratorFor): Deleted.
847
848 2015-07-28  Basile Clement  <basile_clement@apple.com>
849
850         stress/math-pow-with-constants.js fails in cloop
851         https://bugs.webkit.org/show_bug.cgi?id=147167
852
853         Reviewed by Geoffrey Garen.
854
855         Baseline JIT, DFG and FTL are using a fast exponentiation fast path
856         when computing Math.pow() with an integer exponent that is not taken in
857         the LLInt (or the DFG abstract interpreter). This leads to the result
858         of pow changing depending on the compilation tier or the fact that
859         constant propagation kicks in, which is undesirable.
860
861         This patch adds the fast path to the slow operationMathPow in order to
862         maintain an illusion of consistency.
863
864         * runtime/MathCommon.cpp:
865         (JSC::operationMathPow):
866         * tests/stress/math-pow-coherency.js: Added.
867         (pow42):
868         (build42AsDouble.opaqueAdd):
869         (build42AsDouble):
870         (powDouble42):
871         (clobber):
872         (pow42NoConstantFolding):
873         (powDouble42NoConstantFolding):
874
875 2015-07-28  Joseph Pecoraro  <pecoraro@apple.com>
876
877         Web Inspector: Show Pseudo Elements in DOM Tree
878         https://bugs.webkit.org/show_bug.cgi?id=139612
879
880         Reviewed by Timothy Hatcher.
881
882         * inspector/protocol/DOM.json:
883         Add new properties to DOMNode if it is a pseudo element or if it has
884         pseudo element children. Add new events for if a pseudo element is
885         added or removed dynamically to an existing DOMNode.
886
887 2015-07-27  Filip Pizlo  <fpizlo@apple.com>
888
889         Add logging when executable code gets deallocated
890         https://bugs.webkit.org/show_bug.cgi?id=147355
891
892         Reviewed by Mark Lam.
893
894         * ftl/FTLJITCode.cpp:
895         (JSC::FTL::JITCode::~JITCode): Print something when this is freed.
896         * jit/JITCode.cpp:
897         (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef): Print something when this is freed.
898
899 2015-07-27  Filip Pizlo  <fpizlo@apple.com>
900
901         DFG::safeToExecute() cases for GetByOffset/PutByOffset don't handle clobbered structure abstract values correctly
902         https://bugs.webkit.org/show_bug.cgi?id=147354
903
904         Reviewed by Michael Saboff.
905
906         If m_structure.isClobbered(), it means that we had a side effect that clobbered
907         the abstract value but it may recover back to its original value at the next
908         invalidation point. Since the invalidation point hasn't been reached yet, we need
909         to conservatively treat the clobbered state as if it was top. At the invalidation
910         point, the clobbered set will return back to being unclobbered.
911
912         In addition to fixing the bug, this introduces isInfinite(), which should be used
913         in places where it's tempting to just use isTop().
914
915         * dfg/DFGSafeToExecute.h:
916         (JSC::DFG::safeToExecute): Fix the bug.
917         * dfg/DFGStructureAbstractValue.cpp:
918         (JSC::DFG::StructureAbstractValue::contains): Switch to using isInfinite().
919         (JSC::DFG::StructureAbstractValue::isSubsetOf): Switch to using isInfinite().
920         (JSC::DFG::StructureAbstractValue::isSupersetOf): Switch to using isInfinite().
921         (JSC::DFG::StructureAbstractValue::overlaps): Switch to using isInfinite().
922         * dfg/DFGStructureAbstractValue.h:
923         (JSC::DFG::StructureAbstractValue::isFinite): New convenience method.
924         (JSC::DFG::StructureAbstractValue::isInfinite): New convenience method.
925         (JSC::DFG::StructureAbstractValue::onlyStructure): Switch to using isInfinite().
926
927 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
928
929         [ES6] Implement Reflect.enumerate
930         https://bugs.webkit.org/show_bug.cgi?id=147347
931
932         Reviewed by Sam Weinig.
933
934         This patch implements Reflect.enumerate.
935         It returns an iterator that iterates over the enumerable keys of the given object.
936         It follows for-in's enumeration order.
937
938         To implement it, we write down the same logic as the for-in enumeration code in C++.
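
        The enumeration order described above, as an added JavaScript model (not JSC code and not the patch's own tests): string keys only, each object's own keys in [[OwnPropertyKeys]] order, then the prototype chain, with every key visited at most once so that a key shadowed by a nearer non-enumerable property is never produced. The helper names and the sample object are constructed for this example.

```javascript
// Added example, not JSC code: a JavaScript model of the for-in enumeration
// order that the entry above says Reflect.enumerate follows.
function* enumerateLikeForIn(target) {
  if (target === null || (typeof target !== 'object' && typeof target !== 'function')) {
    throw new TypeError('Reflect.enumerate requires an object');
  }
  const visited = new Set();
  for (let obj = target; obj !== null; obj = Object.getPrototypeOf(obj)) {
    // Reflect.ownKeys gives integer indices ascending, then insertion order.
    for (const key of Reflect.ownKeys(obj)) {
      if (typeof key !== 'string') continue;   // symbols never appear in for-in
      if (visited.has(key)) continue;          // shadowed by an object nearer the target
      visited.add(key);                        // remembered whether or not it is yielded
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if (desc !== undefined && desc.enumerable) yield key;
    }
  }
}

function enumerateToArray(target) {
  return Array.from(enumerateLikeForIn(target));
}

// Reference: what the engine's own for-in produces for the same object.
function forInToArray(target) {
  const keys = [];
  for (const key in target) keys.push(key);
  return keys;
}

// Constructed sample: indices, insertion-ordered names, a symbol, and a
// prototype whose 'shadowed' key is hidden by a non-enumerable own property.
function sampleObject() {
  const proto = { inherited: 1, shadowed: 2, hidden: 3 };
  const obj = Object.create(proto);
  obj.b = 1;
  obj[10] = 'ten';
  obj.a = 2;
  obj[2] = 'two';
  Object.defineProperty(obj, 'shadowed', { value: 9, enumerable: false });
  obj[Symbol('s')] = 'never enumerated';
  return obj;
}
```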
939
940         * CMakeLists.txt:
941         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
942         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
943         * JavaScriptCore.xcodeproj/project.pbxproj:
944         * runtime/JSGlobalObject.cpp:
945         (JSC::JSGlobalObject::init):
946         (JSC::JSGlobalObject::visitChildren):
947         * runtime/JSGlobalObject.h:
948         (JSC::JSGlobalObject::propertyNameIteratorStructure):
949         * runtime/JSPropertyNameIterator.cpp: Added.
950         (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
951         (JSC::JSPropertyNameIterator::clone):
952         (JSC::JSPropertyNameIterator::create):
953         (JSC::JSPropertyNameIterator::finishCreation):
954         (JSC::JSPropertyNameIterator::visitChildren):
955         (JSC::JSPropertyNameIterator::next):
956         (JSC::propertyNameIteratorFuncNext):
957         * runtime/JSPropertyNameIterator.h: Added.
958         (JSC::JSPropertyNameIterator::createStructure):
959         * runtime/ReflectObject.cpp:
960         (JSC::reflectObjectEnumerate):
961         * tests/stress/reflect-enumerate.js: Added.
962         (shouldBe):
963         (shouldThrow):
964
965 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
966
967         [ES6] Implement Reflect.preventExtensions
968         https://bugs.webkit.org/show_bug.cgi?id=147331
969
970         Reviewed by Sam Weinig.
971
972         Implement Reflect.preventExtensions.
973         This is different from Object.preventExtensions.
974
975         1. When preventExtensions is called on a non-object, it raises a TypeError.
976         2. Reflect.preventExtensions does not raise a TypeError when the preventExtensions operation fails.
977
978         For the (2) case, since there is no Proxy implementation currently, Reflect.preventExtensions always succeeds.
979
980         * runtime/ReflectObject.cpp:
981         (JSC::reflectObjectPreventExtensions):
982         * tests/stress/reflect-prevent-extensions.js: Added.
983         (shouldBe):
984         (shouldThrow):
985
986 2015-07-27  Alex Christensen  <achristensen@webkit.org>
987
988         Use Ninja on Windows.
989         https://bugs.webkit.org/show_bug.cgi?id=147228
990
991         Reviewed by Martin Robinson.
992
993         * CMakeLists.txt:
994         Set the working directory when generating LowLevelInterpreterWin.asm to put LowLevelInterpreterWin.asm.sym in the right place.
995
996 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
997
998         SparseValueMap check is skipped when the butterfly's vectorLength is larger than the access-requested index
999         https://bugs.webkit.org/show_bug.cgi?id=147265
1000
1001         Reviewed by Geoffrey Garen.
1002
1003         JSObject's vector holds the indexed values, and we leverage it to represent both stored values and holes.
1004         By checking that the given index is in bounds of the vector's length, we can look up the property fast.
1005         For sparse arrays, we also have the separate SparseValueMap to hold the pairs.
1006         We need to take care that the length of the vector does not overlap the indices stored in the SparseValueMap.
1007
1008         The vector only holds pure JS values, to avoid additional checking for accessors when looking up a value
1009         from the vector. To achieve this, we also store accessors (and attributed properties) in the SparseValueMap
1010         even when the index is less than MIN_SPARSE_ARRAY_INDEX.
1011
1012         As a result, if the length of the vector overlaps the indices of the accessors stored in the SparseValueMap,
1013         we accidentally skip the phase of looking up from the SparseValueMap. Instead, we just load from the vector, and
1014         if the loaded value is an array hole, we decide the given object does not have a value for the given index.
1015
1016         This patch fixes the problem.
1017         When defining an attributed value whose index is smaller than the length of the vector, we throw away the vector
1018         and change the object to DictionaryIndexingMode. Since we can assume that indexed accessors rarely exist in
1019         practice, we expect this not to hurt performance while keeping the fast property access system without
1020         checking the sparse map.
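
        The observable semantics the fix restores, as an added example (not the patch's tests and not JSC code): an indexed getter defined both before and after plain indexed values cover its index, plus a read-only indexed data property. Engine-internal terms (vector, SparseValueMap) are only referred to in comments; the helper names are constructed for this example.

```javascript
// Added example, not JSC code. From JavaScript we can only observe whether an
// indexed accessor or attributed property keeps winning once dense indexed
// storage (the "vector" in the entry above) covers its index.
function probe(obj, index, calls) {
  const before = calls.count;
  const value = obj[index];                        // must reach the accessor, not a hole
  return {
    value,
    getterInvoked: calls.count === before + 1,
    hasOwn: Object.prototype.hasOwnProperty.call(obj, index),
    inOperator: index in obj,
    listedByKeys: Object.keys(obj).includes(String(index)),
  };
}

function defineIndexedGetter(obj, index, calls) {
  Object.defineProperty(obj, index, {
    get() { calls.count += 1; return 'from getter'; },
    enumerable: true,
    configurable: true,
  });
}

// Plain data values only; in JSC these live in the indexed vector.
function growIndexedStorage(obj, length, skipIndex) {
  for (let i = 0; i < length; i++) {
    if (i !== skipIndex) obj[i] = i;
  }
}

// Getter first, then grow the dense storage past its index.
function defineThenGrow() {
  const calls = { count: 0 };
  const obj = {};
  defineIndexedGetter(obj, 1, calls);
  growIndexedStorage(obj, 64, 1);
  return probe(obj, 1, calls);
}

// Dense storage first, then an accessor at an index it already covers: the
// case the entry describes for putDirectIndexBeyondVectorLength.
function growThenDefine() {
  const calls = { count: 0 };
  const obj = {};
  growIndexedStorage(obj, 64, 1);
  defineIndexedGetter(obj, 1, calls);
  return probe(obj, 1, calls);
}

// Same question for a non-writable data property (an "attributed" value):
// a store to it must be rejected rather than landing in the vector.
function readOnlyIndexSurvivesStore() {
  const obj = {};
  growIndexedStorage(obj, 64, 5);
  Object.defineProperty(obj, 5, { value: 'read-only', writable: false, enumerable: true, configurable: false });
  try {
    obj[5] = 'overwritten?';                     // ignored in sloppy mode
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;      // strict mode throws instead
  }
  return obj[5];
}
```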
1021
1022         * runtime/JSObject.cpp:
1023         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1024         * tests/stress/sparse-map-non-overlapping.js: Added.
1025         (shouldBe):
1026         (testing):
1027         (object.get 1000):
1028         * tests/stress/sparse-map-non-skip-getter-overriding.js: Added.
1029         (shouldBe):
1030         (obj.get 1):
1031         (testing):
1032         * tests/stress/sparse-map-non-skip.js: Added.
1033         (shouldBe):
1034         (testing):
1035         (testing2):
1036         (.get for):
1037
1038 2015-07-27  Saam barati  <saambarati1@gmail.com>
1039
1040         Reduce execution time for "let" and "const" tests
1041         https://bugs.webkit.org/show_bug.cgi?id=147291
1042
1043         Reviewed by Geoffrey Garen.
1044
1045         We don't need to loop so many times for things that will not make it 
1046         into the DFG.  Also, we can loop a lot less for almost all the tests 
1047         because they're mostly testing the bytecode generator.
1048
1049         * tests/stress/const-and-with-statement.js:
1050         * tests/stress/const-exception-handling.js:
1051         * tests/stress/const-loop-semantics.js:
1052         * tests/stress/const-not-strict-mode.js:
1053         * tests/stress/const-semantics.js:
1054         * tests/stress/const-tdz.js:
1055         * tests/stress/lexical-let-and-with-statement.js:
1056         * tests/stress/lexical-let-exception-handling.js:
1057         (assert):
1058         * tests/stress/lexical-let-loop-semantics.js:
1059         (assert):
1060         (shouldThrowTDZ):
1061         (.):
1062         * tests/stress/lexical-let-not-strict-mode.js:
1063         * tests/stress/lexical-let-semantics.js:
1064         (.):
1065         * tests/stress/lexical-let-tdz.js:
1066         (shouldThrowTDZ):
1067         (.):
1068
1069 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1070
1071         Rename PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols
1072         https://bugs.webkit.org/show_bug.cgi?id=147311
1073
1074         Reviewed by Sam Weinig.
1075
1076         To make the meaning clear in the user side (PropertyNameArray array(exec, PropertyNameMode::StringsAndSymbols)),
1077         this patch renames PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols.
1078
1079         * bytecode/ObjectAllocationProfile.h:
1080         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1081         * runtime/EnumerationMode.h:
1082         * runtime/ObjectConstructor.cpp:
1083         (JSC::ownEnumerablePropertyKeys):
1084         (JSC::defineProperties):
1085         (JSC::objectConstructorSeal):
1086         (JSC::objectConstructorFreeze):
1087         (JSC::objectConstructorIsSealed):
1088         (JSC::objectConstructorIsFrozen):
1089         (JSC::ownPropertyKeys):
1090         * runtime/ReflectObject.cpp:
1091         (JSC::reflectObjectOwnKeys):
1092
1093 2015-07-27  Saam barati  <saambarati1@gmail.com>
1094
1095         Added a comment explaining that all "addVar()"s should happen before
1096         emitting bytecode for a function's default parameter expressions
1097
1098         Rubber Stamped by Mark Lam.
1099
1100         * bytecompiler/BytecodeGenerator.cpp:
1101         (JSC::BytecodeGenerator::BytecodeGenerator):
1102
1103 2015-07-26  Sam Weinig  <sam@webkit.org>
1104
1105         Add missing builtin files to the JavaScriptCore Xcode project
1106         https://bugs.webkit.org/show_bug.cgi?id=147312
1107
1108         Reviewed by Darin Adler.
1109
1110         * JavaScriptCore.xcodeproj/project.pbxproj:
1111         Add missing files.
1112
1113 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1114
1115         [ES6] Implement Reflect.isExtensible
1116         https://bugs.webkit.org/show_bug.cgi?id=147308
1117
1118         Reviewed by Sam Weinig.
1119
1120         This patch implements Reflect.isExtensible.
1121         It is similar to Object.isExtensible.
1122         The difference is that it raises an error if the first argument is not an object.
1123
1124         * runtime/ReflectObject.cpp:
1125         (JSC::reflectObjectIsExtensible):
1126         * tests/stress/reflect-is-extensible.js: Added.
1127         (shouldBe):
1128         (shouldThrow):
1129
1130 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1131
1132         Unreviewed, fix the debug build due to touching an undeclared variable in ASSERT
1133         https://bugs.webkit.org/show_bug.cgi?id=147307
1134
1135         * runtime/ObjectConstructor.cpp:
1136         (JSC::ownPropertyKeys):
1137
1138 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1139
1140         [ES6] Implement Reflect.ownKeys
1141         https://bugs.webkit.org/show_bug.cgi?id=147307
1142
1143         Reviewed by Sam Weinig.
1144
1145         This patch implements Reflect.ownKeys.
1146         In this patch, we refactor the existing code that lists the own keys of an object.
1147         Such code is used by Object.getOwnPropertyNames, Object.getOwnPropertyKeys, Object.keys and @ownEnumerableKeys.
1148         We factor out listing the own keys into an ownPropertyKeys function and also use it in Reflect.ownKeys.
1149
1150         * runtime/ObjectConstructor.cpp:
1151         (JSC::objectConstructorGetOwnPropertyNames):
1152         (JSC::objectConstructorGetOwnPropertySymbols):
1153         (JSC::objectConstructorKeys):
1154         (JSC::ownEnumerablePropertyKeys):
1155         (JSC::ownPropertyKeys):
1156         * runtime/ObjectConstructor.h:
1157         * runtime/ReflectObject.cpp:
1158         (JSC::reflectObjectOwnKeys):
1159         * tests/stress/reflect-own-keys.js: Added.
1160         (shouldBe):
1161         (shouldThrow):
1162         (shouldBeArray):
1163
1164 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1165
1166         [ES6] Implement Reflect.apply
1167         https://bugs.webkit.org/show_bug.cgi?id=147306
1168
1169         Reviewed by Sam Weinig.
1170
1171         Implement Reflect.apply.
1172         The large part of this can be implemented by the @apply builtin annotation.
1173         The only thing which differs from Function.prototype.apply is the third parameter:
1174         "argumentsList" needs to be an object.
1175
1176         * builtins/ReflectObject.js:
1177         (apply):
1178         (deleteProperty):
1179         * runtime/ReflectObject.cpp:
1180         * tests/stress/reflect-apply.js: Added.
1181         (shouldBe):
1182         (shouldThrow):
1183         (get shouldThrow):
1184         (.get shouldThrow):
1185         (get var.array.get length):
1186         (get var.array.get 0):
1187         (.get var):
1188         * tests/stress/reflect-delete-property.js:
1189
1190 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1191
1192         [ES6] Add Reflect namespace and add Reflect.deleteProperty
1193         https://bugs.webkit.org/show_bug.cgi?id=147287
1194
1195         Reviewed by Sam Weinig.
1196
1197         This patch just creates the namespace for the ES6 Reflect APIs,
1198         and adds template files to implement the actual code.
1199
1200         So as not to leave the JS generated properties C array empty,
1201         we added one small method, Reflect.deleteProperty, in this patch.
1202
1203         * CMakeLists.txt:
1204         * DerivedSources.make:
1205         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1206         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1207         * JavaScriptCore.xcodeproj/project.pbxproj:
1208         * builtins/ReflectObject.js: Added.
1209         (deleteProperty):
1210         * runtime/CommonIdentifiers.h:
1211         * runtime/JSGlobalObject.cpp:
1212         (JSC::JSGlobalObject::init):
1213         * runtime/ReflectObject.cpp: Added.
1214         (JSC::ReflectObject::ReflectObject):
1215         (JSC::ReflectObject::finishCreation):
1216         (JSC::ReflectObject::getOwnPropertySlot):
1217         * runtime/ReflectObject.h: Added.
1218         (JSC::ReflectObject::create):
1219         (JSC::ReflectObject::createStructure):
1220         * tests/stress/reflect-delete-property.js: Added.
1221         (shouldBe):
1222         (shouldThrow):
1223
1224 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1225
1226         Avoid 2 times name iteration in Object.assign
1227         https://bugs.webkit.org/show_bug.cgi?id=147268
1228
1229         Reviewed by Geoffrey Garen.
1230
1231         Object.assign calls Object.getOwnPropertyNames & Object.getOwnPropertySymbols to collect all the names.
1232         But exposing a private API that collects both at the same time makes the API efficient when the given Object has very many non-indexed properties.
1233         Since Object.assign is such a generic API (some form of utility API), the shape of the given Object cannot be assumed.
1234         So the given object may have very many non-indexed properties.
1235
1236         In this patch, we introduce the `ownEnumerablePropertyKeys` private function.
1237         It is a slightly modified version of `[[OwnPropertyKeys]]` in the ES6 spec:
1238         it only includes enumerable properties.
1239
1240         By filtering out the non-enumerable properties in the exposed private function,
1241         we avoid calling @objectGetOwnPropertyDescriptor for each property at the same time.
1242
1243         * builtins/ObjectConstructor.js:
1244         (assign):
1245         * runtime/CommonIdentifiers.h:
1246         * runtime/EnumerationMode.h:
1247         * runtime/JSGlobalObject.cpp:
1248         (JSC::JSGlobalObject::init):
1249         * runtime/ObjectConstructor.cpp:
1250         (JSC::ownEnumerablePropertyKeys):
1251         * runtime/ObjectConstructor.h:
1252         * tests/stress/object-assign-enumerable.js: Added.
1253         (shouldBe):
1254         * tests/stress/object-assign-order.js: Added.
1255         (shouldBe):
1256
1257 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1258
1259         Remove runtime flags for symbols
1260         https://bugs.webkit.org/show_bug.cgi?id=147246
1261
1262         Reviewed by Alex Christensen.
1263
1264         * runtime/ArrayPrototype.cpp:
1265         (JSC::ArrayPrototype::finishCreation):
1266         * runtime/JSGlobalObject.cpp:
1267         (JSC::JSGlobalObject::init): Deleted.
1268         * runtime/JSGlobalObject.h:
1269         * runtime/ObjectConstructor.cpp:
1270         (JSC::ObjectConstructor::finishCreation):
1271         * runtime/RuntimeFlags.h:
1272
1273 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1274
1275         Object.getOwnPropertySymbols on large list takes very long
1276         https://bugs.webkit.org/show_bug.cgi?id=146137
1277
1278         Reviewed by Mark Lam.
1279
1280         Before this patch, Object.getOwnPropertySymbols collects all the names, including strings.
1281         After that is done, it filters the names to retrieve only the symbols.
1282         But this is very time consuming if the given object is a large non-holed array, since it has
1283         many indexed properties and all the indexes have to be converted to uniqued strings and
1284         added to the collection of property names (though they may not be of the requested type
1285         and will be filtered out later).
1286
1287         This patch introduces PropertyNameMode.
1288         We leverage this mode in 2 places.
1289
1290         1. PropertyNameArray side
1291         It is set on the PropertyNameArray, and it filters the incoming added identifiers based on the mode.
1292         It ensures that the PropertyNameArray doesn't become so large in the pathological case.
1293         And it ensures that keys of a type not expected by the filter (Symbols or Strings) are never added
1294         to the property name array collections.
1295         However it does not solve the whole problem because the huge array still incurs the many
1296         "indexed property to uniqued string" conversion and the large iteration before adding the keys
1297         to the property name array.
1298
1299         2. getOwnPropertyNames side
1300         So we can use the PropertyNameMode in the caller side (getOwnPropertyNames) as a **hint**.
1301         When the large iteration may occur, the caller side can use the PropertyNameMode as a hint to
1302         avoid the iteration.
1303         But we cannot exclusively rely on these caller side checks because it would require that we
1304         exhaustively add the checks to all custom implementations of getOwnPropertyNames as well.
1305         This process requires manual inspection of many pieces of code, and is error prone. Instead,
1306         we only apply the caller side check in a few strategic places where it is known to yield
1307         performance benefits; and we rely on the filter in PropertyNameArray::add() to reject the wrong
1308         types of properties for all other calls to PropertyNameArray::add().
1309
1310         In this patch, there's a concept in use that is not clear just from reading the code, and hence
1311         should be documented here. When selecting the PropertyNameMode for the PropertyNameArray to be
1312         instantiated, we apply the following logic:
1313
1314         1. Only JavaScriptCore code is aware of ES6 Symbols.
1315         We can assume that pre-existing external code that interfaces JSC are only looking for string named properties. This includes:
1316             a. WebCore bindings
1317             b. Serializer bindings
1318             c. NPAPI bindings
1319             d. Objective C bindings
1320         2. In JSC, code that computes object storage space needs to iterate both Symbol and String named properties. Hence, use PropertyNameMode::Both.
1321         3. In JSC, ES6 APIs that work with Symbols should use PropertyNameMode::Symbols.
1322         4. In JSC, ES6 APIs that work with String named properties should use PropertyNameMode::Strings.
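
        The two uses of PropertyNameMode described above, together with the enumerable-only key listing that the Object.assign and Reflect.ownKeys entries earlier in this log describe, as an added JavaScript model (not JSC code): PropertyNameArray filters in add(), the caller-side hint in getOwnPropertyNames skips the index walk when only Symbols are wanted, and ownEnumerablePropertyKeys is the single-pass enumerable variant. ModelObject, the numeric flag values and the indexConversions counter are constructed for this model and do not exist in JSC.

```javascript
// Added example, not JSC code: a model of PropertyNameMode and where it is applied.
const PropertyNameMode = Object.freeze({
  Strings: 1,
  Symbols: 2,
  StringsAndSymbols: 3,   // called PropertyNameMode::Both before the later rename
});

class PropertyNameArray {
  constructor(mode) {
    this.mode = mode;
    this.names = [];
    this.seen = new Set();
  }
  // Models isUidMatchedToTypeMode: does this key's kind match the requested mode?
  matchesMode(key) {
    const wanted = typeof key === 'symbol' ? PropertyNameMode.Symbols : PropertyNameMode.Strings;
    return (this.mode & wanted) !== 0;
  }
  // Caller guarantees the key is not already present; only the mode filter runs.
  addKnownUnique(key) {
    if (!this.matchesMode(key)) return;
    this.seen.add(key);
    this.names.push(key);
  }
  // General entry point: filter by mode and reject duplicates.
  add(key) {
    if (!this.seen.has(key)) this.addKnownUnique(key);
  }
}

// Stand-in for a JSObject: `vector` holds indexed values (undefined = hole) and
// `named` holds string/symbol properties in insertion order with an enumerable flag.
class ModelObject {
  constructor(vector, named) {
    this.vector = vector;
    this.named = new Map();
    for (const [key, value, enumerable = true] of named) {
      this.named.set(key, { value, enumerable });
    }
  }
  // Returns how many index-to-string conversions the walk performed, so the
  // effect of the caller-side hint is measurable.
  getOwnPropertyNames(array, includeNonEnumerable) {
    let indexConversions = 0;
    // Caller-side hint: indices are never Symbols, so a Symbols-only request
    // can skip the (potentially huge) indexed storage entirely.
    if ((array.mode & PropertyNameMode.Strings) !== 0) {
      this.vector.forEach((value, index) => {
        if (value === undefined) return;         // hole
        indexConversions += 1;
        array.addKnownUnique(String(index));
      });
    }
    for (const [key, { enumerable }] of this.named) {
      if (enumerable || includeNonEnumerable) array.add(key);  // add() applies the mode filter
    }
    return indexConversions;
  }
}

// Models the ownPropertyKeys helper; Reflect.ownKeys is the StringsAndSymbols case.
function ownPropertyKeys(object, mode, enumerableOnly = false) {
  const array = new PropertyNameArray(mode);
  const indexConversions = object.getOwnPropertyNames(array, !enumerableOnly);
  return { keys: array.names, indexConversions };
}

// Models @ownEnumerablePropertyKeys: both key kinds, enumerable only, one pass,
// so an Object.assign implementation needs no per-key descriptor lookups.
function ownEnumerablePropertyKeys(object) {
  return ownPropertyKeys(object, PropertyNameMode.StringsAndSymbols, true);
}
```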
1323
1324         * API/JSObjectRef.cpp:
1325         (JSObjectCopyPropertyNames):
1326         * bindings/ScriptValue.cpp:
1327         (Deprecated::jsToInspectorValue):
1328         * bytecode/ObjectAllocationProfile.h:
1329         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1330         * runtime/EnumerationMode.h:
1331         (JSC::EnumerationMode::EnumerationMode):
1332         (JSC::EnumerationMode::includeSymbolProperties): Deleted.
1333         * runtime/GenericArgumentsInlines.h:
1334         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1335         * runtime/JSGenericTypedArrayViewInlines.h:
1336         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
1337         * runtime/JSLexicalEnvironment.cpp:
1338         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1339         * runtime/JSONObject.cpp:
1340         (JSC::Stringifier::Stringifier):
1341         (JSC::Stringifier::Holder::appendNextProperty):
1342         (JSC::Walker::walk):
1343         * runtime/JSObject.cpp:
1344         (JSC::JSObject::getOwnPropertyNames):
1345         * runtime/JSPropertyNameEnumerator.cpp:
1346         (JSC::JSPropertyNameEnumerator::create):
1347         * runtime/JSPropertyNameEnumerator.h:
1348         (JSC::propertyNameEnumerator):
1349         * runtime/JSSymbolTableObject.cpp:
1350         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1351         * runtime/ObjectConstructor.cpp:
1352         (JSC::objectConstructorGetOwnPropertyNames):
1353         (JSC::objectConstructorGetOwnPropertySymbols):
1354         (JSC::objectConstructorKeys):
1355         (JSC::defineProperties):
1356         (JSC::objectConstructorSeal):
1357         (JSC::objectConstructorFreeze):
1358         (JSC::objectConstructorIsSealed):
1359         (JSC::objectConstructorIsFrozen):
1360         * runtime/PropertyNameArray.h:
1361         (JSC::PropertyNameArray::PropertyNameArray):
1362         (JSC::PropertyNameArray::mode):
1363         (JSC::PropertyNameArray::addKnownUnique):
1364         (JSC::PropertyNameArray::add):
1365         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
1366         (JSC::PropertyNameArray::includeSymbolProperties):
1367         (JSC::PropertyNameArray::includeStringProperties):
1368         * runtime/StringObject.cpp:
1369         (JSC::StringObject::getOwnPropertyNames):
1370         * runtime/Structure.cpp:
1371         (JSC::Structure::getPropertyNamesFromStructure):
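
The four-rule PropertyNameMode logic above, checked from plain JS against the ES6 APIs this patch touches. This is an added example, not code from the patch or its tests; the object, key names and helper functions are constructed for the demonstration.

```javascript
// Added example (not JSC's own code): the ES6 APIs touched by this patch,
// grouped by the PropertyNameMode they need.
const hidden = Symbol("hidden");

// Constructed sample: an enumerable string key, a non-enumerable string key
// and a Symbol key.
function makeSample() {
  const o = { visible: 1, [hidden]: 2 };
  Object.defineProperty(o, "nonEnum",
    { value: 3, enumerable: false, writable: true, configurable: true });
  return o;
}

// PropertyNameMode::Strings: Object.keys (enumerable only) and
// Object.getOwnPropertyNames never report Symbol-keyed properties.
function stringNamedKeys(o) {
  return { keys: Object.keys(o), names: Object.getOwnPropertyNames(o) };
}

// PropertyNameMode::Symbols: Object.getOwnPropertySymbols reports only Symbols.
function symbolNamedKeys(o) {
  return Object.getOwnPropertySymbols(o);
}

// PropertyNameMode::Both: Reflect.ownKeys lists strings first, then Symbols,
// which is what code sizing an object's property storage has to count.
function allOwnKeys(o) {
  return Reflect.ownKeys(o);
}

// JSON's Stringifier walks string-named properties only, so the Symbol-keyed
// value never reaches the output.
function serialize(o) {
  return JSON.stringify(o);
}

// freeze/isFrozen must cover both kinds: a Symbol-keyed property left
// writable would make isFrozen() report false.
function freezeCoversSymbols(o) {
  Object.freeze(o);
  const d = Object.getOwnPropertyDescriptor(o, hidden);
  return Object.isFrozen(o) && d.writable === false && d.configurable === false;
}
```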
1372
1373 2015-07-24  Saam barati  <saambarati1@gmail.com>
1374
1375         [ES6] Add support for default parameters
1376         https://bugs.webkit.org/show_bug.cgi?id=38409
1377
1378         Reviewed by Filip Pizlo.
1379
1380         This patch implements ES6 default parameters according to the ES6
1381         specification. This patch builds off the components introduced with 
1382         "let" scoping and parsing function parameters in the same parser
1383         arena as the function itself. "let" scoping allows functions with default 
1384         parameter values to place their parameters under the TDZ. Parsing function
1385         parameters in the same parser arena allows the FunctionParameters AST node
1386         to refer to ExpressionNodes.
1387
1388         The most subtle part of this patch is how we allocate lexical environments
1389         when functions have default parameter values. If a function has default
1390         parameter values then there must be a separate lexical environment for
1391         its parameters. Then, the function's "var" lexical environment must have
1392         the parameter lexical environment as its parent. The BytecodeGenerator
1393         takes great care to not allocate the "var" lexical environment before it's
1394         really needed.
1395
1396         The "arguments" object for a function with default parameters will never be 
1397         a mapped arguments object. It will always be a cloned arguments object.
1398
1399         * bytecompiler/BytecodeGenerator.cpp:
1400         (JSC::BytecodeGenerator::generate):
1401         (JSC::BytecodeGenerator::BytecodeGenerator):
1402         (JSC::BytecodeGenerator::~BytecodeGenerator):
1403         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1404         (JSC::BytecodeGenerator::initializeNextParameter):
1405         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
1406         (JSC::BytecodeGenerator::visibleNameForParameter):
1407         (JSC::BytecodeGenerator::emitLoadGlobalObject):
1408         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1409         (JSC::BytecodeGenerator::pushLexicalScope):
1410         (JSC::BytecodeGenerator::popLexicalScope):
1411         * bytecompiler/BytecodeGenerator.h:
1412         (JSC::BytecodeGenerator::lastOpcodeID):
1413         * bytecompiler/NodesCodegen.cpp:
1414         (JSC::FunctionNode::emitBytecode):
1415         * jit/JITOperations.cpp:
1416         * parser/ASTBuilder.h:
1417         (JSC::ASTBuilder::createElementList):
1418         (JSC::ASTBuilder::createFormalParameterList):
1419         (JSC::ASTBuilder::appendParameter):
1420         (JSC::ASTBuilder::createClause):
1421         (JSC::ASTBuilder::createClauseList):
1422         * parser/Nodes.h:
1423         (JSC::FunctionParameters::size):
1424         (JSC::FunctionParameters::at):
1425         (JSC::FunctionParameters::hasDefaultParameterValues):
1426         (JSC::FunctionParameters::append):
1427         * parser/Parser.cpp:
1428         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1429         (JSC::Parser<LexerType>::createBindingPattern):
1430         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1431         (JSC::Parser<LexerType>::parseDestructuringPattern):
1432         (JSC::Parser<LexerType>::parseFormalParameters):
1433         (JSC::Parser<LexerType>::parseFunctionParameters):
1434         * parser/Parser.h:
1435         (JSC::Scope::declareParameter):
1436         * parser/SyntaxChecker.h:
1437         (JSC::SyntaxChecker::createElementList):
1438         (JSC::SyntaxChecker::createFormalParameterList):
1439         (JSC::SyntaxChecker::appendParameter):
1440         (JSC::SyntaxChecker::createClause):
1441         (JSC::SyntaxChecker::createClauseList):
1442         * tests/stress/es6-default-parameters.js: Added.
1443         (assert):
1444         (shouldThrow):
1445         (shouldThrowSyntaxError):
1446         (shouldThrowTDZ):
1447         (basic):
1448         (basicFunctionCaptureInDefault.basicFunctionCaptureInDefault.basicCaptured):
1449         (basicCaptured.basicCaptured.tricky):
1450         (strict):
1451         (playground):
1452         (scoping):
1453         (augmentsArguments1):
1454         (augmentsArguments2):
1455         (augmentsArguments3):
1456         (augmentsArguments4):
1457         (augmentsArguments5):
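
The three scoping effects described in this entry (parameter TDZ, a separate parameter environment parenting the "var" environment, and a cloned rather than mapped arguments object), observed from plain JS. This is an added example, not the patch's own test file; all function names are constructed.

```javascript
// Added example (not the patch's own test file): the three observable effects
// of the default-parameter scoping described above.

// 1. Parameters are initialised left to right and sit in a TDZ until then:
//    `a`'s default reads `b` before `b` exists.
function readsLaterParameter(a = b, b) {
  return [a, b];
}

function tdzOutcome() {
  try {
    readsLaterParameter(undefined, 1);   // forces the default for `a`
    return "no error";
  } catch (e) {
    return e instanceof ReferenceError ? "ReferenceError" : "other error";
  }
}

// 2. Defaults get their own lexical environment, the parent of the body's
//    "var" environment. A closure created in a default captures the parameter
//    binding, not the `var a` declared in the body.
function separateParameterScope(a, readA = () => a) {
  var a = "body";          // a distinct binding in the var environment
  return readA();          // still sees the parameter value
}

// 3. With default values, `arguments` is a cloned (unmapped) object:
//    writing the parameter does not write through to arguments[0].
function unmappedArguments(a = 0) {
  a = 42;
  return { first: arguments[0], count: arguments.length };
}
```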
1458
1459 2015-07-24  Xabier Rodriguez Calvar  <calvaris@igalia.com>
1460
1461         Remove JS Promise constructor unused piece of code
1462         https://bugs.webkit.org/show_bug.cgi?id=147262
1463
1464         Reviewed by Geoffrey Garen.
1465
1466         * runtime/JSPromiseConstructor.cpp:
1467         (JSC::constructPromise): Deleted.
1468         * runtime/JSPromiseConstructor.h: Removed JSC::constructPromise.
1469
1470 2015-07-24  Mark Lam  <mark.lam@apple.com>
1471
1472         Add WASM files to vcxproj files.
1473         https://bugs.webkit.org/show_bug.cgi?id=147264
1474
1475         Reviewed by Geoffrey Garen.
1476
1477         This is a follow up to http://trac.webkit.org/changeset/187254 where WASM files
1478         were introduced but were not able to be added to the vcxproj files yet.
1479
1480         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1481         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1482
1483 2015-07-23  Filip Pizlo  <fpizlo@apple.com>
1484
1485         DFG::safeToExecute() is wrong for MultiGetByOffset, doesn't consider the structures of the prototypes that get loaded from
1486         https://bugs.webkit.org/show_bug.cgi?id=147250
1487
1488         Reviewed by Geoffrey Garen.
1489         
1490         This fixes a nasty - but currently benign - bug in DFG::safeToExecute(). That function
1491         will tell you if hoisting a node to some point is safe in the sense that the node will
1492         not crash the VM if it executes at that point. A node may be unsafe to execute if we
1493         cannot prove that at that point, the memory it is loading is not garbage. This is a
1494         necessarily loose notion - for example it's OK to hoist a load if we haven't proved
1495         that the load makes semantic sense at that point, since anyway the place where the node
1496         did get used will still be guarded by any such semantic checks. But because we may also
1497         hoist uses of the load, we need to make sure that it doesn't produce a garbage value.
1498         Also, we need to ensure that the load won't trap. Hence safeToExecute() returns true
1499         anytime we can be sure that a node will not produce a garbage result (i.e. a malformed
1500         JSValue or object pointer) and will not trap when executed at the point in question.
1501         
1502         The bug is that this verification isn't performed for the loads from prototypes inside
1503         MultiGetByOffset. DFG::ByteCodeParser will guard MultiGetByOffset with CheckStructure's
1504         on the prototypes. So, hypothetically, you might end up hoisting a MultiGetByOffset
1505         above those structure checks, which would mean that we might load a value from a memory
1506         location without knowing that the location is valid. It might then return the value
1507         loaded.
1508         
1509         This never happens in practice. Those structure checks are more hoistable than the
1510         MultiGetByOffset, since they read a strict subset of the MultiGetByOffset's abstract
1511         heap reads. Also, we hoist in program order. So, those CheckStructure's will always be
1512         hoisted before the MultiGetByOffset gets hoisted.
1513         
1514         But we should fix this anyway. DFG::safeToExecute() has a clear definition of what a
1515         "true" return means for IR transformations, and it fails in satisfying that definition
1516         for MultiGetByOffset.
1517         
1518         There are various approaches we can use for making this safe. I considered two:
1519         
1520         1) Have MultiGetByOffset refer to the prototypes it is loading from in IR, so that we
1521            can check if it's safe to load from them.
1522         
1523         2) Turn off MultiGetByOffset hoisting when it will emit loads from prototypes, and the
1524            prototype structure isn't being watched.
1525         
1526         I ended up using (2), because it will be the most natural solution once I finish
1527         https://bugs.webkit.org/show_bug.cgi?id=146929. Already now, it's somewhat more natural
1528         than (1) since that requires more extensive IR changes. Also, (2) will give us what we
1529         want in *most* cases: we will usually watch the prototype structure, and we will
1530         usually constant-fold loads from prototypes. Both of these usually-true things would
1531         have to become false for MultiGetByOffset hoisting to be disabled by this change.
1532         
1533         This change also adds my attempt at a test, though it's not really a test of this bug.
1534         This bug is currently benign. But, the test does at least trigger the logic to run,
1535         which is better than nothing.
1536
1537         * dfg/DFGSafeToExecute.h:
1538         (JSC::DFG::safeToExecute):
1539         * tests/stress/multi-get-by-offset-hoist-around-structure-check.js: Added.
1540         (foo):
1541
1542 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1543
1544         Implement WebAssembly modules
1545         https://bugs.webkit.org/show_bug.cgi?id=147222
1546
1547         Reviewed by Filip Pizlo.
1548
1549         Make JSWASMModule inherit from JSDestructibleObject so that the destructor is called.
1550
1551         * wasm/JSWASMModule.h:
1552
1553 2015-07-23  Alex Christensen  <achristensen@webkit.org>
1554
1555         Remove compile and runtime flags for promises.
1556         https://bugs.webkit.org/show_bug.cgi?id=147244
1557
1558         Reviewed by Yusuke Suzuki.
1559
1560         * API/JSCallbackObjectFunctions.h:
1561         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
1562         * API/JSContextRef.cpp:
1563         (JSGlobalContextCreateInGroup):
1564         * Configurations/FeatureDefines.xcconfig:
1565         * inspector/JSInjectedScriptHost.cpp:
1566         (Inspector::JSInjectedScriptHost::getInternalProperties):
1567         * runtime/JSGlobalObject.cpp:
1568         (JSC::JSGlobalObject::init):
1569         (JSC::JSGlobalObject::visitChildren):
1570         * runtime/JSGlobalObject.h:
1571         (JSC::JSGlobalObject::create):
1572         (JSC::JSGlobalObject::syntaxErrorConstructor):
1573         (JSC::JSGlobalObject::typeErrorConstructor):
1574         (JSC::JSGlobalObject::URIErrorConstructor):
1575         (JSC::JSGlobalObject::promiseConstructor):
1576         (JSC::JSGlobalObject::nullGetterFunction):
1577         (JSC::JSGlobalObject::nullSetterFunction):
1578         (JSC::JSGlobalObject::applyFunction):
1579         (JSC::JSGlobalObject::definePropertyFunction):
1580         (JSC::JSGlobalObject::arrayProtoValuesFunction):
1581         (JSC::JSGlobalObject::initializePromiseFunction):
1582         (JSC::JSGlobalObject::newPromiseDeferredFunction):
1583         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
1584         (JSC::JSGlobalObject::regExpPrototype):
1585         (JSC::JSGlobalObject::errorPrototype):
1586         (JSC::JSGlobalObject::iteratorPrototype):
1587         (JSC::JSGlobalObject::promisePrototype):
1588         (JSC::JSGlobalObject::debuggerScopeStructure):
1589         (JSC::JSGlobalObject::withScopeStructure):
1590         (JSC::JSGlobalObject::iteratorResultStructure):
1591         (JSC::JSGlobalObject::iteratorResultStructureOffset):
1592         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
1593         (JSC::JSGlobalObject::promiseStructure):
1594         * runtime/JSPromise.cpp:
1595         (JSC::JSPromise::result):
1596         * runtime/JSPromise.h:
1597         * runtime/JSPromiseConstructor.cpp:
1598         (JSC::constructPromise):
1599         * runtime/JSPromiseConstructor.h:
1600         * runtime/JSPromiseDeferred.cpp:
1601         (JSC::JSPromiseDeferred::visitChildren):
1602         * runtime/JSPromiseDeferred.h:
1603         * runtime/JSPromisePrototype.cpp:
1604         (JSC::JSPromisePrototype::getOwnPropertySlot):
1605         * runtime/JSPromisePrototype.h:
1606         * runtime/RuntimeFlags.h:
1607         * runtime/VM.cpp:
1608         (JSC::VM::VM):
1609         * runtime/VM.h:
1610
1611 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1612
1613         Implement WebAssembly modules
1614         https://bugs.webkit.org/show_bug.cgi?id=147222
1615
1616         Reviewed by Mark Lam.
1617
1618         Introducing the boilerplate data structure for the WebAssembly module.
1619         WebAssembly functionality will be added in a subsequent patch.
1620
1621         * CMakeLists.txt:
1622         * JavaScriptCore.xcodeproj/project.pbxproj:
1623         * wasm/JSWASMModule.cpp: Added.
1624         (JSC::JSWASMModule::visitChildren):
1625         * wasm/JSWASMModule.h: Added.
1626         (JSC::JSWASMModule::create):
1627         (JSC::JSWASMModule::createStructure):
1628         (JSC::JSWASMModule::JSWASMModule):
1629
1630 2015-07-23  Devin Rousso  <drousso@apple.com>
1631
1632         Web Inspector: Add a function to CSSCompletions to get a list of supported system fonts
1633         https://bugs.webkit.org/show_bug.cgi?id=147009
1634
1635         Reviewed by Joseph Pecoraro.
1636
1637         * inspector/protocol/CSS.json: Added getSupportedSystemFontFamilyNames function.
1638
1639 2015-07-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1640
1641         Add ENABLE_WEBASSEMBLY feature flag for WebAssembly
1642         https://bugs.webkit.org/show_bug.cgi?id=147212
1643
1644         Reviewed by Filip Pizlo.
1645
1646         * Configurations/FeatureDefines.xcconfig:
1647
1648 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
1649
1650         Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time
1651         https://bugs.webkit.org/show_bug.cgi?id=147218
1652
1653         Reviewed by Sam Weinig.
1654         
1655         I want to be able to take a UniquedStringImpl* and turn it into an identifierNumber at
1656         various points in my work on https://bugs.webkit.org/show_bug.cgi?id=146929. Currently,
1657         most Nodes that deal with identifiers use identifierNumbers and you can only create an
1658         identifierNumber in BytecodeGenerator. DFG::ByteCodeParser does sort of have the
1659         ability to create new identifierNumbers when inlining - it takes the inlined code's
1660         identifiers and either gives them new numbers or reuses numbers from the enclosing
1661         code.
1662         
1663         This patch takes that basic functionality and puts it in
1664         DFG::DesiredIdentifiers::ensure(). Anyone can call this at any time to turn a
1665         UniquedStringImpl* into an identifierNumber. This data structure is already used by
1666         Plan to properly install any newly created identifier table entries into the CodeBlock.
1667
1668         * dfg/DFGByteCodeParser.cpp:
1669         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1670         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
1671         (JSC::DFG::ByteCodeParser::linkBlocks):
1672         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1673         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): Deleted.
1674         * dfg/DFGDesiredIdentifiers.cpp:
1675         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
1676         (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
1677         (JSC::DFG::DesiredIdentifiers::ensure):
1678         (JSC::DFG::DesiredIdentifiers::at):
1679         (JSC::DFG::DesiredIdentifiers::addLazily): Deleted.
1680         * dfg/DFGDesiredIdentifiers.h:
1681
1682 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
1683
1684         Simplify things like CompareEq(@x,@x)
1685         https://bugs.webkit.org/show_bug.cgi?id=145850
1686
1687         Reviewed by Sam Weinig.
1688         
1689         This simplifies x==x to true, except in cases where x might be a double (in which case this
1690         might still be false if x is NaN).
1691
1692         * dfg/DFGAbstractInterpreterInlines.h:
1693         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1694         * tests/stress/nan-equal-untyped.js: Added.
1695         (foo):
1696         (test):
1697         * tests/stress/nan-equal.js: Added.
1698         (foo):
1699
1700 2015-07-22  Joseph Pecoraro  <pecoraro@apple.com>
1701
1702         Web Inspector: Timeline should immediately start moving play head when starting a new recording
1703         https://bugs.webkit.org/show_bug.cgi?id=147210
1704
1705         Reviewed by Timothy Hatcher.
1706
1707         * inspector/protocol/Timeline.json:
1708         Add timestamps to recordingStarted and recordingStopped events.
1709
1710 2015-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1711
1712         Introducing construct ability into JS executables
1713         https://bugs.webkit.org/show_bug.cgi?id=147183
1714
1715         Reviewed by Geoffrey Garen.
1716
1717         Decouple the construct ability from the builtin functions.
1718         Currently, all builtin functions are not constructors after r182995.
1719         In that patch, when the given function is a builtin JS function, we recognize it as a non-constructor function.
1720
1721         But, we need to relax it to implement some constructors in builtin JS.
1722         By decoupling the construct ability from whether the function is builtin or not, we can provide
1723
1724         1. constructors written in builtin JS
1725         2. non-constructors in normal JS functions
1726
1727         (1) is needed for Promise constructor.
1728         And (2) is needed for method functions and arrow functions.
1729
1730         This patch introduces ConstructAbility into the unlinked function executables.
1731         It holds whether the given JS function has the construct ability or not.
1732         By leveraging this, this patch disables the construct ability of the method definitions, setters, getters and arrow functions.
1733
1734         And at the same time, this patch introduces the annotation for constructor in builtin JS.
1735         We can define the function as follows,
1736
1737             constructor Promise(executor)
1738             {
1739                 ...
1740             }
1741
1742         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1743         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1744         * JavaScriptCore.xcodeproj/project.pbxproj:
1745         * builtins/BuiltinExecutables.cpp:
1746         (JSC::BuiltinExecutables::createDefaultConstructor):
1747         (JSC::BuiltinExecutables::createExecutableInternal):
1748         * builtins/BuiltinExecutables.h:
1749         * builtins/Iterator.prototype.js:
1750         (symbolIterator):
1751         (SymbolIterator): Deleted.
1752         * bytecode/UnlinkedCodeBlock.cpp:
1753         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1754         * bytecode/UnlinkedCodeBlock.h:
1755         * bytecompiler/BytecodeGenerator.h:
1756         (JSC::BytecodeGenerator::makeFunction):
1757         * generate-js-builtins:
1758         (getCopyright):
1759         (Function):
1760         (Function.__init__):
1761         (Function.mangleName):
1762         (getFunctions):
1763         (mangleName): Deleted.
1764         * jit/JITOperations.cpp:
1765         * llint/LLIntSlowPaths.cpp:
1766         (JSC::LLInt::setUpCall):
1767         * parser/Parser.cpp:
1768         (JSC::Parser<LexerType>::parseClass):
1769         * runtime/CodeCache.cpp:
1770         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1771         * runtime/CommonIdentifiers.h:
1772         * runtime/ConstructAbility.h: Copied from Source/JavaScriptCore/builtins/Iterator.prototype.js.
1773         * runtime/Executable.h:
1774         * runtime/JSFunction.cpp:
1775         (JSC::JSFunction::getConstructData):
1776         * runtime/JSGlobalObject.cpp:
1777         (JSC::JSGlobalObject::init):
1778         * tests/stress/non-constructors.js: Added.
1779         (shouldThrow):
1780         (.prototype.method):
1781         (.prototype.get getter):
1782         (.prototype.set setter):
1783         (.method):
1784         (.get shouldThrow):
1785         (.set shouldThrow):
1786         (set var.test.get getter):
1787         (set var.test.set setter):
1788         (set var.test.normal):
1789         (.set var):
1790         (.set new):
1791
1792 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
1793
1794         [JSC] Enable exception fuzzing for GCC too
1795         https://bugs.webkit.org/show_bug.cgi?id=146831
1796
1797         Reviewed by Darin Adler.
1798
1799         * jit/JITOperations.cpp:
1800
1801 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
1802
1803         Fixed pool allocation should always be aligned
1804         https://bugs.webkit.org/show_bug.cgi?id=147201
1805
1806         Reviewed by Simon Fraser.
1807         
1808         Passing an unaligned size to the allocator can cause asserts or even worse things. The
1809         Options reservation value isn't going to be aligned.
1810
1811         * jit/ExecutableAllocatorFixedVMPool.cpp:
1812         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1813
1814 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
1815
1816         Enable STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE for GCC
1817         https://bugs.webkit.org/show_bug.cgi?id=146829
1818
1819         Reviewed by Brent Fulgham.
1820
1821         * heap/GCAssertions.h:
1822
1823 2015-07-22  Alex Christensen  <achristensen@webkit.org>
1824
1825         Fix quirks in CMake build on Mac and Windows
1826         https://bugs.webkit.org/show_bug.cgi?id=147174
1827
1828         Reviewed by Gyuyoung Kim.
1829
1830         * PlatformMac.cmake:
1831         Add JSRemoteInspector.cpp and remove semicolon from command to make it actually run.
1832
1833 2015-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1834
1835         Add newTarget accessor to JS constructor written in C++
1836         https://bugs.webkit.org/show_bug.cgi?id=147160
1837
1838         Reviewed by Geoffrey Garen.
1839
1840         This patch adds `ExecState#newTarget()` which returns `new.target` defined in ECMA262 6th.
1841         It enables some C++ constructors (like Intl.XXX constructors) to leverage this to complete
1842         their implementation.
1843
1844         When the constructor is called, |this| in the arguments is used for storing new.target instead.
1845         So by adding the accessor for |this|, JS constructor written in C++ can access new.target.
1846
1847         And at the same time, this patch extends the existing `construct` to accept new.target value.
1848         It corresponds to the spec's Construct abstract operation.
1849
1850         * interpreter/CallFrame.h:
1851         (JSC::ExecState::newTarget):
1852         * interpreter/Interpreter.cpp:
1853         (JSC::Interpreter::executeConstruct):
1854         * interpreter/Interpreter.h:
1855         * runtime/ConstructData.cpp:
1856         (JSC::construct):
1857         * runtime/ConstructData.h:
1858         (JSC::construct):
1859
1860 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
1861
1862         Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner.
1863
1864         * jsc.cpp:
1865         (main):
1866
1867 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
1868
1869         Fixed VM pool allocation should have a reserve for allocations that cannot fail
1870         https://bugs.webkit.org/show_bug.cgi?id=147154
1871         rdar://problem/21847618
1872
1873         Reviewed by Geoffrey Garen.
1874         
1875         This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of
1876         the JIT pool is reserved for allocations that cannot fail. It makes sense to make this
1877         a fraction rather than a constant because each allocation that can fail may cause some
1878         number of allocations that cannot fail (for example, the OSR exit thunks that we
1879         compile when we exit from some CodeBlock cannot fail).
1880         
1881         I've tested this by adding a test mode where we artificially limit the JIT pool size.
1882         Prior to the fix, we had >20 failures. Now we have none.
1883
1884         * heap/GCLogging.cpp:
1885         (WTF::printInternal): I needed a dump method on Options members when debugging this.
1886         * heap/GCLogging.h:
1887         * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close.
1888         * jit/ExecutableAllocatorFixedVMPool.cpp:
1889         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing.
1890         (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics.
1891         (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things.
1892         * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool.
1893         (main):
1894         (CommandLine::parseArguments):
1895         (jscmain):
1896         * runtime/Options.cpp: 
1897         (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this.
1898         (JSC::Options::initialize): This can now be called more than once.
1899         * runtime/Options.h:
1900
1901 2015-07-21  Saam barati  <saambarati1@gmail.com>
1902
1903         ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier"
1904         https://bugs.webkit.org/show_bug.cgi?id=147156
1905
1906         Reviewed by Andreas Kling.
1907
1908         * parser/Nodes.h:
1909
1910 2015-07-21  Basile Clement  <basile_clement@apple.com>
1911
1912         Object allocation sinking phase is performing needless HashMap copies
1913         https://bugs.webkit.org/show_bug.cgi?id=147159
1914
1915         Reviewed by Geoffrey Garen.
1916
1917         The points-to analyzer in the object allocation sinking phase is
1918         currently performing copies of its allocation and pointers tables in
1919         several places. While this is not a huge problem since those tables are
1920         usually small and we are in the FTL path anyway, we still shouldn't be
1921         doing such useless copying.
1922
1923         This patch also removes the DFGInsertOSRHintsForUpdate files that are
1924         no longer needed with the new object sinking phase and should have been
1925         removed in r186795.
1926
1927         * CMakeLists.txt:
1928         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1929         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1930         * JavaScriptCore.xcodeproj/project.pbxproj:
1931         * dfg/DFGInsertOSRHintsForUpdate.cpp: Removed.
1932         (JSC::DFG::insertOSRHintsForUpdate): Deleted.
1933         * dfg/DFGInsertOSRHintsForUpdate.h: Removed.
1934         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1935
1936 2015-07-21  Saam barati  <saambarati1@gmail.com>
1937
1938         DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable
1939         https://bugs.webkit.org/show_bug.cgi?id=147140
1940
1941         Reviewed by Geoffrey Garen.
1942
1943         The descendants of DestructuringPatternNode that need destruction also
1944         inherit from ParserArenaDeletable.
1945
1946         * parser/Nodes.h:
1947         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
1948         (JSC::ObjectPatternNode::appendEntry):
1949         (JSC::DestructuringAssignmentNode::bindings):
1950
1951 2015-07-21  Keith Miller  <keith_miller@apple.com>
1952
1953         Add support for the new.target syntax.
1954         https://bugs.webkit.org/show_bug.cgi?id=147051
1955
1956         Reviewed by Yusuke Suzuki.
1957
1958         Add support for new.target. Essentially the implementation is, before constructor calls,
1959         the target of a "new" is placed where "this" normally goes in the calling convention.
1960         Then in the constructor before the object is initialized we move the target of the "new"
1961         into a local variable.
1962
1963         * bytecompiler/BytecodeGenerator.cpp:
1964         (JSC::BytecodeGenerator::BytecodeGenerator):
1965         * bytecompiler/NodesCodegen.cpp:
1966         (JSC::NewTargetNode::emitBytecode):
1967         * parser/ASTBuilder.h:
1968         (JSC::ASTBuilder::newTargetExpr):
1969         * parser/NodeConstructors.h:
1970         (JSC::NewTargetNode::NewTargetNode):
1971         * parser/Nodes.h:
1972         * parser/Parser.cpp:
1973         (JSC::Parser<LexerType>::parseMemberExpression):
1974         * parser/SyntaxChecker.h:
1975         (JSC::SyntaxChecker::newTargetExpr):
1976         * runtime/CommonIdentifiers.h:
1977         * tests/stress/new-target.js: Added.
1978         (test):
1979         (call):
1980         (Constructor.subCall):
1981         (Constructor.SubConstructor):
1982         (Constructor):
1983         (noAssign):
1984         (doWeirdThings):
1985         (SuperClass):
1986         (SubClass):
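
The behaviour described in this entry and in the earlier "Introducing construct ability into JS executables" and "Add newTarget accessor" entries, checked from plain JS: which function kinds are constructors, and what new.target observes for a plain `new`, a plain call, a `super()` chain and an explicit Reflect.construct newTarget. This is an added example, not code from those patches or their tests; every function, class and object name is constructed.

```javascript
// Added example (not from the patches' tests): construct ability by function
// kind, and the value of new.target under each way of constructing.
function canConstruct(fn, args = []) {
  try {
    Reflect.construct(fn, args);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;   // "... is not a constructor"
    throw e;
  }
}

const holder = {
  method() {},
  get accessor() { return 1; },
  set accessor(v) {},
};
const arrow = () => {};
function ordinary() {}
class Base {
  constructor() { this.target = new.target; }
}
class Derived extends Base {}

// Methods, getters, setters and arrow functions have no construct ability;
// ordinary functions, classes and the builtin Promise constructor do.
function constructAbility() {
  const desc = Object.getOwnPropertyDescriptor(holder, "accessor");
  return {
    ordinary: canConstruct(ordinary),
    klass: canConstruct(Base),
    builtinPromise: canConstruct(Promise, [() => {}]),
    method: canConstruct(holder.method),
    getter: canConstruct(desc.get),
    setter: canConstruct(desc.set),
    arrow: canConstruct(arrow),
  };
}

// new.target is the constructor `new` was applied to: the function itself for
// a plain `new`, the subclass when reached through `super()`, the explicit
// newTarget for Reflect.construct, and undefined for a plain call.
function Plain() {
  return { target: new.target };
}

function newTargetObservations() {
  return {
    plainNew: new Plain().target === Plain,
    plainCall: Plain().target === undefined,
    viaSuper: new Derived().target === Derived,
    viaReflect: Reflect.construct(Plain, [], Derived).target === Derived,
  };
}
```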
1987
1988 2015-07-20  Saam barati  <saambarati1@gmail.com>
1989
1990         "let" scoping introduced incoherent story about symbol table cloning
1991         https://bugs.webkit.org/show_bug.cgi?id=147046
1992
1993         Reviewed by Filip Pizlo.
1994
1995         This patch now establishes a clear set of rules for how SymbolTables
1996         are owned by CodeBlock. Every SymbolTable that is used by a bytecode
1997         instruction must live in CodeBlock's constant register pool. When CodeBlock
1998         is being linked, it ensures that every SymbolTable in the constant pool is cloned. 
1999         This leaves no room for an un-cloned symbol table to be used by a bytecode instruction. 
2000         Some instructions may refer to SymbolTables indirectly through a JSLexicalEnvironment.
2001         This is fine; all JSLexicalEnvironments are allocated with references to cloned symbol tables.
2002
2003         Another goal of this patch is to remove the notion that a SymbolTable is 1 to 1 
2004         with a CodeBlock. With lexical scoping, this view of the world is no longer
2005         correct. This patch begins to remove this assumption by making CodeBlock's
2006         symbolTable() getter method private. There is still one place where we need
2007         to purge our codebase of this assumption and that is the type profiler. It 
2008         has not been updated for lexical scoping. After it is updated in 
2009         https://bugs.webkit.org/show_bug.cgi?id=145438
2010         we will be able to remove CodeBlock's symbolTable() getter entirely.
2011
2012         * bytecode/CodeBlock.cpp:
2013         (JSC::CodeBlock::CodeBlock):
2014         (JSC::CodeBlock::nameForRegister):
2015         * bytecode/CodeBlock.h:
2016         (JSC::CodeBlock::addStringSwitchJumpTable):
2017         (JSC::CodeBlock::stringSwitchJumpTable):
2018         (JSC::CodeBlock::evalCodeCache):
2019         (JSC::CodeBlock::symbolTable):
2020         * bytecode/UnlinkedCodeBlock.cpp:
2021         (JSC::UnlinkedFunctionExecutable::visitChildren):
2022         (JSC::UnlinkedFunctionExecutable::link):
2023         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2024         * bytecode/UnlinkedCodeBlock.h:
2025         (JSC::UnlinkedCodeBlock::addExceptionHandler):
2026         (JSC::UnlinkedCodeBlock::exceptionHandler):
2027         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
2028         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
2029         (JSC::UnlinkedCodeBlock::symbolTable): Deleted.
2030         (JSC::UnlinkedCodeBlock::setSymbolTable): Deleted.
2031         * bytecompiler/BytecodeGenerator.cpp:
2032         (JSC::BytecodeGenerator::generate):
2033         (JSC::BytecodeGenerator::BytecodeGenerator):
2034         (JSC::BytecodeGenerator::pushLexicalScope):
2035         (JSC::BytecodeGenerator::variableForLocalEntry):
2036         (JSC::BytecodeGenerator::createVariable):
2037         (JSC::BytecodeGenerator::resolveType):
2038         (JSC::BytecodeGenerator::emitResolveScope):
2039         * bytecompiler/BytecodeGenerator.h:
2040         (JSC::BytecodeGenerator::thisRegister):
2041         (JSC::BytecodeGenerator::instructions):
2042         (JSC::BytecodeGenerator::symbolTable): Deleted.
2043         * dfg/DFGGraph.h:
2044         (JSC::DFG::Graph::baselineCodeBlockFor):
2045         (JSC::DFG::Graph::isStrictModeFor):
2046         (JSC::DFG::Graph::symbolTableFor): Deleted.
2047         * jit/AssemblyHelpers.h:
2048         (JSC::AssemblyHelpers::baselineCodeBlock):
2049         (JSC::AssemblyHelpers::argumentsStart):
2050         (JSC::AssemblyHelpers::symbolTableFor): Deleted.
2051         * runtime/CommonSlowPaths.cpp:
2052         (JSC::SLOW_PATH_DECL):
2053         * runtime/Executable.cpp:
2054         (JSC::FunctionExecutable::visitChildren):
2055         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
2056         (JSC::FunctionExecutable::symbolTable): Deleted.
2057         * runtime/Executable.h:
2058
2059 2015-07-18  Filip Pizlo  <fpizlo@apple.com>
2060
2061         REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
2062         https://bugs.webkit.org/show_bug.cgi?id=147074
2063         rdar://problem/21869970
2064
2065         Reviewed by Michael Saboff.
2066         
2067         The OSR entry must-handle block/value widening introduced in r186691 would cause the
2068         CFA to reexecute if it caused any live local variables to change value. But this fails
2069         if the must-handle block has no live local variables, and the entry block otherwise
2070         appears to be unreachable.
2071         
2072         This fixes the bug by having the change detection include whether the block hadn't been
2073         visited in addition to whether any local variable values got widened.
2074         
2075         This is a ~4% speed-up on SunSpider in browser.
2076
2077         * dfg/DFGCFAPhase.cpp:
2078         (JSC::DFG::CFAPhase::run):
2079
2080 2015-07-20  Mark Lam  <mark.lam@apple.com>
2081
2082         Rollout r187020 and r187021: breaks JSC API tests on debug builds.
2083         https://bugs.webkit.org/show_bug.cgi?id=147110
2084
2085         * heap/MachineStackMarker.cpp:
2086         (JSC::MachineThreads::addCurrentThread):
2087         * runtime/JSLock.cpp:
2088         (JSC::JSLockHolder::~JSLockHolder):
2089         (JSC::JSLock::JSLock):
2090         (JSC::JSLock::willDestroyVM):
2091         (JSC::JSLock::setExclusiveThread):
2092         (JSC::JSLock::lock):
2093         (JSC::JSLock::unlock):
2094         (JSC::JSLock::currentThreadIsHoldingLock):
2095         (JSC::JSLock::dropAllLocks):
2096         * runtime/JSLock.h:
2097         (JSC::JSLock::vm):
2098         (JSC::JSLock::hasExclusiveThread):
2099         (JSC::JSLock::exclusiveThread):
2100         * runtime/VM.h:
2101         (JSC::VM::hasExclusiveThread):
2102         (JSC::VM::exclusiveThread):
2103         (JSC::VM::setExclusiveThread):
2104
2105 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
2106
2107         Unreviewed debug build fix after r187020.
2108
2109         * heap/MachineStackMarker.cpp:
2110         (JSC::MachineThreads::addCurrentThread):
2111         VM::exclusiveThread() has changed its return type to ThreadIdentifier.
2112
2113 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
2114
2115         JavaScriptCore performance is very bad on Windows
2116         https://bugs.webkit.org/show_bug.cgi?id=146448
2117
2118         Reviewed by Mark Lam.
2119
2120         Profiling shows that std::this_thread::get_id() is slow on Windows.
2121         Use WTF::currentThread() instead, which calls GetCurrentThreadId().
2122         This is faster on Windows. The issue has been reported to Microsoft,
2123         https://connect.microsoft.com/VisualStudio/feedback/details/1558211.
2124
2125         * runtime/JSLock.cpp:
2126         (JSC::JSLockHolder::~JSLockHolder):
2127         (JSC::JSLock::JSLock):
2128         (JSC::JSLock::willDestroyVM):
2129         (JSC::JSLock::setExclusiveThread):
2130         (JSC::JSLock::lock):
2131         (JSC::JSLock::unlock):
2132         (JSC::JSLock::currentThreadIsHoldingLock):
2133         * runtime/JSLock.h:
2134         (JSC::JSLock::vm):
2135         (JSC::JSLock::hasExclusiveThread):
2136         (JSC::JSLock::exclusiveThread):
2137         * runtime/VM.h:
2138         (JSC::VM::hasExclusiveThread):
2139         (JSC::VM::exclusiveThread):
2140         (JSC::VM::setExclusiveThread):
2141
2142 2015-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2143
2144         In strict mode, `Object.keys(arguments)` includes "length"
2145         https://bugs.webkit.org/show_bug.cgi?id=147071
2146
2147         Reviewed by Darin Adler.
2148
2149         ClonedArguments didn't set the "length" with DontEnum.
2150
2151         * runtime/ClonedArguments.cpp:
2152         (JSC::ClonedArguments::createWithInlineFrame):
2153         (JSC::ClonedArguments::createByCopyingFrom):
2154         * tests/stress/arguments-length-always-dont-enum.js: Added.
2155         (shouldBe):
2156         (argsSloppy):
2157         (argsStrict):
2158
2159 2015-07-19  Jordan Harband  <ljharb@gmail.com>
2160
2161         new Date(NaN).toJSON() must return null instead of throwing a TypeError
2162         https://bugs.webkit.org/show_bug.cgi?id=141115
2163
2164         Reviewed by Yusuke Suzuki.
2165
2166         * runtime/DatePrototype.cpp:
2167         (JSC::dateProtoFuncToJSON):
2168
2169 2015-07-19  Saam barati  <saambarati1@gmail.com>
2170
2171         Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
2172         https://bugs.webkit.org/show_bug.cgi?id=147090
2173
2174         Reviewed by Yusuke Suzuki.
2175
2176         ArrowFunctions have their ParserFunctionInfo "name" field
2177         set to a non-null pointer. This is obviously allowed and valid, except we
2178         had a RELEASE_ASSERT that claimed otherwise. This is a mistake.
2179
2180         Note: ArrowFunctions will never actually have a function name;
2181         their ParserFunctionInfo "name" field will be the empty string.
2182         This is not to be confused with the name field being a null pointer.
2183
2184         * parser/Parser.cpp:
2185         (JSC::Parser<LexerType>::parseFunctionInfo):
2186
2187 2015-07-18  Saam barati  <saambarati1@gmail.com>
2188
2189         [ES6] Add support for block scope const
2190         https://bugs.webkit.org/show_bug.cgi?id=31813
2191
2192         Reviewed by Filip Pizlo.
2193
2194         'const' is now implemented in an ES6 spec compliant manner.
2195         'const' variables are always block scoped and always live
2196         either on the stack or in a JSLexicalEnvironment. 'const'
2197         variables never live on the global object.
2198
2199         Inside the BytecodeGenerator, when assigning to a stack
2200         'const' variable or a LocalClosureVar 'const' variable,
2201         we will emit code that just throws a type error.
2202         When assigning to a ClosureVar const variable, CodeBlock linking
2203         will ensure that we perform a dynamic lookup of that variable so
2204         that put_to_scope's slow path throws a type error.
2205
2206         The old 'const' implementation has been removed in this patch.
2207
2208         * bytecode/BytecodeList.json:
2209         * bytecode/BytecodeUseDef.h:
2210         (JSC::computeUsesForBytecodeOffset):
2211         (JSC::computeDefsForBytecodeOffset):
2212         * bytecode/CodeBlock.cpp:
2213         (JSC::CodeBlock::dumpBytecode):
2214         (JSC::CodeBlock::CodeBlock):
2215         * bytecompiler/BytecodeGenerator.cpp:
2216         (JSC::BytecodeGenerator::BytecodeGenerator):
2217         (JSC::BytecodeGenerator::pushLexicalScope):
2218         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
2219         (JSC::BytecodeGenerator::variable):
2220         (JSC::BytecodeGenerator::variableForLocalEntry):
2221         (JSC::BytecodeGenerator::createVariable):
2222         (JSC::BytecodeGenerator::emitResolveScope):
2223         (JSC::BytecodeGenerator::emitInstanceOf):
2224         (JSC::BytecodeGenerator::emitGetById):
2225         (JSC::BytecodeGenerator::isArgumentNumber):
2226         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
2227         (JSC::BytecodeGenerator::emitEnumeration):
2228         (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
2229         (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
2230         * bytecompiler/BytecodeGenerator.h:
2231         (JSC::Variable::Variable):
2232         (JSC::Variable::isReadOnly):
2233         (JSC::Variable::isSpecial):
2234         (JSC::Variable::isConst):
2235         (JSC::BytecodeGenerator::thisRegister):
2236         (JSC::BytecodeGenerator::emitTypeOf):
2237         (JSC::BytecodeGenerator::emitIn):
2238         * bytecompiler/NodesCodegen.cpp:
2239         (JSC::PostfixNode::emitResolve):
2240         (JSC::PrefixNode::emitResolve):
2241         (JSC::ReadModifyResolveNode::emitBytecode):
2242         (JSC::AssignResolveNode::emitBytecode):
2243         (JSC::CommaNode::emitBytecode):
2244         (JSC::BindingNode::bindValue):
2245         (JSC::ConstDeclNode::emitCodeSingle): Deleted.
2246         (JSC::ConstDeclNode::emitBytecode): Deleted.
2247         (JSC::ConstStatementNode::emitBytecode): Deleted.
2248         * dfg/DFGByteCodeParser.cpp:
2249         (JSC::DFG::ByteCodeParser::parseBlock):
2250         * dfg/DFGCapabilities.cpp:
2251         (JSC::DFG::capabilityLevel):
2252         * jit/JIT.cpp:
2253         (JSC::JIT::privateCompileMainPass):
2254         * jit/JIT.h:
2255         * jit/JITPropertyAccess.cpp:
2256         (JSC::JIT::emit_op_put_to_arguments):
2257         (JSC::JIT::emit_op_init_global_const): Deleted.
2258         * jit/JITPropertyAccess32_64.cpp:
2259         (JSC::JIT::emit_op_put_to_arguments):
2260         (JSC::JIT::emit_op_init_global_const): Deleted.
2261         * llint/LowLevelInterpreter.asm:
2262         * llint/LowLevelInterpreter32_64.asm:
2263         * llint/LowLevelInterpreter64.asm:
2264         * parser/ASTBuilder.h:
2265         (JSC::ASTBuilder::createDeclarationStatement):
2266         (JSC::ASTBuilder::createEmptyVarExpression):
2267         (JSC::ASTBuilder::createDebugger):
2268         (JSC::ASTBuilder::appendStatement):
2269         (JSC::ASTBuilder::createVarStatement): Deleted.
2270         (JSC::ASTBuilder::createLetStatement): Deleted.
2271         (JSC::ASTBuilder::createConstStatement): Deleted.
2272         (JSC::ASTBuilder::appendConstDecl): Deleted.
2273         * parser/NodeConstructors.h:
2274         (JSC::CommaNode::CommaNode):
2275         (JSC::SourceElements::SourceElements):
2276         (JSC::SwitchNode::SwitchNode):
2277         (JSC::BlockNode::BlockNode):
2278         (JSC::ConstStatementNode::ConstStatementNode): Deleted.
2279         (JSC::ConstDeclNode::ConstDeclNode): Deleted.
2280         * parser/Nodes.h:
2281         (JSC::ConstDeclNode::hasInitializer): Deleted.
2282         (JSC::ConstDeclNode::ident): Deleted.
2283         * parser/Parser.cpp:
2284         (JSC::Parser<LexerType>::parseStatementListItem):
2285         (JSC::Parser<LexerType>::parseVariableDeclaration):
2286         (JSC::Parser<LexerType>::parseWhileStatement):
2287         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2288         (JSC::Parser<LexerType>::createBindingPattern):
2289         (JSC::Parser<LexerType>::parseDestructuringPattern):
2290         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
2291         (JSC::Parser<LexerType>::parseForStatement):
2292         (JSC::Parser<LexerType>::parseTryStatement):
2293         (JSC::Parser<LexerType>::parseFunctionInfo):
2294         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2295         (JSC::Parser<LexerType>::parseClass):
2296         (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
2297         (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
2298         * parser/Parser.h:
2299         (JSC::isEvalNode):
2300         (JSC::isEvalNode<EvalNode>):
2301         (JSC::isArguments):
2302         (JSC::isEval):
2303         (JSC::isEvalOrArgumentsIdentifier):
2304         (JSC::Scope::Scope):
2305         (JSC::Scope::declareCallee):
2306         (JSC::Scope::declareVariable):
2307         (JSC::Scope::declareLexicalVariable):
2308         (JSC::Scope::hasDeclaredVariable):
2309         (JSC::Scope::allowsVarDeclarations):
2310         (JSC::Scope::allowsLexicalDeclarations):
2311         (JSC::Scope::declareParameter):
2312         (JSC::Scope::declareBoundParameter):
2313         (JSC::Parser::destructuringKindFromDeclarationType):
2314         (JSC::Parser::assignmentContextFromDeclarationType):
2315         (JSC::Parser::isEvalOrArguments):
2316         (JSC::Parser::currentScope):
2317         (JSC::Parser::popScope):
2318         (JSC::Parser::declareVariable):
2319         (JSC::Parser::hasDeclaredVariable):
2320         (JSC::Parser::setStrictMode):
2321         (JSC::Parser::strictMode):
2322         (JSC::Parser::isValidStrictMode):
2323         (JSC::Parser::declareParameter):
2324         (JSC::Parser::declareBoundParameter):
2325         (JSC::Parser::breakIsValid):
2326         * parser/SyntaxChecker.h:
2327         (JSC::SyntaxChecker::createForInLoop):
2328         (JSC::SyntaxChecker::createForOfLoop):
2329         (JSC::SyntaxChecker::createEmptyStatement):
2330         (JSC::SyntaxChecker::createDeclarationStatement):
2331         (JSC::SyntaxChecker::createReturnStatement):
2332         (JSC::SyntaxChecker::createBreakStatement):
2333         (JSC::SyntaxChecker::createVarStatement): Deleted.
2334         (JSC::SyntaxChecker::createLetStatement): Deleted.
2335         * parser/VariableEnvironment.h:
2336         (JSC::VariableEnvironmentEntry::isCaptured):
2337         (JSC::VariableEnvironmentEntry::isConst):
2338         (JSC::VariableEnvironmentEntry::isVar):
2339         (JSC::VariableEnvironmentEntry::isLet):
2340         (JSC::VariableEnvironmentEntry::setIsCaptured):
2341         (JSC::VariableEnvironmentEntry::setIsConst):
2342         (JSC::VariableEnvironmentEntry::setIsVar):
2343         (JSC::VariableEnvironmentEntry::setIsLet):
2344         (JSC::VariableEnvironmentEntry::isConstant): Deleted.
2345         (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
2346         * runtime/Executable.cpp:
2347         (JSC::ProgramExecutable::initializeGlobalProperties):
2348         * runtime/JSGlobalObject.cpp:
2349         (JSC::JSGlobalObject::defineOwnProperty):
2350         (JSC::JSGlobalObject::addGlobalVar):
2351         (JSC::JSGlobalObject::addFunction):
2352         (JSC::lastInPrototypeChain):
2353         * runtime/JSGlobalObject.h:
2354         (JSC::JSGlobalObject::finishCreation):
2355         (JSC::JSGlobalObject::addVar):
2356         (JSC::JSGlobalObject::addConst): Deleted.
2357         * runtime/JSLexicalEnvironment.cpp:
2358         (JSC::JSLexicalEnvironment::symbolTablePut):
2359         * tests/stress/const-and-with-statement.js: Added.
2360         (truth):
2361         (assert):
2362         (shouldThrowInvalidConstAssignment):
2363         (.):
2364         * tests/stress/const-exception-handling.js: Added.
2365         (truth):
2366         (assert):
2367         (.):
2368         * tests/stress/const-loop-semantics.js: Added.
2369         (truth):
2370         (assert):
2371         (shouldThrowInvalidConstAssignment):
2372         (.):
2373         * tests/stress/const-not-strict-mode.js: Added.
2374         (truth):
2375         (assert):
2376         (shouldThrowTDZ):
2377         (.):
2378         * tests/stress/const-semantics.js: Added.
2379         (truth):
2380         (assert):
2381         (shouldThrowInvalidConstAssignment):
2382         (.):
2383         * tests/stress/const-tdz.js: Added.
2384         (truth):
2385         (assert):
2386         (shouldThrowTDZ):
2387         (.):
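
The 'const' semantics this entry describes (block scoping, the temporal dead zone, TypeError on assignment to both stack-resident and captured const variables, fresh bindings per loop iteration, and const inside exception handlers), as an added example. It is not code from the ChangeLog or from the tests/stress files listed above; the helper errorKind and all function names are made up here. Each check returns its result so it can be asserted rather than printed.

```javascript
// Added example, not part of the WebKit ChangeLog or the JSC test suite.
// Helper and function names are made up.

// Run fn and report the constructor name of whatever it throws
// ("none" if it returns normally).
function errorKind(fn) {
  try {
    fn();
    return "none";
  } catch (e) {
    return e.constructor.name;
  }
}

// const is block scoped: an inner block may shadow the name, the outer
// binding is untouched, and the inner one is gone once the block ends.
function constIsBlockScoped() {
  const x = "outer";
  {
    const x = "inner";
  }
  return x; // "outer"
}

// Temporal dead zone: reading a const before its declaration is a
// ReferenceError, even though the binding already exists in the block.
function constTdz() {
  return errorKind(() => {
    x; // ReferenceError: x is in its TDZ here
    const x = 1;
  });
}

// Assigning to a const that lives on the stack throws a TypeError.
function assignToLocalConst() {
  return errorKind(() => {
    const x = 1;
    x = 2; // TypeError
  });
}

// Assigning through a closure (a captured const living in a lexical
// environment) also throws, and the value stays intact.
function assignToCapturedConst() {
  const x = 1;
  const mutate = () => {
    x = 2; // TypeError via the scope put path
  };
  return [errorKind(mutate), x]; // ["TypeError", 1]
}

// Loop semantics: each for-of iteration gets a fresh const binding, so
// closures created in different iterations see different values.
function constLoopBindings() {
  const getters = [];
  for (const v of [10, 20, 30]) {
    getters.push(() => v);
  }
  return getters.map(get => get()); // [10, 20, 30]
}

// Exception handling: a const declared in a catch block is scoped to that
// block and can coexist with one of the same name in the try block.
function constInTryCatch() {
  try {
    const x = "try";
    throw new Error(x);
  } catch (e) {
    const x = "catch:" + e.message;
    return x; // "catch:try"
  }
}
```

None of these checks depend on strict mode: assignment to a const is a TypeError in sloppy code too, which is the point of the const-not-strict-mode test listed in this entry.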
2388
2389 2015-07-18  Saam barati  <saambarati1@gmail.com>
2390
2391         lexical scoping is broken with respect to "break" and "continue"
2392         https://bugs.webkit.org/show_bug.cgi?id=147063
2393
2394         Reviewed by Filip Pizlo.
2395
2396         Bug #142944, which introduced "let" and lexical scoping,
2397         didn't properly hook into the bytecode generator's machinery
2398         for calculating scope depth deltas for "break" and "continue". This
2399         resulted in the bytecode generator popping an incorrect number
2400         of scopes when lexical scopes were involved.
2401
2402         This patch fixes this problem and generalizes this machinery a bit.
2403         This patch also renames old functions in a sensible way that is more
2404         coherent in a world with lexical scoping.
2405
2406         * bytecompiler/BytecodeGenerator.cpp:
2407         (JSC::BytecodeGenerator::BytecodeGenerator):
2408         (JSC::BytecodeGenerator::newLabelScope):
2409         (JSC::BytecodeGenerator::emitProfileType):
2410         (JSC::BytecodeGenerator::pushLexicalScope):
2411         (JSC::BytecodeGenerator::popLexicalScope):
2412         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
2413         (JSC::BytecodeGenerator::resolveType):
2414         (JSC::BytecodeGenerator::emitResolveScope):
2415         (JSC::BytecodeGenerator::emitGetFromScope):
2416         (JSC::BytecodeGenerator::emitPutToScope):
2417         (JSC::BytecodeGenerator::emitPushWithScope):
2418         (JSC::BytecodeGenerator::emitGetParentScope):
2419         (JSC::BytecodeGenerator::emitPopScope):
2420         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
2421         (JSC::BytecodeGenerator::emitPopScopes):
2422         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
2423         (JSC::BytecodeGenerator::localScopeDepth):
2424         (JSC::BytecodeGenerator::labelScopeDepth):
2425         (JSC::BytecodeGenerator::emitThrowReferenceError):
2426         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
2427         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
2428         (JSC::BytecodeGenerator::popScopedControlFlowContext):
2429         (JSC::BytecodeGenerator::emitPushCatchScope):
2430         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
2431         * bytecompiler/BytecodeGenerator.h:
2432         (JSC::BytecodeGenerator::hasFinaliser):
2433         (JSC::BytecodeGenerator::scopeDepth): Deleted.
2434         * bytecompiler/NodesCodegen.cpp:
2435         (JSC::ContinueNode::trivialTarget):
2436         (JSC::BreakNode::trivialTarget):
2437         (JSC::ReturnNode::emitBytecode):
2438         (JSC::WithNode::emitBytecode):
2439         (JSC::TryNode::emitBytecode):
2440         * tests/stress/lexical-scoping-break-continue.js: Added.
2441         (assert):
2442         (.):
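
The scope-popping behaviour this fix concerns, exercised from JavaScript as an added example (not code from the ChangeLog or from tests/stress/lexical-scoping-break-continue.js; all names are made up). Captured "let" bindings force lexical environments to exist at each nesting level, so a break or continue that popped the wrong number of scopes would make a later lookup resolve against the wrong environment; the expected values below are what correct scope handling yields.

```javascript
// Added example, not part of the WebKit ChangeLog or the JSC test suite.
// All variable and function names are made up.

// Labelled break/continue out of nested blocks that each declare captured
// `let` bindings. Closures are collected so the bindings must live in
// lexical environments rather than on the stack.
function breakContinueAcrossLexicalScopes() {
  const getters = [];
  outer: for (let i = 0; i < 3; i++) {
    let a = i * 10;             // captured: lives in a lexical environment
    for (let j = 0; j < 3; j++) {
      let b = a + j;            // captured, one scope deeper
      if (j === 1) continue;    // must pop only the inner block's scope
      if (i === 2) break outer; // must pop both loops' scopes
      getters.push(() => b);
    }
  }
  return getters.map(get => get()); // [0, 2, 10, 12]
}

// After breaking out of a block that shadows a name with its own `let`,
// the outer binding of that name must be visible again.
function outerBindingVisibleAfterBreak() {
  let name = "outer";
  for (let k = 0; k < 1; k++) {
    let name = "inner";
    if (name === "inner") break;
  }
  return name; // "outer"
}

// `break` through a try/finally: the finally block still runs, and the
// loop variable resolves correctly inside it.
function breakThroughFinally() {
  const log = [];
  for (let i = 0; i < 5; i++) {
    try {
      let marker = "try" + i;
      if (i === 1) break;
      log.push(marker);
    } finally {
      log.push("finally" + i);
    }
  }
  return log; // ["try0", "finally0", "finally1"]
}
```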
2443
2444 2015-07-18  Commit Queue  <commit-queue@webkit.org>
2445
2446         Unreviewed, rolling out r186996.
2447         https://bugs.webkit.org/show_bug.cgi?id=147070
2448
2449         Broke JSC tests (Requested by smfr on #webkit).
2450
2451         Reverted changeset:
2452
2453         "lexical scoping is broken with respect to "break" and
2454         "continue""
2455         https://bugs.webkit.org/show_bug.cgi?id=147063
2456         http://trac.webkit.org/changeset/186996
2457
2458 2015-07-18  Saam barati  <saambarati1@gmail.com>
2459
2460         lexical scoping is broken with respect to "break" and "continue"
2461         https://bugs.webkit.org/show_bug.cgi?id=147063
2462
2463         Reviewed by Filip Pizlo.
2464
2465         Bug #142944, which introduced "let" and lexical scoping,
2466         didn't properly hook into the bytecode generator's machinery
2467         for calculating scope depth deltas for "break" and "continue". This
2468         resulted in the bytecode generator popping an incorrect number
2469         of scopes when lexical scopes were involved.
2470
2471         This patch fixes this problem and generalizes this machinery a bit.
2472         This patch also renames old functions in a sensible way that is more
2473         coherent in a world with lexical scoping.
2474
2475         * bytecompiler/BytecodeGenerator.cpp:
2476         (JSC::BytecodeGenerator::BytecodeGenerator):
2477         (JSC::BytecodeGenerator::newLabelScope):
2478         (JSC::BytecodeGenerator::emitProfileType):
2479         (JSC::BytecodeGenerator::pushLexicalScope):
2480         (JSC::BytecodeGenerator::popLexicalScope):
2481         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
2482         (JSC::BytecodeGenerator::resolveType):
2483         (JSC::BytecodeGenerator::emitResolveScope):
2484         (JSC::BytecodeGenerator::emitGetFromScope):
2485         (JSC::BytecodeGenerator::emitPutToScope):
2486         (JSC::BytecodeGenerator::emitPushWithScope):
2487         (JSC::BytecodeGenerator::emitGetParentScope):
2488         (JSC::BytecodeGenerator::emitPopScope):
2489         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
2490         (JSC::BytecodeGenerator::emitPopScopes):
2491         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
2492         (JSC::BytecodeGenerator::localScopeDepth):
2493         (JSC::BytecodeGenerator::labelScopeDepth):
2494         (JSC::BytecodeGenerator::emitThrowReferenceError):
2495         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
2496         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
2497         (JSC::BytecodeGenerator::popScopedControlFlowContext):
2498         (JSC::BytecodeGenerator::emitPushCatchScope):
2499         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
2500         * bytecompiler/BytecodeGenerator.h:
2501         (JSC::BytecodeGenerator::hasFinaliser):
2502         (JSC::BytecodeGenerator::scopeDepth): Deleted.
2503         * bytecompiler/NodesCodegen.cpp:
2504         (JSC::ContinueNode::trivialTarget):
2505         (JSC::BreakNode::trivialTarget):
2506         (JSC::ReturnNode::emitBytecode):
2507         (JSC::WithNode::emitBytecode):
2508         (JSC::TryNode::emitBytecode):
2509         * tests/stress/lexical-scoping-break-continue.js: Added.
2510         (assert):
2511         (.):
2512
2513 2015-07-17  Filip Pizlo  <fpizlo@apple.com>
2514
2515         DFG should have some obvious mitigations against watching structures that are unprofitable to watch
2516         https://bugs.webkit.org/show_bug.cgi?id=147034
2517
2518         Reviewed by Mark Lam and Michael Saboff.
2519         
2520         This implements two guards against the DFG watching structures that are likely to fire
2521         their watchpoints:
2522         
2523         - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
2524           can be flattened, and then they can transform back to dictionaries.
2525         
2526         - Don't watch structures whose past structures were transitioned-away from while their
2527           transition watchpoints were being watched. This property gives us monotonicity: if we
2528           recompile because we watched structure S1 of object O, then we won't make the same mistake
2529           again when object O has structure S2, S3, and so on.
2530         
2531         This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
2532         help some of them, so on Octane it's basically neutral.
2533
2534         * bytecode/Watchpoint.h:
2535         (JSC::WatchpointSet::invalidate):
2536         (JSC::WatchpointSet::isBeingWatched):
2537         (JSC::WatchpointSet::addressOfState):
2538         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
2539         (JSC::InlineWatchpointSet::touch):
2540         (JSC::InlineWatchpointSet::isBeingWatched):
2541         * runtime/JSGlobalObject.h:
2542         (JSC::JSGlobalObject::createStructure):
2543         (JSC::JSGlobalObject::registerWeakMap):
2544         * runtime/Structure.cpp:
2545         (JSC::Structure::Structure):
2546         (JSC::Structure::toDictionaryTransition):
2547         (JSC::Structure::didTransitionFromThisStructure):
2548         * runtime/Structure.h:
2549
2550 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
2551
2552         Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
2553         https://bugs.webkit.org/show_bug.cgi?id=147030
2554
2555         Reviewed by Andreas Kling.
2556         
2557         All of the users of DesiredWriteBarriers were just using it to request that Plan
2558         finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
2559         owning cell in the heap that compilation affects. So, we might as well just have Plan
2560         unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
2561         all.
2562
2563         * CMakeLists.txt:
2564         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2565         * JavaScriptCore.xcodeproj/project.pbxproj:
2566         * dfg/DFGByteCodeParser.cpp:
2567         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2568         * dfg/DFGDesiredWriteBarriers.cpp: Removed.
2569         * dfg/DFGDesiredWriteBarriers.h: Removed.
2570         * dfg/DFGGraph.cpp:
2571         (JSC::DFG::Graph::registerFrozenValues):
2572         * dfg/DFGPlan.cpp:
2573         (JSC::DFG::Plan::reallyAdd):
2574         (JSC::DFG::Plan::notifyCompiling):
2575         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2576         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2577         (JSC::DFG::Plan::cancel):
2578         * dfg/DFGPlan.h:
2579
2580 2015-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2581
2582         Integrate automatic microtask draining into JSC framework and re-enable Promise
2583         https://bugs.webkit.org/show_bug.cgi?id=146828
2584
2585         Reviewed by Sam Weinig.
2586
2587         Add an automatic microtask draining system to the JSC framework.
2588         Just before the depth of the VM lock drops to 0, we drain the queued microtasks.
2589         The enqueuing behavior can be injected through the JSGlobalObject's method table.
2590         This is utilized in WebCore to post the microtask to WebCore's event loop.
2591
2592         In the case of the JSC interactive shell, the VM depth is always greater than 0,
2593         so we manually drain the queued microtasks after evaluating the written line.
2594
2595         Since the JSC framework now has the microtask queue, we can drain the queued microtasks,
2596         so we re-enable Promise in the JSC framework context.
2597
2598         * API/JSContextRef.cpp:
2599         (javaScriptRuntimeFlags): Deleted.
2600         * API/tests/testapi.c:
2601         (main):
2602         * API/tests/testapi.mm:
2603         (testObjectiveCAPIMain):
2604         * jsc.cpp:
2605         (runInteractive):
2606         * runtime/JSGlobalObject.cpp:
2607         (JSC::JSGlobalObject::queueMicrotask):
2608         * runtime/JSLock.cpp:
2609         (JSC::JSLock::willReleaseLock):
2610         * runtime/VM.cpp:
2611         (JSC::VM::queueMicrotask):
2612         (JSC::VM::drainMicrotasks):
2613         (JSC::QueuedTask::run):
2614         * runtime/VM.h:
2615         (JSC::QueuedTask::QueuedTask):
2616
2617 2015-07-17  Saam barati  <saambarati1@gmail.com>
2618
2619         Function parameters should be parsed in the same parser arena as the function body
2620         https://bugs.webkit.org/show_bug.cgi?id=145995
2621
2622         Reviewed by Yusuke Suzuki.
2623
2624         This patch changes how functions are parsed in JSC. A function's
2625         parameters are now parsed in the same arena as the function itself.
2626         This allows us to arena allocate all destructuring AST nodes and
2627         the FunctionParameters node. This will help make implementing ES6
2628         default parameter values sane.
2629
2630         The source code that represents a function now includes the text of the function's
2631         parameters. The starting offset is at the opening parenthesis of the parameter
2632         list, or at the starting character of the identifier for arrow functions that
2633         have a single argument and don't start with a parenthesis.
2634
2635         For example:
2636
2637         "function (param1, param2) { ... }"
2638                                    ^
2639                                    | This offset used to be the starting offset of a function's SourceCode
2640                   ^
2641                   | This is the new starting offset for a function's SourceCode.
2642
2643         This requires us to change how some offsets are calculated
2644         and also requires us to report some different line numbers for internal
2645         metrics that use a SourceCode's starting line and column numbers.
2646
2647         This patch also does a bit of cleanup with regards to how
2648         functions are parsed in general (especially arrow functions).
2649         It removes some unnecessary #ifdefs and the likes for arrow
2650         to make things clearer and more deliberate.
2651
2652         * API/JSScriptRef.cpp:
2653         (parseScript):
2654         * builtins/BuiltinExecutables.cpp:
2655         (JSC::BuiltinExecutables::createExecutableInternal):
2656         * bytecode/UnlinkedCodeBlock.cpp:
2657         (JSC::generateFunctionCodeBlock):
2658         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2659         (JSC::UnlinkedFunctionExecutable::visitChildren):
2660         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
2661         * bytecode/UnlinkedCodeBlock.h:
2662         * bytecompiler/NodesCodegen.cpp:
2663         (JSC::DestructuringAssignmentNode::emitBytecode):
2664         (JSC::assignDefaultValueIfUndefined):
2665         (JSC::ArrayPatternNode::collectBoundIdentifiers):
2666         (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
2667         * parser/ASTBuilder.h:
2668         (JSC::ASTBuilder::createClassExpr):
2669         (JSC::ASTBuilder::createFunctionExpr):
2670         (JSC::ASTBuilder::createFunctionBody):
2671         (JSC::ASTBuilder::createArrowFunctionExpr):
2672         (JSC::ASTBuilder::createGetterOrSetterProperty):
2673         (JSC::ASTBuilder::createElementList):
2674         (JSC::ASTBuilder::createFormalParameterList):
2675         (JSC::ASTBuilder::appendParameter):
2676         (JSC::ASTBuilder::createClause):
2677         (JSC::ASTBuilder::createClauseList):
2678         (JSC::ASTBuilder::createFuncDeclStatement):
2679         (JSC::ASTBuilder::createForInLoop):
2680         (JSC::ASTBuilder::createForOfLoop):
2681         (JSC::ASTBuilder::isResolve):
2682         (JSC::ASTBuilder::createDestructuringAssignment):
2683         (JSC::ASTBuilder::createArrayPattern):
2684         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
2685         (JSC::ASTBuilder::appendArrayPatternEntry):
2686         (JSC::ASTBuilder::appendArrayPatternRestEntry):
2687         (JSC::ASTBuilder::finishArrayPattern):
2688         (JSC::ASTBuilder::createObjectPattern):
2689         (JSC::ASTBuilder::appendObjectPatternEntry):
2690         (JSC::ASTBuilder::createBindingLocation):
2691         (JSC::ASTBuilder::setEndOffset):
2692         * parser/Lexer.cpp:
2693         (JSC::Lexer<T>::Lexer):
2694         (JSC::Lexer<T>::nextTokenIsColon):
2695         (JSC::Lexer<T>::setTokenPosition):
2696         (JSC::Lexer<T>::lex):
2697         (JSC::Lexer<T>::clear):
2698         * parser/Lexer.h:
2699         (JSC::Lexer::setIsReparsingFunction):
2700         (JSC::Lexer::isReparsingFunction):
2701         (JSC::Lexer::lineNumber):
2702         (JSC::Lexer::setIsReparsing): Deleted.
2703         (JSC::Lexer::isReparsing): Deleted.
2704         * parser/NodeConstructors.h:
2705         (JSC::TryNode::TryNode):
2706         (JSC::FunctionParameters::FunctionParameters):
2707         (JSC::FuncExprNode::FuncExprNode):
2708         (JSC::FuncDeclNode::FuncDeclNode):
2709         (JSC::ArrayPatternNode::ArrayPatternNode):
2710         (JSC::ObjectPatternNode::ObjectPatternNode):
2711         (JSC::BindingNode::BindingNode):
2712         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2713         (JSC::ParameterNode::ParameterNode): Deleted.
2714         (JSC::ArrayPatternNode::create): Deleted.
2715         (JSC::ObjectPatternNode::create): Deleted.
2716         (JSC::BindingNode::create): Deleted.
2717         * parser/Nodes.cpp:
2718         (JSC::ProgramNode::ProgramNode):
2719         (JSC::EvalNode::EvalNode):
2720         (JSC::FunctionBodyNode::FunctionBodyNode):
2721         (JSC::FunctionBodyNode::finishParsing):
2722         (JSC::FunctionNode::FunctionNode):
2723         (JSC::FunctionNode::finishParsing):
2724         (JSC::FunctionParameters::create): Deleted.
2725         (JSC::FunctionParameters::FunctionParameters): Deleted.
2726         (JSC::FunctionParameters::~FunctionParameters): Deleted.
2727         * parser/Nodes.h:
2728         (JSC::ProgramNode::startColumn):
2729         (JSC::ProgramNode::endColumn):
2730         (JSC::EvalNode::startColumn):
2731         (JSC::EvalNode::endColumn):
2732         (JSC::FunctionParameters::size):
2733         (JSC::FunctionParameters::at):
2734         (JSC::FunctionParameters::append):
2735         (JSC::FuncExprNode::body):
2736         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
2737         (JSC::DestructuringPatternNode::isBindingNode):
2738         (JSC::DestructuringPatternNode::emitDirectBinding):
2739         (JSC::ArrayPatternNode::appendIndex):
2740         (JSC::ObjectPatternNode::appendEntry):
2741         (JSC::BindingNode::boundProperty):
2742         (JSC::BindingNode::divotStart):
2743         (JSC::BindingNode::divotEnd):
2744         (JSC::DestructuringAssignmentNode::bindings):
2745         (JSC::FuncDeclNode::body):
2746         (JSC::ParameterNode::pattern): Deleted.
2747         (JSC::ParameterNode::nextParam): Deleted.
2748         (JSC::FunctionParameters::patterns): Deleted.
2749         * parser/Parser.cpp:
2750         (JSC::Parser<LexerType>::Parser):
2751         (JSC::Parser<LexerType>::~Parser):
2752         (JSC::Parser<LexerType>::parseInner):
2753         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
2754         (JSC::Parser<LexerType>::parseSourceElements):
2755         (JSC::Parser<LexerType>::createBindingPattern):
2756         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2757         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2758         (JSC::Parser<LexerType>::parseSwitchClauses):
2759         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
2760         (JSC::Parser<LexerType>::parseBlockStatement):
2761         (JSC::Parser<LexerType>::parseStatement):
2762         (JSC::Parser<LexerType>::parseFormalParameters):
2763         (JSC::Parser<LexerType>::parseFunctionBody):
2764         (JSC::stringForFunctionMode):
2765         (JSC::Parser<LexerType>::parseFunctionParameters):
2766         (JSC::Parser<LexerType>::parseFunctionInfo):
2767         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2768         (JSC::Parser<LexerType>::parseClass):
2769         (JSC::Parser<LexerType>::parsePrimaryExpression):
2770         (JSC::Parser<LexerType>::parseMemberExpression):
2771         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2772         (JSC::operatorString):
2773         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
2774         * parser/Parser.h:
2775         (JSC::Parser::positionBeforeLastNewline):
2776         (JSC::Parser::locationBeforeLastToken):
2777         (JSC::Parser::findCachedFunctionInfo):
2778         (JSC::Parser::isofToken):
2779         (JSC::Parser::isEndOfArrowFunction):
2780         (JSC::Parser::isArrowFunctionParamters):
2781         (JSC::Parser::tokenStart):
2782         (JSC::Parser::isLETMaskedAsIDENT):
2783         (JSC::Parser::autoSemiColon):
2784         (JSC::Parser::setEndOfStatement):
2785         (JSC::Parser::canRecurse):
2786         (JSC::Parser<LexerType>::parse):
2787         (JSC::parse):
2788         * parser/ParserFunctionInfo.h:
2789         * parser/ParserModes.h:
2790         (JSC::functionNameIsInScope):
2791         * parser/SourceCode.h:
2792         (JSC::makeSource):
2793         (JSC::SourceCode::subExpression):
2794         (JSC::SourceCode::subArrowExpression): Deleted.
2795         * parser/SourceProviderCache.h:
2796         (JSC::SourceProviderCache::get):
2797         * parser/SourceProviderCacheItem.h:
2798         (JSC::SourceProviderCacheItem::endFunctionToken):
2799         (JSC::SourceProviderCacheItem::usedVariables):
2800         (JSC::SourceProviderCacheItem::writtenVariables):
2801         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
2802         * parser/SyntaxChecker.h:
2803         (JSC::SyntaxChecker::SyntaxChecker):
2804         (JSC::SyntaxChecker::createClassExpr):
2805         (JSC::SyntaxChecker::createFunctionExpr):
2806         (JSC::SyntaxChecker::createFunctionBody):
2807         (JSC::SyntaxChecker::createArrowFunctionExpr):
2808         (JSC::SyntaxChecker::setFunctionNameStart):
2809         (JSC::SyntaxChecker::createArguments):
2810         (JSC::SyntaxChecker::createPropertyList):
2811         (JSC::SyntaxChecker::createElementList):
2812         (JSC::SyntaxChecker::createFormalParameterList):
2813         (JSC::SyntaxChecker::appendParameter):
2814         (JSC::SyntaxChecker::createClause):
2815         (JSC::SyntaxChecker::createClauseList):
2816         * runtime/CodeCache.cpp:
2817         (JSC::CodeCache::getGlobalCodeBlock):
2818         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2819         * runtime/Completion.cpp:
2820         (JSC::checkSyntax):
2821         * runtime/Executable.cpp:
2822         (JSC::ProgramExecutable::checkSyntax):
2823         * tests/controlFlowProfiler/conditional-expression.js:
2824         (testConditionalFunctionCall):
2825
2826 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
2827
2828         Unreviewed, fix build for newer LLVMs.
2829
2830         * llvm/LLVMHeaders.h:
2831         * llvm/library/LLVMExports.cpp:
2832
2833 2015-07-16  Mark Lam  <mark.lam@apple.com>
2834
2835         RegExp::match() should set m_state to ByteCode if compilation fails.
2836         https://bugs.webkit.org/show_bug.cgi?id=147023
2837
2838         Reviewed by Michael Saboff.
2839
2840         A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
2841         If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
2842         Subsequently, if RegExp tries to compile another one of these but fails, m_state
2843         will be left untouched, i.e. it still says JITCode.  As a result, when
2844         RegExp::match() later tries to execute the non-existent compiled code, it will
2845         crash.
2846
2847         The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
2848         This failure should be rare.  We'll do the minimal work here to fix the issue and
2849         keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
2850
2851         This issue is difficult to test for since it either requires a low memory condition
2852         to trigger a failed RegExp compilation at the right moment, or for the RegExp to
2853         succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
2854         Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
2855         10 compilation attempts.
2856
2857         * runtime/RegExp.cpp:
2858         (JSC::RegExp::compile):
2859         (JSC::RegExp::compileMatchOnly):
2860
2861 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
2862
2863         [Win] Fix armv7 build.
2864
2865         * jit/CCallHelpers.h:
2866         (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
2867         version of poke is not available on armv7 builds.
2868
2869 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
2870
2871         [Win] 64-bit Build Failure
2872         https://bugs.webkit.org/show_bug.cgi?id=146989
2873
2874         Reviewed by Mark Lam.
2875
2876         * jit/CCallHelpers.h:
2877         (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
2878         declaration for 64-bit type on 4-argument register machines (like
2879         Windows).
2880
2881 2015-07-15  Saam barati  <saambarati1@gmail.com>
2882
2883         [ES6] implement block scoping to enable 'let'
2884         https://bugs.webkit.org/show_bug.cgi?id=142944
2885
2886         Reviewed by Filip Pizlo.
2887
2888         * CMakeLists.txt:
2889         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2890         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2891         * JavaScriptCore.xcodeproj/project.pbxproj:
2892         * builtins/BuiltinExecutables.cpp:
2893         (JSC::BuiltinExecutables::createExecutableInternal):
2894         * bytecode/BytecodeList.json:
2895         This patch adds a new opcode and removes op_pop_scope:
2896         1) op_get_parent_scope returns the parent scope but doesn't 
2897         implicitly write that scope into the scope register. op_pop_scope
2898         is now reduced to op_get_parent_scope followed by op_mov.
2899
2900         * bytecode/BytecodeUseDef.h:
2901         (JSC::computeUsesForBytecodeOffset):
2902         (JSC::computeDefsForBytecodeOffset):
2903         * bytecode/CodeBlock.cpp:
2904         (JSC::CodeBlock::dumpBytecode):
2905         (JSC::CodeBlock::CodeBlock):
2906         (JSC::CodeBlock::stronglyVisitStrongReferences):
2907         * bytecode/CodeBlock.h:
2908         (JSC::CodeBlock::addStringSwitchJumpTable):
2909         (JSC::CodeBlock::stringSwitchJumpTable):
2910         (JSC::CodeBlock::symbolTable):
2911         (JSC::CodeBlock::evalCodeCache):
2912         (JSC::CodeBlock::setConstantRegisters):
2913         (JSC::CodeBlock::replaceConstant):
2914         op_put_to_scope for LocalClosureVar now takes as an argument
2915         the constant index for the Symbol Table it will be putting into.
2916         This argument is only used to communicate from the BytecodeGenerator
2917         to CodeBlock linking time and it is not present in the linked bytecode.
2918
2919         op_put_to_scope for non LocalClosureVar takes, at the same index, an
2920         argument that represents the local scope depth which it uses for
2921         JSScope::abstractResolve to know how many scopes it needs to skip.
2922         Again, this is not in the linked code.
2923         op_get_from_scope and op_resolve_scope also take as an argument
2924         the local scope depth to use in JSScope::abstractResolve. Again,
2925         this is not used in the linked code.
2926
2927         * bytecode/EvalCodeCache.h:
2928         (JSC::EvalCodeCache::tryGet):
2929         (JSC::EvalCodeCache::getSlow):
2930         (JSC::EvalCodeCache::clear):
2931         (JSC::EvalCodeCache::isCacheable):
2932         When direct eval is called and passed a scope that 
2933         corresponds to a lexical scope, we can't safely cache 
2934         that code because we won't be able to guarantee
2935         that the cached code is always executed in the same scope.
2936         Consider this example:
2937         function foo() {
2938             let x = 20;
2939             eval("x;");
2940             if (b) {
2941                 let x = 30;
2942                 if (b) {
2943                     let y = 40;
2944                     eval("x;")
2945                 }
2946             }
2947         }
2948
2949         We can't reuse resolution depth when linking get_from_scope in evals.
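
The scope-depth problem described above, as an added example that is not JavaScriptCore code: foo() runs the ChangeLog's snippet and reports what each direct eval sees, and resolveDepth() is a constructed model of the runtime scope chain (innermost scope first) showing that the depth linked at the first eval site is wrong at the second.

```javascript
// Added example, not JavaScriptCore code. It models why a direct-eval code
// cache keyed on source text alone breaks once lexical scopes exist: the
// resolution depth baked into get_from_scope differs per call site.

// Runs the ChangeLog's example and returns what each eval sees.
function foo(b) {
  const seen = [];
  let x = 20;
  seen.push(eval("x;"));        // resolves the outer x -> 20
  if (b) {
    let x = 30;                 // shadows the outer x
    if (b) {
      let y = 40;               // one more lexical scope between eval and x
      seen.push(eval("x;"));    // identical source text, different binding -> 30
      seen.push(eval("y;"));    // -> 40
    }
  }
  return seen;
}

// Toy model of a runtime scope chain: an array of Sets of declared names,
// innermost scope first (constructed for this example). Returns how many
// scopes must be skipped to reach `name`, or -1 if no scope declares it.
function resolveDepth(scopeChain, name) {
  for (let depth = 0; depth < scopeChain.length; depth++) {
    if (scopeChain[depth].has(name)) return depth;
  }
  return -1;
}

// Scope chains at the two eval("x;") sites in foo(true), innermost first:
// first site sees only the function scope; second site sits under two
// extra block scopes.
const chainAtFirstEval = [new Set(["x"])];
const chainAtSecondEval = [new Set(["y"]), new Set(["x"]), new Set(["x"])];

// What a cache hit would do: reuse the depth computed at the first site
// when executing the same source text at the second site.
function reuseCachedDepth() {
  const cachedDepth = resolveDepth(chainAtFirstEval, "x");     // 0
  const correctDepth = resolveDepth(chainAtSecondEval, "x");   // 1
  // Looking for x at the cached depth in the second chain finds nothing:
  // that scope only declares y.
  const hitAtCachedDepth = chainAtSecondEval[cachedDepth].has("x");
  return { cachedDepth, correctDepth, hitAtCachedDepth };
}
```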
2950
2951         * bytecode/UnlinkedCodeBlock.cpp:
2952         (JSC::generateFunctionCodeBlock):
2953         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2954         (JSC::UnlinkedFunctionExecutable::parameterCount):
2955         * bytecode/UnlinkedCodeBlock.h:
2956         Unlinked functions now know the variables that were under TDZ in their parent
2957         scope.
2958
2959         (JSC::UnlinkedCodeBlock::symbolTable):
2960         (JSC::UnlinkedCodeBlock::setSymbolTable):
2961         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
2962         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
2963         (JSC::UnlinkedCodeBlock::vm):
2964         * bytecompiler/BytecodeGenerator.cpp:
2965         (JSC::BytecodeGenerator::generate):
2966         (JSC::BytecodeGenerator::BytecodeGenerator):
2967         (JSC::BytecodeGenerator::~BytecodeGenerator):
2968         (JSC::BytecodeGenerator::newRegister):
2969         (JSC::BytecodeGenerator::reclaimFreeRegisters):
2970         (JSC::BytecodeGenerator::newBlockScopeVariable):
2971         (JSC::BytecodeGenerator::newTemporary):
2972         (JSC::BytecodeGenerator::emitProfileType):
2973         (JSC::BytecodeGenerator::emitLoadGlobalObject):
2974         (JSC::BytecodeGenerator::pushLexicalScope):
2975         (JSC::BytecodeGenerator::popLexicalScope):
2976         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
2977         (JSC::BytecodeGenerator::variable):
2978         (JSC::BytecodeGenerator::variablePerSymbolTable):
2979         (JSC::BytecodeGenerator::variableForLocalEntry):
2980         (JSC::BytecodeGenerator::createVariable):
2981         (JSC::BytecodeGenerator::emitResolveScope):
2982         (JSC::BytecodeGenerator::emitGetFromScope):
2983         (JSC::BytecodeGenerator::emitPutToScope):
2984         (JSC::BytecodeGenerator::initializeVariable):
2985         (JSC::BytecodeGenerator::emitTDZCheck):
2986         (JSC::BytecodeGenerator::needsTDZCheck):
2987         (JSC::BytecodeGenerator::emitTDZCheckIfNecessary):
2988         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
2989         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
2990         (JSC::BytecodeGenerator::emitNewObject):
2991         (JSC::BytecodeGenerator::emitPushWithScope):
2992         (JSC::BytecodeGenerator::emitGetParentScope):
2993         (JSC::BytecodeGenerator::emitPopScope):
2994         (JSC::BytecodeGenerator::emitDebugHook):
2995         (JSC::BytecodeGenerator::pushFinallyContext):
2996         (JSC::BytecodeGenerator::pushIteratorCloseContext):
2997         (JSC::BytecodeGenerator::emitComplexPopScopes):
2998         (JSC::BytecodeGenerator::emitPopScopes):
2999         (JSC::BytecodeGenerator::popTryAndEmitCatch):
3000         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
3001         (JSC::BytecodeGenerator::currentScopeDepth):
3002         (JSC::BytecodeGenerator::emitThrowReferenceError):
3003         (JSC::BytecodeGenerator::emitPushCatchScope):
3004         (JSC::BytecodeGenerator::beginSwitch):
3005         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3006         (JSC::BytecodeGenerator::emitEnumeration):
3007         * bytecompiler/BytecodeGenerator.h:
3008         (JSC::Variable::Variable):
3009         (JSC::Variable::isResolved):
3010         (JSC::Variable::symbolTableConstantIndex):
3011         (JSC::Variable::ident):
3012         (JSC::BytecodeGenerator::ignoredResult):
3013         (JSC::BytecodeGenerator::tempDestination):
3014         (JSC::BytecodeGenerator::lastOpcodeID):
3015         (JSC::BytecodeGenerator::makeFunction):
3016         (JSC::BytecodeGenerator::symbolTable):
3017         (JSC::BytecodeGenerator::shouldOptimizeLocals): Deleted.
3018         (JSC::BytecodeGenerator::canOptimizeNonLocals): Deleted.
3019         The heart of the changes in this patch are in the bytecode generator.
3020         The bytecode generator now keeps a stack of tuples of 
3021         {symbol table, scope register, flag indicating catch or with scope, symbol table index in constant pool}
3022         that models the runtime scope stack. This symbol table stack is used
3023         in resolving local variables.
3024
3025         Also, the bytecode generator handles pushing and popping of lexical scopes. 
3026         This is relatively straightforward:
3027         Captured 'let' variables end up in the JSLexicalEnvironment scope and non-captured
3028         variables end up on the stack. Some trickiness is involved in generating
3029         code for 'for' loops that have captured variables (I'm talking about variables in the loop
3030         header, not the loop body). Each iteration of the for loop ends up with 
3031         its own JSLexicalEnvironment. Static code must be generated in such a way 
3032         to create this runtime behavior. This is done by emitting instructions to 
3033         push and pop a lexical scope at the end of each loop and copying values
3034         from the previous loop's scope into the new scope. This code must also
3035         ensure that each loop iteration's scope refers to the same underlying 
3036         SymbolTable so that no scope is accidentally mistaken as being a singleton scope.
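
The per-iteration environment behaviour the generator has to reproduce, as an added example in plain JavaScript (not WebKit code): each function returns what closures created inside a for loop observe, so the difference between one shared var binding and a fresh let binding per iteration, copied forward at the end of each iteration, is visible from script.

```javascript
// Added example, not WebKit code: observable consequences of the
// per-iteration lexical environment that `for (let ...)` requires, which
// the bytecode generator reproduces by pushing a fresh scope and copying
// the loop-header variables forward at the end of every iteration.

// One shared binding: every closure sees the final value.
function collectWithVar() {
  const fns = [];
  for (var i = 0; i < 3; i++) fns.push(() => i);
  return fns.map((f) => f()); // [3, 3, 3]
}

// One binding per iteration: each closure keeps its own i.
function collectWithLet() {
  const fns = [];
  for (let i = 0; i < 3; i++) fns.push(() => i);
  return fns.map((f) => f()); // [0, 1, 2]
}

// The next iteration starts from a copy of the previous one's binding, so a
// write made through a closure after the loop finished only touches that
// iteration's environment.
function writeThroughClosure() {
  const setters = [];
  const getters = [];
  for (let i = 0; i < 3; i++) {
    setters.push((v) => { i = v; });
    getters.push(() => i);
  }
  setters[0](100);                // mutates iteration 0's copy only
  return getters.map((g) => g()); // [100, 1, 2]
}

// A write made inside the body happens before the copy, so it is carried
// into the next iteration and the update expression runs on the new value.
function writeInsideBody() {
  const seen = [];
  for (let i = 0; i < 6; i++) {
    seen.push(i);
    if (i === 1) i += 2;
  }
  return seen; // [0, 1, 4, 5]
}
```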
3037
3038         When the debugger is enabled, all lexically defined variables will end up in the
3039         JSLexicalEnvironment.
3040
3041         * bytecompiler/NodesCodegen.cpp:
3042         (JSC::ResolveNode::emitBytecode):
3043         (JSC::FunctionCallResolveNode::emitBytecode):
3044         (JSC::PostfixNode::emitResolve):
3045         (JSC::DeleteResolveNode::emitBytecode):
3046         (JSC::TypeOfResolveNode::emitBytecode):
3047         (JSC::PrefixNode::emitResolve):
3048         (JSC::ReadModifyResolveNode::emitBytecode):
3049         (JSC::AssignResolveNode::emitBytecode):
3050         (JSC::BlockNode::emitBytecode):
3051         (JSC::ExprStatementNode::emitBytecode):
3052         (JSC::DeclarationStatement::emitBytecode):
3053         (JSC::EmptyVarExpression::emitBytecode):
3054         (JSC::EmptyLetExpression::emitBytecode):
3055         (JSC::ForNode::emitBytecode):
3056         (JSC::ForInNode::emitMultiLoopBytecode):
3057         (JSC::ForOfNode::emitBytecode):
3058         (JSC::SwitchNode::emitBytecode):
3059         (JSC::BindingNode::bindValue):
3060         (JSC::VarStatementNode::emitBytecode): Deleted.
3061         * debugger/DebuggerCallFrame.cpp:
3062         (JSC::DebuggerCallFrame::evaluate):
3063         * debugger/DebuggerScope.cpp:
3064         (JSC::DebuggerScope::getOwnPropertySlot):
3065         (JSC::DebuggerScope::put):
3066         * dfg/DFGByteCodeParser.cpp:
3067         (JSC::DFG::ByteCodeParser::parseBlock):
3068         * dfg/DFGCapabilities.cpp:
3069         (JSC::DFG::capabilityLevel):
3070         * dfg/DFGNode.h:
3071         (JSC::DFG::Node::castConstant):
3072         (JSC::DFG::Node::initializationValueForActivation):
3073         (JSC::DFG::Node::containsMovHint):
3074         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3075         CreateActivation nodes now have a second OpInfo that tracks the 
3076         initial value that needs to be placed in the activation. This initial value 
3077         is also used in allocation sinking to create proper bottom values for all 
3078         scope variables.
3079
3080         * dfg/DFGOperations.cpp:
3081         * dfg/DFGOperations.h:
3082         * dfg/DFGSpeculativeJIT.cpp:
3083         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3084         * dfg/DFGSpeculativeJIT.h:
3085         (JSC::DFG::SpeculativeJIT::callOperation):
3086         * ftl/FTLIntrinsicRepository.h:
3087         * ftl/FTLLowerDFGToLLVM.cpp:
3088         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
3089         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
3090         * ftl/FTLOperations.cpp:
3091         (JSC::FTL::operationMaterializeObjectInOSR):
3092         * interpreter/Interpreter.cpp:
3093         (JSC::Interpreter::execute):
3094         * jit/CCallHelpers.h:
3095         (JSC::CCallHelpers::setupArgumentsWithExecState):
3096         * jit/JIT.cpp:
3097         (JSC::JIT::privateCompileMainPass):
3098         * jit/JIT.h:
3099         * jit/JITInlines.h:
3100         (JSC::JIT::callOperation):
3101         * jit/JITOpcodes.cpp:
3102         (JSC::JIT::emit_op_push_with_scope):
3103         (JSC::JIT::compileOpStrictEq):
3104         (JSC::JIT::emit_op_catch):
3105         (JSC::JIT::emit_op_create_lexical_environment):
3106         (JSC::JIT::emit_op_get_parent_scope):
3107         (JSC::JIT::emit_op_switch_imm):
3108         (JSC::JIT::emit_op_enter):
3109         (JSC::JIT::emit_op_get_scope):
3110         (JSC::JIT::emit_op_pop_scope): Deleted.
3111         * jit/JITOpcodes32_64.cpp:
3112         (JSC::JIT::emit_op_push_with_scope):
3113         (JSC::JIT::emit_op_to_number):
3114         (JSC::JIT::emit_op_catch):
3115         (JSC::JIT::emit_op_create_lexical_environment):
3116         (JSC::JIT::emit_op_get_parent_scope):
3117         (JSC::JIT::emit_op_switch_imm):
3118         (JSC::JIT::emit_op_enter):
3119         (JSC::JIT::emit_op_get_scope):
3120         (JSC::JIT::emit_op_pop_scope): Deleted.
3121         * jit/JITOperations.cpp:
3122         (JSC::canAccessArgumentIndexQuickly):
3123         * jit/JITOperations.h:
3124         * llint/LLIntSlowPaths.cpp:
3125         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3126         * llint/LLIntSlowPaths.h:
3127         * llint/LowLevelInterpreter.asm:
3128         * llint/LowLevelInterpreter32_64.asm:
3129         * llint/LowLevelInterpreter64.asm:
3130         * parser/ASTBuilder.h:
3131         (JSC::ASTBuilder::createSourceElements):
3132         (JSC::ASTBuilder::funcDeclarations):
3133         (JSC::ASTBuilder::features):
3134         (JSC::ASTBuilder::numConstants):
3135         (JSC::ASTBuilder::createConditionalExpr):
3136         (JSC::ASTBuilder::createAssignResolve):
3137         (JSC::ASTBuilder::createClassDeclStatement):
3138         (JSC::ASTBuilder::createBlockStatement):
3139         (JSC::ASTBuilder::createIfStatement):
3140         (JSC::ASTBuilder::createForLoop):
3141         (JSC::ASTBuilder::createForInLoop):
3142         (JSC::ASTBuilder::createForOfLoop):
3143         (JSC::ASTBuilder::isBindingNode):
3144         (JSC::ASTBuilder::createEmptyStatement):
3145         (JSC::ASTBuilder::createDeclarationStatement):
3146         (JSC::ASTBuilder::createVarStatement):
3147         (JSC::ASTBuilder::createLetStatement):
3148         (JSC::ASTBuilder::createEmptyVarExpression):
3149         (JSC::ASTBuilder::createEmptyLetExpression):
3150         (JSC::ASTBuilder::createReturnStatement):
3151         (JSC::ASTBuilder::createTryStatement):
3152         (JSC::ASTBuilder::createSwitchStatement):
3153         (JSC::ASTBuilder::appendStatement):
3154         (JSC::ASTBuilder::createCommaExpr):
3155         (JSC::ASTBuilder::appendObjectPatternEntry):
3156         (JSC::ASTBuilder::createBindingLocation):
3157         (JSC::ASTBuilder::setEndOffset):
3158         (JSC::ASTBuilder::Scope::Scope):
3159         (JSC::ASTBuilder::makeAssignNode):
3160         (JSC::ASTBuilder::varDeclarations): Deleted.
3161         (JSC::ASTBuilder::addVar): Deleted.
3162         * parser/Keywords.table:
3163         * parser/NodeConstructors.h:
3164         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
3165         (JSC::AssignResolveNode::AssignResolveNode):
3166         (JSC::ExprStatementNode::ExprStatementNode):
3167         (JSC::DeclarationStatement::DeclarationStatement):
3168         (JSC::EmptyVarExpression::EmptyVarExpression):
3169         (JSC::EmptyLetExpression::EmptyLetExpression):
3170         (JSC::IfElseNode::IfElseNode):
3171         (JSC::WhileNode::WhileNode):
3172         (JSC::ForNode::ForNode):
3173         (JSC::CaseBlockNode::CaseBlockNode):
3174         (JSC::SwitchNode::SwitchNode):
3175         (JSC::ConstDeclNode::ConstDeclNode):
3176         (JSC::BlockNode::BlockNode):
3177         (JSC::EnumerationNode::EnumerationNode):
3178         (JSC::ForInNode::ForInNode):
3179         (JSC::ForOfNode::ForOfNode):
3180         (JSC::ObjectPatternNode::create):
3181         (JSC::BindingNode::create):
3182         (JSC::BindingNode::BindingNode):
3183         (JSC::VarStatementNode::VarStatementNode): Deleted.
3184         * parser/Nodes.cpp:
3185         (JSC::ScopeNode::ScopeNode):
3186         (JSC::ScopeNode::singleStatement):
3187         (JSC::ProgramNode::ProgramNode):
3188         (JSC::EvalNode::EvalNode):
3189         (JSC::FunctionNode::FunctionNode):
3190         (JSC::FunctionNode::finishParsing):
3191         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
3192         * parser/Nodes.h:
3193         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
3194         (JSC::VariableEnvironmentNode::lexicalVariables):
3195         (JSC::ScopeNode::usesThis):
3196         (JSC::ScopeNode::needsActivationForMoreThanVariables):
3197         (JSC::ScopeNode::needsActivation):
3198         (JSC::ScopeNode::hasCapturedVariables):
3199         (JSC::ScopeNode::captures):
3200         (JSC::ScopeNode::varDeclarations):
3201         (JSC::ScopeNode::functionStack):
3202         (JSC::ScopeNode::neededConstants):
3203         (JSC::ProgramNode::startColumn):
3204         (JSC::ProgramNode::endColumn):
3205         (JSC::EvalNode::startColumn):
3206         (JSC::EvalNode::endColumn):
3207         (JSC::BindingNode::boundProperty):
3208         (JSC::BindingNode::divotStart):
3209         (JSC::BindingNode::divotEnd):
3210         (JSC::ScopeNode::capturedVariableCount): Deleted.
3211         (JSC::ScopeNode::capturedVariables): Deleted.
3212         (JSC::ScopeNode::varStack): Deleted.
3213         There is a new class called 'VariableEnvironmentNode' that has the
3214         necessary fields to model a lexical scope. Multiple AST nodes now 
3215         also inherit from VariableEnvironmentNode.
3216
3217         * parser/Parser.cpp:
3218         (JSC::Parser<LexerType>::parseInner):
3219         (JSC::Parser<LexerType>::didFinishParsing):
3220         (JSC::Parser<LexerType>::parseStatementListItem):
3221         (JSC::Parser<LexerType>::parseVariableDeclaration):
3222         (JSC::Parser<LexerType>::parseWhileStatement):
3223         (JSC::Parser<LexerType>::parseVariableDeclarationList):
3224         (JSC::Parser<LexerType>::createBindingPattern):
3225         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
3226         (JSC::Parser<LexerType>::parseDestructuringPattern):
3227         (JSC::Parser<LexerType>::parseConstDeclarationList):
3228         (JSC::Parser<LexerType>::parseForStatement):
3229         (JSC::Parser<LexerType>::parseBreakStatement):
3230         (JSC::Parser<LexerType>::parseContinueStatement):
3231         (JSC::Parser<LexerType>::parseSwitchStatement):
3232         (JSC::Parser<LexerType>::parseTryStatement):
3233         (JSC::Parser<LexerType>::parseBlockStatement):
3234         (JSC::Parser<LexerType>::parseStatement):
3235         (JSC::Parser<LexerType>::parseFunctionInfo):
3236         (JSC::Parser<LexerType>::parseClassDeclaration):
3237         (JSC::Parser<LexerType>::parseClass):
3238         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
3239         (JSC::Parser<LexerType>::parseAssignmentExpression):
3240         (JSC::Parser<LexerType>::parseGetterSetter):
3241         (JSC::Parser<LexerType>::parsePrimaryExpression):
3242         (JSC::Parser<LexerType>::parseVarDeclaration): Deleted.
3243         (JSC::Parser<LexerType>::parseVarDeclarationList): Deleted.
3244         * parser/Parser.h:
3245         (JSC::Scope::Scope):
3246         (JSC::Scope::setIsFunction):
3247         (JSC::Scope::isFunction):
3248         (JSC::Scope::isFunctionBoundary):
3249         (JSC::Scope::setIsLexicalScope):
3250         (JSC::Scope::isLexicalScope):
3251         (JSC::Scope::declaredVariables):
3252         (JSC::Scope::finalizeLexicalEnvironment):
3253         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
3254         (JSC::Scope::declareCallee):
3255         (JSC::Scope::declareVariable):
3256         (JSC::Scope::declareLexicalVariable):
3257         (JSC::Scope::hasDeclaredVariable):
3258         (JSC::Scope::hasLexicallyDeclaredVariable):
3259         (JSC::Scope::hasDeclaredParameter):
3260         (JSC::Scope::declareWrite):
3261         (JSC::Scope::preventAllVariableDeclarations):
3262         (JSC::Scope::preventVarDeclarations):
3263         (JSC::Scope::allowsVarDeclarations):
3264         (JSC::Scope::allowsLexicalDeclarations):
3265         (JSC::Scope::declareParameter):
3266         (JSC::Scope::declareBoundParameter):
3267         (JSC::Scope::useVariable):
3268         (JSC::Scope::setNeedsFullActivation):
3269         (JSC::Scope::needsFullActivation):
3270         (JSC::Scope::hasDirectSuper):
3271         (JSC::Scope::setNeedsSuperBinding):
3272         (JSC::Scope::collectFreeVariables):
3273         (JSC::Scope::getCapturedVars):
3274         (JSC::Scope::copyCapturedVariablesToVector):
3275         (JSC::Parser::AutoCleanupLexicalScope::AutoCleanupLexicalScope):
3276         (JSC::Parser::AutoCleanupLexicalScope::~AutoCleanupLexicalScope):
3277         (JSC::Parser::AutoCleanupLexicalScope::setIsValid):
3278         (JSC::Parser::AutoCleanupLexicalScope::isValid):
3279         (JSC::Parser::AutoCleanupLexicalScope::setPopped):
3280         (JSC::Parser::AutoCleanupLexicalScope::scope):
3281         (JSC::Parser::currentScope):
3282         (JSC::Parser::pushScope):
3283         (JSC::Parser::popScopeInternal):
3284         (JSC::Parser::popScope):
3285         (JSC::Parser::declareVariable):
3286         (JSC::Parser::hasDeclaredVariable):
3287         (JSC::Parser::hasDeclaredParameter):
3288         (JSC::Parser::declareWrite):
3289         (JSC::Parser::findCachedFunctionInfo):
3290         (JSC::Parser::isFunctionBodyNode):
3291         (JSC::Parser::continueIsValid):
3292         (JSC::Parser::pushLabel):
3293         (JSC::Parser::popLabel):
3294         (JSC::Parser::getLabel):
3295         (JSC::Parser::isLETMaskedAsIDENT):
3296         (JSC::Parser<LexerType>::parse):
3297         (JSC::Scope::preventNewDecls): Deleted.
3298         (JSC::Scope::allowsNewDecls): Deleted.
3299         (JSC::Scope::getCapturedVariables): Deleted.
3300         There are basic parser changes that now allow for the 'let'
3301         keyword. The trickiest change is how we will still treat 'let'
3302         as an identifier for sloppy-mode code sometimes. For example,
3303         "var let = ..." is allowed but "let let" or "const let" is not.
3304
3305         The most significant change to the parser made for this patch
3306         is appropriating the Scope struct to also model a lexical
3307         scope. Changes were made in how we track captured variables to
3308         account for this. In general, I think some of this code could
3309         benefit from a slight refactoring to make things cleaner.
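        The parsing rules and TDZ behaviour described above, as an added
        example that is not part of this change or of the JavaScriptCore
        sources. It probes the engine from script: `new Function` is used
        only as a parser (the body is never run), so the SyntaxError cases
        are observable, and the TDZ probes read a binding before and after
        its declaration is evaluated. It assumes any ES6-conformant engine
        (the jsc shell, or Node for the assertions); the helper names are
        this example's own.

```javascript
// Added example, not JavaScriptCore code: exercise the 'let' rules the
// patch implements from plain JavaScript.

// Parse `source` as sloppy-mode or strict-mode program text and report
// whether the parser accepted it. `new Function` compiles without
// executing, so only early (parse-time) errors can surface here.
function parses(source, strict = false) {
  const body = (strict ? '"use strict";\n' : "") + source;
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in the probe, not a parse result
  }
}

// The identifier-vs-keyword matrix for 'let'.
function letAsIdentifierMatrix() {
  return {
    // sloppy mode: 'let' remains a legal identifier in a var declaration
    sloppyVarLet: parses("var let = 1;"),            // true
    // ...but never as the name bound by a lexical declaration
    sloppyLetLet: parses("let let = 1;"),            // false
    sloppyConstLet: parses("const let = 1;"),        // false
    // strict mode: 'let' is a reserved word, so even "var let" is rejected
    strictVarLet: parses("var let = 1;", true),      // false
    // two lexical declarations of one name in one scope are an early error
    dupLet: parses("{ let x = 1; let x = 2; }"),     // false
    // shadowing an outer var from an inner block is fine
    shadowOuterVar: parses("var x; { let x; }"),     // true
  };
}

// TDZ: a 'let' binding exists from the top of its scope but is
// uninitialised until its declaration executes, so reading it early throws
// a ReferenceError where a hoisted 'var' would silently yield undefined.
function tdzProbe() {
  const results = {};
  try {
    results.varBeforeDecl = (function () { const v = a; var a = 1; return v; })();
  } catch (e) {
    results.varBeforeDecl = e.constructor.name;
  }
  try {
    results.letBeforeDecl = (function () { const v = b; let b = 1; return v; })();
  } catch (e) {
    results.letBeforeDecl = e.constructor.name; // "ReferenceError"
  }
  // A closure created inside the TDZ but called after the declaration
  // observes the initialised value: the check happens at read time.
  results.closureAfterDecl = (function () {
    const read = () => c;
    let c = 42;
    return read();
  })();
  return results;
}

console.log(letAsIdentifierMatrix(), tdzProbe());
```

        The `shadowOuterVar` row is the case the Scope-as-lexical-scope
        change has to keep working: the block's lexical environment holds
        its own `x` while the function scope keeps the `var`.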
3310
3311         * parser/ParserTokens.h:
3312         * parser/SyntaxChecker.h:
3313         (JSC::SyntaxChecker::createNewExpr):
3314         (JSC::SyntaxChecker::createConditionalExpr):
3315         (JSC::SyntaxChecker::createAssignResolve):
3316         (JSC::SyntaxChecker::createEmptyVarExpression):
3317         (JSC::SyntaxChecker::createEmptyLetExpression):
3318         (JSC::SyntaxChecker::createClassExpr):
3319         (JSC::SyntaxChecker::createClassDeclStatement):
3320         (JSC::SyntaxChecker::createBlockStatement):
3321         (JSC::SyntaxChecker::createExprStatement):
3322         (JSC::SyntaxChecker::createIfStatement):
3323         (JSC::SyntaxChecker::createForLoop):
3324         (JSC::SyntaxChecker::createForInLoop):
3325         (JSC::SyntaxChecker::createForOfLoop):
3326         (JSC::SyntaxChecker::createEmptyStatement):
3327         (JSC::SyntaxChecker::createVarStatement):
3328         (JSC::SyntaxChecker::createLetStatement):
3329         (JSC::SyntaxChecker::createReturnStatement):
3330         (JSC::SyntaxChecker::createBreakStatement):
3331         (JSC::SyntaxChecker::createContinueStatement):
3332         (JSC::SyntaxChecker::createTryStatement):
3333         (JSC::SyntaxChecker::createSwitchStatement):
3334         (JSC::SyntaxChecker::createWhileStatement):
3335         (JSC::SyntaxChecker::createWithStatement):
3336         (JSC::SyntaxChecker::createDoWhileStatement):
3337         (JSC::SyntaxChecker::createGetterOrSetterProperty):
3338         (JSC::SyntaxChecker::appendStatement):
3339         (JSC::SyntaxChecker::combineCommaNodes):
3340         (JSC::SyntaxChecker::evalCount):
3341         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
3342         (JSC::SyntaxChecker::operatorStackPop):
3343         (JSC::SyntaxChecker::addVar): Deleted.
3344         * parser/VariableEnvironment.cpp: Added.
3345         (JSC::VariableEnvironment::markVariableAsCapturedIfDefined):
3346         (JSC::VariableEnvironment::markVariableAsCaptured):
3347         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
3348         (JSC::VariableEnvironment::hasCapturedVariables):
3349         (JSC::VariableEnvironment::captures):
3350         (JSC::VariableEnvironment::swap):
3351         * parser/VariableEnvironment.h: Added.
3352         (JSC::VariableEnvironmentEntry::isCaptured):
3353         (JSC::VariableEnvironmentEntry::isConstant):
3354         (JSC::VariableEnvironmentEntry::isVar):
3355         (JSC::VariableEnvironmentEntry::isLet):
3356         (JSC::VariableEnvironmentEntry::setIsCaptured):
3357         (JSC::VariableEnvironmentEntry::setIsConstant):
3358         (JSC::VariableEnvironmentEntry::setIsVar):
3359         (JSC::VariableEnvironmentEntry::setIsLet):
3360         (JSC::VariableEnvironmentEntry::clearIsVar):
3361         (JSC::VariableEnvironment::begin):
3362         (JSC::VariableEnvironment::end):
3363         (JSC::VariableEnvironment::add):
3364         (JSC::VariableEnvironment::size):
3365         (JSC::VariableEnvironment::contains):
3366         (JSC::VariableEnvironment::remove):
3367         VariableEnvironment is a new class that keeps track
3368         of the static environment in the parser and the bytecode generator.
3369         VariableEnvironment behaves like SymbolTable but for the bytecode generator.
3370         It keeps track of variable types, i.e., whether a variable is a "var", "let" or "const",
3371         and whether or not it's captured.
3372
3373         * runtime/CodeCache.cpp:
3374         (JSC::CodeCache::getGlobalCodeBlock):
3375         (JSC::CodeCache::getProgramCodeBlock):
3376         (JSC::CodeCache::getEvalCodeBlock):
3377         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3378         * runtime/CodeCache.h:
3379         (JSC::CodeCache::clear):
3380         * runtime/CommonSlowPaths.cpp:
3381         (JSC::SLOW_PATH_DECL):
3382         * runtime/CommonSlowPaths.h:
3383         * runtime/ExceptionHelpers.cpp:
3384         (JSC::createErrorForInvalidGlobalAssignment):
3385         (JSC::createTDZError):
3386         (JSC::throwOutOfMemoryError):
3387         * runtime/ExceptionHelpers.h:
3388         * runtime/Executable.cpp:
3389         (JSC::EvalExecutable::create):
3390         (JSC::ProgramExecutable::initializeGlobalProperties):
3391         * runtime/Executable.h:
3392         * runtime/JSCJSValue.h:
3393         (JSC::jsUndefined):
3394         (JSC::jsTDZValue):
3395         (JSC::jsBoolean):
3396         * runtime/JSEnvironmentRecord.h:
3397         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
3398         (JSC::JSEnvironmentRecord::finishCreation):
3399         * runtime/JSGlobalObject.cpp:
3400         (JSC::JSGlobalObject::createProgramCodeBlock):
3401         (JSC::JSGlobalObject::createEvalCodeBlock):
3402         * runtime/JSGlobalObject.h:
3403         (JSC::JSGlobalObject::weakRandomInteger):
3404         * runtime/JSGlobalObjectFunctions.cpp:
3405         (JSC::globalFuncEval):
3406         * runtime/JSLexicalEnvironment.cpp:
3407         (JSC::JSLexicalEnvironment::symbolTableGet):
3408         * runtime/JSLexicalEnvironment.h:
3409         (JSC::JSLexicalEnvironment::create):
3410         * runtime/JSScope.cpp:
3411         (JSC::JSScope::resolve):
3412         (JSC::JSScope::abstractResolve):
3413         (JSC::JSScope::collectVariablesUnderTDZ):
3414         (JSC::JSScope::isLexicalScope):