[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
2
3         Unreviewed, add a comment to describe the test's failure mode. Suggested by mlam.
4
5         * tests/stress/override-map-constructor.js:
6         (Map):
7
8 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
9
10         Map should not be in JSGlobalObject's static hashtable because it's initialized eagerly via FOR_EACH_SIMPLE_BUILTIN_TYPE_WITH_CONSTRUCTOR
11         https://bugs.webkit.org/show_bug.cgi?id=158031
12         rdar://problem/26353661
13
14         Reviewed by Geoffrey Garen.
15         
16         We were listing Map as being a lazy class structure. It's not. m_mapStructure is a WriteBarrier<>
17         not a LazyClassStructure<> and there is nothing lazy about it.
18
19         * runtime/JSGlobalObject.cpp: The fix is to remove Map here.
20         * runtime/Lookup.cpp: Add some dumping on the assert path.
21         (JSC::setUpStaticFunctionSlot):
22         * tests/stress/override-map-constructor.js: Added. This test used to crash.
23         (Map):
24
25 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
26
27         LLInt64 should have typed array fast paths for get_by_val
28         https://bugs.webkit.org/show_bug.cgi?id=157931
29
30         Reviewed by Keith Miller.
31
32         I think that the LLInt should be able to access typed arrays more quickly than it does now.
33         Ideally we would have fast paths for every major typed array operation and we would use
34         inline cache optimizations. I don't want to do this all in one go, so my plan is to
35         incrementally add support for this as time allows.
36         
37         This change just adds the easy typed array fast paths for get_by_val in the 64-bit version
38         of LLInt.
39         
40         Another bug, https://bugs.webkit.org/show_bug.cgi?id=157922, tracks the overall task of
41         adding all typed array fast paths to both versions of the LLInt.
42         
43         This is a 30% speed-up on typed array benchmarks in LLInt. This is not a speed-up when the
44         JITs are enabled.
45
46         * llint/LLIntData.cpp:
47         (JSC::LLInt::Data::performAssertions):
48         * llint/LLIntOffsetsExtractor.cpp:
49         * llint/LowLevelInterpreter.asm:
50         * llint/LowLevelInterpreter64.asm:
51         * offlineasm/backends.rb:
52         * runtime/JSArrayBufferView.h:
53         * runtime/JSType.h:
54
55 2016-05-24  Saam barati  <sbarati@apple.com> and Yusuke Suzuki <utatane.tea@gmail.com>
56
57         ThisTDZMode is no longer needed
58         https://bugs.webkit.org/show_bug.cgi?id=157209
59
60         Reviewed by Saam Barati.
61
62         ThisTDZMode is no longer needed because we have ConstructorKind
63         and DerivedContextType. The value of ThisTDZMode is strictly less
64         expressive than the combination of those two values. We were
65         using those values anyways, and this patch just makes it official
66         by removing ThisTDZMode.
67
68         This patch also cleans up caching keys. We extract SourceCodeFlags
69         from SourceCodeKey and use it in EvalCodeCache. It correctly
70         contains needed cache attributes: EvalContextType, DerivedContextType,
71         etc. Here, we still use specialized keys for EvalCodeCache instead
72         of SourceCodeKey for performance; it does not include name String and
73         does not allocate SourceCode.
74
75         * bytecode/EvalCodeCache.h:
76         (JSC::EvalCodeCache::CacheKey::CacheKey):
77         (JSC::EvalCodeCache::CacheKey::operator==):
78         (JSC::EvalCodeCache::CacheKey::Hash::equal):
79         (JSC::EvalCodeCache::tryGet):
80         (JSC::EvalCodeCache::getSlow):
81         * bytecompiler/NodesCodegen.cpp:
82         (JSC::ThisNode::emitBytecode): Deleted.
83         * debugger/DebuggerCallFrame.cpp:
84         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
85         * interpreter/Interpreter.cpp:
86         (JSC::eval):
87         * parser/ASTBuilder.h:
88         (JSC::ASTBuilder::createThisExpr):
89         * parser/NodeConstructors.h:
90         (JSC::ThisNode::ThisNode):
91         * parser/Nodes.h:
92         * parser/Parser.cpp:
93         (JSC::Parser<LexerType>::Parser):
94         (JSC::Parser<LexerType>::parsePrimaryExpression):
95         * parser/Parser.h:
96         (JSC::parse):
97         * parser/ParserModes.h:
98         * parser/SourceCodeKey.h:
99         (JSC::SourceCodeFlags::SourceCodeFlags):
100         (JSC::SourceCodeFlags::operator==):
101         (JSC::SourceCodeKey::SourceCodeKey):
102         (JSC::SourceCodeKey::Hash::hash):
103         (JSC::SourceCodeKey::Hash::equal):
104         (JSC::SourceCodeKey::HashTraits::isEmptyValue):
105         (JSC::SourceCodeKeyHash::hash): Deleted.
106         (JSC::SourceCodeKeyHash::equal): Deleted.
107         (JSC::SourceCodeKeyHashTraits::isEmptyValue): Deleted.
108         * parser/SyntaxChecker.h:
109         (JSC::SyntaxChecker::createThisExpr):
110         * runtime/CodeCache.cpp:
111         (JSC::CodeCache::getGlobalCodeBlock):
112         (JSC::CodeCache::getProgramCodeBlock):
113         (JSC::CodeCache::getEvalCodeBlock):
114         (JSC::CodeCache::getModuleProgramCodeBlock):
115         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
116         * runtime/CodeCache.h:
117         * runtime/Executable.cpp:
118         (JSC::EvalExecutable::create):
119         * runtime/Executable.h:
120         * runtime/JSGlobalObject.cpp:
121         (JSC::JSGlobalObject::createEvalCodeBlock):
122         * runtime/JSGlobalObject.h:
123         * runtime/JSGlobalObjectFunctions.cpp:
124         (JSC::globalFuncEval):
125         * tests/stress/code-cache-incorrect-caching.js: Added.
126         (shouldBe):
127         (hello):
128         (catch):
129         (shouldBe.test.hello):
130         (globalEval.ok):
131         (global.hello.hello):
132
133 2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
134
135         Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
136         https://bugs.webkit.org/show_bug.cgi?id=157080
137
138         Reviewed by Saam Barati.
139
140         In a custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
141         In this patch, we add a new parameter, "slotBase". This represents the base value offering
142         this custom getter, and we use it in ProxyObject's performGet custom accessor getter.
143
144         * API/JSCallbackObject.h:
145         * API/JSCallbackObjectFunctions.h:
146         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
147         (JSC::JSCallbackObject<Parent>::callbackGetter):
148         * bytecode/PolymorphicAccess.cpp:
149         (JSC::AccessCase::generateImpl):
150         In PolymorphicAccess case, the thisValue and the slotBase are always cells.
151         This is because IC is enabled in the case that the base value is a cell.
152         And slotBase is always on the prototype chain from this base value.
153
154         * jit/CCallHelpers.h:
155         (JSC::CCallHelpers::setupArgumentsWithExecState):
156         * jsc.cpp:
157         (WTF::CustomGetter::customGetter):
158         (WTF::RuntimeArray::lengthGetter):
159         * runtime/CustomGetterSetter.cpp:
160         (JSC::callCustomSetter):
161         * runtime/JSBoundSlotBaseFunction.cpp:
162         (JSC::boundSlotBaseFunctionCall):
163         * runtime/JSFunction.cpp:
164         (JSC::JSFunction::argumentsGetter):
165         (JSC::JSFunction::callerGetter):
166         * runtime/JSFunction.h:
167         * runtime/JSModuleNamespaceObject.cpp:
168         (JSC::callbackGetter):
169         * runtime/PropertySlot.cpp:
170         (JSC::PropertySlot::customGetter):
171         * runtime/PropertySlot.h:
172         * runtime/ProxyObject.cpp:
173         (JSC::performProxyGet):
174         * runtime/RegExpConstructor.cpp:
175         (JSC::regExpConstructorDollar):
176         (JSC::regExpConstructorInput):
177         (JSC::regExpConstructorMultiline):
178         (JSC::regExpConstructorLastMatch):
179         (JSC::regExpConstructorLastParen):
180         (JSC::regExpConstructorLeftContext):
181         (JSC::regExpConstructorRightContext):
182         (JSC::regExpConstructorDollar1): Deleted.
183         (JSC::regExpConstructorDollar2): Deleted.
184         (JSC::regExpConstructorDollar3): Deleted.
185         (JSC::regExpConstructorDollar4): Deleted.
186         (JSC::regExpConstructorDollar5): Deleted.
187         (JSC::regExpConstructorDollar6): Deleted.
188         (JSC::regExpConstructorDollar7): Deleted.
189         (JSC::regExpConstructorDollar8): Deleted.
190         (JSC::regExpConstructorDollar9): Deleted.
191         * tests/stress/proxy-get-with-primitive-receiver.js: Added.
192         (shouldBe):
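
As an added illustration of the receiver problem this entry describes (example code, not the project's tests/stress/proxy-get-with-primitive-receiver.js): `Reflect.get` lets the caller pick the receiver independently of the object that actually holds the accessor, so the value a getter sees as "thisValue" can be a primitive while the object offering the getter (the entry's "slotBase") is still the Proxy. The recording proxy, the `answer` property and the block names are constructed for this example.

```javascript
// Added example, not JavaScriptCore's test file. A Proxy get trap records the
// receiver it is handed so the three ways a receiver can arrive are visible:
// a plain property read, Reflect.get with an explicit primitive receiver, and
// a read through the prototype chain.

// Constructed sample: `answer` is an arbitrary data property on the target.
function makeRecordingProxy() {
  const seen = [];
  const target = { answer: 42 };
  const proxy = new Proxy(target, {
    get(t, key, receiver) {
      seen.push({
        key,
        receiverType: typeof receiver,
        receiverIsProxy: receiver === proxy, // is "thisValue" the slot base?
      });
      return Reflect.get(t, key, receiver);
    },
  });
  return { proxy, seen };
}

// Exercises the trap and returns both the values read and what the trap saw.
function observeReceivers() {
  const { proxy, seen } = makeRecordingProxy();
  const values = [];
  values.push(proxy.answer);                    // plain get: receiver is the proxy itself
  values.push(Reflect.get(proxy, 'answer', 7)); // explicit receiver: the primitive 7
  const child = Object.create(proxy);
  values.push(child.answer);                    // via prototype chain: receiver is `child`
  return { values, seen };
}
```

In the second case the getter runs on behalf of a number, not of the proxy, and in the third the receiver is an ordinary object that is not the proxy either; a native accessor that dereferences "thisValue" as if it were the object it was installed on is wrong in both cases, which is why the patch passes the slot base separately.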
193
194 2016-05-23  Geoffrey Garen  <ggaren@apple.com>
195
196         REGRESSION (196374): deleting a global property is expensive
197         https://bugs.webkit.org/show_bug.cgi?id=158005
198
199         Reviewed by Chris Dumez.
200
201         * runtime/JSObject.cpp:
202         (JSC::JSObject::deleteProperty): We only need to reify static properties
203         if the name being deleted matches a static property. Otherwise, we can
204         be sure that delete won't observe any static properties.
205
206 2016-05-23  Saam barati  <sbarati@apple.com>
207
208         The baseline JIT crashes when compiling "(1,1)/1"
209         https://bugs.webkit.org/show_bug.cgi?id=157933
210
211         Reviewed by Benjamin Poulain.
212
213         op_div in the baseline JIT needed to better handle when both the lhs
214         and rhs are constants. It needs to make sure to load either the lhs or
215         the rhs into a register since the div generator can't handle both
216         the lhs and rhs being constants.
217
218         * jit/JITArithmetic.cpp:
219         (JSC::JIT::emit_op_div):
220         * tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
221         (assert):
222         (test):
223
224 2016-05-23  Saam barati  <sbarati@apple.com>
225
226         String templates don't handle let initialization properly inside eval
227         https://bugs.webkit.org/show_bug.cgi?id=157991
228
229         Reviewed by Oliver Hunt.
230
231         The fix is to make sure we emit TDZ checks. 
232
233         * bytecompiler/NodesCodegen.cpp:
234         (JSC::TaggedTemplateNode::emitBytecode):
235         * tests/stress/tagged-template-tdz.js: Added.
236         (shouldThrowTDZ):
237         (test):
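
The behaviour the TDZ fix restores, as an added example rather than the project's tests/stress/tagged-template-tdz.js: a tagged template whose tag is a `let` binding that has not yet been initialized must throw a `ReferenceError`, whether the code is compiled normally or through `eval`. The case names and the use of `String.raw` as the tag are this example's own choices.

```javascript
// Added example, not JavaScriptCore's test. Each case is a closure; throwsTDZ
// reports whether running it raised the ReferenceError a TDZ access produces.

function throwsTDZ(fn) {
  try {
    fn();
  } catch (e) {
    return e instanceof ReferenceError;
  }
  return false;
}

const tdzCases = {
  // Tag referenced before its `let` declaration has run: must throw.
  taggedBeforeLet: () => {
    tag`hello`;
    let tag = String.raw;
  },
  // Same shape, but compiled through direct eval (the path the fix covers).
  taggedBeforeLetInEval: () => eval('tag`hello`; let tag = String.raw;'),
  // Control: declaration first, so the tag is initialized and no error occurs.
  taggedAfterLet: () => {
    let tag = String.raw;
    return tag`hello`;
  },
};

// Returns { caseName: didThrowReferenceError } for every case above.
function runTdzCases() {
  const out = {};
  for (const [name, fn] of Object.entries(tdzCases)) out[name] = throwsTDZ(fn);
  return out;
}
```

An engine that skips the TDZ check silently reads `undefined` for the tag and then fails (or misbehaves) when calling it; the `ReferenceError` is the specified, observable outcome.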
238
239 2016-05-22  Saam barati  <sbarati@apple.com>
240
241         Unreviewed. Fixed debug assertion failures from r201235.
242
243         * runtime/JSScope.cpp:
244         (JSC::abstractAccess):
245
246 2016-05-22  Brady Eidson  <beidson@apple.com>
247
248         Attempted Yosemite build fix after http://trac.webkit.org/changeset/201255
249
250         Suggested by and reviewed by Anders Carlsson.
251
252         * b3/B3CCallValue.h: Initialize the effects member more conventionally.
253
254 2016-05-22  Brady Eidson  <beidson@apple.com>
255
256         Move to C++14.
257         https://bugs.webkit.org/show_bug.cgi?id=157948
258
259         Reviewed by Michael Catanzaro.
260
261         * Configurations/Base.xcconfig:
262
263 2016-05-22  Saam barati  <sbarati@apple.com>
264
265         REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
266         https://bugs.webkit.org/show_bug.cgi?id=157968
267         <rdar://problem/26404735>
268
269         Reviewed by Ryosuke Niwa and Filip Pizlo.
270
271         There was a bug in the DFG where we were checking a condition
272         on the wrong variable.
273
274         * dfg/DFGStrengthReductionPhase.cpp:
275         (JSC::DFG::StrengthReductionPhase::handleNode):
276
277 2016-05-22  Chris Dumez  <cdumez@apple.com>
278
279         Remove uses of PassRefPtr in JS bindings code
280         https://bugs.webkit.org/show_bug.cgi?id=157949
281
282         Reviewed by Andreas Kling.
283
284         Remove uses of PassRefPtr in JS bindings code.
285
286         * runtime/JSGlobalObject.cpp:
287         (JSC::JSGlobalObject::queueMicrotask):
288         * runtime/JSGlobalObject.h:
289
290 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
291
292         Remove LegacyProfiler
293         https://bugs.webkit.org/show_bug.cgi?id=153565
294
295         Reviewed by Mark Lam.
296
297         JavaScriptCore now provides a sampling profiler and it is enabled
298         by all ports. Web Inspector switched months ago to using the
299         sampling profiler and displaying its data. Remove the legacy
300         profiler, as it is no longer being used by anything other than
301         console.profile and tests. We will update console.profile's
302         behavior soon to have new behavior and use the sampling data.
303
304         * API/JSProfilerPrivate.cpp: Removed.
305         * API/JSProfilerPrivate.h: Removed.
306         * CMakeLists.txt:
307         * JavaScriptCore.xcodeproj/project.pbxproj:
308         * bytecode/BytecodeList.json:
309         * bytecode/BytecodeUseDef.h:
310         (JSC::computeUsesForBytecodeOffset): Deleted.
311         (JSC::computeDefsForBytecodeOffset): Deleted.
312         * bytecode/CodeBlock.cpp:
313         (JSC::CodeBlock::dumpBytecode): Deleted.
314         * bytecode/UnlinkedFunctionExecutable.cpp:
315         (JSC::generateUnlinkedFunctionCodeBlock):
316         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
317         * bytecode/UnlinkedFunctionExecutable.h:
318         * bytecompiler/BytecodeGenerator.cpp:
319         (JSC::BytecodeGenerator::BytecodeGenerator):
320         (JSC::BytecodeGenerator::emitCall):
321         (JSC::BytecodeGenerator::emitCallVarargs):
322         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
323         (JSC::BytecodeGenerator::emitConstructVarargs):
324         (JSC::BytecodeGenerator::emitConstruct):
325         * bytecompiler/BytecodeGenerator.h:
326         (JSC::CallArguments::profileHookRegister): Deleted.
327         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
328         * bytecompiler/NodesCodegen.cpp:
329         (JSC::CallFunctionCallDotNode::emitBytecode):
330         (JSC::ApplyFunctionCallDotNode::emitBytecode):
331         (JSC::CallArguments::CallArguments): Deleted.
332         * dfg/DFGAbstractInterpreterInlines.h:
333         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
334         * dfg/DFGByteCodeParser.cpp:
335         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
336         * dfg/DFGCapabilities.cpp:
337         (JSC::DFG::capabilityLevel): Deleted.
338         * dfg/DFGClobberize.h:
339         (JSC::DFG::clobberize): Deleted.
340         * dfg/DFGDoesGC.cpp:
341         (JSC::DFG::doesGC): Deleted.
342         * dfg/DFGFixupPhase.cpp:
343         (JSC::DFG::FixupPhase::fixupNode): Deleted.
344         * dfg/DFGNodeType.h:
345         * dfg/DFGPredictionPropagationPhase.cpp:
346         * dfg/DFGSafeToExecute.h:
347         (JSC::DFG::safeToExecute): Deleted.
348         * dfg/DFGSpeculativeJIT32_64.cpp:
349         (JSC::DFG::SpeculativeJIT::compile): Deleted.
350         * dfg/DFGSpeculativeJIT64.cpp:
351         (JSC::DFG::SpeculativeJIT::compile): Deleted.
352         * inspector/InjectedScriptBase.cpp:
353         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
354         * interpreter/Interpreter.cpp:
355         (JSC::UnwindFunctor::operator()): Deleted.
356         (JSC::Interpreter::execute): Deleted.
357         (JSC::Interpreter::executeCall): Deleted.
358         (JSC::Interpreter::executeConstruct): Deleted.
359         * jit/JIT.cpp:
360         (JSC::JIT::privateCompileMainPass): Deleted.
361         * jit/JIT.h:
362         * jit/JITOpcodes.cpp:
363         (JSC::JIT::emit_op_profile_will_call): Deleted.
364         (JSC::JIT::emit_op_profile_did_call): Deleted.
365         * jit/JITOpcodes32_64.cpp:
366         (JSC::JIT::emit_op_profile_will_call): Deleted.
367         (JSC::JIT::emit_op_profile_did_call): Deleted.
368         * jit/JITOperations.cpp:
369         * jit/JITOperations.h:
370         * llint/LLIntSlowPaths.cpp:
371         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
372         * llint/LLIntSlowPaths.h:
373         * llint/LowLevelInterpreter.asm:
374         * parser/ParserModes.h:
375         * profiler/CallIdentifier.h: Removed.
376         * profiler/LegacyProfiler.cpp: Removed.
377         * profiler/LegacyProfiler.h: Removed.
378         * profiler/Profile.cpp: Removed.
379         * profiler/Profile.h: Removed.
380         * profiler/ProfileGenerator.cpp: Removed.
381         * profiler/ProfileGenerator.h: Removed.
382         * profiler/ProfileNode.cpp: Removed.
383         * profiler/ProfileNode.h: Removed.
384         * profiler/ProfilerJettisonReason.cpp:
385         (WTF::printInternal): Deleted.
386         * profiler/ProfilerJettisonReason.h:
387         * runtime/CodeCache.cpp:
388         (JSC::CodeCache::getGlobalCodeBlock):
389         (JSC::CodeCache::getProgramCodeBlock):
390         (JSC::CodeCache::getEvalCodeBlock):
391         (JSC::CodeCache::getModuleProgramCodeBlock):
392         * runtime/CodeCache.h:
393         * runtime/Executable.cpp:
394         (JSC::ScriptExecutable::newCodeBlockFor):
395         * runtime/JSGlobalObject.cpp:
396         (JSC::JSGlobalObject::createProgramCodeBlock):
397         (JSC::JSGlobalObject::createEvalCodeBlock):
398         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
399         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
400         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
401         * runtime/JSGlobalObject.h:
402         * runtime/Options.h:
403         * runtime/VM.cpp:
404         (JSC::VM::VM): Deleted.
405         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
406         (JSC::VM::setEnabledProfiler): Deleted.
407         * runtime/VM.h:
408         (JSC::VM::enabledProfiler): Deleted.
409         (JSC::VM::enabledProfilerAddress): Deleted.
410
411 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
412
413         Remove LegacyProfiler
414         https://bugs.webkit.org/show_bug.cgi?id=153565
415
416         Reviewed by Saam Barati.
417
418         * inspector/protocol/Timeline.json:
419         * jsc.cpp:
420         * runtime/JSGlobalObject.cpp:
421         (JSC::JSGlobalObject::hasLegacyProfiler):
422         * runtime/JSGlobalObject.h:
423         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
424
425 2016-05-20  Saam barati  <sbarati@apple.com>
426
427         JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference
428         https://bugs.webkit.org/show_bug.cgi?id=157956
429
430         Reviewed by Geoffrey Garen.
431
432         A SymbolTableEntry may be a FatEntry. Copying a FatEntry is slow because we have to
433         malloc memory for it, then free the malloced memory once the entry goes out of
434         scope. abstractAccess uses a SymbolTableEntry temporarily when performing scope
435         accesses during bytecode linking. It copies out the SymbolTableEntry every time
436         it does a SymbolTable lookup. This is not cheap when the entry happens to be a
437         FatEntry. We should really just be using a reference to the entry because
438         there is no need to copy it in such a scenario.
439
440         * runtime/JSScope.cpp:
441         (JSC::abstractAccess):
442
443 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
444
445         Web Inspector: retained size for typed arrays does not count native backing store
446         https://bugs.webkit.org/show_bug.cgi?id=157945
447         <rdar://problem/26392238>
448
449         Reviewed by Geoffrey Garen.
450
451         * runtime/JSArrayBuffer.h:
452         * runtime/JSArrayBuffer.cpp:
453         (JSC::JSArrayBuffer::estimatedSize):
454         Include an estimatedSize implementation for JSArrayBuffer.
455         ArrayBuffer has a unique path, different from other data
456         stored in the Heap.
457
458         * tests/heapProfiler/typed-array-sizes.js: Added.
459         Test sizes of TypedArray with and without an ArrayBuffer.
460         When the TypedArray is a view wrapping an ArrayBuffer, the
461         ArrayBuffer has the size.
462
463 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
464
465         reifyAllStaticProperties makes two copies of every string
466         https://bugs.webkit.org/show_bug.cgi?id=157953
467
468         Reviewed by Mark Lam.
469
470         Let's not do that.
471
472         * runtime/JSObject.cpp:
473         (JSC::JSObject::reifyAllStaticProperties): Pass our Identifier to
474         reifyStaticProperty so it doesn't have to make its own.
475
476         * runtime/Lookup.h:
477         (JSC::reifyStaticProperty): No need to null check because callers never
478         pass null anymore. No need to make an identifier because callers pass
479         us one.
480
481         (JSC::reifyStaticProperties): Honor new interface.
482
483 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
484
485         JSBench regression: CodeBlock linking always copies the symbol table
486         https://bugs.webkit.org/show_bug.cgi?id=157951
487
488         Reviewed by Saam Barati.
489
490         We always put a SymbolTable into the constant pool, even in simple
491         functions in which it won't be used -- i.e., there's no eval and there
492         are no captured variables and so on.
493
494         This is costly because linking must copy any provided symbol tables.
495
496         * bytecompiler/BytecodeGenerator.cpp:
497         (JSC::BytecodeGenerator::BytecodeGenerator):
498         (JSC::BytecodeGenerator::emitProfileType): Only add the symbol table
499         as a constant if we will use it at runtime.
500
501 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
502
503         [JSC] Improve int->float conversion in FTL
504         https://bugs.webkit.org/show_bug.cgi?id=157936
505
506         Reviewed by Filip Pizlo.
507
508         The integer -> floating point lowering was very bare-bones.
509
510         For example, converting a constant integer to double
511         was doing:
512             mov #const, %eax
513             xor %xmm0, %xmm0
514             cvtsi2sd %eax, %xmm0
515
516         Conversion from integer to float was also missing.
517         We were always converting to double then rounding the double
518         to float.
519
520         This patch adds the basics:
521         - Constant folding.
522         - Integer to Float opcode.
523         - Reducing int->double to int->float when used by DoubleToFloat.
524
525         * assembler/MacroAssemblerX86Common.h:
526         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
527         * assembler/MacroAssemblerX86_64.h:
528         (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
529         (JSC::MacroAssemblerX86_64::convertInt64ToFloat):
530         * assembler/X86Assembler.h:
531         (JSC::X86Assembler::cvtsi2ss_rr):
532         (JSC::X86Assembler::cvtsi2ssq_rr):
533         (JSC::X86Assembler::cvtsi2sdq_mr):
534         (JSC::X86Assembler::cvtsi2ssq_mr):
535         (JSC::X86Assembler::cvtsi2ss_mr):
536         * assembler/MacroAssemblerARM64.h:
537         * b3/B3Const32Value.cpp:
538         (JSC::B3::Const32Value::iToDConstant):
539         (JSC::B3::Const32Value::iToFConstant):
540         * b3/B3Const32Value.h:
541         * b3/B3Const64Value.cpp:
542         (JSC::B3::Const64Value::iToDConstant):
543         (JSC::B3::Const64Value::iToFConstant):
544         * b3/B3Const64Value.h:
545         * b3/B3LowerToAir.cpp:
546         (JSC::B3::Air::LowerToAir::lower):
547         * b3/B3Opcode.cpp:
548         (WTF::printInternal):
549         * b3/B3Opcode.h:
550         * b3/B3ReduceDoubleToFloat.cpp:
551         * b3/B3ReduceStrength.cpp:
552         * b3/B3Validate.cpp:
553         * b3/B3Value.cpp:
554         (JSC::B3::Value::iToDConstant):
555         (JSC::B3::Value::iToFConstant):
556         (JSC::B3::Value::isRounded):
557         (JSC::B3::Value::effects):
558         (JSC::B3::Value::key):
559         (JSC::B3::Value::typeFor):
560         * b3/B3Value.h:
561         * b3/B3ValueKey.cpp:
562         (JSC::B3::ValueKey::materialize):
563         * b3/air/AirFixPartialRegisterStalls.cpp:
564         * b3/air/AirOpcode.opcodes:
565         * b3/testb3.cpp:
566         (JSC::B3::int64Operands):
567         (JSC::B3::testIToD64Arg):
568         (JSC::B3::testIToF64Arg):
569         (JSC::B3::testIToD32Arg):
570         (JSC::B3::testIToF32Arg):
571         (JSC::B3::testIToD64Mem):
572         (JSC::B3::testIToF64Mem):
573         (JSC::B3::testIToD32Mem):
574         (JSC::B3::testIToF32Mem):
575         (JSC::B3::testIToD64Imm):
576         (JSC::B3::testIToF64Imm):
577         (JSC::B3::testIToD32Imm):
578         (JSC::B3::testIToF32Imm):
579         (JSC::B3::testIToDReducedToIToF64Arg):
580         (JSC::B3::testIToDReducedToIToF32Arg):
581         (JSC::B3::run):
582
583 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
584
585         [JSC] FTL can crash on stack overflow
586         https://bugs.webkit.org/show_bug.cgi?id=157881
587         rdar://problem/24665964
588
589         Reviewed by Michael Saboff.
590
591         The VM's m_largestFTLStackSize was never set anywhere (updateFTLLargestStackSize()
592         was never called). We forgot to change that when implementing B3.
593
594         Even when it is set, we still have a problem on OSR Exit.
595         If the last frame is a FTL frame and it OSR Exits, the space required for
596         that frame becomes significantly larger. What happens is we crash in the OSR Exit
597         instead of the FTL frame (this is what happens in rdar://problem/24665964).
598
599         This patch changes the stack boundary checks in FTL to be the same as DFG:
600         we verify that we have enough space for the current optimized function but
601         also for the baseline version (including inlining) in case of exit.
602
603         * ftl/FTLLowerDFGToB3.cpp:
604         (JSC::FTL::DFG::LowerDFGToB3::lower):
605         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack): Deleted.
606         * runtime/VM.cpp:
607         (JSC::VM::VM): Deleted.
608         (JSC::VM::updateStackLimit): Deleted.
609         (JSC::VM::updateFTLLargestStackSize): Deleted.
610         * runtime/VM.h:
611         (JSC::VM::addressOfFTLStackLimit): Deleted.
612
613 2016-05-18  Filip Pizlo  <fpizlo@apple.com>
614
615         DFG::LICMPhase shouldn't hoist type checks unless it knows that the check will succeed at the loop pre-header
616         https://bugs.webkit.org/show_bug.cgi?id=144527
617
618         Reviewed by Saam Barati.
619         
620         This adds a control flow equivalence analysis (called ControlEquivalenceAnalysis) based on
621         dominator analysis over the backwards CFG. Two basic blocks are control flow equivalent if
622         the execution of one implies that the other one must also execute. It means that the two
623         blocks' forward and backward dominance are reciprocated: (A dom B and B backdom A) or (B dom
624         A and A backdom B). LICM now uses it to become more conservative about hoisting checks if
625         this has caused problems in the past. If we hoist something that may exit from a block that
626         was not control equivalent to the pre-header then it's possible that the node's speculation
627         will fail even though it wouldn't have if it wasn't hoisted. So, we flag these nodes'
628         origins as being "wasHoisted" and we track all of their exits as "HoistingFailed". LICM will
629         turn off such speculative hoisting if the CodeBlock from which we are hoisting had the
630         HoistingFailed exit kind.
631         
632         Note that this deliberately still allows us to hoist things that may exit even if they are
633         not control equivalent to the pre-header. This is necessary because the profitability of
634         hoisting is so huge in all of the cases that we're aware of that it's worth giving it a
635         shot.
636         
637         This is neutral on macrobenchmarks since none of the benchmarks we track have a hoistable
638         operation that would exit only if hoisted. I added microbenchmarks to illustrate the problem
639         and two of them speed up by ~40% while one of them is neutral (Int52 saves us from having
640         problems on that program even though LICM previously did the wrong thing).
641
642         * JavaScriptCore.xcodeproj/project.pbxproj:
643         * bytecode/ExitKind.cpp:
644         (JSC::exitKindToString):
645         * bytecode/ExitKind.h:
646         * dfg/DFGAtTailAbstractState.h:
647         (JSC::DFG::AtTailAbstractState::operator bool):
648         (JSC::DFG::AtTailAbstractState::initializeTo):
649         * dfg/DFGBackwardsCFG.h: Added.
650         (JSC::DFG::BackwardsCFG::BackwardsCFG):
651         * dfg/DFGBackwardsDominators.h: Added.
652         (JSC::DFG::BackwardsDominators::BackwardsDominators):
653         * dfg/DFGCommon.h:
654         (JSC::DFG::checkAndSet): Deleted.
655         * dfg/DFGControlEquivalenceAnalysis.h: Added.
656         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
657         (JSC::DFG::ControlEquivalenceAnalysis::dominatesEquivalently):
658         (JSC::DFG::ControlEquivalenceAnalysis::areEquivalent):
659         * dfg/DFGGraph.cpp:
660         (JSC::DFG::Graph::dump):
661         (JSC::DFG::Graph::dumpBlockHeader):
662         (JSC::DFG::Graph::invalidateCFG):
663         (JSC::DFG::Graph::substituteGetLocal):
        (JSC::DFG::Graph::handleAssertionFailure):
        (JSC::DFG::Graph::ensureDominators):
        (JSC::DFG::Graph::ensurePrePostNumbering):
        (JSC::DFG::Graph::ensureNaturalLoops):
        (JSC::DFG::Graph::ensureBackwardsCFG):
        (JSC::DFG::Graph::ensureBackwardsDominators):
        (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasDebuggerEnabled):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::operator bool):
        (JSC::DFG::InPlaceAbstractState::createValueForNode):
        (JSC::DFG::InPlaceAbstractState::forNode):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGMayExit.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeOrigin.cpp:
        (JSC::DFG::NodeOrigin::dump):
        * dfg/DFGNodeOrigin.h:
        (JSC::DFG::NodeOrigin::takeValidExit):
        (JSC::DFG::NodeOrigin::withWasHoisted):
        (JSC::DFG::NodeOrigin::forInsertingAfter):
        * dfg/DFGNullAbstractState.h: Added.
        (JSC::DFG::NullAbstractState::NullAbstractState):
        (JSC::DFG::NullAbstractState::operator bool):
        (JSC::DFG::NullAbstractState::forNode):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
        (JSC::FTL::OSRExit::OSRExit):
        * ftl/FTLOSRExit.h:

2016-05-19  Mark Lam  <mark.lam@apple.com>

        Code that null checks the VM pointer before any use should ref the VM.
        https://bugs.webkit.org/show_bug.cgi?id=157864

        Reviewed by Filip Pizlo and Keith Miller.

        JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
        through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
        after their null checks.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::vm):
        (JSC::CodeBlock::setVM): Deleted.
        - Not used, and suggests that it can be changed during the lifetime of the
          CodeBlock (which should not be).

        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * runtime/JSLock.cpp:
        (JSC::JSLock::willReleaseLock):
        - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
          the raw VM pointer.  This makes the null check a strong guarantee that the
          VM pointer is valid while these functions are using it.

2016-05-19  Saam barati  <sbarati@apple.com>

        arrow function lexical environment should reuse the same environment as the function's lexical environment where possible
        https://bugs.webkit.org/show_bug.cgi?id=157908

        Reviewed by Filip Pizlo.

        We can safely combine these two environments when we have
        a simple parameter list (no default parameters, no destructuring parameters).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        * bytecompiler/BytecodeGenerator.h:

2016-05-19  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix.

        Skipping this new test as it times out on the bots.

        Issue tracked in https://bugs.webkit.org/show_bug.cgi?id=157903

        * tests/stress/regress-157595.js:
        (MyRegExp):

2016-05-19  Guillaume Emont  <guijemont@igalia.com>

        JSC: DFG::SpeculativeJIT::compile special case for MIPS for PutByValWithThis
        https://bugs.webkit.org/show_bug.cgi?id=157741

        Reviewed by Saam Barati.

        The PutByValWithThis case needs a special case for MIPS because we
        don't have enough registers. The special case needs to be different
        from the x86 one because we have a different ABI.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-05-19  Brian Burg  <bburg@apple.com>

        Web Inspector: use a consistent prefix for injected scripts
        https://bugs.webkit.org/show_bug.cgi?id=157715
        <rdar://problem/26287188>

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/InjectedScriptSource.js:

2016-05-19  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Remove redefined macro after r200606
        https://bugs.webkit.org/show_bug.cgi?id=157890

        Reviewed by Michael Saboff.

        * bytecode/PolymorphicAccess.cpp:
        * jit/CCallHelpers.h:

2016-05-18  Saam barati  <sbarati@apple.com>

        Function with default parameter values that are arrow functions that capture this isn't working
        https://bugs.webkit.org/show_bug.cgi?id=157786
        <rdar://problem/26327329>

        Reviewed by Geoffrey Garen.

        To make the scopes ordered properly, I needed to initialize the arrow
        function lexical environment before initializing default parameter values.
        I also made the code easier to reason about by never reusing the function's
        var lexical environment for the arrow function lexical environment. The
        reason for this is that that code was wrong, and we just didn't have code
        that properly tested it. It was easy for that code to be wrong because
        sometimes the function's lexical environment isn't the top-most scope
        (namely, when a function's parameter list is non-simple) and sometimes
        it is (when the function's parameter list is simple).

        Also, because a function's default parameter values may capture the
        'arguments' variable inside an arrow function, I needed to take care
        to initialize the 'arguments' variable as part of whichever scope
        is the top-most scope. It's either the function's var environment
        if the parameter list is simple, or it's the function's parameter
        environment if the parameter list is non-simple.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::initializeParameters):
        (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
        (JSC::BytecodeGenerator::visibleNameForParameter):
        * bytecompiler/BytecodeGenerator.h:
        * tests/stress/arrow-functions-as-default-parameter-values.js: Added.
        (assert):
        (test):
        (test.foo):
        * tests/stress/op-push-name-scope-crashes-profiler.js:
        (test):

2016-05-18  Michael Saboff  <msaboff@apple.com>

        r199812 broke test262
        https://bugs.webkit.org/show_bug.cgi?id=157595

        Reviewed by Filip Pizlo.

        Added a reasonable limit to the size of the match result array to catch possible
        infinite loops when matching.
        Added a new test that creates an infinite loop in RegExp.prototype.[Symbol.match]
        by creating a subclass of RegExp where the base RegExp's global flag is false and
        the subclass overrides .global with a getter that always returns true.

        * builtins/RegExpPrototype.js:
        (match):
        * tests/stress/regress-157595.js: Added.
        (MyRegExp):
        (MyRegExp.prototype.get global):
        (test):
        (catch):
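
The failure mode the entry above describes, modelled as an added example (this is not the ChangeLog's or JSC's own code, and it is not the contents of regress-157595.js). The spec's @@match loop trusts the observable `global` property when deciding whether to iterate, but the intrinsic exec only advances `lastIndex` when the regexp's real flags contain "g"; a subclass whose `global` getter returns true over a non-global regexp therefore yields the same match forever. The `boundedMatch` function below reproduces the loop in plain JavaScript with a cap on the number of collected matches, so a non-progressing loop fails loudly instead of hanging. `MAX_MATCHES`, `boundedMatch`, `LyingRegExp` and the helper functions are all names constructed for this example; the 128 cap is a constructed value, not JSC's limit.

```javascript
// Added example, not JSC's code: a spec-shaped RegExp.prototype[Symbol.match]
// loop with an iteration bound. MAX_MATCHES is a constructed value.
const MAX_MATCHES = 128;

// Spec-style RegExpExec: the built-in exec consults the regexp's *real*
// flags, so it only advances lastIndex for a truly global/sticky regexp.
function regExpExec(rx, str) {
  return RegExp.prototype.exec.call(rx, str);
}

// Mirrors the spec: consult the (possibly overridden) `global` property to
// decide whether to loop, but refuse to loop without bound.
function boundedMatch(rx, str) {
  if (!rx.global) {
    return regExpExec(rx, str);
  }
  rx.lastIndex = 0;
  const results = [];
  for (;;) {
    const result = regExpExec(rx, str);
    if (result === null) {
      return results.length === 0 ? null : results;
    }
    if (results.length >= MAX_MATCHES) {
      // The regexp keeps reporting matches but never makes progress.
      throw new RangeError('regexp match did not terminate within ' + MAX_MATCHES + ' matches');
    }
    const matchStr = String(result[0]);
    results.push(matchStr);
    if (matchStr === '') {
      // Simplified AdvanceStringIndex (no surrogate-pair handling) so an
      // empty match cannot stall the loop either.
      rx.lastIndex = rx.lastIndex + 1;
    }
  }
}

// Constructed adversarial subclass: the underlying regexp is not global,
// but the `global` getter claims it is.
class LyingRegExp extends RegExp {
  get global() { return true; }
}

// Well-behaved global regexp: the loop terminates normally.
function honestCase() {
  return boundedMatch(/a/g, 'banana'); // ['a', 'a', 'a']
}

// Non-global regexp: a single exec result is returned; its index is 1.
function nonGlobalIndex() {
  return boundedMatch(/a/, 'banana').index;
}

// Lying subclass: without the bound this would spin forever; with it the
// caller gets a RangeError.
function lyingCaseThrows() {
  try {
    boundedMatch(new LyingRegExp('a'), 'banana');
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}
```

The cap is deliberately a cheap, last-line check: the loop still behaves exactly like the spec for ordinary inputs, and the only observable change is that a regexp which reports more than `MAX_MATCHES` matches without the engine-side `lastIndex` moving is rejected rather than allowed to consume the thread.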

2016-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Namespace object re-export should be handled as local export
        https://bugs.webkit.org/show_bug.cgi?id=157806

        Reviewed by Mark Lam.

        We align the implementation of ExportEntry to the spec; remove Type::Namespace.
        This Type::Namespace is used for re-exported namespace object binding. For example,

            import * as namespace from "namespace.js"
            export { namespace }

        In the above case, we used ExportEntry(Type::Namespace). In this patch, we drop this
        and use normal local export (Type::Local) instead because the namespace object actually has
        the local binding in the above module environment. And this handling strictly meets the
        spec (Sec 15.2.1.16.1 step 11-a-ii-2-b).

        And we also clean up the ExportEntry implementation; dropping unnecessary information.
        This change fixes the test262/test/language/module-code/instn-star-equality.js crash.

        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::exportVariable):
        * runtime/JSModuleRecord.cpp:
        (JSC::getExportedNames):
        (JSC::JSModuleRecord::dump): Deleted.
        * runtime/JSModuleRecord.h:
        * tests/modules/namespace-re-export.js: Added.
        * tests/modules/namespace-re-export/namespace-re-export-fixture.js: Added.
        * tests/modules/namespace-re-export/namespace-re-export.js: Added.
        * tests/modules/resources/assert.js:
        (export.shouldNotBe):

2016-05-17  Filip Pizlo  <fpizlo@apple.com>

        JSC should detect the right default locale even when it's not embedded in WebCore
        https://bugs.webkit.org/show_bug.cgi?id=157755
        rdar://problem/24665424

        Reviewed by Keith Miller.

        This makes JSC try to use WTF's platform user preferred language detection if the DOM did
        not register a defaultLanguage callback. The result is that when JSC runs standalone it
        will detect the platform user preferred language almost the same way as when it's embedded
        in WebCore. The only difference is that WebCore may have its own additional overrides via
        the WK API. But in the absence of overrides, WebCore uses the same WTF logic that JSC falls
        back to.

        We first found this bug because on iOS, the intl tests would fail because ICU would report
        a somewhat bogus locale on that platform. Prior to this change, standalone JSC would fall
        back to ICU's locale detection. It turns out that the ICU default locale is also bogus on
        OS X, just less so. For example, setting things to Poland did not result in the jsc shell
        printing dates Polish-style. Now it will print them Polish-style if your system preferences
        say so. Also, the tests don't fail on iOS anymore.

        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):

2016-05-17  Dean Jackson  <dino@apple.com>

        Remove ES6_GENERATORS flag
        https://bugs.webkit.org/show_bug.cgi?id=157815
        <rdar://problem/26332894>

        Reviewed by Geoffrey Garen.

        This flag isn't needed. Generators are enabled everywhere and
        part of a stable specification.

        * Configurations/FeatureDefines.xcconfig:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionDeclaration): Deleted.
        (JSC::Parser<LexerType>::parseClass): Deleted.
        (JSC::Parser<LexerType>::parseExportDeclaration): Deleted.
        (JSC::Parser<LexerType>::parseAssignmentExpression): Deleted.
        (JSC::Parser<LexerType>::parseProperty): Deleted.
        (JSC::Parser<LexerType>::parseFunctionExpression): Deleted.

2016-05-17  Keith Miller  <keith_miller@apple.com>

        Rollout r200426 since it causes PLT regressions.
        https://bugs.webkit.org/show_bug.cgi?id=157812

        Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.

2016-05-17  Keith Miller  <keith_miller@apple.com>

        Add test262 harness support code
        https://bugs.webkit.org/show_bug.cgi?id=157797

        Reviewed by Filip Pizlo.

        This patch adds some new tooling needed to run Test262 with the jsc
        CLI. There were three options that needed to be added for Test262:

        1) "--test262-async" This option overrides the print function in the test runner to look for
        'Test262:AsyncTestComplete' instead of printing the passed text. If test262-async mode is on
        and that string is not passed then the test is marked as failing.

        2) "--strict-file=<file>" This option appends `"use strict";\n` to the beginning of the
        passed file before passing the source code to the VM. This option can, in theory, be passed
        multiple times.

        3) "--exception=<name>" This option asserts that at the end of the last script file passed
        the VM has an uncaught exception with its name property equal to the passed name.

        * jsc.cpp:
        (Script::Script):
        (fillBufferWithContentsOfFile):
        (functionPrint):
        (checkUncaughtException):
        (runWithScripts):
        (printUsageStatement):
        (CommandLine::parseArguments):
        (runJSC):

2016-05-17  Filip Pizlo  <fpizlo@apple.com>

        WTF should know about Language
        https://bugs.webkit.org/show_bug.cgi?id=157756

        Reviewed by Geoffrey Garen.

        Teach our scripts that an ObjC class beginning with WTF is totally cool.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2016-05-17  Joseph Pecoraro  <pecoraro@apple.com>

        console namespace breaks putting properties on console.__proto__
        https://bugs.webkit.org/show_bug.cgi?id=157782
        <rdar://problem/26250526>

        Reviewed by Geoffrey Garen.

        Some websites currently depend on console.__proto__ existing and being
        a separate object from Object.prototype. This patch adds back a basic
        console.__proto__ object, but all the console functions are left on
        the ConsoleObject itself.

        * runtime/JSGlobalObject.cpp:
        (JSC::createConsoleProperty):

2016-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, dump more information when math-pow-stable-results.js failed
        https://bugs.webkit.org/show_bug.cgi?id=157168

        * tests/stress/math-pow-stable-results.js:

2016-05-16  Saam barati  <sbarati@apple.com>

        ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
        https://bugs.webkit.org/show_bug.cgi?id=157770

        Reviewed by Filip Pizlo.

        ShadowChicken was reading the scope from a half formed
        frame as it threw a stack overflow exception. The frame had
        a valid CodeBlock pointer, but it did not have a valid scope.
        The code in ShadowChicken's throw packet logging mechanism didn't
        account for this. The fix is to respect whether genericUnwind wants
        to unwind from the current frame or the caller's frame. For stack
        overflow errors, we always unwind the caller's frame.

        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):

2016-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r200208): It made 2 JSC stress tests fail on x86
        https://bugs.webkit.org/show_bug.cgi?id=157168

        Reviewed by Benjamin Poulain.

        The fast path in operationMathPow produces different results between x87 and the other environments.
        This is because x87 calculates the double value in 80bit precision.
        The situation is the following: in x86 32bit environment, floating point operations are compiled to
        x87 operations by default even if we can use SSE2. But in DFG environment, we aggressively use SSE2
        if the cpuid reports SSE2 is available. As a result, the implementations differ between C runtime
        and DFG JIT code. The C runtime uses x87 while DFG JIT code uses SSE2. This causes a precision
        problem since x87 has 80bit precision while SSE2 has 64bit precision.

        In this patch, in x86 32bit environment, we use `volatile double` if `-mfpmath=sse` and `-msse2` (or later)
        are not specified. This will round the x87 value into 64bit after each multiplication. Note that this problem does not
        occur in OS X clang 32bit environment. This is because `-mfpmath=sse` is enabled by default in OS X clang 32bit.

        * b3/B3MathExtras.cpp:
        (JSC::B3::powDoubleInt32):
        * runtime/MathCommon.cpp:
        (JSC::operationMathPow):

2016-05-16  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] "return this" in a constructor does not need a branch on isObject(this)
        https://bugs.webkit.org/show_bug.cgi?id=157775

        Reviewed by Saam Barati and Ryosuke Niwa.

        When returning "this" in a constructor, the bytecode generator was generating:
            is_object         locX, this
            jtrue             locX, 5(->second ret)
            ret               this
            ret               this

        That code is eliminated in DFG but it is pretty costly in lower tiers.

        This patch changes bytecode generation to avoid the is_object test
        when possible and not generate two ret if they encode the same thing.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn):

2016-05-16  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove the index check from op_get_by_val/op_put_by_val when the index is constant
        https://bugs.webkit.org/show_bug.cgi?id=157766

        Reviewed by Geoffrey Garen.

        If the index is an integer constant, do not generate the index check.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):

2016-05-16  Benjamin Poulain  <bpoulain@apple.com>

        [JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
        https://bugs.webkit.org/show_bug.cgi?id=157700

        Reviewed by Michael Saboff.

        In general, fillSpeculateInt32() originates from SpeculateInt32
        and the user does not care about the tag.

        This is particularly obvious on Sunspider's math-spectral-norm.js.
        In that test, registers are frequently spilled because of x86's DIV.

        When they are re-filled, they were always tagged.
        Since the loops are small, all the tagging adds up.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):

2016-05-16  Saam barati  <sbarati@apple.com>

        Unreviewed Cloop build fix.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):

2016-05-16  Saam barati  <sbarati@apple.com>

        Hook up ShadowChicken to the debugger to show tail deleted frames
        https://bugs.webkit.org/show_bug.cgi?id=156685
        <rdar://problem/25770521>

        Reviewed by Filip Pizlo and Mark Lam and Joseph Pecoraro.

        The heart of this patch hooks up ShadowChicken to DebuggerCallFrame to
        allow the Web Inspector to display the ShadowChicken's shadow stack.
        This means the Web Inspector can now display tail deleted frames.
        To make this work, I made the necessary changes to ShadowChicken and
        DebuggerCallFrame to allow DebuggerCallFrame to keep the same API
        when representing both machine frames and tail deleted frames.

        - ShadowChicken prologue packets now log the current scope. Tail packets
          log the current scope, the 'this' value, the CodeBlock, and the
          CallSiteIndex. This allows the inspector to not only show the
          tail deleted frame, but also show exactly where the tail call happened (line and column numbers),
          with which scope it executed, and with which 'this' value. This
          patch also allows DebuggerCallFrame to execute console statements
          in a tail deleted frame.

        - I changed ShadowChicken's stack resizing algorithm. ShadowChicken
          now only keeps a maximum number of tail deleted frames in its shadow stack.
          It will happily represent all machine frames without limit. Right now, the
          maximum number of tail deleted frames I chose to keep alive is 128.
          We will keep frames alive starting from the top of the stack. This
          allows us to have a strong defense against runaway memory usage. We will only
          keep around at most 128 "shadow" frames that wouldn't have naturally been kept
          alive by the executing program. We can play around with this number
          if we find that 128 is either too many or too few frames.

        - DebuggerCallFrame is no longer a cheap class to create. When it is created,
          we will eagerly create the entire virtual debugger stack. So I modified the
          existing code to lazily create DebuggerCallFrames only when necessary. We
          used to eagerly create them at each op_debug statement even though we would
          just throw them away if we didn't hit a breakpoint.

        - A valid DebuggerCallFrame will always have a valid CallFrame* pointer
          into the stack. This pointer won't always refer to the logical frame
          that the DebuggerCallFrame represents because a DebuggerCallFrame can
          now represent a tail deleted frame. To do this, DebuggerCallFrame now
          has a ShadowChicken::Frame member variable. This allows DebuggerCallFrame
          to know when it represents a tail deleted frame and gives DebuggerCallFrame
          a mechanism to ask the tail deleted frame for interesting information
          (like its 'this' value, scope, CodeBlock, etc). A tail deleted frame's
          machine frame pointer will be the machine caller of the tail deleted frame
          (or the machine caller of the first of a series of consecutive tail calls).

        - I added a new flag to UnlinkedCodeBlock to indicate when it is compiled
          with debugging opcodes. I did this because ShadowChicken may read a JSScope
          from the machine stack. This is only safe if the machine CodeBlock was
          compiled with debugging opcodes. This is safer than asking if the
          CodeBlock's global object has an interactive debugger enabled because
          it's theoretically possible for the debugger to be enabled while code
          compiled without a debugger is still live on the stack. This field is
          also now used to indicate to the DFGGraph that the interactive debugger
          is enabled.

        - Finally, this patch adds a new field to the Inspector's CallFrame protocol
          object called 'isTailDeleted' to allow the Inspector to know when a
          CallFrame represents a tail deleted frame.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::findPC):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearDebuggerRequests):
        (JSC::CodeBlock::wasCompiledWithDebuggingOpcodes):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes):
        (JSC::UnlinkedCodeBlock::finishCreation):
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitEnter):
        (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
        (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
        (JSC::BytecodeGenerator::emitCallDefineProperty):
        * debugger/Debugger.cpp:
        (JSC::DebuggerPausedScope::DebuggerPausedScope):
        (JSC::DebuggerPausedScope::~DebuggerPausedScope):
        (JSC::Debugger::didReachBreakpoint):
        (JSC::Debugger::currentDebuggerCallFrame):
        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::LineAndColumnFunctor::operator()):
        (JSC::DebuggerCallFrame::create):
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::callerFrame):
        (JSC::DebuggerCallFrame::globalExec):
        (JSC::DebuggerCallFrame::vmEntryGlobalObject):
        (JSC::DebuggerCallFrame::sourceID):
        (JSC::DebuggerCallFrame::functionName):
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::type):
        (JSC::DebuggerCallFrame::thisValue):
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        (JSC::DebuggerCallFrame::invalidate):
        (JSC::DebuggerCallFrame::currentPosition):
        (JSC::DebuggerCallFrame::positionForCallFrame):
        (JSC::DebuggerCallFrame::sourceIDForCallFrame):
        (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor): Deleted.
        (JSC::FindCallerMidStackFunctor::operator()): Deleted.
        (JSC::FindCallerMidStackFunctor::getCallerFrame): Deleted.
        (JSC::DebuggerCallFrame::thisValueForCallFrame): Deleted.
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::isValid):
        (JSC::DebuggerCallFrame::isTailDeleted):
        (JSC::DebuggerCallFrame::create): Deleted.
        (JSC::DebuggerCallFrame::exec): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::~Graph):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addCallSite):
        (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
        (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
        (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
        (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket): Deleted.
        * inspector/InjectedScriptSource.js:
        (InjectedScript.CallFrameProxy):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::thisObject):
        (Inspector::JSJavaScriptCallFrame::isTailDeleted):
        (Inspector::JSJavaScriptCallFrame::type):
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        (Inspector::jsJavaScriptCallFrameIsTailDeleted):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::type):
        (Inspector::JavaScriptCallFrame::scopeChain):
        (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
        (Inspector::JavaScriptCallFrame::isTailDeleted):
        (Inspector::JavaScriptCallFrame::thisValue):
        (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        * inspector/protocol/Debugger.json:
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        (JSC::ShadowChicken::visitChildren):
        (JSC::ShadowChicken::reset):
        * interpreter/ShadowChicken.h:
        (JSC::ShadowChicken::Packet::throwMarker):
        (JSC::ShadowChicken::Packet::prologue):
        (JSC::ShadowChicken::Packet::tail):
        (JSC::ShadowChicken::Frame::Frame):
        (JSC::ShadowChicken::Frame::operator==):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::logShadowChickenProloguePacket):
        (JSC::CCallHelpers::logShadowChickenTailPacket):
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        (JSC::CCallHelpers::setupShadowChickenPacket): Deleted.
        * jit/CCallHelpers.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        (JSC::JIT::emit_op_get_enumerable_length):
        (JSC::JIT::emit_op_resume):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
        (JSC::RegisterSet::argumentGPRS):
        (JSC::RegisterSet::registersToNotSaveForJSCall):
        * jit/RegisterSet.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/Options.h:
        * tests/stress/shadow-chicken-enabled.js:
        (test5a.foo):
        (test5a):
        (test5b.foo):
        (test5b):
        (test6.foo):
        (test6):

2016-05-16  Saam barati  <sbarati@apple.com>

        TypeSet/StructureShape have a flawed sense of JS prototype chains
        https://bugs.webkit.org/show_bug.cgi?id=157760

        Reviewed by Joseph Pecoraro.

        There was an assumption that we would bottom out in "Object". This is
        not true for many reasons. JS objects may not end in Object.prototype.
        Also, our mechanism of grabbing an Object's class name may also not
        bottom out in "Object". We were seeing this in the JS objects we use
        in the InjectedScriptSource.js inspector script.

        * runtime/TypeSet.cpp:
        (JSC::StructureShape::leastCommonAncestor):
        * tests/typeProfiler/weird-prototype-chain.js: Added.
        (wrapper.foo):
        (wrapper.let.o2):
        (wrapper):

2016-05-16  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.

        * API/JSProfilerPrivate.cpp: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
        (JSStartProfiling):
        (JSEndProfiling):
        * API/JSProfilerPrivate.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::profileHookRegister):
        (JSC::BytecodeGenerator::shouldEmitProfileHooks):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
1390         (JSC::DFG::doesGC):
1391         * dfg/DFGFixupPhase.cpp:
1392         (JSC::DFG::FixupPhase::fixupNode):
1393         * dfg/DFGNodeType.h:
1394         * dfg/DFGPredictionPropagationPhase.cpp:
1395         * dfg/DFGSafeToExecute.h:
1396         (JSC::DFG::safeToExecute):
1397         * dfg/DFGSpeculativeJIT32_64.cpp:
1398         (JSC::DFG::SpeculativeJIT::compile):
1399         * dfg/DFGSpeculativeJIT64.cpp:
1400         (JSC::DFG::SpeculativeJIT::compile):
1401         * inspector/InjectedScriptBase.cpp:
1402         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
1403         * inspector/protocol/Timeline.json:
1404         * interpreter/Interpreter.cpp:
1405         (JSC::UnwindFunctor::operator()):
1406         (JSC::Interpreter::execute):
1407         (JSC::Interpreter::executeCall):
1408         (JSC::Interpreter::executeConstruct):
1409         * jit/JIT.cpp:
1410         (JSC::JIT::privateCompileMainPass):
1411         * jit/JIT.h:
1412         * jit/JITOpcodes.cpp:
1413         (JSC::JIT::emit_op_profile_will_call):
1414         (JSC::JIT::emit_op_profile_did_call):
1415         * jit/JITOpcodes32_64.cpp:
1416         (JSC::JIT::emit_op_profile_will_call):
1417         (JSC::JIT::emit_op_profile_did_call):
1418         * jit/JITOperations.cpp:
1419         * jit/JITOperations.h:
1420         * jsc.cpp:
1421         * llint/LLIntSlowPaths.cpp:
1422         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1423         * llint/LLIntSlowPaths.h:
1424         * llint/LowLevelInterpreter.asm:
1425         * parser/ParserModes.h:
1426         * profiler/CallIdentifier.h: Added.
1427         (JSC::CallIdentifier::CallIdentifier):
1428         (JSC::CallIdentifier::functionName):
1429         (JSC::CallIdentifier::url):
1430         (JSC::CallIdentifier::lineNumber):
1431         (JSC::CallIdentifier::columnNumber):
1432         (JSC::CallIdentifier::operator==):
1433         (JSC::CallIdentifier::operator!=):
1434         (JSC::CallIdentifier::Hash::hash):
1435         (JSC::CallIdentifier::Hash::equal):
1436         (JSC::CallIdentifier::hash):
1437         (JSC::CallIdentifier::operator const char*):
1438         (JSC::CallIdentifier::c_str):
1439         (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
1440         (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
1441         * profiler/LegacyProfiler.cpp: Added.
1442         (JSC::LegacyProfiler::profiler):
1443         (JSC::LegacyProfiler::startProfiling):
1444         (JSC::LegacyProfiler::stopProfiling):
1445         (JSC::callFunctionForProfilesWithGroup):
1446         (JSC::LegacyProfiler::suspendProfiling):
1447         (JSC::LegacyProfiler::unsuspendProfiling):
1448         (JSC::LegacyProfiler::willExecute):
1449         (JSC::LegacyProfiler::didExecute):
1450         (JSC::LegacyProfiler::exceptionUnwind):
1451         (JSC::LegacyProfiler::createCallIdentifier):
1452         (JSC::createCallIdentifierFromFunctionImp):
1453         * profiler/LegacyProfiler.h: Added.
1454         (JSC::LegacyProfiler::currentProfiles):
1455         * profiler/Profile.cpp: Added.
1456         (JSC::Profile::create):
1457         (JSC::Profile::Profile):
1458         (JSC::Profile::~Profile):
1459         (JSC::Profile::debugPrint):
1460         (JSC::functionNameCountPairComparator):
1461         (JSC::Profile::debugPrintSampleStyle):
1462         * profiler/Profile.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
1463         * profiler/ProfileGenerator.cpp: Added.
1464         (JSC::ProfileGenerator::create):
1465         (JSC::ProfileGenerator::ProfileGenerator):
1466         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
1467         (JSC::AddParentForConsoleStartFunctor::foundParent):
1468         (JSC::AddParentForConsoleStartFunctor::operator()):
1469         (JSC::ProfileGenerator::addParentForConsoleStart):
1470         (JSC::ProfileGenerator::title):
1471         (JSC::ProfileGenerator::beginCallEntry):
1472         (JSC::ProfileGenerator::endCallEntry):
1473         (JSC::ProfileGenerator::willExecute):
1474         (JSC::ProfileGenerator::didExecute):
1475         (JSC::ProfileGenerator::exceptionUnwind):
1476         (JSC::ProfileGenerator::stopProfiling):
1477         (JSC::ProfileGenerator::removeProfileStart):
1478         (JSC::ProfileGenerator::removeProfileEnd):
1479         * profiler/ProfileGenerator.h: Added.
1480         (JSC::ProfileGenerator::profile):
1481         (JSC::ProfileGenerator::origin):
1482         (JSC::ProfileGenerator::profileGroup):
1483         (JSC::ProfileGenerator::setIsSuspended):
1484         * profiler/ProfileNode.cpp: Added.
1485         (JSC::ProfileNode::ProfileNode):
1486         (JSC::ProfileNode::addChild):
1487         (JSC::ProfileNode::removeChild):
1488         (JSC::ProfileNode::spliceNode):
1489         (JSC::ProfileNode::traverseNextNodePostOrder):
1490         (JSC::ProfileNode::debugPrint):
1491         (JSC::ProfileNode::debugPrintSampleStyle):
1492         (JSC::ProfileNode::debugPrintRecursively):
1493         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
1494         * profiler/ProfileNode.h: Added.
1495         (JSC::ProfileNode::create):
1496         (JSC::ProfileNode::Call::Call):
1497         (JSC::ProfileNode::Call::startTime):
1498         (JSC::ProfileNode::Call::setStartTime):
1499         (JSC::ProfileNode::Call::elapsedTime):
1500         (JSC::ProfileNode::Call::setElapsedTime):
1501         (JSC::ProfileNode::operator==):
1502         (JSC::ProfileNode::callerCallFrame):
1503         (JSC::ProfileNode::callIdentifier):
1504         (JSC::ProfileNode::id):
1505         (JSC::ProfileNode::functionName):
1506         (JSC::ProfileNode::url):
1507         (JSC::ProfileNode::lineNumber):
1508         (JSC::ProfileNode::columnNumber):
1509         (JSC::ProfileNode::parent):
1510         (JSC::ProfileNode::setParent):
1511         (JSC::ProfileNode::calls):
1512         (JSC::ProfileNode::lastCall):
1513         (JSC::ProfileNode::appendCall):
1514         (JSC::ProfileNode::children):
1515         (JSC::ProfileNode::firstChild):
1516         (JSC::ProfileNode::lastChild):
1517         (JSC::ProfileNode::nextSibling):
1518         (JSC::ProfileNode::setNextSibling):
1519         (JSC::ProfileNode::forEachNodePostorder):
1520         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1521         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
1522         * profiler/ProfilerJettisonReason.cpp:
1523         (WTF::printInternal):
1524         * profiler/ProfilerJettisonReason.h:
1525         * runtime/CodeCache.cpp:
1526         (JSC::CodeCache::getGlobalCodeBlock):
1527         (JSC::CodeCache::getProgramCodeBlock):
1528         (JSC::CodeCache::getEvalCodeBlock):
1529         (JSC::CodeCache::getModuleProgramCodeBlock):
1530         * runtime/CodeCache.h:
1531         * runtime/Executable.cpp:
1532         (JSC::ScriptExecutable::newCodeBlockFor):
1533         * runtime/JSGlobalObject.cpp:
1534         (JSC::JSGlobalObject::~JSGlobalObject):
1535         (JSC::JSGlobalObject::hasLegacyProfiler):
1536         (JSC::JSGlobalObject::createProgramCodeBlock):
1537         (JSC::JSGlobalObject::createEvalCodeBlock):
1538         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
1539         * runtime/JSGlobalObject.h:
1540         (JSC::JSGlobalObject::supportsLegacyProfiling):
1541         * runtime/Options.h:
1542         * runtime/VM.cpp:
1543         (JSC::VM::VM):
1544         (JSC::SetEnabledProfilerFunctor::operator()):
1545         (JSC::VM::setEnabledProfiler):
1546         * runtime/VM.h:
1547         (JSC::VM::enabledProfiler):
1548         (JSC::VM::enabledProfilerAddress):
1549
1550 2016-05-16  Konstantin Tokarev  <annulen@yandex.ru>
1551
1552         Unreviewed, fixed typo in a comment.
1553
1554         * assembler/MacroAssembler.h: Replaced "onvenience" with
1555         "convenience".
1556
1557 2016-05-16  Filip Pizlo  <fpizlo@apple.com>
1558
1559         FixupPhase should be more eager to demote bit math to untyped
1560         https://bugs.webkit.org/show_bug.cgi?id=157746
1561
1562         Reviewed by Mark Lam.
1563         
1564         This just makes the logic for how we fixup bit math match the way we do it in other places.
1565         This doesn't affect performance on any major benchmark but it's a big win on new
1566         microbenchmarks added in this change.
1567         
1568         Details:
1569
1570         object-and                                     11.1610+-0.7602     ^      4.8105+-0.1690        ^ definitely 2.3201x faster
1571         object-or                                      11.0845+-0.2487     ^      4.7146+-0.0374        ^ definitely 2.3511x faster
1572         object-xor                                     10.2946+-0.9946     ^      4.7278+-0.0814        ^ definitely 2.1775x faster
1573         object-lshift                                  10.4896+-1.0867     ^      4.7699+-0.0721        ^ definitely 2.1991x faster
1574         object-rshift                                  11.1239+-0.5010     ^      4.7194+-0.0445        ^ definitely 2.3570x faster
1575         object-urshift                                 10.9745+-0.1315     ^      4.7848+-0.0479        ^ definitely 2.2936x faster
1576
1577         * dfg/DFGFixupPhase.cpp:
1578         (JSC::DFG::FixupPhase::fixupNode):
1579
1580 2016-05-15  Michael Saboff  <msaboff@apple.com>
1581
1582         RegExp /y flag incorrect handling of mixed-length alternation
1583         https://bugs.webkit.org/show_bug.cgi?id=157723
1584
1585         Reviewed by Filip Pizlo.
1586
1587         Previously for sticky patterns, we were bailing out and exiting when backtracking
1588         alternatives with dissimilar match lengths.  Deleted that code.  Instead, for
1589         sticky patterns we need to process the backtracking except for advancing to the
1590         next input index.
1591
1592         * yarr/YarrJIT.cpp:
1593         (JSC::Yarr::YarrGenerator::backtrack):
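
An added example, not from the ChangeLog or from JSC's Yarr sources, that exercises the sticky-flag behaviour this entry fixes: alternatives of different lengths that the engine must backtrack through while the match start stays pinned at lastIndex. The patterns, inputs and helper functions are constructed here for illustration.

```javascript
// Added example, not part of the WebKit ChangeLog or JSC's Yarr code: exercises
// the RegExp /y (sticky) semantics that bug 157723 concerns, alternation whose
// branches have different lengths and so need backtracking within the pattern.
//
// With /y the match must begin exactly at re.lastIndex. On success lastIndex
// advances past the match; on failure it resets to 0. Backtracking between
// alternatives is still allowed, only the search start may not move.

// Attempt a sticky match at `start`; report the text matched and the resulting lastIndex.
function stickyMatchAt(source, input, start) {
  const re = new RegExp(source, "y");
  re.lastIndex = start;
  const m = re.exec(input);
  return { matched: m === null ? null : m[0], lastIndex: re.lastIndex };
}

// Tokenise `input` with a sticky pattern, stopping at the first position where no
// alternative matches. A non-sticky pattern would silently skip ahead instead.
function tokenizeSticky(source, input) {
  const re = new RegExp(source, "y");
  const tokens = [];
  let pos = 0;
  while (pos < input.length) {
    re.lastIndex = pos;
    const m = re.exec(input);
    if (m === null) break;            // sticky: no scanning forward from pos
    if (m[0].length === 0) break;     // guard: an empty match would never advance
    tokens.push(m[0]);
    pos = re.lastIndex;
  }
  return { tokens, stop: pos };
}

// Constructed cases: the first alternative matches a prefix, the rest of the
// pattern then fails, and the engine must back up into the other alternative.
const stickyCases = [
  { source: "(?:a|ab)c", input: "abc", start: 0 },  // shorter branch tried first
  { source: "(?:ab|a)bc", input: "abc", start: 0 }, // longer branch tried first
  { source: "(?:a|ab)c", input: "xabc", start: 0 }, // must fail: match not at lastIndex
  { source: "(?:a|ab)c", input: "xabc", start: 1 },
];

function runStickyCases() {
  return stickyCases.map((c) => ({ ...c, ...stickyMatchAt(c.source, c.input, c.start) }));
}
```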
1594
1595 2016-05-15  Filip Pizlo  <fpizlo@apple.com>
1596
1597         DFG::Plan shouldn't read from its VM once it's been cancelled
1598         https://bugs.webkit.org/show_bug.cgi?id=157726
1599
1600         Reviewed by Saam Barati.
1601         
1602         Plan::vm was a reference, not a pointer, and so wasn't nulled by Plan::cancel(). So, a
1603         cancelled plan may have a dangling pointer to a VM: we could delete the VM after cancelling
1604         the plan.
1605         
1606         Prior to http://trac.webkit.org/changeset/200705, this was probably fine because nobody
1607         would read Plan::vm if the plan was cancelled. But r200705 changed that. It was a hard
1608         regression to spot because usually a cancelled plan will still refer to a valid VM.
1609         
1610         This change fixes the regression and makes it a lot easier to spot the regression in the
1611         future. Plan::vm is now a pointer and we null it in Plan::cancel(). Now if you make this
1612         mistake, you will get a crash anytime the Plan is cancelled, not just anytime the plan is
1613         cancelled and the VM gets deleted. Also, it's now very clear what to do when you want to
1614         use Plan::vm on the cancel path: you can null-check vm; if it's null, assume the worst.
1615         
1616         Because we null the VM of a cancelled plan, we cannot have Safepoint::vm() return the
1617         plan's VM anymore. That's because when we cancel a plan that is at a safepoint, we use the
1618         safepoint's VM to determine whether this is one of our safepoints *after* the plan is
1619         already cancelled. So, Safepoint now has its own copy of m_vm, and that copy gets nulled
1620         when the Safepoint is cancelled. The Safepoint's m_vm will be nulled moments after Plan's
1621         vm gets nulled (see Worklist::removeDeadPlans(), which has a cancel path for Plans in one
1622         loop and a cancel path for Safepoints in the loop after it).
1623
1624         * dfg/DFGJITFinalizer.cpp:
1625         (JSC::DFG::JITFinalizer::finalizeCommon):
1626         * dfg/DFGPlan.cpp:
1627         (JSC::DFG::Plan::Plan):
1628         (JSC::DFG::Plan::computeCompileTimes):
1629         (JSC::DFG::Plan::reportCompileTimes):
1630         (JSC::DFG::Plan::compileInThreadImpl):
1631         (JSC::DFG::Plan::reallyAdd):
1632         (JSC::DFG::Plan::notifyCompiling):
1633         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1634         (JSC::DFG::Plan::cancel):
1635         * dfg/DFGPlan.h:
1636         (JSC::DFG::Plan::canTierUpAndOSREnter):
1637         * dfg/DFGSafepoint.cpp:
1638         (JSC::DFG::Safepoint::cancel):
1639         (JSC::DFG::Safepoint::vm):
1640         * dfg/DFGSafepoint.h:
1641         * dfg/DFGWorklist.cpp:
1642         (JSC::DFG::Worklist::isActiveForVM):
1643         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
1644         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
1645         (JSC::DFG::Worklist::rememberCodeBlocks):
1646         (JSC::DFG::Worklist::visitWeakReferences):
1647         (JSC::DFG::Worklist::removeDeadPlans):
1648         (JSC::DFG::Worklist::runThread):
1649         * ftl/FTLJITFinalizer.cpp:
1650         (JSC::FTL::JITFinalizer::finalizeFunction):
1651
1652 2016-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1653
1654         Modernize Intl constructors; using InternalFunction::createSubclassStructure
1655         https://bugs.webkit.org/show_bug.cgi?id=157082
1656
1657         Reviewed by Darin Adler.
1658
1659         Previously, Intl constructors retrieved "prototype" to inherit the "new.target".
1660         At that time, this mis-assumed that getDirect() always returns a meaningful JS value.
1661         Actually, it returns an empty value if a property does not exist.
1662
1663         Instead of fixing this assertion, we now use InternalFunction::createSubclassStructure
1664         in Intl constructors. It is a modern and preferable way since it can cache the derived
1665         structures in InternalFunction.
1666
1667         This patch also cleans up the workaround in Intl.NumberFormat and Intl.DateTimeFormat.
1668         That code was largely duplicated. This is now extracted into
1669         constructIntlInstanceWithWorkaroundForLegacyIntlConstructor. This cleanup does not
1670         have any behavior changes. They are already tested in LayoutTests/js/intl-datetimeformat
1671         and LayoutTests/js/intl-numberformat.
1672
1673         * JavaScriptCore.xcodeproj/project.pbxproj:
1674         * runtime/IntlCollator.cpp:
1675         (JSC::IntlCollator::create):
1676         * runtime/IntlCollator.h:
1677         * runtime/IntlCollatorConstructor.cpp:
1678         (JSC::constructIntlCollator):
1679         (JSC::callIntlCollator):
1680         * runtime/IntlDateTimeFormat.cpp:
1681         (JSC::IntlDateTimeFormat::create):
1682         * runtime/IntlDateTimeFormat.h:
1683         * runtime/IntlDateTimeFormatConstructor.cpp:
1684         (JSC::constructIntlDateTimeFormat):
1685         (JSC::callIntlDateTimeFormat):
1686         * runtime/IntlDateTimeFormatPrototype.cpp:
1687         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1688         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1689         * runtime/IntlNumberFormat.cpp:
1690         (JSC::IntlNumberFormat::create):
1691         * runtime/IntlNumberFormat.h:
1692         * runtime/IntlNumberFormatConstructor.cpp:
1693         (JSC::constructIntlNumberFormat):
1694         (JSC::callIntlNumberFormat):
1695         * runtime/IntlNumberFormatPrototype.cpp:
1696         (JSC::IntlNumberFormatPrototypeGetterFormat):
1697         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1698         * runtime/IntlObjectInlines.h: Added.
1699         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1700         * tests/stress/intl-constructors-with-proxy.js: Added.
1701         (shouldBe):
1702         (throw.new.Error.Empty):
1703         (throw.new.Error):
1704         (shouldBe.Empty):
1705
1706 2016-05-14  Joseph Pecoraro  <pecoraro@apple.com>
1707
1708         Remove LegacyProfiler
1709         https://bugs.webkit.org/show_bug.cgi?id=153565
1710
1711         Reviewed by Mark Lam.
1712
1713         JavaScriptCore now provides a sampling profiler and it is enabled
1714         by all ports. Web Inspector switched months ago to using the
1715         sampling profiler and displaying its data. Remove the legacy
1716         profiler, as it is no longer being used by anything other than
1717         console.profile and tests. We will update console.profile's
1718         behavior soon to have new behavior and use the sampling data.
1719
1720         * API/JSProfilerPrivate.cpp: Removed.
1721         * API/JSProfilerPrivate.h: Removed.
1722         * CMakeLists.txt:
1723         * JavaScriptCore.xcodeproj/project.pbxproj:
1724         * bytecode/BytecodeList.json:
1725         * bytecode/BytecodeUseDef.h:
1726         (JSC::computeUsesForBytecodeOffset): Deleted.
1727         (JSC::computeDefsForBytecodeOffset): Deleted.
1728         * bytecode/CodeBlock.cpp:
1729         (JSC::CodeBlock::dumpBytecode): Deleted.
1730         * bytecode/UnlinkedFunctionExecutable.cpp:
1731         (JSC::generateUnlinkedFunctionCodeBlock):
1732         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1733         * bytecode/UnlinkedFunctionExecutable.h:
1734         * bytecompiler/BytecodeGenerator.cpp:
1735         (JSC::BytecodeGenerator::BytecodeGenerator):
1736         (JSC::BytecodeGenerator::emitCall):
1737         (JSC::BytecodeGenerator::emitCallVarargs):
1738         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
1739         (JSC::BytecodeGenerator::emitConstructVarargs):
1740         (JSC::BytecodeGenerator::emitConstruct):
1741         * bytecompiler/BytecodeGenerator.h:
1742         (JSC::CallArguments::profileHookRegister): Deleted.
1743         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
1744         * bytecompiler/NodesCodegen.cpp:
1745         (JSC::CallFunctionCallDotNode::emitBytecode):
1746         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1747         (JSC::CallArguments::CallArguments): Deleted.
1748         * dfg/DFGAbstractInterpreterInlines.h:
1749         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
1750         * dfg/DFGByteCodeParser.cpp:
1751         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
1752         * dfg/DFGCapabilities.cpp:
1753         (JSC::DFG::capabilityLevel): Deleted.
1754         * dfg/DFGClobberize.h:
1755         (JSC::DFG::clobberize): Deleted.
1756         * dfg/DFGDoesGC.cpp:
1757         (JSC::DFG::doesGC): Deleted.
1758         * dfg/DFGFixupPhase.cpp:
1759         (JSC::DFG::FixupPhase::fixupNode): Deleted.
1760         * dfg/DFGNodeType.h:
1761         * dfg/DFGPredictionPropagationPhase.cpp:
1762         * dfg/DFGSafeToExecute.h:
1763         (JSC::DFG::safeToExecute): Deleted.
1764         * dfg/DFGSpeculativeJIT32_64.cpp:
1765         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1766         * dfg/DFGSpeculativeJIT64.cpp:
1767         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1768         * inspector/InjectedScriptBase.cpp:
1769         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
1770         * inspector/protocol/Timeline.json:
1771         * interpreter/Interpreter.cpp:
1772         (JSC::UnwindFunctor::operator()): Deleted.
1773         (JSC::Interpreter::execute): Deleted.
1774         (JSC::Interpreter::executeCall): Deleted.
1775         (JSC::Interpreter::executeConstruct): Deleted.
1776         * jit/JIT.cpp:
1777         (JSC::JIT::privateCompileMainPass): Deleted.
1778         * jit/JIT.h:
1779         * jit/JITOpcodes.cpp:
1780         (JSC::JIT::emit_op_profile_will_call): Deleted.
1781         (JSC::JIT::emit_op_profile_did_call): Deleted.
1782         * jit/JITOpcodes32_64.cpp:
1783         (JSC::JIT::emit_op_profile_will_call): Deleted.
1784         (JSC::JIT::emit_op_profile_did_call): Deleted.
1785         * jit/JITOperations.cpp:
1786         * jit/JITOperations.h:
1787         * jsc.cpp:
1788         * llint/LLIntSlowPaths.cpp:
1789         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
1790         * llint/LLIntSlowPaths.h:
1791         * llint/LowLevelInterpreter.asm:
1792         * parser/ParserModes.h:
1793         * profiler/CallIdentifier.h: Removed.
1794         * profiler/LegacyProfiler.cpp: Removed.
1795         * profiler/LegacyProfiler.h: Removed.
1796         * profiler/Profile.cpp: Removed.
1797         * profiler/Profile.h: Removed.
1798         * profiler/ProfileGenerator.cpp: Removed.
1799         * profiler/ProfileGenerator.h: Removed.
1800         * profiler/ProfileNode.cpp: Removed.
1801         * profiler/ProfileNode.h: Removed.
1802         * profiler/ProfilerJettisonReason.cpp:
1803         (WTF::printInternal): Deleted.
1804         * profiler/ProfilerJettisonReason.h:
1805         * runtime/CodeCache.cpp:
1806         (JSC::CodeCache::getGlobalCodeBlock):
1807         (JSC::CodeCache::getProgramCodeBlock):
1808         (JSC::CodeCache::getEvalCodeBlock):
1809         (JSC::CodeCache::getModuleProgramCodeBlock):
1810         * runtime/CodeCache.h:
1811         * runtime/Executable.cpp:
1812         (JSC::ScriptExecutable::newCodeBlockFor):
1813         * runtime/JSGlobalObject.cpp:
1814         (JSC::JSGlobalObject::createProgramCodeBlock):
1815         (JSC::JSGlobalObject::createEvalCodeBlock):
1816         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
1817         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
1818         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
1819         * runtime/JSGlobalObject.h:
1820         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
1821         * runtime/Options.h:
1822         * runtime/VM.cpp:
1823         (JSC::VM::VM): Deleted.
1824         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
1825         (JSC::VM::setEnabledProfiler): Deleted.
1826         * runtime/VM.h:
1827         (JSC::VM::enabledProfiler): Deleted.
1828         (JSC::VM::enabledProfilerAddress): Deleted.
1829
1830 2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>
1831
1832         jsc: samplingProfilerStackTraces() without starting sampling should not cause jsc to crash
1833         https://bugs.webkit.org/show_bug.cgi?id=157704
1834
1835         Reviewed by Saam Barati.
1836
1837         * jsc.cpp:
1838         (functionStartSamplingProfiler):
1839         (functionSamplingProfilerStackTraces):
1840         Throw an exception instead of crashing if we haven't started sampling.
1841
1842         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1843         (Inspector::InspectorScriptProfilerAgent::startTracking):
1844         * runtime/VM.h:
1845         * runtime/VM.cpp:
1846         (JSC::VM::ensureSamplingProfiler):
1847         Switch ensure to returning a reference, like most other ensures.
1848
1849 2016-05-13  Saam barati  <sbarati@apple.com>
1850
1851         DFG/FTL have a few bugs in their reasoning about the scope
1852         https://bugs.webkit.org/show_bug.cgi?id=157696
1853
1854         Reviewed by Benjamin Poulain.
1855
1856         1. When the debugger is enabled, it is easier for the DFG to reason
1857         about the scope register by simply claiming all nodes read the scope
1858         register. This prevents us from ever entering the runtime where we
1859         may take a stack trace but there isn't a scope on the stack.
1860
1861         2. This patch fixes a bug where the FTL compilation wasn't properly
1862         setting the CodeBlock register. It was only doing this when there
1863         was inline data, but when the debugger is enabled, we never inline.
1864         So this code just needed to be removed from that loop. It was never
1865         right for it to be inside the loop.
1866
1867         * dfg/DFGClobberize.h:
1868         (JSC::DFG::clobberize):
1869         * ftl/FTLCompile.cpp:
1870         (JSC::FTL::compile):
1871
1872 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
1873
1874         [JSC] SetLocal without exit do not need phantoms
1875         https://bugs.webkit.org/show_bug.cgi?id=157653
1876
1877         Reviewed by Filip Pizlo.
1878
1879         I made a mistake in r200498.
1880
1881         If a SetLocal cannot possibly exit, we were not clearing
1882         the source of the operand. As a result, we sometimes kept
1883         a value alive up to the end of the block.
1884
1885         That's uncommon because SetLocal typically appears
1886         toward the end of blocks. That's probably why there was
1887         no perf impact with that fix.
1888
1889         * dfg/DFGPhantomInsertionPhase.cpp:
1890
1891 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
1892
1893         [JSC] Move the CheckTierUp function calls out of the main path
1894         https://bugs.webkit.org/show_bug.cgi?id=157668
1895
1896         Reviewed by Mark Lam.
1897
1898         If you have a tiny tiny loop (for example, Sunspider's bits-in-byte),
1899         the size of CheckTierUp is a problem.
1900
1901         On multi-issue CPUs, the node is so big that we do not
1902         get to run anything from the loop in the instruction fetch.
1903
1904         On x86, having a bigger loop also pushes us out of the LSD.
1905
1906         This is a 6% improvement on bits-in-byte. Other Sunspider tests
1907         only improve marginally.
1908
1909         * dfg/DFGSpeculativeJIT.cpp:
1910         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
1911         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
1912         * dfg/DFGSpeculativeJIT.h:
1913         (JSC::DFG::SpeculativeJIT::silentSpill):
1914         (JSC::DFG::SpeculativeJIT::silentFill):
1915         * dfg/DFGSpeculativeJIT64.cpp:
1916         (JSC::DFG::SpeculativeJIT::compile):
1917
1918 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
1919
1920         [JSC] Emit the loads of emitLoadWithStructureCheck() in the order they are used
1921         https://bugs.webkit.org/show_bug.cgi?id=157671
1922
1923         Reviewed by Mark Lam.
1924
1925         This improves the chances of having a value
1926         when issuing the TEST.
1927
1928         * jit/JITPropertyAccess.cpp:
1929         (JSC::JIT::emitLoadWithStructureCheck):
1930
1931 2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>
1932
1933         Web Inspector: Inform augmenting client when inspector controller is destroyed
1934         https://bugs.webkit.org/show_bug.cgi?id=157688
1935         <rdar://problem/25832724>
1936
1937         Reviewed by Timothy Hatcher.
1938
1939         * inspector/JSGlobalObjectInspectorController.cpp:
1940         (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
1941         * inspector/augmentable/AugmentableInspectorControllerClient.h:
1942         There is a weak relationship between the InspectorController and the
1943         AugmentingClient. Let the augmenting client know when the controller
1944         is destroyed so it doesn't try to use us anymore.
1945
1946 2016-05-13  Geoffrey Garen  <ggaren@apple.com>
1947
1948         Runaway malloc memory usage in this simple JSC program
1949         https://bugs.webkit.org/show_bug.cgi?id=157682
1950
1951         Reviewed by Mark Lam.
1952
1953         * heap/WeakSet.cpp:
1954         (JSC::WeakSet::sweep): Whenever we might add a block to
1955         m_logicallyEmptyWeakBlocks, be sure also to sweep a block in
1956         m_logicallyEmptyWeakBlocks. Otherwise, additions might outpace removals
1957         even when all memory is freed.
1958
1959         We do this whenever we *might* add a block and not just whenever we *do*
1960         add a block because we'd like to sweep the entries in
1961         m_logicallyEmptyWeakBlocks promptly even when it's not growing, and this
1962         is a reasonably rate-limited opportunity to do so.
1963
1964 2016-05-13  Mark Lam  <mark.lam@apple.com>
1965
1966         We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
1967         https://bugs.webkit.org/show_bug.cgi?id=157537
1968         <rdar://problem/24794845>
1969
1970         Reviewed by Michael Saboff.
1971
1972         The pre-existing code behaves this way:
1973
1974         1. When JS code throws an exception, it saves callee save registers in
1975            the VM calleeSaveRegistersBuffer.  These values are meant to be restored
1976            to the callee save registers later either at the catch handler or at the
1977            uncaught exception handler.
1978
1979         2. If the Inspector is enabled, the VM will invoke inspector C++ code to inspect
1980            the exception.  That C++ code can change the values of the callee save
1981            registers.
1982
1983            The inspector code in turn re-enters the VM to execute JS inspector code.
1984
1985            The JS inspector code can run hot enough that we do an enterOptimizationCheck
1986            on it.  The enterOptimizationCheck first saves all callee save registers
1987            into the VM calleeSaveRegistersBuffer.
1988
1989            This effectively overwrites the values in the VM calleeSaveRegistersBuffer
1990            from (1).
1991
1992         3. Eventually, execution returns to the catch handler or the uncaught exception
1993            handler which restores the overwritten values in the VM
1994            calleeSaveRegistersBuffer to the callee save registers.
1995
1996            When execution returns to the C++ code that entered the VM before (1), the
1997            values in the callee registers are not what that code expects, and badness
1998            and/or crashes ensue.
1999
2000         This patch applies the following fix:
2001         
2002         1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
2003            This ensures that each VM entry session has its own buffer to use, and will
2004            not corrupt the one from the previous VM entry session.
2005
2006            Delete the VM calleeSaveRegistersBuffer.
2007
2008         2. Change all locations that use the VM calleeSaveRegistersBuffer to use the
2009            calleeSaveRegistersBuffer in the current VMEntryFrame.
2010
2011         3. Rename all uses of the term "VMCalleeSavesBuffer" to
2012            "VMEntryFrameCalleeSavesBuffer".
2013
2014         This fix has been tested on the following configurations:
2015         1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
2016         2. JSC tests on a release ASan build for 32-bit x86.
2017         3. JSC tests on a release normal (non-ASan) build for ARM64.
2018         4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
2019         5. JSC tests on a release ASan CLOOP build for x86_64.
2020
2021         These test runs did not produce any new crashes.  The ASan CLOOP has some
2022         pre-existing crashes which are not due to this patch.
2023
2024         This bug can be tested by running the inspector/debugger/regress-133182.html test
2025         on an ASan build.
2026
2027         * bytecode/PolymorphicAccess.cpp:
2028         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2029         * dfg/DFGJITCompiler.cpp:
2030         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2031         * dfg/DFGOSREntry.cpp:
2032         (JSC::DFG::prepareOSREntry):
2033         * dfg/DFGOSRExitCompiler.cpp:
2034         * dfg/DFGOSRExitCompiler32_64.cpp:
2035         (JSC::DFG::OSRExitCompiler::compileExit):
2036         * dfg/DFGOSRExitCompiler64.cpp:
2037         (JSC::DFG::OSRExitCompiler::compileExit):
2038         * dfg/DFGThunks.cpp:
2039         (JSC::DFG::osrEntryThunkGenerator):
2040         * ftl/FTLCompile.cpp:
2041         (JSC::FTL::compile):
2042         * ftl/FTLLowerDFGToB3.cpp:
2043         (JSC::FTL::DFG::LowerDFGToB3::lower):
2044         * ftl/FTLOSRExitCompiler.cpp:
2045         (JSC::FTL::compileStub):
2046         * interpreter/Interpreter.cpp:
2047         (JSC::UnwindFunctor::operator()):
2048         (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2049         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
2050         * interpreter/Interpreter.h:
2051         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2052         * interpreter/VMEntryRecord.h:
2053         (JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
2054         (JSC::VMEntryRecord::prevTopCallFrame):
2055         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
2056         (JSC::VMEntryFrame::vmEntryRecordOffset):
2057         (JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):
2058         * jit/AssemblyHelpers.cpp:
2059         (JSC::AssemblyHelpers::emitRandomThunk):
2060         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2061         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
2062         * jit/AssemblyHelpers.h:
2063         (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
2064         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2065         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
2066         (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
2067         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.
2068         * jit/JIT.cpp:
2069         (JSC::JIT::emitEnterOptimizationCheck):
2070         (JSC::JIT::privateCompileExceptionHandlers):
2071         * jit/JITOpcodes.cpp:
2072         (JSC::JIT::emit_op_throw):
2073         (JSC::JIT::emit_op_catch):
2074         (JSC::JIT::emitSlow_op_loop_hint):
2075         * jit/JITOpcodes32_64.cpp:
2076         (JSC::JIT::emit_op_throw):
2077         (JSC::JIT::emit_op_catch):
2078         * jit/ThunkGenerators.cpp:
2079         (JSC::throwExceptionFromCallSlowPathGenerator):
2080         (JSC::nativeForGenerator):
2081         * llint/LLIntThunks.cpp:
2082         (JSC::vmEntryRecord):
2083         * llint/LowLevelInterpreter.asm:
2084         * llint/LowLevelInterpreter32_64.asm:
2085         * llint/LowLevelInterpreter64.asm:
2086         * runtime/VM.h:
2087         (JSC::VM::getCTIStub):
2088         (JSC::VM::calleeSaveRegistersBufferOffset): Deleted.
2089         * wasm/WASMFunctionCompiler.h:
2090         (JSC::WASMFunctionCompiler::endFunction):
2091
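As an added illustration (not code from this patch or from JavaScriptCore), here is a small C model of the three steps described above: one buffer shared per VM versus one buffer per VMEntryFrame. A hypothetical three-register callee-save set held in a global stands in for the real register file; the inspector and JIT are reduced to the register writes that matter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model: three callee-save registers, kept in a global that
   stands in for the machine's register file. */
#define NUM_CALLEE_SAVES 3
typedef struct { uint64_t regs[NUM_CALLEE_SAVES]; } CalleeSaves;

static CalleeSaves g_regs;  /* "the machine" */

/* Pre-existing design: one buffer owned by the VM. */
typedef struct { CalleeSaves calleeSaveRegistersBuffer; } VM;
/* Fixed design: one buffer per VM entry session. */
typedef struct { CalleeSaves calleeSaveRegistersBuffer; } VMEntryFrame;

static void saveCalleeSaves(CalleeSaves* buf)          { *buf = g_regs; }
static void restoreCalleeSaves(const CalleeSaves* buf) { g_regs = *buf; }

static void setRegs(uint64_t base) {
    for (int i = 0; i < NUM_CALLEE_SAVES; i++)
        g_regs.regs[i] = base + (uint64_t)i;
}

/* Step 2 of the report: the inspector's JS runs hot enough to hit
   enterOptimizationCheck, which saves the current callee-saves into
   whichever buffer this entry session uses, runs JIT code, and restores. */
static void innerEntrySession(CalleeSaves* buffer) {
    saveCalleeSaves(buffer);     /* enterOptimizationCheck saves */
    setRegs(0x1000);             /* optimized code uses the registers */
    restoreCalleeSaves(buffer);  /* return to the inspector's C++ caller */
}

/* One outer VM entry from C++ that throws, consults the inspector, and
   lands in the catch handler.  Returns true iff the C++ code that entered
   the VM gets its callee-save registers back intact. */
static bool simulateEntrySessions(bool perEntryFrame) {
    VM vm;
    VMEntryFrame outerFrame, innerFrame;
    CalleeSaves* outerBuf = perEntryFrame ? &outerFrame.calleeSaveRegistersBuffer
                                          : &vm.calleeSaveRegistersBuffer;
    CalleeSaves* innerBuf = perEntryFrame ? &innerFrame.calleeSaveRegistersBuffer
                                          : &vm.calleeSaveRegistersBuffer;

    setRegs(0x10);                 /* values the entering C++ code expects back */
    CalleeSaves expected = g_regs;

    saveCalleeSaves(outerBuf);     /* step 1: JS throws, unwinder saves regs   */
    setRegs(0x100);                /* step 2: inspector C++ code changes regs  */
    innerEntrySession(innerBuf);   /*         ...and re-enters the VM          */
    restoreCalleeSaves(outerBuf);  /* step 3: catch handler restores from buf  */

    return memcmp(&g_regs, &expected, sizeof g_regs) == 0;
}

int main(void) {
    printf("per-VM buffer:           caller regs intact = %s\n",
           simulateEntrySessions(false) ? "yes" : "no (clobbered by inner session)");
    printf("per-VMEntryFrame buffer: caller regs intact = %s\n",
           simulateEntrySessions(true) ? "yes" : "no (clobbered by inner session)");
    return 0;
}
```

With the shared per-VM buffer the inner session's save overwrites the outer session's saved values, so the catch handler restores the wrong registers; with one buffer per entry frame each session restores only what it saved.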
2092 2016-05-13  Beth Dakin  <bdakin@apple.com>
2093
2094         Add dyldSPI.h for linked on or after checks, and add one for link preview
2095         https://bugs.webkit.org/show_bug.cgi?id=157401
2096         -and corresponding-
2097         rdar://problem/26253396
2098
2099         Reviewed by Darin Adler.
2100
2101         Import #import <wtf/spi/darwin/dyldSPI.h> which now declares all of the 
2102         needed dyld code.
2103         * API/JSWrapperMap.mm:
2104
2105 2016-05-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2106
2107         Assertion failure for direct eval in non-class method
2108         https://bugs.webkit.org/show_bug.cgi?id=157138
2109
2110         Reviewed by Saam Barati.
2111
2112         This assertion was incorrect. In method definitions in object literals,
2113         it can be sloppy mode, but its DerivedContextType may not be DerivedContextType::None.
2114
2115         * bytecode/EvalCodeCache.h:
2116         (JSC::EvalCodeCache::CacheKey::CacheKey):
2117         (JSC::EvalCodeCache::CacheKey::operator==):
2118         (JSC::EvalCodeCache::CacheKey::Hash::equal):
2119         (JSC::EvalCodeCache::tryGet):
2120         (JSC::EvalCodeCache::getSlow):
2121         * interpreter/Interpreter.cpp:
2122         (JSC::eval):
2123         * tests/stress/direct-eval-in-object-literal-methods.js: Added.
2124         (shouldBe):
2125         (throw.new.Error):
2126         (shouldBe.Parent.prototype.l):
2127         (shouldBe.Parent):
2128         (shouldBe.Derived.prototype.m):
2129         (shouldBe.Derived):
2130
2131 2016-05-13  Skachkov Oleksandr  <gskachkov@gmail.com>
2132
2133         Assertion failure for super() call in arrow function default parameters
2134         https://bugs.webkit.org/show_bug.cgi?id=157079
2135
2136         Reviewed by Saam Barati.
2137
2138         The root of the issue is that in arrow functions we load the bound variables
2139         this/super/new.target just after the input parameters were initialized, and did not
2140         cover the case of default values for function parameters.
2141         The current patch tries to fix the issue by allowing the bound variables to be loaded
2142         earlier, before the input parameters are assigned their default values.
2143
2144         * bytecompiler/BytecodeGenerator.cpp:
2145         (JSC::BytecodeGenerator::BytecodeGenerator):
2146         * tests/stress/arrowfunction-lexical-bind-this-2.js:
2147
2148 2016-05-12  Mark Lam  <mark.lam@apple.com>
2149
2150         Baseline and DFG's JSC_report...CompileTimes needs CodeBlock hashes.
2151         https://bugs.webkit.org/show_bug.cgi?id=157643
2152
2153         Reviewed by Keith Miller.
2154
2155         * runtime/Options.cpp:
2156         (JSC::recomputeDependentOptions):
2157
2158 2016-05-12  Csaba Osztrogonác  <ossy@webkit.org>
2159
2160         Remove ENABLE(ES6_ARROWFUNCTION_SYNTAX) guards
2161         https://bugs.webkit.org/show_bug.cgi?id=157564
2162
2163         Reviewed by Darin Adler.
2164
2165         * Configurations/FeatureDefines.xcconfig:
2166         * parser/Parser.cpp:
2167
2168 2016-05-12  Joseph Pecoraro  <pecoraro@apple.com>
2169
2170         Web Inspector: CRASH getting internal properties of function with no bound arguments causes
2171         https://bugs.webkit.org/show_bug.cgi?id=157613
2172         <rdar://problem/26238754>
2173
2174         Reviewed by Timothy Hatcher.
2175
2176         * inspector/JSInjectedScriptHost.cpp:
2177         (Inspector::JSInjectedScriptHost::getInternalProperties):
2178         Gracefully handle a JSBoundFunction with no bound arguments.
2179         In this case boundArgs is JSValue() which we don't want to
2180         expose as the value of the internal property.
2181
2182 2016-05-11  Benjamin Poulain  <bpoulain@apple.com>
2183
2184         [JSC] Make sure StringRange is passed to Vector by register
2185         https://bugs.webkit.org/show_bug.cgi?id=157603
2186
2187         Reviewed by Darin Adler.
2188
2189         This is bizarre, but on my SDK, Vector::append(StringRange)
2190         is passing the values on the stack.
2191         The two integers are written to the stack, the address given
2192         to append(), then append() reads it back and stores it.
2193
2194         This patch changes the code to use constructAndAppend(), ensuring
2195         the values are used directly.
2196
2197         On my machine, this helps Sunspider and Octane.
2198         This might be something wrong with my SDK but the fix is so easy
2199         that we might as well do this.
2200
2201         * runtime/StringPrototype.cpp:
2202         (JSC::removeUsingRegExpSearch):
2203         (JSC::replaceUsingRegExpSearch):
2204
2205 2016-05-11  Zan Dobersek  <zdobersek@igalia.com>
2206
2207         ARMv7Assembler: suppress a -Wnarrowing warning when compiling with GCC
2208         https://bugs.webkit.org/show_bug.cgi?id=157576
2209
2210         Reviewed by Csaba Osztrogonác.
2211
2212         * assembler/ARMv7Assembler.h:
2213         (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2): Explicitly cast the
2214         `OP_CMP_reg_T2 | left` value to uint16_t, avoiding a narrowing conversion
2215         warning that's being reported when compiling with GCC. The warning is sprung
2216         due to RegisterID (which is the type of `left`) being an enum based on int,
2217         even when the enum itself only declares 23 values.
2218
2219 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2220
2221         Web Inspector: `this` in Scope Chain Sidebar does not have preview, looks poor
2222         https://bugs.webkit.org/show_bug.cgi?id=157602
2223
2224         Reviewed by Timothy Hatcher.
2225
2226         * inspector/InjectedScriptSource.js:
2227         (InjectedScript.CallFrameProxy):
2228         Include a preview when creating the RemoteObject for `this`.
2229
2230 2016-05-11  Keith Miller  <keith_miller@apple.com>
2231
2232         Unreviewed, correct the title of the ChangeLog for r200667.
2233
2234 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2235
2236         JSC test stress/reflect-set.js failing after 200694
2237         https://bugs.webkit.org/show_bug.cgi?id=157586
2238
2239         Unreviewed test rebaseline.
2240
2241         * tests/stress/reflect-set.js:
2242         Update the expected error message. We are in strict mode, so the
2243         improved error message makes sense.
2244
2245 2016-05-11  Filip Pizlo  <fpizlo@apple.com>
2246
2247         Beef up JSC profiler event log
2248         https://bugs.webkit.org/show_bug.cgi?id=157584
2249
2250         Reviewed by Saam Barati.
2251         
2252         Also log more about compilation.
2253
2254         * bytecode/ExecutionCounter.cpp: Changed the meaning of codeBlock to be the codeBlock that is doing the profiling. This will now get the baseline version if it needs it. This is needed for logging the threshold checking event.
2255         (JSC::applyMemoryUsageHeuristics):
2256         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
2257         * dfg/DFGJITCode.cpp: Pass the right codeBlock.
2258         (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
2259         (JSC::DFG::JITCode::optimizeNextInvocation):
2260         (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
2261         (JSC::DFG::JITCode::optimizeSoon):
2262         (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
2263         * dfg/DFGPlan.cpp: Log things about compile times and whether the compiler succeeded or failed.
2264         (JSC::DFG::Plan::computeCompileTimes):
2265         (JSC::DFG::Plan::reportCompileTimes):
2266         (JSC::DFG::Plan::compileInThread):
2267         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2268         * jit/ExecutableAllocatorFixedVMPool.cpp: Make it possible to look at memory usage, though separately from the log, for now.
2269         (JSC::ExecutableAllocator::allocate):
2270         * runtime/Options.h:
2271
2272 2016-05-11  Saam barati  <sbarati@apple.com>
2273
2274         Air may decide to put the result register of an arithmetic snippet in the tag register
2275         https://bugs.webkit.org/show_bug.cgi?id=157548
2276
2277         Reviewed by Filip Pizlo.
2278
2279         This patch adds a new ValueRep to B3 called LateRegister. The semantics
2280         are similar to Register in that it can be used to pin an argument to
2281         a particular register. It differs from ValueRep::Register in that the semantics of
2282         LateRegister are that it is used after the result of the node it's an argument to
2283         is computed. This means that a LateRegister argument will interfere with the result
2284         of a node. LateRegister is not a valid result ValueRep.
2285
2286         This was needed because there was a bug where B3/Air would assign the
2287         result of a patchpoint to the TagTypeNumber register. This broke our
2288         code when we would box a double into a JSValue in a snippet when the
2289         result is the same as the TagTypeNumber register. To fix the issue,
2290         we pass TagMaskRegister and TagTypeNumberRegister as ValueRep::LateRegister
2291         arguments to various patchpoints.
2292
2293         * b3/B3LowerToAir.cpp:
2294         (JSC::B3::Air::LowerToAir::fillStackmap):
2295         * b3/B3PatchpointSpecial.cpp:
2296         (JSC::B3::PatchpointSpecial::admitsStack):
2297         * b3/B3StackmapSpecial.cpp:
2298         (JSC::B3::StackmapSpecial::forEachArgImpl):
2299         (JSC::B3::StackmapSpecial::isArgValidForRep):
2300         * b3/B3Validate.cpp:
2301         * b3/B3ValueRep.cpp:
2302         (JSC::B3::ValueRep::addUsedRegistersTo):
2303         (JSC::B3::ValueRep::dump):
2304         (JSC::B3::ValueRep::emitRestore):
2305         (JSC::B3::ValueRep::recoveryForJSValue):
2306         (WTF::printInternal):
2307         * b3/B3ValueRep.h:
2308         (JSC::B3::ValueRep::reg):
2309         (JSC::B3::ValueRep::lateReg):
2310         (JSC::B3::ValueRep::stack):
2311         (JSC::B3::ValueRep::operator==):
2312         (JSC::B3::ValueRep::isSomeRegister):
2313         (JSC::B3::ValueRep::isReg):
2314         * b3/testb3.cpp:
2315         (JSC::B3::testSpillUseLargerThanDef):
2316         (JSC::B3::testLateRegister):
2317         (JSC::B3::zero):
2318         (JSC::B3::run):
2319         * ftl/FTLLowerDFGToB3.cpp:
2320         (JSC::FTL::DFG::LowerDFGToB3::lower):
2321         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2322         (JSC::FTL::DFG::LowerDFGToB3::getById):
2323         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
2324         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
2325         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
2326
2327 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2328
2329         Improve error messages for accessing arguments.callee and similar getters in strict mode
2330         https://bugs.webkit.org/show_bug.cgi?id=157545
2331
2332         Reviewed by Mark Lam.
2333
2334         * runtime/ClonedArguments.cpp:
2335         (JSC::ClonedArguments::getOwnPropertySlot):
2336         (JSC::ClonedArguments::materializeSpecials):
2337         Provide better error GetterSetter in strict mode.
2338
2339         * runtime/JSFunction.cpp:
2340         (JSC::getThrowTypeErrorGetterSetter):
2341         (JSC::JSFunction::defineOwnProperty):
2342         Provide better error GetterSetter in strict mode.
2343
2344         * runtime/JSGlobalObject.cpp:
2345         (JSC::JSGlobalObject::init):
2346         (JSC::JSGlobalObject::visitChildren):
2347         * runtime/JSGlobalObject.h:
2348         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
2349         (JSC::JSGlobalObject::throwTypeErrorCalleeAndCallerGetterSetter):
2350         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInStrictModeGetterSetter):
2351         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInClassContextGetterSetter):
2352         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter): Deleted.
2353         * runtime/JSGlobalObjectFunctions.cpp:
2354         (JSC::globalFuncThrowTypeErrorCalleeAndCaller):
2355         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInStrictMode):
2356         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInClassContext):
2357         (JSC::globalFuncThrowTypeErrorArgumentsAndCaller): Deleted.
2358         * runtime/JSGlobalObjectFunctions.h:
2359         Rename and expose new handles for new error getter setter native functions.
2360
2361 2016-05-11  Commit Queue  <commit-queue@webkit.org>
2362
2363         Unreviewed, rolling out r200481.
2364         https://bugs.webkit.org/show_bug.cgi?id=157573
2365
2366         it's bad news for asm.js (Requested by pizlo on #webkit).
2367
2368         Reverted changeset:
2369
2370         "Reduce maximum JIT pool size on X86_64."
2371         http://trac.webkit.org/changeset/200481
2372
2373 2016-05-10  Keith Miller  <keith_miller@apple.com>
2374
2375         TypedArray.prototype.slice should not use the byteLength of the passed array for memmove
2376         https://bugs.webkit.org/show_bug.cgi?id=157551
2377         <rdar://problem/26179914>
2378
2379         Reviewed by Michael Saboff.
2380
2381         The TypedArray.prototype.slice function would use the byteLength of the passed array
2382         to determine the amount of data to copy. It should have been using the passed length
2383         times the size of each element. This fixes a crash on JavaPoly.com.
2384
2385         * runtime/JSGenericTypedArrayViewInlines.h:
2386         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2387         * tests/stress/typedarray-slice.js:
2388
2389 2016-05-10  Michael Saboff  <msaboff@apple.com>
2390
2391         REGRESSION(r200447): Unable to build C_LOOP with clang version 800.0.12 or higher
2392         https://bugs.webkit.org/show_bug.cgi?id=157549
2393
2394         Reviewed by Keith Miller.
2395
2396         Disable debug annotations for C_LOOP builds.  They are inline assembly directives,
2397         are unnecessary, and cause syntax errors.
2398
2399         * offlineasm/asm.rb:
2400
2401 2016-05-10  Filip Pizlo  <fpizlo@apple.com>
2402
2403         Internal JSC profiler should have a timestamped log of events for each code block
2404         https://bugs.webkit.org/show_bug.cgi?id=157538
2405
2406         Reviewed by Benjamin Poulain.
2407         
2408         For example, in 3d-cube, I can query the events for MMulti and I get:
2409
2410         1462917476.17083  MMulti#DTZ7qc                          installCode        
2411         1462917476.179663 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
2412         1462917476.179664 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline osrEntry           at bc#49
2413         1462917476.185651 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1011.214233/1717.000000, -707
2414         1462917476.187913 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      installCode        
2415         1462917476.187917 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      osrEntry           at bc#49
2416         1462917476.205365 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      jettison           due to OSRExit, counting = true, detail = (null)
2417         1462917476.205368 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#65: BadCache/FromDFG
2418         1462917476.205369 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
2419         1462917476.205482 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/3434.000000, -1000
2420         1462917476.211547 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/3434.000000, -1000
2421         1462917476.213721 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      installCode        
2422         1462917476.213726 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      osrEntry           at bc#49
2423         1462917476.223976 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      jettison           due to OSRExit, counting = true, detail = (null)
2424         1462917476.223981 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#77: BadCache/FromDFG
2425         1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#94: BadCache/FromDFG
2426         1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
2427         1462917476.224064 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/6868.000000, -1000
2428         1462917476.224151 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/6868.000000, -1000
2429         1462917476.224258 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 3013.000000/6868.000000, -1000
2430         1462917476.224337 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 4023.000000/6868.000000, -1000
2431         1462917476.224425 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 5023.000000/6868.000000, -1000
2432         1462917476.224785 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 6023.396484/6868.000000, -862
2433         1462917476.227669 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      installCode        
2434         1462917476.227675 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      osrEntry           at bc#0
2435         
2436         The output is ugly but useful. We can make it less ugly later.
2437
2438         * CMakeLists.txt:
2439         * JavaScriptCore.xcodeproj/project.pbxproj:
2440         * bytecode/CodeBlock.cpp:
2441         (JSC::CodeBlock::jettison):
2442         * bytecode/CodeBlock.h:
2443         (JSC::ScriptExecutable::forEachCodeBlock):
2444         * bytecode/DFGExitProfile.cpp:
2445         (JSC::DFG::ExitProfile::add):
2446         * dfg/DFGJITFinalizer.cpp:
2447         (JSC::DFG::JITFinalizer::finalizeCommon):
2448         * dfg/DFGOperations.cpp:
2449         * ftl/FTLJITFinalizer.cpp:
2450         (JSC::FTL::JITFinalizer::finalizeFunction):
2451         * jit/JIT.cpp:
2452         (JSC::JIT::privateCompile):
2453         * jit/JITOperations.cpp:
2454         * llint/LLIntSlowPaths.cpp:
2455         (JSC::LLInt::jitCompileAndSetHeuristics):
2456         (JSC::LLInt::entryOSR):
2457         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2458         * profiler/ProfilerCompilation.cpp:
2459         (JSC::Profiler::Compilation::Compilation):
2460         (JSC::Profiler::Compilation::setJettisonReason):
2461         (JSC::Profiler::Compilation::dump):
2462         (JSC::Profiler::Compilation::toJS):
2463         * profiler/ProfilerCompilation.h:
2464         (JSC::Profiler::Compilation::uid):
2465         * profiler/ProfilerDatabase.cpp:
2466         (JSC::Profiler::Database::ensureBytecodesFor):
2467         (JSC::Profiler::Database::notifyDestruction):
2468         (JSC::Profiler::Database::addCompilation):
2469         (JSC::Profiler::Database::toJS):
2470         (JSC::Profiler::Database::registerToSaveAtExit):
2471         (JSC::Profiler::Database::logEvent):
2472         (JSC::Profiler::Database::addDatabaseToAtExit):
2473         * profiler/ProfilerDatabase.h:
2474         * profiler/ProfilerEvent.cpp: Added.
2475         (JSC::Profiler::Event::dump):
2476         (JSC::Profiler::Event::toJS):
2477         * profiler/ProfilerEvent.h: Added.
2478         (JSC::Profiler::Event::Event):
2479         (JSC::Profiler::Event::operator bool):
2480         (JSC::Profiler::Event::time):
2481         (JSC::Profiler::Event::bytecodes):
2482         (JSC::Profiler::Event::compilation):
2483         (JSC::Profiler::Event::summary):
2484         (JSC::Profiler::Event::detail):
2485         * profiler/ProfilerUID.cpp: Added.
2486         (JSC::Profiler::UID::create):
2487         (JSC::Profiler::UID::dump):
2488         (JSC::Profiler::UID::toJS):
2489         * profiler/ProfilerUID.h: Added.
2490         (JSC::Profiler::UID::UID):
2491         (JSC::Profiler::UID::fromInt):
2492         (JSC::Profiler::UID::toInt):
2493         (JSC::Profiler::UID::operator==):
2494         (JSC::Profiler::UID::operator!=):
2495         (JSC::Profiler::UID::operator bool):
2496         (JSC::Profiler::UID::isHashTableDeletedValue):
2497         (JSC::Profiler::UID::hash):
2498         (JSC::Profiler::UIDHash::hash):
2499         (JSC::Profiler::UIDHash::equal):
2500         * runtime/CommonIdentifiers.h:
2501         * runtime/Executable.cpp:
2502         (JSC::ScriptExecutable::installCode):
2503         * runtime/VM.h:
2504         (JSC::VM::bytecodeIntrinsicRegistry):
2505         (JSC::VM::shadowChicken):
2506         * runtime/VMInlines.h:
2507         (JSC::VM::shouldTriggerTermination):
2508         (JSC::VM::logEvent):
2509
2510 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
2511
2512         Web Inspector: Backend should initiate timeline recordings on page navigations to ensure nothing is missed
2513         https://bugs.webkit.org/show_bug.cgi?id=157504
2514         <rdar://problem/26188642>
2515
2516         Reviewed by Brian Burg.
2517
2518         * inspector/protocol/Timeline.json:
2519         Add protocol commands to enable/disable auto capture and list the
2520         instruments that should be enabled when auto capture starts.
2521         Add protocol event for when the backend starts an auto capture.
2522
2523 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
2524
2525         Make the different evaluateWithScopeExtension implementations more consistent
2526         https://bugs.webkit.org/show_bug.cgi?id=157536
2527
2528         Reviewed by Timothy Hatcher.
2529
2530         * inspector/JSInjectedScriptHost.cpp:
2531         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2532         Throw the exception consistent with JSJavaScriptCallFrame.
2533
2534         * inspector/JSJavaScriptCallFrame.cpp:
2535         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2536         Better error message consistent with InjectedScriptHost.
2537
2538         * runtime/Completion.h:
2539         * runtime/Completion.cpp:
2540         (JSC::evaluateWithScopeExtension):
2541         Give this an Exception out parameter like other evaluations
2542         so the caller can decide what to do with it.
2543
2544 2016-05-10  Benjamin Poulain  <bpoulain@apple.com>
2545
2546         [JSC] FTL can produce GetByVal nodes without proper bounds checking
2547         https://bugs.webkit.org/show_bug.cgi?id=157502
2548         rdar://problem/26027027
2549
2550         Reviewed by Filip Pizlo.
2551
2552         It was possible for FTL to generate GetByVal on arbitrary offsets
2553         without any bounds checking.
2554
2555         The bug is caused by the order of optimization phases:
2556         -First, the Integer Range Optimization proves that a CheckInBounds
2557          test can never fail.
2558          This proof is based on control flow or preceding instructions
2559          inside a loop.
2560         -The Loop Invariant Code Motion phase finds that the GetByVal does not
2561          depend on anything in the loop and hoists it out of the loop.
2562         -> As a result, the conditions that were necessary to eliminate
2563            the CheckInBounds are no longer met before the GetByVal.
2564
2565         This patch just moves the Integer Range Optimization phase after
2566         Loop Invariant Code Motion to make sure no code is moved after
2567         its integer range bounds proofs have been used.
2568
2569         * dfg/DFGPlan.cpp:
2570         (JSC::DFG::Plan::compileInThreadImpl):
2571         * tests/stress/bounds-check-not-eliminated-by-licm.js: Added.
2572         (testInLoopTests):
2573
2574 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
2575
2576         Web Inspector: Eliminate the crazy code for evaluateOnCallFrame
2577         https://bugs.webkit.org/show_bug.cgi?id=157510
2578         <rdar://problem/26191332>
2579
2580         Reviewed by Timothy Hatcher.
2581
2582         * debugger/DebuggerCallFrame.cpp:
2583         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2584         Set and clear an optional scope extension object.
2585
2586         * inspector/InjectedScriptSource.js:
2587         (InjectedScript.prototype.evaluate):
2588         (InjectedScript.prototype._evaluateOn):
2589         (InjectedScript.prototype.evaluateOnCallFrame):
2590         Unify the code to use the passed in evaluate function and object.
2591         When evaluating on a call frame the evaluate function ends up being
2592         DebuggerCallFrame::evaluateWithScopeExtension. When evaluating globally
2593         this ends up being JSInjectedScriptHost::evaluateWithScopeExtension.
2594         In both cases "object" is the preferred this object to use.
2595
2596         * debugger/DebuggerCallFrame.h:
2597         * inspector/JSJavaScriptCallFrame.cpp:
2598         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2599         (Inspector::JSJavaScriptCallFrame::evaluate): Deleted.
2600         * inspector/JSJavaScriptCallFrame.h:
2601         * inspector/JSJavaScriptCallFramePrototype.cpp:
2602         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
2603         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
2604         * inspector/JavaScriptCallFrame.h:
2605         (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
2606         (Inspector::JavaScriptCallFrame::evaluate): Deleted.
2607         Pass through to DebuggerCallFrame with the proper arguments.
2608
2609         * debugger/Debugger.cpp:
2610         (JSC::Debugger::hasBreakpoint):
2611         * inspector/ScriptDebugServer.cpp:
2612         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
2613         Use the new evaluate on call frame method name and no scope extension object.
2614
2615 2016-05-10  Saam barati  <sbarati@apple.com>
2616
2617         Make super-property-access.js test run for less time because it was timing out in debug builds.
2618
2619         Rubber stamped by Filip Pizlo.
2620
2621         * tests/stress/super-property-access.js:
2622         (test):
2623         (test.value):
2624         (test.foo):
2625         (test.B.prototype.bar):
2626         (test.B):
2627
2628 2016-05-10  Csaba Osztrogonác  <ossy@webkit.org>
2629
2630         [JSC] Fix the !ENABLE(DFG_JIT) build
2631         https://bugs.webkit.org/show_bug.cgi?id=157512
2632
2633         Reviewed by Mark Lam.
2634
2635         * jit/Repatch.cpp:
2636
2637 2016-05-09  Joseph Pecoraro  <pecoraro@apple.com>
2638
2639         Web Inspector: CRASH under JSC::DebuggerCallFrame::thisValue when hitting breakpoint
2640         https://bugs.webkit.org/show_bug.cgi?id=157442
2641         <rdar://problem/24172015>
2642
2643         Reviewed by Saam Barati.
2644
2645         * debugger/DebuggerCallFrame.cpp:
2646         (JSC::DebuggerCallFrame::thisValueForCallFrame):
2647         When the thisValue is JSValue() return undefined and avoid calling
2648         toThisValue which would lead to a crash. Having `this` be an empty
2649         JSValue could happen inside an ES6 class constructor, before
2650         calling super.
2651
2652 2016-05-09  Filip Pizlo  <fpizlo@apple.com>
2653
2654         Unreviewed, fix cloop.
2655
2656         * bytecode/ValueProfile.cpp:
2657         (JSC::ResultProfile::emitDetectNumericness):
2658         (JSC::ResultProfile::emitSetNonNumber):
2659         * bytecode/ValueProfile.h:
2660         (JSC::ResultProfile::addressOfFlags):
2661         (JSC::ResultProfile::addressOfSpecialFastPathCount):
2662         (JSC::ResultProfile::detectNumericness):
2663         (JSC::ResultProfile::hasBits):
2664
2665 2016-05-09  Michael Saboff  <msaboff@apple.com>
2666
2667         Crash beneath ObjCCallbackFunctionImpl::call
2668         https://bugs.webkit.org/show_bug.cgi?id=157491
2669
2670         Reviewed by Saam Barati.
2671
2672         Clear any exceptions after the micro task runs.
2673
2674         Tried creating a test case, but I don't have source for the app.
2675         I can't seem to find the right combination of Promises and ObjC code.
2676
2677         * runtime/JSJob.cpp:
2678         (JSC::JSJobMicrotask::run):
2679
2680 2016-05-09  Filip Pizlo  <fpizlo@apple.com>
2681
2682         Polymorphic operands in operators coerces downstream values to double.
2683         https://bugs.webkit.org/show_bug.cgi?id=151793
2684
2685         Reviewed by Mark Lam.
2686         
2687         Previously if an object flowed into arithmetic, the prediction propagation phase would either
2688         assume that the output of the arithmetic had to be double or sometimes it would assume that it
2689         couldn't be double. We want it to only assume that the output is double if it actually has been.
2690         
2691         The first part of this patch is to roll out http://trac.webkit.org/changeset/200502. That removed
2692         some of the machinery that we had in place to detect whether the output of an operation is int or
2693         double. That changeset claimed that the machinery was "fundamentally broken". It actually wasn't.
2694         The reason why it didn't work was that ByteCodeParser was ignoring it if likelyToTakeSlowCase was
2695         false. I think this was a complete goof-up: the code in ByteCodeParser::makeSafe was structured
2696         in a way that made it non-obvious that the method is a no-op if !likelyToTakeSlowCase. So, this
2697         change rolls out r200502 and makes ResultProfile do its job by reshaping how makeSafe processes
2698         it.
2699         
2700         This also makes two other changes to shore up ResultProfile:
2701         - OSR exit can now refine a ResultProfile the same way that it refines ValueProfile.
2702         - Baseline JIT slow paths now set bits in ResultProfile.
2703         
2704         Based on this stuff, the DFG now predicts int/double/string in op_add/op_sub/op_mul based on
2705         ResultProfiles. To be conservative, we still only use the ResultProfiles if the incoming
2706         prediction is not number-or-boolean. This ensures that we exactly retain our old behavior in
2707         those cases for which it was tuned. But I hope to remove this soon. I believe that ResultProfile
2708         is already strictly better than what prediction propagation was doing before.
2709         
2710         This can be an enormous win. This patch adds some simple microbenchmarks that demonstrate the
2711         problem of assuming that arithmetic on objects returns double. The most extreme of these speeds
2712         up 8x with this change (object-int-add-array).
2713         
2714         * CMakeLists.txt:
2715         * JavaScriptCore.xcodeproj/project.pbxproj:
2716         * bytecode/CodeBlock.h:
2717         (JSC::CodeBlock::addFrequentExitSite):
2718         (JSC::CodeBlock::hasExitSite):
2719         * bytecode/DFGExitProfile.cpp:
2720         (JSC::DFG::FrequentExitSite::dump):
2721         (JSC::DFG::ExitProfile::ExitProfile):
2722         (JSC::DFG::ExitProfile::~ExitProfile):
2723         (JSC::DFG::ExitProfile::add):
2724         * bytecode/DFGExitProfile.h:
2725         (JSC::DFG::FrequentExitSite::isHashTableDeletedValue):
2726         * bytecode/MethodOfGettingAValueProfile.cpp:
2727         (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
2728         (JSC::MethodOfGettingAValueProfile::emitReportValue):
2729         (JSC::MethodOfGettingAValueProfile::getSpecFailBucket): Deleted.
2730         * bytecode/MethodOfGettingAValueProfile.h:
2731         (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
2732         (JSC::MethodOfGettingAValueProfile::operator bool):
2733         (JSC::MethodOfGettingAValueProfile::operator!): Deleted.
2734         * bytecode/PolymorphicAccess.cpp:
2735         (JSC::AccessCase::generateImpl):
2736         * bytecode/ValueProfile.cpp:
2737         (JSC::ResultProfile::emitDetectBitsLight):
2738         (JSC::ResultProfile::emitSetDouble):
2739         (JSC::ResultProfile::emitSetNonNumber):
2740         (WTF::printInternal):
2741         * bytecode/ValueProfile.h:
2742         (JSC::ResultProfile::ResultProfile):
2743         (JSC::ResultProfile::bytecodeOffset):
2744         (JSC::ResultProfile::specialFastPathCount):
2745         (JSC::ResultProfile::didObserveNonInt32):
2746         (JSC::ResultProfile::didObserveDouble):
2747         (JSC::ResultProfile::didObserveNonNegZeroDouble):
2748         (JSC::ResultProfile::didObserveNegZeroDouble):
2749         (JSC::ResultProfile::didObserveNonNumber):
2750         (JSC::ResultProfile::didObserveInt32Overflow):
2751         (JSC::ResultProfile::didObserveInt52Overflow):
2752         (JSC::ResultProfile::setObservedNonNegZeroDouble):
2753         (JSC::ResultProfile::setObservedNegZeroDouble):
2754         (JSC::ResultProfile::setObservedNonNumber):
2755         (JSC::ResultProfile::setObservedInt32Overflow):
2756         (JSC::ResultProfile::addressOfFlags):
2757         (JSC::ResultProfile::addressOfSpecialFastPathCount):
2758         (JSC::ResultProfile::detectBitsLight):
2759         (JSC::ResultProfile::hasBits):
2760         * dfg/DFGByteCodeParser.cpp:
2761         (JSC::DFG::ByteCodeParser::makeSafe):
2762         * dfg/DFGFixupPhase.cpp:
2763         (JSC::DFG::FixupPhase::fixupNode):
2764         * dfg/DFGGraph.cpp:
2765         (JSC::DFG::Graph::ensureNaturalLoops):
2766         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2767         (JSC::DFG::Graph::valueProfileFor): Deleted.
2768         * dfg/DFGGraph.h:
2769         (JSC::DFG::Graph::hasExitSite):
2770         (JSC::DFG::Graph::numBlocks):
2771         * dfg/DFGNode.h:
2772         (JSC::DFG::Node::arithNodeFlags):
2773         (JSC::DFG::Node::mayHaveNonIntResult):
2774         (JSC::DFG::Node::mayHaveDoubleResult):
2775         (JSC::DFG::Node::mayHaveNonNumberResult):
2776         (JSC::DFG::Node::hasConstantBuffer):
2777         * dfg/DFGNodeFlags.cpp:
2778         (JSC::DFG::dumpNodeFlags):
2779         * dfg/DFGNodeFlags.h:
2780         * dfg/DFGOSRExitCompiler32_64.cpp:
2781         (JSC::DFG::OSRExitCompiler::compileExit):
2782         * dfg/DFGOSRExitCompiler64.cpp:
2783         (JSC::DFG::OSRExitCompiler::compileExit):
2784         * dfg/DFGOperations.cpp:
2785         * dfg/DFGOperations.h:
2786         * dfg/DFGPredictionPropagationPhase.cpp:
2787         * dfg/DFGSpeculativeJIT.h:
2788         (JSC::DFG::SpeculativeJIT::callOperation):
2789         * ftl/FTLOSRExitCompiler.cpp:
2790         (JSC::FTL::compileStub):
2791         * jit/AssemblyHelpers.h:
2792         (JSC::AssemblyHelpers::branchIfEqual):
2793         (JSC::AssemblyHelpers::branchIfNotCell):
2794         (JSC::AssemblyHelpers::branchIfNotNumber):
2795         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
2796         (JSC::AssemblyHelpers::branchIfBoolean):
2797         (JSC::AssemblyHelpers::branchIfEmpty):
2798         (JSC::AssemblyHelpers::branchStructure):
2799         * jit/CCallHelpers.h:
2800         (JSC::CCallHelpers::CCallHelpers):
2801         (JSC::CCallHelpers::setupArguments):
2802         (JSC::CCallHelpers::setupArgumentsWithExecState):
2803         * jit/IntrinsicEmitter.cpp:
2804         (JSC::AccessCase::emitIntrinsicGetter):
2805         * jit/JIT.h:
2806         * jit/JITAddGenerator.cpp:
2807         (JSC::JITAddGenerator::generateFastPath):
2808         * jit/JITAddGenerator.h:
2809         (JSC::JITAddGenerator::JITAddGenerator):
2810         * jit/JITArithmetic.cpp:
2811         (JSC::JIT::emit_op_add):
2812         (JSC::JIT::emitSlow_op_add):
2813         (JSC::JIT::emit_op_div):
2814         (JSC::JIT::emit_op_mul):
2815         (JSC::JIT::emitSlow_op_mul):
2816         (JSC::JIT::emit_op_sub):
2817         (JSC::JIT::emitSlow_op_sub):
2818         * jit/JITInlines.h:
2819         (JSC::JIT::callOperation):
2820         (JSC::JIT::callOperationNoExceptionCheck):
2821         * jit/JITMulGenerator.cpp:
2822         (JSC::JITMulGenerator::generateFastPath):
2823         * jit/JITOperations.cpp:
2824         * jit/JITOperations.h:
2825         * jit/JITSubGenerator.cpp:
2826         (JSC::JITSubGenerator::generateFastPath):
2827         * jit/JITSubGenerator.h:
2828         (JSC::JITSubGenerator::JITSubGenerator):
2829         * jit/TagRegistersMode.cpp: Added.
2830         (WTF::printInternal):
2831         * jit/TagRegistersMode.h: Added.
2832         * runtime/CommonSlowPaths.cpp:
2833         (JSC::updateResultProfileForBinaryArithOp):
2834
2835 2016-05-09  Keith Miller  <keith_miller@apple.com>
2836
2837         CallObjectConstructor should not call operationToThis in the FTL
2838         https://bugs.webkit.org/show_bug.cgi?id=157492
2839         <rdar://problem/26149904>
2840
2841         Reviewed by Mark Lam.
2842
2843         At some point when I was working on intrinsifying the Object
2844         constructor, I realized that the Object constructor was different
2845         from the ToObject operation. I fixed the DFG but I guess I didn't
2846         fix the FTL.
2847
2848         This patch fixes an issue with www.wunderground.com not loading
2849         the 10-day forecast and local map.
2850
2851         * ftl/FTLLowerDFGToB3.cpp:
2852         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
2853         * tests/stress/call-object-constructor.js: Added.
2854         (test):
2855         (assert):
2856
2857 2016-05-09  Saam barati  <sbarati@apple.com>
2858
2859         Getter and setter on super are called with wrong "this" object
2860         https://bugs.webkit.org/show_bug.cgi?id=147064
2861         <rdar://problem/21885916>
2862
2863         Reviewed by Filip Pizlo.
2864
2865         This patch implements calls to 'super' getters and setters.
2866         The problem before was that we were passing the 'super' (i.e., the prototype
2867         object) as the this value to these getters/setters, which is wrong.
2868         We should be passing the caller's this value.
2869
2870         To implement this behavior, I've introduced four new opcodes and their corresponding DFG nodes:
2871         - op_get_by_id_with_this | GetByIdWithThis
2872         - op_put_by_id_with_this | PutByIdWithThis
2873         - op_get_by_val_with_this | GetByValWithThis
2874         - op_put_by_val_with_this | PutByValWithThis
2875
2876         These are implemented with no optimizations. The future plan is 
2877         to unite them with the *by_id and *by_val opcodes and nodes:
2878         https://bugs.webkit.org/show_bug.cgi?id=157215
2879
2880         * bytecode/BytecodeList.json:
2881         * bytecode/BytecodeUseDef.h:
2882         (JSC::computeUsesForBytecodeOffset):
2883         (JSC::computeDefsForBytecodeOffset):
2884         * bytecode/CodeBlock.cpp:
2885         (JSC::CodeBlock::dumpBytecode):
2886         * bytecompiler/BytecodeGenerator.cpp:
2887         (JSC::BytecodeGenerator::emitGetById):
2888         (JSC::BytecodeGenerator::emitPutById):
2889         (JSC::BytecodeGenerator::emitDirectPutById):
2890         (JSC::BytecodeGenerator::emitGetByVal):
2891         (JSC::BytecodeGenerator::emitPutByVal):
2892         (JSC::BytecodeGenerator::emitDirectPutByVal):
2893         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
2894         (JSC::BytecodeGenerator::ensureThis):
2895         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
2896         * bytecompiler/BytecodeGenerator.h:
2897         * bytecompiler/NodesCodegen.cpp:
2898         (JSC::ThisNode::emitBytecode):
2899         (JSC::emitHomeObjectForCallee):
2900         (JSC::emitSuperBaseForCallee):
2901         (JSC::emitGetSuperFunctionForConstruct):
2902         (JSC::SuperNode::emitBytecode):
2903         (JSC::NewTargetNode::emitBytecode):
2904         (JSC::TaggedTemplateNode::emitBytecode):
2905         (JSC::BracketAccessorNode::emitBytecode):
2906         (JSC::DotAccessorNode::emitBytecode):
2907         (JSC::FunctionCallValueNode::emitBytecode):
2908         (JSC::FunctionCallBracketNode::emitBytecode):
2909         (JSC::FunctionCallDotNode::emitBytecode):
2910         (JSC::CallFunctionCallDotNode::emitBytecode):
2911         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2912         (JSC::PostfixNode::emitBracket):
2913         (JSC::PostfixNode::emitDot):
2914         (JSC::PrefixNode::emitBracket):
2915         (JSC::PrefixNode::emitDot):
2916         (JSC::AssignDotNode::emitBytecode):
2917         (JSC::ReadModifyDotNode::emitBytecode):
2918         (JSC::AssignBracketNode::emitBytecode):
2919         (JSC::ReadModifyBracketNode::emitBytecode):
2920         (JSC::ForInNode::emitLoopHeader):
2921         (JSC::ForOfNode::emitBytecode):
2922         (JSC::AssignmentElementNode::bindValue):
2923         * dfg/DFGAbstractInterpreterInlines.h:
2924         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2925         * dfg/DFGByteCodeParser.cpp:
2926         (JSC::DFG::ByteCodeParser::parseBlock):
2927         * dfg/DFGCapabilities.cpp:
2928         (JSC::DFG::capabilityLevel):
2929         * dfg/DFGClobberize.h:
2930         (JSC::DFG::clobberize):
2931         * dfg/DFGDoesGC.cpp:
2932         (JSC::DFG::doesGC):
2933         * dfg/DFGFixupPhase.cpp:
2934         (JSC::DFG::FixupPhase::fixupNode):
2935         * dfg/DFGNode.h:
2936         (JSC::DFG::Node::hasIdentifier):
2937         * dfg/DFGNodeType.h:
2938         * dfg/DFGOperations.cpp:
2939         (JSC::DFG::newTypedArrayWithSize):
2940         (JSC::DFG::putWithThis):
2941         * dfg/DFGOperations.h:
2942         * dfg/DFGPredictionPropagationPhase.cpp:
2943         * dfg/DFGSafeToExecute.h:
2944         (JSC::DFG::safeToExecute):
2945         * dfg/DFGSpeculativeJIT.h:
2946         (JSC::DFG::SpeculativeJIT::callOperation):
2947         * dfg/DFGSpeculativeJIT32_64.cpp:
2948         (JSC::DFG::SpeculativeJIT::compile):
2949         * dfg/DFGSpeculativeJIT64.cpp:
2950         (JSC::DFG::SpeculativeJIT::compile):
2951         * ftl/FTLCapabilities.cpp:
2952         (JSC::FTL::canCompile):
2953         * ftl/FTLLowerDFGToB3.cpp:
2954         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2955         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2956         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
2957         (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
2958         (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
2959         (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
2960         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
2961         * jit/CCallHelpers.cpp:
2962         (JSC::CCallHelpers::setupShadowChickenPacket):
2963         (JSC::CCallHelpers::setupFourStubArgsGPR):
2964         * jit/CCallHelpers.h:
2965         (JSC::CCallHelpers::setupArgumentsWithExecState):
2966         (JSC::CCallHelpers::setupThreeStubArgsGPR):
2967         (JSC::CCallHelpers::setupTwoStubArgsFPR):
2968         (JSC::CCallHelpers::setupStubArguments134):
2969         * jit/GPRInfo.h:
2970         (JSC::argumentRegisterFor): Deleted.
2971         * jit/JIT.cpp:
2972         (JSC::JIT::privateCompileMainPass):
2973         * jit/JIT.h:
2974         * jit/JITOperations.h:
2975         * jit/JITPropertyAccess.cpp:
2976         (JSC::JIT::emit_op_put_by_val):
2977         (JSC::JIT::emit_op_put_by_val_with_this):
2978         (JSC::JIT::emitGenericContiguousPutByVal):
2979         (JSC::JIT::emit_op_get_by_id):
2980         (JSC::JIT::emit_op_get_by_id_with_this):
2981         (JSC::JIT::emit_op_get_by_val_with_this):
2982         (JSC::JIT::emitSlow_op_get_by_id):
2983         (JSC::JIT::emit_op_put_by_id):
2984         (JSC::JIT::emit_op_put_by_id_with_this):
2985         (JSC::JIT::emitSlow_op_put_by_id):
2986         * jit/JITPropertyAccess32_64.cpp:
2987         (JSC::JIT::emit_op_put_to_arguments):
2988         (JSC::JIT::emit_op_get_by_id_with_this):
2989         (JSC::JIT::emit_op_get_by_val_with_this):
2990         (JSC::JIT::emit_op_put_by_id_with_this):
2991         (JSC::JIT::emit_op_put_by_val_with_this):
2992         * llint/LowLevelInterpreter.asm:
2993         * runtime/CommonSlowPaths.cpp:
2994         (JSC::SLOW_PATH_DECL):
2995         * runtime/CommonSlowPaths.h:
2996         * tests/stress/super-property-access-exceptions.js: Added.
2997         (assert):
2998         (test):
2999         (test.fooProp):
3000         (test.A.prototype.get foo):
3001         (test.A.prototype.get x):
3002         (test.A):
3003         (test.B):
3004         (test.B.prototype.bar):
3005         (test.B.prototype.baz):
3006         (test.foo):
3007         (test.func):
3008         (test.A.prototype.set foo):
3009         * tests/stress/super-property-access-tdz.js: Added.
3010         (assert):
3011         (test):
3012         (shouldThrowTDZ):
3013         (test.A.prototype.get foo):
3014         (test.A.prototype.set foo):
3015         (test.A):
3016         (test.fooProp):
3017         (test.B):
3018         (test.C):
3019         (test.D):
3020         (test.E):
3021         (test.F):
3022         * tests/stress/super-property-access.js: Added.
3023         (assert):
3024         (test):
3025         (func):
3026         (test.A):
3027         (test.A.prototype.set value):
3028         (test.A.prototype.get value):
3029         (test.B.prototype.set value):
3030         (test.B.prototype.get value):
3031         (test.B):
3032         (test.value):
3033         (test.A.prototype.get func):
3034         (test.B.prototype.inc):
3035         (test.B.prototype.dec):
3036         (test.B.prototype.preInc):
3037         (test.B.prototype.preDec):
3038         (test.B.prototype.plusEq):
3039         (test.B.prototype.minusEq):
3040         (test.B.prototype.timesEq):
3041         (test.B.prototype.divEq):
3042         (test.B.prototype.funcDot):
3043         (test.B.prototype.funcBracket):
3044         (test.foo):
3045         (test.B.prototype.baz):
3046         (test.B.prototype.jaz):
3047         (test.B.prototype.bar):
3048         (test.B.prototype.index):
3049         (test.):
3050         (test.prototype.bar):
3051         (test.A.prototype.set foo):
3052         (test.A.prototype.get array):
3053         (test.A.prototype.get foo):
3054         (test.obj):
3055         (test.A.prototype.get call):
3056         (test.A.prototype.get apply):
3057         (test.B.prototype.foo):
3058         (test.A.prototype.get i):
3059
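Added example, not part of this ChangeLog or of the WebKit test files listed above: plain JavaScript (runs under Node) showing the `this` semantics the two entries above depend on. `super.x` and `super[x]` in a derived class must run their getter, setter or method with the derived instance as `this` (the bug in Saam Barati's entry passed the prototype instead), and reading `this` or `super.x` in a derived constructor before `super()` is a TDZ ReferenceError, which is the empty-`this` state that Joseph Pecoraro's DebuggerCallFrame entry guards against. The class and property names (`Base`, `Derived`, `who`, `tag`, `plain`) are invented for the illustration.

```javascript
// Added example (not WebKit code): ES6 `super` property access semantics.
// Names Base/Derived/who/tag/plain are invented for the illustration.

class Base {
  // A getter reached through `super.who` must see the derived instance as
  // `this`. With the bug described in the entry it saw Base.prototype
  // instead, so `this.label` would have been undefined.
  get who() { return this.label; }

  // A setter reached through `super.tag = v` must also run against the
  // derived instance, so the write lands on the instance, not the prototype.
  set tag(value) { this.storedTag = value; }

  describe(suffix) { return `${this.label}${suffix}`; }
}

class Derived extends Base {
  constructor(label, peekBeforeSuper = false) {
    let earlyError = null;
    if (peekBeforeSuper) {
      // `this` is uninitialised (an empty value inside the engine) until
      // super() runs; `super.who` needs `this` as its receiver, so it throws.
      try { super.who; } catch (error) { earlyError = error; }
    }
    super();
    this.label = label;
    this.earlyError = earlyError;
  }

  getViaSuper() { return super.who; }                        // get_by_id_with_this
  getViaSuperVal(name) { return super[name]; }               // get_by_val_with_this
  setViaSuper(value) { super.tag = value; return this.storedTag; } // put_by_id_with_this
  setViaSuperVal(name, value) {                              // put_by_val_with_this
    super[name] = value;
    // A plain property assigned through super is created on the receiver.
    return Object.prototype.hasOwnProperty.call(this, name);
  }
  callViaSuper() { return super.describe("!"); }
}

// Gathers the observable results so they can be checked in one place.
function checkSuperSemantics() {
  const d = new Derived("d");
  return {
    getterThis: d.getViaSuper(),                 // "d", not undefined
    getterThisByVal: d.getViaSuperVal("who"),    // "d"
    setterThis: d.setViaSuper("t"),              // "t"
    setterWroteToPrototype: Object.prototype.hasOwnProperty.call(Base.prototype, "storedTag"), // false
    plainPutLandsOnInstance: d.setViaSuperVal("plain", 42), // true
    prototypeUntouched: Object.prototype.hasOwnProperty.call(Base.prototype, "plain"), // false
    methodThis: d.callViaSuper(),                // "d!"
    tdzBeforeSuper: new Derived("x", true).earlyError instanceof ReferenceError, // true
  };
}
```

The `setterWroteToPrototype` and `prototypeUntouched` checks are the ones that would have flagged the original bug: with the prototype as receiver, the setter's write (and the plain `super[name] = value`) would have polluted `Base.prototype` and been visible to every instance.
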
3060 2016-05-08  Chris Dumez  <cdumez@apple.com>
3061
3062         [COCOA] Disable HAVE_DTRACE at build time
3063         https://bugs.webkit.org/show_bug.cgi?id=157433
3064         <rdar://problem/26148841>
3065
3066         Reviewed by Mark Lam.
3067
3068         Drop DTRACE-related code from JSC since it is very old and seems
3069         unused.
3070
3071         * JavaScriptCore.xcodeproj/project.pbxproj:
3072         * PlatformMac.cmake:
3073         * heap/Heap.cpp:
3074         (JSC::Heap::collectImpl): Deleted.
3075         (JSC::Heap::didFinishCollection): Deleted.
3076         * profiler/ProfileGenerator.cpp:
3077         (JSC::ProfileGenerator::willExecute): Deleted.
3078         (JSC::ProfileGenerator::didExecute): Deleted.
3079         * runtime/Tracing.d: Removed.
3080         * runtime/Tracing.h: Removed.
3081
3082 2016-05-07  Mark Lam  <mark.lam@apple.com>
3083
3084         Add JSC options bytecodeRangeToJITCompile and jitWhitelist.
3085         https://bugs.webkit.org/show_bug.cgi?id=157428
3086
3087         Reviewed by Michael Saboff.
3088
3089         1. Added Options::bytecodeRangeToJITCompile and Options::jitWhitelist options.
3090
3091         2. Moved DFGFunctionWhitelist* to FunctionWhitelist* and made it generic so that
3092            it can be used for more than one whitelist instance.  In this case, we now have
3093            two: the dfgWhitelist and the jitWhitelist.
3094
3095         3. Added "can compile" checks in LLInt::shouldJIT() to check
3096            Options::bytecodeRangeToJITCompile and Options::jitWhitelist.
3097
3098         * CMakeLists.txt:
3099         * JavaScriptCore.xcodeproj/project.pbxproj:
3100         * dfg/DFGDriver.cpp:
3101         (JSC::DFG::getNumCompilations):
3102         (JSC::DFG::ensureGlobalDFGWhitelist):
3103         (JSC::DFG::compileImpl):
3104         * dfg/DFGFunctionWhitelist.cpp: Removed.
3105         * dfg/DFGFunctionWhitelist.h: Removed.
3106
3107         * llint/LLIntSlowPaths.cpp:
3108         (JSC::LLInt::ensureGlobalJITWhitelist):
3109         (JSC::LLInt::shouldJIT):
3110
3111         * runtime/Options.h:
3112
3113         * tools/FunctionWhitelist.cpp: Copied from Source/JavaScriptCore/dfg/DFGFunctionWhitelist.cpp.
3114         (JSC::FunctionWhitelist::FunctionWhitelist):
3115         (JSC::FunctionWhitelist::contains):
3116         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): Deleted.
3117         (JSC::DFG::FunctionWhitelist::FunctionWhitelist): Deleted.
3118         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile): Deleted.
3119         (JSC::DFG::FunctionWhitelist::contains): Deleted.
3120         * tools/FunctionWhitelist.h: Copied from Source/JavaScriptCore/dfg/DFGFunctionWhitelist.h.
3121
3122 2016-05-07  Benjamin Poulain  <bpoulain@apple.com>
3123
3124         [JSC][32bit] stress/tagged-templates-template-object.js fails in debug
3125         https://bugs.webkit.org/show_bug.cgi?id=157436
3126
3127         Reviewed by Filip Pizlo.
3128
3129         * dfg/DFGSpeculativeJIT32_64.cpp:
3130         (JSC::DFG::SpeculativeJIT::compile):
3131         The node OverridesHasInstance had a speculation after a jump.
3132
3133 2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>
3134
3135         Web Inspector: Misc CommandLineAPI cleanup
3136         https://bugs.webkit.org/show_bug.cgi?id=157450
3137
3138         Reviewed by Ryosuke Niwa.
3139
3140         * inspector/InjectedScriptSource.js:
3141         (BasicCommandLineAPI):
3142         Fix mistake in r200533, and modernize related code.
3143
3144 2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>
3145
3146         Web Inspector: Improve console.count()
3147         https://bugs.webkit.org/show_bug.cgi?id=157439
3148         <rdar://problem/26152654>
3149
3150         Reviewed by Timothy Hatcher.
3151
3152           - make console.count() increment an unnamed global counter.
3153           - make console.count(label) increment a counter with that label name.
3154
3155         * inspector/agents/InspectorConsoleAgent.cpp:
3156         (Inspector::InspectorConsoleAgent::count):
3157
3158 2016-05-06  Simon Fraser  <simon.fraser@apple.com>
3159
3160         Enable IOS_TEXT_AUTOSIZING on Mac and make it testable
3161         https://bugs.webkit.org/show_bug.cgi?id=157432
3162         rdar://problem/16406720
3163
3164         Reviewed by Dean Jackson.
3165
3166         Enable IOS_TEXT_AUTOSIZING on Mac so it can be tested.
3167
3168         * Configurations/FeatureDefines.xcconfig:
3169
3170 2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>
3171
3172         Web Inspector: Console: Variables defined with let/const aren't accessible outside of console's scope
3173         https://bugs.webkit.org/show_bug.cgi?id=150752
3174         <rdar://problem/23343385>
3175
3176         Reviewed by Mark Lam.
3177
3178         This approach allows Web Inspector to hang a "Scope Extension", a
3179         WithObjectScope, off the GlobalObject. When resolving an identifier
3180         fails to find anything in the normal scope chain, consult
3181         the scope extension.
3182
3183         This allows us to eliminate the `with (commandLineAPI) { ... }`
3184         block in global console evaluations, and instead makes it a full
3185         program evaluation, with the commandLineAPI available and safely
3186         shadowed by actual variables as expected.
3187
3188         * inspector/InjectedScriptSource.js:
3189         (InjectedScript.prototype._evaluateOn):
3190         Use the new evaluateWithScopeExtension and provide the CommandLineAPI
3191         object as the scope extension object.
3192
3193         (BasicCommandLineAPI):
3194         (BasicCommandLineAPI.inScopeVariables): Deleted.
3195         Simplify now that we don't need to check for variable shadowing ourselves.
3196
3197         * inspector/JSInjectedScriptHost.cpp:
3198         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3199         * inspector/JSInjectedScriptHost.h:
3200         * inspector/JSInjectedScriptHostPrototype.cpp:
3201         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
3202         (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
3203         Provide a new InjectedScriptHost method to evaluate a program
3204         with a scope extension.
3205
3206         * runtime/Completion.cpp:
3207         (JSC::evaluateWithScopeExtension):
3208         * runtime/Completion.h:
3209         General JSC::evaluate function to evaluate a program with a scope extension.
3210
3211         * runtime/JSGlobalObject.cpp:
3212         (JSC::JSGlobalObject::setGlobalScopeExtension):
3213         (JSC::JSGlobalObject::clearGlobalScopeExtension):
3214         (JSC::JSGlobalObject::visitChildren):
3215         * runtime/JSGlobalObject.h:
3216         (JSC::JSGlobalObject::globalScopeExtension):
3217         Hang a scope extension off the global object.
3218
3219         * runtime/JSScope.cpp:
3220         (JSC::JSScope::resolve):
3221         Consult the scope extension when resolve fails to find anything normally.
3222
3223 2016-05-06  Mark Lam  <mark.lam@apple.com>
3224
3225         Add JSC options reportBaselineCompileTimes and reportDFGCompileTimes.
3226         https://bugs.webkit.org/show_bug.cgi?id=157427
3227
3228         Reviewed by Filip Pizlo and Keith Miller.
3229
3230         The compile times reporting options are now:
3231             reportCompileTimes         -> report compile times in all tiers.
3232             reportBaselineCompileTimes -> report compile times in baseline JIT.
3233             reportDFGCompileTimes      -> report compile times in DFG and FTL.
3234             reportFTLCompileTimes      -> report compile times in FTL.
3235
3236         Also updated reportTotalCompileTimes() to collect stats that include the baseline
3237         JIT.  compileTimeStats() is now moved into JIT.cpp (from DFGPlan.cpp). 
3238
3239         * dfg/DFGPlan.cpp:
3240         (JSC::DFG::Plan::reportCompileTimes):
3241         (JSC::DFG::Plan::compileInThread):
3242         (JSC::DFG::Plan::compileInThreadImpl):
3243         (JSC::DFG::Plan::cancel):
3244         (JSC::DFG::Plan::compileTimeStats): Deleted.
3245         * dfg/DFGPlan.h:
3246         (JSC::DFG::Plan::compileTimeStats): Deleted.
3247         * jit/JIT.cpp:
3248         (JSC::ctiPatchCallByReturnAddress):
3249         (JSC::JIT::privateCompile):
3250         (JSC::JIT::stackPointerOffsetFor):
3251         (JSC::JIT::reportCompileTimes):
3252         (JSC::JIT::computeCompileTimes):
3253         (JSC::JIT::compileTimeStats):
3254         * jit/JIT.h:
3255         (JSC::JIT::shouldEmitProfiling):
3256         * jsc.cpp:
3257         (runJSC):
3258         * runtime/Options.h:
3259
3260 2016-05-05  Benjamin Poulain  <bpoulain@apple.com>
3261
3262         [JSC] Get rid of NonNegZeroDouble, it is broken
3263         https://bugs.webkit.org/show_bug.cgi?id=157399
3264         rdar://problem/25339647
3265
3266         Reviewed by Mark Lam.
3267
3268         The profile "NonNegZeroDouble" is fundamentally broken.
3269
3270         It is used by DFG to predict the result of ArithMul as being a Double
3271         or Int32.
3272         The problem is you are likely to mispredict, and when you do, you are
3273         guaranteed to end up in a recompile loop.
3274
3275         The compile loops usually happen like this:
3276         -We speculate you have Int32 despite producing doubles.
3277         -We OSR exit on another node (ValueToInt32 for example) from the result of this ArithMul.
3278         -When we compile this block again, ArithMul will do the same misprediction
3279          because it unconditionally predicts Int32.
3280
3281         The flag NonNegZeroDouble was very unlikely to be set correctly
3282         in the first place.
3283
3284         In LLINT, the flag is only set on the slow path.
3285         Since double*double is on the fast path, those cases are ignored.
3286
3287         In Baseline, the flag is set for any case that falls back on double
3288         multiplication. BUT, the DFG flag was only set for nodes that spend
3289         many iterations in the slow path, which obviously does not apply to double*double.
3290
3291         Given the perf drawbacks and the recompile loops, I removed
3292         the whole flag for now.
3293
3294         * bytecode/ValueProfile.cpp:
3295         (WTF::printInternal):
3296         * bytecode/ValueProfile.h:
3297         (JSC::ResultProfile::didObserveNonInt32): Deleted.
3298         (JSC::ResultProfile::didObserveDouble): Deleted.
3299         (JSC::ResultProfile::didObserveNonNegZeroDouble): Deleted.
3300         (JSC::ResultProfile::setObservedNonNegZeroDouble): Deleted.
3301         * dfg/DFGByteCodeParser.cpp:
3302         (JSC::DFG::ByteCodeParser::makeSafe): Deleted.
3303         * dfg/DFGNode.h:
3304         (JSC::DFG::Node::mayHaveNonIntResult): Deleted.
3305         * dfg/DFGNodeFlags.cpp:
3306         (JSC::DFG::dumpNodeFlags): Deleted.
3307         * dfg/DFGNodeFlags.h:
3308         * dfg/DFGPredictionPropagationPhase.cpp:
3309         * jit/JITMulGenerator.cpp:
3310         (JSC::JITMulGenerator::generateFastPath): Deleted.
3311         * runtime/CommonSlowPaths.cpp:
3312         (JSC::updateResultProfileForBinaryArithOp): Deleted.
3313
3314 2016-05-05  Joseph Pecoraro  <pecoraro@apple.com>
3315
3316         REGRESSION(r200422): Web Inspector: Make new Array Iterator objects play nice with Web Inspector
3317         https://bugs.webkit.org/show_bug.cgi?id=157361
3318         <rdar://problem/26099793>
3319
3320         Reviewed by Timothy Hatcher.
3321
3322         * builtins/ArrayPrototype.js:
3323         (createArrayIterator):
3324         (values):
3325         (keys):
3326         (entries):
3327         * builtins/TypedArrayPrototype.js:
3328         (values):
3329         (keys):
3330         (entries):
3331         * runtime/CommonIdentifiers.h:
3332         Set the kind on the iterator object, which can be shown
3333         to the inspector if the object is shown in the console.
3334
3335         * inspector/InjectedScriptSource.js:
3336         (InjectedScript.prototype._describe):
3337         Get a better name for the new Array Iterator which is just an Object.
3338
3339         * inspector/JSInjectedScriptHost.cpp:
3340         (Inspector::JSInjectedScriptHost::subtype):
3341         (Inspector::JSInjectedScriptHost::getInternalProperties):
3342         Detect and handle ArrayIterator object instances. Porting the code
3343         from the JSArrayIterator code path.
3344
3345 2016-05-05  Benjamin Poulain  <bpoulain@apple.com>
3346
3347         [JSC] In DFG, an OSR Exit on SetLocal can trash its child node
3348         https://bugs.webkit.org/show_bug.cgi?id=157358
3349         rdar://problem/25339647