JSC virtual call thunk shouldn't do a structure->classInfo lookup
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-04-21  Filip Pizlo  <fpizlo@apple.com>

        JSC virtual call thunk shouldn't do a structure->classInfo lookup
        https://bugs.webkit.org/show_bug.cgi?id=156874

        Reviewed by Keith Miller.

        This lookup was unnecessary because we can just test the inlined type field.

        But also, this meant that we were exempting JSBoundFunction from the virtual call optimization.
        That's pretty bad.

        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):

2016-04-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: sourceMappingURL not loaded in generated script
        https://bugs.webkit.org/show_bug.cgi?id=156022
        <rdar://problem/25438595>

        Reviewed by Geoffrey Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        Synthetic CallFrames for native code will not have script identifiers.

        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::ScriptCallFrame):
        (Inspector::ScriptCallFrame::isEqual):
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/protocol/Console.json:
        Include the script identifier in ScriptCallFrame so we can correlate this
        to the exact script, even if there isn't a URL. The Script may have a
        sourceURL, so the Web Inspector frontend may decide to show / link to it.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::CreateScriptCallStackFunctor::operator()):
        (Inspector::createScriptCallStackFromException):
        Include SourceID when we have it.

        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::sourceID):
        * interpreter/StackVisitor.h:
        Access the SourceID when we have it.

2016-04-21  Saam barati  <sbarati@apple.com>

        Let's do less locking of symbol tables in the BytecodeGenerator where we don't have race conditions
        https://bugs.webkit.org/show_bug.cgi?id=156821

        Reviewed by Filip Pizlo.

        The BytecodeGenerator allocates all the SymbolTables that it uses.
        This is before any concurrent compiler thread can use that SymbolTable.
        This means we don't actually need to lock for any operations of the
        SymbolTable. This patch makes this change by removing all locking.
        To do this, I've introduced a new constructor for ConcurrentJITLocker
        which implies no locking is necessary. You instantiate such a ConcurrentJITLocker like so:
        `ConcurrentJITLocker locker(ConcurrentJITLocker::NoLockingNecessary);`

        This patch also removes all uses of Strong<SymbolTable> from the bytecode
        generator and instead wraps bytecode generation in a DeferGC.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::instantiateLexicalVariables):
        (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::constructorKind):
        (JSC::BytecodeGenerator::superBinding):
        (JSC::BytecodeGenerator::generate):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):

2016-04-21  Saam barati  <sbarati@apple.com>

        Remove some unnecessary RefPtrs in the parser
        https://bugs.webkit.org/show_bug.cgi?id=156865

        Reviewed by Filip Pizlo.

        The IdentifierArena or the SourceProviderCacheItem will own these UniquedStringImpls
        while we are using them. There is no need for us to reference count them.

        This might be a 0.5% speedup on octane code-load.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::Scope::setIsLexicalScope):
        (JSC::Scope::isLexicalScope):
        (JSC::Scope::closedVariableCandidates):
        (JSC::Scope::declaredVariables):
        (JSC::Scope::lexicalVariables):
        (JSC::Scope::finalizeLexicalEnvironment):
        (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::isValidStrictMode):
        (JSC::Scope::shadowsArguments):
        (JSC::Scope::copyCapturedVariablesToVector):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::usedVariables):
        (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::create):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::writtenVariables): Deleted.

2016-04-21  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess adds sizeof(CallerFrameAndPC) rather than subtracting it when calculating stack height
        https://bugs.webkit.org/show_bug.cgi?id=156872

        Reviewed by Geoffrey Garen.

        The code that added sizeof(CallerFrameAndPC) emerged from a bad copy-paste in r189586. That was
        the revision that created the PolymorphicAccess class. It moved code for generating a
        getter/setter call from Repatch.cpp to PolymorphicAccess.cpp. You can see the code doing a
        subtraction here:

            http://trac.webkit.org/changeset/189586/trunk/Source/JavaScriptCore/jit/Repatch.cpp

        This makes the world right again.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):

2016-04-21  Geoffrey Garen  <ggaren@apple.com>

        Build warning: CODE_SIGN_ENTITLEMENTS specified without specifying CODE_SIGN_IDENTITY
        https://bugs.webkit.org/show_bug.cgi?id=156862

        Reviewed by Joseph Pecoraro.

        * Configurations/Base.xcconfig: Specify the ad hoc signing identity by
        default. See <http://trac.webkit.org/changeset/143544>.

2016-04-21  Andy Estes  <aestes@apple.com>

        REGRESSION (r199734): WebKit crashes loading numerous websites in iOS Simulator
        https://bugs.webkit.org/show_bug.cgi?id=156842

        Reviewed by Daniel Bates.

        Disable separated heap on iOS Simulator.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-21  Michael Saboff  <msaboff@apple.com>

        Align RegExp[@@match] with other @@ methods
        https://bugs.webkit.org/show_bug.cgi?id=156832

        Reviewed by Mark Lam.

        Various changes to align the RegExp[@@match] with [@@search] and [@@split].

        Made RegExp.prototype.@exec a hidden property on the global object and
        called it @regExpBuiltinExec to match the name it has in the standard.
        Changed all places that used the old name to use the new one.

        Made the match fast path function, which used to be called @match, to be called
        @regExpMatchFast and put it on the global object.  Changed it to also handle
        expressions both with and without the global flag.  Refactored the builtin
        @match accordingly.

        Added the builtin function @hasObservableSideEffectsForRegExpMatch() that
        checks to see if we can use the fast path or if we need the explicit version.

        Put the main RegExp functions @match, @search and @split in alphabetical
        order in RegExpPrototype.js.  Did the same for @match, @repeat, @search and
        @split in StringPrototype.js.

        * builtins/RegExpPrototype.js:
        (regExpExec):
        (hasObservableSideEffectsForRegExpMatch): New.
        (match):
        (search):
        (hasObservableSideEffectsForRegExpSplit):
        Reordered in the file and updated to use @regExpBuiltinExec.

        * builtins/StringPrototype.js:
        (match):
        (repeatSlowPath):
        (repeat):
        (search):
        (split):
        Reordered functions in the file.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setGlobalThis):
        (JSC::getById):
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncMatchPrivate): Deleted.
        * runtime/RegExpPrototype.h:

2016-04-20  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore garbage collection is missing an autorelease pool
        https://bugs.webkit.org/show_bug.cgi?id=156751
        <rdar://problem/25787802>

        Reviewed by Mark Lam.

        * heap/Heap.cpp:
        (JSC::Heap::releaseDelayedReleasedObjects): Add an autorelease pool to
        catch autoreleases when we call out to arbitrary ObjC code.

        We use the C interface here because this is not an ObjC compilation unit.

2016-04-20  Filip Pizlo  <fpizlo@apple.com>

        DFG del_by_id support forgets to set()
        https://bugs.webkit.org/show_bug.cgi?id=156830

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/dfg-del-by-id.js: Added.

2016-04-20  Saam barati  <sbarati@apple.com>

        Improve sampling profiler CLI JSC tool
        https://bugs.webkit.org/show_bug.cgi?id=156824

        Reviewed by Mark Lam.

        This patch enhances the Sampling Profiler CLI tool from the JSC shell
        to display the JITType of a particular CodeBlock. Because this happens
        once we process a log of stack frames, the data for a particular frame
        being in LLInt vs. Baseline could be wrong. For example, we may have taken
        a stack trace of a CodeBlock while it was executing in the LLInt, then
        it tiers up to the baseline, then we process the log. We will show such CodeBlocks
        as being in the baseline JIT. We could be smarter about this in the future if
        it turns out to truly be a problem.

        This patch also adds a 'samplingProfilerTimingInterval' JSC option to allow
        CLI users to control the sleep time between stack traces.

        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):

2016-04-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] DFG should not generate two jumps when the target of DoubleBranch is the next block
        https://bugs.webkit.org/show_bug.cgi?id=156815

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):

2016-04-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG
        https://bugs.webkit.org/show_bug.cgi?id=155164

        Reviewed by Mark Lam.

        Every "inc" in a loop was looking like this:
            move rX, rY
            inc rY
            jo 0x230f4a200580

        This patch adds register reuse to that case to remove
        the extra "move".

        * dfg/DFGOSRExit.h:
        (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
        (JSC::DFG::SpeculationRecovery::immediate):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        * tests/stress/arith-add-with-constant-overflow.js: Added.
        (opaqueAdd):

2016-04-20  Saam barati  <sbarati@apple.com>

        We don't need a manual stack for an RAII object when the machine's stack will do just fine
        https://bugs.webkit.org/show_bug.cgi?id=156807

        Reviewed by Mark Lam.

        We kept around a vector for an RAII object to maintain
        the recursive nature of having these RAII objects on
        the stack as the parser recursed. Instead, the RAII object
        can just have a field with the value it wants to restore
        and use the machine's stack.

        This is a 1% octane code-load progression.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::BinaryExprContext::BinaryExprContext):
        (JSC::SyntaxChecker::BinaryExprContext::~BinaryExprContext):
        (JSC::SyntaxChecker::UnaryExprContext::UnaryExprContext):
        (JSC::SyntaxChecker::UnaryExprContext::~UnaryExprContext):
        (JSC::SyntaxChecker::operatorStackPop):

2016-04-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r190289): Spin trying to view/sign in to hbogo.com
        https://bugs.webkit.org/show_bug.cgi?id=156765

        Reviewed by Saam Barati.

        In the op_get_by_val case, we were holding the lock on a profiled CodeBlock
        when we call into handleGetById(). Changed to drop the lock before calling
        handleGetById().

        The bug here was that the call to handleGetById() may end up calling in to
        getPredictionWithoutOSRExit() for a tail call opcode. As part of that
        processing, we walk back up the stack to find the effective caller and when
        found, we lock the corresponding CodeBlock to get the prediction.
        That CodeBlock may be the same one locked above. There is no need anyway
        to hold the CodeBlock lock when calling handleGetById().

        Added a new stress test.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/regress-156765.js: Added.
        (realValue):
        (object.get hello):
        (ok):

2016-04-20  Mark Lam  <mark.lam@apple.com>

        Unindent an unnecessary block in stringProtoFuncSplitFast().
        https://bugs.webkit.org/show_bug.cgi?id=156802

        Reviewed by Filip Pizlo.

        In webkit.org/b/156013, I refactored stringProtoFuncSplit into
        stringProtoFuncSplitFast.  In that patch, I left an unnecessary block of code in
        its original block (with FIXMEs) to keep the diff for that patch minimal.  Now
        that the patch for webkit.org/b/156013 has landed, I will unindent that block and
        remove the FIXMEs.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplitFast):

2016-04-20  Brady Eidson  <beidson@apple.com>

        Modern IDB (Workers): Enable INDEXED_DATABASE_IN_WORKERS compile time flag, but disabled in RuntimeEnabledFeatures.
        https://bugs.webkit.org/show_bug.cgi?id=156782

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2016-04-20  Saam barati  <sbarati@apple.com>

        Remove unused m_writtenVariables from the parser and related bits
        https://bugs.webkit.org/show_bug.cgi?id=156784

        Reviewed by Yusuke Suzuki.

        This isn't an octane/codeload speedup even though we're doing less work in
        collectFreeVariables. But it's good to get rid of things that are not used.

        * parser/Nodes.h:
        (JSC::ScopeNode::usesEval):
        (JSC::ScopeNode::usesArguments):
        (JSC::ScopeNode::usesArrowFunction):
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::modifiesParameter): Deleted.
        (JSC::ScopeNode::modifiesArguments): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Scope::preventAllVariableDeclarations):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::getSloppyModeHoistedFunctions):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::strictMode):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Parser::hasDeclaredParameter):
        (JSC::Parser::exportName):
        (JSC::Scope::declareWrite): Deleted.
        (JSC::Parser::declareWrite): Deleted.
        * parser/ParserModes.h:

2016-04-19  Saam barati  <sbarati@apple.com>

        Unreviewed, fix cloop build after r199754.

        * jsc.cpp:
        (jscmain):

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Filip Pizlo.

        Given that there are only 128 FLS indices compared to over 1000 for TLS,
        I eliminated the thread specific m_threadSpecificForThread and instead we look
        for the current thread in m_registeredThreads list when we need it.
        In most cases there will only be one thread.

        Added THREAD_SPECIFIC_CALL to signature of ThreadSpecific remove callbacks
        to set the calling convention correctly for Windows 32 bit.

        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Benjamin Poulain  <bpoulain@webkit.org>

        [JSC] Small cleanup of RegisterAtOffsetList
        https://bugs.webkit.org/show_bug.cgi?id=156779

        Reviewed by Mark Lam.

        I was wondering why RegisterAtOffsetList always cache-misses.
        It looks like it is doing more than it needs to.

        We do not need to sort the values. The total order of
        RegisterAtOffset is:
        1) Order of Reg.
        2) Order of offsets.
        We already generate the list in order.

        Also allocate the right array size ahead of filling the array.

        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        (JSC::RegisterAtOffsetList::sort): Deleted.
        * jit/RegisterAtOffsetList.h:
        (JSC::RegisterAtOffsetList::append): Deleted.

2016-04-19  Saam barati  <sbarati@apple.com>

        Add a couple UNLIKELY macros in parseMemberExpression
        https://bugs.webkit.org/show_bug.cgi?id=156775

        Reviewed by Filip Pizlo.

        These UNLIKELY macros have to do with the base of the
        member expression being 'super'. I think it's safe to
        argue that this is truly UNLIKELY. I am seeing speedups
        sometimes on Octane codeload. Usually around 0.5%. Sometimes 1%.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2016-04-19  Saam barati  <sbarati@apple.com>

        allow jsc shell to dump sampling profiler data
        https://bugs.webkit.org/show_bug.cgi?id=156725

        Reviewed by Benjamin Poulain.

        This patch adds a '--reportSamplingProfilerData' option to the
        JSC shell which will enable the sampling profiler and dump
        its data at the end of execution. The dump will include the
        40 hottest functions and the 80 hottest bytecode locations.
        If you're using this option to debug, it's easy to just hack
        on the code to make it dump more or less information.

        * jsc.cpp:
        (CommandLine::parseArguments):
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
        (JSC::SamplingProfiler::StackFrame::hasBytecodeIndex):
        (JSC::SamplingProfiler::StackFrame::hasCodeBlockHash):
        (JSC::SamplingProfiler::setStopWatch):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement RegExp.prototype[@@search].
        https://bugs.webkit.org/show_bug.cgi?id=156331

        Reviewed by Keith Miller.

        What changed?
        1. Implemented search builtin in RegExpPrototype.js.
           The native path is now used as a fast path.
        2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
           IsJSArrayIntrinsic).
        3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
        4. Changed the esSpecIsRegExpObject() implementation to check if the object's
           JSType is RegExpObjectType instead of walking the classinfo chain.

        * builtins/RegExpPrototype.js:
        (search):
        * builtins/StringPrototype.js:
        (search):
        - fixed some indentation.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
        (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
        (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::isType):
        * runtime/Intrinsic.h:
        - Added IsRegExpObjectIntrinsic.

        * runtime/CommonIdentifiers.h:

        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        - Changed to use uncheckedArgument since this is only called from internal code.
        (JSC::esSpecIsRegExpObject):
        (JSC::esSpecIsRegExp): Deleted.
        * runtime/ECMAScriptSpecInternalFunctions.h:
        - Changed to check the object for a JSType of RegExpObjectType.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Added split fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::regExpProtoFuncSearch): Deleted.
        * runtime/RegExpPrototype.h:

        * tests/es6.yaml:
        * tests/stress/regexp-search.js:
        - Rebased test.

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Replace $vm.printValue() with $vm.value().
        https://bugs.webkit.org/show_bug.cgi?id=156767

        Reviewed by Saam Barati.

        When debugging with $vm, this change allows us to do this:

            $vm.print("myObj = " + $vm.value(myObj) + "\n");

        ... instead of having to do this:

            $vm.print("myObj = ");
            $vm.printValue(myObj);
            $vm.print("\n");

        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::printValue):
        (JSC::functionValue):
        (JSC::JSDollarVMPrototype::finishCreation):
        (JSC::functionPrintValue): Deleted.

2016-04-18  Oliver Hunt  <oliver@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Reviewed by ggaren.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
        https://bugs.webkit.org/show_bug.cgi?id=156013

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/GlobalObject.js:
        (speciesConstructor):
        * builtins/PromisePrototype.js:
        - refactored to use the @speciesConstructor internal function.

        * builtins/RegExpPrototype.js:
        (advanceStringIndex):
        - refactored from @advanceStringIndexUnicode() to match the spec.
          Benchmarks show that there's no advantage in doing the unicode check outside
          of the advanceStringIndexUnicode part.  So, I simplified the code to match the
          spec (especially since @@split needs to call advanceStringIndex from more than
          1 location).
        (match):
        - Removed an unnecessary call to @Object because it was already proven above.
        - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
          Again, there's no perf regression for this.
        (regExpExec):
        (hasObservableSideEffectsForRegExpSplit):
        (split):
        (advanceStringIndexUnicode): Deleted.

        * builtins/StringPrototype.js:
        (split):
        - Modified to use RegExp.prototype[@@split].

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        - Added the @@split symbol.

        * runtime/CommonIdentifiers.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
        (JSC::esSpecIsConstructor):
        (JSC::esSpecIsRegExp):
        * runtime/ECMAScriptSpecInternalFunctions.h: Added.

        * runtime/JSGlobalObject.cpp:
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        - Removed an assert that is no longer valid.

        * runtime/RegExpObject.h:
        - Made advanceStringUnicode() public so that it can be re-used by the regexp split
          fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncSearch):
        (JSC::advanceStringIndex):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/RegExpPrototype.h:

        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        - Hoisted some utility functions from StringPrototype.cpp so that they can be
          reused by the regexp split fast path.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstr):
        (JSC::builtinStringSubstrInternal):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringIncludesImpl):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::jsStringWithReuse): Deleted.
        (JSC::jsSubstring): Deleted.
        (JSC::stringProtoFuncSplit): Deleted.
        * runtime/StringPrototype.h:

        * tests/es6.yaml:
734         * tests/es6.yaml:
735
736 2016-04-19  Commit Queue  <commit-queue@webkit.org>
737
738         Unreviewed, rolling out r199726.
739         https://bugs.webkit.org/show_bug.cgi?id=156748
740
741         WebKit tests crash on Windows 32 (Requested by msaboff on
742         #webkit).
743
744         Reverted changeset:
745
746         "iTunes crashing JavaScriptCore.dll"
747         https://bugs.webkit.org/show_bug.cgi?id=156647
748         http://trac.webkit.org/changeset/199726
749
750 2016-04-19  Michael Saboff  <msaboff@apple.com>
751
752         iTunes crashing JavaScriptCore.dll
753         https://bugs.webkit.org/show_bug.cgi?id=156647
754
755         Reviewed by Saam Barati.
756
757         Given that there are only 128 FLS indices compared to over 1000 for TLS, I
758         eliminated the thread specific m_threadSpecificForThread and instead we look for the
759         current thread in the m_registeredThreads list when we need it.  In most cases there
760         will only be one thread.
761
762         * heap/MachineStackMarker.cpp:
763         (JSC::MachineThreads::MachineThreads):
764         (JSC::MachineThreads::~MachineThreads):
765         (JSC::MachineThreads::addCurrentThread):
766         (JSC::MachineThreads::machineThreadForCurrentThread):
767         (JSC::MachineThreads::removeThread):
768         * heap/MachineStackMarker.h:
769
770 2016-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
771
772         [INTL] Use @thisNumberValue instead of `instanceof @Number`
773         https://bugs.webkit.org/show_bug.cgi?id=156680
774
775         Reviewed by Saam Barati.
776
777         Use @thisNumberValue instead of `instanceof @Number`.
778         `instanceof @Number` is not enough.
779         For example, given 2 realms, the object created in one realm does not
780         inherit the Number of another realm.
781         Another example is an object which does not inherit from Number:
782
783         ```
784         var number = new Number(42);
785         number.__proto__ = null;
786         ```
787
788         * builtins/NumberPrototype.js:
789         (toLocaleString):
790         * runtime/CommonIdentifiers.h:
791         * runtime/JSGlobalObject.cpp:
792         (JSC::JSGlobalObject::init):
793         * runtime/NumberPrototype.cpp:
794         (JSC::numberProtoFuncValueOf):
795         * runtime/NumberPrototype.h:
796         * tests/stress/number-to-locale-string-should-accept-strange-number-objects.js: Added.
797         (shouldBe):
798
799 2016-04-19  Commit Queue  <commit-queue@webkit.org>
800
801         Unreviewed, rolling out r199712.
802         https://bugs.webkit.org/show_bug.cgi?id=156741
803
804         It caused a serious regression on 32 bit platform (Requested
805         by gskachkov on #webkit).
806
807         Reverted changeset:
808
809         "calling super() a second time in a constructor should throw"
810         https://bugs.webkit.org/show_bug.cgi?id=151113
811         http://trac.webkit.org/changeset/199712
812
813 2016-04-09  Skachkov Oleksandr  <gskachkov@gmail.com>
814
815         calling super() a second time in a constructor should throw
816         https://bugs.webkit.org/show_bug.cgi?id=151113
817
818         Reviewed by Saam Barati and Keith Miller.
819
820         Currently, our implementation checks if 'super()' was called in a constructor more
821         than once and raises a RuntimeError before the second call. According to the spec
822         we need to raise an error just after the second super() is finished and before
823         the new 'this' is assigned (https://esdiscuss.org/topic/duplicate-super-call-behaviour).
824         To implement this behavior, this patch adds a new opcode, op_is_empty, that is used
825         to check if 'this' is empty.
826
827         * bytecode/BytecodeList.json:
828         * bytecode/BytecodeUseDef.h:
829         (JSC::computeUsesForBytecodeOffset):
830         (JSC::computeDefsForBytecodeOffset):
831         * bytecode/CodeBlock.cpp:
832         (JSC::CodeBlock::dumpBytecode):
833         * bytecompiler/BytecodeGenerator.cpp:
834         (JSC::BytecodeGenerator::emitIsEmpty):
835         * bytecompiler/BytecodeGenerator.h:
836         * bytecompiler/NodesCodegen.cpp:
837         (JSC::FunctionCallValueNode::emitBytecode):
838         * dfg/DFGAbstractInterpreterInlines.h:
839         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
840         * dfg/DFGByteCodeParser.cpp:
841         (JSC::DFG::ByteCodeParser::parseBlock):
842         * dfg/DFGCapabilities.cpp:
843         (JSC::DFG::capabilityLevel):
844         * dfg/DFGClobberize.h:
845         (JSC::DFG::clobberize):
846         * dfg/DFGDoesGC.cpp:
847         (JSC::DFG::doesGC):
848         * dfg/DFGFixupPhase.cpp:
849         (JSC::DFG::FixupPhase::fixupNode):
850         * dfg/DFGNodeType.h:
851         * dfg/DFGPredictionPropagationPhase.cpp:
852         (JSC::DFG::PredictionPropagationPhase::propagate):
853         * dfg/DFGSafeToExecute.h:
854         (JSC::DFG::safeToExecute):
855         * dfg/DFGSpeculativeJIT32_64.cpp:
856         (JSC::DFG::SpeculativeJIT::compile):
857         * dfg/DFGSpeculativeJIT64.cpp:
858         (JSC::DFG::SpeculativeJIT::compile):
859         * ftl/FTLCapabilities.cpp:
860         (JSC::FTL::canCompile):
861         * ftl/FTLLowerDFGToB3.cpp:
862         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
863         (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
864         * jit/JIT.cpp:
865         (JSC::JIT::privateCompileMainPass):
866         * jit/JIT.h:
867         * jit/JITOpcodes.cpp:
868         (JSC::JIT::emit_op_is_empty):
869         * jit/JITOpcodes32_64.cpp:
870         (JSC::JIT::emit_op_is_empty):
871         * llint/LowLevelInterpreter32_64.asm:
872         * llint/LowLevelInterpreter64.asm:
873         * tests/stress/class-syntax-double-constructor.js: Added.
874
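        The ordering described above, as an added example that is not part of this
        ChangeLog or of WebKit (class and function names are mine; it runs in any
        ES2015 engine): the base constructor is observed running twice before the
        ReferenceError surfaces, and reading 'this' before any super() call trips
        the same "is 'this' empty" check.

```javascript
// Added example (not WebKit code): observable ordering when a derived
// constructor calls super() twice, and when it touches `this` before super().
let baseConstructorCalls = 0;

class Base {
  constructor() {
    baseConstructorCalls += 1;
  }
}

class Derived extends Base {
  constructor() {
    super();
    super(); // Base runs a second time; binding the new `this` then throws.
  }
}

class NoSuper extends Base {
  constructor() {
    this.x = 1; // `this` is still empty here: ReferenceError before super().
    super();
  }
}

// Returns what an observer can see: the error class and how many times the
// base constructor ran before the error surfaced (expected: 2).
function runDoubleSuper() {
  baseConstructorCalls = 0;
  let error = null;
  try {
    new Derived();
  } catch (e) {
    error = e;
  }
  return {
    errorName: error === null ? null : error.constructor.name,
    baseConstructorCalls,
  };
}

// Returns the error class raised by accessing `this` before super(), or null.
function runThisBeforeSuper() {
  try {
    new NoSuper();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}
```

        Both paths raise a ReferenceError, but only the double call lets the base
        constructor's side effects happen twice first, which is why the check has to
        sit after the second super() completes rather than before it starts.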
875 2016-04-18  Benjamin Poulain  <bpoulain@apple.com>
876
877         [JSC] Fix some overhead affecting small codegen
878         https://bugs.webkit.org/show_bug.cgi?id=156728
879
880         Reviewed by Filip Pizlo.
881
882         * assembler/AbstractMacroAssembler.h:
883         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
884         (JSC::AbstractMacroAssembler::random):
885         cryptographicallyRandomNumber() is very costly.
886         We only need it in lowering some very particular cases
887         of non-trusted immediates. No inline cache needs that.
888
889         * assembler/LinkBuffer.h:
890         (JSC::LinkBuffer::link):
891         * jit/JIT.h:
892         * jit/JITInlines.h:
893         (JSC::JIT::addSlowCase):
894         Do not copy the JumpList to access its elements.
895
896 2016-04-18  Saam barati  <sbarati@apple.com>
897
898         implement dynamic scope accesses in the DFG/FTL
899         https://bugs.webkit.org/show_bug.cgi?id=156567
900
901         Reviewed by Geoffrey Garen.
902
903         This patch adds dynamic scope operations to the DFG/FTL.
904         This patch adds three new DFG nodes: ResolveScope, PutDynamicVar and GetDynamicVar.
905         When we encounter a Dynamic/UnresolvedProperty/UnresolvedPropertyWithVarInjectionChecks
906         resolve type, we will compile dynamic scope resolution nodes. When we encounter
907         a resolve type that needs var injection checks and the var injection
908         watchpoint has already been fired, we will compile dynamic scope resolution
909         nodes.
910
911         This patch also adds a new value to the InitializationMode enum: ConstInitialization.
912         There was a subtle bug where we used to never compile the var injection variant of the 
913         resolve type for an eval that injected a var where there was also a global lexical variable with the same name. 
914         For example, the store compiled in this eval("var foo = 20;") wouldn't be compiled 
915         with var injection checks if there was global let/const variable named "foo".
916         So there was the potential for the injected var to store to the GlobalLexicalObject.
917         I found this bug because my initial implementation in the DFG/FTL ran into it.
918         The reason this bug existed is because when we compile a const initialization,
919         we never need a var injections check. The const initialization always
920         knows where to store its value. This same logic leaked into the above eval's 
921         "var foo = 20" store. This new enum value allows us to distinguish const
922         initialization stores from non-const initialization stores.
923
924         (I also changed InitializationMode to be an enum class instead of an enum).
925
926         * bytecode/CodeBlock.cpp:
927         (JSC::CodeBlock::finishCreation):
928         * bytecompiler/BytecodeGenerator.cpp:
929         (JSC::BytecodeGenerator::generate):
930         (JSC::BytecodeGenerator::BytecodeGenerator):
931         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
932         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
933         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
934         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
935         (JSC::BytecodeGenerator::emitGetFromScope):
936         (JSC::BytecodeGenerator::initializeVariable):
937         (JSC::BytecodeGenerator::emitInstanceOf):
938         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
939         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
940         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
941         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
942         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
943         * bytecompiler/NodesCodegen.cpp:
944         (JSC::PostfixNode::emitResolve):
945         (JSC::PrefixNode::emitResolve):
946         (JSC::ReadModifyResolveNode::emitBytecode):
947         (JSC::initializationModeForAssignmentContext):
948         (JSC::AssignResolveNode::emitBytecode):
949         (JSC::EmptyLetExpression::emitBytecode):
950         (JSC::ForInNode::emitLoopHeader):
951         (JSC::ForOfNode::emitBytecode):
952         (JSC::ClassExprNode::emitBytecode):
953         (JSC::BindingNode::bindValue):
954         (JSC::AssignmentElementNode::bindValue):
955         (JSC::RestParameterNode::emit):
956         * dfg/DFGAbstractInterpreterInlines.h:
957         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
958         * dfg/DFGByteCodeParser.cpp:
959         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
960         (JSC::DFG::ByteCodeParser::promoteToConstant):
961         (JSC::DFG::ByteCodeParser::needsDynamicLookup):
962         (JSC::DFG::ByteCodeParser::planLoad):
963         (JSC::DFG::ByteCodeParser::parseBlock):
964         * dfg/DFGCapabilities.cpp:
965         (JSC::DFG::capabilityLevel):
966         * dfg/DFGClobberize.h:
967         (JSC::DFG::clobberize):
968         * dfg/DFGDoesGC.cpp:
969         (JSC::DFG::doesGC):
970         * dfg/DFGFixupPhase.cpp:
971         (JSC::DFG::FixupPhase::fixupNode):
972         * dfg/DFGNode.h:
973         (JSC::DFG::Node::hasIdentifier):
974         (JSC::DFG::Node::identifierNumber):
975         (JSC::DFG::Node::hasGetPutInfo):
976         (JSC::DFG::Node::getPutInfo):
977         (JSC::DFG::Node::hasAccessorAttributes):
978         * dfg/DFGNodeType.h:
979         * dfg/DFGOperations.cpp:
980         * dfg/DFGOperations.h:
981         * dfg/DFGPredictionPropagationPhase.cpp:
982         (JSC::DFG::PredictionPropagationPhase::propagate):
983         * dfg/DFGSafeToExecute.h:
984         (JSC::DFG::safeToExecute):
985         * dfg/DFGSpeculativeJIT.cpp:
986         (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
987         (JSC::DFG::SpeculativeJIT::compileResolveScope):
988         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
989         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
990         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
991         * dfg/DFGSpeculativeJIT.h:
992         (JSC::DFG::SpeculativeJIT::callOperation):
993         * dfg/DFGSpeculativeJIT32_64.cpp:
994         (JSC::DFG::SpeculativeJIT::compile):
995         * dfg/DFGSpeculativeJIT64.cpp:
996         (JSC::DFG::SpeculativeJIT::compile):
997         * ftl/FTLCapabilities.cpp:
998         (JSC::FTL::canCompile):
999         * ftl/FTLLowerDFGToB3.cpp:
1000         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1001         (JSC::FTL::DFG::LowerDFGToB3::compare):
1002         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
1003         (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
1004         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
1005         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
1006         * jit/CCallHelpers.h:
1007         (JSC::CCallHelpers::setupArgumentsWithExecState):
1008         * jit/JITOperations.cpp:
1009         * jit/JITOperations.h:
1010         * jit/JITPropertyAccess.cpp:
1011         (JSC::JIT::emit_op_put_to_scope):
1012         (JSC::JIT::emitSlow_op_put_to_scope):
1013         * jit/JITPropertyAccess32_64.cpp:
1014         (JSC::JIT::emit_op_put_to_scope):
1015         (JSC::JIT::emitSlow_op_put_to_scope):
1016         * llint/LLIntData.cpp:
1017         (JSC::LLInt::Data::performAssertions):
1018         * llint/LLIntSlowPaths.cpp:
1019         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1020         * llint/LowLevelInterpreter.asm:
1021         * llint/LowLevelInterpreter64.asm:
1022         * runtime/GetPutInfo.h:
1023         (JSC::resolveModeName):
1024         (JSC::initializationModeName):
1025         (JSC::isInitialization):
1026         (JSC::makeType):
1027         (JSC::GetPutInfo::GetPutInfo):
1028         * runtime/JSScope.cpp:
1029         (JSC::abstractAccess):
1030
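        The eval var-injection case discussed above, as an added example that is not
        part of this ChangeLog or of WebKit (function names are mine). It shows the
        scoping an engine must preserve whichever tier compiles the store: a
        sloppy-mode direct eval injects 'var foo' into the enclosing function's
        variable environment, shadowing but never overwriting an outer 'let foo', and
        an injection that collides with a lexical binding in the same scope is
        rejected with a SyntaxError before any store happens. Run it as a sloppy-mode
        script (e.g. CommonJS); in strict mode the eval gets its own variable
        environment and injects nothing, which the helper isSloppyMode() makes visible.

```javascript
// Added example (not WebKit code): the scoping that var-injection checks exist
// to preserve. Assumes a sloppy-mode script; strict mode is reported, not assumed.
let foo = 1; // lexical binding in the enclosing scope

// Reports whether this file runs in sloppy mode (a sloppy function sees `this`
// as the global object; a strict one sees undefined).
function isSloppyMode() {
  return (function () { return this !== undefined; })();
}

// Direct eval inside a function: in sloppy mode the injected `var foo` lands in
// this function's variable environment and shadows the outer `let foo`. It must
// never be stored into the outer lexical binding.
function injectVarInFunction() {
  eval("var foo = 20;");
  return foo;
}

// Reads the outer binding so a caller can confirm it was left untouched.
function outerFoo() {
  return foo;
}

// Direct eval where the same scope already holds a lexical `foo`: the spec's
// EvalDeclarationInstantiation rejects the injection with a SyntaxError before
// any store happens, so the existing `let foo` keeps its value.
function injectVarOverLexical() {
  let foo = 1;
  try {
    eval("var foo = 20;");
  } catch (e) {
    return { error: e.constructor.name, foo };
  }
  return { error: null, foo };
}
```

        In sloppy mode injectVarInFunction() returns 20 while outerFoo() still
        returns 1, and injectVarOverLexical() reports a SyntaxError with foo
        unchanged; a store that reached the outer lexical binding in either case
        would be exactly the miscompile the patch describes.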
1031 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
1032
1033         Disable AVX.
1034
1035         Rubber stamped by Benjamin Poulain.
1036
1037         AVX is silly. If you use it and some of your other code isn't careful with float register bits, you
1038         will run 10x slower. We could fix the underlying issue, but it's better to stay away from this odd
1039         instruction subset.
1040
1041         This fixes a massive regression on some real code.
1042
1043         * assembler/MacroAssemblerX86Common.h:
1044         (JSC::MacroAssemblerX86Common::supportsAVX):
1045         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
1046
1047 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
1048
1049         ToThis should have a fast path based on type info flags
1050         https://bugs.webkit.org/show_bug.cgi?id=156712
1051
1052         Reviewed by Geoffrey Garen.
1053
1054         Prior to this change, if we couldn't nail down the type of ToThis to something easy, we'd emit code
1055         that would take slow path if the argument was not a final object. We'd end up taking that slow path
1056         a lot.
1057
1058         This adds a type info flag for ToThis having non-obvious behavior and changes the DFG and FTL paths
1059         to test this flag. This is a sub-1% speed-up on SunSpider and Octane.
1060
1061         * dfg/DFGSpeculativeJIT32_64.cpp:
1062         (JSC::DFG::SpeculativeJIT::compile):
1063         * dfg/DFGSpeculativeJIT64.cpp:
1064         (JSC::DFG::SpeculativeJIT::compile):
1065         * ftl/FTLLowerDFGToB3.cpp:
1066         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
1067         * runtime/JSGlobalObject.h:
1068         (JSC::JSGlobalObject::create):
1069         * runtime/JSLexicalEnvironment.h:
1070         (JSC::JSLexicalEnvironment::create):
1071         * runtime/JSString.h:
1072         * runtime/JSTypeInfo.h:
1073         (JSC::TypeInfo::overridesGetOwnPropertySlot):
1074         (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
1075         (JSC::TypeInfo::structureIsImmortal):
1076         (JSC::TypeInfo::overridesToThis):
1077         (JSC::TypeInfo::overridesGetPropertyNames):
1078         (JSC::TypeInfo::prohibitsPropertyCaching):
1079         (JSC::TypeInfo::getOwnPropertySlotIsImpure):
1080         * runtime/StrictEvalActivation.h:
1081         (JSC::StrictEvalActivation::create):
1082         * runtime/Symbol.h:
1083
1084 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
1085
1086         Check to see how the perf bots react to megamorphic load being disabled.
1087
1088         Rubber stamped by Chris Dumez.
1089
1090         * runtime/Options.h:
1091
1092 2016-04-18  Keith Miller  <keith_miller@apple.com>
1093
1094         We should support delete in the DFG
1095         https://bugs.webkit.org/show_bug.cgi?id=156607
1096
1097         Reviewed by Benjamin Poulain.
1098
1099         This patch adds support for delete in the DFG as it appears that
1100         some major frameworks use the operation in particularly hot functions.
1101         As a result, even if the function rarely ever calls delete we would never
1102         tier up to the DFG. This patch also changes operationDeleteById to take a
1103         UniquedStringImpl and return a size_t.
1104
1105         * dfg/DFGAbstractInterpreterInlines.h:
1106         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1107         * dfg/DFGByteCodeParser.cpp:
1108         (JSC::DFG::ByteCodeParser::parseBlock):
1109         * dfg/DFGCapabilities.cpp:
1110         (JSC::DFG::capabilityLevel):
1111         * dfg/DFGClobberize.h:
1112         (JSC::DFG::clobberize):
1113         * dfg/DFGDoesGC.cpp:
1114         (JSC::DFG::doesGC):
1115         * dfg/DFGFixupPhase.cpp:
1116         (JSC::DFG::FixupPhase::fixupNode):
1117         * dfg/DFGNode.h:
1118         (JSC::DFG::Node::hasIdentifier):
1119         * dfg/DFGNodeType.h:
1120         * dfg/DFGPredictionPropagationPhase.cpp:
1121         (JSC::DFG::PredictionPropagationPhase::propagate):
1122         * dfg/DFGSafeToExecute.h:
1123         (JSC::DFG::safeToExecute):
1124         * dfg/DFGSpeculativeJIT.cpp:
1125         (JSC::DFG::SpeculativeJIT::compileDeleteById):
1126         * dfg/DFGSpeculativeJIT.h:
1127         (JSC::DFG::SpeculativeJIT::callOperation):
1128         * dfg/DFGSpeculativeJIT32_64.cpp:
1129         (JSC::DFG::SpeculativeJIT::compile):
1130         * dfg/DFGSpeculativeJIT64.cpp:
1131         (JSC::DFG::SpeculativeJIT::compile):
1132         * jit/JIT.h:
1133         * jit/JITInlines.h:
1134         (JSC::JIT::callOperation):
1135         * jit/JITOperations.cpp:
1136         * jit/JITOperations.h:
1137         * jit/JITPropertyAccess.cpp:
1138         (JSC::JIT::emit_op_del_by_id):
1139         * jit/JITPropertyAccess32_64.cpp:
1140         (JSC::JIT::emit_op_del_by_id):
1141
1142 2016-04-17  Filip Pizlo  <fpizlo@apple.com>
1143
1144         FTL should pin the tag registers at inline caches
1145         https://bugs.webkit.org/show_bug.cgi?id=156678
1146
1147         Reviewed by Saam Barati.
1148
1149         This is a long-overdue fix to our inline caches. Back when we had LLVM, we couldn't rely on the tags
1150         being pinned to any registers. So, if the inline caches needed tags, they'd have to materialize them.
1151         
1152         This removes those materializations. This should reduce the amount of code generated in inline caches
1153         and it should make inline caches faster. The effect appears to be small.
1154
1155         It may be that after this change, we'll even be able to kill the
1156         HaveTagRegisters/DoNotHaveTagRegisters logic.
1157
1158         * bytecode/PolymorphicAccess.cpp:
1159         (JSC::AccessCase::generateWithGuard):
1160         (JSC::AccessCase::generateImpl):
1161         * ftl/FTLLowerDFGToB3.cpp:
1162         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1163         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1164         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1165         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1166         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1167         (JSC::FTL::DFG::LowerDFGToB3::getById):
1168         * jit/Repatch.cpp:
1169         (JSC::readCallTarget):
1170         (JSC::linkPolymorphicCall):
1171         * jit/ThunkGenerators.cpp:
1172         (JSC::virtualThunkFor):
1173
1174 2016-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1175
1176         [ES7] yield star should not return if the inner iterator.throw returns { done: true }
1177         https://bugs.webkit.org/show_bug.cgi?id=156576
1178
1179         Reviewed by Saam Barati.
1180
1181         This is a slight generator fix in ES7. When calling generator.throw(),
1182         the yield-star should call the throw() of the inner generator. At that
1183         time, when the result of throw() is { done: true }, the generator should
1184         not stop itself.
1185
1186             function * gen()
1187             {
1188                 yield * (function * () {
1189                     try {
1190                         yield 42;
1191                     } catch (error) { }
1192                 }());
1193                 // Continue executing.
1194                 yield 42;
1195             }
1196
1197             let g = gen();
1198             g.next();
1199             shouldBe(g.throw().value, 42);
1200
1201
1202         * builtins/GeneratorPrototype.js:
1203         (generatorResume):
1204         (next):
1205         (return):
1206         (throw):
1207         * bytecode/BytecodeIntrinsicRegistry.cpp:
1208         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1209         * bytecode/BytecodeIntrinsicRegistry.h:
1210         * bytecompiler/BytecodeGenerator.cpp:
1211         (JSC::BytecodeGenerator::emitDelegateYield):
1212         * runtime/JSGeneratorFunction.h:
1213         * tests/stress/generator-yield-star.js:
1214         (gen):
1215         * tests/stress/yield-star-throw-continue.js: Added.
1216         (shouldBe):
1217         (generator):
1218         (shouldThrow):
1219
1220 2016-04-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>
1221
1222         Fix incorrect assumption that APPLE implies Mac.
1223         https://bugs.webkit.org/show_bug.cgi?id=156683
1224     
1225         Addresses build failure introduced in r199094
1226
1227         Reviewed by Alex Christensen.
1228
1229         * CMakeLists.txt:
1230
1231 2016-04-17  Benjamin Poulain  <bpoulain@apple.com>
1232
1233         [JSC] ReduceDoubleToFloat should work across Phis
1234         https://bugs.webkit.org/show_bug.cgi?id=156603
1235         <rdar://problem/25736205>
1236
1237         Reviewed by Saam Barati and Filip Pizlo.
1238
1239         This patch extends B3's ReduceDoubleToFloat phase to work across
1240         Upsilon-Phis. This is important to optimize loops and some crazy cases.
1241
1242         In its simplest form, we can have conversion propagated from something
1243         like this:
1244             Double @1 = Phi()
1245             Float @2 = DoubleToFloat(@1)
1246
1247         When that happens, we just need to propagate that the result only
1248         needs float precision across all values coming to this Phi.
1249
1250
1251         There are more complicated cases when the value produced is effectively Float
1252         but the user of the value does not do DoubleToFloat.
1253
1254         Typically, we have something like:
1255             #1
1256                 @1 = ConstDouble(1)
1257                 @2 = Upsilon(@1, ^5)
1258             #2
1259                 @3 = FloatToDouble(@x)
1260                 @4 = Upsilon(@3, ^5)
1261             #3
1262                 @5 = Phi()
1263                 @6 = Add(@5, @somethingFloat)
1264                 @7 = DoubleToFloat(@6)
1265
1266         Here with a Phi-Upsilon that is a Double but can be represented
1267         as Float without loss of precision.
1268
1269         It is valuable to convert such Phis to float if and only if the value
1270         is used as float. Otherwise, you may be just adding useless conversions
1271         (for example, two double constants that flow into a double Add should not
1272         turn into two float constant flowing into a FloatToDouble then Add).
1273
1274
1275         ReduceDoubleToFloat does two analysis passes to gather the necessary
1276         meta information. Then we have a simplify() phase to actually reduce
1277         operations. Finally, the cleanup() pass puts the graph into a valid
1278         state again.
1279
1280         The two analysis passes work by disproving that something is float.
1281         -findCandidates() accumulates anything used as Double.
1282         -findPhisContainingFloat() accumulates phis that would lose precision
1283          by converting the input to float.
1284
1285         With this change, Unity3D improves by ~1.5%, box2d-f32 improves
1286         by ~2.8% (on Haswell).
1287
1288         * b3/B3ReduceDoubleToFloat.cpp:
1289         (JSC::B3::reduceDoubleToFloat):
1290         * b3/testb3.cpp:
1291         (JSC::B3::testCompareTwoFloatToDouble):
1292         (JSC::B3::testCompareOneFloatToDouble):
1293         (JSC::B3::testCompareFloatToDoubleThroughPhi):
1294         (JSC::B3::testDoubleToFloatThroughPhi):
1295         (JSC::B3::testDoubleProducerPhiToFloatConversion):
1296         (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
1297         (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
1298         (JSC::B3::testStoreDoubleConstantAsFloat):
1299         (JSC::B3::run):
1300         * tests/stress/double-compare-to-float.js: Added.
1301         (canSimplifyToFloat):
1302         (canSimplifyToFloatWithConstant):
1303         (cannotSimplifyA):
1304         (cannotSimplifyB):
1305         * tests/stress/double-to-float.js: Added.
1306         (upsilonReferencingItsPhi):
1307         (upsilonReferencingItsPhiAllFloat):
1308         (upsilonReferencingItsPhiWithoutConversion):
1309         (conversionPropagages):
1310         (chainedUpsilonBothConvert):
1311         (chainedUpsilonFirstConvert):
1312
1313 2016-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1314
1315         [ES6] Use @isObject to check Object Type instead of using instanceof
1316         https://bugs.webkit.org/show_bug.cgi?id=156676
1317
1318         Reviewed by Darin Adler.
1319
1320         Use @isObject instead of `instanceof @Object`.
1321         The `instanceof` check is not enough to check the Object type.
1322         For example, given 2 realms, the object created in one realm does not inherit the Object of another realm.
1323         Another example is an object which does not inherit from Object.
1324         This object can be easily created by calling `Object.create(null)`.
1325
1326         * builtins/RegExpPrototype.js:
1327         (match):
1328         * jsc.cpp:
1329         (GlobalObject::finishCreation):
1330         (functionCreateGlobalObject):
1331         * tests/stress/regexp-match-in-other-realm-should-work.js: Added.
1332         (shouldBe):
1333         * tests/stress/regexp-match-should-work-with-objects-not-inheriting-object-prototype.js: Added.
1334         (shouldBe):
1335         (regexp.exec):
1336
1337 2016-04-17  Darin Adler  <darin@apple.com>
1338
1339         Remove more uses of Deprecated::ScriptXXX
1340         https://bugs.webkit.org/show_bug.cgi?id=156660
1341
1342         Reviewed by Antti Koivisto.
1343
1344         * bindings/ScriptFunctionCall.cpp:
1345         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted
1346         unneeded overloads that take a ScriptObject and ScriptValue.
1347         * bindings/ScriptFunctionCall.h: Ditto.
1348
1349         * bindings/ScriptObject.h: Added operator so this can change
1350         itself into a JSObject*. Helps while phasing this class out.
1351
1352         * bindings/ScriptValue.h: Export toInspectorValue so it can be
1353         used in WebCore.
1354
1355         * inspector/InjectedScriptManager.cpp:
1356         (Inspector::InjectedScriptManager::createInjectedScript): Changed
1357         return value from Deprecated::ScriptObject to JSObject*.
1358         (Inspector::InjectedScriptManager::injectedScriptFor): Updated for
1359         the return value change above.
1360         * inspector/InjectedScriptManager.h: Ditto.
1361
1362 2016-04-16  Benjamin Poulain  <bpoulain@webkit.org>
1363
1364         [JSC] DFG should support relational comparisons of Number and Other
1365         https://bugs.webkit.org/show_bug.cgi?id=156669
1366
1367         Reviewed by Darin Adler.
1368
1369         In Sunspider/3d-raytrace, DFG falls back to JSValue in some important
1370         relational compares because profiling sees "undefined" from time to time.
1371 
1372         This case is fairly common outside Sunspider too because of out-of-bounds array access.
1373         Unfortunately for us, our fallback for compare is really inefficient.
1374 
1375         Fortunately, relational comparisons with null/undefined/true/false are trivial.
1376         We can just convert both sides to Double. That's what this patch adds.
1377
1378         I also extended constant folding for those cases because I noticed
1379         a bunch of "undefined" constant going through DoubleRep at runtime.
1380
1381         * dfg/DFGAbstractInterpreterInlines.h:
1382         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1383         * dfg/DFGFixupPhase.cpp:
1384         (JSC::DFG::FixupPhase::fixupNode):
1385         * tests/stress/compare-number-and-other.js: Added.
1386         (opaqueSideEffect):
1387         (let.operator.of.operators.eval.testPolymorphic):
1388         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval.testMonomorphic):
1389         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicLeftConstant):
1390         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicRightConstant):
1391         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.i.testPolymorphic):
1392
1393 2016-04-16  Benjamin Poulain  <bpoulain@apple.com>
1394
1395         [JSC] FRound/Negate can produce an impure NaN out of a pure NaN
1396         https://bugs.webkit.org/show_bug.cgi?id=156528
1397
1398         Reviewed by Filip Pizlo.
1399
1400         If you fround a double with the bits 0xfff7000000000000
1401         you get 0xfffe000000000000. The first is a pure NaN, the second isn't.
1402
1403         This is without a test because I could not find a way to create a 0xfff7000000000000
1404         while convincing the DFG that it's pure.
1405         When we purify NaNs from typed array, we use a specific value of NaN if the input
1406         is any NaN, making testing tricky.
1407
1408         * bytecode/SpeculatedType.cpp:
1409         (JSC::typeOfDoubleNegation):
1410
1411 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
1412
1413         JS::DFG::nodeValuePairListDump does not compile with libstdc++ 4.8
1414         https://bugs.webkit.org/show_bug.cgi?id=156670
1415
1416         Reviewed by Darin Adler.
1417
1418         * dfg/DFGNode.h:
1419         (JSC::DFG::nodeValuePairListDump): Modified to use lambda as comparator.
1420
1421 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
1422
1423         [mips] Implemented moveZeroToDouble.
1424         https://bugs.webkit.org/show_bug.cgi?id=155429
1425
1426         Reviewed by Darin Adler.
1427
1428         This function is required to fix compilation after r197687.
1429
1430         * assembler/MacroAssemblerMIPS.h:
1431         (JSC::MacroAssemblerMIPS::moveZeroToDouble):
1432
1433 2016-04-15  Darin Adler  <darin@apple.com>
1434
1435         Reduce use of Deprecated::ScriptXXX classes
1436         https://bugs.webkit.org/show_bug.cgi?id=156632
1437
1438         Reviewed by Alex Christensen.
1439
1440         * bindings/ScriptFunctionCall.cpp:
1441         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted version that takes a Deprecated::ScriptValue.
1442         (Deprecated::ScriptFunctionCall::call): Changed to return a JSValue.
1443         * bindings/ScriptFunctionCall.h: Updated for the above.
1444
1445         * bindings/ScriptValue.cpp:
1446         (Inspector::jsToInspectorValue): Moved from Deprecated namespace to Inspector namespace. Later, we should
1447         move this to another source file in the inspector directory.
1448         (Inspector::toInspectorValue): Added.
1449         (Deprecated::ScriptValue::toInspectorValue): Updated for change to underlying function.
1450         * bindings/ScriptValue.h: Update for the above.
1451
1452         * inspector/InjectedScript.cpp:
1453         (Inspector::InjectedScript::evaluateOnCallFrame): Changed arguments and return values from
1454         Deprecated::ScriptValue to JSC::JSValue.
1455         (Inspector::InjectedScript::functionDetails): Ditto.
1456         (Inspector::InjectedScript::wrapCallFrames): Ditto.
1457         (Inspector::InjectedScript::wrapObject): Ditto.
1458         (Inspector::InjectedScript::wrapTable): Ditto.
1459         (Inspector::InjectedScript::previewValue): Ditto.
1460         (Inspector::InjectedScript::setExceptionValue): Ditto.
1461         (Inspector::InjectedScript::findObjectById): Ditto.
1462         (Inspector::InjectedScript::inspectObject): Ditto.
1463         * inspector/InjectedScript.h: Ditto.
1464         * inspector/InjectedScriptBase.cpp:
1465         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled): Ditto.
1466         (Inspector::InjectedScriptBase::makeCall): Ditto.
1467         * inspector/InjectedScriptBase.h: Ditto.
1468         * inspector/InjectedScriptModule.cpp:
1469         (Inspector::InjectedScriptModule::ensureInjected): Ditto.
1470         * inspector/ScriptDebugListener.h: Ditto.
1471         * inspector/ScriptDebugServer.cpp:
1472         (Inspector::ScriptDebugServer::evaluateBreakpointAction): Ditto.
1473         (Inspector::ScriptDebugServer::dispatchDidPause): Ditto.
1474         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
1475         (Inspector::ScriptDebugServer::exceptionOrCaughtValue): Ditto.
1476         * inspector/ScriptDebugServer.h: Ditto.
1477         * inspector/agents/InspectorDebuggerAgent.cpp:
1478         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): Ditto.
1479         (Inspector::InspectorDebuggerAgent::didPause): Ditto.
1480         (Inspector::InspectorDebuggerAgent::breakpointActionProbe): Ditto.
1481         (Inspector::InspectorDebuggerAgent::didContinue): Ditto.
1482         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): Ditto.
1483         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
1484         * inspector/agents/InspectorHeapAgent.cpp:
1485         (Inspector::InspectorHeapAgent::getPreview): Ditto.
1486         (Inspector::InspectorHeapAgent::getRemoteObject): Ditto.
1487
1488 2016-04-15  Keith Miller  <keith_miller@apple.com>
1489
1490         Some JIT/DFG operations need NativeCallFrameTracers
1491         https://bugs.webkit.org/show_bug.cgi?id=156650
1492
1493         Reviewed by Michael Saboff.
1494
1495         Some of our operation functions did not have native call frame
1496         tracers. This meant that we would crash occasionally on some
1497         of our tests when they triggered a GC in one of the functions
1498         without a tracer. In particular, this was exemplified by another
1499         upcoming patch when calling operationSetFunctionName.
1500
1501         This patch does not add tests since this happens consistently in
1502         the patch adding delete_by_id to the DFG.
1503
1504         * dfg/DFGOperations.cpp:
1505         * jit/JITOperations.cpp:
1506
1507 2016-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1508
1509         Web Inspector: sourceMappingURL not used when sourceURL is set
1510         https://bugs.webkit.org/show_bug.cgi?id=156021
1511         <rdar://problem/25438417>
1512
1513         Reviewed by Timothy Hatcher.
1514
1515         Clean up Debugger.sourceParsed to separately include:
1516
1517             - url ("resource URL", "source url" in JSC APIs)
1518             - sourceURL - //# sourceURL directive
1519
1520         By always having the resource URL the Web Inspector frontend
1521         can better match this Script to a Resource of the same URL,
1522         and decide to use the sourceURL if it is available when
1523         appropriate.
1524
1525         * inspector/protocol/Debugger.json:
1526         * inspector/agents/InspectorDebuggerAgent.cpp:
1527         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1528         (Inspector::InspectorDebuggerAgent::didParseSource):
1529         Send the new sourceParsed parameters.
1530
1531 2016-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1532
1533         Web Inspector: Cleanup inspector/debugger tests
1534         https://bugs.webkit.org/show_bug.cgi?id=156619
1535
1536         Reviewed by Brian Burg.
1537
1538         While cleaning up the tests it exposed the fact that breakpoints
1539         were not getting disabled when the inspector closes. This means
1540         that opening the inspector, with breakpoints, and closing the
1541         inspector, would leave the JSC::Debugger thinking breakpoints
1542         are active. The JSC::Debugger should be reset.
1543
1544         * inspector/agents/InspectorDebuggerAgent.cpp:
1545         (Inspector::InspectorDebuggerAgent::disable):
1546
1547 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1548
1549         CopiedBlock should be 64kB
1550
1551         Reviewed by Benjamin Poulain.
1552
1553         Let's try another value.
1554
1555         This is 25% faster on kraken-audio-beat-detection on Mac Pro.
1556
1557         * heap/CopiedBlock.h:
1558
1559 2016-04-15  Zan Dobersek  <zdobersek@igalia.com>
1560
1561         Tail call optimizations lead to crashes on ARM Thumb + Linux
1562         https://bugs.webkit.org/show_bug.cgi?id=150083
1563
1564         Reviewed by Csaba Osztrogonác.
1565
1566         * assembler/AbstractMacroAssembler.h:
1567         (JSC::AbstractMacroAssembler::repatchNearCall): In case of a tail call relink to the
1568         data location of the destination, and not the executable address. This is needed for
1569         the ARM Thumb2 platform where both the source and destination addresses of a jump relink
1570         must not have the bottom bit decorated, as asserted in ARMv7Assembler::relinkJump().
1571         * jit/Repatch.cpp:
1572         (JSC::linkPolymorphicCall): Similarly, when linking a tail call we must link to the
1573         address that has a non-decorated bottom bit, as asserted in ARMv7Assembler::linkJumpAbsolute().
1574
1575 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1576
1577         Unreviewed, rolling out r199567.
1578
1579         performance regression on kraken on macbook*
1580
1581         Reverted changeset:
1582
1583         "CopiedBlock should be 8kB"
1584         https://bugs.webkit.org/show_bug.cgi?id=156610
1585         http://trac.webkit.org/changeset/199567
1586
1587 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1588
1589         CopiedBlock should be 8kB
1590         https://bugs.webkit.org/show_bug.cgi?id=156610
1591
1592         Reviewed by Michael Saboff.
1593
1594         On Mac Pro, this is:
1595
1596             15% faster on kraken-audio-beat-detection
1597
1598             5% faster on v8-splay
1599
1600         Hopefully, this will be OK on MacBook* bots as well.
1601
1602         32kB is the full size of L1 cache on x86. So, allocating and zero-filling
1603         a 32kB CopiedBlock would basically flush the L1 cache. We can ameliorate
1604         this problem by using smaller blocks -- or, if that doesn't work, we can
1605         use larger blocks to amortize the cost.
1606
1607         * heap/CopiedBlock.h:
1608
1609 2016-04-14  Filip Pizlo  <fpizlo@apple.com>
1610
1611         PolymorphicAccess should try to generate a stub only once
1612         https://bugs.webkit.org/show_bug.cgi?id=156555
1613
1614         Reviewed by Geoffrey Garen.
1615         
1616         This changes the PolymorphicAccess heuristics to reduce the amount of code generation even
1617         more than before. We used to always generate a monomorphic stub for the first case we saw.
1618         This change disables that. This change also increases the buffering countdown to match the
1619         cool-down repatch count. This means that we will allow for ten slow paths for adding cases,
1620         then we will generate a stub, and then we will go into cool-down and the repatching slow
1621         paths will not even attempt repatching for a while. After we emerge from cool-down - which
1622         requires a bunch of slow path calls - we will again wait for ten slow paths to get new
1623         cases. Note that it only takes 13 cases to cause the stub to give up on future repatching
1624         entirely. Also, most stubs don't ever get to 10 cases. Therefore, for most stubs this change
1625         means that each IC will repatch once. If they make it to two repatching, then the likelihood
1626         of a third becomes infinitesimal because of all of the rules that come into play at that
1627         point (the size limit being 13, the fact that we go into exponential cool-down every time we
1628         generate code, and the fact that if we have lots of self cases then we will create a
1629         catch-all megamorphic load case).
1630
1631         This also undoes a change to the megamorphic optimization that I think was unintentional.
1632         As in the change that originally introduced megamorphic loads, we want to do this only if we
1633         would otherwise exhaust the max size of the IC. This is because megamorphic loads are pretty
1634         expensive and it's best to use them only if we know that the alternative is giving up on
1635         caching.
1636
1637         This is neutral on JS benchmarks, but looks like it's another speed-up for page loading.
1638
1639         * bytecode/PolymorphicAccess.cpp:
1640         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
1641         (JSC::AccessCase::canReplace):
1642         (JSC::AccessCase::dump):
1643         (JSC::PolymorphicAccess::regenerate):
1644         * bytecode/StructureStubInfo.cpp:
1645         (JSC::StructureStubInfo::StructureStubInfo):
1646         * runtime/Options.h:
1647
1648 2016-04-14  Mark Lam  <mark.lam@apple.com>
1649
1650         Update treatment of invoking RegExp.prototype methods on RegExp.prototype.
1651         https://bugs.webkit.org/show_bug.cgi?id=155922
1652
1653         Reviewed by Keith Miller.
1654
1655         According to the TC39 committee, when invoking the following RegExp.prototype
1656         methods on the RegExp.prototype:
1657         1. RegExp.prototype.flags yields ""
1658         2. RegExp.prototype.global yields undefined
1659         3. RegExp.prototype.ignoreCase yields undefined
1660         4. RegExp.prototype.multiline yields undefined
1661         5. RegExp.prototype.unicode yields undefined
1662         6. RegExp.prototype.source yields "(?:)"
1663         7. RegExp.prototype.sticky yields undefined
1664         8. RegExp.prototype.toString() yields "/(?:)/"
1665
1666         and RegExp.prototype is still NOT an instance of RegExp.  The above behavior
1667         change is a special dispensation applicable only to RegExp.prototype.  The ES6
1668         spec of throwing errors still applies if those methods are applied to anything
1669         else that is not a RegExp object.
1670
1671         * runtime/RegExpPrototype.cpp:
1672         (JSC::regExpProtoGetterGlobal):
1673         (JSC::regExpProtoGetterIgnoreCase):
1674         (JSC::regExpProtoGetterMultiline):
1675         (JSC::regExpProtoGetterSticky):
1676         (JSC::regExpProtoGetterUnicode):
1677         (JSC::regExpProtoGetterFlags):
1678         (JSC::regExpProtoGetterSource):
1679         - Implemented new behavior.
1680
1681         * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
1682         (test):
1683         - Updated to match current kangax test.
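
        The RegExp.prototype special case listed in the entry above, observed from
        JavaScript. This is an added example, not code from the WebKit ChangeLog or
        the JSC sources; it runs on any ES2015+ engine (e.g. node) and uses only the
        RegExp.prototype accessors the entry names.

```javascript
// Added example (not JSC code): the eight RegExp.prototype observations from
// the ChangeLog entry, plus what the same accessors do on a non-RegExp object.

// Fetch a RegExp.prototype accessor so it can be invoked with an explicit receiver.
function getter(name) {
  return Object.getOwnPropertyDescriptor(RegExp.prototype, name).get;
}

// Invoke a getter or method on `receiver`; report a thrown TypeError as the
// string "TypeError" instead of letting it propagate.
function probe(fn, receiver) {
  try {
    return fn.call(receiver);
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "unexpected:" + e;
  }
}

// Observations taken on RegExp.prototype itself: the dispensation the entry
// describes (no throw; "" / undefined / "(?:)" / "/(?:)/").
function prototypeDispensation() {
  const R = RegExp.prototype;
  return {
    flags: probe(getter("flags"), R),            // ""
    global: probe(getter("global"), R),          // undefined
    ignoreCase: probe(getter("ignoreCase"), R),  // undefined
    multiline: probe(getter("multiline"), R),    // undefined
    unicode: probe(getter("unicode"), R),        // undefined
    source: probe(getter("source"), R),          // "(?:)"
    sticky: probe(getter("sticky"), R),          // undefined
    toString: probe(R.toString, R),              // "/(?:)/"
    isRegExp: R instanceof RegExp,               // false
    tag: Object.prototype.toString.call(R),      // "[object Object]"
  };
}

// The same accessors on an ordinary object: the dispensation applies to
// RegExp.prototype only, so the internal-slot getters still throw TypeError.
// `flags` and `toString` are generic over any object and do not throw.
function plainObjectBehaviour() {
  const o = {};
  return {
    global: probe(getter("global"), o),      // "TypeError"
    source: probe(getter("source"), o),      // "TypeError"
    flags: probe(getter("flags"), o),        // ""
    toString: probe(RegExp.prototype.toString, o), // "/undefined/undefined"
  };
}
```

        The `probe` helper is what makes the two cases comparable: the getters
        are shared between RegExp.prototype and every other receiver, and the
        only difference is whether they throw.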
1684
1685 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1686
1687         Some imported ES6 tests are missing __createIterableObject
1688         https://bugs.webkit.org/show_bug.cgi?id=156584
1689
1690         Reviewed by Keith Miller.
1691
1692         These tests were failing because I neglected to include __createIterableObject
1693         when I first imported them. Now they pass.
1694
1695         * tests/es6.yaml:
1696         * tests/es6/Array_static_methods_Array.from_generic_iterables.js:
1697         (iterator.next):
1698         (iterable.Symbol.iterator):
1699         (__createIterableObject):
1700         (test):
1701         * tests/es6/Array_static_methods_Array.from_instances_of_generic_iterables.js:
1702         (iterator.next):
1703         (iterable.Symbol.iterator):
1704         (__createIterableObject):
1705         (test):
1706         * tests/es6/Array_static_methods_Array.from_iterator_closing.js:
1707         (iterator.next):
1708         (iterable.Symbol.iterator):
1709         (__createIterableObject):
1710         * tests/es6/Array_static_methods_Array.from_map_function_generic_iterables.js:
1711         (iterator.next):
1712         (iterable.Symbol.iterator):
1713         (__createIterableObject):
1714         (test):
1715         * tests/es6/Array_static_methods_Array.from_map_function_instances_of_iterables.js:
1716         (iterator.next):
1717         (iterable.Symbol.iterator):
1718         (__createIterableObject):
1719         (test):
1720         * tests/es6/Map_iterator_closing.js:
1721         (iterator.next):
1722         (iterable.Symbol.iterator):
1723         (__createIterableObject):
1724         * tests/es6/Promise_Promise.all_generic_iterables.js:
1725         (iterator.next):
1726         (iterable.Symbol.iterator):
1727         (__createIterableObject):
1728         (test.asyncTestPassed):
1729         * tests/es6/Promise_Promise.race_generic_iterables.js:
1730         (iterator.next):
1731         (iterable.Symbol.iterator):
1732         (__createIterableObject):
1733         (test.asyncTestPassed):
1734         * tests/es6/Set_iterator_closing.js:
1735         (iterator.next):
1736         (iterable.Symbol.iterator):
1737         (__createIterableObject):
1738         * tests/es6/WeakMap_iterator_closing.js:
1739         (iterator.next):
1740         (iterable.Symbol.iterator):
1741         (__createIterableObject):
1742         * tests/es6/WeakSet_iterator_closing.js:
1743         (iterator.next):
1744         (iterable.Symbol.iterator):
1745         (__createIterableObject):
1746         * tests/es6/destructuring_iterator_closing.js:
1747         (iterator.next):
1748         (iterable.Symbol.iterator):
1749         (__createIterableObject):
1750         * tests/es6/destructuring_with_generic_iterables.js:
1751         (iterator.next):
1752         (iterable.Symbol.iterator):
1753         (__createIterableObject):
1754         (test):
1755         * tests/es6/destructuring_with_instances_of_generic_iterables.js:
1756         (iterator.next):
1757         (iterable.Symbol.iterator):
1758         (__createIterableObject):
1759         (test):
1760         * tests/es6/for..of_loops_iterator_closing_break.js:
1761         (iterator.next):
1762         (iterable.Symbol.iterator):
1763         (__createIterableObject):
1764         * tests/es6/for..of_loops_iterator_closing_throw.js:
1765         (iterator.next):
1766         (iterable.Symbol.iterator):
1767         (__createIterableObject):
1768         * tests/es6/for..of_loops_with_generic_iterables.js:
1769         (iterator.next):
1770         (iterable.Symbol.iterator):
1771         (__createIterableObject):
1772         (test):
1773         * tests/es6/for..of_loops_with_instances_of_generic_iterables.js:
1774         (iterator.next):
1775         (iterable.Symbol.iterator):
1776         (__createIterableObject):
1777         (test):
1778         * tests/es6/generators_yield_star_generic_iterables.js:
1779         (iterator.next):
1780         (iterable.Symbol.iterator):
1781         (__createIterableObject):
1782         * tests/es6/generators_yield_star_iterator_closing_via_throw.js:
1783         (iterator.next):
1784         (iterable.Symbol.iterator):
1785         (__createIterableObject):
1786         * tests/es6/spread_..._operator_with_generic_iterables_in_arrays.js:
1787         (iterator.next):
1788         (iterable.Symbol.iterator):
1789         (__createIterableObject):
1790         (test):
1791         * tests/es6/spread_..._operator_with_generic_iterables_in_calls.js:
1792         (iterator.next):
1793         (iterable.Symbol.iterator):
1794         (__createIterableObject):
1795         (test):
1796         * tests/es6/spread_..._operator_with_instances_of_iterables_in_arrays.js:
1797         (iterator.next):
1798         (iterable.Symbol.iterator):
1799         (__createIterableObject):
1800         (test):
1801         * tests/es6/spread_..._operator_with_instances_of_iterables_in_calls.js:
1802         (iterator.next):
1803         (iterable.Symbol.iterator):
1804         (__createIterableObject):
1805         (test):
1806
1807 2016-04-13  Alex Christensen  <achristensen@webkit.org>
1808
1809         CMake MiniBrowser should be an app bundle
1810         https://bugs.webkit.org/show_bug.cgi?id=156521
1811
1812         Reviewed by Brent Fulgham.
1813
1814         * PlatformMac.cmake:
1815         Unreviewed build fix.  Define __STDC_WANT_LIB_EXT1__ so we can find memset_s.
1816
1817 2016-04-13  Joseph Pecoraro  <pecoraro@apple.com>
1818
1819         JSContext Inspector: Improve Class instances and JSC API Exported Values view in Console / ObjectTree
1820         https://bugs.webkit.org/show_bug.cgi?id=156566
1821         <rdar://problem/16392365>
1822
1823         Reviewed by Timothy Hatcher.
1824
1825         * inspector/InjectedScriptSource.js:
1826         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
1827         Treat non-basic object types as not lossless so they can be expanded.
1828         Show non-enumerable native getters in Object previews.
1829
1830 2016-04-13  Michael Saboff  <msaboff@apple.com>
1831
1832         Some tests fail with ES6 `u` (Unicode) flag for regular expressions
1833         https://bugs.webkit.org/show_bug.cgi?id=151597
1834
1835         Reviewed by Geoffrey Garen.
1836
1837         Added two new tables to handle the anomalies of \w and \W CharacterClassEscapes
1838         when specified in RegExps with both the unicode and ignoreCase flags.  Given the
1839         case folding rules described in the standard via the meta function Canonicalize(),
1840         which allow cross ASCII case folding when unicode is specified, the unicode characters
1841         \u017f (small sharp s) and \u212a (kelvin symbol) are part of the \w (word) characterClassEscape.
1842         This is true because they case fold to 's' and 'k' respectively.  Because they case fold
1843         to lower case letters, the corresponding letters, 'k', 'K', 's' and 'S', are also matched with
1844         \W with the unicode and ignoreCase flags.
1845
1846         * create_regex_tables:
1847         * yarr/YarrPattern.cpp:
1848         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
1849         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
1850         (JSC::Yarr::YarrPattern::YarrPattern):
1851         * yarr/YarrPattern.h:
1852         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
1853         (JSC::Yarr::YarrPattern::wordUnicodeIgnoreCaseCharCharacterClass):
1854         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
1855         (JSC::Yarr::YarrPattern::nonwordUnicodeIgnoreCaseCharCharacterClass):
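
        The \w and \W behaviour under the unicode and ignoreCase flags that the
        entry above describes, observed from JavaScript. This is an added example,
        not part of the ChangeLog or of Yarr; the `classify` helper is an assumption
        of the example. Which ASCII letters also satisfy \W under `ui` is exactly
        the inconsistency the entry discusses, and engines following later spec
        revisions answer it differently, so the example reports those results
        rather than fixing them.

```javascript
// Added example (not JSC code): how \w and \W classify U+017F, U+212A and
// plain ASCII letters under each combination of the `u` and `i` flags.

// Apply every flag combination to one character and record whether \w and \W
// match it. Returns e.g. { "": {...}, "i": {...}, "u": {...}, "ui": {...} }.
function classify(ch) {
  const result = {};
  for (const flags of ["", "i", "u", "ui"]) {
    result[flags] = {
      word: new RegExp("\\w", flags).test(ch),
      nonWord: new RegExp("\\W", flags).test(ch),
    };
  }
  return result;
}

// U+017F (LATIN SMALL LETTER LONG S) and U+212A (KELVIN SIGN) simple-case-fold
// to 's' and 'k'. Only with both `u` and `i` does Canonicalize() use that
// folding; without `u` it refuses to fold a non-ASCII character to ASCII, so
// only the "ui" row treats these two as word characters.
function longSAndKelvin() {
  return { longS: classify("\u017f"), kelvin: classify("\u212a") };
}

// ASCII letters are \w under every flag combination. Whether 'k', 'K', 's'
// and 'S' additionally match \W under `ui` (the anomaly the entry describes)
// is reported here, not asserted, because it depends on the spec revision the
// engine implements.
function asciiLetters() {
  return {
    k: classify("k"),
    K: classify("K"),
    s: classify("s"),
    S: classify("S"),
  };
}
```

        The cross-ASCII folding is the security-relevant detail: a `\w`-based
        allow-list compiled with `ui` admits U+017F and U+212A, which a byte-level
        check elsewhere in the same system will not recognise as 's' or 'k'.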
1856
1857 2016-04-13  Commit Queue  <commit-queue@webkit.org>
1858
1859         Unreviewed, rolling out r199502 and r199511.
1860         https://bugs.webkit.org/show_bug.cgi?id=156557
1861
1862         Appears to have in-browser perf regression (Requested by mlam
1863         on #webkit).
1864
1865         Reverted changesets:
1866
1867         "ES6: Implement String.prototype.split and
1868         RegExp.prototype[@@split]."
1869         https://bugs.webkit.org/show_bug.cgi?id=156013
1870         http://trac.webkit.org/changeset/199502
1871
1872         "ES6: Implement RegExp.prototype[@@search]."
1873         https://bugs.webkit.org/show_bug.cgi?id=156331
1874         http://trac.webkit.org/changeset/199511
1875
1876 2016-04-13  Keith Miller  <keith_miller@apple.com>
1877
1878         isJSArray should use ArrayType rather than the ClassInfo
1879         https://bugs.webkit.org/show_bug.cgi?id=156551
1880
1881         Reviewed by Filip Pizlo.
1882
1883         Using the JSType rather than the ClassInfo should be slightly faster
1884         since the type is inline on the cell whereas the ClassInfo is only
1885         on the structure.
1886
1887         * runtime/JSArray.h:
1888         (JSC::isJSArray):
1889
1890 2016-04-13  Mark Lam  <mark.lam@apple.com>
1891
1892         ES6: Implement RegExp.prototype[@@search].
1893         https://bugs.webkit.org/show_bug.cgi?id=156331
1894
1895         Reviewed by Keith Miller.
1896
1897         What changed?
1898         1. Implemented search builtin in RegExpPrototype.js.
1899            The native path is now used as a fast path.
1900         2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
1901            IsJSArrayIntrinsic).
1902         3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
1903         4. Changed the esSpecIsRegExpObject() implementation to check if the object's
1904            JSType is RegExpObjectType instead of walking the classinfo chain.
1905
1906         * builtins/RegExpPrototype.js:
1907         (search):
1908         * builtins/StringPrototype.js:
1909         (search):
1910         - fixed some indentation.
1911
1912         * dfg/DFGAbstractInterpreterInlines.h:
1913         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1914         * dfg/DFGByteCodeParser.cpp:
1915         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1916         * dfg/DFGClobberize.h:
1917         (JSC::DFG::clobberize):
1918         * dfg/DFGDoesGC.cpp:
1919         (JSC::DFG::doesGC):
1920         * dfg/DFGFixupPhase.cpp:
1921         (JSC::DFG::FixupPhase::fixupNode):
1922         * dfg/DFGNodeType.h:
1923         * dfg/DFGPredictionPropagationPhase.cpp:
1924         (JSC::DFG::PredictionPropagationPhase::propagate):
1925         * dfg/DFGSafeToExecute.h:
1926         (JSC::DFG::safeToExecute):
1927         * dfg/DFGSpeculativeJIT.cpp:
1928         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1929         (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
1930         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1931         * dfg/DFGSpeculativeJIT.h:
1932         * dfg/DFGSpeculativeJIT32_64.cpp:
1933         (JSC::DFG::SpeculativeJIT::compile):
1934         * dfg/DFGSpeculativeJIT64.cpp:
1935         (JSC::DFG::SpeculativeJIT::compile):
1936         * ftl/FTLCapabilities.cpp:
1937         (JSC::FTL::canCompile):
1938         * ftl/FTLLowerDFGToB3.cpp:
1939         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1940         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
1941         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
1942         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
1943         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
1944         (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
1945         (JSC::FTL::DFG::LowerDFGToB3::isType):
1946         * runtime/Intrinsic.h:
1947         - Added IsRegExpObjectIntrinsic.
1948
1949         * runtime/CommonIdentifiers.h:
1950
1951         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1952         (JSC::esSpecIsConstructor):
1953         - Changed to use uncheckedArgument since this is only called from internal code.
1954         (JSC::esSpecIsRegExpObject):
1955         (JSC::esSpecIsRegExp): Deleted.
1956         * runtime/ECMAScriptSpecInternalFunctions.h:
1957         - Changed to check the object for a JSType of RegExpObjectType.
1958
1959         * runtime/JSGlobalObject.cpp:
1960         (JSC::JSGlobalObject::init):
1961         - Added split fast path.
1962
1963         * runtime/RegExpPrototype.cpp:
1964         (JSC::RegExpPrototype::finishCreation):
1965         (JSC::regExpProtoFuncSearchFast):
1966         (JSC::regExpProtoFuncSearch): Deleted.
1967         * runtime/RegExpPrototype.h:
1968
1969         * tests/es6.yaml:
1970         * tests/stress/regexp-search.js:
1971         - Rebased test.
1972
1973 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
1974
1975         PolymorphicAccess::regenerate() shouldn't have to clone non-generated AccessCases
1976         https://bugs.webkit.org/show_bug.cgi?id=156493
1977
1978         Reviewed by Geoffrey Garen.
1979
1980         Cloning AccessCases is only necessary if they hold some artifacts that are used by code that
1981         they already generated. So, if the state is not Generated, we don't have to bother with
1982         cloning them.
1983
1984         This should speed up PolymorphicAccess regeneration a bit more.
1985
1986         * bytecode/PolymorphicAccess.cpp:
1987         (JSC::AccessCase::commit):
1988         (JSC::PolymorphicAccess::regenerate):
1989
1990 2016-04-13  Mark Lam  <mark.lam@apple.com>
1991
1992         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1993         https://bugs.webkit.org/show_bug.cgi?id=156013
1994
1995         Reviewed by Keith Miller.
1996
1997         Re-landing r199393 now that the shadow chicken crash has been fixed.
1998
1999         * CMakeLists.txt:
2000         * JavaScriptCore.xcodeproj/project.pbxproj:
2001         * builtins/GlobalObject.js:
2002         (speciesConstructor):
2003         * builtins/PromisePrototype.js:
2004         - refactored to use the @speciesConstructor internal function.
2005
2006         * builtins/RegExpPrototype.js:
2007         (advanceStringIndex):
2008         - refactored from @advanceStringIndexUnicode() to match the spec.
2009           Benchmarks show that there's no advantage in doing the unicode check outside
2010           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
2011           spec (especially since @@split needs to call advanceStringIndex from more than
2012           1 location).
2013         (match):
2014         - Removed an unnecessary call to @Object because it was already proven above.
2015         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
2016           Again, there's no perf regression for this.
2017         (regExpExec):
2018         (hasObservableSideEffectsForRegExpSplit):
2019         (split):
2020         (advanceStringIndexUnicode): Deleted.
2021
2022         * builtins/StringPrototype.js:
2023         (split):
2024         - Modified to use RegExp.prototype[@@split].
2025
2026         * bytecode/BytecodeIntrinsicRegistry.cpp:
2027         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2028         (JSC::BytecodeIntrinsicRegistry::lookup):
2029         * bytecode/BytecodeIntrinsicRegistry.h:
2030         - Added the @@split symbol.
2031
2032         * runtime/CommonIdentifiers.h:
2033         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
2034         (JSC::esSpecIsConstructor):
2035         (JSC::esSpecIsRegExp):
2036         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
2037
2038         * runtime/JSGlobalObject.cpp:
2039         (JSC::getGetterById):
2040         (JSC::JSGlobalObject::init):
2041
2042         * runtime/PropertyDescriptor.cpp:
2043         (JSC::PropertyDescriptor::setDescriptor):
2044         - Removed an assert that is no longer valid.
2045
2046         * runtime/RegExpObject.h:
2047         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
2048           fast path.
2049
2050         * runtime/RegExpPrototype.cpp:
2051         (JSC::RegExpPrototype::finishCreation):
2052         (JSC::regExpProtoFuncExec):
2053         (JSC::regExpProtoFuncSearch):
2054         (JSC::advanceStringIndex):
2055         (JSC::regExpProtoFuncSplitFast):
2056         * runtime/RegExpPrototype.h:
2057
2058         * runtime/StringObject.h:
2059         (JSC::jsStringWithReuse):
2060         (JSC::jsSubstring):
2061         - Hoisted some utility functions from StringPrototype.cpp so that they can be
2062           reused by the regexp split fast path.
2063
2064         * runtime/StringPrototype.cpp:
2065         (JSC::StringPrototype::finishCreation):
2066         (JSC::stringProtoFuncSplitFast):
2067         (JSC::stringProtoFuncSubstr):
2068         (JSC::builtinStringSubstrInternal):
2069         (JSC::stringProtoFuncSubstring):
2070         (JSC::stringIncludesImpl):
2071         (JSC::stringProtoFuncIncludes):
2072         (JSC::builtinStringIncludesInternal):
2073         (JSC::jsStringWithReuse): Deleted.
2074         (JSC::jsSubstring): Deleted.
2075         (JSC::stringProtoFuncSplit): Deleted.
2076         * runtime/StringPrototype.h:
2077
2078         * tests/es6.yaml:
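
        The AdvanceStringIndex step that the @@split implementation in the entry
        above calls from more than one place, written out per the ES2015 algorithm
        and shown beside its observable effect on String.prototype.split. This is
        an added example, not JSC's builtins/RegExpPrototype.js; the `segments`
        and `splitComparison` helpers and the sample string are assumptions of the
        example.

```javascript
// Added example (not JSC code): AdvanceStringIndex(S, index, unicode) from
// the ES2015 RegExp algorithms, and why @@split needs it under the `u` flag.

// Step past one code point when `unicode` is set, otherwise past one code
// unit. The surrogate-pair check is what keeps a split position from landing
// between the two halves of an astral character.
function advanceStringIndex(S, index, unicode) {
  if (!unicode) return index + 1;
  const length = S.length;
  if (index + 1 >= length) return index + 1;
  const first = S.charCodeAt(index);
  if (first < 0xd800 || first > 0xdbff) return index + 1;
  const second = S.charCodeAt(index + 1);
  if (second < 0xdc00 || second > 0xdfff) return index + 1;
  return index + 2;
}

// Walk a string with AdvanceStringIndex and return the pieces visited; this is
// the sequence of positions an empty-pattern split steps through.
function segments(S, unicode) {
  const out = [];
  let q = 0;
  while (q < S.length) {
    const next = advanceStringIndex(S, q, unicode);
    out.push(S.slice(q, next));
    q = next;
  }
  return out;
}

// The same string split on an empty regexp with and without `u`, next to the
// manual walk. Without `u` the astral character is cut into two lone
// surrogates, which is the kind of output a downstream consumer may reject or
// mis-decode.
function splitComparison() {
  const s = "a\u{1F600}b"; // constructed sample: 'a', U+1F600, 'b'
  return {
    manualUnicode: segments(s, true),
    manualUnits: segments(s, false),
    builtinUnicode: s.split(/(?:)/u),
    builtinUnits: s.split(/(?:)/),
  };
}
```

        The manual walk and the built-in split agree in both modes, which is the
        property the entry relies on when it replaces the separate
        advanceStringIndexUnicode path with the spec's single function.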
2079
2080 2016-04-13  Mark Lam  <mark.lam@apple.com>
2081
2082         ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
2083         https://bugs.webkit.org/show_bug.cgi?id=156532
2084
2085         Reviewed by Saam Barati and Filip Pizlo.
2086
2087         ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in
2088         the callee field of a log packet.  However, ShadowChicken::visitChildren()
2089         unconditionally visits the callee field of each packet as if they are real
2090         objects.  If visitChildren() encounters one of these markers in the log, we get a
2091         crash.
2092
2093         This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow
2094         chicken when r199393 landed.  r199393 introduced tail calls to a RegExp split
2095         fast path, and the v8-regexp.js test exercised this fast path a lot.  Throw in
2096         some timely GCs, and we get a crash party.
2097
2098         The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and
2099         throwMarker.
2100
2101         Alternatively, if perf is an issue, we can allocate 2 dedicated objects for
2102         these markers so that ShadowChicken can continue to visit them.  For now, I'm
2103         going with the filter.
2104
2105         * interpreter/ShadowChicken.cpp:
2106         (JSC::ShadowChicken::visitChildren):
2107
2108 2016-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2109
2110         [ES6] Add @@toStringTag to GeneratorFunction
2111         https://bugs.webkit.org/show_bug.cgi?id=156499
2112
2113         Reviewed by Mark Lam.
2114
2115         GeneratorFunction.prototype has @@toStringTag property, "GeneratorFunction".
2116         https://tc39.github.io/ecma262/#sec-generatorfunction.prototype-@@tostringtag
2117
2118         * runtime/GeneratorFunctionPrototype.cpp:
2119         (JSC::GeneratorFunctionPrototype::finishCreation):
2120         * tests/es6.yaml:
2121         * tests/es6/well-known_symbols_Symbol.toStringTag_new_built-ins.js: Added.
2122         (test):
2123
2124 2016-04-13  Alberto Garcia  <berto@igalia.com>
2125
2126         Fix build in glibc-based BSD systems
2127         https://bugs.webkit.org/show_bug.cgi?id=156533
2128
2129         Reviewed by Carlos Garcia Campos.
2130
2131         Change the order of the #elif conditionals so glibc-based BSD
2132         systems (e.g. Debian GNU/kFreeBSD) use the code inside the
2133         OS(FREEBSD) blocks.
2134
2135         * heap/MachineStackMarker.cpp:
2136         (JSC::MachineThreads::Thread::Registers::stackPointer):
2137         (JSC::MachineThreads::Thread::Registers::framePointer):
2138         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2139         (JSC::MachineThreads::Thread::Registers::llintPC):
2140
2141 2016-04-12  Keith Miller  <keith_miller@apple.com>
2142
2143         Unreviewed undo change from ArrayClass to ArrayWithUndecided, which
2144         was not intended to land with r199397.
2145
2146         * runtime/ArrayPrototype.h:
2147         (JSC::ArrayPrototype::createStructure):
2148
2149 2016-04-12  Mark Lam  <mark.lam@apple.com>
2150
2151         Rollout: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
2152         https://bugs.webkit.org/show_bug.cgi?id=156013
2153
2154         Speculative rollout to fix 32-bit shadow-chicken.yaml/tests/v8-v6/v8-regexp.js.shadow-chicken test failure.
2155
2156         Not reviewed.
2157
2158         * CMakeLists.txt:
2159         * JavaScriptCore.xcodeproj/project.pbxproj:
2160         * builtins/GlobalObject.js:
2161         (speciesGetter):
2162         (speciesConstructor): Deleted.
2163         * builtins/PromisePrototype.js:
2164         * builtins/RegExpPrototype.js:
2165         (advanceStringIndexUnicode):
2166         (match):
2167         (advanceStringIndex): Deleted.
2168         (regExpExec): Deleted.
2169         (hasObservableSideEffectsForRegExpSplit): Deleted.
2170         (split): Deleted.
2171         * builtins/StringPrototype.js:
2172         (repeat):
2173         (split): Deleted.
2174         * bytecode/BytecodeIntrinsicRegistry.cpp:
2175         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2176         (JSC::BytecodeIntrinsicRegistry::lookup):
2177         * bytecode/BytecodeIntrinsicRegistry.h:
2178         * runtime/CommonIdentifiers.h:
2179         * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed.
2180         * runtime/ECMAScriptSpecInternalFunctions.h: Removed.
2181         * runtime/JSGlobalObject.cpp:
2182         (JSC::JSGlobalObject::setGlobalThis):
2183         (JSC::JSGlobalObject::init):
2184         (JSC::getGetterById): Deleted.
2185         * runtime/PropertyDescriptor.cpp:
2186         (JSC::PropertyDescriptor::setDescriptor):
2187         * runtime/RegExpObject.h:
2188         (JSC::RegExpObject::offsetOfLastIndexIsWritable):
2189         * runtime/RegExpPrototype.cpp:
2190         (JSC::RegExpPrototype::finishCreation):
2191         (JSC::regExpProtoFuncExec):
2192         (JSC::regExpProtoFuncSearch):
2193         (JSC::advanceStringIndex): Deleted.
2194         (JSC::regExpProtoFuncSplitFast): Deleted.
2195         * runtime/RegExpPrototype.h:
2196         * runtime/StringObject.h:
2197         (JSC::jsStringWithReuse): Deleted.
2198         (JSC::jsSubstring): Deleted.
2199         * runtime/StringPrototype.cpp:
2200         (JSC::StringPrototype::finishCreation):
2201         (JSC::jsStringWithReuse):
2202         (JSC::jsSubstring):
2203         (JSC::substituteBackreferencesSlow):
2204         (JSC::splitStringByOneCharacterImpl):
2205         (JSC::stringProtoFuncSplit):
2206         (JSC::stringProtoFuncSubstr):
2207         (JSC::stringProtoFuncSubstring):
2208         (JSC::stringProtoFuncEndsWith):
2209         (JSC::stringProtoFuncIncludes):
2210         (JSC::stringProtoFuncIterator):
2211         (JSC::stringProtoFuncSplitFast): Deleted.
2212         (JSC::builtinStringSubstrInternal): Deleted.
2213         (JSC::stringIncludesImpl): Deleted.
2214         (JSC::builtinStringIncludesInternal): Deleted.
2215         * runtime/StringPrototype.h:
2216         * tests/es6.yaml:
2217
2218 2016-04-12  Mark Lam  <mark.lam@apple.com>
2219
2220         Remove 2 unused JSC options.
2221         https://bugs.webkit.org/show_bug.cgi?id=156526
2222
2223         Reviewed by Benjamin Poulain.
2224
2225         The options JSC_assertICSizing and JSC_dumpFailedICSizing are no longer in use
2226         now that we have B3.
2227
2228         * runtime/Options.h:
2229
2230 2016-04-12  Keith Miller  <keith_miller@apple.com>
2231
2232         [ES6] Add support for Symbol.isConcatSpreadable.
2233         https://bugs.webkit.org/show_bug.cgi?id=155351
2234
2235         Reviewed by Saam Barati.
2236
2237         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
2238         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
2239         a builtin performant. First, four new DFG intrinsics were added.
2240
2241         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
2242            the Array.isArray function.
2243         2) IsJSArray: checks the first child is a JSArray object.
2244         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
2245         4) CallObjectConstructor: an intrinsic of the Object constructor.
2246
2247         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
2248         we are able to prove that the first child is an Array or for ToObject an Object.
2249
2250         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
2251         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
2252         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
2253         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
2254         into a contiguous array).
2255
2256         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
2257         values onto the result array. This works roughly the same as the two array fast path using the same methodology
2258         to decide if we can memcpy the other butterfly into the result butterfly.
2259
2260         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
2261         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
2262         dataLog function on it.
2263
2264         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
2265         JSValueOperand if the operand's use count is one.
2266
2267         * JavaScriptCore.xcodeproj/project.pbxproj:
2268         * builtins/ArrayPrototype.js:
2269         (concatSlowPath):
2270         (concat):
2271         * bytecode/BytecodeIntrinsicRegistry.cpp:
2272         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2273         * bytecode/BytecodeIntrinsicRegistry.h:
2274         * dfg/DFGAbstractInterpreterInlines.h:
2275         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2276         * dfg/DFGByteCodeParser.cpp:
2277         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2278         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2279         * dfg/DFGClobberize.h:
2280         (JSC::DFG::clobberize):
2281         * dfg/DFGDoesGC.cpp:
2282         (JSC::DFG::doesGC):
2283         * dfg/DFGFixupPhase.cpp:
2284         (JSC::DFG::FixupPhase::fixupNode):
2285         * dfg/DFGNodeType.h:
2286         * dfg/DFGOperations.cpp:
2287         * dfg/DFGOperations.h:
2288         * dfg/DFGPredictionPropagationPhase.cpp:
2289         (JSC::DFG::PredictionPropagationPhase::propagate):
2290         * dfg/DFGSafeToExecute.h:
2291         (JSC::DFG::safeToExecute):
2292         * dfg/DFGSpeculativeJIT.cpp:
2293         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2294         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
2295         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
2296         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
2297         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
2298         * dfg/DFGSpeculativeJIT.h:
2299         (JSC::DFG::SpeculativeJIT::callOperation):
2300         * dfg/DFGSpeculativeJIT32_64.cpp:
2301         (JSC::DFG::SpeculativeJIT::compile):
2302         * dfg/DFGSpeculativeJIT64.cpp:
2303         (JSC::DFG::SpeculativeJIT::compile):
2304         * ftl/FTLCapabilities.cpp:
2305         (JSC::FTL::canCompile):
2306         * ftl/FTLLowerDFGToB3.cpp:
2307         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2308         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
2309         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
2310         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
2311         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
2312         (JSC::FTL::DFG::LowerDFGToB3::isArray):
2313         * jit/JITOperations.h:
2314         * jsc.cpp:
2315         (GlobalObject::finishCreation):
2316         (functionDataLogValue):
2317         * runtime/ArrayConstructor.cpp:
2318         (JSC::ArrayConstructor::finishCreation):
2319         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
2320         * runtime/ArrayConstructor.h:
2321         (JSC::isArrayConstructor):
2322         * runtime/ArrayPrototype.cpp:
2323         (JSC::ArrayPrototype::finishCreation):
2324         (JSC::arrayProtoPrivateFuncIsJSArray):
2325         (JSC::moveElements):
2326         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2327         (JSC::arrayProtoPrivateFuncAppendMemcpy):
2328         (JSC::arrayProtoFuncConcat): Deleted.
2329         * runtime/ArrayPrototype.h:
2330         (JSC::ArrayPrototype::createStructure):
2331         * runtime/CommonIdentifiers.h:
2332         * runtime/Intrinsic.h:
2333         * runtime/JSArray.cpp:
2334         (JSC::JSArray::appendMemcpy):
2335         (JSC::JSArray::fastConcatWith): Deleted.
2336         * runtime/JSArray.h:
2337         (JSC::JSArray::createStructure):
2338         (JSC::JSArray::fastConcatType): Deleted.
2339         * runtime/JSArrayInlines.h: Added.
2340         (JSC::JSArray::memCopyWithIndexingType):
2341         (JSC::JSArray::canFastCopy):
2342         * runtime/JSGlobalObject.cpp:
2343         (JSC::JSGlobalObject::init):
2344         * runtime/JSType.h:
2345         * runtime/ObjectConstructor.h:
2346         (JSC::constructObject):
2347         * tests/es6.yaml:
2348         * tests/stress/array-concat-spread-object.js: Added.
2349         (arrayEq):
2350         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
2351         (arrayEq):
2352         * tests/stress/array-concat-spread-proxy.js: Added.
2353         (arrayEq):
2354         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
2355         (arrayEq):
2356         * tests/stress/array-species-config-array-constructor.js:
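
The following is an added example, not part of this ChangeLog entry or of the JSC sources. It shows Symbol.isConcatSpreadable from the script side: the default spreading rules, an array-like forced to spread, a real array prevented from spreading, and the proxy case covered by the new array-concat-spread-proxy tests, where every element read is a trap call that may throw, so a memcpy fast path must not be taken. It assumes an ES2015+ host such as Node.js; the function names are chosen here and are not JSC identifiers.

```javascript
// Added example (not JSC source): Symbol.isConcatSpreadable as seen from JavaScript,
// including the proxy case that a memcpy fast path must bail out of.
// Assumes an ES2015+ host such as Node.js.

// Default behaviour: arrays spread, everything else is appended as one element,
// including an array-like object.
function concatDefault() {
  return [1].concat([2, 3], 'x', { length: 1, 0: 'y' });
}

// An array-like becomes spreadable when the symbol is true; concat then reads
// its length and each indexed property.
function concatSpreadArrayLike() {
  const arrayLike = { length: 2, 0: 'a', 1: 'b', [Symbol.isConcatSpreadable]: true };
  return [0].concat(arrayLike);
}

// A real array stops spreading when the symbol is false.
function concatNoSpreadArray() {
  const arr = [1, 2];
  arr[Symbol.isConcatSpreadable] = false;
  return [0].concat(arr);
}

// A Proxy around an array is still IsArray(true), so concat spreads it, but each
// property read goes through the handler and may throw. A fast path that copied the
// target's storage directly would skip these traps and swallow the throw; the spread
// must stop at the poisoned index and propagate the exception.
function concatThroughThrowingProxy() {
  const trapped = [];
  const proxy = new Proxy([10, 20, 30], {
    get(target, key, receiver) {
      trapped.push(String(key));
      if (key === '1') throw new RangeError('element 1 is poisoned');
      return Reflect.get(target, key, receiver);
    },
  });
  try {
    const result = [0].concat(proxy);
    return { threw: false, result, trapped };
  } catch (e) {
    return { threw: e instanceof RangeError, result: null, trapped };
  }
}

// A well-behaved proxy is spread element by element through the generic path.
function concatThroughBenignProxy() {
  const proxy = new Proxy(['p', 'q'], {});
  return [0].concat(proxy);
}
```

The throwing-proxy case is the one to keep in mind when reviewing any "copy the butterfly" optimization: the check that licenses the memcpy has to prove the argument is a plain JSArray with a compatible indexing type, not merely something for which Array.isArray returns true.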
2357
2358 2016-04-12  Saam barati  <sbarati@apple.com>
2359
2360         Let's not iterate over the constant pool twice every time we link a code block
2361         https://bugs.webkit.org/show_bug.cgi?id=156517
2362
2363         Reviewed by Mark Lam.
2364
2365         I introduced a second iteration over the constant pool when I implemented
2366         block scoping. I did this because we must clone all the symbol tables when
2367         we link a CodeBlock. We can just do this cloning when setting the constant
2368         registers for the first time. There is no need to iterate over the constant
2369         pool a second time.
2370
2371         * bytecode/CodeBlock.cpp:
2372         (JSC::CodeBlock::finishCreation):
2373         (JSC::CodeBlock::~CodeBlock):
2374         (JSC::CodeBlock::setConstantRegisters):
2375         (JSC::CodeBlock::setAlternative):
2376         * bytecode/CodeBlock.h:
2377         (JSC::CodeBlock::replaceConstant):
2378         (JSC::CodeBlock::setConstantRegisters): Deleted.
2379
2380 2016-04-12  Mark Lam  <mark.lam@apple.com>
2381
2382         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
2383         https://bugs.webkit.org/show_bug.cgi?id=156013
2384
2385         Reviewed by Keith Miller.
2386
2387         * CMakeLists.txt:
2388         * JavaScriptCore.xcodeproj/project.pbxproj:
2389         * builtins/GlobalObject.js:
2390         (speciesConstructor):
2391         * builtins/PromisePrototype.js:
2392         - refactored to use the @speciesConstructor internal function.
2393
2394         * builtins/RegExpPrototype.js:
2395         (advanceStringIndex):
2396         - refactored from @advanceStringIndexUnicode() to match the spec.
2397           Benchmarks show that there's no advantage in doing the unicode check outside
2398           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
2399           spec (especially since @@split needs to call advanceStringIndex from more than
2400           1 location).
2401         (match):
2402         - Removed an unnecessary call to @Object because it was already proven above.
2403         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
2404           Again, there's no perf regression for this.
2405         (regExpExec):
2406         (hasObservableSideEffectsForRegExpSplit):
2407         (split):
2408         (advanceStringIndexUnicode): Deleted.
2409
2410         * builtins/StringPrototype.js:
2411         (split):
2412         - Modified to use RegExp.prototype[@@split].
2413
2414         * bytecode/BytecodeIntrinsicRegistry.cpp:
2415         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2416         (JSC::BytecodeIntrinsicRegistry::lookup):
2417         * bytecode/BytecodeIntrinsicRegistry.h:
2418         - Added the @@split symbol.
2419
2420         * runtime/CommonIdentifiers.h:
2421         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
2422         (JSC::esSpecIsConstructor):
2423         (JSC::esSpecIsRegExp):
2424         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
2425
2426         * runtime/JSGlobalObject.cpp:
2427         (JSC::getGetterById):
2428         (JSC::JSGlobalObject::init):
2429
2430         * runtime/PropertyDescriptor.cpp:
2431         (JSC::PropertyDescriptor::setDescriptor):
2432         - Removed an assert that is no longer valid.
2433
2434         * runtime/RegExpObject.h:
2435         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
2436           fast path.
2437
2438         * runtime/RegExpPrototype.cpp:
2439         (JSC::RegExpPrototype::finishCreation):
2440         (JSC::regExpProtoFuncExec):
2441         (JSC::regExpProtoFuncSearch):
2442         (JSC::advanceStringIndex):
2443         (JSC::regExpProtoFuncSplitFast):
2444         * runtime/RegExpPrototype.h:
2445
2446         * runtime/StringObject.h:
2447         (JSC::jsStringWithReuse):
2448         (JSC::jsSubstring):
2449         - Hoisted some utility functions from StringPrototype.cpp so that they can be
2450           reused by the regexp split fast path.
2451
2452         * runtime/StringPrototype.cpp:
2453         (JSC::StringPrototype::finishCreation):
2454         (JSC::stringProtoFuncSplitFast):
2455         (JSC::stringProtoFuncSubstr):
2456         (JSC::builtinStringSubstrInternal):
2457         (JSC::stringProtoFuncSubstring):
2458         (JSC::stringIncludesImpl):
2459         (JSC::stringProtoFuncIncludes):
2460         (JSC::builtinStringIncludesInternal):
2461         (JSC::jsStringWithReuse): Deleted.
2462         (JSC::jsSubstring): Deleted.
2463         (JSC::stringProtoFuncSplit): Deleted.
2464         * runtime/StringPrototype.h:
2465
2466         * tests/es6.yaml:
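
The following is an added example, not part of this ChangeLog entry or of the JSC sources. It shows the hooks in String.prototype.split and RegExp.prototype[@@split] that script can observe, and therefore the things a native fast path such as the one guarded by hasObservableSideEffectsForRegExpSplit has to check before skipping the spec algorithm: a user-defined @@split, the Symbol.species construction of the sticky splitter, and a replaced RegExp.prototype.exec. It assumes an ES2015+ host such as Node.js; the class and function names are chosen here and are not JSC identifiers.

```javascript
// Added example (not JSC source): the observable hooks in String.prototype.split /
// RegExp.prototype[Symbol.split] that a native fast path has to check before it can
// skip the spec algorithm. Assumes an ES2015+ host such as Node.js.

// Baseline with untouched built-ins.
function plainSplit(str, sep) {
  return str.split(sep);
}

// String.prototype.split delegates to sep[Symbol.split] whenever it exists, so a
// subclass (or any object) can replace the algorithm wholesale.
class TaggedRegExp extends RegExp {
  [Symbol.split](str, limit) {
    return super[Symbol.split](str, limit).map((part) => `<${part}>`);
  }
}

function splitWithCustomSymbolSplit(str) {
  return str.split(new TaggedRegExp(','));
}

// RegExp.prototype[Symbol.split] builds its splitter via SpeciesConstructor(rx, %RegExp%)
// with the sticky flag appended, so a Symbol.species override observes the construction
// and the exact flags passed.
function observeSpeciesConstruction(str) {
  const seen = [];
  class Spy extends RegExp {
    static get [Symbol.species]() {
      return function SpyCtor(source, flags) {
        seen.push(flags);
        return new RegExp(source, flags); // returning an object overrides `this`
      };
    }
  }
  const result = str.split(new Spy('-', 'g'));
  return { result, seen };
}

// RegExpExec looks up "exec" on the splitter, so a patched RegExp.prototype.exec is
// invoked for every probe position. This is the kind of side effect the guard in this
// patch exists to detect: once exec is replaced, the fast path is no longer valid.
function splitWithPatchedExec(str) {
  const originalExec = RegExp.prototype.exec;
  let execCalls = 0;
  RegExp.prototype.exec = function patchedExec(s) {
    execCalls += 1;
    return originalExec.call(this, s);
  };
  try {
    return { result: str.split(/,/), execCalls };
  } finally {
    RegExp.prototype.exec = originalExec; // always undo the global patch
  }
}
```

Each of these three hooks is reachable from untrusted page script, which is why a fast path that bypasses them must re-validate the RegExp's structure, its `exec`, and the species constructor every time rather than once at startup.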
2467
2468 2016-04-12  Keith Miller  <keith_miller@apple.com>
2469
2470         AbstractValue should use the result type to filter structures
2471         https://bugs.webkit.org/show_bug.cgi?id=156516
2472
2473         Reviewed by Geoffrey Garen.
2474
2475         When filtering an AbstractValue with a SpeculatedType we would not use the merged type when
2476         filtering out the valid structures (despite what the comment directly above said). This
2477         would cause us to crash if our structure-set was Top and the two speculated types were
2478         different kinds of cells.
2479
2480         * dfg/DFGAbstractValue.cpp:
2481         (JSC::DFG::AbstractValue::filter):
2482         * tests/stress/ai-consistency-filter-cells.js: Added.
2483         (get value):
2484         (attribute.value.get record):
2485         (attribute.attrs.get this):
2486         (get foo):
2487         (let.thisValue.return.serialize):
2488         (let.thisValue.transformFor):
2489
2490 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
2491
2492         Unreviewed, remove FIXME for https://bugs.webkit.org/show_bug.cgi?id=156457 and replace it
2493         with a comment that describes what we do now.
2494
2495         * bytecode/PolymorphicAccess.h:
2496
2497 2016-04-12  Saam barati  <sbarati@apple.com>
2498
2499         isLocked() assertion broke builds because ConcurrentJITLock isn't always a real lock.
2500
2501         Rubber-stamped by Filip Pizlo.
2502
2503         * bytecode/CodeBlock.cpp:
2504         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2505         (JSC::CodeBlock::ensureResultProfile):
2506
2507 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
2508
2509         PolymorphicAccess should buffer AccessCases before regenerating
2510         https://bugs.webkit.org/show_bug.cgi?id=156457
2511
2512         Reviewed by Benjamin Poulain.
2513
2514         Prior to this change, whenever we added an AccessCase to a PolymorphicAccess, we would
2515         regenerate the whole stub. That meant that we'd do O(N^2) work for N access cases.
2516
2517         One way to fix this is to have each AccessCase generate a stub just for itself, which
2518         cascades down to the already-generated cases. But that removes the binary switch
2519         optimization, which makes the IC perform great even when there are many cases.
2520
2521         This change fixes the issue by buffering access cases. When we take slow path and try to add
2522         a new case, the StructureStubInfo will usually just buffer the new case without generating
2523         new code. We simply guarantee that after we buffer a case, we will take at most
2524         Options::repatchBufferingCountdown() slow path calls before generating code for it. That
2525         option is currently 7. Taking 7 more slow paths means that we have 7 more opportunities to
2526         gather more access cases, or to realize that this IC is too crazy to bother with.
2527
2528         This change ensures that the DFG still gets the same kind of profiling. This is because the
2529         buffered AccessCases are still part of PolymorphicAccess and so are still scanned by
2530         GetByIdStatus and PutByIdStatus. The fact that the AccessCases hadn't been generated and so
2531         hadn't executed doesn't change much. Mainly, it increases the likelihood that the DFG will
2532         see an access case that !couldStillSucceed(). The DFG's existing profile parsing logic can
2533         handle this just fine.
2534         
2535         There are a bunch of algorithmic changes here. StructureStubInfo now caches the set of
2536         structures that it has seen as a guard to prevent adding lots of redundant cases, in case
2537         we see the same 7 cases after buffering the first one. This cache means we won't wastefully
2538         allocate 7 identical AccessCase instances. PolymorphicAccess is now restructured around
2539         having separate addCase() and regenerate() calls. That means a bit more moving data around.
2540         So far that seems OK for performance, probably since it's O(N) work rather than O(N^2) work.
2541         There is room for improvement for future patches, to be sure.
2542         
2543         This is benchmarking as slightly positive or neutral on JS benchmarks. It's meant to reduce
2544         pathologies I saw in page loads.
2545
2546         * bytecode/GetByIdStatus.cpp:
2547         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2548         * bytecode/PolymorphicAccess.cpp:
2549         (JSC::PolymorphicAccess::PolymorphicAccess):
2550         (JSC::PolymorphicAccess::~PolymorphicAccess):
2551         (JSC::PolymorphicAccess::addCases):
2552         (JSC::PolymorphicAccess::addCase):
2553         (JSC::PolymorphicAccess::visitWeak):
2554         (JSC::PolymorphicAccess::dump):
2555         (JSC::PolymorphicAccess::commit):
2556         (JSC::PolymorphicAccess::regenerate):
2557         (JSC::PolymorphicAccess::aboutToDie):
2558         (WTF::printInternal):
2559         (JSC::PolymorphicAccess::regenerateWithCases): Deleted.
2560         (JSC::PolymorphicAccess::regenerateWithCase): Deleted.
2561         * bytecode/PolymorphicAccess.h:
2562         (JSC::AccessCase::isGetter):
2563         (JSC::AccessCase::callLinkInfo):
2564         (JSC::AccessGenerationResult::AccessGenerationResult):
2565         (JSC::AccessGenerationResult::madeNoChanges):
2566         (JSC::AccessGenerationResult::gaveUp):
2567         (JSC::AccessGenerationResult::buffered):
2568         (JSC::AccessGenerationResult::generatedNewCode):
2569         (JSC::AccessGenerationResult::generatedFinalCode):
2570         (JSC::AccessGenerationResult::shouldGiveUpNow):
2571         (JSC::AccessGenerationResult::generatedSomeCode):
2572         (JSC::PolymorphicAccess::isEmpty):
2573         (JSC::PolymorphicAccess::size):
2574         (JSC::PolymorphicAccess::at):
2575         * bytecode/PutByIdStatus.cpp:
2576         (JSC::PutByIdStatus::computeForStubInfo):
2577         * bytecode/StructureStubInfo.cpp:
2578         (JSC::StructureStubInfo::StructureStubInfo):
2579         (JSC::StructureStubInfo::addAccessCase):
2580         (JSC::StructureStubInfo::reset):
2581         (JSC::StructureStubInfo::visitWeakReferences):
2582         * bytecode/StructureStubInfo.h:
2583         (JSC::StructureStubInfo::considerCaching):
2584         (JSC::StructureStubInfo::willRepatch): Deleted.
2585         (JSC::StructureStubInfo::willCoolDown): Deleted.
2586         * jit/JITOperations.cpp:
2587         * jit/Repatch.cpp:
2588         (JSC::tryCacheGetByID):
2589         (JSC::repatchGetByID):
2590         (JSC::tryCachePutByID):
2591         (JSC::repatchPutByID):
2592         (JSC::tryRepatchIn):
2593         (JSC::repatchIn):
2594         * runtime/JSCJSValue.h:
2595         * runtime/JSCJSValueInlines.h:
2596         (JSC::JSValue::putByIndex):
2597         (JSC::JSValue::structureOrNull):
2598         (JSC::JSValue::structureOrUndefined):
2599         * runtime/Options.h:
2600
2601 2016-04-12  Saam barati  <sbarati@apple.com>
2602
2603         There is a race with the compiler thread and the main thread with result profiles
2604         https://bugs.webkit.org/show_bug.cgi?id=156503
2605
2606         Reviewed by Filip Pizlo.
2607
2608         The compiler thread should not be asking for a result
2609         profile while the execution thread is creating one.
2610         We must guard against such races with a lock.
2611
2612         * bytecode/CodeBlock.cpp:
2613         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2614         (JSC::CodeBlock::ensureResultProfile):
2615         (JSC::CodeBlock::capabilityLevel):
2616         * bytecode/CodeBlock.h:
2617         (JSC::CodeBlock::couldTakeSlowCase):
2618         (JSC::CodeBlock::numberOfResultProfiles):
2619         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
2620         (JSC::CodeBlock::ensureResultProfile): Deleted.
2621
2622 2016-04-12  Commit Queue  <commit-queue@webkit.org>
2623
2624         Unreviewed, rolling out r199339.
2625         https://bugs.webkit.org/show_bug.cgi?id=156505
2626
2627         memset_s is indeed necessary (Requested by alexchristensen_ on
2628         #webkit).
2629
2630         Reverted changeset:
2631
2632         "Build fix after r199299."
2633         https://bugs.webkit.org/show_bug.cgi?id=155508
2634         http://trac.webkit.org/changeset/199339
2635
2636 2016-04-12  Guillaume Emont  <guijemont@igalia.com>
2637
2638         MIPS: add MacroAssemblerMIPS::store8(TrustedImm32,ImplicitAddress)
2639         https://bugs.webkit.org/show_bug.cgi?id=156481
2640
2641         This method with this signature is used by r199075, and therefore
2642         WebKit doesn't build on MIPS since then.
2643
2644         Reviewed by Mark Lam.
2645
2646         * assembler/MacroAssemblerMIPS.h:
2647         (JSC::MacroAssemblerMIPS::store8):
2648
2649 2016-04-12  Saam barati  <sbarati@apple.com>
2650
2651         We incorrectly parse arrow function expressions
2652         https://bugs.webkit.org/show_bug.cgi?id=156373
2653
2654         Reviewed by Mark Lam.
2655
2656         This patch removes the notion of "isEndOfArrowFunction".
2657         This was a very weird function and it was incorrect.
2658         It checked that the arrow functions with concise body
2659         grammar production "had a valid ending". "had a valid
2660         ending" is in quotes because concise body arrow functions
2661         have a valid ending as long as their body has a valid
2662         assignment expression. I've removed all notion of this
2663         function because it was wrong and was causing us
2664         to throw syntax errors on valid programs.
2665
2666         * parser/Lexer.cpp:
2667         (JSC::Lexer<T>::nextTokenIsColon):
2668         (JSC::Lexer<T>::lex):
2669         (JSC::Lexer<T>::setTokenPosition): Deleted.
2670         * parser/Lexer.h:
2671         (JSC::Lexer::setIsReparsingFunction):
2672         (JSC::Lexer::isReparsingFunction):
2673         (JSC::Lexer::lineNumber):
2674         * parser/Parser.cpp:
2675         (JSC::Parser<LexerType>::parseInner):
2676         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2677         (JSC::Parser<LexerType>::parseFunctionInfo):
2678         * parser/Parser.h:
2679         (JSC::Parser::matchIdentifierOrKeyword):
2680         (JSC::Parser::tokenStart):
2681         (JSC::Parser::autoSemiColon):
2682         (JSC::Parser::canRecurse):
2683         (JSC::Parser::isEndOfArrowFunction): Deleted.
2684         (JSC::Parser::setEndOfStatement): Deleted.
2685         * tests/stress/arrowfunction-others.js:
2686         (testCase):
2687         (simpleArrowFunction):
2688         (truthy):
2689         (falsey):
2690
2691 2016-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2692
2693         [JSC] addStaticGlobals should emit SymbolTableEntry watchpoints to encourage constant folding in DFG
2694         https://bugs.webkit.org/show_bug.cgi?id=155110
2695
2696         Reviewed by Saam Barati.
2697
2698         `addStaticGlobals` does not emit SymbolTableEntry watchpoints for the added entries.
2699         So, all the global variable lookups pointing to these static globals are not converted
2700         into constants in DFGBytecodeGenerator: this fact leaves these lookups as GetGlobalVar.
2701         This removes any chance of constant folding and emits CheckCell for @privateFunction inlining.
2702         This operation is pure overhead.
2703
2704         Static globals are not configurable, and they are typically non-writable.
2705         So they are constants in almost all the cases.
2706
2707         This patch initializes watchpoints for these static globals.
2708         These watchpoints allow DFG to convert these nodes into constants in DFG BytecodeParser.
2709         These watchpoints include many builtin operations and `undefined`.
2710
2711         The microbenchmark, many-foreach-calls shows 5 - 7% improvement since it removes unnecessary CheckCell.
2712
2713         * bytecode/VariableWriteFireDetail.h:
2714         * runtime/JSGlobalObject.cpp:
2715         (JSC::JSGlobalObject::addGlobalVar):
2716         (JSC::JSGlobalObject::addStaticGlobals):
2717         * runtime/JSSymbolTableObject.h:
2718         (JSC::symbolTablePutTouchWatchpointSet):
2719         (JSC::symbolTablePutInvalidateWatchpointSet):
2720         (JSC::symbolTablePut):
2721         (JSC::symbolTablePutWithAttributesTouchWatchpointSet): Deleted.
2722         * runtime/SymbolTable.h:
2723         (JSC::SymbolTableEntry::SymbolTableEntry):
2724         (JSC::SymbolTableEntry::operator=):
2725         (JSC::SymbolTableEntry::swap):
2726
2727 2016-04-12  Alex Christensen  <achristensen@webkit.org>
2728
2729         Build fix after r199299.
2730         https://bugs.webkit.org/show_bug.cgi?id=155508
2731
2732         * jit/ExecutableAllocatorFixedVMPool.cpp:
2733         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2734         memset_s is not defined.  __STDC_WANT_LIB_EXT1__ is not defined anywhere.
2735         Since the return value is unused and set_constraint_handler_s is never called
2736         I'm changing it to memset.
2737
2738 2016-04-11  Benjamin Poulain  <bpoulain@apple.com>
2739
2740         [JSC] B3 can use undefined bits or not defined required bits when spilling
2741         https://bugs.webkit.org/show_bug.cgi?id=156486
2742
2743         Reviewed by Filip Pizlo.
2744
2745         Spilling had issues when replacing arguments in place.
2746
2747         The problems are:
2748         1) If we have a 32bit stackslot, an x86 instruction could still try to load 64bits from it.
2749         2) If we have a 64bit stackslot, Move32 would only set half the bits.
2750         3) We were reducing Move to Move32 even if the top bits are read from the stack slot.
2751
2752         Case 1 appears with something like this:
2753             Move32 %tmp0, %tmp1
2754             Op64 %tmp1, %tmp2, %tmp3
2755         When we spill %tmp1, the stack slot is 32bit, Move32 sets 32bits
2756         but Op64 supports addressing for %tmp1. When we substitute %tmp1 in Op64,
2757         we are creating a 64bit read for a 32bit stack slot.
2758
2759         Case 2 is another common one. If we have:
2760             BB#1
2761                 Move32 %tmp0, %tmp1
2762                 Jump #3
2763             BB#2
2764                 Op64 %tmp0, %tmp1
2765                 Jump #3
2766             BB#3
2767                 Use64 %tmp1
2768
2769         We have a stack slot of 64bits. When spilling %tmp1 in #1, we are
2770         effectively doing a 32bit store on the stack slot, leaving the top bits undefined.
2771
2772         Case 3 is pretty much the same as 2 but we create the Move32 ourselves
2773         because the source is 32bit with ZDef.
2774
2775         Case (1) is solved by requiring that the stack slot is at least as large as the largest
2776         use/def of that tmp.
2777
2778         Case (2) and (3) are solved by not replacing a Tmp by an Address if the Def
2779         is smaller than the stack slot.
2780
2781         * b3/air/AirIteratedRegisterCoalescing.cpp:
2782         * b3/testb3.cpp:
2783         (JSC::B3::testSpillDefSmallerThanUse):
2784         (JSC::B3::testSpillUseLargerThanDef):
2785         (JSC::B3::run):
2786
2787 2016-04-11  Brian Burg  <bburg@apple.com>
2788
2789         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
2790         https://bugs.webkit.org/show_bug.cgi?id=156407
2791         <rdar://problem/25627659>
2792
2793         Reviewed by Joseph Pecoraro.
2794
2795         There's no point having these subclasses as they don't save any space.
2796         Add a StringImpl to the union and merge some implementations of writeJSON.
2797
2798         Rename m_data to m_map and explicitly name the union as InspectorValue::m_value.
2799         If the value is a string and the string is not empty or null (i.e., it has a
2800         StringImpl), then we need to ref() and deref() the string as the InspectorValue
2801         is created or destroyed.
2802
2803         Move uses of the subclass to InspectorValue and delete redundant methods.
2804         Now, most InspectorValue methods are non-virtual so they can be templated.
2805
2806         * bindings/ScriptValue.cpp:
2807         (Deprecated::jsToInspectorValue):
2808         * inspector/InjectedScriptBase.cpp:
2809         (Inspector::InjectedScriptBase::makeCall):
2810         Don't use deleted subclasses.
2811
2812         * inspector/InspectorValues.cpp:
2813         (Inspector::InspectorValue::null):
2814         (Inspector::InspectorValue::create):
2815         (Inspector::InspectorValue::asValue):
2816         (Inspector::InspectorValue::asBoolean):
2817         (Inspector::InspectorValue::asDouble):
2818         (Inspector::InspectorValue::asInteger):
2819         (Inspector::InspectorValue::asString):
2820         These only need one implementation now.
2821
2822         (Inspector::InspectorValue::writeJSON):
2823         Still a virtual method since Object and Array need their members.
2824
2825         (Inspector::InspectorObjectBase::InspectorObjectBase):
2826         (Inspector::InspectorBasicValue::asBoolean): Deleted.
2827         (Inspector::InspectorBasicValue::asDouble): Deleted.
2828         (Inspector::InspectorBasicValue::asInteger): Deleted.
2829         (Inspector::InspectorBasicValue::writeJSON): Deleted.
2830         (Inspector::InspectorString::asString): Deleted.
2831         (Inspector::InspectorString::writeJSON): Deleted.
2832         (Inspector::InspectorString::create): Deleted.
2833         (Inspector::InspectorBasicValue::create): Deleted.
2834
2835         * inspector/InspectorValues.h:
2836         (Inspector::InspectorObjectBase::find):
2837         (Inspector::InspectorObjectBase::setBoolean):
2838         (Inspector::InspectorObjectBase::setInteger):
2839         (Inspector::InspectorObjectBase::setDouble):
2840         (Inspector::InspectorObjectBase::setString):
2841         (Inspector::InspectorObjectBase::setValue):
2842         (Inspector::InspectorObjectBase::setObject):
2843         (Inspector::InspectorObjectBase::setArray):
2844         (Inspector::InspectorArrayBase::pushBoolean):
2845         (Inspector::InspectorArrayBase::pushInteger):
2846         (Inspector::InspectorArrayBase::pushDouble):
2847         (Inspector::InspectorArrayBase::pushString):
2848         (Inspector::InspectorArrayBase::pushValue):
2849         (Inspector::InspectorArrayBase::pushObject):
2850         (Inspector::InspectorArrayBase::pushArray):
2851         Use new factory methods.
2852
2853         * replay/EncodedValue.cpp:
2854         (JSC::ScalarEncodingTraits<bool>::encodeValue):
2855         (JSC::ScalarEncodingTraits<double>::encodeValue):
2856         (JSC::ScalarEncodingTraits<float>::encodeValue):
2857         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2858         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2859         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2860         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2861         * replay/EncodedValue.h:
2862         Use new factory methods.
2863
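The ref()/deref() point made above (and the reason the first landing was rolled out for leaks) as an added C++ illustration. This is not WebKit's InspectorValue or WTF::StringImpl; the `Value` and `StringImpl` types here are assumptions for the example, with a `liveCount` counter constructed so the lifecycle can be checked. A union member is plain data, so the copy constructor, assignment operator and destructor have to manage the string's reference count by hand.

```cpp
#include <string>
#include <utility>

// Constructed for the example: an intrusively refcounted string payload.
struct StringImpl {
    std::string chars;
    int refCount = 0;
    static int liveCount; // number of StringImpl objects currently alive

    explicit StringImpl(std::string s) : chars(std::move(s)) { ++liveCount; }
    ~StringImpl() { --liveCount; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};
int StringImpl::liveCount = 0;

class Value {
public:
    enum class Type { Null, Boolean, Double, String };

    Value() : m_type(Type::Null) { m_value.number = 0; }
    static Value boolean(bool b) { Value v; v.m_type = Type::Boolean; v.m_value.boolean = b; return v; }
    static Value number(double d) { Value v; v.m_type = Type::Double; v.m_value.number = d; return v; }

    // An empty string carries no StringImpl, so there is nothing to ref.
    static Value string(const std::string& s)
    {
        Value v;
        v.m_type = Type::String;
        v.m_value.string = s.empty() ? nullptr : new StringImpl(s);
        if (v.m_value.string)
            v.m_value.string->ref();
        return v;
    }

    // Copying the union copies the raw pointer: the copy must take its own
    // reference, and the destructor must drop it, or the impl leaks.
    Value(const Value& other) : m_type(other.m_type), m_value(other.m_value)
    {
        if (m_type == Type::String && m_value.string)
            m_value.string->ref();
    }
    Value& operator=(const Value& other)
    {
        if (this == &other)
            return *this;
        if (other.m_type == Type::String && other.m_value.string)
            other.m_value.string->ref(); // ref before release: handles self-aliasing impls
        release();
        m_type = other.m_type;
        m_value = other.m_value;
        return *this;
    }
    ~Value() { release(); }

    Type type() const { return m_type; }
    bool asBoolean() const { return m_type == Type::Boolean && m_value.boolean; }
    std::string asString() const
    {
        if (m_type != Type::String || !m_value.string)
            return std::string();
        return m_value.string->chars;
    }
    int stringRefCount() const
    {
        return (m_type == Type::String && m_value.string) ? m_value.string->refCount : 0;
    }

private:
    void release()
    {
        if (m_type == Type::String && m_value.string)
            m_value.string->deref();
        m_value.string = nullptr;
    }
    Type m_type;
    union {
        bool boolean;
        double number;
        StringImpl* string;
    } m_value;
};

// Exercise create / copy / overwrite / destroy; true when nothing leaked.
bool valuesLeakFree()
{
    {
        Value a = Value::string("alpha");
        Value b = a;                 // second reference
        Value c = Value::number(1.5);
        c = b;                       // a non-string overwritten by a string
        if (a.stringRefCount() != 3)
            return false;
        Value empty = Value::string("");
        if (!empty.asString().empty() || empty.stringRefCount() != 0)
            return false;
    }
    return StringImpl::liveCount == 0;
}
```

Dropping any one of the three manual ref/deref sites reproduces the failure mode the rollback describes: either every string-valued `Value` leaks its impl, or a copy frees an impl its sibling still points at.
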
2864 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
2865
2866         It should be possible to edit StructureStubInfo without recompiling the world
2867         https://bugs.webkit.org/show_bug.cgi?id=156470
2868
2869         Reviewed by Keith Miller.
2870
2871         This change makes it less painful to make changes to the IC code. It used to be that any
2872         change to StructureStubInfo caused every JIT-related file to get recompiled. Now only a
2873         smaller set of files - ones that actually peek into StructureStubInfo - will recompile. This
2874         is mainly because CodeBlock.h no longer includes StructureStubInfo.h.
2875
2876         * bytecode/ByValInfo.h:
2877         * bytecode/CodeBlock.cpp:
2878         * bytecode/CodeBlock.h:
2879         * bytecode/GetByIdStatus.cpp:
2880         * bytecode/GetByIdStatus.h:
2881         * bytecode/PutByIdStatus.cpp:
2882         * bytecode/PutByIdStatus.h:
2883         * bytecode/StructureStubInfo.h:
2884         (JSC::getStructureStubInfoCodeOrigin):
2885         * dfg/DFGByteCodeParser.cpp:
2886         * dfg/DFGJITCompiler.cpp:
2887         * dfg/DFGOSRExitCompilerCommon.cpp:
2888         * dfg/DFGSpeculativeJIT.h:
2889         * ftl/FTLLowerDFGToB3.cpp:
2890         * ftl/FTLSlowPathCall.h:
2891         * jit/IntrinsicEmitter.cpp:
2892         * jit/JITInlineCacheGenerator.cpp:
2893         * jit/JITInlineCacheGenerator.h:
2894         * jit/JITOperations.cpp:
2895         * jit/JITPropertyAccess.cpp:
2896         * jit/JITPropertyAccess32_64.cpp:
2897
2898 2016-04-11  Skachkov Oleksandr  <gskachkov@gmail.com>
2899
2900         Remove NewArrowFunction from DFG IR
2901         https://bugs.webkit.org/show_bug.cgi?id=156439
2902
2903         Reviewed by Saam Barati.
2904
2905         It seems that NewArrowFunction was left in DFG IR during refactoring by mistake.
2906
2907         * dfg/DFGAbstractInterpreterInlines.h:
2908         * dfg/DFGClobberize.h:
2909         (JSC::DFG::clobberize):
2910         * dfg/DFGClobbersExitState.cpp:
2911         * dfg/DFGDoesGC.cpp:
2912         * dfg/DFGFixupPhase.cpp:
2913         * dfg/DFGMayExit.cpp:
2914         * dfg/DFGNode.h:
2915         (JSC::DFG::Node::convertToPhantomNewFunction):
2916         * dfg/DFGNodeType.h:
2917         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2918         * dfg/DFGPredictionPropagationPhase.cpp:
2919         * dfg/DFGSafeToExecute.h:
2920         * dfg/DFGSpeculativeJIT.cpp:
2921         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2922         * dfg/DFGSpeculativeJIT32_64.cpp:
2923         * dfg/DFGSpeculativeJIT64.cpp:
2924         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2925         * dfg/DFGStructureRegistrationPhase.cpp:
2926         * ftl/FTLCapabilities.cpp:
2927         * ftl/FTLLowerDFGToB3.cpp:
2928         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2929
2930 2016-04-05  Oliver Hunt  <oliver@apple.com>
2931
2932         Remove compile time define for SEPARATED_HEAP
2933         https://bugs.webkit.org/show_bug.cgi?id=155508
2934
2935         Reviewed by Mark Lam.
2936
2937         Remove the SEPARATED_HEAP compile time flag. The separated
2938         heap is available, but off by default, on x86_64, ARMv7, and
2939         ARM64.
2940
2941         Working through the issues that happened last time essentially
2942         required implementing the ARMv7 path for the separated heap
2943         just so I could find all the ways it was going wrong.
2944
2945         We fixed all the logic by making the branch and jump logic in
2946         the linker and assemblers take two parameters, the location to
2947         write to, and the location we'll actually be writing to. We 
2948         need to do this because it's no longer sufficient to compute
2949         jumps relative to the region the linker is writing to.
2950
2951         The repatching jump, branch, and call functions only need the
2952         executable address as the patching is performed directly using
2953         the performJITMemcpy function, which works in terms of the executable
2954         address.
2955
2956         There is no performance impact on jsc-benchmarks with the separate
2957         heap either enabled or disabled.
2958
2959         * Configurations/FeatureDefines.xcconfig:
2960         * assembler/ARM64Assembler.h:
2961         (JSC::ARM64Assembler::linkJump):
2962         (JSC::ARM64Assembler::linkCall):
2963         (JSC::ARM64Assembler::relinkJump):
2964         (JSC::ARM64Assembler::relinkCall):
2965         (JSC::ARM64Assembler::link):
2966         (JSC::ARM64Assembler::linkJumpOrCall):
2967         (JSC::ARM64Assembler::linkCompareAndBranch):
2968         (JSC::ARM64Assembler::linkConditionalBranch):
2969         (JSC::ARM64Assembler::linkTestAndBranch):
2970         (JSC::ARM64Assembler::relinkJumpOrCall):
2971         * assembler/ARMv7Assembler.h:
2972         (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
2973         (JSC::ARMv7Assembler::revertJumpTo_movT3):
2974         (JSC::ARMv7Assembler::link):
2975         (JSC::ARMv7Assembler::linkJump):
2976         (JSC::ARMv7Assembler::relinkJump):
2977         (JSC::ARMv7Assembler::repatchCompact):
2978         (JSC::ARMv7Assembler::replaceWithJump):
2979         (JSC::ARMv7Assembler::replaceWithLoad):
2980         (JSC::ARMv7Assembler::replaceWithAddressComputation):
2981         (JSC::ARMv7Assembler::setInt32):
2982         (JSC::ARMv7Assembler::setUInt7ForLoad):
2983         (JSC::ARMv7Assembler::isB):
2984         (JSC::ARMv7Assembler::isBX):
2985         (JSC::ARMv7Assembler::isMOV_imm_T3):
2986         (JSC::ARMv7Assembler::isMOVT):
2987         (JSC::ARMv7Assembler::isNOP_T1):
2988         (JSC::ARMv7Assembler::isNOP_T2):
2989         (JSC::ARMv7Assembler::linkJumpT1):
2990         (JSC::ARMv7Assembler::linkJumpT2):
2991         (JSC::ARMv7Assembler::linkJumpT3):
2992         (JSC::ARMv7Assembler::linkJumpT4):
2993         (JSC::ARMv7Assembler::linkConditionalJumpT4):
2994         (JSC::ARMv7Assembler::linkBX):
2995         (JSC::ARMv7Assembler::linkConditionalBX):
2996         (JSC::ARMv7Assembler::linkJumpAbsolute):
2997         * assembler/LinkBuffer.cpp:
2998         (JSC::LinkBuffer::copyCompactAndLinkCode):
2999         * assembler/MacroAssemblerARM64.h:
3000         (JSC::MacroAssemblerARM64::link):
3001         * assembler/MacroAssemblerARMv7.h:
3002         (JSC::MacroAssemblerARMv7::link):
3003         * jit/ExecutableAllocator.h:
3004         (JSC::performJITMemcpy):
3005         * jit/ExecutableAllocatorFixedVMPool.cpp:
3006         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
3007         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
3008         (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
3009         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
3010         * runtime/Options.cpp:
3011         (JSC::recomputeDependentOptions):
3012         * runtime/Options.h:
3013
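The two-address linking described above (the location being written to versus the location the code will execute from) as an added, stand-alone C++ illustration. This is not WebKit's LinkBuffer or assembler code; the toy 8-byte jump encoding, the `Region` type and the fixed 0x10000000 distance between the writable and executable aliases are assumptions constructed for the example. The buggy variant is included for contrast to show what goes wrong when the displacement is computed against the writable address.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Toy instruction: 32-bit opcode followed by a 32-bit signed displacement
// measured from the end of the instruction, as a CPU would interpret it.
constexpr uint32_t OP_JUMP = 0xE9;
constexpr size_t INSN_SIZE = 8;

// Constructed for the example: one dual-mapped code region. We store through
// `bytes` (the writable alias) but the code runs at `executableBase`.
struct Region {
    std::vector<uint8_t> bytes;
    uintptr_t executableBase = 0;
    uintptr_t writableBase() const { return reinterpret_cast<uintptr_t>(bytes.data()); }
};

// Map an executable address onto the writable alias so the store lands in
// the right place (the role performJITMemcpy plays in the description above).
uint8_t* writableFor(Region& r, uintptr_t executableAddress)
{
    return r.bytes.data() + (executableAddress - r.executableBase);
}

// Correct: write through the writable alias, but compute the displacement
// from the executable address the branch will actually run at.
void linkJump(Region& r, uintptr_t fromExecutable, uintptr_t toExecutable)
{
    int64_t disp = int64_t(toExecutable) - int64_t(fromExecutable + INSN_SIZE);
    uint8_t* where = writableFor(r, fromExecutable);
    uint32_t op = OP_JUMP;
    int32_t d = int32_t(disp);
    memcpy(where, &op, sizeof op);
    memcpy(where + 4, &d, sizeof d);
}

// Buggy for contrast: displacement computed relative to the writable alias.
void linkJumpUsingWritableAddress(Region& r, uintptr_t fromExecutable, uintptr_t toExecutable)
{
    uint8_t* where = writableFor(r, fromExecutable);
    int64_t disp = int64_t(toExecutable) - int64_t(reinterpret_cast<uintptr_t>(where) + INSN_SIZE);
    uint32_t op = OP_JUMP;
    int32_t d = int32_t(disp);
    memcpy(where, &op, sizeof op);
    memcpy(where + 4, &d, sizeof d);
}

// Decode the branch target the way the CPU would: relative to the
// executable address of the instruction, never the writable one.
uintptr_t resolveJumpTarget(const Region& r, uintptr_t fromExecutable)
{
    const uint8_t* where = r.bytes.data() + (fromExecutable - r.executableBase);
    int32_t d;
    memcpy(&d, where + 4, sizeof d);
    return fromExecutable + INSN_SIZE + d;
}

// Link one jump with either strategy and report whether it lands where intended.
bool jumpResolves(bool useExecutableAddressForDisplacement)
{
    Region r;
    r.bytes.assign(64, 0);
    // Assumed layout: executable alias a fixed distance above the writable one.
    r.executableBase = r.writableBase() + 0x10000000;
    uintptr_t from = r.executableBase + 8;
    uintptr_t to = r.executableBase + 40;
    if (useExecutableAddressForDisplacement)
        linkJump(r, from, to);
    else
        linkJumpUsingWritableAddress(r, from, to);
    return resolveJumpTarget(r, from) == to;
}
```

With the aliases at different addresses the buggy variant encodes a displacement off by exactly the alias distance, so the branch lands 0x10000000 bytes away from the intended target; when the two mappings coincide (no separated heap) both variants agree, which is why the bug only surfaces once the separation is turned on.
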
3014 2016-04-10  Filip Pizlo  <fpizlo@apple.com>
3015
3016         Clean up how we reason about the states of AccessCases
3017         https://bugs.webkit.org/show_bug.cgi?id=156454
3018
3019         Reviewed by Mark Lam.
3020         
3021         Currently when we add an AccessCase to a PolymorphicAccess stub, we regenerate the stub.
3022         That means that as we grow a stub to have N cases, we will do O(N^2) generation work. I want
3023         to explore buffering AccessCases so that we can do O(N) generation work instead. But before
3024         I go there, I want to make sure that the statefulness of AccessCase makes sense. So,
3025         I broke it down into three different states and added assertions about the transitions. I
3026         also broke out a separate operation called AccessCase::commit(), which is the work that
3027         cannot be buffered since there cannot be any JS effects between when the AccessCase was
3028         created and when we do the work in commit().
3029         
3030         This opens up a fairly obvious path to buffering AccessCases: add them to the list without
3031         regenerating. Then when we do eventually trigger regeneration, those cases will get cloned
3032         and generated automagically. This patch doesn't implement this technique yet, but gives us
3033         an opportunity to independently test the scaffolding necessary to do it.
3034
3035         This is perf-neutral on lots of tests.
3036
3037         * bytecode/PolymorphicAccess.cpp:
3038         (JSC::AccessGenerationResult::dump):
3039         (JSC::AccessCase::clone):
3040         (JSC::AccessCase::commit):
3041         (JSC::AccessCase::guardedByStructureCheck):
3042         (JSC::AccessCase::dump):
3043         (JSC::AccessCase::generateWithGuard):
3044         (JSC::AccessCase::generate):
3045         (JSC::AccessCase::generateImpl):
3046         (JSC::PolymorphicAccess::regenerateWithCases):
3047         (JSC::PolymorphicAccess::regenerate):
3048         (WTF::printInternal):
3049         * bytecode/PolymorphicAccess.h:
3050         (JSC::AccessCase::type):
3051         (JSC::AccessCase::state):
3052         (JSC::AccessCase::offset):
3053         (JSC::AccessCase::viaProxy):
3054         (JSC::AccessCase::callLinkInfo):
3055         * bytecode/StructureStubInfo.cpp:
3056         (JSC::StructureStubInfo::addAccessCase):
3057         * bytecode/Watchpoint.h:
3058         * dfg/DFGOperations.cpp:
3059         * jit/Repatch.cpp:
3060         (JSC::repatchGetByID):
3061         (JSC::repatchPutByID):
3062         (JSC::repatchIn):
3063         * runtime/VM.cpp:
3064         (JSC::VM::dumpRegExpTrace):
3065         (JSC::VM::ensureWatchpointSetForImpureProperty):
3066         (JSC::VM::registerWatchpointForImpureProperty):
3067         (JSC::VM::addImpureProperty):
3068         * runtime/VM.h:
3069
3070 2016-04-11  Fujii Hironori  <Hironori.Fujii@jp.sony.com>
3071
3072         [CMake] Make FOLDER property INHERITED
3073         https://bugs.webkit.org/show_bug.cgi?id=156460
3074
3075         Reviewed by Brent Fulgham.
3076
3077         * CMakeLists.txt:
3078         * shell/CMakeLists.txt:
3079         * shell/PlatformWin.cmake:
3080         Set FOLDER property as a directory property, not a target property.
3081
3082 2016-04-09  Keith Miller  <keith_miller@apple.com>
3083
3084         tryGetById should be supported by the DFG/FTL
3085         https://bugs.webkit.org/show_bug.cgi?id=156378
3086
3087         Reviewed by Filip Pizlo.
3088
3089         This patch adds support for tryGetById in the DFG/FTL. It adds a new DFG node
3090         TryGetById, which acts similarly to the normal GetById DFG node. One key
3091         difference between GetById and TryGetById is that in the LLInt and Baseline
3092         we do not profile the result type. This profiling is unnecessary for the current
3093         use case of tryGetById, which is expected to be a strict equality comparison
3094         against a specific object or undefined. In either case other DFG optimizations
3095         will make this equally fast with or without the profiling information.
3096
3097         Additionally, this patch adds new reuse modes for JSValueRegsTemporary that take
3098         an operand and attempt to reuse the registers for that operand if they are free
3099         after the current DFG node.
3100
3101         * bytecode/GetByIdStatus.cpp:
3102         (JSC::GetByIdStatus::computeFromLLInt):
3103         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3104         * dfg/DFGAbstractInterpreterInlines.h:
3105         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3106         * dfg/DFGByteCodeParser.cpp:
3107         (JSC::DFG::ByteCodeParser::handleGetById):
3108         (JSC::DFG::ByteCodeParser::parseBlock):
3109         * dfg/DFGCapabilities.cpp:
3110         (JSC::DFG::capabilityLevel):
3111         * dfg/DFGClobberize.h:
3112         (JSC::DFG::clobberize):
3113         * dfg/DFGDoesGC.cpp:
3114         (JSC::DFG::doesGC):
3115         * dfg/DFGFixupPhase.cpp:
3116         (JSC::DFG::FixupPhase::fixupNode):
3117         * dfg/DFGNode.h:
3118         (JSC::DFG::Node::hasIdentifier):
3119         * dfg/DFGNodeType.h:
3120         * dfg/DFGPredictionPropagationPhase.cpp:
3121         (JSC::DFG::PredictionPropagationPhase::propagate):
3122         * dfg/DFGSafeToExecute.h:
3123         (JSC::DFG::safeToExecute):
3124         * dfg/DFGSpeculativeJIT.cpp:
3125         (JSC::DFG::SpeculativeJIT::compileTryGetById):
3126         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
3127         * dfg/DFGSpeculativeJIT.h:
3128         (JSC::DFG::GPRTemporary::operator=):
3129         * dfg/DFGSpeculativeJIT32_64.cpp:
3130         (JSC::DFG::SpeculativeJIT::cachedGetById):
3131         (JSC::DFG::SpeculativeJIT::compile):
3132         * dfg/DFGSpeculativeJIT64.cpp:
3133         (JSC::DFG::SpeculativeJIT::cachedGetById):
3134         (JSC::DFG::SpeculativeJIT::compile):
3135         * ftl/FTLCapabilities.cpp:
3136         (JSC::FTL::canCompile):
3137         * ftl/FTLLowerDFGToB3.cpp:
3138         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3139         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
3140         (JSC::FTL::DFG::LowerDFGToB3::getById):
3141         * jit/JITOperations.cpp:
3142         * jit/JITOperations.h:
3143         * tests/stress/try-get-by-id.js:
3144         (tryGetByIdTextStrict):
3145         (get let):
3146         (let.get createBuiltin):
3147         (get throw):
3148         (getCaller.obj.1.throw.new.Error): Deleted.
3149
3150 2016-04-09  Saam barati  <sbarati@apple.com>
3151
3152         Allocation sinking SSA Defs are allowed to have replacements
3153         https://bugs.webkit.org/show_bug.cgi?id=156444
3154
3155         Reviewed by Filip Pizlo.
3156
3157         Consider the following program and the annotations that explain why
3158         the SSA defs we create in allocation sinking can have replacements.
3159
3160         function foo(a1) {
3161             let o1 = {x: 20, y: 50};
3162             let o2 = {y: 40, o1: o1};
3163             let o3 = {};
3164         
3165             // We're Defing a new variable here, call it o3_field.
3166             // o3_field is defing the value that is the result of 
3167             // a GetByOffset that gets eliminated through allocation sinking.
3168             o3.field = o1.y;
3169         
3170             dontCSE();
3171         
3172             // This control flow is here to not allow the phase to consult
3173             // its local SSA mapping (which properly handles replacements)
3174             // for the value of o3_field.
3175             if (a1) {
3176                 a1 = true; 
3177             } else {
3178                 a1 = false;
3179             }
3180         
3181             // Here, we ask for the reaching def of o3_field, and assert
3182             // it doesn't have a replacement. It does have a replacement
3183             // though. The original Def was the GetByOffset. We replaced
3184             // that GetByOffset with the value of the o1_y variable.
3185             let value = o3.field;
3186             assert(value === 50);
3187         }
3188
3189         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3190         * tests/stress/allocation-sinking-defs-may-have-replacements.js: Added.
3191         (dontCSE):
3192         (assert):
3193         (foo):
3194
3195 2016-04-09  Commit Queue  <commit-queue@webkit.org>
3196
3197         Unreviewed, rolling out r199242.
3198         https://bugs.webkit.org/show_bug.cgi?id=156442
3199
3200         Caused many many leaks (Requested by ap on #webkit).
3201
3202         Reverted changeset:
3203
3204         "Web Inspector: get rid of InspectorBasicValue and
3205         InspectorString subclasses"
3206         https://bugs.webkit.org/show_bug.cgi?id=156407
3207         http://trac.webkit.org/changeset/199242
3208
3209 2016-04-09  Filip Pizlo  <fpizlo@apple.com>
3210
3211         Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool
3212         https://bugs.webkit.org/show_bug.cgi?id=156406
3213
3214         Reviewed by Saam Barati.
3215
3216         The failure was because the GC ran from within the butterfly allocation call in a put_by_id
3217         transition AccessCase that had to deal with indexing storage. When the GC runs in a call from a stub,
3218         then we need to be extra careful:
3219
3220         1) The GC may reset the IC and delete the stub. So, the stub needs to tell the GC that it might be on
3221            the stack during GC, so that the GC keeps it alive if it's currently running.
3222         
3223         2) If the stub uses (dereferences or stores) some object after the call, then we need to ensure that
3224            the stub routine knows about that object independently of the IC.
3225         
3226         In the case of put_by_id transitions that use a helper to allocate the butterfly, we have both
3227         issues. A long time ago, we had to deal with (2), and we still had code to handle that case, although
3228         it appears to be dead. This change revives that code and glues it together with PolymorphicAccess.
3229
3230         * bytecode/PolymorphicAccess.cpp:
3231         (JSC::AccessCase::alternateBase):
3232         (JSC::AccessCase::doesCalls):
3233         (JSC::AccessCase::couldStillSucceed):
3234         (JSC::AccessCase::generate):
3235         (JSC::PolymorphicAccess::regenerate):
3236         * bytecode/PolymorphicAccess.h:
3237         (JSC::AccessCase::customSlotBase):
3238         (JSC::AccessCase::isGetter):
3239         (JSC::AccessCase::doesCalls): Deleted.
3240         * jit/GCAwareJITStubRoutine.cpp:
3241         (JSC::GCAwareJITStubRoutine::markRequiredObjectsInternal):
3242         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
3243         (JSC::MarkingGCAwareJITStubRoutine::~MarkingGCAwareJITStubRoutine):
3244         (JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
3245         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
3246         (JSC::createJITStubRoutine):
3247         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
3248         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::~MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
3249         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal): Deleted.
3250         * jit/GCAwareJITStubRoutine.h:
3251         (JSC::createJITStubRoutine):
3252
3253 2016-04-08  Joseph Pecoraro  <pecoraro@apple.com>
3254
3255         Web Inspector: XHRs and Web Worker scripts are not searchable
3256         https://bugs.webkit.org/show_bug.cgi?id=154214
3257         <rdar://problem/24643587>
3258
3259         Reviewed by Timothy Hatcher.
3260
3261         * inspector/protocol/Page.json:
3262         Add optional requestId to search results properties and search
3263         parameters for when the frameId and url are not enough. XHR
3264         resources, and "Other" resources will use this.
3265
3266 2016-04-08  Guillaume Emont  <guijemont@igalia.com>
3267
3268         MIPS: support Signed cond in branchTest32()
3269         https://bugs.webkit.org/show_bug.cgi?id=156260
3270
3271         This is needed since r197688 makes use of it.
3272
3273         Reviewed by Mark Lam.
3274
3275         * assembler/MacroAssemblerMIPS.h:
3276         (JSC::MacroAssemblerMIPS::branchTest32):
3277
3278 2016-04-08  Alex Christensen  <achristensen@webkit.org>
3279
3280         Progress towards running CMake WebKit2 on Mac
3281         https://bugs.webkit.org/show_bug.cgi?id=156426
3282
3283         Reviewed by Tim Horton.
3284
3285         * PlatformMac.cmake:
3286
3287 2016-04-08  Saam barati  <sbarati@apple.com>
3288
3289         Debugger may dereference m_currentCallFrame even after the VM has gone idle
3290         https://bugs.webkit.org/show_bug.cgi?id=156413
3291
3292         Reviewed by Mark Lam.
3293
3294         There is a bug where the debugger may dereference its m_currentCallFrame
3295         pointer after that pointer becomes invalid to read from. This happens like so:
3296
3297         We may step over an instruction which causes the end of execution for the
3298         current program. This causes the VM to exit. Then, we perform a GC which
3299         causes us to collect the global object. The global object being collected
3300         causes us to detach the debugger. In detaching, we think we still have a 
3301         valid m_currentCallFrame, we dereference it, and crash. The solution is to
3302         make sure we're paused when dereferencing this pointer inside ::detach().
3303
3304         * debugger/Debugger.cpp:
3305         (JSC::Debugger::detach):
3306
3307 2016-04-08  Brian Burg  <bburg@apple.com>
3308
3309         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
3310         https://bugs.webkit.org/show_bug.cgi?id=156407
3311         <rdar://problem/25627659>
3312
3313         Reviewed by Timothy Hatcher.
3314
3315         There's no point having these subclasses as they don't save any space.
3316         Add m_stringValue to the union and merge some implementations of writeJSON.
3317         Move uses of the subclass to InspectorValue and delete redundant methods.
3318         Now, most InspectorValue methods are non-virtual so they can be templated.
3319
3320         * bindings/ScriptValue.cpp:
3321         (Deprecated::jsToInspectorValue):
3322         * inspector/InjectedScriptBase.cpp:
3323         (Inspector::InjectedScriptBase::makeCall):
3324         Don't use deleted subclasses.
3325
3326         * inspector/InspectorValues.cpp:
3327         (Inspector::InspectorValue::null):
3328         (Inspector::InspectorValue::create):
3329         (Inspector::InspectorValue::asValue):
3330         (Inspector::InspectorValue::asBoolean):
3331         (Inspector::InspectorValue::asDouble):
3332         (Inspector::InspectorValue::asInteger):
3333         (Inspector::InspectorValue::asString):
3334         These only need one implementation now.
3335
3336         (Inspector::InspectorValue::writeJSON):
3337         Still a virtual method since Object and Array need their members.
3338
3339         (Inspector::InspectorObjectBase::InspectorObjectBase):
3340         (Inspector::InspectorBasicValue::asBoolean): Deleted.
3341         (Inspector::InspectorBasicValue::asDouble): Deleted.
3342         (Inspector::InspectorBasicValue::asInteger): Deleted.
3343         (Inspector::InspectorBasicValue::writeJSON): Deleted.
3344         (Inspector::InspectorString::asString): Deleted.
3345         (Inspector::InspectorString::writeJSON): Deleted.
3346         (Inspector::InspectorString::create): Deleted.
3347         (Inspector::InspectorBasicValue::create): Deleted.
3348
3349         * inspector/InspectorValues.h:
3350         (Inspector::InspectorObjectBase::setBoolean):
3351         (Inspector::InspectorObjectBase::setInteger):
3352         (Inspector::InspectorObjectBase::setDouble):
3353         (Inspector::InspectorObjectBase::setString):
3354         (Inspector::InspectorArrayBase::pushBoolean):
3355         (Inspector::InspectorArrayBase::pushInteger):
3356         (Inspector::InspectorArrayBase::pushDouble):
3357         (Inspector::InspectorArrayBase::pushString):
3358         Use new factory methods.
3359
3360         * replay/EncodedValue.cpp:
3361         (JSC::ScalarEncodingTraits<bool>::encodeValue):
3362         (JSC::ScalarEncodingTraits<double>::encodeValue):
3363         (JSC::ScalarEncodingTraits<float>::encodeValue):
3364         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
3365         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
3366         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
3367         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
3368         * replay/EncodedValue.h:
3369         Use new factory methods.
3370
3371 2016-04-08  Filip Pizlo  <fpizlo@apple.com>
3372
3373         Add IC support for arguments.length
3374         https://bugs.webkit.org/show_bug.cgi?id=156389
3375
3376         Reviewed by Geoffrey Garen.
3377         
3378         This adds support for caching accesses to arguments.length for both DirectArguments and
3379         ScopedArguments. In strict mode, we already cached these accesses since they were just
3380         normal properties.
3381
3382         Amazingly, we also already supported caching of overridden arguments.length in both
3383         DirectArguments and ScopedArguments. This is because when you override, the property gets