Debugger may dereference m_currentCallFrame even after the VM has gone idle
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-04-08  Saam Barati  <sbarati@apple.com>

        Debugger may dereference m_currentCallFrame even after the VM has gone idle
        https://bugs.webkit.org/show_bug.cgi?id=156413

        Reviewed by Mark Lam.

        There is a bug where the debugger may dereference its m_currentCallFrame
        pointer after that pointer becomes invalid to read from. This happens like so:

        We may step over an instruction which causes the end of execution for the
        current program. This causes the VM to exit. Then, we perform a GC which
        causes us to collect the global object. The global object being collected
        causes us to detach the debugger. In detaching, we think we still have a
        valid m_currentCallFrame, we dereference it, and crash. The solution is to
        make sure we're paused when dereferencing this pointer inside ::detach().

        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):

2016-04-08  Brian Burg  <bburg@apple.com>

        Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
        https://bugs.webkit.org/show_bug.cgi?id=156407
        <rdar://problem/25627659>

        Reviewed by Timothy Hatcher.

        There's no point having these subclasses as they don't save any space.
        Add m_stringValue to the union and merge some implementations of writeJSON.
        Move uses of the subclass to InspectorValue and delete redundant methods.
        Now, most InspectorValue methods are non-virtual so they can be templated.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        Don't use deleted subclasses.

        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::null):
        (Inspector::InspectorValue::create):
        (Inspector::InspectorValue::asValue):
        (Inspector::InspectorValue::asBoolean):
        (Inspector::InspectorValue::asDouble):
        (Inspector::InspectorValue::asInteger):
        (Inspector::InspectorValue::asString):
        These only need one implementation now.

        (Inspector::InspectorValue::writeJSON):
        Still a virtual method since Object and Array need their members.

        (Inspector::InspectorObjectBase::InspectorObjectBase):
        (Inspector::InspectorBasicValue::asBoolean): Deleted.
        (Inspector::InspectorBasicValue::asDouble): Deleted.
        (Inspector::InspectorBasicValue::asInteger): Deleted.
        (Inspector::InspectorBasicValue::writeJSON): Deleted.
        (Inspector::InspectorString::asString): Deleted.
        (Inspector::InspectorString::writeJSON): Deleted.
        (Inspector::InspectorString::create): Deleted.
        (Inspector::InspectorBasicValue::create): Deleted.

        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::setBoolean):
        (Inspector::InspectorObjectBase::setInteger):
        (Inspector::InspectorObjectBase::setDouble):
        (Inspector::InspectorObjectBase::setString):
        (Inspector::InspectorArrayBase::pushBoolean):
        (Inspector::InspectorArrayBase::pushInteger):
        (Inspector::InspectorArrayBase::pushDouble):
        (Inspector::InspectorArrayBase::pushString):
        Use new factory methods.

        * replay/EncodedValue.cpp:
        (JSC::ScalarEncodingTraits<bool>::encodeValue):
        (JSC::ScalarEncodingTraits<double>::encodeValue):
        (JSC::ScalarEncodingTraits<float>::encodeValue):
        (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
        (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
        (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
        (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
        * replay/EncodedValue.h:
        Use new factory methods.

2016-04-08  Filip Pizlo  <fpizlo@apple.com>

        Add IC support for arguments.length
        https://bugs.webkit.org/show_bug.cgi?id=156389

        Reviewed by Geoffrey Garen.

        This adds support for caching accesses to arguments.length for both DirectArguments and
        ScopedArguments. In strict mode, we already cached these accesses since they were just
        normal properties.

        Amazingly, we also already supported caching of overridden arguments.length in both
        DirectArguments and ScopedArguments. This is because when you override, the property gets
        materialized as a normal JS property and the structure is changed.

        This patch painstakingly preserves our previous caching of overridden length while
        introducing caching of non-overridden length (i.e. the common case). In fact, we even cache
        the case where it could either be overridden or not, since we just end up with an AccessCase
        for each and they cascade to each other.

        This is a >3x speed-up on microbenchmarks that do arguments.length in a polymorphic context.
        Entirely monomorphic accesses were already handled by the DFG.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessCase::guardedByStructureCheck):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generate):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        * jit/ICStats.h:
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * tests/stress/direct-arguments-override-length-then-access-normal-length.js: Added.
        (args):
        (foo):
        (result.foo):

2016-04-08  Benjamin Poulain  <bpoulain@apple.com>

        UInt32ToNumber should have an Int52 path
        https://bugs.webkit.org/show_bug.cgi?id=125704

        Reviewed by Filip Pizlo.

        When dealing with big numbers, fall back to Int52 instead
        of double when possible.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileUInt32ToNumber):

2016-04-08  Brian Burg  <bburg@apple.com>

        Web Inspector: protocol generator should emit an error when 'type' is used instead of '$ref'
        https://bugs.webkit.org/show_bug.cgi?id=156275
        <rdar://problem/25569331>

        Reviewed by Darin Adler.

        * inspector/protocol/Heap.json: Fix a mistake that's now caught by the protocol generator.

        * inspector/scripts/codegen/models.py:
        (TypeReference.__init__): Check here if type_kind is on a whitelist of primitive types.
        (TypeReference.referenced_name): Update comment.

        Add a new test specifically for the case when the type would otherwise be resolved. Rebaseline.

        * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Added.
        * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error:
        * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Added.

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Remove ENABLE(ENABLE_ES6_CLASS_SYNTAX) guards
        https://bugs.webkit.org/show_bug.cgi?id=156384

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:
        * features.json: Mark as Done.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):

2016-04-07  Filip Pizlo  <fpizlo@apple.com>

        Implementing caching transition puts that need to reallocate with indexing storage
        https://bugs.webkit.org/show_bug.cgi?id=130914

        Reviewed by Saam Barati.

        This enables the IC's put_by_id path to handle reallocating the out-of-line storage even if
        the butterfly has indexing storage. Like the DFG, we do this by calling operations that
        reallocate the butterfly. Those use JSObject API and do all of the nasty work for us, like
        triggering a barrier.

        This does a bunch of refactoring to how PolymorphicAccess makes calls. It's a lot easier to
        do it now because the hard work is hidden under AccessGenerationState methods. This means
        that custom accessors now share logic with put_by_id transitions.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::succeed):
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
        (JSC::AccessGenerationState::originalCallSiteIndex):
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::AccessCase::AccessCase):
        (JSC::AccessCase::transition):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
        (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Remote Inspector: When disallowing remote inspection on a debuggable, a listing is still sent to debuggers
        https://bugs.webkit.org/show_bug.cgi?id=156380
        <rdar://problem/25323727>

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateTarget):
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        When a target has been updated and it no longer generates a listing,
        we should remove the old listing as that is now stale and should
        not be sent. Not generating a listing means this target is no
        longer allowed to be debugged.

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Not necessary to validate webinspectord connection on iOS
        https://bugs.webkit.org/show_bug.cgi?id=156377
        <rdar://problem/25612460>

        Reviewed by Simon Fraser.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::handleEvent):

2016-04-07  Keith Miller  <keith_miller@apple.com>

        Rename ArrayMode::supportsLength to supportsSelfLength
        https://bugs.webkit.org/show_bug.cgi?id=156374

        Reviewed by Filip Pizlo.

        The name supportsLength is confusing because TypedArrays have a
        length function; however, it is on the prototype and not on the
        instance. supportsSelfLength makes more sense since we use the
        function during fixup to tell if we can intrinsic the length
        property lookup on self accesses.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::supportsSelfLength):
        (JSC::DFG::ArrayMode::supportsLength): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ProfileView source links are off by 1 line, worse in pretty printed code
        https://bugs.webkit.org/show_bug.cgi?id=156371

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        Clarify that these locations are 1-based.

2016-04-07  Jon Davis  <jond@apple.com>

        Add Web Animations API to Feature Status Page
        https://bugs.webkit.org/show_bug.cgi?id=156360

        Reviewed by Timothy Hatcher.

        * features.json:

2016-04-07  Saam Barati  <sbarati@apple.com>

        Invalid assertion inside DebuggerScope::getOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=156357

        Reviewed by Keith Miller.

        The Type Profiler might profile JS code that uses DebuggerScope and accesses properties
        on it. Therefore, it may have a DebuggerScope object in its log. Objects in the log
        are subject to having their getOwnPropertySlot method called. Therefore, the DebuggerScope
        might not always be in a valid state when its getOwnPropertySlot method is called.
        Therefore, the assertion is invalid.

        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::getOwnPropertySlot):

2016-04-07  Saam Barati  <sbarati@apple.com>

        Initial implementation of annex b.3.3 behavior was incorrect
        https://bugs.webkit.org/show_bug.cgi?id=156276

        Reviewed by Keith Miller.

        I almost got annex B.3.3 correct in my first implementation.
        There is a subtlety here I got wrong. We always create a local binding for
        a function at the very beginning of execution of a block scope. So we
        hoist function declarations to their local binding within a given
        block scope. When we actually evaluate the function declaration statement
        itself, we must look up the binding in the current scope, and bind the
        value to the binding in the "var" scope. We perform the following
        abstract operations when executing a function declaration statement.

        f = lookupBindingInCurrentScope("func")
        store(varScope, "func", f)

        I got this wrong by performing the store to the var binding at the beginning
        of the block scope instead of when we evaluate the function declaration statement.
        This behavior is observable. For example, a program could change the value
        of "func" before the actual function declaration statement executes.
        Consider the following two functions:
        ```
        function foo1() {
            // func === undefined
            {
                // typeof func === "function"
                function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
                func = 20 // This sets the local "func" binding to 20.
            }
            // typeof func === "function"
        }

        function foo2() {
            // func === undefined
            {
                // typeof func === "function"
                func = 20 // This sets the local "func" binding to 20.
                function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
            }
            // func === 20
        }
        ```

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FuncDeclNode::emitBytecode):
        * tests/stress/sloppy-mode-function-hoisting.js:
        (test.foo):
        (test):
        (test.):
        (test.bar):
        (test.switch.case.0):
        (test.capFoo1):
        (test.switch.capFoo2):
        (test.outer):
        (foo):

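The Annex B.3.3 entry above describes the observable difference between copying the block-local function into the "var" binding at block entry and copying it when the declaration statement itself executes. The following is an added example, not part of the WebKit ChangeLog or its test suite, that makes both of the entry's foo1/foo2 scenarios observable from JavaScript. The bodies are compiled with `new Function` (an assumption of this example) so that they are sloppy-mode code even if the surrounding file is strict, since Annex B.3.3 does not apply in strict mode; `observeHoisting` is a helper name chosen here.

```javascript
// Added example (not part of the WebKit ChangeLog): observe Annex B.3.3
// block-level function hoisting. Each function is built with `new Function`
// so its body is sloppy-mode code regardless of whether this file is strict;
// Annex B.3.3 semantics only exist in sloppy mode.

// Like foo1 in the entry: the declaration statement runs before the
// block-local binding is reassigned, so the var binding receives the function.
const foo1 = new Function(`
  var before = typeof func;          // var binding exists but is still undefined
  {
    var atBlockEntry = typeof func;  // block-scoped binding initialised on block entry
    function func() {}               // copies the local binding into the var binding
    func = 20;                       // only the block-scoped binding changes
  }
  return { before, atBlockEntry, after: typeof func };
`);

// Like foo2 in the entry: the block-local binding is reassigned before the
// declaration statement runs, so the value copied into the var binding is 20.
const foo2 = new Function(`
  var before = typeof func;
  {
    var atBlockEntry = typeof func;
    func = 20;                       // block-scoped binding becomes 20
    function func() {}               // copies the current local value (20) outward
  }
  return { before, atBlockEntry, after: typeof func, value: func };
`);

// Runs both scenarios and returns the observations side by side.
function observeHoisting() {
  return { foo1: foo1(), foo2: foo2() };
}
```

If the var binding were written at block entry instead of at the declaration statement (the bug the entry fixes), `foo2().after` would be `"function"` rather than `"number"`, which is exactly the behaviour a program can detect.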
360         (foo):
361
362 2016-04-07  Alex Christensen  <achristensen@webkit.org>
363
364         Build fix after r199170
365
366         * CMakeLists.txt:
367
368 2016-04-07  Keith Miller  <keith_miller@apple.com>
369
370         We should support the ability to do a non-effectful getById
371         https://bugs.webkit.org/show_bug.cgi?id=156116
372
373         Reviewed by Benjamin Poulain.
374
375         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
376         useful because it enables us to take different code paths based on values that we would
377         otherwise not be able to have knowledge of. This patch adds this new feature called
378         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
379         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
380         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
381         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
382         is null. In theory, if we ever wanted to check for null we could add a sentinal object to
383         the global object that indicates we could not get the result.
384
385         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
386         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
387         get_by_id the same way we would for load and return the value at the appropriate offset.
388         Additionally, in order to make sure the we can properly compare the GetterSetter object
389         with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
390         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
391         likely to have little to no impact on memory usage as normal accessors are generally rare.
392
393         * JavaScriptCore.xcodeproj/project.pbxproj:
394         * builtins/BuiltinExecutableCreator.cpp: Added.
395         (JSC::createBuiltinExecutable):
396         * builtins/BuiltinExecutableCreator.h: Copied from Source/JavaScriptCore/builtins/BuiltinExecutables.h.
397         * builtins/BuiltinExecutables.cpp:
398         (JSC::BuiltinExecutables::createDefaultConstructor):
399         (JSC::BuiltinExecutables::createBuiltinExecutable):
400         (JSC::createBuiltinExecutable):
401         (JSC::BuiltinExecutables::createExecutable):
402         (JSC::createExecutableInternal): Deleted.
403         * builtins/BuiltinExecutables.h:
404         * bytecode/BytecodeIntrinsicRegistry.h:
405         * bytecode/BytecodeList.json:
406         * bytecode/BytecodeUseDef.h:
407         (JSC::computeUsesForBytecodeOffset):
408         (JSC::computeDefsForBytecodeOffset):
409         * bytecode/CodeBlock.cpp:
410         (JSC::CodeBlock::dumpBytecode):
411         * bytecode/PolymorphicAccess.cpp:
412         (JSC::AccessCase::tryGet):
413         (JSC::AccessCase::generate):
414         (WTF::printInternal):
415         * bytecode/PolymorphicAccess.h:
416         (JSC::AccessCase::isGet): Deleted.
417         (JSC::AccessCase::isPut): Deleted.
418         (JSC::AccessCase::isIn): Deleted.
419         * bytecode/StructureStubInfo.cpp:
420         (JSC::StructureStubInfo::reset):
421         * bytecode/StructureStubInfo.h:
422         * bytecompiler/BytecodeGenerator.cpp:
423         (JSC::BytecodeGenerator::emitTryGetById):
424         * bytecompiler/BytecodeGenerator.h:
425         * bytecompiler/NodesCodegen.cpp:
426         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
427         * dfg/DFGSpeculativeJIT32_64.cpp:
428         (JSC::DFG::SpeculativeJIT::cachedGetById):
429         * dfg/DFGSpeculativeJIT64.cpp:
430         (JSC::DFG::SpeculativeJIT::cachedGetById):
431         * ftl/FTLLowerDFGToB3.cpp:
432         (JSC::FTL::DFG::LowerDFGToB3::getById):
433         * jit/JIT.cpp:
434         (JSC::JIT::privateCompileMainPass):
435         (JSC::JIT::privateCompileSlowCases):
436         * jit/JIT.h:
437         * jit/JITInlineCacheGenerator.cpp:
438         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
439         * jit/JITInlineCacheGenerator.h:
440         * jit/JITInlines.h:
441         (JSC::JIT::callOperation):
442         * jit/JITOperations.cpp:
443         * jit/JITOperations.h:
444         * jit/JITPropertyAccess.cpp:
445         (JSC::JIT::emitGetByValWithCachedId):
446         (JSC::JIT::emit_op_try_get_by_id):
447         (JSC::JIT::emitSlow_op_try_get_by_id):
448         (JSC::JIT::emit_op_get_by_id):
449         * jit/JITPropertyAccess32_64.cpp:
450         (JSC::JIT::emitGetByValWithCachedId):
451         (JSC::JIT::emit_op_try_get_by_id):
452         (JSC::JIT::emitSlow_op_try_get_by_id):
453         (JSC::JIT::emit_op_get_by_id):
454         * jit/Repatch.cpp:
455         (JSC::repatchByIdSelfAccess):
456         (JSC::appropriateOptimizingGetByIdFunction):
457         (JSC::appropriateGenericGetByIdFunction):
458         (JSC::tryCacheGetByID):
459         (JSC::repatchGetByID):
460         (JSC::resetGetByID):
461         * jit/Repatch.h:
462         * jsc.cpp:
463         (GlobalObject::finishCreation):
464         (functionGetGetterSetter):
465         (functionCreateBuiltin):
466         * llint/LLIntData.cpp:
467         (JSC::LLInt::Data::performAssertions):
468         * llint/LLIntSlowPaths.cpp:
469         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
470         * llint/LLIntSlowPaths.h:
471         * llint/LowLevelInterpreter.asm:
472         * runtime/GetterSetter.cpp:
473         * runtime/GetterSetter.h:
474         * runtime/JSType.h:
475         * runtime/PropertySlot.cpp:
476         (JSC::PropertySlot::getPureResult):
477         * runtime/PropertySlot.h:
478         * runtime/ProxyObject.cpp:
479         (JSC::ProxyObject::getOwnPropertySlotCommon):
480         * tests/stress/try-get-by-id.js: Added.
481         (tryGetByIdText):
482         (getCaller.obj.1.throw.new.Error.let.func):
483         (getCaller.obj.1.throw.new.Error):
484         (throw.new.Error.get let):
485         (throw.new.Error.):
486         (throw.new.Error.let.get createBuiltin):
487         (get let):
488         (let.get createBuiltin):
489         (let.func):
490         (get let.func):
491         (get throw):
492
493 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
494
495         Rationalize the makeSpaceForCCall stuff
496         https://bugs.webkit.org/show_bug.cgi?id=156352
497
498         Reviewed by Mark Lam.
499
500         I want to add more code to PolymorphicAccess that makes C calls, so that I can finally fix
501         https://bugs.webkit.org/show_bug.cgi?id=130914 (allow transition caches to handle indexing
502         headers).
503
504         When trying to understand what it takes to make a C call, I came across code that was making
505         room on the stack for spilled arguments. This logic was guarded with some complicated
506         condition. At first, I tried to just refactor the code so that the same ugly condition
507         wouldn't have to be copy-pasted everywhere that we made C calls. But then I started thinking
508         about the condition, and realized that it was probably wrong: if the outer PolymorphicAccess
509         harness decides to reuse a register for the scratchGPR then the top of the stack will store
510         the old value of scratchGPR, but the condition wouldn't necessarily trigger. So if the call
511         then overwrote something on the stack, we'd have a bad time.
512
513         Making room on the stack for a call is a cheap operation. It's orders of magnitude cheaper
514         than the rest of the call. Therefore, I think that it's best to just unconditionally make
515         room on the stack.
516
517         This patch makes us do just that. I also made the relevant helpers not inline, because I
518         think that we have too many inline methods in our assemblers. Now it's much easier to make
519         C calls from PolymorphicAccess because you just call the AssemblyHelper methods for making
520         space. There are no special conditions or anything like that.
521
522         * bytecode/PolymorphicAccess.cpp:
523         (JSC::AccessCase::generate):
524         * jit/AssemblyHelpers.cpp:
525         (JSC::AssemblyHelpers::emitLoadStructure):
526         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
527         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
528         (JSC::emitRandomThunkImpl):
529         * jit/AssemblyHelpers.h:
530         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall): Deleted.
531         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall): Deleted.
532
533 2016-04-07  Commit Queue  <commit-queue@webkit.org>
534
535         Unreviewed, rolling out r199128 and r199141.
536         https://bugs.webkit.org/show_bug.cgi?id=156348
537
538         Causes crashes on multiple webpages (Requested by keith_mi_ on
539         #webkit).
540
541         Reverted changesets:
542
543         "[ES6] Add support for Symbol.isConcatSpreadable."
544         https://bugs.webkit.org/show_bug.cgi?id=155351
545         http://trac.webkit.org/changeset/199128
546
547         "Unreviewed, uncomment accidentally commented line in test."
548         http://trac.webkit.org/changeset/199141
549
550 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
551
552         Rationalize the handling of PutById transitions a bit
553         https://bugs.webkit.org/show_bug.cgi?id=156330
554
555         Reviewed by Mark Lam.
556
557         * bytecode/PolymorphicAccess.cpp:
558         (JSC::AccessCase::generate): Get rid of the specialized slow calls. We can just use the failAndIgnore jump target. We just need to make sure that we don't make observable effects until we're done with all of the fast path checks.
559         * bytecode/StructureStubInfo.cpp:
560         (JSC::StructureStubInfo::addAccessCase): MadeNoChanges indicates that we should keep trying to repatch. Currently PutById transitions might trigger the case that addAccessCase() sees null, if the transition involves an indexing header. Doing repatching in that case is probably not good. But, we should just fix this the right way eventually.
561
562 2016-04-07  Per Arne Vollan  <peavo@outlook.com>
563
564         [Win] Fix for JSC stress test failures.
565         https://bugs.webkit.org/show_bug.cgi?id=156343
566
567         Reviewed by Filip Pizlo.
568
569         We need to make it clear to MSVC that the method loadPtr(ImplicitAddress address, RegisterID dest)
570         should be used, and not loadPtr(const void* address, RegisterID dest).
571
572         * jit/CCallHelpers.cpp:
573         (JSC::CCallHelpers::setupShadowChickenPacket):
574
575 2016-04-06  Benjamin Poulain  <bpoulain@apple.com>
576
577         [JSC] UInt32ToNumber should be NodeMustGenerate
578         https://bugs.webkit.org/show_bug.cgi?id=156329
579
580         Reviewed by Filip Pizlo.
581
582         It exits on negative numbers on the integer path.
583
584         * dfg/DFGFixupPhase.cpp:
585         (JSC::DFG::FixupPhase::fixupNode):
586         * dfg/DFGNodeType.h:
587
588 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
589
590         Unreviewed, rolling out r199016.
591         https://bugs.webkit.org/show_bug.cgi?id=156140
592
593         "Perf bots are down, so I can't re-land this right now."
594
595         Reverted changeset:
596
597         CopiedBlock should be 16kB
598         https://bugs.webkit.org/show_bug.cgi?id=156168
599         http://trac.webkit.org/changeset/199016
600
601 2016-04-06  Mark Lam  <mark.lam@apple.com>
602
603         String.prototype.match() should be calling internal function RegExpCreate.
604         https://bugs.webkit.org/show_bug.cgi?id=156318
605
606         Reviewed by Filip Pizlo.
607
608         RegExpCreate is not the same as the RegExp constructor.  The current implementation
609         invokes new @RegExp which calls the constructor.  This results in failures in
610         es6/Proxy_internal_get_calls_String.prototype.match.js, and
611         es6/Proxy_internal_get_calls_String.prototype.search.js due to observable side
612         effects.
613
614         This patch fixes this by factoring out the part of the RegExp constructor that
615         makes the RegExpCreate function, and changing String's match and search to call
616         RegExpCreate instead in accordance with the ES6 spec. 
617
618         * builtins/StringPrototype.js:
619         (match):
620         (search):
621         * runtime/CommonIdentifiers.h:
622         * runtime/JSGlobalObject.cpp:
623         (JSC::JSGlobalObject::init):
624         * runtime/RegExpConstructor.cpp:
625         (JSC::toFlags):
626         (JSC::regExpCreate):
627         (JSC::constructRegExp):
628         (JSC::esSpecRegExpCreate):
629         (JSC::constructWithRegExpConstructor):
630         * runtime/RegExpConstructor.h:
631         (JSC::isRegExp):
632
633 2016-04-06  Keith Miller  <keith_miller@apple.com>
634
635         Unreviewed, uncomment accidentally commented line in test.
636
637         * tests/stress/array-concat-spread-object.js:
638
639 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
640
641         JSC should have a simple way of gathering IC statistics
642         https://bugs.webkit.org/show_bug.cgi?id=156317
643
644         Reviewed by Benjamin Poulain.
645
646         This adds a cheap, runtime-enabled way of gathering statistics about why we take the slow
647         paths for inline caches. This is complementary to our existing bytecode profiler. Eventually
648         we may want to combine the two things.
649         
650         This is not a slow-down on anything because we only do extra work on IC slow paths and if
651         it's disabled it's just a load-and-branch to skip the stats gathering code.
652
653         * CMakeLists.txt:
654         * JavaScriptCore.xcodeproj/project.pbxproj:
655         * jit/ICStats.cpp: Added.
656         * jit/ICStats.h: Added.
657         * jit/JITOperations.cpp:
658         * runtime/JSCJSValue.h:
659         * runtime/JSCJSValueInlines.h:
660         (JSC::JSValue::inherits):
661         (JSC::JSValue::classInfoOrNull):
662         (JSC::JSValue::toThis):
663         * runtime/Options.h:
664
665 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
666
667         32-bit JSC stress/multi-put-by-offset-multiple-transitions.js failing
668         https://bugs.webkit.org/show_bug.cgi?id=156292
669
670         Reviewed by Benjamin Poulain.
671
672         Make sure that we stash the callsite index before calling operationReallocateStorageAndFinishPut.
673
674         * bytecode/PolymorphicAccess.cpp:
675         (JSC::AccessCase::generate):
676
677 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
678
679         JSC test stress/arrowfunction-lexical-bind-superproperty.js failing
680         https://bugs.webkit.org/show_bug.cgi?id=156309
681
682         Reviewed by Saam Barati.
683
684         Just be honest about the fact that the ArgumentCount and Callee parts of inline callframe runtime
685         meta-data can be read at any time.
686         
687         We only have to say this for the inline callframe forms of ArgumentCount and Callee because we don't
688         sink any part of the machine prologue. This change just prevents us from sinking the pseudoprologue
689         of inlined varargs or closure calls.
690
691         Shockingly, this is not a regression on anything.
692
693         * dfg/DFGClobberize.h:
694         (JSC::DFG::clobberize):
695
696 2016-03-29  Keith Miller  <keith_miller@apple.com>
697
698         [ES6] Add support for Symbol.isConcatSpreadable.
699         https://bugs.webkit.org/show_bug.cgi?id=155351
700
701         Reviewed by Saam Barati.
702
703         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
704         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
705         a builtin performant. First, four new DFG intrinsics were added.
706
707         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
708            the Array.isArray function.
709         2) IsJSArray: checks the first child is a JSArray object.
710         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
711         4) CallObjectConstructor: an intrinsic of the Object constructor.
712
713         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
714         we are able to prove that the first child is an Array or for ToObject an Object.
715
716         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
717         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
718         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
719         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
720         into a contiguous array).
721
722         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
723         values onto the result array. This works roughly the same as the two array fast path using the same methodology
724         to decide if we can memcpy the other butterfly into the result butterfly.
725
726         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
727         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
728         dataLog function on it.
729
730         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
731         JSValueOperand if the operand's use count is one.
732
733         * JavaScriptCore.xcodeproj/project.pbxproj:
734         * builtins/ArrayPrototype.js:
735         (concatSlowPath):
736         (concat):
737         * bytecode/BytecodeIntrinsicRegistry.cpp:
738         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
739         * bytecode/BytecodeIntrinsicRegistry.h:
740         * dfg/DFGAbstractInterpreterInlines.h:
741         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
742         * dfg/DFGByteCodeParser.cpp:
743         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
744         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
745         * dfg/DFGClobberize.h:
746         (JSC::DFG::clobberize):
747         * dfg/DFGDoesGC.cpp:
748         (JSC::DFG::doesGC):
749         * dfg/DFGFixupPhase.cpp:
750         (JSC::DFG::FixupPhase::fixupNode):
751         * dfg/DFGNodeType.h:
752         * dfg/DFGOperations.cpp:
753         * dfg/DFGOperations.h:
754         * dfg/DFGPredictionPropagationPhase.cpp:
755         (JSC::DFG::PredictionPropagationPhase::propagate):
756         * dfg/DFGSafeToExecute.h:
757         (JSC::DFG::safeToExecute):
758         * dfg/DFGSpeculativeJIT.cpp:
759         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
760         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
761         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
762         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
763         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
764         * dfg/DFGSpeculativeJIT.h:
765         (JSC::DFG::SpeculativeJIT::callOperation):
766         * dfg/DFGSpeculativeJIT32_64.cpp:
767         (JSC::DFG::SpeculativeJIT::compile):
768         * dfg/DFGSpeculativeJIT64.cpp:
769         (JSC::DFG::SpeculativeJIT::compile):
770         * ftl/FTLCapabilities.cpp:
771         (JSC::FTL::canCompile):
772         * ftl/FTLLowerDFGToB3.cpp:
773         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
774         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
775         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
776         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
777         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
778         (JSC::FTL::DFG::LowerDFGToB3::isArray):
779         * jit/JITOperations.h:
780         * jsc.cpp:
781         (WTF::RuntimeArray::createStructure):
782         (GlobalObject::finishCreation):
783         (functionDebug):
784         (functionDataLogValue):
785         * runtime/ArrayConstructor.cpp:
786         (JSC::ArrayConstructor::finishCreation):
787         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
788         * runtime/ArrayConstructor.h:
789         (JSC::isArrayConstructor):
790         * runtime/ArrayPrototype.cpp:
791         (JSC::ArrayPrototype::finishCreation):
792         (JSC::arrayProtoPrivateFuncIsJSArray):
793         (JSC::moveElements):
794         (JSC::arrayProtoPrivateFuncConcatMemcpy):
795         (JSC::arrayProtoPrivateFuncAppendMemcpy):
796         (JSC::arrayProtoFuncConcat): Deleted.
797         * runtime/ArrayPrototype.h:
798         (JSC::ArrayPrototype::createStructure):
799         * runtime/CommonIdentifiers.h:
800         * runtime/Intrinsic.h:
801         * runtime/JSArray.cpp:
802         (JSC::JSArray::appendMemcpy):
803         (JSC::JSArray::fastConcatWith): Deleted.
804         * runtime/JSArray.h:
805         (JSC::JSArray::createStructure):
806         (JSC::JSArray::fastConcatType): Deleted.
807         * runtime/JSArrayInlines.h: Added.
808         (JSC::JSArray::memCopyWithIndexingType):
809         (JSC::JSArray::canFastCopy):
810         * runtime/JSGlobalObject.cpp:
811         (JSC::JSGlobalObject::init):
812         * runtime/JSType.h:
813         * runtime/ObjectConstructor.h:
814         (JSC::constructObject):
815         * tests/es6.yaml:
816         * tests/stress/array-concat-spread-object.js: Added.
817         (arrayEq):
818         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
819         (arrayEq):
820         * tests/stress/array-concat-spread-proxy.js: Added.
821         (arrayEq):
822         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
823         (arrayEq):
824         * tests/stress/array-species-config-array-constructor.js:
825
826 2016-04-06  Commit Queue  <commit-queue@webkit.org>
827
828         Unreviewed, rolling out r199070.
829         https://bugs.webkit.org/show_bug.cgi?id=156324
830
831         "It didn't fix the timeout" (Requested by saamyjoon on
832         #webkit).
833
834         Reverted changeset:
835
836         "jsc-layout-tests.yaml/js/script-tests/regress-141098.js
837         failing on Yosemite Debug after r198989"
838         https://bugs.webkit.org/show_bug.cgi?id=156187
839         http://trac.webkit.org/changeset/199070
840
841 2016-04-06  Geoffrey Garen  <ggaren@apple.com>
842
843         Unreviewed, rolling in r199016.
844         https://bugs.webkit.org/show_bug.cgi?id=156140
845
846         It might work this time without regression because 16kB aligned requests
847         now take the allocation fast path.
848
849         Restored changeset:
850
851         CopiedBlock should be 16kB
852         https://bugs.webkit.org/show_bug.cgi?id=156168
853         http://trac.webkit.org/changeset/199016
854
855 2016-04-06  Mark Lam  <mark.lam@apple.com>
856
857         Update es6.yaml to expect es6/Proxy_internal_get_calls_RegExp_constructor.js to pass.
858         https://bugs.webkit.org/show_bug.cgi?id=156314
859
860         Reviewed by Saam Barati.
861
862         * tests/es6.yaml:
863
864 2016-04-06  Commit Queue  <commit-queue@webkit.org>
865
866         Unreviewed, rolling out r199104.
867         https://bugs.webkit.org/show_bug.cgi?id=156301
868
869         Still breaks internal builds (Requested by keith_miller on
870         #webkit).
871
872         Reverted changeset:
873
874         "We should support the ability to do a non-effectful getById"
875         https://bugs.webkit.org/show_bug.cgi?id=156116
876         http://trac.webkit.org/changeset/199104
877
878 2016-04-06  Keith Miller  <keith_miller@apple.com>
879
880         RegExp constructor should use Symbol.match and other properties
881         https://bugs.webkit.org/show_bug.cgi?id=155873
882
883         Reviewed by Michael Saboff.
884
885         This patch updates the behavior of the RegExp constructor. Now the constructor
886         should get the Symbol.match property and check if it exists to decide if something
887         should be constructed like a regexp object.
888
889         * runtime/RegExpConstructor.cpp:
890         (JSC::toFlags):
891         (JSC::constructRegExp):
892         (JSC::constructWithRegExpConstructor):
893         (JSC::callRegExpConstructor):
894         * runtime/RegExpConstructor.h:
895         * tests/stress/regexp-constructor.js: Added.
896         (assert):
897         (throw.new.Error.get let):
898         (throw.new.Error.):
899         (throw.new.Error.get re):
900
901 2016-04-06  Keith Miller  <keith_miller@apple.com>
902
903         We should support the ability to do a non-effectful getById
904         https://bugs.webkit.org/show_bug.cgi?id=156116
905
906         Reviewed by Benjamin Poulain.
907
908         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
909         useful because it enables us to take different code paths based on values that we would
910         otherwise not be able to have knowledge of. This patch adds this new feature called
911         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
912         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
913         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
914         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
915         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
916         the global object that indicates we could not get the result.
917
918         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
919         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
920         get_by_id the same way we would for load and return the value at the appropriate offset.
921         Additionally, in order to make sure that we can properly compare the GetterSetter object
922         with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
923         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
924         likely to have little to no impact on memory usage as normal accessors are generally rare.
925
926         * builtins/BuiltinExecutables.cpp:
927         (JSC::BuiltinExecutables::createDefaultConstructor):
928         (JSC::BuiltinExecutables::createBuiltinExecutable):
929         (JSC::createBuiltinExecutable):
930         (JSC::BuiltinExecutables::createExecutable):
931         (JSC::createExecutableInternal): Deleted.
932         * builtins/BuiltinExecutables.h:
933         * bytecode/BytecodeIntrinsicRegistry.h:
934         * bytecode/BytecodeList.json:
935         * bytecode/BytecodeUseDef.h:
936         (JSC::computeUsesForBytecodeOffset):
937         (JSC::computeDefsForBytecodeOffset):
938         * bytecode/CodeBlock.cpp:
939         (JSC::CodeBlock::dumpBytecode):
940         * bytecode/PolymorphicAccess.cpp:
941         (JSC::AccessCase::tryGet):
942         (JSC::AccessCase::generate):
943         (WTF::printInternal):
944         * bytecode/PolymorphicAccess.h:
945         (JSC::AccessCase::isGet): Deleted.
946         (JSC::AccessCase::isPut): Deleted.
947         (JSC::AccessCase::isIn): Deleted.
948         * bytecode/StructureStubInfo.cpp:
949         (JSC::StructureStubInfo::reset):
950         * bytecode/StructureStubInfo.h:
951         * bytecompiler/BytecodeGenerator.cpp:
952         (JSC::BytecodeGenerator::emitTryGetById):
953         * bytecompiler/BytecodeGenerator.h:
954         * bytecompiler/NodesCodegen.cpp:
955         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
956         * dfg/DFGSpeculativeJIT32_64.cpp:
957         (JSC::DFG::SpeculativeJIT::cachedGetById):
958         * dfg/DFGSpeculativeJIT64.cpp:
959         (JSC::DFG::SpeculativeJIT::cachedGetById):
960         * ftl/FTLLowerDFGToB3.cpp:
961         (JSC::FTL::DFG::LowerDFGToB3::getById):
962         * jit/JIT.cpp:
963         (JSC::JIT::privateCompileMainPass):
964         (JSC::JIT::privateCompileSlowCases):
965         * jit/JIT.h:
966         * jit/JITInlineCacheGenerator.cpp:
967         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
968         * jit/JITInlineCacheGenerator.h:
969         * jit/JITInlines.h:
970         (JSC::JIT::callOperation):
971         * jit/JITOperations.cpp:
972         * jit/JITOperations.h:
973         * jit/JITPropertyAccess.cpp:
974         (JSC::JIT::emitGetByValWithCachedId):
975         (JSC::JIT::emit_op_try_get_by_id):
976         (JSC::JIT::emitSlow_op_try_get_by_id):
977         (JSC::JIT::emit_op_get_by_id):
978         * jit/JITPropertyAccess32_64.cpp:
979         (JSC::JIT::emitGetByValWithCachedId):
980         (JSC::JIT::emit_op_try_get_by_id):
981         (JSC::JIT::emitSlow_op_try_get_by_id):
982         (JSC::JIT::emit_op_get_by_id):
983         * jit/Repatch.cpp:
984         (JSC::repatchByIdSelfAccess):
985         (JSC::appropriateOptimizingGetByIdFunction):
986         (JSC::appropriateGenericGetByIdFunction):
987         (JSC::tryCacheGetByID):
988         (JSC::repatchGetByID):
989         (JSC::resetGetByID):
990         * jit/Repatch.h:
991         * jsc.cpp:
992         (GlobalObject::finishCreation):
993         (functionGetGetterSetter):
994         (functionCreateBuiltin):
995         * llint/LLIntData.cpp:
996         (JSC::LLInt::Data::performAssertions):
997         * llint/LLIntSlowPaths.cpp:
998         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
999         * llint/LLIntSlowPaths.h:
1000         * llint/LowLevelInterpreter.asm:
1001         * runtime/GetterSetter.cpp:
1002         * runtime/GetterSetter.h:
1003         * runtime/JSType.h:
1004         * runtime/PropertySlot.cpp:
1005         (JSC::PropertySlot::getPureResult):
1006         * runtime/PropertySlot.h:
1007         * runtime/ProxyObject.cpp:
1008         (JSC::ProxyObject::getOwnPropertySlotCommon):
1009         * tests/stress/try-get-by-id.js: Added.
1010         (tryGetByIdText):
1011         (getCaller.obj.1.throw.new.Error.let.func):
1012         (getCaller.obj.1.throw.new.Error):
1013         (throw.new.Error.get let):
1014         (throw.new.Error.):
1015         (throw.new.Error.let.get createBuiltin):
1016         (get let):
1017         (let.get createBuiltin):
1018         (let.func):
1019         (get let.func):
1020         (get throw):
1021
1022 2016-04-05  Chris Dumez  <cdumez@apple.com>
1023
1024         Add support for [EnabledAtRuntime] operations on DOMWindow
1025         https://bugs.webkit.org/show_bug.cgi?id=156272
1026
1027         Reviewed by Alex Christensen.
1028
1029         Add identifier for 'fetch' so it can be used from the generated
1030         bindings.
1031
1032         * runtime/CommonIdentifiers.h:
1033
1034 2016-04-05  Alex Christensen  <achristensen@webkit.org>
1035
1036         Make CMake-generated binaries on Mac able to run
1037         https://bugs.webkit.org/show_bug.cgi?id=156268
1038
1039         Reviewed by Daniel Bates.
1040
1041         * CMakeLists.txt:
1042
1043 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1044
1045         Improve some other cases of context-sensitive inlining
1046         https://bugs.webkit.org/show_bug.cgi?id=156277
1047
1048         Reviewed by Benjamin Poulain.
1049         
1050         This implements some improvements for inlining:
1051
1052         - We no longer do guarded inlining when the profiling doesn't come from a stub. Doing so would have
1053           been risky, and according to benchmarks, it wasn't common enough to matter. I think it's better to
1054           err on the side of not inlining.
1055         
1056         - The jneq_ptr pattern for variadic calls no longer breaks the basic block. Not breaking the block
1057           increases the chances of the parser seeing the callee constant. While inlining doesn't require a
1058           callee constant, sometimes it makes a difference. Note that we were previously breaking the block
1059           for no reason at all: if the boundary after jneq_ptr is a jump target from some other jump, then
1060           the parser will automatically break the block for us. There is no reason to add any block breaking
1061           ourselves since we implement jneq_ptr by ignoring the affirmative jump destination and inserting a
1062           check and falling through.
1063         
1064         - get_by_id handling now tries to apply some common sense to its status object. In particular, if
1065           the source is a NewObject and there was no interfering operation that could clobber the structure,
1066           then we know which case of a polymorphic GetByIdStatus we would take. This arises in some
1067           constructor patterns.
1068         
1069         Long term, we should address all of these cases comprehensively by having a late inliner. The inliner
1070         being part of the bytecode parser means that there is a lot of complexity in the parser and it
1071         prevents us from inlining upon learning new information from static analysis. But for now, I think
1072         it's fine to experiment with one-off hacks, if only to learn what the possibilities are.
1073         
1074         This is a 14% speed-up on Octane/raytrace.
1075
1076         * bytecode/CallLinkStatus.cpp:
1077         (JSC::CallLinkStatus::dump):
1078         * bytecode/CallLinkStatus.h:
1079         (JSC::CallLinkStatus::couldTakeSlowPath):
1080         (JSC::CallLinkStatus::setCouldTakeSlowPath):
1081         (JSC::CallLinkStatus::variants):
1082         (JSC::CallLinkStatus::size):
1083         (JSC::CallLinkStatus::at):
1084         * bytecode/GetByIdStatus.cpp:
1085         (JSC::GetByIdStatus::makesCalls):
1086         (JSC::GetByIdStatus::filter):
1087         (JSC::GetByIdStatus::dump):
1088         * bytecode/GetByIdStatus.h:
1089         (JSC::GetByIdStatus::wasSeenInJIT):
1090         * dfg/DFGByteCodeParser.cpp:
1091         (JSC::DFG::ByteCodeParser::handleCall):
1092         (JSC::DFG::ByteCodeParser::refineStatically):
1093         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1094         (JSC::DFG::ByteCodeParser::handleInlining):
1095         (JSC::DFG::ByteCodeParser::handleGetById):
1096         (JSC::DFG::ByteCodeParser::parseBlock):
1097         * runtime/Options.h:
1098
1099 2016-04-05  Saam barati  <sbarati@apple.com>
1100
1101         JSC SamplingProfiler: Use a thread + sleep loop instead of WTF::WorkQueue for taking samples
1102         https://bugs.webkit.org/show_bug.cgi?id=154017
1103
1104         Reviewed by Geoffrey Garen.
1105
1106         By moving to an explicitly created separate thread + sample-then-sleep
1107         loop, we can remove a lot of the crufty code around WorkQueue.
1108         We're also getting sample rates that are much closer to what we're
1109         asking the OS for. When the sampling handler was built off of WorkQueue,
1110         we'd often get sample rates much higher than the 1ms we asked for. On Kraken,
1111         we would average about 1.7ms sample rates, even though we'd ask for a 1ms rate.
1112         Now, on Kraken, we're getting about 1.2ms rates. Because we're getting
1113         higher rates, this patch is a performance regression. It's slower because
1114         we're sampling more frequently.
1115
1116         Before this patch, the sampling profiler had the following overhead:
1117         - 10% on Kraken
1118         - 12% on Octane
1119         - 15% on AsmBench
1120
1121         With this patch, the sampling profiler has the following overhead:
1122         - 16% on Kraken
1123         - 17% on Octane
1124         - 30% on AsmBench
1125
1126         Comparatively, this new patch has the following overhead over the old sampling profiler:
1127         - 5% on Kraken
1128         - 3.5% on Octane
1129         - 13% slower on AsmBench
1130
1131         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1132         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1133         * runtime/SamplingProfiler.cpp:
1134         (JSC::SamplingProfiler::SamplingProfiler):
1135         (JSC::SamplingProfiler::~SamplingProfiler):
1136         (JSC::SamplingProfiler::createThreadIfNecessary):
1137         (JSC::SamplingProfiler::timerLoop):
1138         (JSC::SamplingProfiler::takeSample):
1139         (JSC::tryGetBytecodeIndex):
1140         (JSC::SamplingProfiler::shutdown):
1141         (JSC::SamplingProfiler::start):
1142         (JSC::SamplingProfiler::pause):
1143         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1144         (JSC::SamplingProfiler::noticeJSLockAcquisition):
1145         (JSC::SamplingProfiler::noticeVMEntry):
1146         (JSC::SamplingProfiler::clearData):
1147         (JSC::SamplingProfiler::stop): Deleted.
1148         (JSC::SamplingProfiler::dispatchIfNecessary): Deleted.
1149         (JSC::SamplingProfiler::dispatchFunction): Deleted.
1150         * runtime/SamplingProfiler.h:
1151         (JSC::SamplingProfiler::setTimingInterval):
1152         (JSC::SamplingProfiler::setStopWatch):
1153         * runtime/VM.cpp:
1154         (JSC::VM::VM):
1155
1156 2016-04-05  Commit Queue  <commit-queue@webkit.org>
1157
1158         Unreviewed, rolling out r199073.
1159         https://bugs.webkit.org/show_bug.cgi?id=156261
1160
1161         This change broke internal Mac builds (Requested by ryanhaddad
1162         on #webkit).
1163
1164         Reverted changeset:
1165
1166         "We should support the ability to do a non-effectful getById"
1167         https://bugs.webkit.org/show_bug.cgi?id=156116
1168         http://trac.webkit.org/changeset/199073
1169
1170 2016-04-05  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1171
1172         [Fetch API] Add a runtime flag to fetch API and related constructs
1173         https://bugs.webkit.org/show_bug.cgi?id=156113
1174  
1175         Reviewed by Alex Christensen.
1176
1177         Add a fetch API runtime flag based on preferences.
1178         Disable fetch API by default.
1179  
1180         * runtime/CommonIdentifiers.h:
1181
1182 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1183
1184         Unreviewed, fix cloop some more.
1185
1186         * runtime/RegExpInlines.h:
1187         (JSC::RegExp::hasCodeFor):
1188         (JSC::RegExp::hasMatchOnlyCodeFor):
1189
1190 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1191
1192         Unreviewed, fix cloop.
1193
1194         * jit/CCallHelpers.cpp:
1195
1196 2016-03-18  Filip Pizlo  <fpizlo@apple.com>
1197
1198         JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames
1199         https://bugs.webkit.org/show_bug.cgi?id=155598
1200
1201         Reviewed by Saam Barati.
1202         
1203         JSC is the first JSVM to have proper tail calls. This means that error.stack and the
1204         debugger will appear to "delete" strict mode stack frames, if the call that this frame made
1205         was in tail position. This is exactly what functional programmers expect - they don't want
1206         the VM to waste resources on tail-deleted frames to ensure that it's legal to loop forever
1207         using tail calls. It's also something that non-functional programmers fear. It's not clear
1208         that tail-deleted frames would actually degrade the debugging experience, but the fear is
1209         real, so it's worthwhile to do something about it.
1210
1211         It turns out that there is at least one tail call implementation that doesn't suffer from
1212         this problem. It implements proper tail calls in the sense that you won't run out of memory
1213         by tail-looping. It also has the power to show you tail-deleted frames in a backtrace, so
1214         long as you haven't yet run out of memory. It's called CHICKEN Scheme, and it's one of my
1215         favorite hacks:
1216         
1217         http://www.more-magic.net/posts/internals-gc.html
1218
1219         CHICKEN does many awesome things. The intuition from CHICKEN that we use here is a simple
1220         one: what if a tail call still kept the tail-deleted frame, and the GC actually deleted that
1221         frame only once we proved that there was insufficient memory to keep it around.
1222         
1223         CHICKEN does this by reshaping the C stack with longjmp/setjmp. We can't do that because we
1224         can have arbitrary native code, and that native code does not have relocatable stack frames.
1225         
1226         But we can do something almost like CHICKEN on a shadow stack. It's a common trick to have a
1227         VM maintain two stacks - the actual execution stack plus a shadow stack that has some extra
1228         information. The shadow stack can be reshaped, moved, etc, since the VM tightly controls its
1229         layout. The main stack can then continue to obey ABI rules.
1230
1231         This patch implements a mechanism for being able to display stack traces that include
1232         tail-deleted frames. It uses a shadow stack that behaves like a CHICKEN stack: it has all
1233         frames all the time, though we will collect the tail-deleted ones if the stack gets too big.
1234         This new mechanism is called ShadowChicken, obviously: it's CHICKEN on a shadow stack.
1235         
1236         ShadowChicken is always on, but individual CodeBlocks may make their own choices about
1237         whether to opt into it. They will do that at bytecompile time based on the debugger mode on
1238         their global object.
1239
1240         When no CodeBlock opts in, there is no overhead, since ShadowChicken ends up doing nothing
1241         in that case. Well, except when exceptions are thrown. Then it might do some work, but it's
1242         minor.
1243
1244         When all CodeBlocks opt in, there is about 6% overhead. That's too much overhead to enable
1245         this all the time, but it's low enough to justify enabling in the Inspector. It's currently
1246         enabled on all CodeBlocks only when you use an Option. Otherwise it will auto-enable if the
1247         debugger is on.
1248
1249         Note that ShadowChicken attempts to gracefully handle the presence of stack frames that have
1250         no logging. This is essential since we *can* have debugging enabled in one GlobalObject and
1251         disabled in another. Also, some frames don't do ShadowChicken because they just haven't been
1252         hacked to do it yet. Native frames fall into this category, as do the VM entry frames.
1253
1254         This doesn't yet wire ShadowChicken into DebuggerCallFrame. That will take more work. It
1255         just makes a ShadowChicken stack walk function available to jsc. It's used from the
1256         shadow-chicken tests.
1257
1258         * API/JSContextRef.cpp:
1259         (BacktraceFunctor::BacktraceFunctor):
1260         (BacktraceFunctor::operator()):
1261         (JSContextCreateBacktrace):
1262         * CMakeLists.txt:
1263         * JavaScriptCore.xcodeproj/project.pbxproj:
1264         * bytecode/BytecodeList.json:
1265         * bytecode/BytecodeUseDef.h:
1266         (JSC::computeUsesForBytecodeOffset):
1267         (JSC::computeDefsForBytecodeOffset):
1268         * bytecode/CodeBlock.cpp:
1269         (JSC::CodeBlock::dumpBytecode):
1270         (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
1271         (JSC::RecursionCheckFunctor::operator()):
1272         (JSC::CodeBlock::noticeIncomingCall):
1273         * bytecompiler/BytecodeGenerator.cpp:
1274         (JSC::BytecodeGenerator::emitEnter):
1275         (JSC::BytecodeGenerator::emitCallInTailPosition):
1276         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
1277         (JSC::BytecodeGenerator::emitCallVarargs):
1278         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
1279         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
1280         (JSC::BytecodeGenerator::emitCallDefineProperty):
1281         * bytecompiler/BytecodeGenerator.h:
1282         * debugger/DebuggerCallFrame.cpp:
1283         (JSC::LineAndColumnFunctor::operator()):
1284         (JSC::LineAndColumnFunctor::column):
1285         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
1286         (JSC::FindCallerMidStackFunctor::operator()):
1287         (JSC::DebuggerCallFrame::DebuggerCallFrame):
1288         * dfg/DFGAbstractInterpreterInlines.h:
1289         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1290         * dfg/DFGByteCodeParser.cpp:
1291         (JSC::DFG::ByteCodeParser::parseBlock):
1292         * dfg/DFGClobberize.h:
1293         (JSC::DFG::clobberize):
1294         * dfg/DFGDoesGC.cpp:
1295         (JSC::DFG::doesGC):
1296         * dfg/DFGFixupPhase.cpp:
1297         (JSC::DFG::FixupPhase::fixupNode):
1298         * dfg/DFGNodeType.h:
1299         * dfg/DFGPredictionPropagationPhase.cpp:
1300         (JSC::DFG::PredictionPropagationPhase::propagate):
1301         * dfg/DFGSafeToExecute.h:
1302         (JSC::DFG::safeToExecute):
1303         * dfg/DFGSpeculativeJIT32_64.cpp:
1304         (JSC::DFG::SpeculativeJIT::compile):
1305         * dfg/DFGSpeculativeJIT64.cpp:
1306         (JSC::DFG::SpeculativeJIT::compile):
1307         * ftl/FTLAbstractHeapRepository.cpp:
1308         * ftl/FTLAbstractHeapRepository.h:
1309         * ftl/FTLCapabilities.cpp:
1310         (JSC::FTL::canCompile):
1311         * ftl/FTLLowerDFGToB3.cpp:
1312         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1313         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
1314         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
1315         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
1316         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1317         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1318         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket):
1319         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1320         * heap/Heap.cpp:
1321         (JSC::Heap::markRoots):
1322         (JSC::Heap::visitSamplingProfiler):
1323         (JSC::Heap::visitShadowChicken):
1324         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1325         (JSC::Heap::collectImpl):
1326         * heap/Heap.h:
1327         * inspector/ScriptCallStackFactory.cpp:
1328         (Inspector::CreateScriptCallStackFunctor::CreateScriptCallStackFunctor):
1329         (Inspector::CreateScriptCallStackFunctor::operator()):
1330         (Inspector::createScriptCallStack):
1331         * interpreter/CallFrame.h:
1332         (JSC::ExecState::iterate):
1333         * interpreter/Interpreter.cpp:
1334         (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
1335         (JSC::DumpRegisterFunctor::operator()):
1336         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1337         (JSC::GetStackTraceFunctor::operator()):
1338         (JSC::Interpreter::getStackTrace):
1339         (JSC::GetCatchHandlerFunctor::handler):
1340         (JSC::GetCatchHandlerFunctor::operator()):
1341         (JSC::notifyDebuggerOfUnwinding):
1342         (JSC::UnwindFunctor::UnwindFunctor):
1343         (JSC::UnwindFunctor::operator()):
1344         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
1345         * interpreter/ShadowChicken.cpp: Added.
1346         (JSC::ShadowChicken::Packet::dump):
1347         (JSC::ShadowChicken::Frame::dump):
1348         (JSC::ShadowChicken::ShadowChicken):
1349         (JSC::ShadowChicken::~ShadowChicken):
1350         (JSC::ShadowChicken::log):
1351         (JSC::ShadowChicken::update):
1352         (JSC::ShadowChicken::visitChildren):
1353         (JSC::ShadowChicken::reset):
1354         (JSC::ShadowChicken::dump):
1355         (JSC::ShadowChicken::functionsOnStack):
1356         * interpreter/ShadowChicken.h: Added.
1357         (JSC::ShadowChicken::Packet::Packet):
1358         (JSC::ShadowChicken::Packet::tailMarker):
1359         (JSC::ShadowChicken::Packet::throwMarker):
1360         (JSC::ShadowChicken::Packet::prologue):
1361         (JSC::ShadowChicken::Packet::tail):
1362         (JSC::ShadowChicken::Packet::throwPacket):
1363         (JSC::ShadowChicken::Packet::operator bool):
1364         (JSC::ShadowChicken::Packet::isPrologue):
1365         (JSC::ShadowChicken::Packet::isTail):
1366         (JSC::ShadowChicken::Packet::isThrow):
1367         (JSC::ShadowChicken::Frame::Frame):
1368         (JSC::ShadowChicken::Frame::operator==):
1369         (JSC::ShadowChicken::Frame::operator!=):
1370         (JSC::ShadowChicken::log):
1371         (JSC::ShadowChicken::logSize):
1372         (JSC::ShadowChicken::addressOfLogCursor):
1373         (JSC::ShadowChicken::logEnd):
1374         * interpreter/ShadowChickenInlines.h: Added.
1375         (JSC::ShadowChicken::iterate):
1376         * interpreter/StackVisitor.h:
1377         (JSC::StackVisitor::Frame::callee):
1378         (JSC::StackVisitor::Frame::codeBlock):
1379         (JSC::StackVisitor::Frame::bytecodeOffset):
1380         (JSC::StackVisitor::Frame::inlineCallFrame):
1381         (JSC::StackVisitor::Frame::isJSFrame):
1382         (JSC::StackVisitor::Frame::isInlinedFrame):
1383         (JSC::StackVisitor::visit):
1384         * jit/CCallHelpers.cpp: Added.
1385         (JSC::CCallHelpers::logShadowChickenProloguePacket):
1386         (JSC::CCallHelpers::logShadowChickenTailPacket):
1387         (JSC::CCallHelpers::setupShadowChickenPacket):
1388         * jit/CCallHelpers.h:
1389         (JSC::CCallHelpers::prepareForTailCallSlow):
1390         * jit/JIT.cpp:
1391         (JSC::JIT::privateCompileMainPass):
1392         * jit/JIT.h:
1393         * jit/JITExceptions.cpp:
1394         (JSC::genericUnwind):
1395         * jit/JITOpcodes.cpp:
1396         (JSC::JIT::emit_op_resume):
1397         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1398         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1399         * jit/JITOperations.cpp:
1400         * jit/JITOperations.h:
1401         * jsc.cpp:
1402         (GlobalObject::finishCreation):
1403         (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
1404         (FunctionJSCStackFunctor::operator()):
1405         (functionClearSamplingFlags):
1406         (functionShadowChickenFunctionsOnStack):
1407         (functionReadline):
1408         * llint/LLIntOffsetsExtractor.cpp:
1409         * llint/LLIntSlowPaths.cpp:
1410         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1411         (JSC::LLInt::llint_throw_stack_overflow_error):
1412         * llint/LLIntSlowPaths.h:
1413         * llint/LowLevelInterpreter.asm:
1414         * profiler/ProfileGenerator.cpp:
1415         (JSC::AddParentForConsoleStartFunctor::foundParent):
1416         (JSC::AddParentForConsoleStartFunctor::operator()):
1417         * runtime/Error.cpp:
1418         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1419         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1420         (JSC::addErrorInfoAndGetBytecodeOffset):
1421         * runtime/JSFunction.cpp:
1422         (JSC::RetrieveArgumentsFunctor::result):
1423         (JSC::RetrieveArgumentsFunctor::operator()):
1424         (JSC::retrieveArguments):
1425         (JSC::RetrieveCallerFunctionFunctor::result):
1426         (JSC::RetrieveCallerFunctionFunctor::operator()):
1427         (JSC::retrieveCallerFunction):
1428         * runtime/JSGlobalObjectFunctions.cpp:
1429         (JSC::GlobalFuncProtoGetterFunctor::result):
1430         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1431         (JSC::globalFuncProtoGetter):
1432         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
1433         (JSC::GlobalFuncProtoSetterFunctor::operator()):
1434         * runtime/NullSetterFunction.cpp:
1435         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
1436         (JSC::GetCallerStrictnessFunctor::operator()):
1437         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
1438         (JSC::callerIsStrict):
1439         * runtime/ObjectConstructor.cpp:
1440         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
1441         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1442         (JSC::objectConstructorGetPrototypeOf):
1443         * runtime/Options.h:
1444         * runtime/VM.cpp:
1445         (JSC::VM::VM):
1446         (JSC::SetEnabledProfilerFunctor::operator()):
1447         * runtime/VM.h:
1448         (JSC::VM::shouldBuilderPCToCodeOriginMapping):
1449         (JSC::VM::bytecodeIntrinsicRegistry):
1450         (JSC::VM::shadowChicken):
1451         * tests/stress/resources/shadow-chicken-support.js: Added.
1452         (describeFunction):
1453         (describeArray):
1454         (expectStack):
1455         (initialize):
1456         * tests/stress/shadow-chicken-disabled.js: Added.
1457         (test1.foo):
1458         (test1.bar):
1459         (test1.baz):
1460         (test1):
1461         (test2.foo):
1462         (test2.bar):
1463         (test2.baz):
1464         (test2):
1465         (test3.foo):
1466         (test3.bar):
1467         (test3.baz):
1468         (test3):
1469         * tests/stress/shadow-chicken-enabled.js: Added.
1470         (test1.foo):
1471         (test1.bar):
1472         (test1.baz):
1473         (test1):
1474         (test2.foo):
1475         (test2.bar):
1476         (test2.baz):
1477         (test2):
1478         (test3.bob):
1479         (test3.thingy):
1480         (test3.foo):
1481         (test3.bar):
1482         (test3.baz):
1483         (test3):
1484         (test4.bob):
1485         (test4.thingy):
1486         (test4.foo):
1487         (test4.bar):
1488         (test4.baz):
1489         (test4):
1490         (test5.foo):
1491         (test5):
1492         * tools/JSDollarVMPrototype.cpp:
1493         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
1494         (JSC::CallerFrameJITTypeFunctor::operator()):
1495         (JSC::CallerFrameJITTypeFunctor::jitType):
1496         (JSC::functionLLintTrue):
1497         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
1498         (JSC::CellAddressCheckFunctor::operator()):
1499         (JSC::JSDollarVMPrototype::isValidCell):
1500         (JSC::JSDollarVMPrototype::isValidCodeBlock):
1501         (JSC::JSDollarVMPrototype::codeBlockForFrame):
1502         (JSC::PrintFrameFunctor::PrintFrameFunctor):
1503         (JSC::PrintFrameFunctor::operator()):
1504         (JSC::printCallFrame):
1505
1506 2016-03-19  Filip Pizlo  <fpizlo@apple.com>
1507
1508         DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace
1509         https://bugs.webkit.org/show_bug.cgi?id=155270
1510
1511         Reviewed by Saam Barati.
1512
1513         This enables constant-folding of RegExpExec, RegExpTest, and StringReplace.
1514
1515         It's now possible to run Yarr on the JIT threads. Since previous work on constant-folding
1516         strings gave the DFG an API for reasoning about JSString constants in terms of
1517         JIT-thread-local WTF::Strings, it's now super easy to just pass strings to Yarr and build IR
1518         based on the results.
1519
1520         But RegExpExec is hard: the folded version still must allocate a RegExpMatchesArray. We must
1521         use the same Structure that the code would have used or else we'll pollute the program's
1522         inline caches. Also, RegExpMatchesArray.h|cpp will allocate the array and its named
1523         properties in one go - we don't want to lose that optimization. So, this patch enables
1524         MaterializeNewObject to allocate objects or arrays with any number of indexed or named
1525         properties. Previously it could only handle objects (but not arrays) and named properties
1526         (but not indexed ones).
1527
1528         This also adds a few minor things for setting the RegExpConstructor cached result.
1529
1530         This is about a 2x speed-up on microbenchmarks when we fold a match success and about a
1531         8x speed-up when we fold a match failure. It's a 10% speed-up on Octane/regexp.
1532
1533         * JavaScriptCore.xcodeproj/project.pbxproj:
1534         * dfg/DFGAbstractInterpreterInlines.h:
1535         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1536         * dfg/DFGClobberize.h:
1537         (JSC::DFG::clobberize):
1538         * dfg/DFGDoesGC.cpp:
1539         (JSC::DFG::doesGC):
1540         * dfg/DFGFixupPhase.cpp:
1541         (JSC::DFG::FixupPhase::fixupNode):
1542         * dfg/DFGGraph.cpp:
1543         (JSC::DFG::Graph::dump):
1544         * dfg/DFGInsertionSet.cpp:
1545         (JSC::DFG::InsertionSet::insertSlow):
1546         (JSC::DFG::InsertionSet::execute):
1547         * dfg/DFGInsertionSet.h:
1548         (JSC::DFG::InsertionSet::insertCheck):
1549         * dfg/DFGLazyJSValue.cpp:
1550         (JSC::DFG::LazyJSValue::tryGetString):
1551         * dfg/DFGMayExit.cpp:
1552         (JSC::DFG::mayExit):
1553         * dfg/DFGNode.h:
1554         (JSC::DFG::StackAccessData::flushedAt):
1555         (JSC::DFG::OpInfo::OpInfo): Deleted.
1556         * dfg/DFGNodeType.h:
1557         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1558         * dfg/DFGObjectMaterializationData.cpp:
1559         (JSC::DFG::ObjectMaterializationData::dump):
1560         (JSC::DFG::PhantomPropertyValue::dump): Deleted.
1561         (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore): Deleted.
1562         (JSC::DFG::ObjectMaterializationData::similarityScore): Deleted.
1563         * dfg/DFGObjectMaterializationData.h:
1564         (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue): Deleted.
1565         (JSC::DFG::PhantomPropertyValue::operator==): Deleted.
1566         * dfg/DFGOpInfo.h: Added.
1567         (JSC::DFG::OpInfo::OpInfo):
1568         * dfg/DFGOperations.cpp:
1569         * dfg/DFGOperations.h:
1570         * dfg/DFGPredictionPropagationPhase.cpp:
1571         (JSC::DFG::PredictionPropagationPhase::propagate):
1572         * dfg/DFGPromotedHeapLocation.cpp:
1573         (WTF::printInternal):
1574         * dfg/DFGPromotedHeapLocation.h:
1575         * dfg/DFGSafeToExecute.h:
1576         (JSC::DFG::safeToExecute):
1577         * dfg/DFGSpeculativeJIT.cpp:
1578         (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
1579         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1580         (JSC::DFG::SpeculativeJIT::emitGetLength):
1581         (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
1582         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
1583         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
1584         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): Deleted.
1585         * dfg/DFGSpeculativeJIT.h:
1586         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1587         * dfg/DFGSpeculativeJIT32_64.cpp:
1588         (JSC::DFG::SpeculativeJIT::compile):
1589         * dfg/DFGSpeculativeJIT64.cpp:
1590         (JSC::DFG::SpeculativeJIT::compile):
1591         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1592         * dfg/DFGStrengthReductionPhase.cpp:
1593         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
1594         (JSC::DFG::StrengthReductionPhase::handleNode):
1595         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1596         (JSC::DFG::StrengthReductionPhase::executeInsertionSet):
1597         * dfg/DFGValidate.cpp:
1598         (JSC::DFG::Validate::validate):
1599         (JSC::DFG::Validate::validateCPS):
1600         * ftl/FTLAbstractHeapRepository.cpp:
1601         * ftl/FTLAbstractHeapRepository.h:
1602         * ftl/FTLCapabilities.cpp:
1603         (JSC::FTL::canCompile):
1604         * ftl/FTLLowerDFGToB3.cpp:
1605         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1606         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1607         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1608         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1609         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
1610         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
1611         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1612         (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
1613         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1614         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1615         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
1616         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
1617         * ftl/FTLOperations.cpp:
1618         (JSC::FTL::operationPopulateObjectInOSR):
1619         (JSC::FTL::operationNewObjectWithButterfly): Deleted.
1620         * ftl/FTLOperations.h:
1621         * inspector/ContentSearchUtilities.cpp:
1622         * runtime/JSObject.h:
1623         (JSC::JSObject::createRawObject):
1624         (JSC::JSFinalObject::create):
1625         * runtime/RegExp.cpp:
1626         (JSC::RegExp::compile):
1627         (JSC::RegExp::match):
1628         (JSC::RegExp::matchConcurrently):
1629         (JSC::RegExp::compileMatchOnly):
1630         (JSC::RegExp::deleteCode):
1631         * runtime/RegExp.h:
1632         * runtime/RegExpCachedResult.h:
1633         (JSC::RegExpCachedResult::offsetOfLastRegExp):
1634         (JSC::RegExpCachedResult::offsetOfLastInput):
1635         (JSC::RegExpCachedResult::offsetOfResult):
1636         (JSC::RegExpCachedResult::offsetOfReified):
1637         * runtime/RegExpConstructor.h:
1638         (JSC::RegExpConstructor::offsetOfCachedResult):
1639         * runtime/RegExpInlines.h:
1640         (JSC::RegExp::hasCodeFor):
1641         (JSC::RegExp::compileIfNecessary):
1642         (JSC::RegExp::matchInline):
1643         (JSC::RegExp::hasMatchOnlyCodeFor):
1644         (JSC::RegExp::compileIfNecessaryMatchOnly):
1645         * runtime/RegExpObjectInlines.h:
1646         (JSC::RegExpObject::execInline):
1647         * runtime/StringPrototype.cpp:
1648         (JSC::substituteBackreferencesSlow):
1649         (JSC::substituteBackreferencesInline):
1650         (JSC::substituteBackreferences):
1651         (JSC::StringRange::StringRange):
1652         * runtime/StringPrototype.h:
1653         * runtime/VM.h:
1654         * tests/stress/simple-regexp-exec-folding-fail.js: Added.
1655         (foo):
1656         * tests/stress/simple-regexp-exec-folding.js: Added.
1657         (foo):
1658         * tests/stress/simple-regexp-test-folding-fail.js: Added.
1659         (foo):
1660         * tests/stress/simple-regexp-test-folding.js: Added.
1661         (foo):
1662         * yarr/RegularExpression.cpp:
1663         * yarr/Yarr.h:
1664         * yarr/YarrInterpreter.cpp:
1665         (JSC::Yarr::Interpreter::interpret):
1666         (JSC::Yarr::ByteCompiler::ByteCompiler):
1667         (JSC::Yarr::ByteCompiler::compile):
1668         (JSC::Yarr::ByteCompiler::checkInput):
1669         (JSC::Yarr::byteCompile):
1670         (JSC::Yarr::interpret):
1671         * yarr/YarrInterpreter.h:
1672         (JSC::Yarr::BytecodePattern::BytecodePattern):
1673
1674 2016-04-05  Keith Miller  <keith_miller@apple.com>
1675
1676         We should support the ability to do a non-effectful getById
1677         https://bugs.webkit.org/show_bug.cgi?id=156116
1678
1679         Reviewed by Benjamin Poulain.
1680
1681         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
1682         useful because it enables us to take different code paths based on values that we would
1683         otherwise not be able to have knowledge of. This patch adds this new feature called
1684         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
1685         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
1686         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
1687         undefined if the slot is unset.  If the slot is proxied, or in any other case, the result
1688         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
1689         the global object that indicates we could not get the result.
1690
1691         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
1692         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
1693         get_by_id the same way we would for load and return the value at the appropriate offset.
1694         Additionally, in order to make sure that we can properly compare the GetterSetter object
1695         with ===, GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
1696         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
1697         likely to have little to no impact on memory usage as normal accessors are generally rare.
1698
1699         * JavaScriptCore.xcodeproj/project.pbxproj:
1700         * builtins/BuiltinExecutables.cpp:
1701         (JSC::BuiltinExecutables::createDefaultConstructor):
1702         (JSC::BuiltinExecutables::createBuiltinExecutable):
1703         (JSC::createBuiltinExecutable):
1704         (JSC::BuiltinExecutables::createExecutable):
1705         (JSC::createExecutableInternal): Deleted.
1706         * builtins/BuiltinExecutables.h:
1707         * bytecode/BytecodeIntrinsicRegistry.h:
1708         * bytecode/BytecodeList.json:
1709         * bytecode/BytecodeUseDef.h:
1710         (JSC::computeUsesForBytecodeOffset):
1711         (JSC::computeDefsForBytecodeOffset):
1712         * bytecode/CodeBlock.cpp:
1713         (JSC::CodeBlock::dumpBytecode):
1714         * bytecode/PolymorphicAccess.cpp:
1715         (JSC::AccessCase::tryGet):
1716         (JSC::AccessCase::generate):
1717         (WTF::printInternal):
1718         * bytecode/PolymorphicAccess.h:
1719         (JSC::AccessCase::isGet): Deleted.
1720         (JSC::AccessCase::isPut): Deleted.
1721         (JSC::AccessCase::isIn): Deleted.
1722         * bytecode/StructureStubInfo.cpp:
1723         (JSC::StructureStubInfo::reset):
1724         * bytecode/StructureStubInfo.h:
1725         * bytecompiler/BytecodeGenerator.cpp:
1726         (JSC::BytecodeGenerator::emitTryGetById):
1727         * bytecompiler/BytecodeGenerator.h:
1728         * bytecompiler/NodesCodegen.cpp:
1729         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
1730         * dfg/DFGSpeculativeJIT32_64.cpp:
1731         (JSC::DFG::SpeculativeJIT::cachedGetById):
1732         * dfg/DFGSpeculativeJIT64.cpp:
1733         (JSC::DFG::SpeculativeJIT::cachedGetById):
1734         * ftl/FTLLowerDFGToB3.cpp:
1735         (JSC::FTL::DFG::LowerDFGToB3::getById):
1736         * jit/JIT.cpp:
1737         (JSC::JIT::privateCompileMainPass):
1738         (JSC::JIT::privateCompileSlowCases):
1739         * jit/JIT.h:
1740         * jit/JITInlineCacheGenerator.cpp:
1741         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1742         * jit/JITInlineCacheGenerator.h:
1743         * jit/JITInlines.h:
1744         (JSC::JIT::callOperation):
1745         * jit/JITOperations.cpp:
1746         * jit/JITOperations.h:
1747         * jit/JITPropertyAccess.cpp:
1748         (JSC::JIT::emitGetByValWithCachedId):
1749         (JSC::JIT::emit_op_try_get_by_id):
1750         (JSC::JIT::emitSlow_op_try_get_by_id):
1751         (JSC::JIT::emit_op_get_by_id):
1752         * jit/JITPropertyAccess32_64.cpp:
1753         (JSC::JIT::emitGetByValWithCachedId):
1754         (JSC::JIT::emit_op_try_get_by_id):
1755         (JSC::JIT::emitSlow_op_try_get_by_id):
1756         (JSC::JIT::emit_op_get_by_id):
1757         * jit/Repatch.cpp:
1758         (JSC::repatchByIdSelfAccess):
1759         (JSC::appropriateOptimizingGetByIdFunction):
1760         (JSC::appropriateGenericGetByIdFunction):
1761         (JSC::tryCacheGetByID):
1762         (JSC::repatchGetByID):
1763         (JSC::resetGetByID):
1764         * jit/Repatch.h:
1765         * jsc.cpp:
1766         (GlobalObject::finishCreation):
1767         (functionGetGetterSetter):
1768         (functionCreateBuiltin):
1769         * llint/LLIntData.cpp:
1770         (JSC::LLInt::Data::performAssertions):
1771         * llint/LLIntSlowPaths.cpp:
1772         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1773         * llint/LLIntSlowPaths.h:
1774         * llint/LowLevelInterpreter.asm:
1775         * runtime/GetterSetter.cpp:
1776         * runtime/GetterSetter.h:
1777         * runtime/JSType.h:
1778         * runtime/PropertySlot.cpp:
1779         (JSC::PropertySlot::getPureResult):
1780         * runtime/PropertySlot.h:
1781         * runtime/ProxyObject.cpp:
1782         (JSC::ProxyObject::getOwnPropertySlotCommon):
1783         * tests/stress/try-get-by-id.js: Added.
1784         (tryGetByIdText):
1785         (getCaller.obj.1.throw.new.Error.let.func):
1786         (getCaller.obj.1.throw.new.Error):
1787         (throw.new.Error.get let):
1788         (throw.new.Error.):
1789         (throw.new.Error.let.get createBuiltin):
1790         (get let):
1791         (let.get createBuiltin):
1792         (let.func):
1793         (get let.func):
1794         (get throw):
1795
1796 2016-04-05  Saam barati  <sbarati@apple.com>
1797
1798         jsc-layout-tests.yaml/js/script-tests/regress-141098.js failing on Yosemite Debug after r198989
1799         https://bugs.webkit.org/show_bug.cgi?id=156187
1800
1801         Reviewed by Filip Pizlo.
1802
1803         This is a speculative fix. Let's see if this prevents the timeout.
1804
1805         * parser/Parser.cpp:
1806         (JSC::Parser<LexerType>::parseStatementListItem):
1807
1808 2016-04-04  Filip Pizlo  <fpizlo@apple.com>
1809
1810         PolymorphicAccess should have a MegamorphicLoad case
1811         https://bugs.webkit.org/show_bug.cgi?id=156182
1812
1813         Reviewed by Geoffrey Garen and Keith Miller.
1814
1815         This introduces a new case to PolymorphicAccess called MegamorphicLoad. This inlines the lookup in
1816         the PropertyTable. It's cheaper than switching on a huge number of cases and it's cheaper than
1817         calling into C++ to do the same job - particularly since inlining the lookup into an access means
1818         that we can precompute the hash code.
1819
1820         When writing the inline code for the hashtable lookup, I found that our hashing algorithm was not
1821         optimal. It used a double-hashing method for reducing collision pathologies. This is great for
1822         improving the performance of some worst-case scenarios. But this misses the point of a hashtable: we
1823         want to optimize the average-case performance. When optimizing for average-case, we can choose to
1824         either focus on maximizing the likelihood of the fast case happening, or to minimize the cost of the
1825         worst-case, or to minimize the cost of the fast case. Even a very basic hashtable will achieve a high
1826         probability of hitting the fast case. So, doing work to reduce the likelihood of a worst-case
1827         pathology only makes sense if it also preserves the good performance of the fast case, or reduces the
1828         likelihood of the worst-case by so much that it's a win for the average case even with a slow-down in
1829         the fast case.
1830
1831         I don't believe, based on looking at how the double-hashing is implemented, that it's possible that
1832         this preserves the good performance of the fast case. It requires at least one more value to be live
1833         around the loop, and dramatically increases the register pressure at key points inside the loop. The
1834         biggest offender is the doubleHash() method itself. There is no getting around how bad this is: if
1835         the compiler live-range-splits that method to death to avoid degrading register pressure elsewhere
1836         then we will pay a steep price anytime we take the second iteration around the loop; but if the
1837         compiler doesn't split around the call then the hashtable lookup fast path will be full of spills on
1838         some architectures (I performed biological register allocation and found that I needed 9 registers
1839         for complete lookup, while x86-64 has only 6 callee-saves; OTOH ARM64 has 10 callee-saves so it might
1840         be better off).
1841
1842         Hence, this patch changes the hashtable lookup to use simple linear probing. This was not a slow-down
1843         on anything, and it made MegamorphicLoad much more sensible since it is less likely to have to spill.
1844
1845         There are some other small changes in this patch, like rationalizing the IC's choice between giving
1846         up after a repatch (i.e. never trying again) and just pretending that nothing happened (so we can
1847         try to repatch again in the future). It looked like the code in Repatch.cpp was set up to be able to
1848         choose between those options, but we weren't fully taking advantage of it because the
1849         regenerateWithCase() method just returned null for any failure, and didn't say whether it was the
1850         sort of failure that renders the inline cache unrepatchable (like memory allocation failure). Now
1851         this is all made explicit. I wanted to make sure this change happened in this patch since the
1852         MegamorphicLoad code automagically generates a MegamorphicLoad case by coalescing other cases. Since
1853         this is intended to avoid blowing out the cache and making it unrepatchable, I wanted to make sure
1854         that the rules for giving up were something that made sense to me.
1855         
1856         This is a big win on microbenchmarks. It's neutral on traditional JS benchmarks. It's a slight
1857         speed-up for page loading, because many real websites like to have megamorphic property accesses.
1858
1859         * bytecode/PolymorphicAccess.cpp:
1860         (JSC::AccessGenerationResult::dump):
1861         (JSC::AccessGenerationState::addWatchpoint):
1862         (JSC::AccessCase::get):
1863         (JSC::AccessCase::megamorphicLoad):
1864         (JSC::AccessCase::replace):
1865         (JSC::AccessCase::guardedByStructureCheck):
1866         (JSC::AccessCase::couldStillSucceed):
1867         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
1868         (JSC::AccessCase::canReplace):
1869         (JSC::AccessCase::generateWithGuard):
1870         (JSC::AccessCase::generate):
1871         (JSC::PolymorphicAccess::PolymorphicAccess):
1872         (JSC::PolymorphicAccess::~PolymorphicAccess):
1873         (JSC::PolymorphicAccess::regenerateWithCases):
1874         (JSC::PolymorphicAccess::regenerateWithCase):
1875         (WTF::printInternal):
1876         * bytecode/PolymorphicAccess.h:
1877         (JSC::AccessCase::isGet):
1878         (JSC::AccessCase::isPut):
1879         (JSC::AccessCase::isIn):
1880         (JSC::AccessGenerationResult::AccessGenerationResult):
1881         (JSC::AccessGenerationResult::operator==):
1882         (JSC::AccessGenerationResult::operator!=):
1883         (JSC::AccessGenerationResult::operator bool):
1884         (JSC::AccessGenerationResult::kind):
1885         (JSC::AccessGenerationResult::code):
1886         (JSC::AccessGenerationResult::madeNoChanges):
1887         (JSC::AccessGenerationResult::gaveUp):
1888         (JSC::AccessGenerationResult::generatedNewCode):
1889         (JSC::PolymorphicAccess::isEmpty):
1890         (JSC::AccessGenerationState::AccessGenerationState):
1891         * bytecode/StructureStubInfo.cpp:
1892         (JSC::StructureStubInfo::aboutToDie):
1893         (JSC::StructureStubInfo::addAccessCase):
1894         * bytecode/StructureStubInfo.h:
1895         * jit/AssemblyHelpers.cpp:
1896         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1897         (JSC::AssemblyHelpers::loadProperty):
1898         (JSC::emitRandomThunkImpl):
1899         (JSC::AssemblyHelpers::emitRandomThunk):
1900         (JSC::AssemblyHelpers::emitLoadStructure):
1901         * jit/AssemblyHelpers.h:
1902         (JSC::AssemblyHelpers::loadValue):
1903         (JSC::AssemblyHelpers::moveValueRegs):
1904         (JSC::AssemblyHelpers::argumentsStart):
1905         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1906         (JSC::AssemblyHelpers::emitLoadStructure): Deleted.
1907         * jit/GPRInfo.cpp:
1908         (JSC::JSValueRegs::dump):
1909         * jit/GPRInfo.h:
1910         (JSC::JSValueRegs::uses):
1911         * jit/Repatch.cpp:
1912         (JSC::replaceWithJump):
1913         (JSC::tryCacheGetByID):
1914         (JSC::tryCachePutByID):
1915         (JSC::tryRepatchIn):
1916         * jit/ThunkGenerators.cpp:
1917         (JSC::virtualThunkFor):
1918         * runtime/Options.h:
1919         * runtime/PropertyMapHashTable.h:
1920         (JSC::PropertyTable::begin):
1921         (JSC::PropertyTable::find):
1922         (JSC::PropertyTable::get):
1923         * runtime/Structure.h:
1924
1925 2016-04-05  Antoine Quint  <graouts@apple.com>
1926
1927         [WebGL2] Turn the ENABLE_WEBGL2 flag on
1928         https://bugs.webkit.org/show_bug.cgi?id=156061
1929         <rdar://problem/25463193>
1930
1931         Reviewed by Alex Christensen.
1932
1933         * Configurations/FeatureDefines.xcconfig:
1934         * runtime/CommonIdentifiers.h:
1935
1936         Define the conditionalized classes WebGL2RenderingContext and WebGLVertexArrayObject. 
1937
1938 2016-04-04  Zan Dobersek  <zdobersek@igalia.com>
1939
1940         Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads
1941         https://bugs.webkit.org/show_bug.cgi?id=156161
1942
1943         Reviewed by Yusuke Suzuki.
1944
1945         r197641 added a couple of callOperation(J_JITOperation_EGReoJ, ...) overloads
1946         that handle arguments split into the tag and the payload. The two were split
1947         between the last argument register and the stack on 32-bit ARM EABI systems,
1948         causing incorrect behavior.
1949
1950         Adding EABI_32BIT_DUMMY_ARG pushes the tag and payload together onto the
1951         stack, removing the issue.
1952
1953         * dfg/DFGSpeculativeJIT.h:
1954         (JSC::DFG::SpeculativeJIT::callOperation):
1955
1956 2016-04-04  Joseph Pecoraro  <pecoraro@apple.com>
1957
1958         Avoid copying ModuleLoaderObject.js to resources bundle
1959         https://bugs.webkit.org/show_bug.cgi?id=156188
1960         <rdar://problem/25534383>
1961
1962         Reviewed by Alexey Proskuryakov.
1963
1964         * JavaScriptCore.xcodeproj/project.pbxproj:
1965
1966 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
1967
1968         Unreviewed, rolling out r199016.
1969         https://bugs.webkit.org/show_bug.cgi?id=156140
1970
1971         "Regressed Octane and Kraken on the perf bots."
1972
1973         Reverted changeset:
1974
1975         CopiedBlock should be 16kB
1976         https://bugs.webkit.org/show_bug.cgi?id=156168
1977         http://trac.webkit.org/changeset/199016
1978
1979 2016-04-04  Benjamin Poulain  <bpoulain@apple.com>
1980
1981         [JSC][x86] Fix an assertion in MacroAssembler::branch8()
1982         https://bugs.webkit.org/show_bug.cgi?id=156181
1983
1984         Reviewed by Geoffrey Garen.
1985
1986         * assembler/MacroAssemblerX86Common.h:
1987         (JSC::MacroAssemblerX86Common::branch8):
1988         The test was wrong because valid negative numbers have ones
1989         in the top bits.
1990
1991         I replaced the assertion to be explicit about the valid range.
1992
1993 2016-04-04  Chris Dumez  <cdumez@apple.com>
1994
1995         Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings
1996         https://bugs.webkit.org/show_bug.cgi?id=156136
1997         <rdar://problem/25410767>
1998
1999         Reviewed by Ryosuke Niwa.
2000
2001         Add a few more identifiers for use in the generated bindings.
2002
2003         * runtime/CommonIdentifiers.h:
2004
2005 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
2006
2007         CopiedBlock should be 16kB
2008         https://bugs.webkit.org/show_bug.cgi?id=156168
2009
2010         Reviewed by Mark Lam.
2011
2012         MarkedBlock is 16kB, and bmalloc's largest fast-path allocation is 16kB,
2013         and the largest page size on Apple devices is 16kB -- so this change
2014         should improve sharing and recycling and keep us on the fast path more.
2015
2016         32kB is also super aggro. At 16kB, we support allocations up to 8kB,
2017         which covers 99.3% of allocations on facebook.com. The 32kB block size
2018         only covered an additional 0.2% of allocations.
2019
2020         * heap/CopiedBlock.h:
2021
2022 2016-04-04  Carlos Garcia Campos  <cgarcia@igalia.com>
2023
2024         REGRESSION(r198792): [GTK] Inspector crashes in Inspector::Protocol::getEnumConstantValue since r198792
2025         https://bugs.webkit.org/show_bug.cgi?id=155745
2026         <rdar://problem/25289456>
2027
2028         Reviewed by Brian Burg.
2029
2030         The problem is that we are generating the Inspector::Protocol::getEnumConstantValue() method and the
2031         enum_constant_values array for every framework that has enum values. So, in the case of the GTK port we have two
2032         implementations, one for the inspector in JavaScriptCore and another one for Web Automation in WebKit2, but when
2033         using the inspector in WebKit2 we always end up using the one in WebKit2. Since the enum_constant_values array
2034         is smaller in WebKit2 than the one in JavaScriptCore, we crash every time we receive an enum value higher than
2035         the array size. We need to disambiguate the getEnumConstantValue() generated and used for every framework, so we
2036         can use a specific namespace for the enum conversion methods.
2037
2038         * inspector/agents/InspectorDebuggerAgent.cpp:
2039         (Inspector::breakpointActionTypeForString): Use Inspector::Protocol::InspectorHelpers.
2040         * inspector/scripts/codegen/cpp_generator.py:
2041         (CppGenerator.helpers_namespace): Return the namespace name that should be used for the helper methods.
2042         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2043         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): Use
2044         CppGenerator.helpers_namespace() to use the right namespace when using getEnumConstantValue().
2045         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Ditto.
2046         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2047         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): Ditto.
2048         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2049         (CppProtocolTypesHeaderGenerator.generate_output): Move declaration of getEnumConstantValue to a helper function.
2050         (_generate_enum_constant_value_conversion_methods): Do not emit any code if there aren't enums and ensure all
2051         conversion methods are declared inside the helpers namespace.
2052         (_generate_builder_setter_for_member): Use CppGenerator.helpers_namespace() to use the right namespace when
2053         using getEnumConstantValue().
2054         (_generate_unchecked_setter_for_member): Ditto.
2055         (_generate_declarations_for_enum_conversion_methods): Return a list instead of a string so that we can return an
2056         empty list in case of not emitting any code. The caller will use extend() that has no effect when an empty list
2057         is passed.
2058         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2059         (CppProtocolTypesImplementationGenerator.generate_output): Use the new helper function to generate both the enum
2060         mapping and conversion methods inside the helpers namespace.
2061         (CppProtocolTypesImplementationGenerator._generate_enum_mapping): Return a list instead of a string so that we
2062         can return an empty list in case of not emitting any code.
2063         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods): Ensure we only emit
2064         code when there are enum values, and it's generated inside the helpers namespace.
2065         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2066         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2067         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2068         * inspector/scripts/tests/expected/enum-values.json-result:
2069         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2070         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2071         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2072         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2073         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2074         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2075         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2076         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2077         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2078
2079 2016-04-04  Csaba Osztrogonác  <ossy@webkit.org>
2080
2081         Unreviewed ARM buildfix after r198981.
2082
2083         * assembler/MacroAssemblerARM.h:
2084         (JSC::MacroAssemblerARM::roundTowardZeroDouble):
2085
2086 2016-04-03  Saam barati  <sbarati@apple.com>
2087
2088         Implement Annex B.3.3 function hoisting rules for function code
2089         https://bugs.webkit.org/show_bug.cgi?id=155672
2090
2091         Reviewed by Geoffrey Garen.
2092
2093         The spec states that functions declared inside a function
2094         inside a block scope are subject to the rules of Annex B.3.3:
2095         https://tc39.github.io/ecma262/#sec-block-level-function-declarations-web-legacy-compatibility-semantics
2096
2097         The rule states that functions declared in such blocks should
2098         be local bindings of the block. If declaring the function's name
2099         as a "var" in the function would not lead to a syntax error (i.e.,
2100         if we don't have a let/const/class variable with the same name)
2101         and if we don't have a parameter with the same name, then we
2102         implicitly also declare the function name as a "var". When evaluating
2103         the block statement we bind the hoisted "var" to be the value
2104         of the local function binding.
2105
2106         There is one more thing we do for web compatibility. We allow
2107         function declarations inside if/else statements that aren't
2108         blocks. For such statements, we transform the code as if the
2109         function were declared inside a block statement. For example:
2110         ``` function foo() { if (cond) function baz() { } }```
2111         is transformed into:
2112         ``` function foo() { if (cond) { function baz() { } } }```
2113
2114         * bytecompiler/BytecodeGenerator.cpp:
2115         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2116         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
2117         * bytecompiler/BytecodeGenerator.h:
2118         * parser/Nodes.cpp:
2119         (JSC::ScopeNode::ScopeNode):
2120         (JSC::ProgramNode::ProgramNode):
2121         (JSC::ModuleProgramNode::ModuleProgramNode):
2122         (JSC::EvalNode::EvalNode):
2123         (JSC::FunctionNode::FunctionNode):
2124         * parser/Nodes.h:
2125         (JSC::ScopeNode::hasCapturedVariables):
2126         (JSC::ScopeNode::captures):
2127         (JSC::ScopeNode::hasSloppyModeHoistedFunction):
2128         (JSC::ScopeNode::varDeclarations):
2129         (JSC::ProgramNode::startColumn):
2130         (JSC::ProgramNode::endColumn):
2131         (JSC::EvalNode::startColumn):
2132         (JSC::EvalNode::endColumn):
2133         (JSC::ModuleProgramNode::startColumn):
2134         (JSC::ModuleProgramNode::endColumn):
2135         * parser/Parser.cpp:
2136         (JSC::Parser<LexerType>::Parser):
2137         (JSC::Parser<LexerType>::parseInner):
2138         (JSC::Parser<LexerType>::didFinishParsing):
2139         (JSC::Parser<LexerType>::parseStatement):
2140         (JSC::Parser<LexerType>::parseIfStatement):
2141         * parser/Parser.h:
2142         (JSC::Scope::declareVariable):
2143         (JSC::Scope::declareFunction):
2144         (JSC::Scope::addSloppyModeHoistableFunctionCandidate):
2145         (JSC::Scope::appendFunction):
2146         (JSC::Scope::declareParameter):
2147         (JSC::Scope::mergeInnerArrowFunctionFeatures):
2148         (JSC::Scope::getSloppyModeHoistedFunctions):
2149         (JSC::Scope::getCapturedVars):
2150         (JSC::ScopeRef::containingScope):
2151         (JSC::ScopeRef::operator==):
2152         (JSC::ScopeRef::operator!=):
2153         (JSC::Parser::declareFunction):
2154         (JSC::Parser::hasDeclaredVariable):
2155         (JSC::Parser::isFunctionMetadataNode):
2156         (JSC::Parser::DepthManager::DepthManager):
2157         (JSC::Parser<LexerType>::parse):
2158         * parser/VariableEnvironment.h:
2159         (JSC::VariableEnvironmentEntry::isImported):
2160         (JSC::VariableEnvironmentEntry::isImportedNamespace):
2161         (JSC::VariableEnvironmentEntry::isFunction):
2162         (JSC::VariableEnvironmentEntry::isParameter):
2163         (JSC::VariableEnvironmentEntry::isSloppyModeHoistingCandidate):
2164         (JSC::VariableEnvironmentEntry::setIsCaptured):
2165         (JSC::VariableEnvironmentEntry::setIsConst):
2166         (JSC::VariableEnvironmentEntry::setIsImported):
2167         (JSC::VariableEnvironmentEntry::setIsImportedNamespace):
2168         (JSC::VariableEnvironmentEntry::setIsFunction):
2169         (JSC::VariableEnvironmentEntry::setIsParameter):
2170         (JSC::VariableEnvironmentEntry::setIsSloppyModeHoistingCandidate):
2171         (JSC::VariableEnvironmentEntry::clearIsVar):
2172         * runtime/CodeCache.h:
2173         (JSC::SourceCodeValue::SourceCodeValue):
2174         * runtime/JSScope.cpp:
2175         * runtime/JSScope.h:
2176         * tests/es6.yaml:
2177         * tests/stress/sloppy-mode-function-hoisting.js: Added.
2178         (assert):
2179         (test):
2180         (falsey):
2181         (truthy):
2182         (test.):
2183         (test.a):
2184         (test.f):
2185         (test.let.funcs.f):
2186         (test.catch.f):
2187         (test.foo):
2188         (test.bar):
2189         (test.switch.case.0):
2190         (test.else.f):
2191         (test.b):
2192         (test.c):
2193         (test.d):
2194         (test.e):
2195         (test.g):
2196         (test.h):
2197         (test.i):
2198         (test.j):
2199         (test.k):
2200         (test.l):
2201         (test.m):
2202         (test.n):
2203         (test.o):
2204         (test.p):
2205         (test.q):
2206         (test.r):
2207         (test.s):
2208         (test.t):
2209         (test.u):
2210         (test.v):
2211         (test.w):
2212         (test.x):
2213         (test.y):
2214         (test.z):
2215         (foo):
2216         (bar):
2217         (falsey.bar):
2218         (baz):
2219         (falsey.baz):
2220
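The hoisting rules the entry above describes can be observed from plain JavaScript. The following is an added example written for this page, not code from the WebKit ChangeLog or the patch; it assumes a JavaScript engine that implements Annex B.3.3 (Node.js does) and uses the Function constructor only because Annex B applies solely to sloppy-mode function code, so the probes must not inherit strictness from the surrounding file.

```javascript
// Added example, not WebKit code: probing the Annex B.3.3 hoisting rules from
// ordinary JavaScript. Each probe is compiled with the Function constructor,
// which always yields a sloppy-mode function no matter whether this file is strict.

// Case 1: a function declared in a block. Its name is hoisted as a var of the
// enclosing function (so it reads as undefined before the block runs) and is
// bound to the function once the block statement has been evaluated.
function hoistedFromBlock() {
  return new Function(`
    var before = typeof baz;
    { function baz() { return "inner"; } }
    return before + "/" + typeof baz;
  `)();
}

// Case 2: the braceless if/else form that the patch rewrites as if it were a
// block. The var is hoisted either way; it is only assigned when the branch runs.
function hoistedFromBracelessIf(cond) {
  return new Function("cond", `
    var before = typeof baz;
    if (cond) function baz() { return "inner"; }
    return before + "/" + typeof baz;
  `)(cond);
}

// Case 3: a let/const/class binding with the same name in the function means an
// implicit "var baz" would be a syntax error, so nothing is hoisted and the
// block-level function stays local to its block.
function blockedByLet() {
  return new Function(`
    let baz = 1;
    { function baz() { return "inner"; } }
    return typeof baz;
  `)();
}

// Case 4: a parameter with the same name also suppresses the hoisting.
function blockedByParameter() {
  return new Function("baz", `
    { function baz() { return "inner"; } }
    return typeof baz;
  `)(1);
}

// Sample run (constructed): each probe reports what "baz" is before and after.
console.log(hoistedFromBlock(), hoistedFromBracelessIf(false), blockedByLet(), blockedByParameter());
```

Cases 3 and 4 are the two exclusions the entry lists (a conflicting let/const/class binding, or a parameter of the same name); in both the function declaration remains a purely block-local binding.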
2221 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2222
2223         Unreviewed, turn ES6 for-in loop test success
2224         https://bugs.webkit.org/show_bug.cgi?id=155451
2225
2226         * tests/es6.yaml:
2227
2228 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2229
2230         [JSC] Add truncate operation (rounding to zero)
2231         https://bugs.webkit.org/show_bug.cgi?id=156072
2232
2233         Reviewed by Saam Barati.
2234
2235         Add TruncIntrinsic for Math.trunc. DFG handles it as ArithTrunc.
2236         In DFG, ArithTrunc behaves similar to ArithRound, ArithCeil, and ArithFloor.
2237         ArithTrunc rounds the value towards zero.
2238
2239         And we rewrite @toInteger to use @trunc instead of @abs, @floor, negation and branch.
2240         This is completely the same as what we do in JSValue::toInteger.
2241
2242         Since DFG recognizes it, DFG can convert ArithTrunc to Identity if the given argument is Int32.
2243         This is useful because almost all the arguments are Int32 in the @toLength -> @toInteger -> @trunc case.
2244         In such cases, we can eliminate the trunc() call.
2245
2246         As a bonus, to speed up Math.trunc operation, we use x86 SSE round and frintz in ARM64 for ArithRound.
2247         In DFG, we emit these instructions. In FTL, we use Patchpoint to emit these instructions to avoid adding a new B3 IR.
2248
2249         * assembler/MacroAssemblerARM64.h:
2250         (JSC::MacroAssemblerARM64::roundTowardZeroDouble):
2251         (JSC::MacroAssemblerARM64::roundTowardZeroFloat):
2252         * assembler/MacroAssemblerARMv7.h:
2253         (JSC::MacroAssemblerARMv7::roundTowardZeroDouble):
2254         * assembler/MacroAssemblerMIPS.h:
2255         (JSC::MacroAssemblerMIPS::roundTowardZeroDouble):
2256         * assembler/MacroAssemblerSH4.h:
2257         (JSC::MacroAssemblerSH4::roundTowardZeroDouble):
2258         * assembler/MacroAssemblerX86Common.h:
2259         (JSC::MacroAssemblerX86Common::roundTowardZeroDouble):
2260         (JSC::MacroAssemblerX86Common::roundTowardZeroFloat):
2261         * builtins/GlobalObject.js:
2262         (toInteger):
2263         * dfg/DFGAbstractInterpreterInlines.h:
2264         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2265         * dfg/DFGByteCodeParser.cpp:
2266         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2267         * dfg/DFGClobberize.h:
2268         (JSC::DFG::clobberize):
2269         * dfg/DFGDoesGC.cpp:
2270         (JSC::DFG::doesGC):
2271         * dfg/DFGFixupPhase.cpp:
2272         (JSC::DFG::FixupPhase::fixupNode):
2273         * dfg/DFGGraph.h:
2274         (JSC::DFG::Graph::roundShouldSpeculateInt32):
2275         * dfg/DFGNode.h:
2276         (JSC::DFG::Node::arithNodeFlags):
2277         (JSC::DFG::Node::hasHeapPrediction):
2278         (JSC::DFG::Node::hasArithRoundingMode):
2279         * dfg/DFGNodeType.h:
2280         * dfg/DFGPredictionPropagationPhase.cpp:
2281         (JSC::DFG::PredictionPropagationPhase::propagate):
2282         * dfg/DFGSafeToExecute.h:
2283         (JSC::DFG::safeToExecute):
2284         * dfg/DFGSpeculativeJIT.cpp:
2285         (JSC::DFG::SpeculativeJIT::compileArithRounding):
2286         * dfg/DFGSpeculativeJIT.h:
2287         * dfg/DFGSpeculativeJIT32_64.cpp:
2288         (JSC::DFG::SpeculativeJIT::compile):
2289         * dfg/DFGSpeculativeJIT64.cpp:
2290         (JSC::DFG::SpeculativeJIT::compile):
2291         * ftl/FTLCapabilities.cpp:
2292         (JSC::FTL::canCompile):
2293         * ftl/FTLLowerDFGToB3.cpp:
2294         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2295         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
2296         * ftl/FTLOutput.cpp:
2297         (JSC::FTL::Output::doubleTrunc):
2298         * ftl/FTLOutput.h:
2299         * jit/ThunkGenerators.cpp:
2300         (JSC::truncThunkGenerator):
2301         * jit/ThunkGenerators.h:
2302         * runtime/CommonIdentifiers.h:
2303         * runtime/Intrinsic.h:
2304         * runtime/JSGlobalObject.cpp:
2305         (JSC::JSGlobalObject::init):
2306         * runtime/MathObject.cpp:
2307         (JSC::MathObject::finishCreation):
2308         * runtime/MathObject.h:
2309         * runtime/VM.cpp:
2310         (JSC::thunkGeneratorForIntrinsic):
2311         * tests/stress/math-rounding-infinity.js:
2312         (testTrunc):
2313         * tests/stress/math-rounding-nan.js:
2314         (testTrunc):
2315         * tests/stress/math-rounding-negative-zero.js:
2316         (testTrunc):
2317         * tests/stress/math-trunc-arith-rounding-mode.js: Added.
2318         (firstCareAboutZeroSecondDoesNot):
2319         (firstDoNotCareAboutZeroSecondDoes):
2320         (warmup):
2321         (verifyNegativeZeroIsPreserved):
2322         * tests/stress/math-trunc-basics.js: Added.
2323         (mathTruncOnIntegers):
2324         (mathTruncOnDoubles):
2325         (mathTruncOnBooleans):
2326         (uselessMathTrunc):
2327         (mathTruncWithOverflow):
2328         (mathTruncConsumedAsDouble):
2329         (mathTruncDoesNotCareAboutMinusZero):
2330         (mathTruncNoArguments):
2331         (mathTruncTooManyArguments):
2332         (testMathTruncOnConstants):
2333         (mathTruncStructTransition):
2334         (Math.trunc):
2335         * tests/stress/math-trunc-should-be-truncate.js: Added.
2336         (mathTrunc):
2337
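The entry above states that rewriting @toInteger on top of @trunc is equivalent to the earlier abs/floor/negate/branch formulation. The following added example, written for this page and not taken from the WebKit builtins, puts both shapes side by side in plain JavaScript and compares them with Object.is on the inputs where rounding rewrites typically diverge (NaN, signed zero, infinities, fractions, non-number inputs). The function names and the sample inputs are constructed for the example.

```javascript
// Added example, not WebKit code: two formulations of ToInteger that the
// ChangeLog entry says are equivalent, checked against each other.

// The older @toInteger shape: abs, floor, negation and a sign branch.
function toIntegerWithFloor(value) {
  const number = Number(value);
  if (Number.isNaN(number)) return 0;
  if (number === 0 || !Number.isFinite(number)) return number;
  return number < 0 ? -Math.floor(-number) : Math.floor(number);
}

// The new shape: a single truncation toward zero, as JSValue::toInteger does.
function toIntegerWithTrunc(value) {
  const number = Number(value);
  if (Number.isNaN(number)) return 0;
  return Math.trunc(number);
}

// Object.is distinguishes -0 from +0, which === would hide; the sign of zero is
// exactly the kind of detail a rewrite of rounding code can get wrong.
function sameResult(value) {
  return Object.is(toIntegerWithFloor(value), toIntegerWithTrunc(value));
}

// Constructed sample inputs covering the edge cases of ToInteger.
const SAMPLE_INPUTS = [
  0, -0, 1.9, -1.9, 0.5, -0.5, NaN, Infinity, -Infinity,
  "7.8", " -3 ", true, null, undefined, 2 ** 53,
];

// True when both formulations agree on every sample input.
function allAgree() {
  return SAMPLE_INPUTS.every(sameResult);
}

console.log("floor-based and trunc-based ToInteger agree:", allAgree());
```

For an input that is already an Int32, Math.trunc is the identity, which is the case the DFG exploits by converting ArithTrunc to Identity.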
2338 2016-04-03  Skachkov Oleksandr  <gskachkov@gmail.com>
2339
2340         [ES6] Class syntax. Access to new.target inside of the eval should not lead to SyntaxError
2341         https://bugs.webkit.org/show_bug.cgi?id=155545
2342
2343         Reviewed by Saam Barati.
2344
2345         The current patch allows invoking new.target inside eval when that eval is executed within a function;
2346         otherwise this leads to a SyntaxError.
2347
2348         * bytecode/EvalCodeCache.h:
2349         (JSC::EvalCodeCache::getSlow):
2350         * bytecode/ExecutableInfo.h:
2351         (JSC::ExecutableInfo::ExecutableInfo):
2352         (JSC::ExecutableInfo::evalContextType):
2353         * bytecode/UnlinkedCodeBlock.cpp:
2354         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2355         * bytecode/UnlinkedCodeBlock.h:
2356         (JSC::UnlinkedCodeBlock::evalContextType):
2357         * bytecode/UnlinkedFunctionExecutable.cpp:
2358         (JSC::generateUnlinkedFunctionCodeBlock):
2359         * debugger/DebuggerCallFrame.cpp:
2360         (JSC::DebuggerCallFrame::evaluate):
2361         * interpreter/Interpreter.cpp:
2362         (JSC::eval):
2363         * parser/Parser.cpp:
2364         (JSC::Parser<LexerType>::Parser):
2365         (JSC::Parser<LexerType>::parseMemberExpression):
2366         * parser/Parser.h:
2367         (JSC::Scope::Scope):
2368         (JSC::Scope::setEvalContextType):
2369         (JSC::Scope::evalContextType):
2370         (JSC::parse):
2371         * runtime/CodeCache.cpp:
2372         (JSC::CodeCache::getGlobalCodeBlock):
2373         (JSC::CodeCache::getProgramCodeBlock):
2374         (JSC::CodeCache::getEvalCodeBlock):
2375         (JSC::CodeCache::getModuleProgramCodeBlock):
2376         * runtime/CodeCache.h:
2377         * runtime/Executable.cpp:
2378         (JSC::ScriptExecutable::ScriptExecutable):
2379         (JSC::EvalExecutable::create):
2380         (JSC::EvalExecutable::EvalExecutable):
2381         (JSC::ProgramExecutable::ProgramExecutable):
2382         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2383         (JSC::FunctionExecutable::FunctionExecutable):
2384         * runtime/Executable.h:
2385         (JSC::ScriptExecutable::evalContextType):
2386         * runtime/JSGlobalObject.cpp:
2387         (JSC::JSGlobalObject::createEvalCodeBlock):
2388         * runtime/JSGlobalObjectFunctions.cpp:
2389         (JSC::globalFuncEval):
2390         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
2391         * tests/stress/new-target.js:
2392
2393 2016-04-02  Commit Queue  <commit-queue@webkit.org>
2394
2395         Unreviewed, rolling out r198976.
2396         https://bugs.webkit.org/show_bug.cgi?id=156140
2397
2398         "Causes js/regress/array-nonarray-polymorhpic-access.html to
2399         crash." (Requested by ddkilzer on #webkit).
2400
2401         Reverted changeset:
2402
2403         "[JSC] Initialize SSA's live values at tail lazily"
2404         https://bugs.webkit.org/show_bug.cgi?id=156126
2405         http://trac.webkit.org/changeset/198976
2406
2407 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
2408
2409         [JSC] Initialize SSA's live values at tail lazily
2410         https://bugs.webkit.org/show_bug.cgi?id=156126
2411
2412         Reviewed by Mark Lam.
2413
2414         Setting up the clean state early looks harmless but it is
2415         actually quite expensive.
2416
2417         The problem is AbstractValue is gigantic, you really want
2418         to minimize how much you touch that memory.
2419
2420         By removing the initialization, most blocks only
2421         get 2 or 3 accesses. Once to setup the value, and a few
2422         queries for merging the current block with the successors.
2423
2424         * dfg/DFGInPlaceAbstractState.cpp:
2425         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2426         (JSC::DFG::setLiveValues): Deleted.
2427         (JSC::DFG::InPlaceAbstractState::initialize): Deleted.
2428
2429 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
2430
2431         [JSC] Add an option to avoid disassembling baseline code for the JSC Profiler
2432         https://bugs.webkit.org/show_bug.cgi?id=156127
2433
2434         Reviewed by Mark Lam.
2435
2436         The profiler runs out of memory on big programs if you dump
2437         the baseline disassembly.
2438
2439         * jit/JIT.cpp:
2440         (JSC::JIT::privateCompile):
2441         * runtime/Options.h:
2442
2443 2016-04-02  Dan Bernstein  <mitz@apple.com>
2444
2445         jsc binary embedded in relocatable JavaScriptCore.framework links against system JavaScriptCore.framework
2446         https://bugs.webkit.org/show_bug.cgi?id=156134
2447         <rdar://problem/25443824>
2448
2449         Reviewed by Mark Lam.
2450
2451         * Configurations/JSC.xcconfig: Define WK_RELOCATABLE_FRAMEWORKS_LDFLAGS when building
2452           relocatable frameworks to include a -dyld_env option setting DYLD_FRAMEWORK_PATH to point
2453           to the directory containing JavaScript.framework, and add
2454           WK_RELOCATABLE_FRAMEWORKS_LDFLAGS to OTHER_LDFLAGS.
2455
2456 2016-04-01  Benjamin Poulain  <bpoulain@apple.com>
2457
2458         [JSC][x86] Add the 3 operands form of floating point subtraction
2459         https://bugs.webkit.org/show_bug.cgi?id=156095
2460
2461         Reviewed by Geoffrey Garen.
2462
2463         Same old, same old. Add the AVX form of subsd and subss.
2464
2465         Unfortunately, we cannot benefit from the 3 register form
2466         in B3 yet because the Air script does not support CPU flags yet.
2467         That can be fixed later.
2468
2469         * assembler/MacroAssemblerX86Common.h:
2470         (JSC::MacroAssemblerX86Common::subDouble):
2471         (JSC::MacroAssemblerX86Common::subFloat):
2472         * assembler/X86Assembler.h:
2473         (JSC::X86Assembler::vsubsd_rr):
2474         (JSC::X86Assembler::subsd_mr):
2475         (JSC::X86Assembler::vsubsd_mr):
2476         (JSC::X86Assembler::vsubss_rr):
2477         (JSC::X86Assembler::subss_mr):
2478         (JSC::X86Assembler::vsubss_mr):
2479         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2480         * b3/air/AirOpcode.opcodes:
2481
2482 2016-04-01  Alberto Garcia  <berto@igalia.com>
2483
2484         [JSC] Missing PATH_MAX definition
2485         https://bugs.webkit.org/show_bug.cgi?id=156102
2486
2487         Reviewed by Yusuke Suzuki.
2488
2489         Not all systems define PATH_MAX, so add a fallback value that is
2490         long enough.
2491
2492         * jsc.cpp:
2493
2494 2016-03-31  Benjamin Poulain  <bpoulain@apple.com>
2495
2496         [JSC] CFA's valuesAtHead should be a list, not a map
2497         https://bugs.webkit.org/show_bug.cgi?id=156087
2498
2499         Reviewed by Mark Lam.
2500
2501         One more step toward moving to the Air-style of liveness analysis:
2502
2503         Make DFG's valuesAtHead a list of Node*-AbstractValue.
2504         This patch alone is already a speedup because our many CFAs
2505         spend an unreasonable amount of time updating at block boundaries.
2506
2507         * dfg/DFGBasicBlock.h:
2508         * dfg/DFGCFAPhase.cpp:
2509         (JSC::DFG::CFAPhase::performBlockCFA):
2510         * dfg/DFGGraph.cpp:
2511         (JSC::DFG::Graph::dump):
2512         * dfg/DFGInPlaceAbstractState.cpp:
2513         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2514         (JSC::DFG::setLiveValues):
2515         (JSC::DFG::InPlaceAbstractState::merge):
2516         * dfg/DFGNode.h:
2517         (JSC::DFG::nodeValuePairComparator):
2518         (JSC::DFG::nodeValuePairListDump):
2519
2520 2016-03-31  Saam barati  <sbarati@apple.com>
2521
2522         Revert rewrite const as var workaround
2523         https://bugs.webkit.org/show_bug.cgi?id=155393
2524
2525         Reviewed by Mark Lam.
2526
2527         * parser/Parser.h:
2528         (JSC::Parser::next):
2529         (JSC::Parser::nextExpectIdentifier):
2530         * runtime/VM.h:
2531         (JSC::VM::setShouldRewriteConstAsVar): Deleted.
2532         (JSC::VM::shouldRewriteConstAsVar): Deleted.
2533
2534 2016-03-31  Saam barati  <sbarati@apple.com>
2535
2536         [ES6] Disallow var assignments in for-in loops
2537         https://bugs.webkit.org/show_bug.cgi?id=155451
2538
2539         Reviewed by Mark Lam.
2540
2541         We're doing this in its own patch instead of the patch for https://bugs.webkit.org/show_bug.cgi?id=155384
2542         because last time we made this change it broke some websites. Let's try making
2543         it again because it's what ES6 mandates. If it still breaks things we will
2544         roll it out.
2545
2546         * parser/Parser.cpp:
2547         (JSC::Parser<LexerType>::parseForStatement):
2548
2549 2016-03-31  Saam barati  <sbarati@apple.com>
2550
2551         parsing arrow function expressions slows down the parser by 8%, let's recoup some loss
2552         https://bugs.webkit.org/show_bug.cgi?id=155988
2553
2554         Reviewed by Benjamin Poulain.
2555
2556         We used to eagerly check if we're parsing an arrow function.
2557         We did this inside parseAssignmentExpression(), and it was
2558         very costly. The reason it was costly is that arrow functions
2559         might start with an identifier. This means anytime we saw an
2560         identifier we would have to do a lookahead, and then most likely
2561         backtrack because more often than not, we wouldn't see "=>"
2562         as the next token.
2563
2564         In this patch I implement a new approach. We just parse
2565         the lhs of an assignment expression eagerly without doing any
2566         lookahead. Retroactively, if we see that we might have started
2567         with an arrow function, and we don't have a valid lhs or the
2568         next token is a "=>", we try to parse as an arrow function.
2569
2570         Here are a few examples motivating why this is valid:
2571
2572         `x => x`
2573         In this example:
2574         - "x" is a valid arrow function starting point.
2575         - "x" also happens to be a valid lhs
2576         - because we see "=>" as the next token, we parse as an arrow function and succeed.
2577
2578         `(x) => x`
2579         In this example:
2580         - "(" is a valid arrow function starting point.
2581         - "(x)" also happens to be a valid lhs
2582         - because we see "=>" as the next token, we parse as an arrow function and succeed.
2583
2584         `({x = 30}) => x;`
2585         In this example:
2586         - "(" is a valid arrow function starting point.
2587         - "({x = 30})" is NOT a valid lhs. Because of this, we try to parse it as an arrow function and succeed.
2588
2589         There is one interesting implementation detail where we might
2590         parse something that is both a valid LHS but happens
2591         to actually be the arrow function parameters. The valid LHS
2592         parsing might declare such variables as "uses" which would cause 
2593         weird capture analysis. This patch also introduces a mechanism
2594         to backtrack on used variable analysis.
2595
2596         This is a 3.5%-4.5% octane code load speedup.
2597
2598         * parser/Lexer.h:
2599         (JSC::Lexer::sawError):
2600         (JSC::Lexer::setSawError):
2601         (JSC::Lexer::getErrorMessage):
2602         (JSC::Lexer::setErrorMessage):
2603         (JSC::Lexer::sourceURL):
2604         (JSC::Lexer::sourceMappingURL):
2605         * parser/Parser.cpp:
2606         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2607         (JSC::Parser<LexerType>::parseAssignmentExpression):
2608         (JSC::Parser<LexerType>::parsePrimaryExpression):
2609         * parser/Parser.h:
2610         (JSC::Scope::Scope):
2611         (JSC::Scope::startSwitch):
2612         (JSC::Scope::declareParameter):
2613         (JSC::Scope::usedVariablesContains):
2614         (JSC::Scope::useVariable):
2615         (JSC::Scope::pushUsedVariableSet):
2616         (JSC::Scope::currentUsedVariablesSize):
2617         (JSC::Scope::revertToPreviousUsedVariables):
2618         (JSC::Scope::setNeedsFullActivation):
2619         (JSC::Scope::needsFullActivation):
2620         (JSC::Scope::isArrowFunctionBoundary):
2621         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
2622         (JSC::Scope::collectFreeVariables):
2623         (JSC::Scope::fillParametersForSourceProviderCache):
2624         (JSC::Scope::restoreFromSourceProviderCache):
2625         (JSC::Scope::setIsModule):
2626
2627 2016-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2628
2629         Fails to build in Linux / PowerPC due to different ucontext_t definition
2630         https://bugs.webkit.org/show_bug.cgi?id=156015
2631
2632         Reviewed by Michael Catanzaro.
2633
        PPC does not have mcontext_t in ucontext_t::uc_mcontext.
        So we take a special path to retrieve mcontext_t on PPC.
2636
2637         * heap/MachineStackMarker.cpp:
2638         (pthreadSignalHandlerSuspendResume):
2639
2640 2016-03-31  Benjamin Poulain  <benjamin@webkit.org>
2641
2642         [JSC][x86] Add the indexed forms of floating point addition and multiplication
2643         https://bugs.webkit.org/show_bug.cgi?id=156058
2644
2645         Reviewed by Geoffrey Garen.
2646
2647         B3 supports lowering [base, index] addresses into
2648         arbitrary instructions but we were not using that feature.
2649
2650         This patch adds the missing support for the lowering
2651         of Add and Mul.
2652
2653         * assembler/MacroAssemblerX86Common.h:
2654         (JSC::MacroAssemblerX86Common::addDouble):
2655         (JSC::MacroAssemblerX86Common::addFloat):
2656         (JSC::MacroAssemblerX86Common::mulDouble):
2657         (JSC::MacroAssemblerX86Common::mulFloat):
2658         * assembler/X86Assembler.h:
2659         (JSC::X86Assembler::addsd_mr):
2660         (JSC::X86Assembler::vaddsd_mr):
2661         (JSC::X86Assembler::addss_mr):
2662         (JSC::X86Assembler::vaddss_mr):
2663         (JSC::X86Assembler::mulsd_mr):
2664         (JSC::X86Assembler::vmulsd_mr):
2665         (JSC::X86Assembler::mulss_mr):
2666         (JSC::X86Assembler::vmulss_mr):
2667         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2668         * b3/B3LowerToAir.cpp:
2669         (JSC::B3::Air::LowerToAir::appendBinOp):
2670         Unlike the Addr form, we never need to transform a Tmp
2671         into an Index for spilling.
2672
2673         Instead of duplicating all the code in MacroAssembler, I can
2674         just have the lowering phase try using addresses for the first
2675         argument when possible.
2676
2677         * b3/air/AirOpcode.opcodes:
2678         * b3/air/testair.cpp:
2679         (JSC::B3::Air::testX86VMULSDBaseNeedsRex):
2680         (JSC::B3::Air::testX86VMULSDIndexNeedsRex):
2681         (JSC::B3::Air::testX86VMULSDBaseIndexNeedRex):
2682         (JSC::B3::Air::run):
2683
2684 2016-03-31  Saam barati  <sbarati@apple.com>
2685
2686         DFG JIT bug in typeof constant folding where the input to typeof is an object or function
2687         https://bugs.webkit.org/show_bug.cgi?id=156034
2688         <rdar://problem/25446785>
2689
2690         Reviewed by Ryosuke Niwa.
2691
2692         AI would constant fold TypeOf to the string "object" if it saw that
2693         its input type didn't expand past the types contained in the set 
2694         "SpecObject - SpecObjectOther". But, SpecObject contains SpecFunction.
2695         And typeof of a function should return "function". This patch fixes
2696         this bug by making sure we constant fold to object iff the type
2697         doesn't expand past the set "SpecObject - SpecObjectOther - SpecFunction".
2698
2699         * dfg/DFGAbstractInterpreterInlines.h:
2700         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2701         * tests/stress/typeof-dfg-function-or-object.js: Added.
2702         (assert):
2703         (foo.else.o):
2704         (foo):
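
The folding rule described in the entry above, as an added example that is not JavaScriptCore code: a toy model of the abstract interpreter's TypeOf constant folding over a type bitset. The SpecXxx bit values and the SpecPlainObject name are constructed for this example (they follow the ChangeLog text, not JSC's real SpeculatedType layout); the buggy and fixed predicates are checked against the runtime typeof of sample values.

```javascript
// Added example, not JavaScriptCore code: a toy model of the DFG abstract
// interpreter's TypeOf constant-folding rule. The SpecXxx bit values are
// constructed for this example; the names follow the ChangeLog entry, not
// JSC's real SpeculatedType layout.
const SpecFunction    = 1 << 0; // callable objects
const SpecObjectOther = 1 << 1; // objects whose typeof is not statically known
const SpecPlainObject = 1 << 2; // ordinary objects, arrays, and similar
const SpecObject      = SpecFunction | SpecObjectOther | SpecPlainObject;
const SpecString      = 1 << 3;
const SpecInt32       = 1 << 4;

// "The type does not expand past set S" means every bit of `type` is in S.
function isSubsetOf(type, set) {
  return (type & ~set) === 0;
}

// Pre-fix rule: fold to "object" whenever the proven type fits inside
// SpecObject - SpecObjectOther. SpecObject includes SpecFunction, so a value
// proven to be a function is folded to "object", which is wrong.
function foldTypeOfBuggy(type) {
  if (type === 0) return null; // nothing proven yet
  if (isSubsetOf(type, SpecObject & ~SpecObjectOther)) return "object";
  if (isSubsetOf(type, SpecString)) return "string";
  if (isSubsetOf(type, SpecInt32)) return "number";
  return null; // not provable; compiled code keeps the runtime typeof
}

// Fixed rule: the "object" set also excludes SpecFunction, and a type that
// is purely SpecFunction folds to "function".
function foldTypeOfFixed(type) {
  if (type === 0) return null;
  if (isSubsetOf(type, SpecObject & ~SpecObjectOther & ~SpecFunction)) return "object";
  if (isSubsetOf(type, SpecFunction)) return "function";
  if (isSubsetOf(type, SpecString)) return "string";
  if (isSubsetOf(type, SpecInt32)) return "number";
  return null;
}

// Oracle check: a fold is only sound if it agrees with the real typeof for
// every value the proven type admits. Returns true when the rule is either
// correct for the sample or conservatively declines to fold.
function foldAgreesWithRuntime(rule, provenType, sampleValue) {
  const folded = rule(provenType);
  return folded === null || folded === typeof sampleValue;
}
```

The point to notice is that the fix does not only add a "function" case: it also shrinks the set that may fold to "object", so a mixed type such as SpecPlainObject | SpecFunction no longer folds at all and the runtime check is kept.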
2705
2706 2016-03-31  Mark Lam  <mark.lam@apple.com>
2707
2708         Gardening: Build and logic fix after r198873.
2709         https://bugs.webkit.org/show_bug.cgi?id=156043
2710
2711         Not reviewed.
2712
2713         * assembler/MacroAssemblerX86Common.h:
2714         (JSC::MacroAssemblerX86Common::addFloat):
2715         - 2 args were meant to be ordered differently in order to call the other addFloat.
2716           Instead, there was an infinite recursion bug.  This is now fixed.
2717
2718 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
2719
2720         [JSC][x86] Add the 3 operands forms of floating point addition and multiplication
2721         https://bugs.webkit.org/show_bug.cgi?id=156043
2722
2723         Reviewed by Geoffrey Garen.
2724
2725         When they are available, VADD and VMUL are better options to lower
2726         floating point addition and multiplication.
2727
2728         In the simple cases when one of the operands is aliased to the destination,
2729         those forms have the same size or 1 byte shorter depending on the registers.
2730
        In the more advanced cases, we gain nice advantages with the new forms:
        - We can get rid of the MoveDouble in front of the instruction when we cannot
          alias.
        - We can disable aliasing entirely in Air. That is useful for latency
          since computing coalescing is not exactly cheap.
2736
2737         * assembler/MacroAssemblerX86Common.cpp:
2738         * assembler/MacroAssemblerX86Common.h:
2739         (JSC::MacroAssemblerX86Common::and32):
2740         (JSC::MacroAssemblerX86Common::mul32):
2741         (JSC::MacroAssemblerX86Common::or32):
2742         (JSC::MacroAssemblerX86Common::xor32):
2743         (JSC::MacroAssemblerX86Common::branchAdd32):
2744         The change in B3LowerToAir exposed a bug in the fake 3 operands
2745         forms of those instructions. If the address is equal to
2746         the destination, we were nuking the address.
2747
2748         For example,
2749             Add32([%r11], %eax, %r11)
2750         would generate:
2751             move %eax, %r11
2752             add32 [%r11], %r11
2753         which crashes.
2754
2755         I updated codegen of those cases to support that case through
2756             load32 [%r11], %r11
2757             add32 %eax, %r11
2758
        The weird case where all arguments have the same registers
        is handled too.
2761
2762         (JSC::MacroAssemblerX86Common::addDouble):
2763         (JSC::MacroAssemblerX86Common::addFloat):
2764         (JSC::MacroAssemblerX86Common::mulDouble):
2765         (JSC::MacroAssemblerX86Common::mulFloat):
2766         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
2767         (JSC::MacroAssemblerX86Common::supportsAVX):
2768         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
2769         * assembler/MacroAssemblerX86_64.h:
2770         (JSC::MacroAssemblerX86_64::branchAdd64):
2771         * assembler/X86Assembler.h:
2772         (JSC::X86Assembler::vaddsd_rr):
2773         (JSC::X86Assembler::vaddsd_mr):
2774         (JSC::X86Assembler::vaddss_rr):
2775         (JSC::X86Assembler::vaddss_mr):
2776         (JSC::X86Assembler::vmulsd_rr):
2777         (JSC::X86Assembler::vmulsd_mr):
2778         (JSC::X86Assembler::vmulss_rr):
2779         (JSC::X86Assembler::vmulss_mr):
2780         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2781         * b3/B3LowerToAir.cpp:
2782         (JSC::B3::Air::LowerToAir::appendBinOp):
2783         Add the 3 operand forms so that we lower Add and Mul
2784         to the best form directly.
2785
2786         I will change how we lower the fake 3 operands instructions
2787         but the codegen should end up the same in most cases.
2788         The new codegen is the load32 + op above.
2789
2790         * b3/air/AirInstInlines.h:
2791         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2792         * b3/air/testair.cpp:
2793         (JSC::B3::Air::testX86VMULSD):
2794         (JSC::B3::Air::testX86VMULSDDestRex):
2795         (JSC::B3::Air::testX86VMULSDOp1DestRex):
2796         (JSC::B3::Air::testX86VMULSDOp2DestRex):
2797         (JSC::B3::Air::testX86VMULSDOpsDestRex):
2798         (JSC::B3::Air::testX86VMULSDAddr):
2799         (JSC::B3::Air::testX86VMULSDAddrOpRexAddr):
2800         (JSC::B3::Air::testX86VMULSDDestRexAddr):
2801         (JSC::B3::Air::testX86VMULSDRegOpDestRexAddr):
2802         (JSC::B3::Air::testX86VMULSDAddrOpDestRexAddr):
2803         Make sure we have some coverage for AVX encoding of instructions.
2804
2805 2016-03-30  Saam Barati  <sbarati@apple.com>
2806
2807         Change some release asserts in CodeBlock linking into debug asserts
2808         https://bugs.webkit.org/show_bug.cgi?id=155500
2809
2810         Reviewed by Filip Pizlo.
2811
2812         * bytecode/CodeBlock.cpp:
2813         (JSC::CodeBlock::finishCreation):
2814
2815 2016-03-30  Joseph Pecoraro  <pecoraro@apple.com>
2816
2817         Remove unused ScriptProfiler.Samples.totalTime
2818         https://bugs.webkit.org/show_bug.cgi?id=156002
2819
2820         Reviewed by Saam Barati.
2821
2822         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2823         (Inspector::buildSamples):
2824         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2825         * inspector/protocol/ScriptProfiler.json:
2826         Remove totalTime.
2827
2828         * runtime/SamplingProfiler.cpp:
2829         (JSC::SamplingProfiler::SamplingProfiler): Deleted.
2830         * runtime/SamplingProfiler.h:
2831         (JSC::SamplingProfiler::totalTime): Deleted.
2832         Remove now unused m_totalTime.
2833
2834 2016-03-30  Michael Saboff  <msaboff@apple.com>
2835
2836         [ES6] Quantified unicode regular expressions do not work for counts greater than 1
2837         https://bugs.webkit.org/show_bug.cgi?id=156044
2838
2839         Reviewed by Mark Lam.
2840
        Fixed incorrect indexing of non-BMP characters in fixed patterns.  The old code
        was indexing by character units, a single JS character, instead of code points,
        which are 2 JS characters.
2844
2845         * yarr/YarrInterpreter.cpp:
2846         (JSC::Yarr::Interpreter::matchDisjunction):
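
The indexing difference behind the bug above, as an added example that is not JSC's Yarr interpreter: a minimal matcher for a fixed pattern repeated `count` times, as a quantified term in a /u regexp would be. The pattern is pre-decoded into code points, and the only difference between the two modes is whether the subject index advances by one UTF-16 unit or by the width of the matched code point. The function names and sample strings are constructed for this example.

```javascript
// Added example, not JSC's Yarr code: a fixed pattern repeated `count` times,
// matched against `subject` starting at `index`. The pattern is an array of
// code points, as a unicode-mode regexp stores non-BMP characters.

function decodeToCodePoints(str) {
  // The string iterator yields whole code points, not UTF-16 units.
  return Array.from(str, ch => ch.codePointAt(0));
}

// Returns the index just past the match, or -1 on failure.
// advanceByCodePoint=false reproduces the old behaviour: the index always
// moves by one UTF-16 unit, so after a non-BMP match it lands on the low
// surrogate and the next comparison fails.
function matchRepeatedFixed(subject, pattern, count, index, advanceByCodePoint) {
  let i = index;
  for (let n = 0; n < count; n++) {
    for (const cp of pattern) {
      if (i >= subject.length || subject.codePointAt(i) !== cp) return -1;
      i += advanceByCodePoint && cp > 0xFFFF ? 2 : 1;
    }
  }
  return i;
}

// Reference result from the engine's own unicode-aware RegExp: a sticky,
// unicode-mode match anchored at `index`. `patternStr` must contain no
// regexp metacharacters.
function referenceMatch(subject, patternStr, count, index) {
  const re = new RegExp("(?:" + patternStr + "){" + count + "}", "uy");
  re.lastIndex = index;
  return re.exec(subject) === null ? -1 : re.lastIndex;
}
```

Running the two modes on a subject of two astral characters shows the failure mode directly: the unit-stepping matcher rejects `{2}` after the first character because it compares the pattern's code point against a lone surrogate, while the code-point-stepping matcher and the engine's RegExp both report the match ending at index 4.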
2847
2848 2016-03-30  Mark Lam  <mark.lam@apple.com>
2849
2850         Make the $vm debugging tools available to builtins as @$vm.
2851         https://bugs.webkit.org/show_bug.cgi?id=156012
2852
2853         Reviewed by Saam Barati.
2854
2855         We also need some debugging tools for builtin development.  The $vm object will
2856         be made available to builtins as @$vm, which gives us, amongst many goodies,
2857         @$vm.print() (which prints the toString() values of its args) and
2858         @$vm.printValue() (which dataLogs its arg as a JSValue).  @$vm will only be
2859         available if we run with JSC_useDollarVM=true.
2860
2861         Also changed @$vm.print() to not automatically insert a space between the
2862         printing of each of its args.  This makes it clearer as to what will be printed
2863         i.e. it will only print what is passed to it.
2864
2865         * builtins/BuiltinNames.h:
2866         (JSC::BuiltinNames::BuiltinNames):
2867         (JSC::BuiltinNames::dollarVMPublicName):
2868         (JSC::BuiltinNames::dollarVMPrivateName):
2869         * runtime/JSGlobalObject.cpp:
2870         (JSC::JSGlobalObject::init):
2871         * tools/JSDollarVMPrototype.cpp:
2872         (JSC::functionPrint):
2873
2874 2016-03-30  Keith Miller  <keith_miller@apple.com>
2875
2876         Unreviewed, buildfix.
2877
2878         * bytecode/BytecodeIntrinsicRegistry.h:
2879
2880 2016-03-30  Keith Miller <keith_miller@apple.com>
2881
2882         Unreviewed, rollout r198808. The patch causes crashes on 32-bit and appears to be a JSBench regression.
2883
2884 2016-03-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2885
2886         [JSC] Implement String.prototype.repeat in builtins JS
2887         https://bugs.webkit.org/show_bug.cgi?id=155974
2888
2889         Reviewed by Darin Adler.
2890
2891         This patch converts C++ String.prototype.repeat implementation into JS builtins.
2892         |this| in strict mode is correctly inferred as String[1]. This fact encourages us
2893         to write PrimitiveTypes.prototype.XXX methods in builtin JS.
2894
2895         LayoutTests/js/string-repeat.html already covers the tests for this change.
2896
        Note: String.prototype.repeat's functionality is similar to Harmony's
        String.prototype.{padStart, padEnd}. It would be nice to port them to builtin JS in
        another patch.
2900
2901         The existing C++ code has the fast path for singleCharacterString repeating.
2902         Since this use is important (e.g. generating N length spaces: ' '.repeat(N)),
2903         we keep this fast path as @repeatCharacter().
2904
2905         The performance results show that, while the performance of the single character fast path
2906         is neutral, other string repeating has significant speed up.
2907         There are two reasons.
2908
2909         1. Not resolving string rope.
2910
        We added several tests postfixed "not-resolving". In those tests, we do not touch the content
        of the generated string. As a result, the generated rope is not resolved.
2913
2914         2. O(log N) intermediate JSRopeStrings.
2915
2916         In the existing C++ implementation, we use JSString::RopeBuilder. We iterate N times and append
2917         the given string to the builder.
2918         In this case, the intermediate rope strings generated in JSString::RopeBuilder is O(N).
2919         In JS builtin implementation, we only iterate log N times. As a result, the number of the
2920         intermediate rope strings becomes O(log N).
2921
2922         [1]: http://trac.webkit.org/changeset/195938
2923
2924         * builtins/StringPrototype.js:
2925         (repeatSlowPath):
2926         (repeat):
2927         * bytecode/BytecodeIntrinsicRegistry.cpp:
2928         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2929         * bytecode/BytecodeIntrinsicRegistry.h:
2930         * runtime/CommonIdentifiers.h:
2931         * runtime/JSGlobalObject.cpp:
2932         (JSC::JSGlobalObject::init):
2933         * runtime/StringPrototype.cpp:
2934         (JSC::stringProtoFuncRepeatCharacter):
2935         (JSC::StringPrototype::finishCreation): Deleted.
2936         (JSC::stringProtoFuncRepeat): Deleted.
2937         * runtime/StringPrototype.h:
2938         * tests/stress/string-repeat-edge-cases.js: Added.
2939         (shouldBe):
2940         (let.object.toString):
2941         (valueOf):
2942         (shouldThrow):
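
The O(log N) strategy the entry above credits for the speedup, as an added example that is not the builtin from JSC's StringPrototype.js: a doubling (square-and-multiply) repeat beside a naive O(N) loop. Both count the concatenations they perform, which stands in for the number of intermediate rope strings an engine like JSC would build before the result is resolved. The function names and the bound helper are constructed for this example.

```javascript
// Added example, not JSC's builtin: String.prototype.repeat two ways, with a
// count of concatenations as a proxy for intermediate rope strings.

function repeatNaive(str, count) {
  let result = "";
  let concatenations = 0;
  for (let i = 0; i < count; i++) {
    result += str;
    concatenations++;
  }
  return { result, concatenations };
}

// Spec-style argument handling (ToInteger, RangeError for negative or
// infinite counts), then square-and-multiply on strings: `operand` doubles
// every round and is appended when the corresponding bit of count is set.
function repeatDoubling(str, count) {
  count = Math.trunc(Number(count)) || 0;
  if (count < 0 || count === Infinity)
    throw new RangeError("String.prototype.repeat argument must be greater than or equal to 0 and not be Infinity");
  let result = "";
  let concatenations = 0;
  if (count === 0 || str.length === 0) return { result, concatenations };
  let operand = str;
  for (;;) {
    if (count % 2 === 1) {
      result += operand;
      concatenations++;
    }
    count = Math.floor(count / 2);
    if (count === 0) break;
    operand += operand;
    concatenations++;
  }
  return { result, concatenations };
}

// Upper bound on the doubling algorithm's concatenations: one per set bit of
// count plus one doubling per round except the last, so at most 2*log2(N)+1.
function doublingConcatenationBound(count) {
  return count === 0 ? 0 : 2 * Math.floor(Math.log2(count)) + 1;
}
```

For a count of 1000 the naive loop performs 1000 concatenations while the doubling version performs 15 (six set bits plus nine doublings), which is where the O(log N) intermediate-rope count in the entry comes from. A real implementation must also reject results longer than the engine's maximum string length; that check is omitted here.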
2943
2944 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
2945
2946         [JSC] Update udis86
2947         https://bugs.webkit.org/show_bug.cgi?id=156005
2948
2949         Reviewed by Geoffrey Garen.
2950
2951         * CMakeLists.txt:
2952         * DerivedSources.make:
2953         * JavaScriptCore.xcodeproj/project.pbxproj:
2954         * disassembler/udis86/differences.txt:
2955         * disassembler/udis86/itab.py: Removed.
2956         * disassembler/udis86/optable.xml:
2957         * disassembler/udis86/ud_itab.py: Added.
2958         * disassembler/udis86/ud_opcode.py:
2959         * disassembler/udis86/ud_optable.py: Removed.
2960         * disassembler/udis86/udis86.c:
2961         * disassembler/udis86/udis86_decode.c:
2962         * disassembler/udis86/udis86_decode.h:
2963         * disassembler/udis86/udis86_extern.h:
2964         * disassembler/udis86/udis86_input.c: Removed.
2965         * disassembler/udis86/udis86_input.h: Removed.
2966         * disassembler/udis86/udis86_syn-att.c:
2967         * disassembler/udis86/udis86_syn.h:
2968         * disassembler/udis86/udis86_types.h:
2969         * disassembler/udis86/udis86_udint.h:
2970
2971 2016-03-30  Benjamin Poulain  <bpoulain@apple.com>
2972
2973         [JSC] Get rid of operationInitGlobalConst(), it is useless
2974         https://bugs.webkit.org/show_bug.cgi?id=156010
2975
2976         Reviewed by Geoffrey Garen.
2977
2978         * jit/JITOperations.cpp:
2979         * jit/JITOperations.h:
2980
2981 2016-03-29  Saam barati  <sbarati@apple.com>
2982
2983         Fix typos in our error messages and remove some trailing periods
2984         https://bugs.webkit.org/show_bug.cgi?id=155985
2985
2986         Reviewed by Mark Lam.
2987
2988         * bytecompiler/BytecodeGenerator.cpp:
2989         (JSC::BytecodeGenerator::BytecodeGenerator):
2990         * runtime/ArrayConstructor.h:
2991         (JSC::isArray):
2992         * runtime/ProxyConstructor.cpp:
2993         (JSC::makeRevocableProxy):
2994         (JSC::proxyRevocableConstructorThrowError):
2995         (JSC::ProxyConstructor::finishCreation):
2996         (JSC::constructProxyObject):
2997         * runtime/ProxyObject.cpp:
2998         (JSC::ProxyObject::finishCreation):
2999         (JSC::performProxyGet):
3000         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3001         (JSC::ProxyObject::performHasProperty):
3002         (JSC::ProxyObject::performPut):
3003         (JSC::performProxyCall):
3004         (JSC::performProxyConstruct):
3005         (JSC::ProxyObject::performDelete):
3006         (JSC::ProxyObject::performPreventExtensions):
3007         (JSC::ProxyObject::performIsExtensible):
3008         (JSC::ProxyObject::performDefineOwnProperty):
3009         (JSC::ProxyObject::performGetOwnPropertyNames):
3010         (JSC::ProxyObject::performSetPrototype):
3011         (JSC::ProxyObject::performGetPrototype):
3012         * runtime/StringPrototype.cpp:
3013         (JSC::stringProtoFuncStartsWith):
3014         (JSC::stringProtoFuncEndsWith):
3015         (JSC::stringProtoFuncIncludes):
3016         * runtime/Structure.cpp:
3017         (JSC::Structure::preventExtensionsTransition):
3018         * tests/stress/proxy-basic.js:
3019         * tests/stress/proxy-construct.js:
3020         (throw.new.Error):
3021         (assert):
3022         * tests/stress/proxy-define-own-property.js:
3023         (assert):
3024         (throw.new.Error):
3025         (i.catch):
3026         (assert.set get catch):
3027         * tests/stress/proxy-delete.js:
3028         (assert):
3029         * tests/stress/proxy-get-own-property.js:
3030         (assert):
3031         (i.catch):
3032         (set get let):
3033         * tests/stress/proxy-get-prototype-of.js:
3034         (assert):
3035         (assert.get let):
3036         (assert.get catch):
3037         * tests/stress/proxy-has-property.js:
3038         (assert):
3039         * tests/stress/proxy-is-array.js:
3040         (test):
3041         * tests/stress/proxy-is-extensible.js:
3042         (assert):
3043         * tests/stress/proxy-json.js:
3044         (assert):
3045         (test):
3046         * tests/stress/proxy-own-keys.js:
3047         (assert):
3048         (i.catch):
3049         * tests/stress/proxy-prevent-extensions.js:
3050         (assert):
3051         * tests/stress/proxy-property-descriptor.js:
3052         * tests/stress/proxy-revoke.js:
3053         (assert):
3054         (throw.new.Error.):
3055         (throw.new.Error):
3056         (shouldThrowNullHandler):
3057         * tests/stress/proxy-set-prototype-of.js:
3058         (assert.set let):
3059         (assert.set catch):
3060         (assert):
3061         (set catch):
3062         * tests/stress/proxy-set.js:
3063         (throw.new.Error.let.handler.set 45):
3064         (throw.new.Error):
3065         * tests/stress/proxy-with-private-symbols.js:
3066         (assert):
3067         * tests/stress/proxy-with-unbalanced-getter-setter.js:
3068         (assert):
3069         * tests/stress/reflect-set-proxy-set.js:
3070         (throw.new.Error.let.handler.set 45):
3071         (throw.new.Error):
3072         * tests/stress/reflect-set-receiver-proxy-set.js:
3073         (let.handler.set 45):
3074         (catch):
3075         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
3076         (test):
3077         (test.get let):
3078
3079 2016-03-29  Keith Miller  <keith_miller@apple.com>
3080
3081         [ES6] Add support for Symbol.isConcatSpreadable.
3082         https://bugs.webkit.org/show_bug.cgi?id=155351
3083
3084         Reviewed by Saam Barati.
3085
        This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
        Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
        a builtin performant. First, four new DFG intrinsics were added.
3089
3090         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
3091            the Array.isArray function.
3092         2) IsJSArray: checks the first child is a JSArray object.
3093         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
3094         4) CallObjectConstructor: an intrinsic of the Object constructor.
3095
3096         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
3097         we are able to prove that the first child is an Array or for ToObject an Object.
3098
        In order to further improve the performance we also now cover more indexing types in our fast path memcpy
3100         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
3101         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
3102         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
3103         into a contiguous array).
3104
3105         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
3106         values onto the result array. This works roughly the same as the two array fast path using the same methodology
3107         to decide if we can memcpy the other butterfly into the result butterfly.
3108
3109         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
3110         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
3111         dataLog function on it.
3112
        Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
        JSValueOperand if the operand's use count is one.
3115
3116         * JavaScriptCore.xcodeproj/project.pbxproj:
3117         * builtins/ArrayPrototype.js:
3118         (concatSlowPath):
3119         (concat):
3120         * bytecode/BytecodeIntrinsicRegistry.cpp:
3121         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3122         * bytecode/BytecodeIntrinsicRegistry.h:
3123         * dfg/DFGAbstractInterpreterInlines.h:
3124         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3125         * dfg/DFGByteCodeParser.cpp:
3126         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3127         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3128         * dfg/DFGClobberize.h:
3129         (JSC::DFG::clobberize):
3130         * dfg/DFGDoesGC.cpp:
3131         (JSC::DFG::doesGC):
3132         * dfg/DFGFixupPhase.cpp:
3133         (JSC::DFG::FixupPhase::fixupNode):
3134         * dfg/DFGNodeType.h:
3135         * dfg/DFGOperations.cpp:
3136         * dfg/DFGOperations.h:
3137         * dfg/DFGPredictionPropagationPhase.cpp:
3138         (JSC::DFG::PredictionPropagationPhase::propagate):
3139         * dfg/DFGSafeToExecute.h:
3140         (JSC::DFG::safeToExecute):
3141         * dfg/DFGSpeculativeJIT.cpp:
3142         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3143         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
3144         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
3145         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
3146         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
3147         * dfg/DFGSpeculativeJIT.h:
3148         (JSC::DFG::SpeculativeJIT::callOperation):
3149         * dfg/DFGSpeculativeJIT32_64.cpp:
3150         (JSC::DFG::SpeculativeJIT::compile):
3151         * dfg/DFGSpeculativeJIT64.cpp:
3152         (JSC::DFG::SpeculativeJIT::compile):
3153         * ftl/FTLCapabilities.cpp:
3154         (JSC::FTL::canCompile):
3155         * ftl/FTLLowerDFGToB3.cpp:
3156         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3157         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
3158         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
3159         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
3160         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
3161         (JSC::FTL::DFG::LowerDFGToB3::isArray):
3162         * jit/JITOperations.h:
3163         * jsc.cpp:
3164         (WTF::RuntimeArray::createStructure):
3165         (GlobalObject::finishCreation):
3166         (functionDebug):
3167         (functionDataLogValue):
3168         * runtime/ArrayConstructor.cpp:
3169         (JSC::ArrayConstructor::finishCreation):
3170         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
3171         * runtime/ArrayConstructor.h:
3172         (JSC::isArrayConstructor):
3173         * runtime/ArrayPrototype.cpp:
3174         (JSC::ArrayPrototype::finishCreation):
3175         (JSC::arrayProtoPrivateFuncIsJSArray):
3176         (JSC::moveElements):
3177         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3178         (JSC::arrayProtoPrivateFuncAppendMemcpy):
3179         (JSC::arrayProtoFuncConcat): Deleted.
3180         * runtime/ArrayPrototype.h:
3181         (JSC::ArrayPrototype::createStructure):
3182         * runtime/CommonIdentifiers.h:
3183         * runtime/Intrinsic.h:
3184         * runtime/JSArray.cpp:
3185         (JSC::JSArray::appendMemcpy):
3186         (JSC::JSArray::fastConcatWith): Deleted.
3187         * runtime/JSArray.h:
3188         (JSC::JSArray::createStructure):
3189         (JSC::JSArray::fastConcatType): Deleted.
3190         * runtime/JSArrayInlines.h: Added.
3191         (JSC::JSArray::memCopyWithIndexingType):
3192         (JSC::JSArray::canFastCopy):
3193         * runtime/JSGlobalObject.cpp:
3194         (JSC::JSGlobalObject::init):
3195         * runtime/JSType.h:
3196         * runtime/ObjectConstructor.h:
3197         (JSC::constructObject):
3198         * tests/es6.yaml:
3199         * tests/stress/array-concat-spread-object.js: Added.
3200         (arrayEq):
3201         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
3202         (arrayEq):
3203         * tests/stress/array-concat-spread-proxy.js: Added.
3204         (arrayEq):
3205         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
3206         (arrayEq):
3207         * tests/stress/array-species-config-array-constructor.js:
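
The semantics the entry above moves into a builtin, as an added example that is not the code from JSC's ArrayPrototype.js: a spec-shaped Array.prototype.concat in plain JS showing where Symbol.isConcatSpreadable is consulted, plus a deliberately simplified model of the conditions a memcpy-style fast path has to verify before it may skip the observable property reads of the slow path. The function names, the guard's exact conditions and the sample inputs are constructed for this example.

```javascript
// Added example, not JSC's builtin: Array.prototype.concat in plain JS with a
// simplified fast-path guard. All inputs below are constructed.

const MAX_SAFE_LENGTH = Number.MAX_SAFE_INTEGER;

function toLength(value) {
  const n = Math.trunc(Number(value)) || 0;
  return Math.min(Math.max(n, 0), MAX_SAFE_LENGTH);
}

// IsConcatSpreadable(O): an explicit @@isConcatSpreadable wins; otherwise
// only real arrays spread. Primitives never do.
function isConcatSpreadable(value) {
  if (value === null || (typeof value !== "object" && typeof value !== "function")) return false;
  const spreadable = value[Symbol.isConcatSpreadable];
  if (spreadable !== undefined) return Boolean(spreadable);
  return Array.isArray(value);
}

// Generic path: element-by-element copy. Holes in a spreadable source stay holes.
function concatSlowPath(receiver, ...items) {
  const result = [];
  let n = 0;
  for (const item of [receiver, ...items]) {
    if (isConcatSpreadable(item)) {
      const len = toLength(item.length);
      for (let k = 0; k < len; k++, n++) {
        if (k in item) result[n] = item[k];
      }
    } else {
      result[n++] = item;
    }
  }
  result.length = n;
  return result;
}

// Simplified fast-path guard (constructed for this example): both operands
// must be ordinary arrays on the default prototype, with no
// @@isConcatSpreadable override visible on them, no holes and no extra own
// enumerable properties. Anything else falls back to the slow path so that
// user-observable reads happen in spec order.
function canUseFastPath(a, b) {
  const plainArray = x =>
    Array.isArray(x) &&
    Object.getPrototypeOf(x) === Array.prototype &&
    x[Symbol.isConcatSpreadable] === undefined &&
    Object.keys(x).length === x.length;
  return plainArray(a) && plainArray(b);
}

function concat(receiver, ...items) {
  if (items.length === 1 && canUseFastPath(receiver, items[0])) {
    return [...receiver, ...items[0]]; // stand-in for copying both butterflies
  }
  return concatSlowPath(receiver, ...items);
}
```

The guard matters for correctness as much as for speed: an array whose @@isConcatSpreadable is set to false must be appended as a single element, and an array-like object with it set to true must be spread, so a fast path that copied storage without consulting the symbol would silently produce the wrong result.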
3208
3209 2016-03-29  Saam barati  <sbarati@apple.com>
3210
3211         We don't properly optimize TDZ checks when we declare a let variable without an initializer
3212         https://bugs.webkit.org/show_bug.cgi?id=150453
3213
3214         Reviewed by Mark Lam.
3215
3216         * bytecompiler/NodesCodegen.cpp:
3217         (JSC::EmptyLetExpression::emitBytecode):
3218
3219 2016-03-29  Saam barati  <sbarati@apple.com>
3220
3221         Allow builtin JS functions to be intrinsics
3222         https://bugs.webkit.org/show_bug.cgi?id=155960
3223
3224         Reviewed by Mark Lam.
3225
3226         Builtin functions can now be recognized as intrinsics inside
3227         the DFG. This gives us the flexibility to either lower a builtin
3228         as an intrinsic in the DFG or as a normal function call.
3229         Because we may decide to not lower it as an intrinsic, the DFG
3230         inliner could still inline the function call.
3231
3232         You can annotate a builtin function like so to make
3233         it be recognized as an intrinsic.
3234         ```
3235         [intrinsic=FooIntrinsic] function foo() { ... }
3236         ```
3237         where FooIntrinsic is an enum value of the Intrinsic enum.
3238
3239         So in the future if we write RegExp.prototype.test as a builtin, we would do:
3240         ``` RegExpPrototype.js
3241         [intrinsic=RegExpTestIntrinsic] function test() { ... }
3242         ```
3243
3244         * Scripts/builtins/builtins_generate_combined_implementation.py:
3245         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3246         * Scripts/builtins/builtins_generate_separate_implementation.py:
3247         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3248         * Scripts/builtins/builtins_generator.py:
3249         (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
3250         * Scripts/builtins/builtins_model.py:
3251         (BuiltinObject.__init__):
3252         (BuiltinFunction):
3253         (BuiltinFunction.__init__):
3254         (BuiltinFunction.fromString):
3255         (BuiltinFunction.__str__):
3256         * Scripts/builtins/builtins_templates.py:
3257         * bytecode/UnlinkedFunctionExecutable.cpp:
3258         (JSC::UnlinkedFunctionExecutable::visitChildren):
3259         (JSC::UnlinkedFunctionExecutable::link):
3260         * bytecode/UnlinkedFunctionExecutable.h:
3261         * dfg/DFGByteCodeParser.cpp:
3262         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3263         * runtime/Executable.cpp:
3264         (JSC::ExecutableBase::clearCode):
3265         (JSC::NativeExecutable::destroy):
3266         (JSC::ScriptExecutable::ScriptExecutable):
3267         (JSC::EvalExecutable::create):
3268         (JSC::EvalExecutable::EvalExecutable):
3269         (JSC::ProgramExecutable::ProgramExecutable):
3270         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
3271         (JSC::FunctionExecutable::FunctionExecutable):
3272         (JSC::ExecutableBase::intrinsic): Deleted.
3273         (JSC::NativeExecutable::intrinsic): Deleted.
3274         * runtime/Executable.h:
3275         (JSC::ExecutableBase::ExecutableBase):
3276         (JSC::ExecutableBase::hasJITCodeFor):
3277         (JSC::ExecutableBase::intrinsic):
3278         (JSC::ExecutableBase::intrinsicFor):
3279         (JSC::ScriptExecutable::finishCreation):
3280         * runtime/Intrinsic.h:
3281
3282 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
3283
3284         JSC::Debugger cleanup after recent changes
3285         https://bugs.webkit.org/show_bug.cgi?id=155982
3286
3287         Reviewed by Mark Lam.
3288
3289         * debugger/Debugger.cpp:
3290         (JSC::Debugger::Debugger):
3291         Initialize with breakpoints disabled. Web Inspector always informs
3292         the backend if it should enable or disable breakpoints on startup.
3293
3294         (JSC::Debugger::setProfilingClient):
3295         When using the Sampling profiler we do not need to recompile.
3296
3297 2016-03-29  Saam barati  <sbarati@apple.com>
3298
3299         "Can not" => "cannot" in String.prototype error messages
3300         https://bugs.webkit.org/show_bug.cgi?id=155895
3301
3302         Reviewed by Mark Lam.
3303
3304         * runtime/StringPrototype.cpp:
3305         (JSC::stringProtoFuncStartsWith):
3306         (JSC::stringProtoFuncEndsWith):
3307         (JSC::stringProtoFuncIncludes):
3308         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
3309         (test):
3310         (test.get let):
3311
3312 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
3313
        Web Inspector: We should have a way to capture heap snapshots programmatically.
3315         https://bugs.webkit.org/show_bug.cgi?id=154407
3316         <rdar://problem/24726292>
3317
3318         Reviewed by Timothy Hatcher.
3319
3320         * inspector/protocol/Console.json:
3321         Add a new Console.heapSnapshot event for when a heap snapshot is taken.
3322
3323         * runtime/ConsolePrototype.cpp:
3324         (JSC::ConsolePrototype::finishCreation):
3325         (JSC::consoleProtoFuncProfile):
3326         (JSC::consoleProtoFuncProfileEnd):
3327         (JSC::consoleProtoFuncTakeHeapSnapshot):
3328         * runtime/ConsoleClient.h:
3329         Add the console.takeHeapSnapshot method and dispatch to the ConsoleClient.
3330
3331         * inspector/JSGlobalObjectConsoleClient.cpp:
3332         (Inspector::JSGlobalObjectConsoleClient::takeHeapSnapshot):
3333         * inspector/JSGlobalObjectConsoleClient.h:
3334         Have the InspectorConsoleAgent handle this.
3335
3336         * inspector/JSGlobalObjectInspectorController.cpp:
3337         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3338         * inspector/agents/InspectorConsoleAgent.cpp:
3339         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
3340         (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
3341         * inspector/agents/InspectorConsoleAgent.h:
3342         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
3343         (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
3344         * inspector/agents/JSGlobalObjectConsoleAgent.h: