02759bf6daebcf59411c19719bdd9b3a27ca3785
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-04-08  Brian Burg  <bburg@apple.com>
2
3         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
4         https://bugs.webkit.org/show_bug.cgi?id=156407
5         <rdar://problem/25627659>
6
7         Reviewed by Timothy Hatcher.
8
9         There's no point having these subclasses as they don't save any space.
10         Add m_stringValue to the union and merge some implementations of writeJSON.
11         Move uses of the subclass to InspectorValue and delete redundant methods.
12         Now, most InspectorValue methods are non-virtual so they can be templated.
13
14         * bindings/ScriptValue.cpp:
15         (Deprecated::jsToInspectorValue):
16         * inspector/InjectedScriptBase.cpp:
17         (Inspector::InjectedScriptBase::makeCall):
18         Don't use deleted subclasses.
19
20         * inspector/InspectorValues.cpp:
21         (Inspector::InspectorValue::null):
22         (Inspector::InspectorValue::create):
23         (Inspector::InspectorValue::asValue):
24         (Inspector::InspectorValue::asBoolean):
25         (Inspector::InspectorValue::asDouble):
26         (Inspector::InspectorValue::asInteger):
27         (Inspector::InspectorValue::asString):
28         These only need one implementation now.
29
30         (Inspector::InspectorValue::writeJSON):
31         Still a virtual method since Object and Array need their members.
32
33         (Inspector::InspectorObjectBase::InspectorObjectBase):
34         (Inspector::InspectorBasicValue::asBoolean): Deleted.
35         (Inspector::InspectorBasicValue::asDouble): Deleted.
36         (Inspector::InspectorBasicValue::asInteger): Deleted.
37         (Inspector::InspectorBasicValue::writeJSON): Deleted.
38         (Inspector::InspectorString::asString): Deleted.
39         (Inspector::InspectorString::writeJSON): Deleted.
40         (Inspector::InspectorString::create): Deleted.
41         (Inspector::InspectorBasicValue::create): Deleted.
42
43         * inspector/InspectorValues.h:
44         (Inspector::InspectorObjectBase::setBoolean):
45         (Inspector::InspectorObjectBase::setInteger):
46         (Inspector::InspectorObjectBase::setDouble):
47         (Inspector::InspectorObjectBase::setString):
48         (Inspector::InspectorArrayBase::pushBoolean):
49         (Inspector::InspectorArrayBase::pushInteger):
50         (Inspector::InspectorArrayBase::pushDouble):
51         (Inspector::InspectorArrayBase::pushString):
52         Use new factory methods.
53
54         * replay/EncodedValue.cpp:
55         (JSC::ScalarEncodingTraits<bool>::encodeValue):
56         (JSC::ScalarEncodingTraits<double>::encodeValue):
57         (JSC::ScalarEncodingTraits<float>::encodeValue):
58         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
59         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
60         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
61         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
62         * replay/EncodedValue.h:
63         Use new factory methods.
64
65 2016-04-08  Filip Pizlo  <fpizlo@apple.com>
66
67         Add IC support for arguments.length
68         https://bugs.webkit.org/show_bug.cgi?id=156389
69
70         Reviewed by Geoffrey Garen.
71         
72         This adds support for caching accesses to arguments.length for both DirectArguments and
73         ScopedArguments. In strict mode, we already cached these accesses since they were just
74         normal properties.
75
76         Amazingly, we also already supported caching of overridden arguments.length in both
77         DirectArguments and ScopedArguments. This is because when you override, the property gets
78         materialized as a normal JS property and the structure is changed.
79         
80         This patch painstakingly preserves our previous caching of overridden length while
81         introducing caching of non-overridden length (i.e. the common case). In fact, we even cache
82         the case where it could either be overridden or not, since we just end up with an AccessCase
83         for each and they cascade to each other.
84
85         This is a >3x speed-up on microbenchmarks that do arguments.length in a polymorphic context.
86         Entirely monomorphic accesses were already handled by the DFG.
87
88         * bytecode/PolymorphicAccess.cpp:
89         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
90         (JSC::AccessCase::guardedByStructureCheck):
91         (JSC::AccessCase::generateWithGuard):
92         (JSC::AccessCase::generate):
93         (WTF::printInternal):
94         * bytecode/PolymorphicAccess.h:
95         * jit/ICStats.h:
96         * jit/JITOperations.cpp:
97         * jit/Repatch.cpp:
98         (JSC::tryCacheGetByID):
99         (JSC::tryCachePutByID):
100         (JSC::tryRepatchIn):
101         * tests/stress/direct-arguments-override-length-then-access-normal-length.js: Added.
102         (args):
103         (foo):
104         (result.foo):
105
106 2016-04-08  Benjamin Poulain  <bpoulain@apple.com>
107
108         UInt32ToNumber should have an Int52 path
109         https://bugs.webkit.org/show_bug.cgi?id=125704
110
111         Reviewed by Filip Pizlo.
112
113         When dealing with big numbers, fall back to Int52 instead
114         of double when possible.
115
116         * dfg/DFGAbstractInterpreterInlines.h:
117         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
118         * dfg/DFGFixupPhase.cpp:
119         (JSC::DFG::FixupPhase::fixupNode):
120         * dfg/DFGPredictionPropagationPhase.cpp:
121         (JSC::DFG::PredictionPropagationPhase::propagate):
122         * dfg/DFGSpeculativeJIT.cpp:
123         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
124         * ftl/FTLLowerDFGToB3.cpp:
125         (JSC::FTL::DFG::LowerDFGToB3::compileUInt32ToNumber):
126
127 2016-04-08  Brian Burg  <bburg@apple.com>
128
129         Web Inspector: protocol generator should emit an error when 'type' is used instead of '$ref'
130         https://bugs.webkit.org/show_bug.cgi?id=156275
131         <rdar://problem/25569331>
132
133         Reviewed by Darin Adler.
134
135         * inspector/protocol/Heap.json: Fix a mistake that's now caught by the protocol generator.
136
137         * inspector/scripts/codegen/models.py:
138         (TypeReference.__init__): Check here if type_kind is on a whitelist of primitive types.
139         (TypeReference.referenced_name): Update comment.
140
141         Add a new test specifically for the case when the type would otherwise be resolved. Rebaseline.
142
143         * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Added.
144         * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error:
145         * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Added.
146
147 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
148
149         Remove ENABLE(ENABLE_ES6_CLASS_SYNTAX) guards
150         https://bugs.webkit.org/show_bug.cgi?id=156384
151
152         Reviewed by Ryosuke Niwa.
153
154         * Configurations/FeatureDefines.xcconfig:
155         * features.json: Mark as Done.
156         * parser/Parser.cpp:
157         (JSC::Parser<LexerType>::parseExportDeclaration):
158         (JSC::Parser<LexerType>::parseStatementListItem):
159         (JSC::Parser<LexerType>::parsePrimaryExpression):
160         (JSC::Parser<LexerType>::parseMemberExpression):
161
162 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
163
164         Implementing caching transition puts that need to reallocate with indexing storage
165         https://bugs.webkit.org/show_bug.cgi?id=130914
166
167         Reviewed by Saam Barati.
168
169         This enables the IC's put_by_id path to handle reallocating the out-of-line storage even if
170         the butterfly has indexing storage. Like the DFG, we do this by calling operations that
171         reallocate the butterfly. Those use JSObject API and do all of the nasty work for us, like
172         triggering a barrier.
173
174         This does a bunch of refactoring to how PolymorphicAccess makes calls. It's a lot easier to
175         do it now because the hard work is hidden under AccessGenerationState methods. This means
176         that custom accessors now share logic with put_by_id transitions.
177
178         * bytecode/PolymorphicAccess.cpp:
179         (JSC::AccessGenerationState::succeed):
180         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
181         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
182         (JSC::AccessGenerationState::originalCallSiteIndex):
183         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
184         (JSC::AccessCase::AccessCase):
185         (JSC::AccessCase::transition):
186         (JSC::AccessCase::generate):
187         (JSC::PolymorphicAccess::regenerate):
188         * bytecode/PolymorphicAccess.h:
189         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
190         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
191         * dfg/DFGOperations.cpp:
192         * dfg/DFGOperations.h:
193         * jit/JITOperations.cpp:
194         * jit/JITOperations.h:
195
196 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
197
198         Remote Inspector: When disallowing remote inspection on a debuggable, a listing is still sent to debuggers
199         https://bugs.webkit.org/show_bug.cgi?id=156380
200         <rdar://problem/25323727>
201
202         Reviewed by Timothy Hatcher.
203
204         * inspector/remote/RemoteInspector.mm:
205         (Inspector::RemoteInspector::updateTarget):
206         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
207         When a target has been updated and it no longer generates a listing,
208         we should remove the old listing as that is now stale and should
209         not be sent. Not generating a listing means this target is no
210         longer allowed to be debugged.
211
212 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
213
214         Web Inspector: Not necessary to validate webinspectord connection on iOS
215         https://bugs.webkit.org/show_bug.cgi?id=156377
216         <rdar://problem/25612460>
217
218         Reviewed by Simon Fraser.
219
220         * inspector/remote/RemoteInspectorXPCConnection.h:
221         * inspector/remote/RemoteInspectorXPCConnection.mm:
222         (Inspector::RemoteInspectorXPCConnection::handleEvent):
223
224 2016-04-07  Keith Miller  <keith_miller@apple.com>
225
226         Rename ArrayMode::supportsLength to supportsSelfLength
227         https://bugs.webkit.org/show_bug.cgi?id=156374
228
229         Reviewed by Filip Pizlo.
230
231         The name supportsLength is confusing because TypedArrays have a
232         length function; however, it is on the prototype and not on the
233         instance. supportsSelfLength makes more sense since we use the
234         function during fixup to tell if we can intrinsic the length
235         property lookup on self accesses.
236
237         * dfg/DFGArrayMode.h:
238         (JSC::DFG::ArrayMode::supportsSelfLength):
239         (JSC::DFG::ArrayMode::supportsLength): Deleted.
240         * dfg/DFGFixupPhase.cpp:
241         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
242
243 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
244
245         Web Inspector: ProfileView source links are off by 1 line, worse in pretty printed code
246         https://bugs.webkit.org/show_bug.cgi?id=156371
247
248         Reviewed by Timothy Hatcher.
249
250         * inspector/protocol/ScriptProfiler.json:
251         Clarify that these locations are 1-based.
252
253 2016-04-07  Jon Davis  <jond@apple.com>
254
255         Add Web Animations API to Feature Status Page
256         https://bugs.webkit.org/show_bug.cgi?id=156360
257
258         Reviewed by Timothy Hatcher.
259
260         * features.json:
261
262 2016-04-07  Saam barati  <sbarati@apple.com>
263
264         Invalid assertion inside DebuggerScope::getOwnPropertySlot
265         https://bugs.webkit.org/show_bug.cgi?id=156357
266
267         Reviewed by Keith Miller.
268
269         The Type Profiler might profile JS code that uses DebuggerScope and accesses properties
270         on it. Therefore, it may have a DebuggerScope object in its log. Objects in the log
271         are subject to having their getOwnPropertySlot method called. Therefore, the DebuggerScope
272         might not always be in a valid state when its getOwnPropertySlot method is called.
273         Therefore, the assertion is invalid.
274
275         * debugger/DebuggerScope.cpp:
276         (JSC::DebuggerScope::getOwnPropertySlot):
277
278 2016-04-07  Saam barati  <sbarati@apple.com>
279
280         Initial implementation of annex b.3.3 behavior was incorrect
281         https://bugs.webkit.org/show_bug.cgi?id=156276
282
283         Reviewed by Keith Miller.
284
285         I almost got annex B.3.3 correct in my first implementation.
286         There is a subtlety here I got wrong. We always create a local binding for
287         a function at the very beginning of execution of a block scope. So we
288         hoist function declarations to their local binding within a given
289         block scope. When we actually evaluate the function declaration statement
290         itself, we must lookup the binding in the current scope, and bind the
291         value to the binding in the "var" scope. We perform the following
292         abstract operations when executing a function declaration statement.
293
294         f = lookupBindingInCurrentScope("func")
295         store(varScope, "func", f)
296
297         I got this wrong by performing the store to the var binding at the beginning
298         of the block scope instead of when we evaluate the function declaration statement.
299         This behavior is observable. For example, a program could change the value
300         of "func" before the actual function declaration statement executes.
301         Consider the following two functions:
302         ```
303         function foo1() {
304             // func === undefined
305             {
306                 // typeof func === "function"
307                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
308                 func = 20 // This sets the local "func" binding to 20.
309             }
310             // typeof func === "function"
311         }
312
313         function foo2() {
314             // func === undefined
315             {
316                 // typeof func === "function"
317                 func = 20 // This sets the local "func" binding to 20.
318                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
319             }
320             // func === 20
321         }
322         ```
323
324         * bytecompiler/BytecodeGenerator.cpp:
325         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
326         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
327         * bytecompiler/BytecodeGenerator.h:
328         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
329         * bytecompiler/NodesCodegen.cpp:
330         (JSC::FuncDeclNode::emitBytecode):
331         * tests/stress/sloppy-mode-function-hoisting.js:
332         (test.foo):
333         (test):
334         (test.):
335         (test.bar):
336         (test.switch.case.0):
337         (test.capFoo1):
338         (test.switch.capFoo2):
339         (test.outer):
340         (foo):
341
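The observable difference described in the entry above, as an added example that is not part of the WebKit change: the two functions from the description, instrumented so that each records what `func` is at every point. Annex B.3.3 only applies to sloppy-mode code, so both bodies are compiled with `new Function` (whose body is sloppy unless it opts in) and the result does not depend on whether this file is loaded as a script or as a module. The function names `annexBHoistingResults` and `annexBHoistingIsCorrect` are this example's own.

```javascript
// Added example, not code from the WebKit change: the two functions from the
// entry above, instrumented so each records "typeof func" at each point.
// Annex B.3.3 applies only to sloppy-mode code, so both are compiled with
// new Function (whose body is sloppy unless it opts in); that keeps the
// result the same whether this file is loaded as a script or as a module.

const foo1Source = `
  var seen = [];
  seen.push(typeof func);      // "undefined": the var binding exists but is unset
  {
    seen.push(typeof func);    // "function": the block binding is initialised on block entry
    function func() {}         // evaluating the declaration copies the block binding to the var binding
    func = 20;                 // rebinds only the block binding
    seen.push(typeof func);    // "number"
  }
  seen.push(typeof func);      // "function": the copy happened before func = 20
  return seen;
`;

const foo2Source = `
  var seen = [];
  seen.push(typeof func);      // "undefined"
  {
    seen.push(typeof func);    // "function"
    func = 20;                 // the block binding is now 20
    function func() {}         // copies the current block binding (20) to the var binding
    seen.push(typeof func);    // "number"
  }
  seen.push(typeof func);      // "number": the var binding received 20, not the function
  return seen;
`;

// Run both functions and return the recorded typeof sequences.
function annexBHoistingResults() {
  return {
    foo1: new Function(foo1Source)(),
    foo2: new Function(foo2Source)(),
  };
}

// The sequences a spec-conforming engine must produce. The bug described in
// the entry (storing to the var binding at block entry instead of when the
// declaration statement executes) would make foo2 end with "function".
function annexBHoistingIsCorrect() {
  const { foo1, foo2 } = annexBHoistingResults();
  return (
    foo1.join() === "undefined,function,number,function" &&
    foo2.join() === "undefined,function,number,number"
  );
}

console.log(annexBHoistingResults());
```

Running the block prints the two sequences; `foo1` ends with `"function"` because the var binding was written before `func = 20` touched the block binding, while `foo2` ends with `"number"` because the declaration statement copied the already-reassigned block binding.
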
342 2016-04-07  Alex Christensen  <achristensen@webkit.org>
343
344         Build fix after r199170
345
346         * CMakeLists.txt:
347
348 2016-04-07  Keith Miller  <keith_miller@apple.com>
349
350         We should support the ability to do a non-effectful getById
351         https://bugs.webkit.org/show_bug.cgi?id=156116
352
353         Reviewed by Benjamin Poulain.
354
355         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
356         useful because it enables us to take different code paths based on values that we would
357         otherwise not be able to have knowledge of. This patch adds this new feature called
358         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
359         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
360         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
361         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
362         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
363         the global object that indicates we could not get the result.
364
365         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
366         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
367         get_by_id the same way we would for load and return the value at the appropriate offset.
368         Additionally, in order to make sure that we can properly compare the GetterSetter object
369         with ===, GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
370         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
371         likely to have little to no impact on memory usage as normal accessors are generally rare.
372
373         * JavaScriptCore.xcodeproj/project.pbxproj:
374         * builtins/BuiltinExecutableCreator.cpp: Added.
375         (JSC::createBuiltinExecutable):
376         * builtins/BuiltinExecutableCreator.h: Copied from Source/JavaScriptCore/builtins/BuiltinExecutables.h.
377         * builtins/BuiltinExecutables.cpp:
378         (JSC::BuiltinExecutables::createDefaultConstructor):
379         (JSC::BuiltinExecutables::createBuiltinExecutable):
380         (JSC::createBuiltinExecutable):
381         (JSC::BuiltinExecutables::createExecutable):
382         (JSC::createExecutableInternal): Deleted.
383         * builtins/BuiltinExecutables.h:
384         * bytecode/BytecodeIntrinsicRegistry.h:
385         * bytecode/BytecodeList.json:
386         * bytecode/BytecodeUseDef.h:
387         (JSC::computeUsesForBytecodeOffset):
388         (JSC::computeDefsForBytecodeOffset):
389         * bytecode/CodeBlock.cpp:
390         (JSC::CodeBlock::dumpBytecode):
391         * bytecode/PolymorphicAccess.cpp:
392         (JSC::AccessCase::tryGet):
393         (JSC::AccessCase::generate):
394         (WTF::printInternal):
395         * bytecode/PolymorphicAccess.h:
396         (JSC::AccessCase::isGet): Deleted.
397         (JSC::AccessCase::isPut): Deleted.
398         (JSC::AccessCase::isIn): Deleted.
399         * bytecode/StructureStubInfo.cpp:
400         (JSC::StructureStubInfo::reset):
401         * bytecode/StructureStubInfo.h:
402         * bytecompiler/BytecodeGenerator.cpp:
403         (JSC::BytecodeGenerator::emitTryGetById):
404         * bytecompiler/BytecodeGenerator.h:
405         * bytecompiler/NodesCodegen.cpp:
406         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
407         * dfg/DFGSpeculativeJIT32_64.cpp:
408         (JSC::DFG::SpeculativeJIT::cachedGetById):
409         * dfg/DFGSpeculativeJIT64.cpp:
410         (JSC::DFG::SpeculativeJIT::cachedGetById):
411         * ftl/FTLLowerDFGToB3.cpp:
412         (JSC::FTL::DFG::LowerDFGToB3::getById):
413         * jit/JIT.cpp:
414         (JSC::JIT::privateCompileMainPass):
415         (JSC::JIT::privateCompileSlowCases):
416         * jit/JIT.h:
417         * jit/JITInlineCacheGenerator.cpp:
418         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
419         * jit/JITInlineCacheGenerator.h:
420         * jit/JITInlines.h:
421         (JSC::JIT::callOperation):
422         * jit/JITOperations.cpp:
423         * jit/JITOperations.h:
424         * jit/JITPropertyAccess.cpp:
425         (JSC::JIT::emitGetByValWithCachedId):
426         (JSC::JIT::emit_op_try_get_by_id):
427         (JSC::JIT::emitSlow_op_try_get_by_id):
428         (JSC::JIT::emit_op_get_by_id):
429         * jit/JITPropertyAccess32_64.cpp:
430         (JSC::JIT::emitGetByValWithCachedId):
431         (JSC::JIT::emit_op_try_get_by_id):
432         (JSC::JIT::emitSlow_op_try_get_by_id):
433         (JSC::JIT::emit_op_get_by_id):
434         * jit/Repatch.cpp:
435         (JSC::repatchByIdSelfAccess):
436         (JSC::appropriateOptimizingGetByIdFunction):
437         (JSC::appropriateGenericGetByIdFunction):
438         (JSC::tryCacheGetByID):
439         (JSC::repatchGetByID):
440         (JSC::resetGetByID):
441         * jit/Repatch.h:
442         * jsc.cpp:
443         (GlobalObject::finishCreation):
444         (functionGetGetterSetter):
445         (functionCreateBuiltin):
446         * llint/LLIntData.cpp:
447         (JSC::LLInt::Data::performAssertions):
448         * llint/LLIntSlowPaths.cpp:
449         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
450         * llint/LLIntSlowPaths.h:
451         * llint/LowLevelInterpreter.asm:
452         * runtime/GetterSetter.cpp:
453         * runtime/GetterSetter.h:
454         * runtime/JSType.h:
455         * runtime/PropertySlot.cpp:
456         (JSC::PropertySlot::getPureResult):
457         * runtime/PropertySlot.h:
458         * runtime/ProxyObject.cpp:
459         (JSC::ProxyObject::getOwnPropertySlotCommon):
460         * tests/stress/try-get-by-id.js: Added.
461         (tryGetByIdText):
462         (getCaller.obj.1.throw.new.Error.let.func):
463         (getCaller.obj.1.throw.new.Error):
464         (throw.new.Error.get let):
465         (throw.new.Error.):
466         (throw.new.Error.let.get createBuiltin):
467         (get let):
468         (let.get createBuiltin):
469         (let.func):
470         (get let.func):
471         (get throw):
472
473 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
474
475         Rationalize the makeSpaceForCCall stuff
476         https://bugs.webkit.org/show_bug.cgi?id=156352
477
478         Reviewed by Mark Lam.
479
480         I want to add more code to PolymorphicAccess that makes C calls, so that I can finally fix
481         https://bugs.webkit.org/show_bug.cgi?id=130914 (allow transition caches to handle indexing
482         headers).
483
484         When trying to understand what it takes to make a C call, I came across code that was making
485         room on the stack for spilled arguments. This logic was guarded with some complicated
486         condition. At first, I tried to just refactor the code so that the same ugly condition
487         wouldn't have to be copy-pasted everywhere that we made C calls. But then I started thinking
488         about the condition, and realized that it was probably wrong: if the outer PolymorphicAccess
489         harness decides to reuse a register for the scratchGPR then the top of the stack will store
490         the old value of scratchGPR, but the condition wouldn't necessarily trigger. So if the call
491         then overwrote something on the stack, we'd have a bad time.
492
493         Making room on the stack for a call is a cheap operation. It's orders of magnitude cheaper
494         than the rest of the call. Therefore, I think that it's best to just unconditionally make
495         room on the stack.
496
497         This patch makes us do just that. I also made the relevant helpers not inline, because I
498         think that we have too many inline methods in our assemblers. Now it's much easier to make
499         C calls from PolymorphicAccess because you just call the AssemblyHelper methods for making
500         space. There are no special conditions or anything like that.
501
502         * bytecode/PolymorphicAccess.cpp:
503         (JSC::AccessCase::generate):
504         * jit/AssemblyHelpers.cpp:
505         (JSC::AssemblyHelpers::emitLoadStructure):
506         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
507         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
508         (JSC::emitRandomThunkImpl):
509         * jit/AssemblyHelpers.h:
510         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall): Deleted.
511         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall): Deleted.
512
513 2016-04-07  Commit Queue  <commit-queue@webkit.org>
514
515         Unreviewed, rolling out r199128 and r199141.
516         https://bugs.webkit.org/show_bug.cgi?id=156348
517
518         Causes crashes on multiple webpages (Requested by keith_mi_ on
519         #webkit).
520
521         Reverted changesets:
522
523         "[ES6] Add support for Symbol.isConcatSpreadable."
524         https://bugs.webkit.org/show_bug.cgi?id=155351
525         http://trac.webkit.org/changeset/199128
526
527         "Unreviewed, uncomment accidentally commented line in test."
528         http://trac.webkit.org/changeset/199141
529
530 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
531
532         Rationalize the handling of PutById transitions a bit
533         https://bugs.webkit.org/show_bug.cgi?id=156330
534
535         Reviewed by Mark Lam.
536
537         * bytecode/PolymorphicAccess.cpp:
538         (JSC::AccessCase::generate): Get rid of the specialized slow calls. We can just use the failAndIgnore jump target. We just need to make sure that we don't make observable effects until we're done with all of the fast path checks.
539         * bytecode/StructureStubInfo.cpp:
540         (JSC::StructureStubInfo::addAccessCase): MadeNoChanges indicates that we should keep trying to repatch. Currently PutById transitions might trigger the case that addAccessCase() sees null, if the transition involves an indexing header. Doing repatching in that case is probably not good. But, we should just fix this the right way eventually.
541
542 2016-04-07  Per Arne Vollan  <peavo@outlook.com>
543
544         [Win] Fix for JSC stress test failures.
545         https://bugs.webkit.org/show_bug.cgi?id=156343
546
547         Reviewed by Filip Pizlo.
548
549         We need to make it clear to MSVC that the method loadPtr(ImplicitAddress address, RegisterID dest)
550         should be used, and not loadPtr(const void* address, RegisterID dest).
551
552         * jit/CCallHelpers.cpp:
553         (JSC::CCallHelpers::setupShadowChickenPacket):
554
555 2016-04-06  Benjamin Poulain  <bpoulain@apple.com>
556
557         [JSC] UInt32ToNumber should be NodeMustGenerate
558         https://bugs.webkit.org/show_bug.cgi?id=156329
559
560         Reviewed by Filip Pizlo.
561
562         It exits on negative numbers on the integer path.
563
564         * dfg/DFGFixupPhase.cpp:
565         (JSC::DFG::FixupPhase::fixupNode):
566         * dfg/DFGNodeType.h:
567
568 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
569
570         Unreviewed, rolling out r199016.
571         https://bugs.webkit.org/show_bug.cgi?id=156140
572
573         "Perf bots are down, so I can't re-land this right now."
574
575         Reverted changeset:
576
577         CopiedBlock should be 16kB
578         https://bugs.webkit.org/show_bug.cgi?id=156168
579         http://trac.webkit.org/changeset/199016
580
581 2016-04-06  Mark Lam  <mark.lam@apple.com>
582
583         String.prototype.match() should be calling internal function RegExpCreate.
584         https://bugs.webkit.org/show_bug.cgi?id=156318
585
586         Reviewed by Filip Pizlo.
587
588         RegExpCreate is not the same as the RegExp constructor.  The current implementation
589         invokes new @RegExp which calls the constructor.  This results in failures in
590         es6/Proxy_internal_get_calls_String.prototype.match.js, and
591         es6/Proxy_internal_get_calls_String.prototype.search.js due to observable side
592         effects.
593
594         This patch fixes this by factoring out the part of the RegExp constructor that
595         makes the RegExpCreate function, and changing String's match and search to call
596         RegExpCreate instead in accordance with the ES6 spec. 
597
598         * builtins/StringPrototype.js:
599         (match):
600         (search):
601         * runtime/CommonIdentifiers.h:
602         * runtime/JSGlobalObject.cpp:
603         (JSC::JSGlobalObject::init):
604         * runtime/RegExpConstructor.cpp:
605         (JSC::toFlags):
606         (JSC::regExpCreate):
607         (JSC::constructRegExp):
608         (JSC::esSpecRegExpCreate):
609         (JSC::constructWithRegExpConstructor):
610         * runtime/RegExpConstructor.h:
611         (JSC::isRegExp):
612
613 2016-04-06  Keith Miller  <keith_miller@apple.com>
614
615         Unreviewed, uncomment accidentally commented line in test.
616
617         * tests/stress/array-concat-spread-object.js:
618
619 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
620
621         JSC should have a simple way of gathering IC statistics
622         https://bugs.webkit.org/show_bug.cgi?id=156317
623
624         Reviewed by Benjamin Poulain.
625
626         This adds a cheap, runtime-enabled way of gathering statistics about why we take the slow
627         paths for inline caches. This is complementary to our existing bytecode profiler. Eventually
628         we may want to combine the two things.
629         
630         This is not a slow-down on anything because we only do extra work on IC slow paths and if
631         it's disabled it's just a load-and-branch to skip the stats gathering code.
632
633         * CMakeLists.txt:
634         * JavaScriptCore.xcodeproj/project.pbxproj:
635         * jit/ICStats.cpp: Added.
636         * jit/ICStats.h: Added.
637         * jit/JITOperations.cpp:
638         * runtime/JSCJSValue.h:
639         * runtime/JSCJSValueInlines.h:
640         (JSC::JSValue::inherits):
641         (JSC::JSValue::classInfoOrNull):
642         (JSC::JSValue::toThis):
643         * runtime/Options.h:
644
645 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
646
647         32-bit JSC stress/multi-put-by-offset-multiple-transitions.js failing
648         https://bugs.webkit.org/show_bug.cgi?id=156292
649
650         Reviewed by Benjamin Poulain.
651
652         Make sure that we stash the callsite index before calling operationReallocateStorageAndFinishPut.
653
654         * bytecode/PolymorphicAccess.cpp:
655         (JSC::AccessCase::generate):
656
657 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
658
659         JSC test stress/arrowfunction-lexical-bind-superproperty.js failing
660         https://bugs.webkit.org/show_bug.cgi?id=156309
661
662         Reviewed by Saam Barati.
663
664         Just be honest about the fact that the ArgumentCount and Callee parts of inline callframe runtime
665         meta-data can be read at any time.
666         
667         We only have to say this for the inline callframe forms of ArgumentCount and Callee because we don't
668         sink any part of the machine prologue. This change just prevents us from sinking the pseudoprologue
669         of inlined varargs or closure calls.
670
671         Shockingly, this is not a regression on anything.
672
673         * dfg/DFGClobberize.h:
674         (JSC::DFG::clobberize):
675
676 2016-03-29  Keith Miller  <keith_miller@apple.com>
677
678         [ES6] Add support for Symbol.isConcatSpreadable.
679         https://bugs.webkit.org/show_bug.cgi?id=155351
680
681         Reviewed by Saam Barati.
682
683         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
684         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
685         a builtin performant. First, four new DFG intrinsics were added.
686
687         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
688            the Array.isArray function.
689         2) IsJSArray: checks the first child is a JSArray object.
690         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
691         4) CallObjectConstructor: an intrinsic of the Object constructor.
692
693         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
694         we are able to prove that the first child is an Array or for ToObject an Object.
695
696         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
697         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
698         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
699         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
700         into a contiguous array).
701
702         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
703         values onto the result array. This works roughly the same as the two array fast path using the same methodology
704         to decide if we can memcpy the other butterfly into the result butterfly.
705
706         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
707         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
708         dataLog function on it.
709
710         Finally, this patch add a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
711         JSValueOperand if the operand's use count is one.
712
713         * JavaScriptCore.xcodeproj/project.pbxproj:
714         * builtins/ArrayPrototype.js:
715         (concatSlowPath):
716         (concat):
717         * bytecode/BytecodeIntrinsicRegistry.cpp:
718         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
719         * bytecode/BytecodeIntrinsicRegistry.h:
720         * dfg/DFGAbstractInterpreterInlines.h:
721         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
722         * dfg/DFGByteCodeParser.cpp:
723         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
724         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
725         * dfg/DFGClobberize.h:
726         (JSC::DFG::clobberize):
727         * dfg/DFGDoesGC.cpp:
728         (JSC::DFG::doesGC):
729         * dfg/DFGFixupPhase.cpp:
730         (JSC::DFG::FixupPhase::fixupNode):
731         * dfg/DFGNodeType.h:
732         * dfg/DFGOperations.cpp:
733         * dfg/DFGOperations.h:
734         * dfg/DFGPredictionPropagationPhase.cpp:
735         (JSC::DFG::PredictionPropagationPhase::propagate):
736         * dfg/DFGSafeToExecute.h:
737         (JSC::DFG::safeToExecute):
738         * dfg/DFGSpeculativeJIT.cpp:
739         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
740         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
741         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
742         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
743         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
744         * dfg/DFGSpeculativeJIT.h:
745         (JSC::DFG::SpeculativeJIT::callOperation):
746         * dfg/DFGSpeculativeJIT32_64.cpp:
747         (JSC::DFG::SpeculativeJIT::compile):
748         * dfg/DFGSpeculativeJIT64.cpp:
749         (JSC::DFG::SpeculativeJIT::compile):
750         * ftl/FTLCapabilities.cpp:
751         (JSC::FTL::canCompile):
752         * ftl/FTLLowerDFGToB3.cpp:
753         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
754         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
755         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
756         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
757         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
758         (JSC::FTL::DFG::LowerDFGToB3::isArray):
759         * jit/JITOperations.h:
760         * jsc.cpp:
761         (WTF::RuntimeArray::createStructure):
762         (GlobalObject::finishCreation):
763         (functionDebug):
764         (functionDataLogValue):
765         * runtime/ArrayConstructor.cpp:
766         (JSC::ArrayConstructor::finishCreation):
767         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
768         * runtime/ArrayConstructor.h:
769         (JSC::isArrayConstructor):
770         * runtime/ArrayPrototype.cpp:
771         (JSC::ArrayPrototype::finishCreation):
772         (JSC::arrayProtoPrivateFuncIsJSArray):
773         (JSC::moveElements):
774         (JSC::arrayProtoPrivateFuncConcatMemcpy):
775         (JSC::arrayProtoPrivateFuncAppendMemcpy):
776         (JSC::arrayProtoFuncConcat): Deleted.
777         * runtime/ArrayPrototype.h:
778         (JSC::ArrayPrototype::createStructure):
779         * runtime/CommonIdentifiers.h:
780         * runtime/Intrinsic.h:
781         * runtime/JSArray.cpp:
782         (JSC::JSArray::appendMemcpy):
783         (JSC::JSArray::fastConcatWith): Deleted.
784         * runtime/JSArray.h:
785         (JSC::JSArray::createStructure):
786         (JSC::JSArray::fastConcatType): Deleted.
787         * runtime/JSArrayInlines.h: Added.
788         (JSC::JSArray::memCopyWithIndexingType):
789         (JSC::JSArray::canFastCopy):
790         * runtime/JSGlobalObject.cpp:
791         (JSC::JSGlobalObject::init):
792         * runtime/JSType.h:
793         * runtime/ObjectConstructor.h:
794         (JSC::constructObject):
795         * tests/es6.yaml:
796         * tests/stress/array-concat-spread-object.js: Added.
797         (arrayEq):
798         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
799         (arrayEq):
800         * tests/stress/array-concat-spread-proxy.js: Added.
801         (arrayEq):
802         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
803         (arrayEq):
804         * tests/stress/array-species-config-array-constructor.js:
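Added example, not JSC's own builtins/ArrayPrototype.js: a reference Array.prototype.concat written to the ES2015 algorithm, including the IsConcatSpreadable check, whose results are compared with the engine's native concat on the kinds of input the entry's stress tests exercise (spreadable objects, Proxies, holes, mixed Int32/double arrays, and a throwing Proxy trap). The ArraySpeciesCreate step is simplified to a plain array, an assumption of this example.

```javascript
// Added example, not JSC's builtins/ArrayPrototype.js: a reference
// Array.prototype.concat following the ES2015 algorithm, including the
// IsConcatSpreadable check, so its results can be compared with the engine's
// native concat on the kinds of input the patch's stress tests exercise.

// ToLength: clamp a "length" value the way the spec does before iterating.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0)
    return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// IsConcatSpreadable(O): an explicit Symbol.isConcatSpreadable property decides;
// otherwise fall back to IsArray, which sees through Proxies to their target.
function isConcatSpreadable(value) {
  if (value === null || (typeof value !== "object" && typeof value !== "function"))
    return false;
  const spreadable = value[Symbol.isConcatSpreadable];  // may run a Proxy trap
  if (spreadable !== undefined)
    return Boolean(spreadable);
  return Array.isArray(value);
}

// Array.prototype.concat, with ArraySpeciesCreate simplified to a plain array
// (assumption made for this example: no Symbol.species customisation).
function specConcat(thisValue, ...items) {
  const result = [];
  let n = 0;
  for (const element of [Object(thisValue), ...items]) {
    if (isConcatSpreadable(element)) {
      const len = toLength(element.length);
      if (n + len > Number.MAX_SAFE_INTEGER)
        throw new TypeError("concat result too long");
      for (let k = 0; k < len; k++, n++) {
        if (k in element)          // HasProperty: holes stay holes in the result
          result[n] = element[k];
      }
    } else {
      result[n++] = element;       // non-spreadable values are appended as one item
    }
  }
  result.length = n;               // keeps trailing holes
  return result;
}

// Compare two arrays element by element, treating holes as distinct from undefined.
function sameElements(a, b) {
  if (a.length !== b.length)
    return false;
  for (let i = 0; i < a.length; i++) {
    if ((i in a) !== (i in b))
      return false;
    if (i in a && !Object.is(a[i], b[i]))
      return false;
  }
  return true;
}

// Constructed inputs modelled on the patch's tests: an array that opts out of
// spreading, an array-like that opts in, a Proxy over an array, holes, and an
// Int32 array concatenated with doubles (the new contiguous fast-path case).
function runCases() {
  const base = [1, 2];
  const notSpread = [3, 4];
  notSpread[Symbol.isConcatSpreadable] = false;
  const arrayLike = { length: 2, 0: "a", 1: "b", [Symbol.isConcatSpreadable]: true };
  const proxied = new Proxy([5, 6], {});
  const holes = [, 7];
  const doubles = [1.5, 2.5];
  const results = {};
  for (const [name, arg] of Object.entries({ notSpread, arrayLike, proxied, holes, doubles })) {
    const native = base.concat(arg);
    const ours = specConcat(base, arg);
    results[name] = { native, ours, match: sameElements(native, ours) };
  }
  // A Proxy whose get trap throws must surface that error from the
  // Symbol.isConcatSpreadable lookup in both implementations, not swallow it.
  const throwing = new Proxy({}, { get() { throw new Error("trap fired"); } });
  const message = (fn) => { try { fn(); return null; } catch (e) { return e.message; } };
  const native = message(() => base.concat(throwing));
  const ours = message(() => specConcat(base, throwing));
  results.throwing = { native, ours, match: native === ours };
  return results;
}
```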
805
806 2016-04-06  Commit Queue  <commit-queue@webkit.org>
807
808         Unreviewed, rolling out r199070.
809         https://bugs.webkit.org/show_bug.cgi?id=156324
810
811         "It didn't fix the timeout" (Requested by saamyjoon on
812         #webkit).
813
814         Reverted changeset:
815
816         "jsc-layout-tests.yaml/js/script-tests/regress-141098.js
817         failing on Yosemite Debug after r198989"
818         https://bugs.webkit.org/show_bug.cgi?id=156187
819         http://trac.webkit.org/changeset/199070
820
821 2016-04-06  Geoffrey Garen  <ggaren@apple.com>
822
823         Unreviewed, rolling in r199016.
824         https://bugs.webkit.org/show_bug.cgi?id=156140
825
826         It might work this time without regression because 16kB aligned requests
827         now take the allocation fast path.
828
829         Restored changeset:
830
831         CopiedBlock should be 16kB
832         https://bugs.webkit.org/show_bug.cgi?id=156168
833         http://trac.webkit.org/changeset/199016
834
835 2016-04-06  Mark Lam  <mark.lam@apple.com>
836
837         Update es6.yaml to expect es6/Proxy_internal_get_calls_RegExp_constructor.js to pass.
838         https://bugs.webkit.org/show_bug.cgi?id=156314
839
840         Reviewed by Saam Barati.
841
842         * tests/es6.yaml:
843
844 2016-04-06  Commit Queue  <commit-queue@webkit.org>
845
846         Unreviewed, rolling out r199104.
847         https://bugs.webkit.org/show_bug.cgi?id=156301
848
849         Still breaks internal builds (Requested by keith_miller on
850         #webkit).
851
852         Reverted changeset:
853
854         "We should support the ability to do a non-effectful getById"
855         https://bugs.webkit.org/show_bug.cgi?id=156116
856         http://trac.webkit.org/changeset/199104
857
858 2016-04-06  Keith Miller  <keith_miller@apple.com>
859
860         RegExp constructor should use Symbol.match and other properties
861         https://bugs.webkit.org/show_bug.cgi?id=155873
862
863         Reviewed by Michael Saboff.
864
865         This patch updates the behavior of the RegExp constructor. Now the constructor
866         should get the Symbol.match property and check if it exists to decide if something
867         should be constructed like a regexp object.
868
869         * runtime/RegExpConstructor.cpp:
870         (JSC::toFlags):
871         (JSC::constructRegExp):
872         (JSC::constructWithRegExpConstructor):
873         (JSC::callRegExpConstructor):
874         * runtime/RegExpConstructor.h:
875         * tests/stress/regexp-constructor.js: Added.
876         (assert):
877         (throw.new.Error.get let):
878         (throw.new.Error.):
879         (throw.new.Error.get re):
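Added example, not JSC's runtime/RegExpConstructor.cpp: the observable behaviour this entry describes, the RegExp constructor consulting Symbol.match (the ES2015 IsRegExp operation) to decide whether an argument is regexp-like. A JS model of that decision (modelRegExpCall, a name chosen here) runs beside calls to the real constructor so the two can be checked against each other.

```javascript
// Added example, not JSC's runtime/RegExpConstructor.cpp: how the RegExp
// constructor's Symbol.match check shows up to scripts, with a JS model of the
// decision checked against the real constructor.

// IsRegExp(argument): a present Symbol.match property decides by truthiness;
// otherwise only an object with the internal [[RegExpMatcher]] slot qualifies.
function isRegExpLike(value) {
  if (value === null || (typeof value !== "object" && typeof value !== "function"))
    return false;
  const matcher = value[Symbol.match];
  if (matcher !== undefined)
    return Boolean(matcher);
  return hasRegExpMatcher(value);
}

// Brand check: the RegExp.prototype.source getter throws a TypeError for any
// receiver without [[RegExpMatcher]], except RegExp.prototype itself.
const sourceGetter = Object.getOwnPropertyDescriptor(RegExp.prototype, "source").get;
function hasRegExpMatcher(value) {
  if (value === RegExp.prototype)
    return false;
  try {
    sourceGetter.call(value);
    return true;
  } catch (e) {
    return false;
  }
}

// Model of RegExp(pattern, flags): which source/flags pair gets compiled, or
// whether a plain (non-new) call hands the pattern back unchanged.
function modelRegExpCall(pattern, flags, calledWithNew) {
  const patternIsRegExp = isRegExpLike(pattern);
  if (!calledWithNew && patternIsRegExp && flags === undefined
      && pattern.constructor === RegExp)
    return { returnsPattern: true };
  if (patternIsRegExp || hasRegExpMatcher(pattern)) {
    // Real RegExps expose their original source/flags through getters;
    // regexp-like objects are simply asked for "source" and "flags".
    return { source: pattern.source, flags: flags === undefined ? pattern.flags : flags };
  }
  return { source: String(pattern), flags };  // anything else is a pattern string
}

// Constructed cases: a plain object claiming to be a regexp, the same object
// with constructor === RegExp, a real RegExp that opts out via Symbol.match.
function runCases() {
  const fake = { source: "a+b", flags: "gi", [Symbol.match]: true };
  const fakeWithCtor = { ...fake, constructor: RegExp };
  const optedOut = /x/g;
  optedOut[Symbol.match] = false;   // own property shadows RegExp.prototype[Symbol.match]
  const real = /y/i;
  const built = new RegExp(fake);
  const copy = RegExp(optedOut);
  return {
    // a plain object is compiled as a RegExp because Symbol.match is truthy
    fakeIsCompiled: built.source === "a+b" && built.flags === "gi",
    explicitFlagsWin: new RegExp(fake, "y").flags === "y",
    // a call (no new) returns the regexp-like object itself once its
    // constructor is RegExp, exactly as it does for a real RegExp
    callReturnsFake: RegExp(fakeWithCtor) === fakeWithCtor,
    callReturnsReal: RegExp(real) === real,
    // with Symbol.match false, a real RegExp no longer counts as one here:
    // the call builds a fresh copy from its internal source and flags
    optedOutIsCopied: copy !== optedOut && copy.source === "x" && copy.flags === "g",
    modelAgrees: modelRegExpCall(fake, undefined, true).source === "a+b"
      && modelRegExpCall(fakeWithCtor, undefined, false).returnsPattern === true
      && modelRegExpCall(optedOut, undefined, false).source === "x"
      && modelRegExpCall(real, undefined, false).returnsPattern === true,
  };
}
```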
880
881 2016-04-06  Keith Miller  <keith_miller@apple.com>
882
883         We should support the ability to do a non-effectful getById
884         https://bugs.webkit.org/show_bug.cgi?id=156116
885
886         Reviewed by Benjamin Poulain.
887
888         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
889         useful because it enables us to take different code paths based on values that we would
890         otherwise not be able to have knowledge of. This patch adds this new feature called
891         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
892         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
893         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
894         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
895         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
896         the global object that indicates we could not get the result.
897
898         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
899         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
900         get_by_id the same way we would for load and return the value at the appropriate offset.
901         Additionally, in order to make sure that we can properly compare the GetterSetter object
902         with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
903         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
904         likely to have little to no impact on memory usage as normal accessors are generally rare.
905
906         * builtins/BuiltinExecutables.cpp:
907         (JSC::BuiltinExecutables::createDefaultConstructor):
908         (JSC::BuiltinExecutables::createBuiltinExecutable):
909         (JSC::createBuiltinExecutable):
910         (JSC::BuiltinExecutables::createExecutable):
911         (JSC::createExecutableInternal): Deleted.
912         * builtins/BuiltinExecutables.h:
913         * bytecode/BytecodeIntrinsicRegistry.h:
914         * bytecode/BytecodeList.json:
915         * bytecode/BytecodeUseDef.h:
916         (JSC::computeUsesForBytecodeOffset):
917         (JSC::computeDefsForBytecodeOffset):
918         * bytecode/CodeBlock.cpp:
919         (JSC::CodeBlock::dumpBytecode):
920         * bytecode/PolymorphicAccess.cpp:
921         (JSC::AccessCase::tryGet):
922         (JSC::AccessCase::generate):
923         (WTF::printInternal):
924         * bytecode/PolymorphicAccess.h:
925         (JSC::AccessCase::isGet): Deleted.
926         (JSC::AccessCase::isPut): Deleted.
927         (JSC::AccessCase::isIn): Deleted.
928         * bytecode/StructureStubInfo.cpp:
929         (JSC::StructureStubInfo::reset):
930         * bytecode/StructureStubInfo.h:
931         * bytecompiler/BytecodeGenerator.cpp:
932         (JSC::BytecodeGenerator::emitTryGetById):
933         * bytecompiler/BytecodeGenerator.h:
934         * bytecompiler/NodesCodegen.cpp:
935         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
936         * dfg/DFGSpeculativeJIT32_64.cpp:
937         (JSC::DFG::SpeculativeJIT::cachedGetById):
938         * dfg/DFGSpeculativeJIT64.cpp:
939         (JSC::DFG::SpeculativeJIT::cachedGetById):
940         * ftl/FTLLowerDFGToB3.cpp:
941         (JSC::FTL::DFG::LowerDFGToB3::getById):
942         * jit/JIT.cpp:
943         (JSC::JIT::privateCompileMainPass):
944         (JSC::JIT::privateCompileSlowCases):
945         * jit/JIT.h:
946         * jit/JITInlineCacheGenerator.cpp:
947         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
948         * jit/JITInlineCacheGenerator.h:
949         * jit/JITInlines.h:
950         (JSC::JIT::callOperation):
951         * jit/JITOperations.cpp:
952         * jit/JITOperations.h:
953         * jit/JITPropertyAccess.cpp:
954         (JSC::JIT::emitGetByValWithCachedId):
955         (JSC::JIT::emit_op_try_get_by_id):
956         (JSC::JIT::emitSlow_op_try_get_by_id):
957         (JSC::JIT::emit_op_get_by_id):
958         * jit/JITPropertyAccess32_64.cpp:
959         (JSC::JIT::emitGetByValWithCachedId):
960         (JSC::JIT::emit_op_try_get_by_id):
961         (JSC::JIT::emitSlow_op_try_get_by_id):
962         (JSC::JIT::emit_op_get_by_id):
963         * jit/Repatch.cpp:
964         (JSC::repatchByIdSelfAccess):
965         (JSC::appropriateOptimizingGetByIdFunction):
966         (JSC::appropriateGenericGetByIdFunction):
967         (JSC::tryCacheGetByID):
968         (JSC::repatchGetByID):
969         (JSC::resetGetByID):
970         * jit/Repatch.h:
971         * jsc.cpp:
972         (GlobalObject::finishCreation):
973         (functionGetGetterSetter):
974         (functionCreateBuiltin):
975         * llint/LLIntData.cpp:
976         (JSC::LLInt::Data::performAssertions):
977         * llint/LLIntSlowPaths.cpp:
978         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
979         * llint/LLIntSlowPaths.h:
980         * llint/LowLevelInterpreter.asm:
981         * runtime/GetterSetter.cpp:
982         * runtime/GetterSetter.h:
983         * runtime/JSType.h:
984         * runtime/PropertySlot.cpp:
985         (JSC::PropertySlot::getPureResult):
986         * runtime/PropertySlot.h:
987         * runtime/ProxyObject.cpp:
988         (JSC::ProxyObject::getOwnPropertySlotCommon):
989         * tests/stress/try-get-by-id.js: Added.
990         (tryGetByIdText):
991         (getCaller.obj.1.throw.new.Error.let.func):
992         (getCaller.obj.1.throw.new.Error):
993         (throw.new.Error.get let):
994         (throw.new.Error.):
995         (throw.new.Error.let.get createBuiltin):
996         (get let):
997         (let.get createBuiltin):
998         (let.func):
999         (get let.func):
1000         (get throw):
1001
1002 2016-04-05  Chris Dumez  <cdumez@apple.com>
1003
1004         Add support for [EnabledAtRuntime] operations on DOMWindow
1005         https://bugs.webkit.org/show_bug.cgi?id=156272
1006
1007         Reviewed by Alex Christensen.
1008
1009         Add identifier for 'fetch' so it can be used from the generated
1010         bindings.
1011
1012         * runtime/CommonIdentifiers.h:
1013
1014 2016-04-05  Alex Christensen  <achristensen@webkit.org>
1015
1016         Make CMake-generated binaries on Mac able to run
1017         https://bugs.webkit.org/show_bug.cgi?id=156268
1018
1019         Reviewed by Daniel Bates.
1020
1021         * CMakeLists.txt:
1022
1023 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1024
1025         Improve some other cases of context-sensitive inlining
1026         https://bugs.webkit.org/show_bug.cgi?id=156277
1027
1028         Reviewed by Benjamin Poulain.
1029         
1030         This implements some improvements for inlining:
1031
1032         - We no longer do guarded inlining when the profiling doesn't come from a stub. Doing so would have
1033           been risky, and according to benchmarks, it wasn't common enough to matter. I think it's better to
1034           err on the side of not inlining.
1035         
1036         - The jneq_ptr pattern for variadic calls no longer breaks the basic block. Not breaking the block
1037           increases the chances of the parser seeing the callee constant. While inlining doesn't require a
1038           callee constant, sometimes it makes a difference. Note that we were previously breaking the block
1039           for no reason at all: if the boundary after jneq_ptr is a jump target from some other jump, then
1040           the parser will automatically break the block for us. There is no reason to add any block breaking
1041           ourselves since we implement jneq_ptr by ignoring the affirmative jump destination and inserting a
1042           check and falling through.
1043         
1044         - get_by_id handling now tries to apply some common sense to its status object. In particular, if
1045           the source is a NewObject and there was no interfering operation that could clobber the structure,
1046           then we know which case of a polymorphic GetByIdStatus we would take. This arises in some
1047           constructor patterns.
1048         
1049         Long term, we should address all of these cases comprehensively by having a late inliner. The inliner
1050         being part of the bytecode parser means that there is a lot of complexity in the parser and it
1051         prevents us from inlining upon learning new information from static analysis. But for now, I think
1052         it's fine to experiment with one-off hacks, if only to learn what the possibilities are.
1053         
1054         This is a 14% speed-up on Octane/raytrace.
1055
1056         * bytecode/CallLinkStatus.cpp:
1057         (JSC::CallLinkStatus::dump):
1058         * bytecode/CallLinkStatus.h:
1059         (JSC::CallLinkStatus::couldTakeSlowPath):
1060         (JSC::CallLinkStatus::setCouldTakeSlowPath):
1061         (JSC::CallLinkStatus::variants):
1062         (JSC::CallLinkStatus::size):
1063         (JSC::CallLinkStatus::at):
1064         * bytecode/GetByIdStatus.cpp:
1065         (JSC::GetByIdStatus::makesCalls):
1066         (JSC::GetByIdStatus::filter):
1067         (JSC::GetByIdStatus::dump):
1068         * bytecode/GetByIdStatus.h:
1069         (JSC::GetByIdStatus::wasSeenInJIT):
1070         * dfg/DFGByteCodeParser.cpp:
1071         (JSC::DFG::ByteCodeParser::handleCall):
1072         (JSC::DFG::ByteCodeParser::refineStatically):
1073         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1074         (JSC::DFG::ByteCodeParser::handleInlining):
1075         (JSC::DFG::ByteCodeParser::handleGetById):
1076         (JSC::DFG::ByteCodeParser::parseBlock):
1077         * runtime/Options.h:
1078
1079 2016-04-05  Saam barati  <sbarati@apple.com>
1080
1081         JSC SamplingProfiler: Use a thread + sleep loop instead of WTF::WorkQueue for taking samples
1082         https://bugs.webkit.org/show_bug.cgi?id=154017
1083
1084         Reviewed by Geoffrey Garen.
1085
1086         By moving to an explicitly created separate thread + sample-then-sleep
1087         loop, we can remove a lot of the crufty code around WorkQueue.
1088         We're also getting sample rates that are much closer to what we're
1089         asking the OS for. When the sampling handler was built off of WorkQueue,
1090         we'd often get sample rates much higher than the 1ms we asked for. On Kraken,
1091         we would average about 1.7ms sample rates, even though we'd ask for a 1ms rate.
1092         Now, on Kraken, we're getting about 1.2ms rates. Because we're getting
1093         higher rates, this patch is a performance regression. It's slower because
1094         we're sampling more frequently.
1095
1096         Before this patch, the sampling profiler had the following overhead:
1097         - 10% on Kraken
1098         - 12% on Octane
1099         - 15% on AsmBench
1100
1101         With this patch, the sampling profiler has the following overhead:
1102         - 16% on Kraken
1103         - 17% on Octane
1104         - 30% on AsmBench
1105
1106         Comparatively, this new patch has the following overhead over the old sampling profiler:
1107         - 5% on Kraken
1108         - 3.5% on Octane
1109         - 13% slower on AsmBench
1110
1111         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1112         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1113         * runtime/SamplingProfiler.cpp:
1114         (JSC::SamplingProfiler::SamplingProfiler):
1115         (JSC::SamplingProfiler::~SamplingProfiler):
1116         (JSC::SamplingProfiler::createThreadIfNecessary):
1117         (JSC::SamplingProfiler::timerLoop):
1118         (JSC::SamplingProfiler::takeSample):
1119         (JSC::tryGetBytecodeIndex):
1120         (JSC::SamplingProfiler::shutdown):
1121         (JSC::SamplingProfiler::start):
1122         (JSC::SamplingProfiler::pause):
1123         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1124         (JSC::SamplingProfiler::noticeJSLockAcquisition):
1125         (JSC::SamplingProfiler::noticeVMEntry):
1126         (JSC::SamplingProfiler::clearData):
1127         (JSC::SamplingProfiler::stop): Deleted.
1128         (JSC::SamplingProfiler::dispatchIfNecessary): Deleted.
1129         (JSC::SamplingProfiler::dispatchFunction): Deleted.
1130         * runtime/SamplingProfiler.h:
1131         (JSC::SamplingProfiler::setTimingInterval):
1132         (JSC::SamplingProfiler::setStopWatch):
1133         * runtime/VM.cpp:
1134         (JSC::VM::VM):
1135
1136 2016-04-05  Commit Queue  <commit-queue@webkit.org>
1137
1138         Unreviewed, rolling out r199073.
1139         https://bugs.webkit.org/show_bug.cgi?id=156261
1140
1141         This change broke internal Mac builds (Requested by ryanhaddad
1142         on #webkit).
1143
1144         Reverted changeset:
1145
1146         "We should support the ability to do a non-effectful getById"
1147         https://bugs.webkit.org/show_bug.cgi?id=156116
1148         http://trac.webkit.org/changeset/199073
1149
1150 2016-04-05  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1151
1152         [Fetch API] Add a runtime flag to fetch API and related constructs
1153         https://bugs.webkit.org/show_bug.cgi?id=156113
1154  
1155         Reviewed by Alex Christensen.
1156
1157         Add a fetch API runtime flag based on preferences.
1158         Disable fetch API by default.
1159  
1160         * runtime/CommonIdentifiers.h:
1161
1162 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1163
1164         Unreviewed, fix cloop some more.
1165
1166         * runtime/RegExpInlines.h:
1167         (JSC::RegExp::hasCodeFor):
1168         (JSC::RegExp::hasMatchOnlyCodeFor):
1169
1170 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1171
1172         Unreviewed, fix cloop.
1173
1174         * jit/CCallHelpers.cpp:
1175
1176 2016-03-18  Filip Pizlo  <fpizlo@apple.com>
1177
1178         JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames
1179         https://bugs.webkit.org/show_bug.cgi?id=155598
1180
1181         Reviewed by Saam Barati.
1182         
1183         JSC is the first JSVM to have proper tail calls. This means that error.stack and the
1184         debugger will appear to "delete" strict mode stack frames, if the call that this frame made
1185         was in tail position. This is exactly what functional programmers expect - they don't want
1186         the VM to waste resources on tail-deleted frames to ensure that it's legal to loop forever
1187         using tail calls. It's also something that non-functional programmers fear. It's not clear
1188         that tail-deleted frames would actually degrade the debugging experience, but the fear is
1189         real, so it's worthwhile to do something about it.
1190
1191         It turns out that there is at least one tail call implementation that doesn't suffer from
1192         this problem. It implements proper tail calls in the sense that you won't run out of memory
1193         by tail-looping. It also has the power to show you tail-deleted frames in a backtrace, so
1194         long as you haven't yet run out of memory. It's called CHICKEN Scheme, and it's one of my
1195         favorite hacks:
1196         
1197         http://www.more-magic.net/posts/internals-gc.html
1198
1199         CHICKEN does many awesome things. The intuition from CHICKEN that we use here is a simple
1200         one: what if a tail call still kept the tail-deleted frame, and the GC actually deleted that
1201         frame only once we proved that there was insufficient memory to keep it around.
1202         
1203         CHICKEN does this by reshaping the C stack with longjmp/setjmp. We can't do that because we
1204         can have arbitrary native code, and that native code does not have relocatable stack frames.
1205         
1206         But we can do something almost like CHICKEN on a shadow stack. It's a common trick to have a
1207         VM maintain two stacks - the actual execution stack plus a shadow stack that has some extra
1208         information. The shadow stack can be reshaped, moved, etc, since the VM tightly controls its
1209         layout. The main stack can then continue to obey ABI rules.
1210
1211         This patch implements a mechanism for being able to display stack traces that include
1212         tail-deleted frames. It uses a shadow stack that behaves like a CHICKEN stack: it has all
1213         frames all the time, though we will collect the tail-deleted ones if the stack gets too big.
1214         This new mechanism is called ShadowChicken, obviously: it's CHICKEN on a shadow stack.
1215         
1216         ShadowChicken is always on, but individual CodeBlocks may make their own choices about
1217         whether to opt into it. They will do that at bytecompile time based on the debugger mode on
1218         their global object.
1219
1220         When no CodeBlock opts in, there is no overhead, since ShadowChicken ends up doing nothing
1221         in that case. Well, except when exceptions are thrown. Then it might do some work, but it's
1222         minor.
1223
1224         When all CodeBlocks opt in, there is about 6% overhead. That's too much overhead to enable
1225         this all the time, but it's low enough to justify enabling in the Inspector. It's currently
1226         enabled on all CodeBlocks only when you use an Option. Otherwise it will auto-enable if the
1227         debugger is on.
1228
1229         Note that ShadowChicken attempts to gracefully handle the presence of stack frames that have
1230         no logging. This is essential since we *can* have debugging enabled in one GlobalObject and
1231         disabled in another. Also, some frames don't do ShadowChicken because they just haven't been
1232         hacked to do it yet. Native frames fall into this category, as do the VM entry frames.
1233
1234         This doesn't yet wire ShadowChicken into DebuggerCallFrame. That will take more work. It
1235         just makes a ShadowChicken stack walk function available to jsc. It's used from the
1236         shadow-chicken tests.
1237
1238         * API/JSContextRef.cpp:
1239         (BacktraceFunctor::BacktraceFunctor):
1240         (BacktraceFunctor::operator()):
1241         (JSContextCreateBacktrace):
1242         * CMakeLists.txt:
1243         * JavaScriptCore.xcodeproj/project.pbxproj:
1244         * bytecode/BytecodeList.json:
1245         * bytecode/BytecodeUseDef.h:
1246         (JSC::computeUsesForBytecodeOffset):
1247         (JSC::computeDefsForBytecodeOffset):
1248         * bytecode/CodeBlock.cpp:
1249         (JSC::CodeBlock::dumpBytecode):
1250         (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
1251         (JSC::RecursionCheckFunctor::operator()):
1252         (JSC::CodeBlock::noticeIncomingCall):
1253         * bytecompiler/BytecodeGenerator.cpp:
1254         (JSC::BytecodeGenerator::emitEnter):
1255         (JSC::BytecodeGenerator::emitCallInTailPosition):
1256         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
1257         (JSC::BytecodeGenerator::emitCallVarargs):
1258         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
1259         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
1260         (JSC::BytecodeGenerator::emitCallDefineProperty):
1261         * bytecompiler/BytecodeGenerator.h:
1262         * debugger/DebuggerCallFrame.cpp:
1263         (JSC::LineAndColumnFunctor::operator()):
1264         (JSC::LineAndColumnFunctor::column):
1265         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
1266         (JSC::FindCallerMidStackFunctor::operator()):
1267         (JSC::DebuggerCallFrame::DebuggerCallFrame):
1268         * dfg/DFGAbstractInterpreterInlines.h:
1269         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1270         * dfg/DFGByteCodeParser.cpp:
1271         (JSC::DFG::ByteCodeParser::parseBlock):
1272         * dfg/DFGClobberize.h:
1273         (JSC::DFG::clobberize):
1274         * dfg/DFGDoesGC.cpp:
1275         (JSC::DFG::doesGC):
1276         * dfg/DFGFixupPhase.cpp:
1277         (JSC::DFG::FixupPhase::fixupNode):
1278         * dfg/DFGNodeType.h:
1279         * dfg/DFGPredictionPropagationPhase.cpp:
1280         (JSC::DFG::PredictionPropagationPhase::propagate):
1281         * dfg/DFGSafeToExecute.h:
1282         (JSC::DFG::safeToExecute):
1283         * dfg/DFGSpeculativeJIT32_64.cpp:
1284         (JSC::DFG::SpeculativeJIT::compile):
1285         * dfg/DFGSpeculativeJIT64.cpp:
1286         (JSC::DFG::SpeculativeJIT::compile):
1287         * ftl/FTLAbstractHeapRepository.cpp:
1288         * ftl/FTLAbstractHeapRepository.h:
1289         * ftl/FTLCapabilities.cpp:
1290         (JSC::FTL::canCompile):
1291         * ftl/FTLLowerDFGToB3.cpp:
1292         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1293         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
1294         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
1295         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
1296         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1297         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1298         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket):
1299         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1300         * heap/Heap.cpp:
1301         (JSC::Heap::markRoots):
1302         (JSC::Heap::visitSamplingProfiler):
1303         (JSC::Heap::visitShadowChicken):
1304         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1305         (JSC::Heap::collectImpl):
1306         * heap/Heap.h:
1307         * inspector/ScriptCallStackFactory.cpp:
1308         (Inspector::CreateScriptCallStackFunctor::CreateScriptCallStackFunctor):
1309         (Inspector::CreateScriptCallStackFunctor::operator()):
1310         (Inspector::createScriptCallStack):
1311         * interpreter/CallFrame.h:
1312         (JSC::ExecState::iterate):
1313         * interpreter/Interpreter.cpp:
1314         (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
1315         (JSC::DumpRegisterFunctor::operator()):
1316         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1317         (JSC::GetStackTraceFunctor::operator()):
1318         (JSC::Interpreter::getStackTrace):
1319         (JSC::GetCatchHandlerFunctor::handler):
1320         (JSC::GetCatchHandlerFunctor::operator()):
1321         (JSC::notifyDebuggerOfUnwinding):
1322         (JSC::UnwindFunctor::UnwindFunctor):
1323         (JSC::UnwindFunctor::operator()):
1324         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
1325         * interpreter/ShadowChicken.cpp: Added.
1326         (JSC::ShadowChicken::Packet::dump):
1327         (JSC::ShadowChicken::Frame::dump):
1328         (JSC::ShadowChicken::ShadowChicken):
1329         (JSC::ShadowChicken::~ShadowChicken):
1330         (JSC::ShadowChicken::log):
1331         (JSC::ShadowChicken::update):
1332         (JSC::ShadowChicken::visitChildren):
1333         (JSC::ShadowChicken::reset):
1334         (JSC::ShadowChicken::dump):
1335         (JSC::ShadowChicken::functionsOnStack):
1336         * interpreter/ShadowChicken.h: Added.
1337         (JSC::ShadowChicken::Packet::Packet):
1338         (JSC::ShadowChicken::Packet::tailMarker):
1339         (JSC::ShadowChicken::Packet::throwMarker):
1340         (JSC::ShadowChicken::Packet::prologue):
1341         (JSC::ShadowChicken::Packet::tail):
1342         (JSC::ShadowChicken::Packet::throwPacket):
1343         (JSC::ShadowChicken::Packet::operator bool):
1344         (JSC::ShadowChicken::Packet::isPrologue):
1345         (JSC::ShadowChicken::Packet::isTail):
1346         (JSC::ShadowChicken::Packet::isThrow):
1347         (JSC::ShadowChicken::Frame::Frame):
1348         (JSC::ShadowChicken::Frame::operator==):
1349         (JSC::ShadowChicken::Frame::operator!=):
1350         (JSC::ShadowChicken::log):
1351         (JSC::ShadowChicken::logSize):
1352         (JSC::ShadowChicken::addressOfLogCursor):
1353         (JSC::ShadowChicken::logEnd):
1354         * interpreter/ShadowChickenInlines.h: Added.
1355         (JSC::ShadowChicken::iterate):
1356         * interpreter/StackVisitor.h:
1357         (JSC::StackVisitor::Frame::callee):
1358         (JSC::StackVisitor::Frame::codeBlock):
1359         (JSC::StackVisitor::Frame::bytecodeOffset):
1360         (JSC::StackVisitor::Frame::inlineCallFrame):
1361         (JSC::StackVisitor::Frame::isJSFrame):
1362         (JSC::StackVisitor::Frame::isInlinedFrame):
1363         (JSC::StackVisitor::visit):
1364         * jit/CCallHelpers.cpp: Added.
1365         (JSC::CCallHelpers::logShadowChickenProloguePacket):
1366         (JSC::CCallHelpers::logShadowChickenTailPacket):
1367         (JSC::CCallHelpers::setupShadowChickenPacket):
1368         * jit/CCallHelpers.h:
1369         (JSC::CCallHelpers::prepareForTailCallSlow):
1370         * jit/JIT.cpp:
1371         (JSC::JIT::privateCompileMainPass):
1372         * jit/JIT.h:
1373         * jit/JITExceptions.cpp:
1374         (JSC::genericUnwind):
1375         * jit/JITOpcodes.cpp:
1376         (JSC::JIT::emit_op_resume):
1377         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1378         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1379         * jit/JITOperations.cpp:
1380         * jit/JITOperations.h:
1381         * jsc.cpp:
1382         (GlobalObject::finishCreation):
1383         (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
1384         (FunctionJSCStackFunctor::operator()):
1385         (functionClearSamplingFlags):
1386         (functionShadowChickenFunctionsOnStack):
1387         (functionReadline):
1388         * llint/LLIntOffsetsExtractor.cpp:
1389         * llint/LLIntSlowPaths.cpp:
1390         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1391         (JSC::LLInt::llint_throw_stack_overflow_error):
1392         * llint/LLIntSlowPaths.h:
1393         * llint/LowLevelInterpreter.asm:
1394         * profiler/ProfileGenerator.cpp:
1395         (JSC::AddParentForConsoleStartFunctor::foundParent):
1396         (JSC::AddParentForConsoleStartFunctor::operator()):
1397         * runtime/Error.cpp:
1398         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1399         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1400         (JSC::addErrorInfoAndGetBytecodeOffset):
1401         * runtime/JSFunction.cpp:
1402         (JSC::RetrieveArgumentsFunctor::result):
1403         (JSC::RetrieveArgumentsFunctor::operator()):
1404         (JSC::retrieveArguments):
1405         (JSC::RetrieveCallerFunctionFunctor::result):
1406         (JSC::RetrieveCallerFunctionFunctor::operator()):
1407         (JSC::retrieveCallerFunction):
1408         * runtime/JSGlobalObjectFunctions.cpp:
1409         (JSC::GlobalFuncProtoGetterFunctor::result):
1410         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1411         (JSC::globalFuncProtoGetter):
1412         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
1413         (JSC::GlobalFuncProtoSetterFunctor::operator()):
1414         * runtime/NullSetterFunction.cpp:
1415         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
1416         (JSC::GetCallerStrictnessFunctor::operator()):
1417         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
1418         (JSC::callerIsStrict):
1419         * runtime/ObjectConstructor.cpp:
1420         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
1421         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1422         (JSC::objectConstructorGetPrototypeOf):
1423         * runtime/Options.h:
1424         * runtime/VM.cpp:
1425         (JSC::VM::VM):
1426         (JSC::SetEnabledProfilerFunctor::operator()):
1427         * runtime/VM.h:
1428         (JSC::VM::shouldBuilderPCToCodeOriginMapping):
1429         (JSC::VM::bytecodeIntrinsicRegistry):
1430         (JSC::VM::shadowChicken):
1431         * tests/stress/resources/shadow-chicken-support.js: Added.
1432         (describeFunction):
1433         (describeArray):
1434         (expectStack):
1435         (initialize):
1436         * tests/stress/shadow-chicken-disabled.js: Added.
1437         (test1.foo):
1438         (test1.bar):
1439         (test1.baz):
1440         (test1):
1441         (test2.foo):
1442         (test2.bar):
1443         (test2.baz):
1444         (test2):
1445         (test3.foo):
1446         (test3.bar):
1447         (test3.baz):
1448         (test3):
1449         * tests/stress/shadow-chicken-enabled.js: Added.
1450         (test1.foo):
1451         (test1.bar):
1452         (test1.baz):
1453         (test1):
1454         (test2.foo):
1455         (test2.bar):
1456         (test2.baz):
1457         (test2):
1458         (test3.bob):
1459         (test3.thingy):
1460         (test3.foo):
1461         (test3.bar):
1462         (test3.baz):
1463         (test3):
1464         (test4.bob):
1465         (test4.thingy):
1466         (test4.foo):
1467         (test4.bar):
1468         (test4.baz):
1469         (test4):
1470         (test5.foo):
1471         (test5):
1472         * tools/JSDollarVMPrototype.cpp:
1473         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
1474         (JSC::CallerFrameJITTypeFunctor::operator()):
1475         (JSC::CallerFrameJITTypeFunctor::jitType):
1476         (JSC::functionLLintTrue):
1477         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
1478         (JSC::CellAddressCheckFunctor::operator()):
1479         (JSC::JSDollarVMPrototype::isValidCell):
1480         (JSC::JSDollarVMPrototype::isValidCodeBlock):
1481         (JSC::JSDollarVMPrototype::codeBlockForFrame):
1482         (JSC::PrintFrameFunctor::PrintFrameFunctor):
1483         (JSC::PrintFrameFunctor::operator()):
1484         (JSC::printCallFrame):
1485
1486 2016-03-19  Filip Pizlo  <fpizlo@apple.com>
1487
1488         DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace
1489         https://bugs.webkit.org/show_bug.cgi?id=155270
1490
1491         Reviewed by Saam Barati.
1492
1493         This enables constant-folding of RegExpExec, RegExpTest, and StringReplace.
1494
1495         It's now possible to run Yarr on the JIT threads. Since previous work on constant-folding
1496         strings gave the DFG an API for reasoning about JSString constants in terms of
1497         JIT-thread-local WTF::Strings, it's now super easy to just pass strings to Yarr and build IR
1498         based on the results.
1499
1500         But RegExpExec is hard: the folded version still must allocate a RegExpMatchesArray. We must
1501         use the same Structure that the code would have used or else we'll pollute the program's
1502         inline caches. Also, RegExpMatchesArray.h|cpp will allocate the array and its named
1503         properties in one go - we don't want to lose that optimization. So, this patch enables
1504         MaterializeNewObject to allocate objects or arrays with any number of indexed or named
1505         properties. Previously it could only handle objects (but not arrays) and named properties
1506         (but not indexed ones).
1507
1508         This also adds a few minor things for setting the RegExpConstructor cached result.
1509
1510         This is about a 2x speed-up on microbenchmarks when we fold a match success and about a
1511         8x speed-up when we fold a match failure. It's a 10% speed-up on Octane/regexp.
1512
1513         * JavaScriptCore.xcodeproj/project.pbxproj:
1514         * dfg/DFGAbstractInterpreterInlines.h:
1515         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1516         * dfg/DFGClobberize.h:
1517         (JSC::DFG::clobberize):
1518         * dfg/DFGDoesGC.cpp:
1519         (JSC::DFG::doesGC):
1520         * dfg/DFGFixupPhase.cpp:
1521         (JSC::DFG::FixupPhase::fixupNode):
1522         * dfg/DFGGraph.cpp:
1523         (JSC::DFG::Graph::dump):
1524         * dfg/DFGInsertionSet.cpp:
1525         (JSC::DFG::InsertionSet::insertSlow):
1526         (JSC::DFG::InsertionSet::execute):
1527         * dfg/DFGInsertionSet.h:
1528         (JSC::DFG::InsertionSet::insertCheck):
1529         * dfg/DFGLazyJSValue.cpp:
1530         (JSC::DFG::LazyJSValue::tryGetString):
1531         * dfg/DFGMayExit.cpp:
1532         (JSC::DFG::mayExit):
1533         * dfg/DFGNode.h:
1534         (JSC::DFG::StackAccessData::flushedAt):
1535         (JSC::DFG::OpInfo::OpInfo): Deleted.
1536         * dfg/DFGNodeType.h:
1537         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1538         * dfg/DFGObjectMaterializationData.cpp:
1539         (JSC::DFG::ObjectMaterializationData::dump):
1540         (JSC::DFG::PhantomPropertyValue::dump): Deleted.
1541         (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore): Deleted.
1542         (JSC::DFG::ObjectMaterializationData::similarityScore): Deleted.
1543         * dfg/DFGObjectMaterializationData.h:
1544         (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue): Deleted.
1545         (JSC::DFG::PhantomPropertyValue::operator==): Deleted.
1546         * dfg/DFGOpInfo.h: Added.
1547         (JSC::DFG::OpInfo::OpInfo):
1548         * dfg/DFGOperations.cpp:
1549         * dfg/DFGOperations.h:
1550         * dfg/DFGPredictionPropagationPhase.cpp:
1551         (JSC::DFG::PredictionPropagationPhase::propagate):
1552         * dfg/DFGPromotedHeapLocation.cpp:
1553         (WTF::printInternal):
1554         * dfg/DFGPromotedHeapLocation.h:
1555         * dfg/DFGSafeToExecute.h:
1556         (JSC::DFG::safeToExecute):
1557         * dfg/DFGSpeculativeJIT.cpp:
1558         (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
1559         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1560         (JSC::DFG::SpeculativeJIT::emitGetLength):
1561         (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
1562         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
1563         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
1564         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): Deleted.
1565         * dfg/DFGSpeculativeJIT.h:
1566         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1567         * dfg/DFGSpeculativeJIT32_64.cpp:
1568         (JSC::DFG::SpeculativeJIT::compile):
1569         * dfg/DFGSpeculativeJIT64.cpp:
1570         (JSC::DFG::SpeculativeJIT::compile):
1571         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1572         * dfg/DFGStrengthReductionPhase.cpp:
1573         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
1574         (JSC::DFG::StrengthReductionPhase::handleNode):
1575         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1576         (JSC::DFG::StrengthReductionPhase::executeInsertionSet):
1577         * dfg/DFGValidate.cpp:
1578         (JSC::DFG::Validate::validate):
1579         (JSC::DFG::Validate::validateCPS):
1580         * ftl/FTLAbstractHeapRepository.cpp:
1581         * ftl/FTLAbstractHeapRepository.h:
1582         * ftl/FTLCapabilities.cpp:
1583         (JSC::FTL::canCompile):
1584         * ftl/FTLLowerDFGToB3.cpp:
1585         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1586         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1587         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1588         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1589         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
1590         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
1591         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1592         (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
1593         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1594         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1595         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
1596         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
1597         * ftl/FTLOperations.cpp:
1598         (JSC::FTL::operationPopulateObjectInOSR):
1599         (JSC::FTL::operationNewObjectWithButterfly): Deleted.
1600         * ftl/FTLOperations.h:
1601         * inspector/ContentSearchUtilities.cpp:
1602         * runtime/JSObject.h:
1603         (JSC::JSObject::createRawObject):
1604         (JSC::JSFinalObject::create):
1605         * runtime/RegExp.cpp:
1606         (JSC::RegExp::compile):
1607         (JSC::RegExp::match):
1608         (JSC::RegExp::matchConcurrently):
1609         (JSC::RegExp::compileMatchOnly):
1610         (JSC::RegExp::deleteCode):
1611         * runtime/RegExp.h:
1612         * runtime/RegExpCachedResult.h:
1613         (JSC::RegExpCachedResult::offsetOfLastRegExp):
1614         (JSC::RegExpCachedResult::offsetOfLastInput):
1615         (JSC::RegExpCachedResult::offsetOfResult):
1616         (JSC::RegExpCachedResult::offsetOfReified):
1617         * runtime/RegExpConstructor.h:
1618         (JSC::RegExpConstructor::offsetOfCachedResult):
1619         * runtime/RegExpInlines.h:
1620         (JSC::RegExp::hasCodeFor):
1621         (JSC::RegExp::compileIfNecessary):
1622         (JSC::RegExp::matchInline):
1623         (JSC::RegExp::hasMatchOnlyCodeFor):
1624         (JSC::RegExp::compileIfNecessaryMatchOnly):
1625         * runtime/RegExpObjectInlines.h:
1626         (JSC::RegExpObject::execInline):
1627         * runtime/StringPrototype.cpp:
1628         (JSC::substituteBackreferencesSlow):
1629         (JSC::substituteBackreferencesInline):
1630         (JSC::substituteBackreferences):
1631         (JSC::StringRange::StringRange):
1632         * runtime/StringPrototype.h:
1633         * runtime/VM.h:
1634         * tests/stress/simple-regexp-exec-folding-fail.js: Added.
1635         (foo):
1636         * tests/stress/simple-regexp-exec-folding.js: Added.
1637         (foo):
1638         * tests/stress/simple-regexp-test-folding-fail.js: Added.
1639         (foo):
1640         * tests/stress/simple-regexp-test-folding.js: Added.
1641         (foo):
1642         * yarr/RegularExpression.cpp:
1643         * yarr/Yarr.h:
1644         * yarr/YarrInterpreter.cpp:
1645         (JSC::Yarr::Interpreter::interpret):
1646         (JSC::Yarr::ByteCompiler::ByteCompiler):
1647         (JSC::Yarr::ByteCompiler::compile):
1648         (JSC::Yarr::ByteCompiler::checkInput):
1649         (JSC::Yarr::byteCompile):
1650         (JSC::Yarr::interpret):
1651         * yarr/YarrInterpreter.h:
1652         (JSC::Yarr::BytecodePattern::BytecodePattern):
1653
1654 2016-04-05  Keith Miller  <keith_miller@apple.com>
1655
1656         We should support the ability to do a non-effectful getById
1657         https://bugs.webkit.org/show_bug.cgi?id=156116
1658
1659         Reviewed by Benjamin Poulain.
1660
1661         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
1662         useful because it enables us to take different code paths based on values that we would
1663         otherwise not be able to have knowledge of. This patch adds this new feature called
1664         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
1665         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
1666         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
1667         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
1668         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
1669         the global object that indicates we could not get the result.
1670
1671         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
1672         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
1673         get_by_id the same way we would for load and return the value at the appropriate offset.
1674         Additionally, in order to make sure that we can properly compare the GetterSetter object
1675         with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
1676         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
1677         likely to have little to no impact on memory usage as normal accessors are generally rare.
1678
1679         * JavaScriptCore.xcodeproj/project.pbxproj:
1680         * builtins/BuiltinExecutables.cpp:
1681         (JSC::BuiltinExecutables::createDefaultConstructor):
1682         (JSC::BuiltinExecutables::createBuiltinExecutable):
1683         (JSC::createBuiltinExecutable):
1684         (JSC::BuiltinExecutables::createExecutable):
1685         (JSC::createExecutableInternal): Deleted.
1686         * builtins/BuiltinExecutables.h:
1687         * bytecode/BytecodeIntrinsicRegistry.h:
1688         * bytecode/BytecodeList.json:
1689         * bytecode/BytecodeUseDef.h:
1690         (JSC::computeUsesForBytecodeOffset):
1691         (JSC::computeDefsForBytecodeOffset):
1692         * bytecode/CodeBlock.cpp:
1693         (JSC::CodeBlock::dumpBytecode):
1694         * bytecode/PolymorphicAccess.cpp:
1695         (JSC::AccessCase::tryGet):
1696         (JSC::AccessCase::generate):
1697         (WTF::printInternal):
1698         * bytecode/PolymorphicAccess.h:
1699         (JSC::AccessCase::isGet): Deleted.
1700         (JSC::AccessCase::isPut): Deleted.
1701         (JSC::AccessCase::isIn): Deleted.
1702         * bytecode/StructureStubInfo.cpp:
1703         (JSC::StructureStubInfo::reset):
1704         * bytecode/StructureStubInfo.h:
1705         * bytecompiler/BytecodeGenerator.cpp:
1706         (JSC::BytecodeGenerator::emitTryGetById):
1707         * bytecompiler/BytecodeGenerator.h:
1708         * bytecompiler/NodesCodegen.cpp:
1709         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
1710         * dfg/DFGSpeculativeJIT32_64.cpp:
1711         (JSC::DFG::SpeculativeJIT::cachedGetById):
1712         * dfg/DFGSpeculativeJIT64.cpp:
1713         (JSC::DFG::SpeculativeJIT::cachedGetById):
1714         * ftl/FTLLowerDFGToB3.cpp:
1715         (JSC::FTL::DFG::LowerDFGToB3::getById):
1716         * jit/JIT.cpp:
1717         (JSC::JIT::privateCompileMainPass):
1718         (JSC::JIT::privateCompileSlowCases):
1719         * jit/JIT.h:
1720         * jit/JITInlineCacheGenerator.cpp:
1721         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1722         * jit/JITInlineCacheGenerator.h:
1723         * jit/JITInlines.h:
1724         (JSC::JIT::callOperation):
1725         * jit/JITOperations.cpp:
1726         * jit/JITOperations.h:
1727         * jit/JITPropertyAccess.cpp:
1728         (JSC::JIT::emitGetByValWithCachedId):
1729         (JSC::JIT::emit_op_try_get_by_id):
1730         (JSC::JIT::emitSlow_op_try_get_by_id):
1731         (JSC::JIT::emit_op_get_by_id):
1732         * jit/JITPropertyAccess32_64.cpp:
1733         (JSC::JIT::emitGetByValWithCachedId):
1734         (JSC::JIT::emit_op_try_get_by_id):
1735         (JSC::JIT::emitSlow_op_try_get_by_id):
1736         (JSC::JIT::emit_op_get_by_id):
1737         * jit/Repatch.cpp:
1738         (JSC::repatchByIdSelfAccess):
1739         (JSC::appropriateOptimizingGetByIdFunction):
1740         (JSC::appropriateGenericGetByIdFunction):
1741         (JSC::tryCacheGetByID):
1742         (JSC::repatchGetByID):
1743         (JSC::resetGetByID):
1744         * jit/Repatch.h:
1745         * jsc.cpp:
1746         (GlobalObject::finishCreation):
1747         (functionGetGetterSetter):
1748         (functionCreateBuiltin):
1749         * llint/LLIntData.cpp:
1750         (JSC::LLInt::Data::performAssertions):
1751         * llint/LLIntSlowPaths.cpp:
1752         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1753         * llint/LLIntSlowPaths.h:
1754         * llint/LowLevelInterpreter.asm:
1755         * runtime/GetterSetter.cpp:
1756         * runtime/GetterSetter.h:
1757         * runtime/JSType.h:
1758         * runtime/PropertySlot.cpp:
1759         (JSC::PropertySlot::getPureResult):
1760         * runtime/PropertySlot.h:
1761         * runtime/ProxyObject.cpp:
1762         (JSC::ProxyObject::getOwnPropertySlotCommon):
1763         * tests/stress/try-get-by-id.js: Added.
1764         (tryGetByIdText):
1765         (getCaller.obj.1.throw.new.Error.let.func):
1766         (getCaller.obj.1.throw.new.Error):
1767         (throw.new.Error.get let):
1768         (throw.new.Error.):
1769         (throw.new.Error.let.get createBuiltin):
1770         (get let):
1771         (let.get createBuiltin):
1772         (let.func):
1773         (get let.func):
1774         (get throw):
1775
1776 2016-04-05  Saam barati  <sbarati@apple.com>
1777
1778         jsc-layout-tests.yaml/js/script-tests/regress-141098.js failing on Yosemite Debug after r198989
1779         https://bugs.webkit.org/show_bug.cgi?id=156187
1780
1781         Reviewed by Filip Pizlo.
1782
1783         This is a speculative fix. Let's see if this prevents the timeout.
1784
1785         * parser/Parser.cpp:
1786         (JSC::Parser<LexerType>::parseStatementListItem):
1787
1788 2016-04-04  Filip Pizlo  <fpizlo@apple.com>
1789
1790         PolymorphicAccess should have a MegamorphicLoad case
1791         https://bugs.webkit.org/show_bug.cgi?id=156182
1792
1793         Reviewed by Geoffrey Garen and Keith Miller.
1794
1795         This introduces a new case to PolymorphicAccess called MegamorphicLoad. This inlines the lookup in
1796         the PropertyTable. It's cheaper than switching on a huge number of cases and it's cheaper than
1797         calling into C++ to do the same job - particularly since inlining the lookup into an access means
1798         that we can precompute the hash code.
1799
1800         When writing the inline code for the hashtable lookup, I found that our hashing algorithm was not
1801         optimal. It used a double-hashing method for reducing collision pathologies. This is great for
1802         improving the performance of some worst-case scenarios. But this misses the point of a hashtable: we
1803         want to optimize the average-case performance. When optimizing for average-case, we can choose to
1804         either focus on maximizing the likelihood of the fast case happening, or to minimize the cost of the
1805         worst-case, or to minimize the cost of the fast case. Even a very basic hashtable will achieve a high
1806         probability of hitting the fast case. So, doing work to reduce the likelihood of a worst-case
1807         pathology only makes sense if it also preserves the good performance of the fast case, or reduces the
1808         likelihood of the worst-case by so much that it's a win for the average case even with a slow-down in
1809         the fast case.
1810
1811         I don't believe, based on looking at how the double-hashing is implemented, that it's possible that
1812         this preserves the good performance of the fast case. It requires at least one more value to be live
1813         around the loop, and dramatically increases the register pressure at key points inside the loop. The
1814         biggest offender is the doubleHash() method itself. There is no getting around how bad this is: if
1815         the compiler live-range-splits that method to death to avoid degrading register pressure elsewhere
1816         then we will pay a steep price anytime we take the second iteration around the loop; but if the
1817         compiler doesn't split around the call then the hashtable lookup fast path will be full of spills on
1818         some architectures (I performed biological register allocation and found that I needed 9 registers
1819         for complete lookup, while x86-64 has only 6 callee-saves; OTOH ARM64 has 10 callee-saves so it might
1820         be better off).
1821
1822         Hence, this patch changes the hashtable lookup to use simple linear probing. This was not a slow-down
1823         on anything, and it made MegamorphicLoad much more sensible since it is less likely to have to spill.
1824
1825         There are some other small changes in this patch, like rationalizing the IC's choice between giving
1826         up after a repatch (i.e. never trying again) and just pretending that nothing happened (so we can
1827         try to repatch again in the future). It looked like the code in Repatch.cpp was set up to be able to
1828         choose between those options, but we weren't fully taking advantage of it because the
1829         regenerateWithCase() method just returned null for any failure, and didn't say whether it was the
1830         sort of failure that renders the inline cache unrepatchable (like memory allocation failure). Now
1831         this is all made explicit. I wanted to make sure this change happened in this patch since the
1832         MegamorphicLoad code automagically generates a MegamorphicLoad case by coalescing other cases. Since
1833         this is intended to avoid blowing out the cache and making it unrepatchable, I wanted to make sure
1834         that the rules for giving up were something that made sense to me.
1835         
1836         This is a big win on microbenchmarks. It's neutral on traditional JS benchmarks. It's a slight
1837         speed-up for page loading, because many real websites like to have megamorphic property accesses.
1838
1839         * bytecode/PolymorphicAccess.cpp:
1840         (JSC::AccessGenerationResult::dump):
1841         (JSC::AccessGenerationState::addWatchpoint):
1842         (JSC::AccessCase::get):
1843         (JSC::AccessCase::megamorphicLoad):
1844         (JSC::AccessCase::replace):
1845         (JSC::AccessCase::guardedByStructureCheck):
1846         (JSC::AccessCase::couldStillSucceed):
1847         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
1848         (JSC::AccessCase::canReplace):
1849         (JSC::AccessCase::generateWithGuard):
1850         (JSC::AccessCase::generate):
1851         (JSC::PolymorphicAccess::PolymorphicAccess):
1852         (JSC::PolymorphicAccess::~PolymorphicAccess):
1853         (JSC::PolymorphicAccess::regenerateWithCases):
1854         (JSC::PolymorphicAccess::regenerateWithCase):
1855         (WTF::printInternal):
1856         * bytecode/PolymorphicAccess.h:
1857         (JSC::AccessCase::isGet):
1858         (JSC::AccessCase::isPut):
1859         (JSC::AccessCase::isIn):
1860         (JSC::AccessGenerationResult::AccessGenerationResult):
1861         (JSC::AccessGenerationResult::operator==):
1862         (JSC::AccessGenerationResult::operator!=):
1863         (JSC::AccessGenerationResult::operator bool):
1864         (JSC::AccessGenerationResult::kind):
1865         (JSC::AccessGenerationResult::code):
1866         (JSC::AccessGenerationResult::madeNoChanges):
1867         (JSC::AccessGenerationResult::gaveUp):
1868         (JSC::AccessGenerationResult::generatedNewCode):
1869         (JSC::PolymorphicAccess::isEmpty):
1870         (JSC::AccessGenerationState::AccessGenerationState):
1871         * bytecode/StructureStubInfo.cpp:
1872         (JSC::StructureStubInfo::aboutToDie):
1873         (JSC::StructureStubInfo::addAccessCase):
1874         * bytecode/StructureStubInfo.h:
1875         * jit/AssemblyHelpers.cpp:
1876         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1877         (JSC::AssemblyHelpers::loadProperty):
1878         (JSC::emitRandomThunkImpl):
1879         (JSC::AssemblyHelpers::emitRandomThunk):
1880         (JSC::AssemblyHelpers::emitLoadStructure):
1881         * jit/AssemblyHelpers.h:
1882         (JSC::AssemblyHelpers::loadValue):
1883         (JSC::AssemblyHelpers::moveValueRegs):
1884         (JSC::AssemblyHelpers::argumentsStart):
1885         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1886         (JSC::AssemblyHelpers::emitLoadStructure): Deleted.
1887         * jit/GPRInfo.cpp:
1888         (JSC::JSValueRegs::dump):
1889         * jit/GPRInfo.h:
1890         (JSC::JSValueRegs::uses):
1891         * jit/Repatch.cpp:
1892         (JSC::replaceWithJump):
1893         (JSC::tryCacheGetByID):
1894         (JSC::tryCachePutByID):
1895         (JSC::tryRepatchIn):
1896         * jit/ThunkGenerators.cpp:
1897         (JSC::virtualThunkFor):
1898         * runtime/Options.h:
1899         * runtime/PropertyMapHashTable.h:
1900         (JSC::PropertyTable::begin):
1901         (JSC::PropertyTable::find):
1902         (JSC::PropertyTable::get):
1903         * runtime/Structure.h:
1904
1905 2016-04-05  Antoine Quint  <graouts@apple.com>
1906
1907         [WebGL2] Turn the ENABLE_WEBGL2 flag on
1908         https://bugs.webkit.org/show_bug.cgi?id=156061
1909         <rdar://problem/25463193>
1910
1911         Reviewed by Alex Christensen.
1912
1913         * Configurations/FeatureDefines.xcconfig:
1914         * runtime/CommonIdentifiers.h:
1915
1916         Define the conditionalized classes WebGL2RenderingContext and WebGLVertexArrayObject. 
1917
1918 2016-04-04  Zan Dobersek  <zdobersek@igalia.com>
1919
1920         Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads
1921         https://bugs.webkit.org/show_bug.cgi?id=156161
1922
1923         Reviewed by Yusuke Suzuki.
1924
1925         r197641 added a couple of callOperation(J_JITOperation_EGReoJ, ...) overloads
1926         that handle arguments split into the tag and the payload. The two were split
1927         between the last argument register and the stack on 32-bit ARM EABI systems,
1928         causing incorrect behavior.
1929
1930         Adding EABI_32BIT_DUMMY_ARG pushes the tag and payload together onto the
1931         stack, removing the issue.
1932
1933         * dfg/DFGSpeculativeJIT.h:
1934         (JSC::DFG::SpeculativeJIT::callOperation):
1935
1936 2016-04-04  Joseph Pecoraro  <pecoraro@apple.com>
1937
1938         Avoid copying ModuleLoaderObject.js to resources bundle
1939         https://bugs.webkit.org/show_bug.cgi?id=156188
1940         <rdar://problem/25534383>
1941
1942         Reviewed by Alexey Proskuryakov.
1943
1944         * JavaScriptCore.xcodeproj/project.pbxproj:
1945
1946 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
1947
1948         Unreviewed, rolling out r199016.
1949         https://bugs.webkit.org/show_bug.cgi?id=156140
1950
1951         "Regressed Octane and Kraken on the perf bots."
1952
1953         Reverted changeset:
1954
1955         CopiedBlock should be 16kB
1956         https://bugs.webkit.org/show_bug.cgi?id=156168
1957         http://trac.webkit.org/changeset/199016
1958
1959 2016-04-04  Benjamin Poulain  <bpoulain@apple.com>
1960
1961         [JSC][x86] Fix an assertion in MacroAssembler::branch8()
1962         https://bugs.webkit.org/show_bug.cgi?id=156181
1963
1964         Reviewed by Geoffrey Garen.
1965
1966         * assembler/MacroAssemblerX86Common.h:
1967         (JSC::MacroAssemblerX86Common::branch8):
1968         The test was wrong because valid negative numbers have ones
1969         in the top bits.
1970
1971         I replaced the assertion to be explicit about the valid range.
1972
1973 2016-04-04  Chris Dumez  <cdumez@apple.com>
1974
1975         Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings
1976         https://bugs.webkit.org/show_bug.cgi?id=156136
1977         <rdar://problem/25410767>
1978
1979         Reviewed by Ryosuke Niwa.
1980
1981         Add a few more identifiers for using in the generated bindings.
1982
1983         * runtime/CommonIdentifiers.h:
1984
1985 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
1986
1987         CopiedBlock should be 16kB
1988         https://bugs.webkit.org/show_bug.cgi?id=156168
1989
1990         Reviewed by Mark Lam.
1991
1992         MarkedBlock is 16kB, and bmalloc's largest fast-path allocation is 16kB,
1993         and the largest page size on Apple devices is 16kB -- so this change
1994         should improve sharing and recycling and keep us on the fast path more.
1995
1996         32kB is also super aggro. At 16kB, we support allocations up to 8kB,
1997         which covers 99.3% of allocations on facebook.com. The 32kB block size
1998         only covered an additional 0.2% of allocations.
1999
2000         * heap/CopiedBlock.h:
2001
2002 2016-04-04  Carlos Garcia Campos  <cgarcia@igalia.com>
2003
2004         REGRESSION(r198792): [GTK] Inspector crashes in Inspector::Protocol::getEnumConstantValue since r198792
2005         https://bugs.webkit.org/show_bug.cgi?id=155745
2006         <rdar://problem/25289456>
2007
2008         Reviewed by Brian Burg.
2009
2010         The problem is that we are generating the Inspector::Protocol::getEnumConstantValue() method and the
2011         enum_constant_values array for every framework that has enum values. So, in the case of the GTK port we have two
2012         implementations, one for the inspector in JavaScriptCore and another one for Web Automation in WebKit2, but when
2013         using the inspector in WebKit2 we always end up using the one in WebKit2. Since the enum_constant_values array
2014         is smaller in WebKit2 than the one in JavaScriptCore, we crash every time we receive an enum value higher than
2015         the array size. We need to disambiguate the getEnumConstantValue() generated and used for every framework, so we
2016         can use a specific namespace for the enum conversion methods.
2017
2018         * inspector/agents/InspectorDebuggerAgent.cpp:
2019         (Inspector::breakpointActionTypeForString): Use Inspector::Protocol::InspectorHelpers.
2020         * inspector/scripts/codegen/cpp_generator.py:
2021         (CppGenerator.helpers_namespace): Return the namespace name that should be used for the helper methods.
2022         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2023         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): Use
2024         CppGenerator.helpers_namespace() to use the right namespace when using getEnumConstantValue().
2025         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Ditto.
2026         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2027         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): Ditto.
2028         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2029         (CppProtocolTypesHeaderGenerator.generate_output): Move declaration of getEnumConstantValue to a helper function.
2030         (_generate_enum_constant_value_conversion_methods): Do not emit any code if there aren't enums and ensure all
2031         conversion methods are declared inside the helpers namespace.
2032         (_generate_builder_setter_for_member): Use CppGenerator.helpers_namespace() to use the right namespace when
2033         using getEnumConstantValue().
2034         (_generate_unchecked_setter_for_member): Ditto.
2035         (_generate_declarations_for_enum_conversion_methods): Return a list instead of a string so that we can return an
2036         empty list in case of not emitting any code. The caller will use extend() that has no effect when an empty list
2037         is passed.
2038         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2039         (CppProtocolTypesImplementationGenerator.generate_output): Use the new helper function to generate both the enum
2040         mapping and conversion methods inside the helpers namespace.
2041         (CppProtocolTypesImplementationGenerator._generate_enum_mapping): Return a list instead of a string so that we
2042         can return an empty list in case of not emitting any code.
2043         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods): Ensure we only emit
2044         code when there are enum values, and it's generated inside the helpers namespace.
2045         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2046         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2047         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2048         * inspector/scripts/tests/expected/enum-values.json-result:
2049         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2050         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2051         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2052         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2053         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2054         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2055         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2056         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2057         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2058
2059 2016-04-04  Csaba Osztrogonác  <ossy@webkit.org>
2060
2061         Unreviewed ARM buildfix after r198981.
2062
2063         * assembler/MacroAssemblerARM.h:
2064         (JSC::MacroAssemblerARM::roundTowardZeroDouble):
2065
2066 2016-04-03  Saam barati  <sbarati@apple.com>
2067
2068         Implement Annex B.3.3 function hoisting rules for function code
2069         https://bugs.webkit.org/show_bug.cgi?id=155672
2070
2071         Reviewed by Geoffrey Garen.
2072
2073         The spec states that functions declared inside a function
2074         inside a block scope are subject to the rules of Annex B.3.3:
2075         https://tc39.github.io/ecma262/#sec-block-level-function-declarations-web-legacy-compatibility-semantics
2076
2077         The rule states that functions declared in such blocks should
2078         be local bindings of the block. If declaring the function's name
2079         as a "var" in the function would not lead to a syntax error (i.e.,
2080         if we don't have a let/const/class variable with the same name)
2081         and if we don't have a parameter with the same name, then we
2082         implicitly also declare the function name as a "var". When evaluating
2083         the block statement we bind the hoisted "var" to be the value
2084         of the local function binding.
2085
2086         There is one more thing we do for web compatibility. We allow
2087         function declarations inside if/else statements that aren't
2088         blocks. For such statements, we transform the code as if the
2089         function were declared inside a block statement. For example:
2090         ``` function foo() { if (cond) function baz() { } }```
2091         is transformed into:
2092         ``` function foo() { if (cond) { function baz() { } } }```
2093
2094         * bytecompiler/BytecodeGenerator.cpp:
2095         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2096         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
2097         * bytecompiler/BytecodeGenerator.h:
2098         * parser/Nodes.cpp:
2099         (JSC::ScopeNode::ScopeNode):
2100         (JSC::ProgramNode::ProgramNode):
2101         (JSC::ModuleProgramNode::ModuleProgramNode):
2102         (JSC::EvalNode::EvalNode):
2103         (JSC::FunctionNode::FunctionNode):
2104         * parser/Nodes.h:
2105         (JSC::ScopeNode::hasCapturedVariables):
2106         (JSC::ScopeNode::captures):
2107         (JSC::ScopeNode::hasSloppyModeHoistedFunction):
2108         (JSC::ScopeNode::varDeclarations):
2109         (JSC::ProgramNode::startColumn):
2110         (JSC::ProgramNode::endColumn):
2111         (JSC::EvalNode::startColumn):
2112         (JSC::EvalNode::endColumn):
2113         (JSC::ModuleProgramNode::startColumn):
2114         (JSC::ModuleProgramNode::endColumn):
2115         * parser/Parser.cpp:
2116         (JSC::Parser<LexerType>::Parser):
2117         (JSC::Parser<LexerType>::parseInner):
2118         (JSC::Parser<LexerType>::didFinishParsing):
2119         (JSC::Parser<LexerType>::parseStatement):
2120         (JSC::Parser<LexerType>::parseIfStatement):
2121         * parser/Parser.h:
2122         (JSC::Scope::declareVariable):
2123         (JSC::Scope::declareFunction):
2124         (JSC::Scope::addSloppyModeHoistableFunctionCandidate):
2125         (JSC::Scope::appendFunction):
2126         (JSC::Scope::declareParameter):
2127         (JSC::Scope::mergeInnerArrowFunctionFeatures):
2128         (JSC::Scope::getSloppyModeHoistedFunctions):
2129         (JSC::Scope::getCapturedVars):
2130         (JSC::ScopeRef::containingScope):
2131         (JSC::ScopeRef::operator==):
2132         (JSC::ScopeRef::operator!=):
2133         (JSC::Parser::declareFunction):
2134         (JSC::Parser::hasDeclaredVariable):
2135         (JSC::Parser::isFunctionMetadataNode):
2136         (JSC::Parser::DepthManager::DepthManager):
2137         (JSC::Parser<LexerType>::parse):
2138         * parser/VariableEnvironment.h:
2139         (JSC::VariableEnvironmentEntry::isImported):
2140         (JSC::VariableEnvironmentEntry::isImportedNamespace):
2141         (JSC::VariableEnvironmentEntry::isFunction):
2142         (JSC::VariableEnvironmentEntry::isParameter):
2143         (JSC::VariableEnvironmentEntry::isSloppyModeHoistingCandidate):
2144         (JSC::VariableEnvironmentEntry::setIsCaptured):
2145         (JSC::VariableEnvironmentEntry::setIsConst):
2146         (JSC::VariableEnvironmentEntry::setIsImported):
2147         (JSC::VariableEnvironmentEntry::setIsImportedNamespace):
2148         (JSC::VariableEnvironmentEntry::setIsFunction):
2149         (JSC::VariableEnvironmentEntry::setIsParameter):
2150         (JSC::VariableEnvironmentEntry::setIsSloppyModeHoistingCandidate):
2151         (JSC::VariableEnvironmentEntry::clearIsVar):
2152         * runtime/CodeCache.h:
2153         (JSC::SourceCodeValue::SourceCodeValue):
2154         * runtime/JSScope.cpp:
2155         * runtime/JSScope.h:
2156         * tests/es6.yaml:
2157         * tests/stress/sloppy-mode-function-hoisting.js: Added.
2158         (assert):
2159         (test):
2160         (falsey):
2161         (truthy):
2162         (test.):
2163         (test.a):
2164         (test.f):
2165         (test.let.funcs.f):
2166         (test.catch.f):
2167         (test.foo):
2168         (test.bar):
2169         (test.switch.case.0):
2170         (test.else.f):
2171         (test.b):
2172         (test.c):
2173         (test.d):
2174         (test.e):
2175         (test.g):
2176         (test.h):
2177         (test.i):
2178         (test.j):
2179         (test.k):
2180         (test.l):
2181         (test.m):
2182         (test.n):
2183         (test.o):
2184         (test.p):
2185         (test.q):
2186         (test.r):
2187         (test.s):
2188         (test.t):
2189         (test.u):
2190         (test.v):
2191         (test.w):
2192         (test.x):
2193         (test.y):
2194         (test.z):
2195         (foo):
2196         (bar):
2197         (falsey.bar):
2198         (baz):
2199         (falsey.baz):
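
        The hoisting rules described in the entry above, as an added example that is not taken from the
        WebKit test file. Each snippet is built with the Function constructor (the `sloppyFunction` helper
        is ours) so that it is always parsed as sloppy-mode code, whatever mode this file itself runs in.

```javascript
// Build a function from source text with the Function constructor. Code created
// this way is sloppy-mode unless the body itself opts into strict mode, which is
// what Annex B.3.3 requires for the legacy hoisting to apply.
function sloppyFunction(params, body) {
  return new Function(params, body);
}

// Case 1: plain block. "f" is a block-local binding, and because "var f" would be
// legal in this function, a function-scope var binding is created as well. It is
// undefined until the block has run, then it holds the function.
const plainBlock = sloppyFunction("", `
  var before = typeof f;
  { function f() { return "inner"; } }
  var after = typeof f;
  return [before, after];
`);
// plainBlock() -> ["undefined", "function"]

// Case 2: a "let" with the same name in the function scope. "var f" would be a
// SyntaxError here, so no var binding is created and the let is untouched.
const conflictingLet = sloppyFunction("", `
  let f = "outer let";
  { function f() { return "inner"; } }
  return f;
`);
// conflictingLet() -> "outer let"

// Case 3: a parameter with the same name. Annex B skips the hoisting, so the
// parameter keeps whatever value was passed in.
const conflictingParameter = sloppyFunction("f", `
  { function f() { return "inner"; } }
  return f;
`);
// conflictingParameter("argument") -> "argument"

// Case 4: a declaration directly inside an if statement without braces. It is
// treated as if it were wrapped in a block, so the same hoisting applies.
const ifWithoutBraces = sloppyFunction("cond", `
  if (cond) function g() { return "declared in if"; }
  return typeof g === "function" ? g() : typeof g;
`);
// ifWithoutBraces(true) -> "declared in if"; ifWithoutBraces(false) -> "undefined"

// Case 5: strict mode opts out of Annex B. The function stays block-scoped and
// nothing is visible at function scope.
const strictBlock = sloppyFunction("", `
  "use strict";
  { function f() { return "inner"; } }
  return typeof f;
`);
// strictBlock() -> "undefined"
```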
2200
2201 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2202
2203         Unreviewed, turn ES6 for-in loop test success
2204         https://bugs.webkit.org/show_bug.cgi?id=155451
2205
2206         * tests/es6.yaml:
2207
2208 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2209
2210         [JSC] Add truncate operation (rounding to zero)
2211         https://bugs.webkit.org/show_bug.cgi?id=156072
2212
2213         Reviewed by Saam Barati.
2214
2215         Add TruncIntrinsic for Math.trunc. DFG handles it as ArithTrunc.
2216         In DFG, ArithTrunc behaves similar to ArithRound, ArithCeil, and ArithFloor.
2217         ArithTrunc rounds the value towards zero.
2218
2219         And we rewrite @toInteger to use @trunc instead of @abs, @floor, negation and branch.
2220         This is completely the same as what we do in JSValue::toInteger.
2221
2222         Since DFG recognizes it, DFG can convert ArithTrunc to Identity if the given argument is Int32.
2223         This is useful because almost all the arguments are Int32 in the @toLength -> @toInteger -> @trunc case.
2224         In such cases, we can eliminate the trunc() call.
2225
2226         As a bonus, to speed up Math.trunc operation, we use x86 SSE round and frintz in ARM64 for ArithRound.
2227         In DFG, we emit these instructions. In FTL, we use Patchpoint to emit these instructions to avoid adding a new B3 IR.
2228
2229         * assembler/MacroAssemblerARM64.h:
2230         (JSC::MacroAssemblerARM64::roundTowardZeroDouble):
2231         (JSC::MacroAssemblerARM64::roundTowardZeroFloat):
2232         * assembler/MacroAssemblerARMv7.h:
2233         (JSC::MacroAssemblerARMv7::roundTowardZeroDouble):
2234         * assembler/MacroAssemblerMIPS.h:
2235         (JSC::MacroAssemblerMIPS::roundTowardZeroDouble):
2236         * assembler/MacroAssemblerSH4.h:
2237         (JSC::MacroAssemblerSH4::roundTowardZeroDouble):
2238         * assembler/MacroAssemblerX86Common.h:
2239         (JSC::MacroAssemblerX86Common::roundTowardZeroDouble):
2240         (JSC::MacroAssemblerX86Common::roundTowardZeroFloat):
2241         * builtins/GlobalObject.js:
2242         (toInteger):
2243         * dfg/DFGAbstractInterpreterInlines.h:
2244         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2245         * dfg/DFGByteCodeParser.cpp:
2246         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2247         * dfg/DFGClobberize.h:
2248         (JSC::DFG::clobberize):
2249         * dfg/DFGDoesGC.cpp:
2250         (JSC::DFG::doesGC):
2251         * dfg/DFGFixupPhase.cpp:
2252         (JSC::DFG::FixupPhase::fixupNode):
2253         * dfg/DFGGraph.h:
2254         (JSC::DFG::Graph::roundShouldSpeculateInt32):
2255         * dfg/DFGNode.h:
2256         (JSC::DFG::Node::arithNodeFlags):
2257         (JSC::DFG::Node::hasHeapPrediction):
2258         (JSC::DFG::Node::hasArithRoundingMode):
2259         * dfg/DFGNodeType.h:
2260         * dfg/DFGPredictionPropagationPhase.cpp:
2261         (JSC::DFG::PredictionPropagationPhase::propagate):
2262         * dfg/DFGSafeToExecute.h:
2263         (JSC::DFG::safeToExecute):
2264         * dfg/DFGSpeculativeJIT.cpp:
2265         (JSC::DFG::SpeculativeJIT::compileArithRounding):
2266         * dfg/DFGSpeculativeJIT.h:
2267         * dfg/DFGSpeculativeJIT32_64.cpp:
2268         (JSC::DFG::SpeculativeJIT::compile):
2269         * dfg/DFGSpeculativeJIT64.cpp:
2270         (JSC::DFG::SpeculativeJIT::compile):
2271         * ftl/FTLCapabilities.cpp:
2272         (JSC::FTL::canCompile):
2273         * ftl/FTLLowerDFGToB3.cpp:
2274         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2275         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
2276         * ftl/FTLOutput.cpp:
2277         (JSC::FTL::Output::doubleTrunc):
2278         * ftl/FTLOutput.h:
2279         * jit/ThunkGenerators.cpp:
2280         (JSC::truncThunkGenerator):
2281         * jit/ThunkGenerators.h:
2282         * runtime/CommonIdentifiers.h:
2283         * runtime/Intrinsic.h:
2284         * runtime/JSGlobalObject.cpp:
2285         (JSC::JSGlobalObject::init):
2286         * runtime/MathObject.cpp:
2287         (JSC::MathObject::finishCreation):
2288         * runtime/MathObject.h:
2289         * runtime/VM.cpp:
2290         (JSC::thunkGeneratorForIntrinsic):
2291         * tests/stress/math-rounding-infinity.js:
2292         (testTrunc):
2293         * tests/stress/math-rounding-nan.js:
2294         (testTrunc):
2295         * tests/stress/math-rounding-negative-zero.js:
2296         (testTrunc):
2297         * tests/stress/math-trunc-arith-rounding-mode.js: Added.
2298         (firstCareAboutZeroSecondDoesNot):
2299         (firstDoNotCareAboutZeroSecondDoes):
2300         (warmup):
2301         (verifyNegativeZeroIsPreserved):
2302         * tests/stress/math-trunc-basics.js: Added.
2303         (mathTruncOnIntegers):
2304         (mathTruncOnDoubles):
2305         (mathTruncOnBooleans):
2306         (uselessMathTrunc):
2307         (mathTruncWithOverflow):
2308         (mathTruncConsumedAsDouble):
2309         (mathTruncDoesNotCareAboutMinusZero):
2310         (mathTruncNoArguments):
2311         (mathTruncTooManyArguments):
2312         (testMathTruncOnConstants):
2313         (mathTruncStructTransition):
2314         (Math.trunc):
2315         * tests/stress/math-trunc-should-be-truncate.js: Added.
2316         (mathTrunc):
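
        The two formulations of @toInteger mentioned above, written in plain JavaScript as an added example.
        This is not the engine's builtin source: `toIntegerViaFloor` and `toIntegerViaTrunc` are our own
        reconstructions of the abs/floor/negation/branch form and of the trunc form, and the sample inputs
        are constructed here.

```javascript
// Old formulation (reconstructed): floor the magnitude, then restore the sign
// with a negation and a branch.
function toIntegerViaFloor(value) {
  const n = Number(value);
  if (n !== n) return 0;                        // NaN -> +0
  const magnitude = Math.floor(Math.abs(n));
  return n < 0 ? -magnitude : magnitude;
}

// New formulation (reconstructed): truncation toward zero does the same job
// in a single step, which is what JSValue::toInteger does natively.
function toIntegerViaTrunc(value) {
  const n = Number(value);
  if (n !== n) return 0;                        // NaN -> +0
  return Math.trunc(n);
}

// Constructed sample inputs covering the rounding edge cases the entry's tests
// are named after: infinities, NaN, negative zero, plus a few non-numbers that
// go through Number() conversion first.
const SAMPLES = [3.7, -3.7, 0.5, -0.5, 0, -0, NaN, Infinity, -Infinity,
                 "42.9", " -7 ", true, null, undefined, 2 ** 53 + 2];

// Compare both formulations on every sample. Under === they agree everywhere;
// Object.is additionally distinguishes -0 from +0 and reveals the one input
// where the two forms differ in the sign of zero.
function compareFormulations(samples = SAMPLES) {
  const looseMismatches = [];        // results that differ under ===
  const signedZeroMismatches = [];   // === equal, but Object.is differs (+0 vs -0)
  for (const sample of samples) {
    const viaFloor = toIntegerViaFloor(sample);
    const viaTrunc = toIntegerViaTrunc(sample);
    if (viaFloor !== viaTrunc) looseMismatches.push(sample);
    else if (!Object.is(viaFloor, viaTrunc)) signedZeroMismatches.push(sample);
  }
  return { looseMismatches, signedZeroMismatches };
}
// compareFormulations() -> { looseMismatches: [], signedZeroMismatches: [-0] }
```

        Math.trunc preserves the sign of zero, so the trunc form returns -0 for an input of -0 where the
        floor-and-branch form returns +0; the results are still === equal, which is all callers such as
        @toLength observe.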
2317
2318 2016-04-03  Skachkov Oleksandr  <gskachkov@gmail.com>
2319
2320         [ES6] Class syntax. Access to new.target inside of the eval should not lead to SyntaxError
2321         https://bugs.webkit.org/show_bug.cgi?id=155545
2322
2323         Reviewed by Saam Barati.
2324
2325         The current patch allows invoking new.target in eval if this eval is executed within a function;
2326         otherwise this will lead to a syntax error.
2327
2328         * bytecode/EvalCodeCache.h:
2329         (JSC::EvalCodeCache::getSlow):
2330         * bytecode/ExecutableInfo.h:
2331         (JSC::ExecutableInfo::ExecutableInfo):
2332         (JSC::ExecutableInfo::evalContextType):
2333         * bytecode/UnlinkedCodeBlock.cpp:
2334         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2335         * bytecode/UnlinkedCodeBlock.h:
2336         (JSC::UnlinkedCodeBlock::evalContextType):
2337         * bytecode/UnlinkedFunctionExecutable.cpp:
2338         (JSC::generateUnlinkedFunctionCodeBlock):
2339         * debugger/DebuggerCallFrame.cpp:
2340         (JSC::DebuggerCallFrame::evaluate):
2341         * interpreter/Interpreter.cpp:
2342         (JSC::eval):
2343         * parser/Parser.cpp:
2344         (JSC::Parser<LexerType>::Parser):
2345         (JSC::Parser<LexerType>::parseMemberExpression):
2346         * parser/Parser.h:
2347         (JSC::Scope::Scope):
2348         (JSC::Scope::setEvalContextType):
2349         (JSC::Scope::evalContextType):
2350         (JSC::parse):
2351         * runtime/CodeCache.cpp:
2352         (JSC::CodeCache::getGlobalCodeBlock):
2353         (JSC::CodeCache::getProgramCodeBlock):
2354         (JSC::CodeCache::getEvalCodeBlock):
2355         (JSC::CodeCache::getModuleProgramCodeBlock):
2356         * runtime/CodeCache.h:
2357         * runtime/Executable.cpp:
2358         (JSC::ScriptExecutable::ScriptExecutable):
2359         (JSC::EvalExecutable::create):
2360         (JSC::EvalExecutable::EvalExecutable):
2361         (JSC::ProgramExecutable::ProgramExecutable):
2362         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2363         (JSC::FunctionExecutable::FunctionExecutable):
2364         * runtime/Executable.h:
2365         (JSC::ScriptExecutable::evalContextType):
2366         * runtime/JSGlobalObject.cpp:
2367         (JSC::JSGlobalObject::createEvalCodeBlock):
2368         * runtime/JSGlobalObjectFunctions.cpp:
2369         (JSC::globalFuncEval):
2370         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
2371         * tests/stress/new-target.js:
2372
2373 2016-04-02  Commit Queue  <commit-queue@webkit.org>
2374
2375         Unreviewed, rolling out r198976.
2376         https://bugs.webkit.org/show_bug.cgi?id=156140
2377
2378         "Causes js/regress/array-nonarray-polymorhpic-access.html to
2379         crash." (Requested by ddkilzer on #webkit).
2380
2381         Reverted changeset:
2382
2383         "[JSC] Initialize SSA's live values at tail lazily"
2384         https://bugs.webkit.org/show_bug.cgi?id=156126
2385         http://trac.webkit.org/changeset/198976
2386
2387 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
2388
2389         [JSC] Initialize SSA's live values at tail lazily
2390         https://bugs.webkit.org/show_bug.cgi?id=156126
2391
2392         Reviewed by Mark Lam.
2393
2394         Setting up the clean state early looks harmless but it is
2395         actually quite expensive.
2396
2397         The problem is AbstractValue is gigantic, you really want
2398         to minimize how much you touch that memory.
2399
2400         By removing the initialization, most blocks only
2401         get 2 or 3 accesses. Once to setup the value, and a few
2402         queries for merging the current block with the successors.
2403
2404         * dfg/DFGInPlaceAbstractState.cpp:
2405         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2406         (JSC::DFG::setLiveValues): Deleted.
2407         (JSC::DFG::InPlaceAbstractState::initialize): Deleted.
2408
2409 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
2410
2411         [JSC] Add an option to avoid disassembling baseline code for the JSC Profiler
2412         https://bugs.webkit.org/show_bug.cgi?id=156127
2413
2414         Reviewed by Mark Lam.
2415
2416         The profiler runs out of memory on big programs if you dump
2417         the baseline disassembly.
2418
2419         * jit/JIT.cpp:
2420         (JSC::JIT::privateCompile):
2421         * runtime/Options.h:
2422
2423 2016-04-02  Dan Bernstein  <mitz@apple.com>
2424
2425         jsc binary embedded in relocatable JavaScriptCore.framework links against system JavaScriptCore.framework
2426         https://bugs.webkit.org/show_bug.cgi?id=156134
2427         <rdar://problem/25443824>
2428
2429         Reviewed by Mark Lam.
2430
2431         * Configurations/JSC.xcconfig: Define WK_RELOCATABLE_FRAMEWORKS_LDFLAGS when building
2432           relocatable frameworks to include a -dyld_env option setting DYLD_FRAMEWORK_PATH to point
2433           to the directory containing JavaScript.framework, and add
2434           WK_RELOCATABLE_FRAMEWORKS_LDFLAGS to OTHER_LDFLAGS.
2435
2436 2016-04-01  Benjamin Poulain  <bpoulain@apple.com>
2437
2438         [JSC][x86] Add the 3-operand form of floating point subtraction
2439         https://bugs.webkit.org/show_bug.cgi?id=156095
2440
2441         Reviewed by Geoffrey Garen.
2442
2443         Same old, same old. Add the AVX form of subsd and subss.
2444
2445         Unfortunately, we cannot benefit from the 3 register form
2446         in B3 yet because the Air script does not support CPU flags yet.
2447         That can be fixed later.
2448
2449         * assembler/MacroAssemblerX86Common.h:
2450         (JSC::MacroAssemblerX86Common::subDouble):
2451         (JSC::MacroAssemblerX86Common::subFloat):
2452         * assembler/X86Assembler.h:
2453         (JSC::X86Assembler::vsubsd_rr):
2454         (JSC::X86Assembler::subsd_mr):
2455         (JSC::X86Assembler::vsubsd_mr):
2456         (JSC::X86Assembler::vsubss_rr):
2457         (JSC::X86Assembler::subss_mr):
2458         (JSC::X86Assembler::vsubss_mr):
2459         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2460         * b3/air/AirOpcode.opcodes:
2461
2462 2016-04-01  Alberto Garcia  <berto@igalia.com>
2463
2464         [JSC] Missing PATH_MAX definition
2465         https://bugs.webkit.org/show_bug.cgi?id=156102
2466
2467         Reviewed by Yusuke Suzuki.
2468
2469         Not all systems define PATH_MAX, so add a fallback value that is
2470         long enough.
2471
2472         * jsc.cpp:
2473
2474 2016-03-31  Benjamin Poulain  <bpoulain@apple.com>
2475
2476         [JSC] CFA's valuesAtHead should be a list, not a map
2477         https://bugs.webkit.org/show_bug.cgi?id=156087
2478
2479         Reviewed by Mark Lam.
2480
2481         One more step toward moving to the Air-style of liveness analysis:
2482
2483         Make DFG's valuesAtHead a list of Node*-AbstractValue.
2484         This patch alone is already a speedup because our many CFAs
2485         spend an unreasonable amount of time updating at block boundaries.
2486
2487         * dfg/DFGBasicBlock.h:
2488         * dfg/DFGCFAPhase.cpp:
2489         (JSC::DFG::CFAPhase::performBlockCFA):
2490         * dfg/DFGGraph.cpp:
2491         (JSC::DFG::Graph::dump):
2492         * dfg/DFGInPlaceAbstractState.cpp:
2493         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2494         (JSC::DFG::setLiveValues):
2495         (JSC::DFG::InPlaceAbstractState::merge):
2496         * dfg/DFGNode.h:
2497         (JSC::DFG::nodeValuePairComparator):
2498         (JSC::DFG::nodeValuePairListDump):
2499
2500 2016-03-31  Saam barati  <sbarati@apple.com>
2501
2502         Revert rewrite const as var workaround
2503         https://bugs.webkit.org/show_bug.cgi?id=155393
2504
2505         Reviewed by Mark Lam.
2506
2507         * parser/Parser.h:
2508         (JSC::Parser::next):
2509         (JSC::Parser::nextExpectIdentifier):
2510         * runtime/VM.h:
2511         (JSC::VM::setShouldRewriteConstAsVar): Deleted.
2512         (JSC::VM::shouldRewriteConstAsVar): Deleted.
2513
2514 2016-03-31  Saam barati  <sbarati@apple.com>
2515
2516         [ES6] Disallow var assignments in for-in loops
2517         https://bugs.webkit.org/show_bug.cgi?id=155451
2518
2519         Reviewed by Mark Lam.
2520
2521         We're doing this in its own patch instead of the patch for https://bugs.webkit.org/show_bug.cgi?id=155384
2522         because last time we made this change it broke some websites. Let's try making
2523         it again because it's what ES6 mandates. If it still breaks things we will
2524         roll it out.
2525
2526         * parser/Parser.cpp:
2527         (JSC::Parser<LexerType>::parseForStatement):
2528
2529 2016-03-31  Saam barati  <sbarati@apple.com>
2530
2531         parsing arrow function expressions slows down the parser by 8%, let's recoup some loss
2532         https://bugs.webkit.org/show_bug.cgi?id=155988
2533
2534         Reviewed by Benjamin Poulain.
2535
2536         We used to eagerly check if we're parsing an arrow function.
2537         We did this inside parseAssignmentExpression(), and it was
2538         very costly. The reason it was costly is that arrow functions
2539         might start with an identifier. This means anytime we saw an
2540         identifier we would have to do a lookahead, and then most likely
2541         backtrack because more often than not, we wouldn't see "=>"
2542         as the next token.
2543
2544         In this patch I implement a new approach. We just parse
2545         the lhs of an assignment expression eagerly without doing any
2546         lookahead. Retroactively, if we see that we might have started
2547         with an arrow function, and we don't have a valid lhs or the
2548         next token is a "=>", we try to parse as an arrow function.
2549
2550         Here are a few examples motivating why this is valid:
2551
2552         `x => x`
2553         In this example:
2554         - "x" is a valid arrow function starting point.
2555         - "x" also happens to be a valid lhs
2556         - because we see "=>" as the next token, we parse as an arrow function and succeed.
2557
2558         `(x) => x`
2559         In this example:
2560         - "(" is a valid arrow function starting point.
2561         - "(x)" also happens to be a valid lhs
2562         - because we see "=>" as the next token, we parse as an arrow function and succeed.
2563
2564         `({x = 30}) => x;`
2565         In this example:
2566         - "(" is a valid arrow function starting point.
2567         - "({x = 30})" is NOT a valid lhs. Because of this, we try to parse it as an arrow function and succeed.
2568
2569         There is one interesting implementation detail where we might
2570         parse something that is both a valid LHS but happens
2571         to actually be the arrow function parameters. The valid LHS
2572         parsing might declare such variables as "uses" which would cause 
2573         weird capture analysis. This patch also introduces a mechanism
2574         to backtrack on used variable analysis.
2575
2576         This is a 3.5%-4.5% octane code load speedup.
2577
2578         * parser/Lexer.h:
2579         (JSC::Lexer::sawError):
2580         (JSC::Lexer::setSawError):
2581         (JSC::Lexer::getErrorMessage):
2582         (JSC::Lexer::setErrorMessage):
2583         (JSC::Lexer::sourceURL):
2584         (JSC::Lexer::sourceMappingURL):
2585         * parser/Parser.cpp:
2586         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2587         (JSC::Parser<LexerType>::parseAssignmentExpression):
2588         (JSC::Parser<LexerType>::parsePrimaryExpression):
2589         * parser/Parser.h:
2590         (JSC::Scope::Scope):
2591         (JSC::Scope::startSwitch):
2592         (JSC::Scope::declareParameter):
2593         (JSC::Scope::usedVariablesContains):
2594         (JSC::Scope::useVariable):
2595         (JSC::Scope::pushUsedVariableSet):
2596         (JSC::Scope::currentUsedVariablesSize):
2597         (JSC::Scope::revertToPreviousUsedVariables):
2598         (JSC::Scope::setNeedsFullActivation):
2599         (JSC::Scope::needsFullActivation):
2600         (JSC::Scope::isArrowFunctionBoundary):
2601         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
2602         (JSC::Scope::collectFreeVariables):
2603         (JSC::Scope::fillParametersForSourceProviderCache):
2604         (JSC::Scope::restoreFromSourceProviderCache):
2605         (JSC::Scope::setIsModule):
2606
2607 2016-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2608
2609         Fails to build in Linux / PowerPC due to different ucontext_t definition
2610         https://bugs.webkit.org/show_bug.cgi?id=156015
2611
2612         Reviewed by Michael Catanzaro.
2613
2614         PPC does not have mcontext_t in ucontext_t::uc_mcontext.
2615         So we use a special way to retrieve mcontext_t on PPC.
2616
2617         * heap/MachineStackMarker.cpp:
2618         (pthreadSignalHandlerSuspendResume):
2619
2620 2016-03-31  Benjamin Poulain  <benjamin@webkit.org>
2621
2622         [JSC][x86] Add the indexed forms of floating point addition and multiplication
2623         https://bugs.webkit.org/show_bug.cgi?id=156058
2624
2625         Reviewed by Geoffrey Garen.
2626
2627         B3 supports lowering [base, index] addresses into
2628         arbitrary instructions but we were not using that feature.
2629
2630         This patch adds the missing support for the lowering
2631         of Add and Mul.
2632
2633         * assembler/MacroAssemblerX86Common.h:
2634         (JSC::MacroAssemblerX86Common::addDouble):
2635         (JSC::MacroAssemblerX86Common::addFloat):
2636         (JSC::MacroAssemblerX86Common::mulDouble):
2637         (JSC::MacroAssemblerX86Common::mulFloat):
2638         * assembler/X86Assembler.h:
2639         (JSC::X86Assembler::addsd_mr):
2640         (JSC::X86Assembler::vaddsd_mr):
2641         (JSC::X86Assembler::addss_mr):
2642         (JSC::X86Assembler::vaddss_mr):
2643         (JSC::X86Assembler::mulsd_mr):
2644         (JSC::X86Assembler::vmulsd_mr):
2645         (JSC::X86Assembler::mulss_mr):
2646         (JSC::X86Assembler::vmulss_mr):
2647         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2648         * b3/B3LowerToAir.cpp:
2649         (JSC::B3::Air::LowerToAir::appendBinOp):
2650         Unlike the Addr form, we never need to transform a Tmp
2651         into an Index for spilling.
2652
2653         Instead of duplicating all the code in MacroAssembler, I can
2654         just have the lowering phase try using addresses for the first
2655         argument when possible.
2656
2657         * b3/air/AirOpcode.opcodes:
2658         * b3/air/testair.cpp:
2659         (JSC::B3::Air::testX86VMULSDBaseNeedsRex):
2660         (JSC::B3::Air::testX86VMULSDIndexNeedsRex):
2661         (JSC::B3::Air::testX86VMULSDBaseIndexNeedRex):
2662         (JSC::B3::Air::run):
2663
2664 2016-03-31  Saam barati  <sbarati@apple.com>
2665
2666         DFG JIT bug in typeof constant folding where the input to typeof is an object or function
2667         https://bugs.webkit.org/show_bug.cgi?id=156034
2668         <rdar://problem/25446785>
2669
2670         Reviewed by Ryosuke Niwa.
2671
2672         AI would constant fold TypeOf to the string "object" if it saw that
2673         its input type didn't expand past the types contained in the set 
2674         "SpecObject - SpecObjectOther". But, SpecObject contains SpecFunction.
2675         And typeof of a function should return "function". This patch fixes
2676         this bug by making sure we constant fold to object iff the type
2677         doesn't expand past the set "SpecObject - SpecObjectOther - SpecFunction".
2678
2679         * dfg/DFGAbstractInterpreterInlines.h:
2680         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2681         * tests/stress/typeof-dfg-function-or-object.js: Added.
2682         (assert):
2683         (foo.else.o):
2684         (foo):
2685
2686 2016-03-31  Mark Lam  <mark.lam@apple.com>
2687
2688         Gardening: Build and logic fix after r198873.
2689         https://bugs.webkit.org/show_bug.cgi?id=156043
2690
2691         Not reviewed.
2692
2693         * assembler/MacroAssemblerX86Common.h:
2694         (JSC::MacroAssemblerX86Common::addFloat):
2695         - 2 args were meant to be ordered differently in order to call the other addFloat.
2696           Instead, there was an infinite recursion bug.  This is now fixed.
2697
2698 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
2699
2700         [JSC][x86] Add the 3 operands forms of floating point addition and multiplication
2701         https://bugs.webkit.org/show_bug.cgi?id=156043
2702
2703         Reviewed by Geoffrey Garen.
2704
2705         When they are available, VADD and VMUL are better options to lower
2706         floating point addition and multiplication.
2707
2708         In the simple cases when one of the operands is aliased to the destination,
2709         those forms have the same size or 1 byte shorter depending on the registers.
2710
2711         In the more advanced cases, we gain nice advantages with the new forms:
2712         - We can get rid of the MoveDouble in front of the instruction when we cannot
2713           alias.
2714         - We can disable aliasing entirely in Air. That is useful for latency
2715           since computing coalescing is not exactly cheap.
2716
2717         * assembler/MacroAssemblerX86Common.cpp:
2718         * assembler/MacroAssemblerX86Common.h:
2719         (JSC::MacroAssemblerX86Common::and32):
2720         (JSC::MacroAssemblerX86Common::mul32):
2721         (JSC::MacroAssemblerX86Common::or32):
2722         (JSC::MacroAssemblerX86Common::xor32):
2723         (JSC::MacroAssemblerX86Common::branchAdd32):
2724         The change in B3LowerToAir exposed a bug in the fake 3 operands
2725         forms of those instructions. If the address is equal to
2726         the destination, we were nuking the address.
2727
2728         For example,
2729             Add32([%r11], %eax, %r11)
2730         would generate:
2731             move %eax, %r11
2732             add32 [%r11], %r11
2733         which crashes.
2734
2735         I updated the codegen of those cases to support that case through
2736             load32 [%r11], %r11
2737             add32 %eax, %r11
2738
2739         The weird case where all arguments have the same registers
2740         is handled too.
2741
2742         (JSC::MacroAssemblerX86Common::addDouble):
2743         (JSC::MacroAssemblerX86Common::addFloat):
2744         (JSC::MacroAssemblerX86Common::mulDouble):
2745         (JSC::MacroAssemblerX86Common::mulFloat):
2746         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
2747         (JSC::MacroAssemblerX86Common::supportsAVX):
2748         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
2749         * assembler/MacroAssemblerX86_64.h:
2750         (JSC::MacroAssemblerX86_64::branchAdd64):
2751         * assembler/X86Assembler.h:
2752         (JSC::X86Assembler::vaddsd_rr):
2753         (JSC::X86Assembler::vaddsd_mr):
2754         (JSC::X86Assembler::vaddss_rr):
2755         (JSC::X86Assembler::vaddss_mr):
2756         (JSC::X86Assembler::vmulsd_rr):
2757         (JSC::X86Assembler::vmulsd_mr):
2758         (JSC::X86Assembler::vmulss_rr):
2759         (JSC::X86Assembler::vmulss_mr):
2760         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2761         * b3/B3LowerToAir.cpp:
2762         (JSC::B3::Air::LowerToAir::appendBinOp):
2763         Add the 3 operand forms so that we lower Add and Mul
2764         to the best form directly.
2765
2766         I will change how we lower the fake 3 operands instructions
2767         but the codegen should end up the same in most cases.
2768         The new codegen is the load32 + op above.
2769
2770         * b3/air/AirInstInlines.h:
2771         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2772         * b3/air/testair.cpp:
2773         (JSC::B3::Air::testX86VMULSD):
2774         (JSC::B3::Air::testX86VMULSDDestRex):
2775         (JSC::B3::Air::testX86VMULSDOp1DestRex):
2776         (JSC::B3::Air::testX86VMULSDOp2DestRex):
2777         (JSC::B3::Air::testX86VMULSDOpsDestRex):
2778         (JSC::B3::Air::testX86VMULSDAddr):
2779         (JSC::B3::Air::testX86VMULSDAddrOpRexAddr):
2780         (JSC::B3::Air::testX86VMULSDDestRexAddr):
2781         (JSC::B3::Air::testX86VMULSDRegOpDestRexAddr):
2782         (JSC::B3::Air::testX86VMULSDAddrOpDestRexAddr):
2783         Make sure we have some coverage for AVX encoding of instructions.
2784
2785 2016-03-30  Saam Barati  <sbarati@apple.com>
2786
2787         Change some release asserts in CodeBlock linking into debug asserts
2788         https://bugs.webkit.org/show_bug.cgi?id=155500
2789
2790         Reviewed by Filip Pizlo.
2791
2792         * bytecode/CodeBlock.cpp:
2793         (JSC::CodeBlock::finishCreation):
2794
2795 2016-03-30  Joseph Pecoraro  <pecoraro@apple.com>
2796
2797         Remove unused ScriptProfiler.Samples.totalTime
2798         https://bugs.webkit.org/show_bug.cgi?id=156002
2799
2800         Reviewed by Saam Barati.
2801
2802         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2803         (Inspector::buildSamples):
2804         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2805         * inspector/protocol/ScriptProfiler.json:
2806         Remove totalTime.
2807
2808         * runtime/SamplingProfiler.cpp:
2809         (JSC::SamplingProfiler::SamplingProfiler): Deleted.
2810         * runtime/SamplingProfiler.h:
2811         (JSC::SamplingProfiler::totalTime): Deleted.
2812         Remove now unused m_totalTime.
2813
2814 2016-03-30  Michael Saboff  <msaboff@apple.com>
2815
2816         [ES6] Quantified unicode regular expressions do not work for counts greater than 1
2817         https://bugs.webkit.org/show_bug.cgi?id=156044
2818
2819         Reviewed by Mark Lam.
2820
2821         Fixed incorrect indexing of non-BMP characters in fixed patterns.  The old code
2822         was indexing by character units, a single JS character, instead of code points,
2823         which are 2 JS characters.
2824
2825         * yarr/YarrInterpreter.cpp:
2826         (JSC::Yarr::Interpreter::matchDisjunction):
2827
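The indexing error described in the entry above is easiest to see on a toy matcher. The following is an added example, not code from JavaScriptCore's yarr/YarrInterpreter.cpp: it matches a fixed pattern under an exact-count quantifier, once advancing the input by one UTF-16 unit per pattern code point (the old behaviour) and once by a whole code point. The function names, the `advanceByCodePoint` switch and the sample input are constructed for the example.

```javascript
// Added example, not JavaScriptCore's yarr/YarrInterpreter.cpp: a toy matcher
// for a fixed pattern under an exact-count quantifier, written both ways the
// entry above contrasts, so the effect of advancing by UTF-16 code units
// instead of code points shows up on non-BMP characters.

// Width in UTF-16 units of the code point that starts at index i in s:
// 2 for a well-formed surrogate pair, otherwise 1.
function codePointWidth(s, i) {
  const hi = s.charCodeAt(i);
  if (hi >= 0xd800 && hi <= 0xdbff && i + 1 < s.length) {
    const lo = s.charCodeAt(i + 1);
    if (lo >= 0xdc00 && lo <= 0xdfff) return 2;
  }
  return 1;
}

// Pattern as a list of code points, the representation unicode-mode patterns use.
function patternCodePoints(pattern) {
  return Array.from(pattern, (ch) => ch.codePointAt(0));
}

// Match `count` back-to-back copies of `codePoints` in `input` starting at
// index `start`. Returns the index just past the match, or -1 on failure.
// With advanceByCodePoint=false the loop steps one UTF-16 unit per pattern
// code point, which is the indexing error the entry describes; with true it
// steps over the whole surrogate pair.
function matchFixedRun(input, start, codePoints, count, advanceByCodePoint) {
  let i = start;
  for (let rep = 0; rep < count; rep++) {
    for (const cp of codePoints) {
      if (i >= input.length || input.codePointAt(i) !== cp) return -1;
      i += advanceByCodePoint ? codePointWidth(input, i) : 1;
    }
  }
  return i;
}

// Constructed sample input: two copies of U+10000, four UTF-16 units in total.
const SAMPLE = "\u{10000}\u{10000}";

// Unit-stepping "matches" a single copy but stops in the middle of the pair,
// so the second repetition sees a lone low surrogate and fails. That is why
// the bug only showed for counts greater than 1.
function demo() {
  const cps = patternCodePoints("\u{10000}");
  return {
    unitStepOnce: matchFixedRun(SAMPLE, 0, cps, 1, false),       // 1: ends mid-pair
    unitStepTwice: matchFixedRun(SAMPLE, 0, cps, 2, false),      // -1
    codePointStepTwice: matchFixedRun(SAMPLE, 0, cps, 2, true),  // 4
    native: /\u{10000}{2}/u.test(SAMPLE),                        // true on a fixed engine
  };
}
```

BMP-only patterns give the same answer either way, which is why the unit-stepping version survived until a unicode-mode test with an astral character and a count above 1 exercised it.
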
2828 2016-03-30  Mark Lam  <mark.lam@apple.com>
2829
2830         Make the $vm debugging tools available to builtins as @$vm.
2831         https://bugs.webkit.org/show_bug.cgi?id=156012
2832
2833         Reviewed by Saam Barati.
2834
2835         We also need some debugging tools for builtin development.  The $vm object will
2836         be made available to builtins as @$vm, which gives us, amongst many goodies,
2837         @$vm.print() (which prints the toString() values of its args) and
2838         @$vm.printValue() (which dataLogs its arg as a JSValue).  @$vm will only be
2839         available if we run with JSC_useDollarVM=true.
2840
2841         Also changed @$vm.print() to not automatically insert a space between the
2842         printing of each of its args.  This makes it clearer as to what will be printed
2843         i.e. it will only print what is passed to it.
2844
2845         * builtins/BuiltinNames.h:
2846         (JSC::BuiltinNames::BuiltinNames):
2847         (JSC::BuiltinNames::dollarVMPublicName):
2848         (JSC::BuiltinNames::dollarVMPrivateName):
2849         * runtime/JSGlobalObject.cpp:
2850         (JSC::JSGlobalObject::init):
2851         * tools/JSDollarVMPrototype.cpp:
2852         (JSC::functionPrint):
2853
2854 2016-03-30  Keith Miller  <keith_miller@apple.com>
2855
2856         Unreviewed, buildfix.
2857
2858         * bytecode/BytecodeIntrinsicRegistry.h:
2859
2860 2016-03-30  Keith Miller <keith_miller@apple.com>
2861
2862         Unreviewed, rollout r198808. The patch causes crashes on 32-bit and appears to be a JSBench regression.
2863
2864 2016-03-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2865
2866         [JSC] Implement String.prototype.repeat in builtins JS
2867         https://bugs.webkit.org/show_bug.cgi?id=155974
2868
2869         Reviewed by Darin Adler.
2870
2871         This patch converts C++ String.prototype.repeat implementation into JS builtins.
2872         |this| in strict mode is correctly inferred as String[1]. This fact encourages us
2873         to write PrimitiveTypes.prototype.XXX methods in builtin JS.
2874
2875         LayoutTests/js/string-repeat.html already covers the tests for this change.
2876
2877         Note: String.prototype.repeat functionality is similar to Harmony's
2878         String.prototype.{padStart, padEnd}. It's nice to port them to builtin JS in
2879         another patch.
2880
2881         The existing C++ code has the fast path for singleCharacterString repeating.
2882         Since this use is important (e.g. generating N length spaces: ' '.repeat(N)),
2883         we keep this fast path as @repeatCharacter().
2884
2885         The performance results show that, while the performance of the single character fast path
2886         is neutral, other string repeating has significant speed up.
2887         There are two reasons.
2888
2889         1. Not resolving string rope.
2890
2891         We added several tests postfixed "not-resolving". In those tests, we do not touch the content
2892         of the generated string. As a result, the generated rope is not resolved.
2893
2894         2. O(log N) intermediate JSRopeStrings.
2895
2896         In the existing C++ implementation, we use JSString::RopeBuilder. We iterate N times and append
2897         the given string to the builder.
2898         In this case, the intermediate rope strings generated in JSString::RopeBuilder is O(N).
2899         In JS builtin implementation, we only iterate log N times. As a result, the number of the
2900         intermediate rope strings becomes O(log N).
2901
2902         [1]: http://trac.webkit.org/changeset/195938
2903
2904         * builtins/StringPrototype.js:
2905         (repeatSlowPath):
2906         (repeat):
2907         * bytecode/BytecodeIntrinsicRegistry.cpp:
2908         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2909         * bytecode/BytecodeIntrinsicRegistry.h:
2910         * runtime/CommonIdentifiers.h:
2911         * runtime/JSGlobalObject.cpp:
2912         (JSC::JSGlobalObject::init):
2913         * runtime/StringPrototype.cpp:
2914         (JSC::stringProtoFuncRepeatCharacter):
2915         (JSC::StringPrototype::finishCreation): Deleted.
2916         (JSC::stringProtoFuncRepeat): Deleted.
2917         * runtime/StringPrototype.h:
2918         * tests/stress/string-repeat-edge-cases.js: Added.
2919         (shouldBe):
2920         (let.object.toString):
2921         (valueOf):
2922         (shouldThrow):
2923
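The O(log N) behaviour claimed in the entry above comes from doubling the piece being appended rather than appending the original string N times. The following is an added example, not JavaScriptCore's builtins/StringPrototype.js: a plain-JS String.prototype.repeat with the same split into a single-character fast path and a doubling slow path. The names `repeatCharacter`, `repeatSlowPath` and `repeat`, and the error messages, are assumed for the example.

```javascript
// Added example, not JavaScriptCore's builtins/StringPrototype.js: a plain-JS
// String.prototype.repeat structured the way the entry above describes, with
// a separate single-character fast path and a general path that doubles the
// piece so only O(log N) intermediate strings are built.

// Stand-in for JSC's @repeatCharacter fast path (name and shape assumed here).
function repeatCharacter(ch, count) {
  let out = "";
  for (let i = 0; i < count; i++) out += ch;
  return out;
}

// General path: binary decomposition of count. Each iteration appends the
// current piece when the low bit is set, then doubles the piece, so the loop
// runs about log2(count) times instead of count times.
function repeatSlowPath(string, count) {
  let result = "";
  let piece = string;
  for (;;) {
    if (count % 2 === 1) result += piece;
    count = Math.floor(count / 2);      // plain division, safe past 2^32
    if (count === 0) break;
    piece += piece;
  }
  return result;
}

// Entry point mirroring the spec steps (ES2015 21.1.3.13): RequireObjectCoercible,
// ToString, ToInteger, range checks, then fast or slow path.
function repeat(thisValue, count) {
  if (thisValue === null || thisValue === undefined)
    throw new TypeError("String.prototype.repeat requires that |this| not be null or undefined");
  const string = String(thisValue);
  let n = Number(count);
  n = Number.isNaN(n) ? 0 : Math.trunc(n);   // ToInteger; NaN becomes 0
  if (n < 0 || n === Infinity)
    throw new RangeError("String.prototype.repeat argument must be greater than or equal to 0 and not be Infinity");
  if (n === 0 || string.length === 0) return "";
  // Real engines also reject results longer than the maximum string length here.
  if (string.length === 1) return repeatCharacter(string, n);
  return repeatSlowPath(string, n);
}
```

In an engine with rope strings each `+=` above creates one rope node without copying characters, so the slow path allocates about log2(N) nodes and copies nothing until the result is actually read; the fast path is kept because a one-character string is cheaper to materialise directly.
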
2924 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
2925
2926         [JSC] Update udis86
2927         https://bugs.webkit.org/show_bug.cgi?id=156005
2928
2929         Reviewed by Geoffrey Garen.
2930
2931         * CMakeLists.txt:
2932         * DerivedSources.make:
2933         * JavaScriptCore.xcodeproj/project.pbxproj:
2934         * disassembler/udis86/differences.txt:
2935         * disassembler/udis86/itab.py: Removed.
2936         * disassembler/udis86/optable.xml:
2937         * disassembler/udis86/ud_itab.py: Added.
2938         * disassembler/udis86/ud_opcode.py:
2939         * disassembler/udis86/ud_optable.py: Removed.
2940         * disassembler/udis86/udis86.c:
2941         * disassembler/udis86/udis86_decode.c:
2942         * disassembler/udis86/udis86_decode.h:
2943         * disassembler/udis86/udis86_extern.h:
2944         * disassembler/udis86/udis86_input.c: Removed.
2945         * disassembler/udis86/udis86_input.h: Removed.
2946         * disassembler/udis86/udis86_syn-att.c:
2947         * disassembler/udis86/udis86_syn.h:
2948         * disassembler/udis86/udis86_types.h:
2949         * disassembler/udis86/udis86_udint.h:
2950
2951 2016-03-30  Benjamin Poulain  <bpoulain@apple.com>
2952
2953         [JSC] Get rid of operationInitGlobalConst(), it is useless
2954         https://bugs.webkit.org/show_bug.cgi?id=156010
2955
2956         Reviewed by Geoffrey Garen.
2957
2958         * jit/JITOperations.cpp:
2959         * jit/JITOperations.h:
2960
2961 2016-03-29  Saam barati  <sbarati@apple.com>
2962
2963         Fix typos in our error messages and remove some trailing periods
2964         https://bugs.webkit.org/show_bug.cgi?id=155985
2965
2966         Reviewed by Mark Lam.
2967
2968         * bytecompiler/BytecodeGenerator.cpp:
2969         (JSC::BytecodeGenerator::BytecodeGenerator):
2970         * runtime/ArrayConstructor.h:
2971         (JSC::isArray):
2972         * runtime/ProxyConstructor.cpp:
2973         (JSC::makeRevocableProxy):
2974         (JSC::proxyRevocableConstructorThrowError):
2975         (JSC::ProxyConstructor::finishCreation):
2976         (JSC::constructProxyObject):
2977         * runtime/ProxyObject.cpp:
2978         (JSC::ProxyObject::finishCreation):
2979         (JSC::performProxyGet):
2980         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2981         (JSC::ProxyObject::performHasProperty):
2982         (JSC::ProxyObject::performPut):
2983         (JSC::performProxyCall):
2984         (JSC::performProxyConstruct):
2985         (JSC::ProxyObject::performDelete):
2986         (JSC::ProxyObject::performPreventExtensions):
2987         (JSC::ProxyObject::performIsExtensible):
2988         (JSC::ProxyObject::performDefineOwnProperty):
2989         (JSC::ProxyObject::performGetOwnPropertyNames):
2990         (JSC::ProxyObject::performSetPrototype):
2991         (JSC::ProxyObject::performGetPrototype):
2992         * runtime/StringPrototype.cpp:
2993         (JSC::stringProtoFuncStartsWith):
2994         (JSC::stringProtoFuncEndsWith):
2995         (JSC::stringProtoFuncIncludes):
2996         * runtime/Structure.cpp:
2997         (JSC::Structure::preventExtensionsTransition):
2998         * tests/stress/proxy-basic.js:
2999         * tests/stress/proxy-construct.js:
3000         (throw.new.Error):
3001         (assert):
3002         * tests/stress/proxy-define-own-property.js:
3003         (assert):
3004         (throw.new.Error):
3005         (i.catch):
3006         (assert.set get catch):
3007         * tests/stress/proxy-delete.js:
3008         (assert):
3009         * tests/stress/proxy-get-own-property.js:
3010         (assert):
3011         (i.catch):
3012         (set get let):
3013         * tests/stress/proxy-get-prototype-of.js:
3014         (assert):
3015         (assert.get let):
3016         (assert.get catch):
3017         * tests/stress/proxy-has-property.js:
3018         (assert):
3019         * tests/stress/proxy-is-array.js:
3020         (test):
3021         * tests/stress/proxy-is-extensible.js:
3022         (assert):
3023         * tests/stress/proxy-json.js:
3024         (assert):
3025         (test):
3026         * tests/stress/proxy-own-keys.js:
3027         (assert):
3028         (i.catch):
3029         * tests/stress/proxy-prevent-extensions.js:
3030         (assert):
3031         * tests/stress/proxy-property-descriptor.js:
3032         * tests/stress/proxy-revoke.js:
3033         (assert):
3034         (throw.new.Error.):
3035         (throw.new.Error):
3036         (shouldThrowNullHandler):
3037         * tests/stress/proxy-set-prototype-of.js:
3038         (assert.set let):
3039         (assert.set catch):
3040         (assert):
3041         (set catch):
3042         * tests/stress/proxy-set.js:
3043         (throw.new.Error.let.handler.set 45):
3044         (throw.new.Error):
3045         * tests/stress/proxy-with-private-symbols.js:
3046         (assert):
3047         * tests/stress/proxy-with-unbalanced-getter-setter.js:
3048         (assert):
3049         * tests/stress/reflect-set-proxy-set.js:
3050         (throw.new.Error.let.handler.set 45):
3051         (throw.new.Error):
3052         * tests/stress/reflect-set-receiver-proxy-set.js:
3053         (let.handler.set 45):
3054         (catch):
3055         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
3056         (test):
3057         (test.get let):
3058
3059 2016-03-29  Keith Miller  <keith_miller@apple.com>
3060
3061         [ES6] Add support for Symbol.isConcatSpreadable.
3062         https://bugs.webkit.org/show_bug.cgi?id=155351
3063
3064         Reviewed by Saam Barati.
3065
3066         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
3067         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
3068         a builtin performant. First, four new DFG intrinsics were added.
3069
3070         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
3071            the Array.isArray function.
3072         2) IsJSArray: checks the first child is a JSArray object.
3073         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
3074         4) CallObjectConstructor: an intrinsic of the Object constructor.
3075
3076         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
3077         we are able to prove that the first child is an Array or for ToObject an Object.
3078
3079         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
3080         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
3081         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
3082         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
3083         into a contiguous array).
3084
3085         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
3086         values onto the result array. This works roughly the same as the two array fast path using the same methodology
3087         to decide if we can memcpy the other butterfly into the result butterfly.
3088
3089         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
3090         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
3091         dataLog function on it.
3092
3093         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
3094         JSValueOperand if the operand's use count is one.
3095
3096         * JavaScriptCore.xcodeproj/project.pbxproj:
3097         * builtins/ArrayPrototype.js:
3098         (concatSlowPath):
3099         (concat):
3100         * bytecode/BytecodeIntrinsicRegistry.cpp:
3101         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3102         * bytecode/BytecodeIntrinsicRegistry.h:
3103         * dfg/DFGAbstractInterpreterInlines.h:
3104         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3105         * dfg/DFGByteCodeParser.cpp:
3106         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3107         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3108         * dfg/DFGClobberize.h:
3109         (JSC::DFG::clobberize):
3110         * dfg/DFGDoesGC.cpp:
3111         (JSC::DFG::doesGC):
3112         * dfg/DFGFixupPhase.cpp:
3113         (JSC::DFG::FixupPhase::fixupNode):
3114         * dfg/DFGNodeType.h:
3115         * dfg/DFGOperations.cpp:
3116         * dfg/DFGOperations.h:
3117         * dfg/DFGPredictionPropagationPhase.cpp:
3118         (JSC::DFG::PredictionPropagationPhase::propagate):
3119         * dfg/DFGSafeToExecute.h:
3120         (JSC::DFG::safeToExecute):
3121         * dfg/DFGSpeculativeJIT.cpp:
3122         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3123         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
3124         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
3125         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
3126         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
3127         * dfg/DFGSpeculativeJIT.h:
3128         (JSC::DFG::SpeculativeJIT::callOperation):
3129         * dfg/DFGSpeculativeJIT32_64.cpp:
3130         (JSC::DFG::SpeculativeJIT::compile):
3131         * dfg/DFGSpeculativeJIT64.cpp:
3132         (JSC::DFG::SpeculativeJIT::compile):
3133         * ftl/FTLCapabilities.cpp:
3134         (JSC::FTL::canCompile):
3135         * ftl/FTLLowerDFGToB3.cpp:
3136         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3137         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
3138         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
3139         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
3140         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
3141         (JSC::FTL::DFG::LowerDFGToB3::isArray):
3142         * jit/JITOperations.h:
3143         * jsc.cpp:
3144         (WTF::RuntimeArray::createStructure):
3145         (GlobalObject::finishCreation):
3146         (functionDebug):
3147         (functionDataLogValue):
3148         * runtime/ArrayConstructor.cpp:
3149         (JSC::ArrayConstructor::finishCreation):
3150         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
3151         * runtime/ArrayConstructor.h:
3152         (JSC::isArrayConstructor):
3153         * runtime/ArrayPrototype.cpp:
3154         (JSC::ArrayPrototype::finishCreation):
3155         (JSC::arrayProtoPrivateFuncIsJSArray):
3156         (JSC::moveElements):
3157         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3158         (JSC::arrayProtoPrivateFuncAppendMemcpy):
3159         (JSC::arrayProtoFuncConcat): Deleted.
3160         * runtime/ArrayPrototype.h:
3161         (JSC::ArrayPrototype::createStructure):
3162         * runtime/CommonIdentifiers.h:
3163         * runtime/Intrinsic.h:
3164         * runtime/JSArray.cpp:
3165         (JSC::JSArray::appendMemcpy):
3166         (JSC::JSArray::fastConcatWith): Deleted.
3167         * runtime/JSArray.h:
3168         (JSC::JSArray::createStructure):
3169         (JSC::JSArray::fastConcatType): Deleted.
3170         * runtime/JSArrayInlines.h: Added.
3171         (JSC::JSArray::memCopyWithIndexingType):
3172         (JSC::JSArray::canFastCopy):
3173         * runtime/JSGlobalObject.cpp:
3174         (JSC::JSGlobalObject::init):
3175         * runtime/JSType.h:
3176         * runtime/ObjectConstructor.h:
3177         (JSC::constructObject):
3178         * tests/es6.yaml:
3179         * tests/stress/array-concat-spread-object.js: Added.
3180         (arrayEq):
3181         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
3182         (arrayEq):
3183         * tests/stress/array-concat-spread-proxy.js: Added.
3184         (arrayEq):
3185         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
3186         (arrayEq):
3187         * tests/stress/array-species-config-array-constructor.js:
3188
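Symbol.isConcatSpreadable changes which concat arguments are flattened, and because the check reads a property it can run arbitrary code (a Proxy trap, a getter) before any element is copied. The following is an added example, not JavaScriptCore's builtins/ArrayPrototype.js: a plain-JS model of Array.prototype.concat with the ES2015 IsConcatSpreadable check, holes preserved, and no memcpy fast path. The names `isConcatSpreadable`, `toLength` and `specConcat` are assumed for the example.

```javascript
// Added example, not JavaScriptCore's builtins/ArrayPrototype.js: a plain-JS
// model of Array.prototype.concat with the ES2015 IsConcatSpreadable check,
// so it is visible which arguments get spread and which are appended whole.
// The memcpy fast paths the entry describes are left out on purpose.

// IsConcatSpreadable(O): only objects can spread; Symbol.isConcatSpreadable
// wins when present, otherwise IsArray (which sees through a Proxy to its target).
function isConcatSpreadable(value) {
  if (value === null || (typeof value !== "object" && typeof value !== "function")) return false;
  const spreadable = value[Symbol.isConcatSpreadable];   // may run a getter or Proxy trap
  if (spreadable !== undefined) return Boolean(spreadable);
  return Array.isArray(value);
}

// ToLength: clamp to [0, 2^53 - 1]; NaN and negatives become 0.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (!(n > 0)) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Array.prototype.concat called with `thisValue` as the receiver.
function specConcat(thisValue, ...args) {
  if (thisValue === null || thisValue === undefined)
    throw new TypeError("Array.prototype.concat requires that |this| not be null or undefined");
  const result = [];
  let n = 0;
  for (const item of [Object(thisValue), ...args]) {
    if (isConcatSpreadable(item)) {
      const len = toLength(item.length);      // a Proxy trap may throw here; let it propagate
      for (let k = 0; k < len; k++) {
        if (k in item) result[n] = item[k];   // HasProperty check keeps holes as holes
        n++;
      }
    } else {
      result[n++] = item;
    }
  }
  result.length = n;                          // trailing holes still count toward length
  return result;
}
```

The practical consequence for an engine is the one the entry's proxy tests cover: the cheap memcpy path may only be taken after the spreadability and length reads have already happened, since either can throw or observe the arrays mid-operation.
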
3189 2016-03-29  Saam barati  <sbarati@apple.com>
3190
3191         We don't properly optimize TDZ checks when we declare a let variable without an initializer
3192         https://bugs.webkit.org/show_bug.cgi?id=150453
3193
3194         Reviewed by Mark Lam.
3195
3196         * bytecompiler/NodesCodegen.cpp:
3197         (JSC::EmptyLetExpression::emitBytecode):
3198
3199 2016-03-29  Saam barati  <sbarati@apple.com>
3200
3201         Allow builtin JS functions to be intrinsics
3202         https://bugs.webkit.org/show_bug.cgi?id=155960
3203
3204         Reviewed by Mark Lam.
3205
3206         Builtin functions can now be recognized as intrinsics inside
3207         the DFG. This gives us the flexibility to either lower a builtin
3208         as an intrinsic in the DFG or as a normal function call.
3209         Because we may decide to not lower it as an intrinsic, the DFG
3210         inliner could still inline the function call.
3211
3212         You can annotate a builtin function like so to make
3213         it be recognized as an intrinsic.
3214         ```
3215         [intrinsic=FooIntrinsic] function foo() { ... }
3216         ```
3217         where FooIntrinsic is an enum value of the Intrinsic enum.
3218
3219         So in the future if we write RegExp.prototype.test as a builtin, we would do:
3220         ``` RegExpPrototype.js
3221         [intrinsic=RegExpTestIntrinsic] function test() { ... }
3222         ```
3223
3224         * Scripts/builtins/builtins_generate_combined_implementation.py:
3225         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3226         * Scripts/builtins/builtins_generate_separate_implementation.py:
3227         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3228         * Scripts/builtins/builtins_generator.py:
3229         (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
3230         * Scripts/builtins/builtins_model.py:
3231         (BuiltinObject.__init__):
3232         (BuiltinFunction):
3233         (BuiltinFunction.__init__):
3234         (BuiltinFunction.fromString):
3235         (BuiltinFunction.__str__):
3236         * Scripts/builtins/builtins_templates.py:
3237         * bytecode/UnlinkedFunctionExecutable.cpp:
3238         (JSC::UnlinkedFunctionExecutable::visitChildren):
3239         (JSC::UnlinkedFunctionExecutable::link):
3240         * bytecode/UnlinkedFunctionExecutable.h:
3241         * dfg/DFGByteCodeParser.cpp:
3242         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3243         * runtime/Executable.cpp:
3244         (JSC::ExecutableBase::clearCode):
3245         (JSC::NativeExecutable::destroy):
3246         (JSC::ScriptExecutable::ScriptExecutable):
3247         (JSC::EvalExecutable::create):
3248         (JSC::EvalExecutable::EvalExecutable):
3249         (JSC::ProgramExecutable::ProgramExecutable):
3250         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
3251         (JSC::FunctionExecutable::FunctionExecutable):
3252         (JSC::ExecutableBase::intrinsic): Deleted.
3253         (JSC::NativeExecutable::intrinsic): Deleted.
3254         * runtime/Executable.h:
3255         (JSC::ExecutableBase::ExecutableBase):
3256         (JSC::ExecutableBase::hasJITCodeFor):
3257         (JSC::ExecutableBase::intrinsic):
3258         (JSC::ExecutableBase::intrinsicFor):
3259         (JSC::ScriptExecutable::finishCreation):
3260         * runtime/Intrinsic.h:
3261
3262 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
3263
3264         JSC::Debugger cleanup after recent changes
3265         https://bugs.webkit.org/show_bug.cgi?id=155982
3266
3267         Reviewed by Mark Lam.
3268
3269         * debugger/Debugger.cpp:
3270         (JSC::Debugger::Debugger):
3271         Initialize with breakpoints disabled. Web Inspector always informs
3272         the backend if it should enable or disable breakpoints on startup.
3273
3274         (JSC::Debugger::setProfilingClient):
3275         When using the Sampling profiler we do not need to recompile.
3276
3277 2016-03-29  Saam barati  <sbarati@apple.com>
3278
3279         "Can not" => "cannot" in String.prototype error messages
3280         https://bugs.webkit.org/show_bug.cgi?id=155895
3281
3282         Reviewed by Mark Lam.
3283
3284         * runtime/StringPrototype.cpp:
3285         (JSC::stringProtoFuncStartsWith):
3286         (JSC::stringProtoFuncEndsWith):
3287         (JSC::stringProtoFuncIncludes):
3288         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
3289         (test):
3290         (test.get let):
3291
3292 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
3293
3294         Web Inspector: We should have a way to capture heap snapshots programmatically.
3295         https://bugs.webkit.org/show_bug.cgi?id=154407
3296         <rdar://problem/24726292>
3297
3298         Reviewed by Timothy Hatcher.
3299
3300         * inspector/protocol/Console.json:
3301         Add a new Console.heapSnapshot event for when a heap snapshot is taken.
3302
3303         * runtime/ConsolePrototype.cpp:
3304         (JSC::ConsolePrototype::finishCreation):
3305         (JSC::consoleProtoFuncProfile):
3306         (JSC::consoleProtoFuncProfileEnd):
3307         (JSC::consoleProtoFuncTakeHeapSnapshot):
3308         * runtime/ConsoleClient.h:
3309         Add the console.takeHeapSnapshot method and dispatch to the ConsoleClient.
3310
3311         * inspector/JSGlobalObjectConsoleClient.cpp:
3312         (Inspector::JSGlobalObjectConsoleClient::takeHeapSnapshot):
3313         * inspector/JSGlobalObjectConsoleClient.h:
3314         Have the InspectorConsoleAgent handle this.
3315
3316         * inspector/JSGlobalObjectInspectorController.cpp:
3317         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3318         * inspector/agents/InspectorConsoleAgent.cpp:
3319         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
3320         (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
3321         * inspector/agents/InspectorConsoleAgent.h:
3322         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
3323         (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
3324         * inspector/agents/JSGlobalObjectConsoleAgent.h:
3325         Give the ConsoleAgent a HeapAgent pointer so that it can have the HeapAgent
3326         perform the snapshot building work like it normally does.
3327
3328 2016-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3329
3330         REGRESSION(r192914): 10% regression on Sunspider's date-format-tofte
3331         https://bugs.webkit.org/show_bug.cgi?id=155559
3332
3333         Reviewed by Saam Barati.
3334
3335         The fast path of the eval function is the super hot path in date-format-tofte.
3336         Any performance regression is not allowed here.
3337         Before this patch, we allocated SourceCode in the fast path.
3338         This allocation incurs 10% performance regression.
3339
3340         This patch removes this allocation in the fast path.
3341         And it changes the key of the EvalCodeCache to EvalCodeCache::CacheKey.
3342         It combines RefPtr<StringImpl> and isArrowFunctionContext.
3343         Since EvalCodeCache does not cache any eval code evaluated under the strict mode,
3344         it is unnecessary to include several options (ThisTDZMode, and DerivedContextType) in the cache map's key.
3345         But isArrowFunctionContext is necessary since the sloppy mode arrow function exists.
3346
3347         To validate this change, we add a new test that evaluates the same code
3348         under the non-arrow function context and the arrow function context.
3349
3350         After introducing CacheKey, we observed 1% regression compared to the RefPtr<StringImpl> keyed case.
3351         This is because HashMap<RefPtr<T>, ...>::get(T*) is specially optimized; this path is inlined while the normal ::get() is not inlined.
3352         To avoid this performance regression, we introduce HashMap::fastGet, that aggressively encourages inlining.
3353         The relationship between fastGet() and get() is similar to fastAdd() and add().
3354         After applying this change, the evaluation shows no performance regression in comparison with the RefPtr<StringImpl> keyed case.
3355
3356         * bytecode/EvalCodeCache.h:
3357         (JSC::EvalCodeCache::CacheKey::CacheKey):
3358         (JSC::EvalCodeCache::CacheKey::hash):
3359         (JSC::EvalCodeCache::CacheKey::isEmptyValue):
3360         (JSC::EvalCodeCache::CacheKey::operator==):
3361         (JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue):
3362         (JSC::EvalCodeCache::CacheKey::Hash::hash):
3363         (JSC::EvalCodeCache::CacheKey::Hash::equal):
3364         (JSC::EvalCodeCache::tryGet):
3365         (JSC::EvalCodeCache::getSlow):
3366         (JSC::EvalCodeCache::isCacheable):
3367         * interpreter/Interpreter.cpp:
3368         (JSC::eval):
3369         * tests/stress/eval-in-arrow-function.js: Added.
3370         (shouldBe):
3371         (i):
3372
3373 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
3374
3375         Audit WebCore builtins for user overridable code
3376         https://bugs.webkit.org/show_bug.cgi?id=155923
3377
3378         Reviewed by Youenn Fablet.
3379
3380         * runtime/CommonIdentifiers.h:
3381         * runtime/ObjectConstructor.cpp:
3382         (JSC::ObjectConstructor::finishCreation):
3383         Expose @Object.@defineProperty to built-ins.
3384
3385 2016-03-28  Benjamin Poulain  <bpoulain@apple.com>
3386
3387         [JSC] ArithSub should not propagate "UsesAsOther"
3388         https://bugs.webkit.org/show_bug.cgi?id=155932
3389
3390         Reviewed by Mark Lam.
3391
3392         The node ArithSub was backpropagating UsesAsOther.
3393         This causes any GetByVal on a Double Array to have an extra
3394         hole check if it flows into an ArithSub.
3395
3396         The definition of ArithSub (12.8.4.1) has both operands go
3397         through ToNumber(). ToNumber() on "undefined" always produces
3398         NaN. It is safe to ignore the NaN marker from hole when
3399         the DAG flows into ArithSub.
3400
3401         This patch also adds this change and test coverage to ArithAdd.
3402         ArithAdd was not a problem in practice because it is only
3403         generated before Fixup if both operands are known to be numerical.
3404         The change to ArithAdd is there to protect us from the ArithSub-like
3405         problems if we ever improve our support of arithmetic operators.
3406
3407         * dfg/DFGBackwardsPropagationPhase.cpp:
3408         (JSC::DFG::BackwardsPropagationPhase::propagate):
3409         * tests/stress/arith-add-on-double-array-with-holes.js: Added.
3410         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
3411         (let.testCase.of.testCases.observableHoleOnLhs):
3412         (let.testCase.of.testCases.nonObservableHoleOnRhs):
3413         (let.testCase.of.testCases.observableHoleOnRhs):
3414         * tests/stress/arith-sub-on-double-array-with-holes.js: Added.
3415         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
3416         (let.testCase.of.testCases.observableHoleOnLhs):
3417         (let.testCase.of.testCases.nonObservableHoleOnRhs):
3418         (let.testCase.of.testCases.observableHoleOnRhs):
3419         * tests/stress/value-add-on-double-array-with-holes.js: Added.
3420         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
3421         (let.testCase.of.testCases.observableHoleOnLhs):
3422         (let.testCase.of.testCases.nonObservableHoleOnRhs):
3423         (let.testCase.of.testCases.observableHoleOnRhs):
3424
3425 2016-03-28  Brian Burg  <bburg@apple.com>
3426
3427         Web Inspector: protocol generator should generate C++ string-to-enum helper functions
3428         https://bugs.webkit.org/show_bug.cgi?id=155691
3429         <rdar://problem/25258078>
3430
3431         Reviewed by Timothy Hatcher.
3432
3433         There's a lot of code throughout the Inspector agents and automation code
3434         that needs to convert a raw string into a typed protocol enum. Generate
3435         some helpers that do this conversion so clients can move over to using it.
3436
3437         These helpers are necessary for when we eventually switch to calling backend
3438         dispatcher handlers with typed arguments instead of untyped JSON objects.
3439
3440         To correctly generate a conversion function for an anonymous enum, the
3441         generator needs to be able to get the containing object type's declaration.
3442         Since the model's Type objects each have only one instance, there is a
3443         one-to-one association between type and its declaration.
3444
3445         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3446         (CppProtocolTypesHeaderGenerator.generate_output):
3447         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
3448         Clean up this method to use methodcaller to sort types by raw name.
3449
3450         (_generate_declarations_for_enum_conversion_methods):
3451         (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
3452         (_generate_declarations_for_enum_conversion_methods.type_member_is_anonymous_enum_type):
3453         Added. Generates a new section with an unfilled template and specializations of
3454         the template for every named and anonymous enum in every domain. Guards for
3455         domains wrap the forward declarations. This is added to the end of the header
3456         file so that specializations for both types of enums are in the same place.
3457
3458         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3459         (CppProtocolTypesImplementationGenerator.generate_output):
3460         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
3461         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.type_member_is_anonymous_enum_type):
3462         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
3463         Added. Generate a static array of offsets into the enum constant value array.
3464         Then, loop over this array of offsets and do string comparisons against the
3465         provided string and enum constant values at the relevant offsets for this enum.
3466
3467         * inspector/scripts/codegen/generator_templates.py:
3468         (GeneratorTemplates): Update copyright year in generated files.
3469
3470         * inspector/scripts/codegen/models.py:
3471         (AliasedType.__init__):
3472         (EnumType.__init__):
3473         (EnumType.enum_values):
3474         (EnumType.declaration):
3475         (ArrayType.__init__):
3476         (ArrayType.declaration):
3477         (ObjectType.__init__):
3478         (ObjectType.declaration):
3479         (Protocol.resolve_types):
3480         (Protocol.lookup_type_reference):
3481         Pass the type declaration to Type constructors if available. If not,
3482         fill in a placeholder name for the type in the constructor instead of in the caller.
3483
3484         Rebaseline all the things, mostly for copyright block changes.
3485
3486         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3487         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3488         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3489         * inspector/scripts/tests/expected/enum-values.json-result:
3490         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3491         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3492         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3493         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3494         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3495         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3496         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3497         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3498         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3499
3500 2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3501
3502         Misc. JavaScriptCore built-ins cleanups
3503         https://bugs.webkit.org/show_bug.cgi?id=155920
3504
3505         Reviewed by Mark Lam.
3506
3507         * builtins/RegExpPrototype.js:
3508         (match):
3509         No need for an else after an if that always returns.
3510
3511         * builtins/TypedArrayConstructor.js:
3512         (of):
3513         Fix error message to use the correct function name.
3514
3515         (allocateInt8Array):
3516         (allocateInt16Array):
3517         (allocateInt32Array):
3518         (allocateUint32Array):
3519         (allocateUint16Array):
3520         (allocateUint8Array):
3521         (allocateUint8ClampedArray):
3522         (allocateFloat32Array):
3523         (allocateFloat64Array):
3524         Clean up style to be like all the other code.
3525
3526         * tests/stress/typedarray-of.js:
3527         Test the exception message.
3528
3529 2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3530
3531         Date.prototype.toLocaleDateString uses overridable Object.create
3532         https://bugs.webkit.org/show_bug.cgi?id=155917
3533
3534         Reviewed by Mark Lam.
3535
3536         * builtins/DatePrototype.js:
3537         (toLocaleString.toDateTimeOptionsAnyAll):
3538         (toLocaleDateString.toDateTimeOptionsDateDate):
3539         (toLocaleTimeString.toDateTimeOptionsTimeTime):
3540         Switch from @Object.create to @Object.@create to guarantee we are
3541         using the built-in create method and not user defined code.
3542
3543         * runtime/CommonIdentifiers.h:
3544         * runtime/ObjectConstructor.cpp:
3545         (JSC::ObjectConstructor::finishCreation):
3546         Set up the @create private symbol.
3547
3548 2016-03-25  Benjamin Poulain  <bpoulain@apple.com>
3549
3550         [JSC] Put the x86 Assembler on a binary diet
3551         https://bugs.webkit.org/show_bug.cgi?id=155683
3552
3553         Reviewed by Darin Adler.
3554
3555         The MacroAssemblers are heavily inlined. This is unfortunately
3556         important for baseline JIT where many branches can be eliminated
3557         at compile time.
3558
3559         This inlining causes a lot of binary bloat. The phases
3560         lowering to ASM are massively large.
3561
3562         This patch improves the situation a bit for x86 through
3563         many small improvements:
3564
3565         -Every instruction starts with ensureSpace(). The slow
3566          path reallocates the buffer.
3567          From that slow path, only fastRealloc() was a function
3568          call. What is around does not need to be fast, I moved
3569          the whole grow() function out of line for those cases.
3570
3571         -When testing multiple registers for REX requirements,
3572          we had something like this:
3573              byteRegRequiresRex(reg) || byteRegRequiresRex(rm)
3574              regRequiresRex(index) || regRequiresRex(base)
3575          Those were producing multiple test-and-branch. Those branches
3576          are effectively random so we don't have to care about individual
3577          branches being predictable.
3578
3579          The new code effectively does:
3580              byteRegRequiresRex(reg | rm)
3581              regRequiresRex(index | base)
3582
3583         -Change "ModRmMode" to have the value we can OR directly
3584          to the generated ModRm.
3585          This is important because some ModRM code is so large
3586          that it goes out of line.
3587
3588         -Finally, a big change on how we write to the AssemblerBuffer.
3589
3590          Previously, instructions were written byte by byte into
3591          the assembler buffer of the MacroAssembler.
3592
3593          The problem with that is the compiler cannot prove that
3594          the buffer pointer and the AssemblerBuffer are not pointing
3595          to the same memory.
3596
3597          Because of that, before any write, all the local registers
3598          were pushed back to the AssemblerBuffer memory, then everything
3599          was read back after the write to compute the next write.
3600
3601          I attempted to use the "restrict" keyword and wrapper types
3602          to help Clang with that but nothing worked.
3603
3604          The current solution is to keep a local copy of the index
3605          and the buffer pointer in the scope of each instruction.
3606          That is done by AssemblerBuffer::LocalWriter.
3607
3608          Since LocalWriter only exists locally, it stays in
3609          register and we don't have all the memory churn between
3610          each byte writing. This also allows clang to combine
3611          obvious cases since there are no longer observable side
3612          effects between bytes.
3613
3614         This patch reduces the binary size by 66k. It is a small
3615         speed-up on Sunspider.
3616
3617         * assembler/AssemblerBuffer.h:
3618         (JSC::AssemblerBuffer::ensureSpace):
3619         (JSC::AssemblerBuffer::LocalWriter::LocalWriter):
3620         (JSC::AssemblerBuffer::LocalWriter::~LocalWriter):
3621         (JSC::AssemblerBuffer::LocalWriter::putByteUnchecked):
3622         (JSC::AssemblerBuffer::LocalWriter::putShortUnchecked):
3623         (JSC::AssemblerBuffer::LocalWriter::putIntUnchecked):
3624         (JSC::AssemblerBuffer::LocalWriter::putInt64Unchecked):
3625         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
3626         (JSC::AssemblerBuffer::putIntegral):
3627         (JSC::AssemblerBuffer::outOfLineGrow):
3628         * assembler/MacroAssemblerX86Common.h:
3629         * assembler/X86Assembler.h:
3630         (JSC::X86Assembler::X86InstructionFormatter::byteRegRequiresRex):
3631         (JSC::X86Assembler::X86InstructionFormatter::regRequiresRex):
3632         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::LocalBufferWriter):
3633         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRex):
3634         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexW):
3635         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIf):
3636         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIfNeeded):
3637         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRm):
3638         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRmSib):
3639         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::registerModRM):
3640         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::memoryModRM):
3641         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp): Deleted.
3642         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp32): Deleted.
3643         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp8): Deleted.
3644         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp): Deleted.
3645         (JSC::X86Assembler::X86InstructionFormatter::threeByteOp): Deleted.
3646         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64): Deleted.
3647         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp32): Deleted.
3648         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp8): Deleted.
3649         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp64): Deleted.
3650         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8): Deleted.
3651         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp8): Deleted.
3652         (JSC::X86Assembler::X86InstructionFormatter::emitRex): Deleted.
3653         (JSC::X86Assembler::X86InstructionFormatter::emitRexW): Deleted.
3654         (JSC::X86Assembler::X86InstructionFormatter::emitRexIf): Deleted.
3655         (JSC::X86Assembler::X86InstructionFormatter::emitRexIfNeeded): Deleted.
3656         (JSC::X86Assembler::X86InstructionFormatter::putModRm): Deleted.
3657         (JSC::X86Assembler::X86InstructionFormatter::putModRmSib): Deleted.
3658         (JSC::X86Assembler::X86InstructionFormatter::registerModRM): Deleted.
3659         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM): Deleted.
3660
3661 2016-03-25  Saam barati  <sbarati@apple.com>
3662
3663         RegExp.prototype.test should be an intrinsic again
3664         https://bugs.webkit.org/show_bug.cgi?id=155861
3665
3666         Reviewed by Yusuke Suzuki.
3667
3668         * runtime/RegExpPrototype.cpp:
3669         (JSC::RegExpPrototype::finishCreation):
3670
3671 2016-03-25  Mark Lam  <mark.lam@apple.com>
3672
3673         ES6's throwing of TypeErrors on access of RegExp.prototype flag properties breaks websites.
3674         https://bugs.webkit.org/show_bug.cgi?id=155904
3675
3676         Reviewed by Geoffrey Garen.
3677
3678         There exists a JS library XRegExp (see http://xregexp.com) that extends the regexp
3679         implementation.  XRegExp does feature testing by comparing RegExp.prototype.sticky
3680         to undefined.  See:
3681
3682         Example 1. https://github.com/slevithan/xregexp/blob/28a2b033c5951477bed8c7c867ddf7e89c431cd4/tests/perf/index.html
3683             ...
3684             } else if (knownVersion[version]) {
3685                 // Hack around ES6 incompatibility in XRegExp versions prior to 3.0.0
3686                 if (parseInt(version, 10) < 3) {
3687                     delete RegExp.prototype.sticky;
3688             }
3689             ...
3690
3691         Example 2. https://github.com/slevithan/xregexp/blob/d0e665d4068cec4d15919215b098b2373f1f12e9/tests/perf/versions/xregexp-all-v2.0.0.js
3692             ...
3693             // Check for flag y support (Firefox 3+)
3694                 hasNativeY = RegExp.prototype.sticky !== undef,
3695             ...
3696
3697         The ES6 spec states that we should throw a TypeError here because RegExp.prototype
3698         is not a RegExp object, and the sticky getter is only allowed to be called on
3699         RegExp objects.  See https://tc39.github.io/ecma262/2016/#sec-get-regexp.prototype.sticky.
3700         As a result, websites that use XRegExp can break (e.g. some Atlassian tools).
3701
3702         As a workaround, we'll return undefined instead of throwing on access of these
3703         flag properties that may be used for feature testing.
3704
3705         * runtime/RegExpPrototype.cpp:
3706         (JSC::regExpProtoGetterGlobal):
3707         (JSC::regExpProtoGetterIgnoreCase):
3708         (JSC::regExpProtoGetterMultiline):
3709         (JSC::regExpProtoGetterSticky):
3710         (JSC::regExpProtoGetterUnicode):
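
        Added example (not WebKit or XRegExp code) showing the feature-test pattern this
        entry works around: a probe that reads RegExp.prototype.sticky directly throws on
        an engine that follows the ES2016 getter strictly, whereas a probe that tolerates
        the throw and then constructs a sticky RegExp works either way. The strict
        behaviour is simulated by temporarily replacing the getter; function names are
        hypothetical.

```javascript
// Added example, not WebKit or XRegExp code.

// Pattern 1: the fragile probe, as quoted from XRegExp in the ChangeLog. On an
// engine that returns undefined for the prototype (the workaround) it reports
// "no native support" and falls back gracefully; on a spec-strict engine it throws.
function hasStickyFragile() {
  return RegExp.prototype.sticky !== undefined;
}

// Pattern 2: a robust probe that survives both engine behaviours. It tolerates a
// throwing getter and then confirms support by constructing and exercising a
// sticky RegExp.
function hasStickyRobust() {
  let protoSaysYes = false;
  try {
    protoSaysYes = RegExp.prototype.sticky !== undefined;
  } catch (e) {
    // A spec-strict engine throws TypeError here; fall through to the real test.
  }
  let constructible = false;
  try {
    const re = new RegExp('a', 'y');
    re.lastIndex = 1;
    // A sticky match must anchor at lastIndex: 'ba' has 'a' exactly at index 1.
    constructible = re.sticky === true && re.test('ba') === true && re.lastIndex === 2;
  } catch (e) {
    constructible = false; // 'y' flag rejected: no support
  }
  return protoSaysYes || constructible;
}

// Simulate a spec-strict engine: the sticky getter throws when its receiver is
// RegExp.prototype (or any non-RegExp). Runs the given probe and restores the
// original getter afterwards.
function probeUnderStrictGetter(probe) {
  const desc = Object.getOwnPropertyDescriptor(RegExp.prototype, 'sticky');
  Object.defineProperty(RegExp.prototype, 'sticky', {
    configurable: true,
    get() {
      if (this === RegExp.prototype || !(this instanceof RegExp))
        throw new TypeError('RegExp.prototype.sticky getter called on non-RegExp object');
      return desc.get.call(this);
    },
  });
  try {
    return { ok: true, value: probe() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  } finally {
    Object.defineProperty(RegExp.prototype, 'sticky', desc);
  }
}
```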
3711
3712 2016-03-25  Caitlin Potter  <caitp@igalia.com>
3713
3714         [JSC] fix divide-by-zero in String.prototype.padStart/padEnd
3715         https://bugs.webkit.org/show_bug.cgi?id=155903
3716
3717         Reviewed by Filip Pizlo.
3718
3719         * runtime/StringPrototype.cpp:
3720         (JSC::padString):
3721
3722 2016-03-25  Benjamin Poulain  <benjamin@webkit.org>
3723
3724         [JSC] materialize-past-butterfly-allocation.js time out in debug
3725
3726         * tests/stress/materialize-past-butterfly-allocation.js:
3727         The test times out on the debug bots. We suspect there is nothing
3728         wrong, just overkill loops.
3729
3730 2016-03-25  Brian Burg  <bburg@apple.com>
3731
3732         Web Inspector: protocol generator should prefix C++ filenames with the protocol group
3733         https://bugs.webkit.org/show_bug.cgi?id=155859
3734         <rdar://problem/25349859>
3735
3736         Reviewed by Alex Christensen and Joseph Pecoraro.
3737
3738         Like for generated Objective-C files, we should use the 'protocol group' name
3739         as the prefix for generated C++ files so that headers from different protocol
3740         groups have unambiguous names.
3741
3742         * inspector/scripts/codegen/cpp_generator.py:
3743         (CppGenerator):
3744         (CppGenerator.__init__):
3745         (CppGenerator.protocol_name):
3746         Make all C++ code generators extend the CppGenerator python class and use the
3747         protocol_name() instance method. This matches a recent change to the ObjC generator.
3748
3749         * inspector/scripts/codegen/cpp_generator_templates.py:
3750         (CppGeneratorTemplates):
3751         Drive-by cleanup to use #pragma once instead of header guards.
3752
3753         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
3754         (CppAlternateBackendDispatcherHeaderGenerator):
3755         (CppAlternateBackendDispatcherHeaderGenerator.__init__):
3756         (CppAlternateBackendDispatcherHeaderGenerator.output_filename):
3757         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
3758         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3759         (CppBackendDispatcherHeaderGenerator):
3760         (CppBackendDispatcherHeaderGenerator.__init__):
3761         (CppBackendDispatcherHeaderGenerator.output_filename):
3762         (CppBackendDispatcherHeaderGenerator.generate_output):
3763         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3764         (CppBackendDispatcherImplementationGenerator):
3765         (CppBackendDispatcherImplementationGenerator.__init__):
3766         (CppBackendDispatcherImplementationGenerator.output_filename):
3767         (CppBackendDispatcherImplementationGenerator.generate_output):
3768         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3769         (CppFrontendDispatcherHeaderGenerator):
3770         (CppFrontendDispatcherHeaderGenerator.__init__):
3771         (CppFrontendDispatcherHeaderGenerator.output_filename):
3772         (CppFrontendDispatcherHeaderGenerator.generate_output):
3773         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3774         (CppFrontendDispatcherImplementationGenerator):
3775         (CppFrontendDispatcherImplementationGenerator.__init__):
3776         (CppFrontendDispatcherImplementationGenerator.output_filename):
3777         (CppFrontendDispatcherImplementationGenerator.generate_output):
3778         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3779         (CppProtocolTypesHeaderGenerator):
3780         (CppProtocolTypesHeaderGenerator.__init__):
3781         (CppProtocolTypesHeaderGenerator.output_filename):
3782         (CppProtocolTypesHeaderGenerator.generate_output):
3783         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3784         (CppProtocolTypesImplementationGenerator):
3785         (CppProtocolTypesImplementationGenerator.__init__):
3786         (CppProtocolTypesImplementationGenerator.output_filename):
3787         (CppProtocolTypesImplementationGenerator.generate_output):
3788         Use the protocol_name() instance method to compute generated protocol file names.
3789
3790         * inspector/scripts/codegen/models.py:
3791         Explicitly set the 'protocol_group' for the Inspector protocol.
3792
3793         Rebaseline generator test results.
3794
3795         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3796         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3797         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3798         * inspector/scripts/tests/expected/enum-values.json-result:
3799         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3800         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3801         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3802         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3803         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3804         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3805         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3806         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3807         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3808
3809 2016-03-25  Keith Miller  <keith_miller@apple.com>
3810
3811         putByIndexBeyondVectorLengthWithoutAttributes should not crash if it can't ensureLength
3812         https://bugs.webkit.org/show_bug.cgi?id=155730
3813
3814         Reviewed by Saam Barati.
3815
3816         This patch makes ensureLength return a boolean indicating if it was able to set the length.
3817         ensureLength also no longer sets the butterfly to null if the allocation of the butterfly
3818         fails. All of ensureLength's callers including putByIndexBeyondVectorLengthWithoutAttributes
3819         have been adapted to throw an out of memory error if ensureLength fails.
3820
3821         * runtime/JSArray.cpp:
3822         (JSC::JSArray::setLength):
3823         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3824         * runtime/JSObject.cpp:
3825         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3826         (JSC::JSObject::ensureLengthSlow):
3827         * runtime/JSObject.h:
3828         (JSC::JSObject::ensureLength):
3829
3830 2016-03-25  Caitlin Potter  <caitp@igalia.com>
3831
3832         [JSC] implement String.prototype.padStart() and String.prototype.padEnd() proposal
3833         https://bugs.webkit.org/show_bug.cgi?id=155795
3834
3835         Reviewed by Darin Adler.
3836
3837         Implements ECMAScript proposal http://tc39.github.io/proposal-string-pad-start-end/
3838         Currently at Stage 3.
3839
3840         * runtime/JSString.h:
3841         * runtime/StringPrototype.cpp:
3842         (JSC::StringPrototype::finishCreation):
3843         (JSC::repeatCharacter):
3844         (JSC::repeatStringPattern):
3845         (JSC::padString):
3846         (JSC::stringProtoFuncPadEnd):
3847         (JSC::stringProtoFuncPadStart):
3848         * tests/es6.yaml:
3849         * tests/es6/String.prototype_methods_String.prototype.padEnd.js: Added.
3850         * tests/es6/String.prototype_methods_String.prototype.padStart.js: Added.
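
        Added example (not the JSC implementation) serving this entry and the later
        "fix divide-by-zero in String.prototype.padStart/padEnd" entry: a reference
        implementation of the proposal's padding algorithm that handles the empty fill
        string, where dividing the needed padding length by the filler length would
        otherwise divide by zero, and cross-checks itself against the engine's native
        padStart/padEnd on constructed inputs.

```javascript
// Added example, not JSC code: reference padString per the padStart/padEnd proposal.
function padString(str, maxLength, fillString, atStart) {
  const s = String(str);
  // ToLength, simplified for this example: NaN and undefined become 0.
  const targetLength = Math.trunc(Number(maxLength)) || 0;
  if (targetLength <= s.length) return s;                   // nothing to pad
  const filler = fillString === undefined ? ' ' : String(fillString);
  if (filler.length === 0) return s;                        // empty filler: guard the divide by zero
  const fillLen = targetLength - s.length;
  // Whole repetitions of the filler, then a truncated remainder.
  const repeatCount = Math.floor(fillLen / filler.length);
  const remainder = fillLen - repeatCount * filler.length;
  const padding = filler.repeat(repeatCount) + filler.slice(0, remainder);
  return atStart ? padding + s : s + padding;
}

function padStart(str, maxLength, fillString) {
  return padString(str, maxLength, fillString, true);
}

function padEnd(str, maxLength, fillString) {
  return padString(str, maxLength, fillString, false);
}

// Cross-check against the native implementation over constructed cases, including
// the empty filler, a filler longer than the gap, and a non-numeric length.
function crossCheck() {
  const cases = [
    ['abc', 10, undefined],
    ['abc', 10, ''],
    ['abc', 6, '123456'],
    ['abc', 8, 'xy'],
    ['abc', 2, 'x'],
    ['', 3, 'ab'],
    ['abc', NaN, 'x'],
  ];
  return cases.every(([s, n, f]) =>
    padStart(s, n, f) === s.padStart(n, f) && padEnd(s, n, f) === s.padEnd(n, f));
}
```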
3851
3852 2016-03-24  Alex Christensen  <achristensen@webkit.org>
3853
3854         Fix Mac CMake build.
3855
3856         * PlatformMac.cmake:
3857         Link to Security framework.
3858
3859 2016-03-24  Saam barati  <sbarati@apple.com>
3860
3861         ES6: Implement IsRegExp function and use where needed in String.prototype.* methods
3862         https://bugs.webkit.org/show_bug.cgi?id=155854
3863
3864         Reviewed by Mark Lam.
3865
3866         This patch is a straight forward implementation of IsRegExp
3867         in the ES6 spec:
3868         https://tc39.github.io/ecma262/#sec-isregexp
3869         We now use this IsRegExp function inside String.prototype.(startsWith | endsWith | includes)
3870         as is dictated by the spec.
3871
3872         * runtime/RegExpConstructor.h:
3873         (JSC::RegExpConstructor::recordMatch):
3874         (JSC::isRegExp):
3875         * runtime/StringPrototype.cpp:
3876         (JSC::stringProtoFuncStartsWith):
3877         (JSC::stringProtoFuncEndsWith):
3878         (JSC::stringProtoFuncIncludes):
3879         * tests/es6.yaml:
3880         * tests/es6/well-known_symbols_Symbol.match_String.prototype.endsWith.js: Added.
3881         (test):
3882         * tests/es6/well-known_symbols_Symbol.match_String.prototype.includes.js: Added.
3883         (test):
3884         * tests/es6/well-known_symbols_Symbol.match_String.prototype.startsWith.js: Added.
3885         (test):
3886         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js: Added.
3887         (assert):