Web Inspector: Remove unused Timeline GCEvent Record type
2015-10-22  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused Timeline GCEvent Record type
        https://bugs.webkit.org/show_bug.cgi?id=150477

        Reviewed by Timothy Hatcher.

        Garbage Collection events go through the Heap domain, not the
        Timeline domain (long time ago for Chromium).

        * inspector/protocol/Timeline.json:

2015-10-22  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at JavaScriptCore:JSC::ExecState::bytecodeOffset + 174
        https://bugs.webkit.org/show_bug.cgi?id=150434

        Reviewed by Mark Lam.

        Pass the current frame instead of the caller frame to operationVMHandleException when processing an
        exception in one of the native thunks.

        * jit/JITExceptions.cpp:
        (JSC::genericUnwind): Made debug printing of CodeBlock safe for call frames without one.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):

2015-10-21  Brian Burg  <bburg@apple.com>

        Restructure generate-js-bindings script to be modular and testable
        https://bugs.webkit.org/show_bug.cgi?id=149929

        Reviewed by Alex Christensen.

        This is a new code generator, based on the replay inputs code generator and
        the inspector protocol code generator, which produces various files for JS
        builtins.

        Relative to the generator it replaces, this one consolidates two scripts in
        JavaScriptCore and WebCore into a single script with multiple files. Parsed
        information about the builtins file is stored in backend-independent model
        objects. Each output file has its own code generator that uses the model to
        produce resulting code. Generators are additionally parameterized by the target
        framework (to choose correct macros and includes) and output mode (one
        header/implementation file per builtin or per framework).

        It includes a few simple tests of the generator's functionality. These result-
        based tests will become increasingly more important as we start to add support
        for builtins annotation such as @optional, @internal, etc. to the code generator.

        Some of these complexities, such as having two output modes, will be removed in
        subsequent patches. This patch is intended to exactly replace the existing
        functionality with a unified script that makes additional cleanups straightforward.

        Additional cleanup and consolidation between inspector code generator scripts
        and this script will be pursued in followup patches.

        New tests:

        Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Combined.js
        Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Separate.js
        Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js
        Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js
        Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Combined.js
        Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Separate.js
        Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js
        Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js
        Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js
        Scripts/tests/builtins/WebCore-xmlCasingTest-Separate.js


        * CMakeLists.txt:

            Copy the scripts that are used by other targets to a staging directory inside
            ${DERIVED_SOURCES_DIR}/ForwardingHeaders/JavaScriptCore/Scripts.
            Define JavaScriptCore_SCRIPTS_DIR to point here so that the add_custom_command
            and shared file lists are identical between JavaScriptCore and WebCore. The staged
            scripts are a dependency of the main JavaScriptCore target so that they are
            always staged, even if JavaScriptCore itself does not use a particular script.

            The output files additionally depend on all builtin generator script files
            and input files that are combined into the single header/implementation file.

        * DerivedSources.make:

            Define JavaScriptCore_SCRIPTS_DIR explicitly so the rule for code generation and
            shared file lists are identical between JavaScriptCore and WebCore.

            The output files additionally depend on all builtin generator script files
            and input files that are combined into the single header/implementation file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

            Mark the new builtins generator files as private headers so we can use them from
            WebCore.

        * Scripts/UpdateContents.py: Renamed from Source/JavaScriptCore/UpdateContents.py.
        * Scripts/builtins/__init__.py: Added.
        * Scripts/builtins/builtins.py: Added.
        * Scripts/builtins/builtins_generator.py: Added. This file contains the base generator.
        (WK_lcfirst):
        (WK_ucfirst):
        (BuiltinsGenerator):
        (BuiltinsGenerator.__init__):
        (BuiltinsGenerator.model):
        (BuiltinsGenerator.generate_license):
        (BuiltinsGenerator.generate_includes_from_entries):
        (BuiltinsGenerator.generate_output):
        (BuiltinsGenerator.output_filename):
        (BuiltinsGenerator.mangledNameForFunction):
        (BuiltinsGenerator.mangledNameForFunction.toCamel):
        (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
        * Scripts/builtins/builtins_model.py: Added. This file contains builtins model objects.
        (ParseException):
        (Framework):
        (Framework.__init__):
        (Framework.setting):
        (Framework.fromString):
        (Frameworks):
        (BuiltinObject):
        (BuiltinObject.__init__):
        (BuiltinFunction):
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        (BuiltinFunction.__str__):
        (BuiltinsCollection):
        (BuiltinsCollection.__init__):
        (BuiltinsCollection.parse_builtins_file):
        (BuiltinsCollection.copyrights):
        (BuiltinsCollection.all_functions):
        (BuiltinsCollection._parse_copyright_lines):
        (BuiltinsCollection._parse_functions):
        * Scripts/builtins/builtins_templates.py: Added.
        (BuiltinsGeneratorTemplates):
        * Scripts/builtins/builtins_generate_combined_header.py: Added.
        (BuiltinsCombinedHeaderGenerator):
        (BuiltinsCombinedHeaderGenerator.__init__):
        (BuiltinsCombinedHeaderGenerator.output_filename):
        (BuiltinsCombinedHeaderGenerator.generate_output):
        (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
        (FunctionExecutable):
        (VM):
        (ConstructAbility):
        (generate_section_for_object):
        (generate_externs_for_object):
        (generate_macros_for_object):
        (generate_defines_for_object):
        (generate_section_for_code_table_macro):
        (generate_section_for_code_name_macro):
        * Scripts/builtins/builtins_generate_combined_implementation.py: Added.
        (BuiltinsCombinedImplementationGenerator):
        (BuiltinsCombinedImplementationGenerator.__init__):
        (BuiltinsCombinedImplementationGenerator.output_filename):
        (BuiltinsCombinedImplementationGenerator.generate_output):
        (BuiltinsCombinedImplementationGenerator.generate_header_includes):
        * Scripts/builtins/builtins_generate_separate_header.py: Added.
        (BuiltinsSeparateHeaderGenerator):
        (BuiltinsSeparateHeaderGenerator.__init__):
        (BuiltinsSeparateHeaderGenerator.output_filename):
        (BuiltinsSeparateHeaderGenerator.macro_prefix):
        (BuiltinsSeparateHeaderGenerator.generate_output):
        (BuiltinsSeparateHeaderGenerator.generate_forward_declarations):
        (FunctionExecutable):
        (generate_header_includes):
        (generate_section_for_object):
        (generate_externs_for_object):
        (generate_macros_for_object):
        (generate_defines_for_object):
        (generate_section_for_code_table_macro):
        (generate_section_for_code_name_macro):
        * Scripts/builtins/builtins_generate_separate_implementation.py: Added.
        (BuiltinsSeparateImplementationGenerator):
        (BuiltinsSeparateImplementationGenerator.__init__):
        (BuiltinsSeparateImplementationGenerator.output_filename):
        (BuiltinsSeparateImplementationGenerator.macro_prefix):
        (BuiltinsSeparateImplementationGenerator.generate_output):
        (BuiltinsSeparateImplementationGenerator.generate_header_includes):
        * Scripts/builtins/builtins_generate_separate_wrapper.py: Added.
        (BuiltinsSeparateWrapperGenerator):
        (BuiltinsSeparateWrapperGenerator.__init__):
        (BuiltinsSeparateWrapperGenerator.output_filename):
        (BuiltinsSeparateWrapperGenerator.macro_prefix):
        (BuiltinsSeparateWrapperGenerator.generate_output):
        (BuiltinsSeparateWrapperGenerator.generate_header_includes):
        * Scripts/generate-js-builtins.py: Added.

            Parse command line options, decide which generators and output modes to use.

        (generate_bindings_for_builtins_files):
        * Scripts/lazywriter.py: Copied from the inspector protocol generator.
        (LazyFileWriter):
        (LazyFileWriter.__init__):
        (LazyFileWriter.write):
        (LazyFileWriter.close):
        * Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Combined.js: Added.
        * Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Separate.js: Added.
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js: Added.
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js: Added.
        * Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Combined.js: Added.
        * Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Separate.js: Added.
        * Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js: Added.
        * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js: Added.
        * Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js: Added.
        * Scripts/tests/builtins/WebCore-xmlCasingTest-Separate.js: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Added.
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        * builtins/BuiltinExecutables.h:
        * create_hash_table:

            Update the generated builtin macro names.

        * generate-js-builtins: Removed.

2015-10-21  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove FTL Native Inlining, it is dead code
        https://bugs.webkit.org/show_bug.cgi?id=150429

        Reviewed by Filip Pizlo.

        The code is not used and it is in the way of other changes.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::getFirstInstruction): Deleted.
        (JSC::FTL::getNextInstruction): Deleted.
        (JSC::FTL::getFirstBasicBlock): Deleted.
        (JSC::FTL::getNextBasicBlock): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::isInlinableSize): Deleted.
        * runtime/Options.h:

2015-10-21  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove two useless temporaries from the PutByOffset codegen
        https://bugs.webkit.org/show_bug.cgi?id=150421

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        Looks like they were added by accident in r160796.

2015-10-21  Filip Pizlo  <fpizlo@apple.com>

        Factor out the graph node worklists from DFG into WTF
        https://bugs.webkit.org/show_bug.cgi?id=150411

        Reviewed by Geoffrey Garen.

        Rewrite the DFGBlockWorklist.h file as a bunch of typedefs and aliases for things in
        wtf/GraphNodeWorklist.h. Most users won't notice, except that some small things got
        renamed. For example PreOrder becomes VisitOrder::Pre and item.block becomes item.node.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBlockWorklist.cpp: Removed.
        * dfg/DFGBlockWorklist.h:
        (JSC::DFG::BlockWorklist::notEmpty): Deleted.
        (JSC::DFG::BlockWith::BlockWith): Deleted.
        (JSC::DFG::BlockWith::operator bool): Deleted.
        (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist): Deleted.
        (JSC::DFG::ExtendedBlockWorklist::forcePush): Deleted.
        (JSC::DFG::ExtendedBlockWorklist::push): Deleted.
        (JSC::DFG::ExtendedBlockWorklist::notEmpty): Deleted.
        (JSC::DFG::ExtendedBlockWorklist::pop): Deleted.
        (JSC::DFG::BlockWithOrder::BlockWithOrder): Deleted.
        (JSC::DFG::BlockWithOrder::operator bool): Deleted.
        (JSC::DFG::PostOrderBlockWorklist::push): Deleted.
        (JSC::DFG::PostOrderBlockWorklist::notEmpty): Deleted.
        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::compute):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::blocksInPostOrder):
        * dfg/DFGPrePostNumbering.cpp:
        (JSC::DFG::PrePostNumbering::compute):

2015-10-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        [INTL] Implement Intl.Collator.prototype.resolvedOptions()
        https://bugs.webkit.org/show_bug.cgi?id=147601

        Reviewed by Benjamin Poulain.

        This patch implements Intl.Collator.prototype.resolvedOptions() according
        to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
        It also implements the abstract operations InitializeCollator, ResolveLocale,
        LookupMatcher, and BestFitMatcher.

        * runtime/CommonIdentifiers.h:
        * runtime/IntlCollator.h:
        (JSC::IntlCollator::usage):
        (JSC::IntlCollator::setUsage):
        (JSC::IntlCollator::locale):
        (JSC::IntlCollator::setLocale):
        (JSC::IntlCollator::collation):
        (JSC::IntlCollator::setCollation):
        (JSC::IntlCollator::numeric):
        (JSC::IntlCollator::setNumeric):
        (JSC::IntlCollator::sensitivity):
        (JSC::IntlCollator::setSensitivity):
        (JSC::IntlCollator::ignorePunctuation):
        (JSC::IntlCollator::setIgnorePunctuation):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::sortLocaleData):
        (JSC::searchLocaleData):
        (JSC::initializeCollator):
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):
        (JSC::getIntlBooleanOption):
        (JSC::getIntlStringOption):
        (JSC::removeUnicodeLocaleExtension):
        (JSC::lookupMatcher):
        (JSC::bestFitMatcher):
        (JSC::resolveLocale):
        (JSC::lookupSupportedLocales):
        * runtime/IntlObject.h:
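The abstract operations named in the entry above (removeUnicodeLocaleExtension, LookupMatcher, ResolveLocale), written out in JavaScript as an added example that is not JSC's IntlObject.cpp code. It follows the ECMA-402 2nd edition algorithms; BestFitMatcher is assumed to fall back to LookupMatcher, as the spec permits, and the available locales, locale data and default locale "en" are constructed for the example.

```javascript
// Constructed for this example: available locales, the default locale, and
// per-locale data for the Collator-relevant extension keys "co" (collation)
// and "kn" (numeric). The first entry of each list is the locale's default.
const DEFAULT_LOCALE = 'en';
const AVAILABLE_LOCALES = ['en', 'en-US', 'de', 'de-DE'];
const LOCALE_DATA = {
  'en':    { co: ['default'], kn: ['false', 'true'] },
  'en-US': { co: ['default'], kn: ['false', 'true'] },
  'de':    { co: ['default', 'phonebk'], kn: ['false', 'true'] },
  'de-DE': { co: ['default', 'phonebk'], kn: ['false', 'true'] },
};

// ECMA-402 6.2.1 style: strip a "-u-..." Unicode extension sequence. Subtags are
// 2-8 alphanumerics, so a following singleton such as "-x-..." ends the sequence.
function removeUnicodeLocaleExtension(locale) {
  const m = /-u(?:-[a-z0-9]{2,8})+/i.exec(locale);
  if (!m) return { noExtensionsLocale: locale };
  return {
    noExtensionsLocale: locale.slice(0, m.index) + locale.slice(m.index + m[0].length),
    extension: m[0],
    extensionIndex: m.index,
  };
}

// ECMA-402 9.2.2 BestAvailableLocale: walk the language tag towards its prefix.
function bestAvailableLocale(availableLocales, locale) {
  let candidate = locale;
  for (;;) {
    if (availableLocales.includes(candidate)) return candidate;
    let pos = candidate.lastIndexOf('-');
    if (pos === -1) return undefined;
    // Never leave a dangling singleton subtag like "-x" at the end.
    if (pos >= 2 && candidate[pos - 2] === '-') pos -= 2;
    candidate = candidate.slice(0, pos);
  }
}

// ECMA-402 9.2.3 LookupMatcher: first requested locale with an available prefix.
function lookupMatcher(availableLocales, requestedLocales) {
  for (const locale of requestedLocales) {
    const { noExtensionsLocale, extension, extensionIndex } = removeUnicodeLocaleExtension(locale);
    const availableLocale = bestAvailableLocale(availableLocales, noExtensionsLocale);
    if (availableLocale !== undefined) {
      const result = { locale: availableLocale };
      if (extension !== undefined) {
        result.extension = extension;
        result.extensionIndex = extensionIndex;
      }
      return result;
    }
  }
  return { locale: DEFAULT_LOCALE };
}

// ECMA-402 9.2.5 ResolveLocale: pick values for each relevant extension key from
// the -u- extension and the options object, keeping only supported keywords in
// the resolved locale string. "best fit" is treated as "lookup" here (assumption).
function resolveLocale(availableLocales, requestedLocales, options, relevantExtensionKeys, localeData) {
  const r = lookupMatcher(availableLocales, requestedLocales);
  let foundLocale = r.locale;
  const extensionSubtags = r.extension !== undefined ? r.extension.split('-') : undefined;
  const result = {};
  let supportedExtension = '-u';
  for (const key of relevantExtensionKeys) {
    const keyLocaleData = localeData[foundLocale][key];
    let value = keyLocaleData[0];
    let supportedExtensionAddition = '';
    if (extensionSubtags !== undefined) {
      const keyPos = extensionSubtags.indexOf(key);
      if (keyPos !== -1) {
        if (keyPos + 1 < extensionSubtags.length && extensionSubtags[keyPos + 1].length > 2) {
          const requestedValue = extensionSubtags[keyPos + 1];
          if (keyLocaleData.includes(requestedValue)) {
            value = requestedValue;
            supportedExtensionAddition = '-' + key + '-' + value;
          }
        } else if (keyLocaleData.includes('true')) {
          value = 'true'; // bare keyword such as "-kn" means "true"
        }
      }
    }
    // An explicit option wins over the extension and drops it from the locale string.
    if (Object.prototype.hasOwnProperty.call(options, key)) {
      const optionsValue = options[key];
      if (keyLocaleData.includes(optionsValue) && optionsValue !== value) {
        value = optionsValue;
        supportedExtensionAddition = '';
      }
    }
    result[key] = value;
    supportedExtension += supportedExtensionAddition;
  }
  if (supportedExtension.length > 2) {
    const pre = foundLocale.slice(0, r.extensionIndex);
    const post = foundLocale.slice(r.extensionIndex);
    foundLocale = pre + supportedExtension + post;
  }
  result.locale = foundLocale;
  return result;
}

// What Intl.Collator.prototype.resolvedOptions() would report for this request.
function demo() {
  return resolveLocale(AVAILABLE_LOCALES, ['de-DE-u-co-phonebk-kn', 'en'], {}, ['co', 'kn'], LOCALE_DATA);
}
```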
2015-10-21  Saam barati  <sbarati@apple.com>

        C calls in PolymorphicAccess shouldn't assume that the top of the stack looks like a JSC JIT frame and enable *ByIdFlush in FTL
        https://bugs.webkit.org/show_bug.cgi?id=125711

        Reviewed by Filip Pizlo.

        This patch ensures that anytime we need to make a C call inside
        PolymorphicAccess, we ensure there is enough space on the stack to do so.

        This patch also enables GetByIdFlush/PutByIdFlush inside the FTL.
        Because PolymorphicAccess now spills the necessary registers
        before making a JS/C call, any registers that LLVM report as
        being in use for the patchpoint will be spilled before making
        a call by PolymorphicAccess.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::restoreScratch):
        (JSC::AccessGenerationState::succeed):
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitTypeOf):
        (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
        (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
        (JSC::RegisterSet::registersToNotSaveForJSCall):
        (JSC::RegisterSet::registersToNotSaveForCCall):
        (JSC::RegisterSet::allGPRs):
        (JSC::RegisterSet::registersToNotSaveForCall): Deleted.
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        These methods now take an extra parameter indicating if they
        should create space for a C call at the top of the stack if
        there are any reused registers to spill.

        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::usedRegisters):

2015-10-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Array previews with Symbol objects have too few preview values
        https://bugs.webkit.org/show_bug.cgi?id=150404

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
        We should be continuing inside this loop not returning.

2015-10-21  Filip Pizlo  <fpizlo@apple.com>

        Failures in PutStackSinkingPhase should be less severe
        https://bugs.webkit.org/show_bug.cgi?id=150400

        Reviewed by Geoffrey Garen.

        Make the PutStackSinkingPhase abort instead of asserting. To test that it's OK to not have
        PutStackSinkingPhase run, this adds a test mode where we run without PutStackSinkingPhase.

        * dfg/DFGPlan.cpp: Make it possible to not run PutStackSinkingPhase for tests.
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPutStackSinkingPhase.cpp: PutStackSinkingPhase should abort instead of asserting, except when validation is enabled.
        * runtime/Options.h: Add an option for disabling PutStackSinkingPhase.

2015-10-21  Saam barati  <sbarati@apple.com>

        The FTL should place the CallSiteIndex on the call frame for JS calls when it fills in the patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=150104

        Reviewed by Filip Pizlo.

        We lower JS Calls to patchpoints in LLVM. LLVM may decide to duplicate
        these patchpoints (or remove them). We eagerly store the CallSiteIndex on the
        call frame when lowering DFG to LLVM. But, because the patchpoint we lower to may
        be duplicated, we really don't know the unique CallSiteIndex until we've
        actually seen the resulting patchpoints after LLVM has completed its transformations.
        To solve this, we now store the unique CallSiteIndex on the call frame header
        when generating code to fill into the patchpoint.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit):
        * ftl/FTLJSCall.h:
        (JSC::FTL::JSCall::stackmapID):
        * ftl/FTLJSCallBase.cpp:
        (JSC::FTL::JSCallBase::JSCallBase):
        (JSC::FTL::JSCallBase::emit):
        (JSC::FTL::JSCallBase::link):
        * ftl/FTLJSCallBase.h:
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSCallVarargs.h:
        (JSC::FTL::JSCallVarargs::node):
        (JSC::FTL::JSCallVarargs::stackmapID):
        * ftl/FTLJSTailCall.cpp:
        (JSC::FTL::JSTailCall::JSTailCall):
        (JSC::FTL::m_instructionOffset):
        (JSC::FTL::JSTailCall::emit):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
        (JSC::FTL::DFG::LowerDFGToLLVM::codeOriginDescriptionOfCallSite):
        (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):

2015-10-21  Geoffrey Garen  <ggaren@apple.com>

        Date creation should share a little code
        https://bugs.webkit.org/show_bug.cgi?id=150399

        Reviewed by Filip Pizlo.

        I want to fix a bug in this code, but I don't want to fix it in two
        different places. (See https://bugs.webkit.org/show_bug.cgi?id=150386.)

        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        (JSC::milliseconds): Factored out a shared helper function. If you look
        closely, you'll see that one copy of this code previously checked isfinite
        while the other checked isnan. isnan returning nan was obviously a no-op,
        so I removed it. isfinite, it turns out, is also a no-op -- but less
        obviously so, so I kept it for now.

        (JSC::constructDate):
        (JSC::dateUTC): Use the helper function.

2015-10-21  Guillaume Emont  <guijemont@igalia.com>

        llint: align stack pointer on mips too

        [MIPS] LLInt: align stack pointer on MIPS too
        https://bugs.webkit.org/show_bug.cgi?id=150380

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter32_64.asm:

2015-10-20  Mark Lam  <mark.lam@apple.com>

        YarrPatternConstructor::containsCapturingTerms() should not assume that its terms.size() is greater than 0.
        https://bugs.webkit.org/show_bug.cgi?id=150372

        Reviewed by Geoffrey Garen.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
        (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
        (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):

2015-10-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r191175): OSR Exit from an inlined tail callee trashes callee save registers
        https://bugs.webkit.org/show_bug.cgi?id=150336

        Reviewed by Mark Lam.

        During OSR exit, we need to restore and transform the active stack into what the baseline
        JIT expects.  Inlined call frames become true call frames.  When we reify an inlined call
        frame and it is a tail call which we will be continuing from, we need to restore the tag
        constant callee save registers with what was saved by the outermost caller.

        Re-enabled tail calls and restored tests for tail calls.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames): Select whether or not we use the callee save tag register
        contents or what was saved by the inlining caller when populating an inlined callee's
        callee save registers.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitSaveCalleeSavesFor): This function no longer needs a stack offset.
        (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor): New helper.
        * runtime/Options.h: Turned tail calls back on.
        * tests/es6.yaml:
        * tests/stress/dfg-tail-calls.js:
        (nonInlinedTailCall.callee):
        * tests/stress/mutual-tail-call-no-stack-overflow.js:
        (shouldThrow):
        * tests/stress/tail-call-in-inline-cache.js:
        (tail):
        * tests/stress/tail-call-no-stack-overflow.js:
        (shouldThrow):
        * tests/stress/tail-call-recognize.js:
        (callerMustBeRun):
        * tests/stress/tail-call-varargs-no-stack-overflow.js:
        (shouldThrow):

2015-10-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JavaScriptCore should parse sourceURL and sourceMappingURL directives
        https://bugs.webkit.org/show_bug.cgi?id=150096

        Reviewed by Geoffrey Garen.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::scriptCommentPattern): Deleted.
        (Inspector::ContentSearchUtilities::findScriptSourceURL): Deleted.
        (Inspector::ContentSearchUtilities::findScriptSourceMapURL): Deleted.
        * inspector/ContentSearchUtilities.h:
        No longer need to search script content.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        Carry over the sourceURL and sourceMappingURL from the SourceProvider.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        No longer do content searching.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::setCode):
        (JSC::Lexer<T>::skipWhitespace):
        (JSC::Lexer<T>::parseCommentDirective):
        (JSC::Lexer<T>::parseCommentDirectiveValue):
        (JSC::Lexer<T>::consume):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURL):
        (JSC::Lexer::sourceMappingURL):
        (JSC::Lexer::sourceProvider): Deleted.
        Give lexer the ability to detect script comment directives.
        This just consumes characters in single line comments and
        ultimately sets the sourceURL or sourceMappingURL found.

        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::url):
        (JSC::SourceProvider::sourceURL):
        (JSC::SourceProvider::sourceMappingURL):
        (JSC::SourceProvider::setSourceURL):
        (JSC::SourceProvider::setSourceMappingURL):
        After parsing a script, update the Source Provider with the
        value of directives that may have been found in the script.
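The directive detection described in the entry above, as an added JavaScript example that is not JSC's Lexer code: a small scanner that finds `sourceURL=` and `sourceMappingURL=` directives in `//#` and `//@` single-line comments, in the spirit of parseCommentDirective and parseCommentDirectiveValue. Doing this in the lexer rather than with a regex over the whole script means a directive inside a string literal or block comment is not honoured, and, as the entry says, the last directive found wins. Template and regex literals are not handled (assumption: the constructed sample avoids them).

```javascript
const DIRECTIVE_NAMES = ['sourceURL', 'sourceMappingURL'];

function isLineTerminator(ch) {
  return ch === '\n' || ch === '\r' || ch === '\u2028' || ch === '\u2029';
}

// Parse the body of one single-line comment (the text after "//").
// Returns { name, value } for a directive, otherwise null.
function parseCommentDirective(comment) {
  // Directive comments start with "#" or "@" right after "//".
  if (comment[0] !== '#' && comment[0] !== '@') return null;
  let i = 1;
  while (i < comment.length && (comment[i] === ' ' || comment[i] === '\t')) i++;
  for (const name of DIRECTIVE_NAMES) {
    const prefix = name + '=';
    if (comment.startsWith(prefix, i)) {
      // The value runs until whitespace or the end of the comment.
      let j = i + prefix.length;
      let value = '';
      while (j < comment.length && !/\s/.test(comment[j])) value += comment[j++];
      return value ? { name, value } : null;
    }
  }
  return null;
}

// Scan a script the way a lexer would: skip string literals and block comments,
// inspect every single-line comment, and keep the last directive of each kind.
function findCommentDirectives(source) {
  const result = { sourceURL: null, sourceMappingURL: null };
  const n = source.length;
  let i = 0;
  while (i < n) {
    const ch = source[i];
    if (ch === '"' || ch === "'") {
      // Skip a string literal, honouring backslash escapes; a "//" inside it is data.
      const quote = ch;
      i++;
      while (i < n && source[i] !== quote && !isLineTerminator(source[i])) {
        if (source[i] === '\\') i++;
        i++;
      }
      i++;
      continue;
    }
    if (ch === '/' && source[i + 1] === '*') {
      // Block comments are not directive carriers; skip to the closing "*/".
      const end = source.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2;
      continue;
    }
    if (ch === '/' && source[i + 1] === '/') {
      let j = i + 2;
      while (j < n && !isLineTerminator(source[j])) j++;
      const directive = parseCommentDirective(source.slice(i + 2, j));
      if (directive) result[directive.name] = directive.value; // last one wins
      i = j;
      continue;
    }
    i++;
  }
  return result;
}

// Constructed sample script (not from the page): the first two lines must be
// ignored, the legacy "//@" form is accepted, and the later "//#" sourceURL wins.
const SAMPLE_SCRIPT = [
  'var s = "//# sourceURL=not-a-directive.js";',
  '/* //# sourceMappingURL=inside-block-comment.map */',
  'function f() { return 1; }',
  '//@ sourceURL=legacy.js',
  '//# sourceURL=app.js',
  '//# sourceMappingURL=app.js.map',
].join('\n');

function demo() {
  return findCommentDirectives(SAMPLE_SCRIPT);
}
```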

2015-10-20  Saam barati  <sbarati@apple.com>

        GCAwareJITStubRoutineWithExceptionHandler has a stale CodeBlock pointer in its destructor
        https://bugs.webkit.org/show_bug.cgi?id=150351

        Reviewed by Mark Lam.

        We may regenerate many GCAwareJITStubRoutineWithExceptionHandler stubs per one PolymorphicAccess.
        Only the last GCAwareJITStubRoutineWithExceptionHandler stub that was generated will get the CodeBlock's aboutToDie()
        notification. All other GCAwareJITStubRoutineWithExceptionHandler stubs will still be holding a stale CodeBlock pointer
        that they will use in their destructor. The solution is to have GCAwareJITStubRoutineWithExceptionHandler remove its
        exception handler in observeZeroRefCount() instead of its destructor. observeZeroRefCount() will run when a PolymorphicAccess
        replaces its m_stubRoutine.

        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
        (JSC::createJITStubRoutine):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler): Deleted.
        * jit/GCAwareJITStubRoutine.h:

610 2015-10-20  Tim Horton  <timothy_horton@apple.com>
611
612         Try to fix the build by disabling MAC_GESTURE_EVENTS on 10.9 and 10.10
613
614         * Configurations/FeatureDefines.xcconfig:
615
616 2015-10-20  Xabier Rodriguez Calvar  <calvaris@igalia.com>
617
618         [Streams API] Rework some readable stream internals that can be common to writable streams
619         https://bugs.webkit.org/show_bug.cgi?id=150133
620
621         Reviewed by Darin Adler.
622
623         * runtime/CommonIdentifiers.h:
624         * runtime/JSGlobalObject.cpp:
625         (JSC::JSGlobalObject::init): Added RangeError also as native functions.
626
627 2015-10-20  Yoav Weiss  <yoav@yoav.ws>
628
629         Rename the PICTURE_SIZES flag to CURRENTSRC
630         https://bugs.webkit.org/show_bug.cgi?id=150275
631
632         Reviewed by Dean Jackson.
633
634         * Configurations/FeatureDefines.xcconfig:
635
636 2015-10-19  Saam barati  <sbarati@apple.com>
637
638         FTL should generate a unique OSR exit for each duplicated OSR exit stackmap intrinsic.
639         https://bugs.webkit.org/show_bug.cgi?id=149970
640
641         Reviewed by Filip Pizlo.
642
643         When we lower DFG to LLVM, we generate a stackmap intrinsic for OSR 
644         exits. We also recorded the OSR exit inside FTL::JITCode during lowering.
645         This stackmap intrinsic may be duplicated or even removed by LLVM.
646         When the stackmap intrinsic is duplicated, we used to generate just
647         a single OSR exit data structure. Then, when we compiled an OSR exit, we 
648         would look for the first record in the record list that had the same stackmap ID
649         as what the OSR exit data structure had. We did this even when the OSR exit
650         stackmap intrinsic was duplicated. This would lead us to grab the wrong FTL::StackMaps::Record.
651
652         Now, each OSR exit knows exactly which FTL::StackMaps::Record it corresponds to.
653         We accomplish this by having an OSRExitDescriptor that is recorded during
654         lowering. Each descriptor may be referenced by zero, one, or more OSRExits.
655         Now, no more than one stackmap intrinsic corresponds to the same index inside 
656         JITCode's OSRExit Vector. Also, each OSRExit jump now jumps to a code location.
657
658         * ftl/FTLCompile.cpp:
659         (JSC::FTL::mmAllocateDataSection):
660         * ftl/FTLJITCode.cpp:
661         (JSC::FTL::JITCode::validateReferences):
662         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
663         * ftl/FTLJITCode.h:
664         * ftl/FTLJITFinalizer.cpp:
665         (JSC::FTL::JITFinalizer::finalizeFunction):
666         * ftl/FTLLowerDFGToLLVM.cpp:
667         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
668         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
669         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
670         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
671         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
672         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap):
673         * ftl/FTLOSRExit.cpp:
674         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
675         (JSC::FTL::OSRExitDescriptor::validateReferences):
676         (JSC::FTL::OSRExit::OSRExit):
677         (JSC::FTL::OSRExit::codeLocationForRepatch):
678         (JSC::FTL::OSRExit::validateReferences): Deleted.
679         * ftl/FTLOSRExit.h:
680         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
681         * ftl/FTLOSRExitCompilationInfo.h:
682         (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
683         * ftl/FTLOSRExitCompiler.cpp:
684         (JSC::FTL::compileStub):
685         (JSC::FTL::compileFTLOSRExit):
686         * ftl/FTLStackMaps.cpp:
687         (JSC::FTL::StackMaps::computeRecordMap):
688         * ftl/FTLStackMaps.h:
689
690 2015-10-16  Brian Burg  <bburg@apple.com>
691
692         Unify handling of JavaScriptCore scripts that are used in WebCore
693         https://bugs.webkit.org/show_bug.cgi?id=150245
694
695         Reviewed by Alex Christensen.
696
697         Move all standalone JavaScriptCore scripts that are used by WebCore into the
698         JavaScriptCore/Scripts directory. Use JavaScriptCore_SCRIPTS_DIR to refer
699         to the path for these scripts.
700
701         * DerivedSources.make:
702
703             Define and use JavaScriptCore_SCRIPTS_DIR.
704
705         * JavaScriptCore.xcodeproj/project.pbxproj:
706
707             Make a new group in the Xcode project and clean up references.
708
709         * PlatformWin.cmake:
710
711             For Windows, copy these scripts over to ForwardingHeaders/Scripts since they
712             cannot be used directly from JAVASCRIPTCORE_DIR in AppleWin builds. Do the same
713             thing for both Windows variants to be consistent about it.
714
715         * Scripts/cssmin.py: Renamed from Source/JavaScriptCore/inspector/scripts/cssmin.py.
716         * Scripts/generate-combined-inspector-json.py: Renamed from Source/JavaScriptCore/inspector/scripts/generate-combined-inspector-json.py.
717         * Scripts/generate-js-builtins: Renamed from Source/JavaScriptCore/generate-js-builtins.
718         * Scripts/inline-and-minify-stylesheets-and-scripts.py: Renamed from Source/JavaScriptCore/inspector/scripts/inline-and-minify-stylesheets-and-scripts.py.
719         * Scripts/jsmin.py: Renamed from Source/JavaScriptCore/inspector/scripts/jsmin.py.
720         * Scripts/xxd.pl: Renamed from Source/JavaScriptCore/inspector/scripts/xxd.pl.
721
722 2015-10-19  Tim Horton  <timothy_horton@apple.com>
723
724         Try to fix the iOS build
725
726         * Configurations/FeatureDefines.xcconfig:
727
728 2015-10-17  Keith Miller  <keith_miller@apple.com>
729
730         Add regression tests for TypedArray.prototype functions' error messages.
731         https://bugs.webkit.org/show_bug.cgi?id=150288
732
733         Reviewed by Darin Adler.
734
735         Fix a typo in the text passed by the TypedArray.prototype.filter type error message.
736         Add tests that check the actual error message text for all the TypedArray.prototype
737         functions that throw.
738
739         * builtins/TypedArray.prototype.js:
740         (filter):
741         * tests/stress/typedarray-every.js:
742         * tests/stress/typedarray-filter.js:
743         * tests/stress/typedarray-find.js:
744         * tests/stress/typedarray-findIndex.js:
745         * tests/stress/typedarray-forEach.js:
746         * tests/stress/typedarray-map.js:
747         * tests/stress/typedarray-reduce.js:
748         * tests/stress/typedarray-reduceRight.js:
749         * tests/stress/typedarray-some.js:
750
751 2015-10-19  Tim Horton  <timothy_horton@apple.com>
752
753         Add magnify and rotate gesture event support for Mac
754         https://bugs.webkit.org/show_bug.cgi?id=150179
755         <rdar://problem/8036240>
756
757         Reviewed by Darin Adler.
758
759         * Configurations/FeatureDefines.xcconfig:
760         New feature flag.
761
762 2015-10-19  Csaba Osztrogonác  <ossy@webkit.org>
763
764         Fix the ENABLE(WEBASSEMBLY) build after r190827
765         https://bugs.webkit.org/show_bug.cgi?id=150330
766
767         Reviewed by Geoffrey Garen.
768
769         * bytecode/CodeBlock.cpp:
770         (JSC::CodeBlock::CodeBlock): Removed the duplicated VM argument.
771         * bytecode/CodeBlock.h:
772         (JSC::WebAssemblyCodeBlock::create): Added new parameters to finishCreation() calls.
773         (JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Change VM parameter to pointer to match *CodeBlock classes.
774         * runtime/Executable.cpp:
775         (JSC::WebAssemblyExecutable::prepareForExecution): Removed extra ")" and pass pointer as it is expected.
776
777 2015-10-19  Mark Lam  <mark.lam@apple.com>
778
779         DoubleRep fails to convert SpecBoolean values.
780         https://bugs.webkit.org/show_bug.cgi?id=150313
781
782         Reviewed by Geoffrey Garen.
783
784         This was uncovered by the op_sub stress test on 32-bit builds.  On 32-bit builds,
785         DoubleRep will erroneously convert 'true' to a 'NaN' instead of a double 1.
786         On 64-bit, the same issue exists but is masked by another bug in DoubleRep where
787         boolean values will always erroneously trigger a BadType OSR exit.
788
789         The erroneous conversion of 'true' to 'NaN' is because the 'true' case in
790         compileDoubleRep() is missing a jump to the "done" destination.  Instead, it
791         falls through to the "isUndefined" case where it produces a NaN.
792
793         The 64-bit erroneous BadType OSR exit is due to the boolean type check being
794         implemented incorrectly.  It was checking if any bits other than bit 0 were set.
795         However, boolean JS values always have TagBitBool (the 3rd bit) set.  Hence, the
796         check will always fail if we have a boolean value.
797
798         This patch fixes both of these issues.
799
800         No new test is needed because these issues are already covered by scenarios in
801         the op_sub.js stress test.  This patch also fixes the op_sub.js test to throw an
802         exception if any failures are encountered (as expected by the stress test
803         harness).  This patch also re-worked the test code to provide more accurate
804         descriptions of each test scenario for error reporting.
805
806         * dfg/DFGSpeculativeJIT.cpp:
807         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
808
809         * tests/stress/op_sub.js:
810         (generateScenarios):
811         (func):
812         (initializeTestCases):
813         (runTest):
814         (stringify): Deleted.
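
        The two DoubleRep defects described in this entry, as an added C model that is not part of the patch: the tag-bit constants are my recollection of JSC's 64-bit JSValue encoding and are an assumption of the example, and null is left out of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <math.h>
#include <stdio.h>

/* 64-bit JSValue tag bits, written from memory of JSC's encoding (an assumption of this
 * example, not taken from the ChangeLog): non-numbers carry TagBitTypeOther, and booleans
 * additionally carry TagBitBool with the boolean payload in bit 0. */
typedef uint64_t EncodedJSValue;
#define TAG_BIT_TYPE_OTHER 0x2ULL
#define TAG_BIT_BOOL       0x4ULL
#define TAG_BIT_UNDEFINED  0x8ULL
#define VALUE_FALSE     (TAG_BIT_TYPE_OTHER | TAG_BIT_BOOL | 0ULL)   /* 0x6 */
#define VALUE_TRUE      (TAG_BIT_TYPE_OTHER | TAG_BIT_BOOL | 1ULL)   /* 0x7 */
#define VALUE_UNDEFINED (TAG_BIT_TYPE_OTHER | TAG_BIT_UNDEFINED)     /* 0xa */

/* The 64-bit check described in the entry: "is any bit other than bit 0 set?". Every
 * boolean has TagBitBool (and TagBitTypeOther) set, so this rejects true and false alike. */
static bool buggy_is_boolean(EncodedJSValue v)
{
    return (v & ~1ULL) == 0;
}

/* Corrected check: strip the ValueFalse tag pattern first; a boolean then has at most
 * bit 0 left. */
static bool fixed_is_boolean(EncodedJSValue v)
{
    return ((v ^ VALUE_FALSE) & ~1ULL) == 0;
}

typedef enum { CONV_OK, CONV_BAD_TYPE } ConvResult;

/* A C model of the non-number path of compileDoubleRep(). The labels mirror the JIT's
 * basic blocks; 'has_done_jump' models whether the 'true' case jumps to "done" or falls
 * through into the "isUndefined" block, and 'is_boolean' is the type check that guards
 * the boolean cases. */
static ConvResult double_rep(EncodedJSValue v, bool (*is_boolean)(EncodedJSValue),
                             bool has_done_jump, double* out)
{
    if (v == VALUE_UNDEFINED)
        goto is_undefined;
    if (!is_boolean(v))
        return CONV_BAD_TYPE;            /* the BadType OSR exit */
    if (v == VALUE_FALSE) {
        *out = 0.0;
        goto done;
    }
    *out = 1.0;                           /* the 'true' case */
    if (has_done_jump)
        goto done;
    /* Missing jump: control runs into the next block and overwrites the 1.0. */
is_undefined:
    *out = NAN;
done:
    return CONV_OK;
}

/* 32-bit shape of the bug: the boolean check is right, but true is converted to NaN. */
static ConvResult double_rep_32bit_before_fix(EncodedJSValue v, double* out)
{
    return double_rep(v, fixed_is_boolean, false, out);
}

/* 64-bit shape: the broken tag test exits on every boolean, which hides the fall-through. */
static ConvResult double_rep_64bit_before_fix(EncodedJSValue v, double* out)
{
    return double_rep(v, buggy_is_boolean, false, out);
}

/* After the patch: correct tag test and the jump to "done" in place. */
static ConvResult double_rep_after_fix(EncodedJSValue v, double* out)
{
    return double_rep(v, fixed_is_boolean, true, out);
}

int main(void)
{
    double d = 0;
    ConvResult r = double_rep_32bit_before_fix(VALUE_TRUE, &d);
    printf("32-bit before fix: true -> %s %g\n", r == CONV_OK ? "ok" : "BadType", d);
    r = double_rep_64bit_before_fix(VALUE_TRUE, &d);
    printf("64-bit before fix: true -> %s\n", r == CONV_OK ? "ok" : "BadType");
    r = double_rep_after_fix(VALUE_TRUE, &d);
    printf("after fix:         true -> %s %g\n", r == CONV_OK ? "ok" : "BadType", d);
    return 0;
}
```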
815
816 2015-10-19  Yusuke Suzuki  <utatane.tea@gmail.com>
817
818         Drop !newTarget check since it always becomes true
819         https://bugs.webkit.org/show_bug.cgi?id=150308
820
821         Reviewed by Geoffrey Garen.
822
823         In a context of calling a constructor, `newTarget` should not become JSEmpty.
824         So `!newTarget` always becomes true. This patch drops this unnecessary check.
825         And to ensure the implementation of the constructor is only called under
826         the context of calling it as a constructor, we change these functions to
827         static and only use them for constructor implementations of InternalFunction.
828
829         * runtime/IntlCollatorConstructor.cpp:
830         (JSC::constructIntlCollator):
831         (JSC::callIntlCollator):
832         * runtime/IntlCollatorConstructor.h:
833         * runtime/IntlDateTimeFormatConstructor.cpp:
834         (JSC::constructIntlDateTimeFormat):
835         (JSC::callIntlDateTimeFormat):
836         * runtime/IntlDateTimeFormatConstructor.h:
837         * runtime/IntlNumberFormatConstructor.cpp:
838         (JSC::constructIntlNumberFormat):
839         (JSC::callIntlNumberFormat):
840         * runtime/IntlNumberFormatConstructor.h:
841         * runtime/JSPromiseConstructor.cpp:
842         (JSC::constructPromise):
843
844 2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
845
846         Promise constructor should throw when not called with "new"
847         https://bugs.webkit.org/show_bug.cgi?id=149380
848
849         Reviewed by Darin Adler.
850
851         Implement handling of new.target in the Promise constructor, and
852         prohibit calling the Promise constructor without "new".
853
854         * runtime/JSPromiseConstructor.cpp:
855         (JSC::constructPromise):
856         (JSC::callPromise):
857         (JSC::JSPromiseConstructor::getCallData):
858         * tests/es6.yaml:
859         * tests/stress/promise-cannot-be-called.js: Added.
860         (shouldBe):
861         (shouldThrow):
862         (Deferred):
863         (super):
864
865 2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
866
867         [ES6] Handle asynchronous tests in tests/es6
868         https://bugs.webkit.org/show_bug.cgi?id=150293
869
870         Reviewed by Darin Adler.
871
872         Since JSC can handle microtasks, some of the ES6 Promise tests can be executed under the JSC shell.
873         Some of them still fail because they use setTimeout, which invokes macrotasks with an explicit delay.
874
875         * tests/es6.yaml:
876         * tests/es6/Promise_Promise.all.js:
877         (test.asyncTestPassed):
878         (test):
879         * tests/es6/Promise_Promise.all_generic_iterables.js:
880         (test.asyncTestPassed):
881         (test):
882         * tests/es6/Promise_Promise.race.js:
883         (test.asyncTestPassed):
884         (test):
885         * tests/es6/Promise_Promise.race_generic_iterables.js:
886         (test.asyncTestPassed):
887         (test):
888         * tests/es6/Promise_basic_functionality.js:
889         (test.asyncTestPassed):
890         (test):
891         * tests/es6/Promise_is_subclassable_Promise.all.js:
892         (test.asyncTestPassed):
893         (test):
894         * tests/es6/Promise_is_subclassable_Promise.race.js:
895         (test.asyncTestPassed):
896         (test):
897         * tests/es6/Promise_is_subclassable_basic_functionality.js:
898         (test.asyncTestPassed):
899         (test):
900
901 2015-10-18  Sungmann Cho  <sungmann.cho@navercorp.com>
902
903         [Win] Fix the Windows builds.
904         https://bugs.webkit.org/show_bug.cgi?id=150300
905
906         Reviewed by Darin Adler.
907
908         Add missing files to JavaScriptCore.vcxproj.
909
910         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
911         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
912
913 2015-10-17  Filip Pizlo  <fpizlo@apple.com>
914
915         Fix some generational heap growth pathologies
916         https://bugs.webkit.org/show_bug.cgi?id=150270
917
918         Reviewed by Andreas Kling.
919
920         When doing generational copying, we would pretend that the size of old space was increased
921         just by the amount of bytes we copied. In reality, it would be increased by the number of
922         bytes used by the copied blocks we created. This is a larger number, and in some simple
923         pathological programs, the difference can be huge.
924
925         Fixing this bug was relatively easy, and the only really meaningful change here is in
926         Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
927         add some debugging code and I had to refactor some stuff so that it made more sense.
928
929         This change does obviate the need for m_totalBytesCopied, because we no longer use it in
930         release builds to decide how much heap we are using at the end of collection. But I added a
931         FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
932         now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.
933
934         Relanding with build fix.
935
936         * CMakeLists.txt:
937         * JavaScriptCore.xcodeproj/project.pbxproj:
938         * heap/CopiedBlock.cpp: Added.
939         (JSC::CopiedBlock::createNoZeroFill):
940         (JSC::CopiedBlock::destroy):
941         (JSC::CopiedBlock::create):
942         (JSC::CopiedBlock::zeroFillWilderness):
943         (JSC::CopiedBlock::CopiedBlock):
944         * heap/CopiedBlock.h:
945         (JSC::CopiedBlock::didSurviveGC):
946         (JSC::CopiedBlock::createNoZeroFill): Deleted.
947         (JSC::CopiedBlock::destroy): Deleted.
948         (JSC::CopiedBlock::create): Deleted.
949         (JSC::CopiedBlock::zeroFillWilderness): Deleted.
950         (JSC::CopiedBlock::CopiedBlock): Deleted.
951         * heap/CopiedSpaceInlines.h:
952         (JSC::CopiedSpace::startedCopying):
953         * heap/Heap.cpp:
954         (JSC::Heap::updateObjectCounts):
955         (JSC::Heap::resetVisitors):
956         (JSC::Heap::capacity):
957         (JSC::Heap::protectedGlobalObjectCount):
958         (JSC::Heap::collectImpl):
959         (JSC::Heap::willStartCollection):
960         (JSC::Heap::updateAllocationLimits):
961         (JSC::Heap::didFinishCollection):
962         (JSC::Heap::sizeAfterCollect): Deleted.
963         * heap/Heap.h:
964         * heap/HeapInlines.h:
965         (JSC::Heap::shouldCollect):
966         (JSC::Heap::isBusy):
967         (JSC::Heap::collectIfNecessaryOrDefer):
968         * heap/MarkedBlock.cpp:
969         (JSC::MarkedBlock::create):
970         (JSC::MarkedBlock::destroy):
971
972 2015-10-17  Commit Queue  <commit-queue@webkit.org>
973
974         Unreviewed, rolling out r191240.
975         https://bugs.webkit.org/show_bug.cgi?id=150281
976
977         Broke 32-bit builds (Requested by smfr on #webkit).
978
979         Reverted changeset:
980
981         "Fix some generational heap growth pathologies"
982         https://bugs.webkit.org/show_bug.cgi?id=150270
983         http://trac.webkit.org/changeset/191240
984
985 2015-10-17  Sungmann Cho  <sungmann.cho@navercorp.com>
986
987         [Win] Fix the Windows build.
988         https://bugs.webkit.org/show_bug.cgi?id=150278
989
990         Reviewed by Brent Fulgham.
991
992         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
993         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
994
995 2015-10-17  Mark Lam  <mark.lam@apple.com>
996
997         Fixed typos from r191224.
998
999         Not reviewed.
1000
1001         * jit/JITSubGenerator.h:
1002         (JSC::JITSubGenerator::generateFastPath):
1003
1004 2015-10-17  Filip Pizlo  <fpizlo@apple.com>
1005
1006         Fix some generational heap growth pathologies
1007         https://bugs.webkit.org/show_bug.cgi?id=150270
1008
1009         Reviewed by Andreas Kling.
1010
1011         When doing generational copying, we would pretend that the size of old space was increased
1012         just by the amount of bytes we copied. In reality, it would be increased by the number of
1013         bytes used by the copied blocks we created. This is a larger number, and in some simple
1014         pathological programs, the difference can be huge.
1015
1016         Fixing this bug was relatively easy, and the only really meaningful change here is in
1017         Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
1018         add some debugging code and I had to refactor some stuff so that it made more sense.
1019
1020         This change does obviate the need for m_totalBytesCopied, because we no longer use it in
1021         release builds to decide how much heap we are using at the end of collection. But I added a
1022         FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
1023         now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.
1024
1025         * CMakeLists.txt:
1026         * JavaScriptCore.xcodeproj/project.pbxproj:
1027         * heap/CopiedBlock.cpp: Added.
1028         (JSC::CopiedBlock::createNoZeroFill):
1029         (JSC::CopiedBlock::destroy):
1030         (JSC::CopiedBlock::create):
1031         (JSC::CopiedBlock::zeroFillWilderness):
1032         (JSC::CopiedBlock::CopiedBlock):
1033         * heap/CopiedBlock.h:
1034         (JSC::CopiedBlock::didSurviveGC):
1035         (JSC::CopiedBlock::createNoZeroFill): Deleted.
1036         (JSC::CopiedBlock::destroy): Deleted.
1037         (JSC::CopiedBlock::create): Deleted.
1038         (JSC::CopiedBlock::zeroFillWilderness): Deleted.
1039         (JSC::CopiedBlock::CopiedBlock): Deleted.
1040         * heap/CopiedSpaceInlines.h:
1041         (JSC::CopiedSpace::startedCopying):
1042         * heap/Heap.cpp:
1043         (JSC::Heap::updateObjectCounts):
1044         (JSC::Heap::resetVisitors):
1045         (JSC::Heap::capacity):
1046         (JSC::Heap::protectedGlobalObjectCount):
1047         (JSC::Heap::collectImpl):
1048         (JSC::Heap::willStartCollection):
1049         (JSC::Heap::updateAllocationLimits):
1050         (JSC::Heap::didFinishCollection):
1051         (JSC::Heap::sizeAfterCollect): Deleted.
1052         * heap/Heap.h:
1053         * heap/HeapInlines.h:
1054         (JSC::Heap::shouldCollect):
1055         (JSC::Heap::isBusy):
1056         (JSC::Heap::collectIfNecessaryOrDefer):
1057         * heap/MarkedBlock.cpp:
1058         (JSC::MarkedBlock::create):
1059         (JSC::MarkedBlock::destroy):
1060
1061 2015-10-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1062
1063         [ES6] Implement String.prototype.normalize
1064         https://bugs.webkit.org/show_bug.cgi?id=150094
1065
1066         Reviewed by Geoffrey Garen.
1067
1068         This patch implements String.prototype.normalize leveraging ICU.
1069        It can provide the feature of applying {NFC, NFD, NFKC, NFKD} normalization to a given string.
1070
1071         * runtime/StringPrototype.cpp:
1072         (JSC::StringPrototype::finishCreation):
1073         (JSC::normalize):
1074         (JSC::stringProtoFuncNormalize):
1075         * tests/es6.yaml:
1076         * tests/stress/string-normalize.js: Added.
1077         (unicode):
1078         (shouldBe):
1079         (shouldThrow):
1080         (normalizeTest):
1081
1082 2015-10-16  Geoffrey Garen  <ggaren@apple.com>
1083
1084         Update JavaScriptCore API docs
1085         https://bugs.webkit.org/show_bug.cgi?id=150262
1086
1087         Reviewed by Mark Lam.
1088
1089         Apply some edits for clarity. These came out of a docs review.
1090
1091         * API/JSContext.h:
1092         * API/JSExport.h:
1093         * API/JSManagedValue.h:
1094         * API/JSValue.h:
1095
1096 2015-10-16  Keith Miller  <keith_miller@apple.com>
1097
1098         Unreviewed. Fix typo in TypeError messages in TypedArray.prototype.forEach/filter.
1099
1100         * builtins/TypedArray.prototype.js:
1101         (forEach):
1102         (filter):
1103
1104 2015-10-16  Mark Lam  <mark.lam@apple.com>
1105
1106         Use JITSubGenerator to support UntypedUse operands for op_sub in the DFG.
1107         https://bugs.webkit.org/show_bug.cgi?id=150038
1108
1109         Reviewed by Geoffrey Garen.
1110
1111         * bytecode/SpeculatedType.h:
1112         (JSC::isUntypedSpeculationForArithmetic): Added
1113         - Also fixed some comments.
1114         
1115         * dfg/DFGAbstractInterpreterInlines.h:
1116         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1117
1118         * dfg/DFGAbstractValue.cpp:
1119         (JSC::DFG::AbstractValue::resultType):
1120         * dfg/DFGAbstractValue.h:
1121         - Added function to compute the ResultType of an operand from its SpeculatedType.
1122
1123         * dfg/DFGFixupPhase.cpp:
1124         (JSC::DFG::FixupPhase::fixupNode):
1125         - Fix up ArithSub to speculate its operands to be numbers.  But if an OSR exit
1126           due to a BadType was seen at this node, we'll fix it up to expect UntypedUse
1127          operands.  This gives the generated code a chance to run fast if it only
1128           receives numeric operands.
1129
1130         * dfg/DFGNode.h:
1131         (JSC::DFG::Node::shouldSpeculateUntypedForArithmetic):
1132
1133         * dfg/DFGOperations.cpp:
1134         * dfg/DFGOperations.h:
1135         - Add the C++ runtime function to implement op_sub when we really encounter the
1136           hard types in the operands.
1137
1138         * dfg/DFGSpeculativeJIT.cpp:
1139         (JSC::DFG::SpeculativeJIT::compileArithSub):
1140         - Added support for UntypedUse operands using the JITSubGenerator.
1141
1142         * dfg/DFGSpeculativeJIT.h:
1143         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
1144         (JSC::DFG::SpeculativeJIT::pickCanTrample):
1145         (JSC::DFG::SpeculativeJIT::callOperation):
1146
1147         * ftl/FTLCapabilities.cpp:
1148         (JSC::FTL::canCompile):
1149         - Just refuse to FTL compile functions with UntypedUse op_sub operands for now.
1150
1151         * jit/AssemblyHelpers.h:
1152         (JSC::AssemblyHelpers::boxDouble):
1153         (JSC::AssemblyHelpers::unboxDoubleNonDestructive):
1154         (JSC::AssemblyHelpers::unboxDouble):
1155         (JSC::AssemblyHelpers::boxBooleanPayload):
1156         * jit/JITArithmetic.cpp:
1157         (JSC::JIT::emit_op_sub):
1158
1159         * jit/JITSubGenerator.h:
1160         (JSC::JITSubGenerator::generateFastPath):
1161         (JSC::JITSubGenerator::endJumpList):
1162         - Added some asserts to document the contract that this generator expects in
1163           terms of its incoming registers.
1164
1165           Also fixed the generated code to not be destructive with regards to incoming
1166           registers.  The DFG expects this.
1167
1168           Also added an endJumpList so that we don't have to jump twice for the fast
1169           path where both operands are ints.
1170
1171         * parser/ResultType.h:
1172         (JSC::ResultType::ResultType):
1173         - Make the internal Type bits and the constructor private.  Clients should only
1174           create ResultType values using one of the provided factory methods.
1175
1176         * tests/stress/op_sub.js: Added.
1177         (o1.valueOf):
1178         (stringify):
1179         (generateScenarios):
1180         (printScenarios):
1181         (testCases.func):
1182         (func):
1183         (initializeTestCases):
1184         (runTest):
1185         - test op_sub results by comparing one LLINT result against the output of
1186          multiple LLINT, and JIT runs.  This test assumes that we'll at least get the
1187           right result some of the time (if not all the time), and confirms that the
1188           various engines produce consistent results for all the various value pairs
1189           being tested.
1190
1191 2015-10-15  Filip Pizlo  <fpizlo@apple.com>
1192
1193         CopyBarrier must be avoided for slow TypedArrays
1194         https://bugs.webkit.org/show_bug.cgi?id=150217
1195         rdar://problem/23128791
1196
1197         Reviewed by Michael Saboff.
1198
1199         Change how we access array buffer views so that we don't fire the barrier slow path, and
1200         don't mask off the spaceBits, if the view is not FastTypedArray. That's because in that case
1201         m_vector could be misaligned and so have meaningful non-space data in the spaceBits. Also in
1202         that case, m_vector does not point into copied space.
1203
1204         * dfg/DFGSpeculativeJIT.cpp:
1205         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1206         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1207         * ftl/FTLLowerDFGToLLVM.cpp:
1208         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
1209         (JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
1210         (JSC::FTL::DFG::LowerDFGToLLVM::isInToSpace):
1211         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
1212         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
1213         (JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
1214         (JSC::FTL::DFG::LowerDFGToLLVM::isFastTypedArray):
1215         (JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
1216         * heap/CopyBarrier.h:
1217         (JSC::CopyBarrierBase::getWithoutBarrier):
1218         (JSC::CopyBarrierBase::getPredicated):
1219         (JSC::CopyBarrierBase::get):
1220         (JSC::CopyBarrierBase::copyState):
1221         (JSC::CopyBarrier::get):
1222         (JSC::CopyBarrier::getPredicated):
1223         (JSC::CopyBarrier::set):
1224         * heap/Heap.cpp:
1225         (JSC::Heap::copyBarrier):
1226         * jit/AssemblyHelpers.cpp:
1227         (JSC::AssemblyHelpers::branchIfNotType):
1228         (JSC::AssemblyHelpers::branchIfFastTypedArray):
1229         (JSC::AssemblyHelpers::branchIfNotFastTypedArray):
1230         (JSC::AssemblyHelpers::loadTypedArrayVector):
1231         (JSC::AssemblyHelpers::purifyNaN):
1232         * jit/AssemblyHelpers.h:
1233         (JSC::AssemblyHelpers::branchStructure):
1234         (JSC::AssemblyHelpers::branchIfToSpace):
1235         (JSC::AssemblyHelpers::branchIfNotToSpace):
1236         (JSC::AssemblyHelpers::removeSpaceBits):
1237         (JSC::AssemblyHelpers::addressForByteOffset):
1238         * jit/JITPropertyAccess.cpp:
1239         (JSC::JIT::emitIntTypedArrayGetByVal):
1240         (JSC::JIT::emitFloatTypedArrayGetByVal):
1241         (JSC::JIT::emitIntTypedArrayPutByVal):
1242         (JSC::JIT::emitFloatTypedArrayPutByVal):
1243         * runtime/JSArrayBufferView.h:
1244         (JSC::JSArrayBufferView::vector):
1245         (JSC::JSArrayBufferView::length):
1246         * runtime/JSArrayBufferViewInlines.h:
1247         (JSC::JSArrayBufferView::byteOffset):
1248         * runtime/JSGenericTypedArrayView.h:
1249         (JSC::JSGenericTypedArrayView::typedVector):
1250         * runtime/JSGenericTypedArrayViewInlines.h:
1251         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
1252         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1253         * tests/stress/misaligned-int8-view-byte-offset.js: Added.
1254         * tests/stress/misaligned-int8-view-read.js: Added.
1255         * tests/stress/misaligned-int8-view-write.js: Added.
1256
1257 2015-10-16  Keith Miller  <keith_miller@apple.com>
1258
1259         Unreviewed. Build fix for 191215.
1260
1261         * jit/IntrinsicEmitter.cpp:
1262
1263 2015-10-16  Keith Miller  <keith@Keiths-MacBook-Pro-5.local>
1264
1265         Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties.
1266         https://bugs.webkit.org/show_bug.cgi?id=149687
1267
1268         Reviewed by Geoffrey Garen.
1269
1270         Add the ability to create intrinsic getters in both the inline cache and the DFG/FTL. When the
1271         getter fetched by a GetById has an intrinsic we know about we add a new intrinsic access case.
1272         Once we get to the DFG, we observe that the access case was an intrinsic and add an appropriate
1273         GetByIdVariant. We then parse the intrinsic into an appropriate DFG node.
1274
1275         The first intrinsics are the new TypedArray prototype getters length, byteLength, and byteOffset.
1276
1277         * CMakeLists.txt:
1278         * JavaScriptCore.xcodeproj/project.pbxproj:
1279         * bytecode/GetByIdStatus.cpp:
1280         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1281         (JSC::GetByIdStatus::computeFor):
1282         * bytecode/GetByIdVariant.cpp:
1283         (JSC::GetByIdVariant::GetByIdVariant):
1284         (JSC::GetByIdVariant::operator=):
1285         (JSC::GetByIdVariant::canMergeIntrinsicStructures):
1286         (JSC::GetByIdVariant::attemptToMerge):
1287         (JSC::GetByIdVariant::dumpInContext):
1288         * bytecode/GetByIdVariant.h:
1289         (JSC::GetByIdVariant::intrinsicFunction):
1290         (JSC::GetByIdVariant::intrinsic):
1291         (JSC::GetByIdVariant::callLinkStatus): Deleted.
1292         * bytecode/PolymorphicAccess.cpp:
1293         (JSC::AccessGenerationState::addWatchpoint):
1294         (JSC::AccessGenerationState::restoreScratch):
1295         (JSC::AccessGenerationState::succeed):
1296         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
1297         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
1298         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
1299         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
1300         (JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
1301         (JSC::AccessGenerationState::originalExceptionHandler):
1302         (JSC::AccessGenerationState::originalCallSiteIndex):
1303         (JSC::AccessCase::getIntrinsic):
1304         (JSC::AccessCase::clone):
1305         (JSC::AccessCase::visitWeak):
1306         (JSC::AccessCase::generate):
1307         (WTF::printInternal):
1308         (JSC::AccessCase::AccessCase): Deleted.
1309         (JSC::AccessCase::get): Deleted.
1310         (JSC::AccessCase::replace): Deleted.
1311         (JSC::AccessCase::transition): Deleted.
1312         * bytecode/PolymorphicAccess.h:
1313         (JSC::AccessCase::isGet):
1314         (JSC::AccessCase::isPut):
1315         (JSC::AccessCase::isIn):
1316         (JSC::AccessCase::intrinsicFunction):
1317         (JSC::AccessCase::intrinsic):
1318         (JSC::AccessGenerationState::AccessGenerationState):
1319         (JSC::AccessGenerationState::liveRegistersForCall):
1320         (JSC::AccessGenerationState::callSiteIndexForExceptionHandling):
1321         (JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation):
1322         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
1323         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
1324         * bytecode/PutByIdVariant.h:
1325         (JSC::PutByIdVariant::intrinsic):
1326         * dfg/DFGAbstractInterpreterInlines.h:
1327         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1328         * dfg/DFGArrayMode.cpp:
1329         (JSC::DFG::ArrayMode::alreadyChecked):
1330         (JSC::DFG::arrayTypeToString):
1331         (JSC::DFG::toTypedArrayType):
1332         (JSC::DFG::refineTypedArrayType):
1333         (JSC::DFG::permitsBoundsCheckLowering):
1334         * dfg/DFGArrayMode.h:
1335         (JSC::DFG::ArrayMode::supportsLength):
1336         (JSC::DFG::ArrayMode::isSomeTypedArrayView):
1337         * dfg/DFGByteCodeParser.cpp:
1338         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1339         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1340         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
1341         (JSC::DFG::ByteCodeParser::load):
1342         (JSC::DFG::ByteCodeParser::handleGetById):
1343         (JSC::DFG::ByteCodeParser::presenceLike): Deleted.
1344         (JSC::DFG::ByteCodeParser::store): Deleted.
1345         * dfg/DFGClobberize.h:
1346         (JSC::DFG::clobberize):
1347         * dfg/DFGFixupPhase.cpp:
1348         (JSC::DFG::FixupPhase::fixupNode):
1349         (JSC::DFG::FixupPhase::convertToGetArrayLength): Deleted.
1350         (JSC::DFG::FixupPhase::prependGetArrayLength): Deleted.
1351         (JSC::DFG::FixupPhase::fixupChecksInBlock): Deleted.
1352         * dfg/DFGGraph.cpp:
1353         (JSC::DFG::Graph::tryGetFoldableView):
1354         * dfg/DFGPredictionPropagationPhase.cpp:
1355         (JSC::DFG::PredictionPropagationPhase::propagate):
1356         * dfg/DFGSpeculativeJIT.cpp:
1357         (JSC::DFG::SpeculativeJIT::checkArray):
1358         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1359         * ftl/FTLCapabilities.cpp:
1360         (JSC::FTL::canCompile):
1361         * ftl/FTLLowerDFGToLLVM.cpp:
1362         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetArrayLength):
1363         * jit/IntrinsicEmitter.cpp: Added.
1364         (JSC::AccessCase::canEmitIntrinsicGetter):
1365         (JSC::AccessCase::emitIntrinsicGetter):
1366         * jit/Repatch.cpp:
1367         (JSC::tryCacheGetByID):
1368         * runtime/Intrinsic.h:
1369         * runtime/JSArrayBufferView.cpp:
1370         (JSC::JSArrayBufferView::put):
1371         (JSC::JSArrayBufferView::defineOwnProperty):
1372         (JSC::JSArrayBufferView::deleteProperty):
1373         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1374         (JSC::JSArrayBufferView::getOwnPropertySlot): Deleted.
1375         (JSC::JSArrayBufferView::finalize): Deleted.
1376         * runtime/JSDataView.cpp:
1377         (JSC::JSDataView::getOwnPropertySlot):
1378         (JSC::JSDataView::put):
1379         (JSC::JSDataView::defineOwnProperty):
1380         (JSC::JSDataView::deleteProperty):
1381         (JSC::JSDataView::getOwnNonIndexPropertyNames):
1382         * runtime/JSDataView.h:
1383         * runtime/JSFunction.h:
1384         * runtime/JSFunctionInlines.h:
1385         (JSC::JSFunction::intrinsic):
1386         * runtime/JSGenericTypedArrayView.h:
1387         * runtime/JSGenericTypedArrayViewInlines.h:
1388         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1389         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1390         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1391         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex): Deleted.
1392         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Deleted.
1393         * runtime/JSObject.cpp:
1394         (JSC::JSObject::putDirectNativeIntrinsicGetter):
1395         * runtime/JSObject.h:
1396         * runtime/JSTypedArrayViewPrototype.cpp:
1397         (JSC::JSTypedArrayViewPrototype::finishCreation):
1398         * tests/stress/typedarray-add-property-to-base-object.js: Added.
1399         (body.foo):
1400         (body):
1401         * tests/stress/typedarray-bad-getter.js: Added.
1402         (body.foo):
1403         (body.get Bar):
1404         (body):
1405         * tests/stress/typedarray-getter-on-self.js: Added.
1406         (body.foo):
1407         (body.bar):
1408         (body.baz):
1409         (body.get for):
1410         (body):
1411         * tests/stress/typedarray-intrinsic-getters-change-prototype.js: Added.
1412         (body.foo):
1413         (body.bar):
1414         (body.baz):
1415         (body):
1416
1417 2015-10-16  Keith Miller  <keith_miller@apple.com>
1418
1419         Fix some issues with TypedArrays
1420         https://bugs.webkit.org/show_bug.cgi?id=150216
1421
1422         Reviewed by Geoffrey Garen.
1423
1424         This fixes a couple of issues:
1425         1) The DFG had a separate case for creating new TypedArrays in the DFG when the first argument is an object.
1426            Since the code for creating a TypedArray in the DFG is almost the same as the code in Baseline/LLInt
1427            the two cases have been merged.
1428         2) If the length property on an object was unset then the construction could crash.
1429         3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
1430            length of the source object when the source object is a TypedArray.
1431         4) The conditions that were used to decide if the iterator could be skipped were incorrect.
1432            Instead of checking for having a bad time, we should have checked that the Indexing type did not allow for
1433            indexed accessors.
1434
1435         * dfg/DFGOperations.cpp:
1436         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1437         (JSC::constructGenericTypedArrayViewWithArguments):
1438         (JSC::constructGenericTypedArrayView):
1439         (JSC::constructGenericTypedArrayViewWithFirstArgument): Deleted.
1440
1441 2015-10-16  Anders Carlsson  <andersca@apple.com>
1442
1443         Fix Windows build.
1444
1445         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1446         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1447
1448 2015-10-16  Michael Saboff  <msaboff@apple.com>
1449
1450         REGRESSION (r191175): Still crashing when clicking back button on netflix.com
1451         https://bugs.webkit.org/show_bug.cgi?id=150251
1452
1453         Rubber stamped by Filip Pizlo.
1454
1455         Turning off Tail Calls and disabling tests until the crash is fixed.
1456
1457         * runtime/Options.h:
1458         * tests/es6.yaml:
1459         * tests/stress/dfg-tail-calls.js:
1460         (nonInlinedTailCall.callee):
1461         * tests/stress/mutual-tail-call-no-stack-overflow.js:
1462         (shouldThrow):
1463         * tests/stress/tail-call-in-inline-cache.js:
1464         (tail):
1465         * tests/stress/tail-call-no-stack-overflow.js:
1466         (shouldThrow):
1467         * tests/stress/tail-call-recognize.js:
1468         (callerMustBeRun):
1469         * tests/stress/tail-call-varargs-no-stack-overflow.js:
1470         (shouldThrow):
1471
1472 2015-10-16  Mark Lam  <mark.lam@apple.com>
1473
1474         Add MacroAssembler::callProbe() for supporting lambda JIT probes.
1475         https://bugs.webkit.org/show_bug.cgi?id=150186
1476
1477         Reviewed by Geoffrey Garen.
1478
1479         With callProbe(), we can now make probes that are lambdas.  For example, we can
1480         now conveniently add probes like so:
1481
1482             // When you know exactly which register you want to inspect:
1483             jit.callProbe([] (MacroAssembler::ProbeContext* context) {
1484                 intptr_t value = reinterpret_cast<intptr_t>(context->cpu.eax);
1485                 dataLogF("eax %p\n", context->cpu.eax); // Inspect the register.
1486                 ASSERT(value > 10); // Add test code for debugging.
1487             });
1488
1489             // When you want to inspect whichever register the JIT allocated:
1490             auto reg = op1.gpr();
1491             jit.callProbe([reg] (MacroAssembler::ProbeContext* context) {
1492                 intptr_t value = reinterpret_cast<intptr_t>(context->gpr(reg));
1493                 dataLogF("reg %s: %ld\n", context->gprName(reg), value);
1494                 ASSERT(value > 10);
1495             });
1496
1497         callProbe() is only meant to be used for debugging sessions.  It is not
1498         appropriate to use it in permanent code (even for debug builds).
1499         This is because:
1500         1. The probe mechanism saves and restores all (and I really mean "all")
1501            registers, and is inherently slow.
1502         2. callProbe() currently works by allocating (via new) a std::function to
1503            guarantee that it is persisted for the duration that the JIT generated code is
1504            live.  We don't currently ever delete it, i.e. it leaks a bit of memory each
1505            time the JIT generates code that contains such a lambda probe.
1506
1507         These limitations are acceptable for a debugging session (assuming you're not
1508         debugging a memory leak), but not for deployment code.  If there's a need, we can
1509         plug that leak in another patch.
1510
1511         * assembler/AbstractMacroAssembler.h:
1512         (JSC::AbstractMacroAssembler::CPUState::fpr):
1513         - Removed an unnecessary empty line.
1514         (JSC::AbstractMacroAssembler::ProbeContext::gpr):
1515         (JSC::AbstractMacroAssembler::ProbeContext::fpr):
1516         (JSC::AbstractMacroAssembler::ProbeContext::gprName):
1517         (JSC::AbstractMacroAssembler::ProbeContext::fprName):
1518         - Added some convenience functions that will make using the probe mechanism
1519           easier.
1520
1521         * assembler/MacroAssembler.cpp:
1522         (JSC::StdFunctionData::StdFunctionData):
1523         (JSC::stdFunctionCallback):
1524         (JSC::MacroAssembler::callProbe):
1525         * assembler/MacroAssembler.h:
1526
1527 2015-10-16  Andreas Kling  <akling@apple.com>
1528
1529         Remove unused StructureRareData::m_cachedGenericPropertyNameEnumerator.
1530         <https://webkit.org/b/150244>
1531
1532         Reviewed by Geoffrey Garen.
1533
1534         Remove an unused field from StructureRareData.
1535
1536         * runtime/StructureRareData.cpp:
1537         (JSC::StructureRareData::visitChildren): Deleted.
1538         * runtime/StructureRareData.h:
1539
1540 2015-10-16  Keith Miller  <keith_miller@apple.com>
1541
1542         Unreviewed, rolling out r191190.
1543
1544         Patch needs some design changes.
1545
1546         Reverted changeset:
1547
1548         "Fix some issues with TypedArrays"
1549         https://bugs.webkit.org/show_bug.cgi?id=150216
1550         http://trac.webkit.org/changeset/191190
1551
1552 2015-10-16  Mark Lam  <mark.lam@apple.com>
1553
1554         Move all the probe trampolines into their respective MacroAssembler files.
1555         https://bugs.webkit.org/show_bug.cgi?id=150239
1556
1557         Reviewed by Saam Barati.
1558
1559         This patch does not introduce any behavior changes.  It only moves the
1560         ctiMasmProbeTrampoline implementations from the respective JITStubs<CPU>.h
1561         files to the corresponding MacroAssembler<CPU>.cpp files.
1562
1563         I also had to make some minor changes to get the code to build after this move:
1564         1. Added #include <wtf/InlineASM.h> in the MacroAssembler<CPU>.cpp files
1565            because the ctiMasmProbeTrampoline is an inline assembly blob.
1566         2. In the moved code, converted MacroAssembler:: qualifiers to the CPU specific
1567            MacroAssembler equivalent.  The referenced entities were always defined in
1568            the CPU specific MacroAssembler anyway, and indirectly referenced through
1569            the generic MacroAssembler.
1570
1571         With this, we can get rid of all the JITStubs<CPU>.cpp files.  There is one
1572         exception: JITStubsMSVC64.asm.  However, that one is unrelated to the probe
1573         mechanism.  So, I'll leave it as is.
1574
1575         We can also remove JITStubs.cpp and JITStubs.h which are now empty except for
1576         some stale unused code.
1577
1578         This patch has been build tested for x86, x86_64, armv7, and arm64.
1579
1580         * CMakeLists.txt:
1581         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1582         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1583         * JavaScriptCore.xcodeproj/project.pbxproj:
1584         * assembler/MacroAssemblerARM.cpp:
1585         (JSC::MacroAssemblerARM::probe):
1586         * assembler/MacroAssemblerARM64.cpp:
1587         (JSC::arm64ProbeTrampoline):
1588         (JSC::MacroAssemblerARM64::probe):
1589         * assembler/MacroAssemblerARMv7.cpp:
1590         (JSC::MacroAssemblerARMv7::probe):
1591         * assembler/MacroAssemblerX86Common.cpp:
1592         * bytecode/CodeBlock.cpp:
1593         * ftl/FTLCompile.cpp:
1594         * ftl/FTLLink.cpp:
1595         * jit/JITArithmetic.cpp:
1596         * jit/JITArithmetic32_64.cpp:
1597         * jit/JITCode.h:
1598         * jit/JITExceptions.cpp:
1599         * jit/JITStubs.cpp: Removed.
1600         * jit/JITStubs.h: Removed.
1601         * jit/JITStubsARM.h: Removed.
1602         * jit/JITStubsARM64.h: Removed.
1603         * jit/JITStubsARMv7.h: Removed.
1604         * jit/JITStubsX86.h: Removed.
1605         * jit/JITStubsX86Common.h: Removed.
1606         * jit/JITStubsX86_64.h: Removed.
1607         * jit/JSInterfaceJIT.h:
1608         * llint/LLIntOffsetsExtractor.cpp:
1609         * runtime/CommonSlowPaths.cpp:
1610
1611 2015-10-16  Keith Miller  <keith_miller@apple.com>
1612
1613         Fix some issues with TypedArrays
1614         https://bugs.webkit.org/show_bug.cgi?id=150216
1615
1616         Reviewed by Michael Saboff.
1617
1618         This fixes a couple of issues:
1619         1) The DFG had a separate case for creating new TypedArrays in the DFG when the first argument is an object.
1620            Since the code for creating a TypedArray in the DFG is almost the same as the code in Baseline/LLInt
1621            the two cases have been merged.
1622         2) If the length property on an object was unset then the construction could crash.
1623         3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
1624            length of the source object when the source object is a TypedArray.
1625         4) The conditions that were used to decide if the iterator could be skipped were incorrect.
1626            Instead of checking for having a bad time, we should have checked that the Indexing type did not allow for
1627            indexed accessors.
1628
1629         * dfg/DFGOperations.cpp:
1630         (JSC::DFG::newTypedArrayWithOneArgument): Deleted.
1631         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1632         (JSC::constructGenericTypedArrayViewFromIterator):
1633         (JSC::constructGenericTypedArrayViewWithFirstArgument):
1634         (JSC::constructGenericTypedArrayView):
1635         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1636         (JSC::genericTypedArrayViewProtoFuncSet):
1637         * tests/stress/typedarray-construct-iterator.js: Added.
1638         (iterator.return.next):
1639         (iterator):
1640         (body):
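
The spec-visible behaviour behind points 2 to 4 of this fix (the same change is described in the re-landed entry for bug 150216 above) can be checked from script. This is an added example, not JavaScriptCore's own code or tests, and it runs on any ES2015-conformant engine; an engine fast path may skip work only where the result is indistinguishable from the steps shown here.

```javascript
// Point 3: an array-like source with no @@iterator has its "length" read
// through [[Get]], so a getter on it is observed (exactly once per spec).
function lengthOfArrayLikeIsRead() {
  let reads = 0;
  // Constructed array-like source.
  const src = { 0: 1, 1: 2, 2: 3, get length() { reads++; return 3; } };
  const ta = new Uint8Array(src);
  return { reads, values: [ta[0], ta[1], ta[2]], length: ta.length };
}

// Point 3, other half: when the source is itself a TypedArray, both the
// constructor and prototype.set take the length from the internal
// [[ArrayLength]] slot, never from a user-visible "length" property.
function lengthOfTypedArraySourceIsNotRead() {
  const src = new Uint8Array([4, 5, 6]);
  let reads = 0;
  // An own "length" accessor that lies; a [[Get]]-based engine would see 0.
  Object.defineProperty(src, "length", { get() { reads++; return 0; } });
  const fromCtor = new Uint8Array(src);
  const target = new Uint8Array(5);
  target.set(src, 1);
  return { reads, ctorLength: fromCtor.length, target: Array.from(target) };
}

// Point 2: a source with no "length" at all is a zero-length array-like
// (ToLength(undefined) is 0), not a crash; a throwing getter surfaces as an
// ordinary exception rather than corrupting engine state.
function missingOrThrowingLength() {
  const empty = new Uint8Array({ 0: 9 });
  let thrown = null;
  try {
    new Uint8Array({ get length() { throw new RangeError("boom"); } });
  } catch (e) {
    thrown = e;
  }
  return { emptyLength: empty.length, thrownName: thrown && thrown.name };
}

// Point 4: skipping the iterator for a plain Array is only safe when no
// element is an accessor; a getter at an index must still be honoured.
function indexedAccessorIsHonoured() {
  const arr = [10, 0, 30];
  let calls = 0;
  Object.defineProperty(arr, 1, {
    get() { calls++; return 20; }, enumerable: true, configurable: true,
  });
  const ta = new Uint8Array(arr);
  return { calls, values: [ta[0], ta[1], ta[2]] };
}
```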
1641
1642 2015-10-15  Michael Saboff  <msaboff@apple.com>
1643
1644         REGRESSION (r190289): Repro crash clicking back button on netflix.com
1645         https://bugs.webkit.org/show_bug.cgi?id=150220
1646
1647         Reviewed by Geoffrey Garen.
1648
1649         Since constructors check for a valid new "this" object and return it, we can't make
1650         a tail call to another function from within a constructor.
1651
1652         Re-enabled the tail calls and the related tail call tests.
1653
1654         Did some other miscellaneous clean up in the tail call code as part of the debugging.
1655
1656         * bytecompiler/BytecodeGenerator.cpp:
1657         (JSC::BytecodeGenerator::BytecodeGenerator):
1658         * ftl/FTLLowerDFGToLLVM.cpp:
1659         (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
1660         * interpreter/Interpreter.h:
1661         (JSC::calleeFrameForVarargs):
1662         * runtime/Options.h:
1663         * tests/es6.yaml:
1664         * tests/stress/dfg-tail-calls.js:
1665         (nonInlinedTailCall.callee):
1666         * tests/stress/mutual-tail-call-no-stack-overflow.js:
1667         (shouldThrow):
1668         * tests/stress/tail-call-in-inline-cache.js:
1669         (tail):
1670         * tests/stress/tail-call-no-stack-overflow.js:
1671         (shouldThrow):
1672         * tests/stress/tail-call-recognize.js:
1673         (callerMustBeRun):
1674         * tests/stress/tail-call-varargs-no-stack-overflow.js:
1675         (shouldThrow):
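
Why a call in tail position inside a constructor cannot be a true tail call, shown from script as an added example (not JavaScriptCore's own code or tests): the constructor must still inspect the callee's return value after it comes back, so its frame cannot be discarded.

```javascript
// Callee returning a primitive: [[Construct]] discards it and keeps "this".
function helper() { return 42; }
// Callee returning an object: that object replaces "this".
function objectHelper() { return { tag: "replaced" }; }

function Primitive() { return helper(); }       // syntactically a tail call
function Replaced() { return objectHelper(); }  // same shape, different outcome

function constructorReturnRules() {
  const p = new Primitive();
  const r = new Replaced();
  return {
    // The constructor frame had to check helper()'s result after the call.
    primitiveKeptThis: p instanceof Primitive,
    objectReplacedThis: r.tag === "replaced" && !(r instanceof Replaced),
    // As a plain call the same function really is a tail call.
    plainCallUnaffected: Primitive() === 42,
  };
}
```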
1676
1677 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1678
1679         Unreviewed. Attempted EFL build fix 2 after r191159.
1680
1681         * PlatformEfl.cmake:
1682
1683 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1684
1685         Unreviewed. Attempted EFL build fix after r191159.
1686
1687         * PlatformEfl.cmake:
1688
1689 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1690
1691         Unreviewed. Build fix after r191160.
1692
1693         * inspector/agents/InspectorHeapAgent.cpp:
1694         (Inspector::InspectorHeapAgent::didGarbageCollect):
1695
1696 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1697
1698         Unreviewed. Revert part of r191159 which caused ASSERTs.
1699
1700         A review comment suggested using WeakPtr. It is not suitable
1701         here and causes ASSERTs across threads. Will address separately.
1702
1703         * inspector/agents/InspectorHeapAgent.h:
1704         * inspector/agents/InspectorHeapAgent.cpp:
1705         (Inspector::InspectorHeapAgent::didGarbageCollect):
1706         (Inspector::InspectorHeapAgent::InspectorHeapAgent): Deleted.
1707
1708 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
1709
1710         Web Inspector: Include Garbage Collection Event in Timeline
1711         https://bugs.webkit.org/show_bug.cgi?id=142510
1712
1713         Reviewed by Geoffrey Garen and Brian Burg.
1714
1715         * CMakeLists.txt:
1716         * DerivedSources.make:
1717         * JavaScriptCore.xcodeproj/project.pbxproj:
1718         Include new files in the build.
1719
1720         * heap/HeapObserver.h:
1721         (JSC::HeapObserver::~HeapObserver):
1722         * heap/Heap.cpp:
1723         (JSC::Heap::willStartCollection):
1724         (JSC::Heap::didFinishCollection):
1725         * heap/Heap.h:
1726         (JSC::Heap::addObserver):
1727         (JSC::Heap::removeObserver):
1728         Allow observers on heap to add hooks for starting / ending garbage collection.
1729
1730         * inspector/InspectorEnvironment.h:
1731         * inspector/JSGlobalObjectInspectorController.cpp:
1732         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1733         (Inspector::JSGlobalObjectInspectorController::vm):
1734         * inspector/JSGlobalObjectInspectorController.h:
1735         Access the VM through the InspectorEnvironment as it won't change.
1736
1737         * inspector/agents/InspectorHeapAgent.cpp: Added.
1738         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
1739         (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
1740         (Inspector::InspectorHeapAgent::didCreateFrontendAndBackend):
1741         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
1742         (Inspector::InspectorHeapAgent::enable):
1743         (Inspector::InspectorHeapAgent::disable):
1744         (Inspector::InspectorHeapAgent::gc):
1745         (Inspector::protocolTypeForHeapOperation):
1746         (Inspector::InspectorHeapAgent::willGarbageCollect):
1747         (Inspector::InspectorHeapAgent::didGarbageCollect):
1748         * inspector/agents/InspectorHeapAgent.h: Added.
1749         * inspector/protocol/Heap.json: Added.
1750         New domain and agent to handle tasks related to the JavaScriptCore heap.
1751
1752 2015-10-15  Commit Queue  <commit-queue@webkit.org>
1753
1754         Unreviewed, rolling out r191135.
1755         https://bugs.webkit.org/show_bug.cgi?id=150197
1756
1757         This patch causes 50+ LayoutTest crashes related to the
1758         inspector (Requested by ryanhaddad on #webkit).
1759
1760         Reverted changeset:
1761
1762         "Web Inspector: JavaScriptCore should parse sourceURL and
1763         sourceMappingURL directives"
1764         https://bugs.webkit.org/show_bug.cgi?id=150096
1765         http://trac.webkit.org/changeset/191135
1766
1767 2015-10-15  Geoffrey Garen  <ggaren@apple.com>
1768
1769         Unreviewed, rolling out r191003.
1770         https://bugs.webkit.org/show_bug.cgi?id=150042
1771
1772         We're seeing some crashes in GC beneath speculationFromCell. Maybe this
1773         patch caused them?
1774
1775         Reverted changeset:
1776
1777         CodeBlock write barriers should be precise
1778         https://bugs.webkit.org/show_bug.cgi?id=150042
1779         http://trac.webkit.org/changeset/191003
1780
1781 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1782
1783         Web Inspector: JavaScriptCore should parse sourceURL and sourceMappingURL directives
1784         https://bugs.webkit.org/show_bug.cgi?id=150096
1785
1786         Reviewed by Geoffrey Garen.
1787
1788         * inspector/ContentSearchUtilities.cpp:
1789         (Inspector::ContentSearchUtilities::scriptCommentPattern): Deleted.
1790         (Inspector::ContentSearchUtilities::findScriptSourceURL): Deleted.
1791         (Inspector::ContentSearchUtilities::findScriptSourceMapURL): Deleted.
1792         * inspector/ContentSearchUtilities.h:
1793         No longer need to search script content.
1794
1795         * inspector/ScriptDebugServer.cpp:
1796         (Inspector::ScriptDebugServer::dispatchDidParseSource):
1797         Carry over the sourceURL and sourceMappingURL from the SourceProvider.
1798
1799         * inspector/agents/InspectorDebuggerAgent.cpp:
1800         (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
1801         (Inspector::InspectorDebuggerAgent::didParseSource):
1802         No longer do content searching.
1803
1804         * parser/Lexer.cpp:
1805         (JSC::Lexer<T>::setCode):
1806         (JSC::Lexer<T>::skipWhitespace):
1807         (JSC::Lexer<T>::parseCommentDirective):
1808         (JSC::Lexer<T>::parseCommentDirectiveValue):
1809         (JSC::Lexer<T>::consume):
1810         (JSC::Lexer<T>::lex):
1811         * parser/Lexer.h:
1812         (JSC::Lexer::sourceURL):
1813         (JSC::Lexer::sourceMappingURL):
1814         (JSC::Lexer::sourceProvider): Deleted.
1815         Give lexer the ability to detect script comment directives.
1816         This just consumes characters in single line comments and
1817         ultimately sets the sourceURL or sourceMappingURL found.
1818
1819         * parser/Parser.h:
1820         (JSC::Parser<LexerType>::parse):
1821         * parser/SourceProvider.h:
1822         (JSC::SourceProvider::url):
1823         (JSC::SourceProvider::sourceURL):
1824         (JSC::SourceProvider::sourceMappingURL):
1825         (JSC::SourceProvider::setSourceURL):
1826         (JSC::SourceProvider::setSourceMappingURL):
1827         After parsing a script, update the Source Provider with the
1828         value of directives that may have been found in the script.
1829
1830 2015-10-15  Filip Pizlo  <fpizlo@apple.com>
1831
1832         InferredTypeTable should ref its keys
1833         https://bugs.webkit.org/show_bug.cgi?id=150138
1834         rdar://problem/23080555
1835
1836         Reviewed by Michael Saboff.
1837
1838         InferredTypeTable was incorrectly using key hash traits that caused the underlying HashTable to
1839         store keys as UniquedStringImpl* rather than RefPtr<UniquedStringImpl>, even though the HashMap's
1840         nominal key type was RefPtr<UniquedStringImpl>. This arose because I copy-pasted the HashMap type
1841         instantiation from other places and then made random changes to adapt it to my needs, rather than
1842         actually thinking about what I was doing. The solution is to remove the key hash traits argument,
1843         since all it accomplishes is to produce this bug.
1844
1845         The way this bug manifested is probably best described in http://webkit.org/b/150008. After a while
1846         the InferredTypeTable would have dangling references to its strings, if some recompilation or other
1847         thing caused us to drop all other references to those strings. InferredTypeTable is particularly
1848         susceptible to this because it is designed to know about a superset of the property names that its
1849         client Structures know about. The debug assert would then happen when we rehashed the
1850         InferredTypeTable's HashMap, because we'd try to get the hashes of strings that were already
1851         deleted. AFAICT, we didn't have release crashes arising from those strings' memory being returned
1852         to the OS - but it's totally possible that this could have happened. So, we definitely should treat
1853         this bug as more than just a debug issue.
1854
1855         Interestingly, we could have also solved this problem by changing the hash function to use PtrHash.
1856         In all other ways, it's OK for InferredTypeTable to hold dangling references, since it uses the
1857         address of the UniquedStringImpl as a way to name an abstract heap. It's fine if the name of an
1858         abstract heap is a bogus memory address, and it's also fine if that name referred to an entirely
1859         different UniquedStringImpl at some point in the past. That's a nice benefit of any data structure
1860         that keys by abstract heap - if two of them get unified then it's no big deal. I've filed another
1861         bug, http://webkit.org/b/150137 about changing all of our UniquedStringImpl* hashing to use
1862         PtrHash.
1863
1864         * runtime/Identifier.h: Add a comment about http://webkit.org/b/150137.
1865         * runtime/InferredTypeTable.h: Fix the bug.
1866         * tests/stress/inferred-type-table-stale-identifiers.js: Added. I couldn't get this to cause a crash before my change, but it's an interesting test nonetheless.
1867
1868 2015-10-15  Mark Lam  <mark.lam@apple.com>
1869
1870         Add MASM_PROBE support for ARM64.
1871         https://bugs.webkit.org/show_bug.cgi?id=150128
1872
1873         Reviewed by Michael Saboff.
1874
1875         * JavaScriptCore.xcodeproj/project.pbxproj:
1876         * assembler/ARM64Assembler.h:
1877         - Convert the ARM64 registers enum list into a macro list so that we can use
1878           it elsewhere e.g. to declare fields in the probe CPUState.
1879           Also de-tabbed the contents of the ARM64Registers namespace since the enum
1880           list change touches almost all of it anyway. This reduces the amount of
1881           complaints from the style checker.
1882
1883         * assembler/AbstractMacroAssembler.h:
1884         (JSC::AbstractMacroAssembler::CPUState::registerName):
1885         (JSC::AbstractMacroAssembler::CPUState::registerValue):
1886         - Change CPUState methods to allow for register IDs that do not map to one of
1887           its fields. This is needed because ARM64's registers include aliases for some
1888           register names. The CPUState will not allocate separate storage for the
1889           aliases.
1890
1891         * assembler/MacroAssemblerARM64.cpp: Added.
1892         (JSC::arm64ProbeTrampoline):
1893         - Unlike the probe mechanism for other CPUs, the ARM64 implementation does not
1894           allow the probe function to modify the sp and pc registers.  We insert this
1895           wrapper function between ctiMasmProbeTrampoline() and the user's probe function
1896           so that we can check if the user tried to modify sp and pc.  If so, we will
1897           print an error message so that we can alert the user that we don't support
1898           that on ARM64.
1899
1900           See the comment in ctiMasmProbeTrampoline() in JITStubsARM64.h for details
1901           on why we cannot support sp and pc modifications by the probe function.
1902
1903         (JSC::MacroAssemblerARM64::probe):
1904
1905         * assembler/MacroAssemblerARM64.h:
1906         (JSC::MacroAssemblerARM64::repatchCall):
1907         (JSC::MacroAssemblerARM64::makeBranch):
1908         * jit/JITStubs.cpp:
1909         * jit/JITStubsARM64.h: Added.
1910
1911 2015-10-15  Mark Lam  <mark.lam@apple.com>
1912
1913         Fix some typos in comments.
1914         https://bugs.webkit.org/show_bug.cgi?id=150181
1915
1916         Rubber stamped by Michael Saboff.
1917
1918         * jit/JITStubsARM.h:
1919         * jit/JITStubsARMv7.h:
1920
1921 2015-10-15  Mark Lam  <mark.lam@apple.com>
1922
1923         Refactoring: give the MASM probe CPUState methods shorter names.
1924         https://bugs.webkit.org/show_bug.cgi?id=150177
1925
1926         Reviewed by Michael Saboff.
1927
1928         The existing names are longer than they need to be.  Renaming them as follows:
1929             For GPR, registerName ==> gprName
1930             For GPR, registerValue ==> gpr
1931             For FPR, registerName ==> fprName
1932             For FPR, registerValue ==> fpr
1933
1934         * assembler/AbstractMacroAssembler.h:
1935         (JSC::AbstractMacroAssembler::CPUState::gprName):
1936         (JSC::AbstractMacroAssembler::CPUState::fprName):
1937         (JSC::AbstractMacroAssembler::CPUState::gpr):
1938         (JSC::AbstractMacroAssembler::CPUState::fpr):
1939         (JSC::AbstractMacroAssembler::CPUState::registerName): Deleted.
1940         (JSC::AbstractMacroAssembler::CPUState::registerValue): Deleted.
1941
1942         * assembler/MacroAssemblerPrinter.cpp:
1943         (JSC::printRegister):
1944         (JSC::printMemory):
1945         - Updated to use the new names.
1946
1947 2015-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1948
1949         [ES6] Class expression should have lexical environment that has itself as an immutable binding
1950         https://bugs.webkit.org/show_bug.cgi?id=150089
1951
1952         Reviewed by Geoffrey Garen.
1953
1954         According to ES6 spec, class expression has its own lexical environment that holds itself
1955         as an immutable binding[1] (section 14.5.14 step 2, 3, 4, 23).
1956
1957         As a result, even if the binding declared in the outer scope is overridden, methods inside
1958         a class expression can refer to the class by its name.
1959
1960         [1]: http://ecma-international.org/ecma-262/6.0/#sec-runtime-semantics-classdefinitionevaluation
1961
1962         * bytecompiler/NodesCodegen.cpp:
1963         (JSC::ClassExprNode::emitBytecode):
1964         * parser/ASTBuilder.h:
1965         (JSC::ASTBuilder::createClassExpr):
1966         * parser/NodeConstructors.h:
1967         (JSC::ClassExprNode::ClassExprNode):
1968         * parser/Nodes.h:
1969         * parser/Parser.cpp:
1970         (JSC::Parser<LexerType>::parseClass):
1971         * parser/SyntaxChecker.h:
1972         (JSC::SyntaxChecker::createClassExpr):
1973         * tests/es6.yaml:
1974         * tests/stress/class-expression-generates-environment.js: Added.
1975         (shouldBe):
1976         (shouldThrow):
1977         (prototype.method):
1978         (staticMethod):
1979         (A.prototype.method):
1980         (A.staticMethod):
1981         (A):
1982         * tests/stress/class-expression-should-be-tdz-in-heritage.js: Added.
1983         (shouldThrow):
1984         (shouldThrow.A):
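
The three consequences of that class-scope binding, as an added example (not JavaScriptCore's own code or tests) that runs on any ES2015-conformant engine: the inner name survives reassignment of the outer binding, it is immutable, and it is in its temporal dead zone while the heritage expression is evaluated.

```javascript
// The class's own name is bound in a scope private to the class body, so
// methods still reach the class after the outer binding is reassigned.
function innerBindingSurvivesOuterReassignment() {
  let A = class A {
    static self() { return A; }
    whoMadeMe() { return A; }
  };
  const saved = A;
  A = null;  // clobber the outer binding only
  return saved.self() === saved && new saved().whoMadeMe() === saved;
}

// That inner binding is immutable: assigning to it from a method throws a
// TypeError (class bodies are always strict code).
function innerBindingIsImmutable() {
  const A = class A {
    static rebind() { A = 1; }
  };
  try {
    A.rebind();
  } catch (e) {
    return e instanceof TypeError;
  }
  return false;
}

// The heritage is evaluated inside the class scope while the inner binding
// is still uninitialised, so a class cannot extend itself by name.
function heritageSeesTDZ() {
  try {
    const B = class B extends B {};
    return false;
  } catch (e) {
    return e instanceof ReferenceError;
  }
}
```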
1985
1986 2015-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1987
1988         [ES6] Class method should not declare any variables to upper scope.
1989         https://bugs.webkit.org/show_bug.cgi?id=150115
1990
1991         Reviewed by Geoffrey Garen.
1992
1993         In the current implementation, class methods attempt to declare variables to an upper scope with their method names.
1994         But this is not specified behavior in the ES6 spec.
1995
1996         And as a result, previously, we attempted to declare variables with invalid identifiers.
1997         For example, `class A { 1() { } }` attempts to declare a variable with the name `1`.
1998         This (declaring variables with incorrect names) is not allowed in the lexical environment.
1999         And it fires assertions in https://bugs.webkit.org/show_bug.cgi?id=150089.
2000
2001         * parser/Parser.cpp:
2002         (JSC::Parser<LexerType>::parseClass): Deleted.
2003         * tests/stress/class-method-does-not-declare-variable-to-upper-scope.js: Added.
2004         (shouldBe):
2005         (A.prototype.method):
2006         (A.staticMethod):
2007         (A):
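
The two class-scoping rules described in the two entries above (the class expression's own immutable self-binding, and method names not leaking into the enclosing scope), checked from JavaScript. This is an added example, not code from the WebKit patches or their tests; it assumes a Node.js runtime.

```javascript
'use strict';
// Added example, not code from the WebKit patches above: it checks, under
// Node.js, the two class-scoping rules the two entries describe.

// Rule 1: a class expression gets its own lexical environment in which the
// class name is bound to the class itself, so overwriting the outer binding
// does not change what the methods see.
function classExpressionSelfBinding() {
    let C = class C {
        method() { return C; }
        static staticMethod() { return C; }
    };
    const original = C;
    C = null; // overwrite the outer binding only
    return original.prototype.method() === original
        && original.staticMethod() === original;
}

// The inner binding is immutable: class bodies are strict code, so assigning
// to the class name from inside the class throws a TypeError.
function innerBindingIsImmutable() {
    const A = class A {
        static rebind() { A = 1; } // targets the inner (class-scope) binding
    };
    try {
        A.rebind();
    } catch (e) {
        return e instanceof TypeError;
    }
    return false;
}

// The inner binding is in its temporal dead zone while the heritage clause is
// evaluated, so a class expression cannot extend itself by name.
function heritageSeesTdz() {
    try {
        const Self = class A extends A {};
        return Self === null; // never reached: the heritage clause throws first
    } catch (e) {
        return e instanceof ReferenceError;
    }
}

// Rule 2: method names are not declared as variables in the enclosing scope,
// so a numeric method name such as `1` is legal and nothing leaks out.
function methodNamesDoNotLeak() {
    class A {
        method() {}
        static staticMethod() {}
        1() {}
    }
    return typeof A === 'function'
        && typeof method === 'undefined'
        && typeof staticMethod === 'undefined';
}
```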
2008
2009 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
2010
2011         REGRESSION: Web Inspector hangs for many seconds when trying to reload page
2012         https://bugs.webkit.org/show_bug.cgi?id=150065
2013
2014         Reviewed by Mark Lam.
2015
2016         When debugging Web Pages, the same Debugger (PageScriptDebugServer) is
2017         attached to each of the different JSGlobalObjects on the page. This could
2018         mean multiple frames or isolated scripting contexts. Therefore we should
2019         only need to send sourceParsed events to the frontend for scripts within
2020         this new JSGlobalObject, not any JSGlobalObject that has this debugger.
2021
2022         * debugger/Debugger.cpp:
2023         (JSC::Debugger::attach):
2024         Only send sourceParsed events for Scripts in this JSGlobalObject.
2025
2026 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
2027
2028         Remove unimplemented methods in CopiedSpace
2029         https://bugs.webkit.org/show_bug.cgi?id=150143
2030
2031         Reviewed by Andreas Kling.
2032
2033         * heap/CopiedSpace.h:
2034
2035 2015-10-14  Brent Fulgham  <bfulgham@apple.com>
2036
2037         [Win] Enforce launcher/library naming scheme
2038         https://bugs.webkit.org/show_bug.cgi?id=150124
2039
2040         Reviewed by Alex Christensen.
2041
2042         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Look for
2043         {name}Lib.dll instead of {name}.dll.
2044         (wWinMain):
2045         * shell/PlatformWin.cmake: Add 'Lib' suffix to DLLs.
2046
2047 2015-10-14  Keith Miller  <keith_miller@apple.com>
2048
2049         ES6 Fix TypedArray constructors.
2050         https://bugs.webkit.org/show_bug.cgi?id=149975
2051
2052         Reviewed by Geoffrey Garen.
2053
2054         The ES6 spec requires that any object argument passed to a TypedArray constructor that is not a TypedArray
2055         and has an iterator should use the iterator to construct the TypedArray. To avoid performance regressions related
2056         to iterating we check if the iterator attached to the object points to the generic array iterator and length is a value.
2057         If so, we do not use the iterator since there should be no observable difference. Another interesting note is
2058         that the ES6 spec has the of and from functions on a shared constructor between all the TypedArray constructors.
2059         When the TypedArray is constructed the expectation is to crawl the prototype chain of the this value
2060         passed to the function. If the function finds a known TypedArray constructor (Int32Array, Float64Array,...) then
2061         it creates a TypedArray of that type. This is implemented by adding a private function (@allocateTypedArray) to each
2062         of the constructors that can be called in order to construct the array. By using the private functions the JIT should
2063         hopefully be able to optimize this to a direct call.
2064
2065         * CMakeLists.txt:
2066         * JavaScriptCore.xcodeproj/project.pbxproj:
2067         * builtins/TypedArrayConstructor.js: Added.
2068         (of):
2069         (from):
2070         (allocateInt8Array):
2071         (allocateInt16Array):
2072         (allocateInt32Array):
2073         (allocateUint32Array):
2074         (allocateUint16Array):
2075         (allocateUint8Array):
2076         (allocateUint8ClampedArray):
2077         (allocateFloat32Array):
2078         (allocateFloat64Array):
2079         * runtime/CommonIdentifiers.h:
2080         * runtime/JSDataView.cpp:
2081         (JSC::JSDataView::setIndex):
2082         * runtime/JSDataView.h:
2083         * runtime/JSGenericTypedArrayView.h:
2084         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue):
2085         * runtime/JSGenericTypedArrayViewConstructor.h:
2086         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2087         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
2088         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::create):
2089         (JSC::constructGenericTypedArrayViewFromIterator):
2090         (JSC::constructGenericTypedArrayView):
2091         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2092         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2093         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2094         * runtime/JSGlobalObject.cpp:
2095         (JSC::JSGlobalObject::init):
2096         * runtime/JSTypedArrayViewConstructor.cpp: Added.
2097         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
2098         (JSC::JSTypedArrayViewConstructor::finishCreation):
2099         (JSC::JSTypedArrayViewConstructor::create):
2100         (JSC::JSTypedArrayViewConstructor::createStructure):
2101         (JSC::constructTypedArrayView):
2102         (JSC::JSTypedArrayViewConstructor::getConstructData):
2103         (JSC::JSTypedArrayViewConstructor::getCallData):
2104         * runtime/JSTypedArrayViewConstructor.h: Copied from Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructor.h.
2105         * runtime/JSTypedArrayViewPrototype.cpp:
2106         (JSC::JSTypedArrayViewPrototype::create):
2107         * tests/es6.yaml:
2108         * tests/stress/resources/typedarray-constructor-helper-functions.js: Added.
2109         (forEachTypedArray):
2110         (hasSameValues):
2111         (foo):
2112         (testConstructorFunction):
2113         (testConstructor):
2114         * tests/stress/typedarray-constructor.js: Added.
2115         (A):
2116         (iterator.return.next):
2117         (iterator):
2118         (obj.valueOf):
2119         (iterator2.return.next):
2120         (iterator2):
2121         * tests/stress/typedarray-from.js: Added.
2122         (even):
2123         (isBigEnoughAndException):
2124         * tests/stress/typedarray-of.js: Added.
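
The construction rules described in the entry above (iterator over indexed properties, the generic-array-iterator fast path, and `from`/`of` choosing the element type from the prototype chain of `this`), observed from JavaScript. This is an added example, not code from the WebKit patch or its tests; it assumes a Node.js runtime and constructs its own sample objects.

```javascript
'use strict';
// Added example, not code from the WebKit patch above: it observes, under
// Node.js, the ES6 TypedArray construction rules the entry describes.

// An object that is array-like but also carries its own iterator: the
// constructor must go through the iterator, not the indexed properties.
function iteratorWinsOverIndexedProperties() {
    const source = {
        length: 2, 0: 100, 1: 200,
        [Symbol.iterator]() {
            let i = 0;
            return {
                next: () => (i < 3 ? { value: ++i * 10, done: false }
                                   : { value: undefined, done: true }),
            };
        },
    };
    return Array.from(new Int32Array(source)); // [10, 20, 30], not [100, 200]
}

// The fast path only applies while an Array still uses the generic array
// iterator; replacing the iterator on the array is observable.
function ownIteratorOnArrayIsObserved() {
    const arr = [1, 2, 3];
    arr[Symbol.iterator] = function* () { yield 7; yield 8; };
    return Array.from(new Uint8Array(arr)); // [7, 8]
}

// %TypedArray%.from and .of walk the prototype chain of `this` to pick the
// element type, so subclasses and explicit receivers both work.
function fromDispatchesOnReceiver() {
    class Grid extends Float64Array {}
    const grid = Grid.from([1.5, 2.5]);
    const shorts = Uint8Array.from.call(Int16Array, [300]); // Int16, not Uint8
    return grid instanceof Grid && grid instanceof Float64Array && grid[1] === 2.5
        && shorts instanceof Int16Array && shorts[0] === 300;
}

// A receiver that is not a constructor is rejected with a TypeError.
function fromRejectsNonConstructorReceiver() {
    try {
        Uint8Array.from.call({}, [1]);
    } catch (e) {
        return e instanceof TypeError;
    }
    return false;
}

// .of converts each argument with the element type's own conversion rules.
function ofConvertsToElementType() {
    return Array.from(Uint8ClampedArray.of(-5, 300, 12.7)); // [0, 255, 13]
}
```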
2125
2126 2015-10-14  Mark Lam  <mark.lam@apple.com>
2127
2128         Rename some JSC option names to be more uniform.
2129         https://bugs.webkit.org/show_bug.cgi?id=150127
2130
2131         Reviewed by Geoffrey Garen.
2132
2133         Renaming JSC_enableXXX options to JSC_useXXX, and JSC_showXXX options to JSC_dumpXXX.
2134         Also renaming a few other miscellaneous options to abide by this scheme.
2135
2136         Also renaming some functions to match the option names where relevant.
2137
2138         * API/tests/ExecutionTimeLimitTest.cpp:
2139         (testExecutionTimeLimit):
2140         * assembler/AbstractMacroAssembler.h:
2141         (JSC::optimizeForARMv7IDIVSupported):
2142         (JSC::optimizeForARM64):
2143         (JSC::optimizeForX86):
2144         * assembler/LinkBuffer.cpp:
2145         (JSC::shouldDumpDisassemblyFor):
2146         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
2147         (JSC::shouldShowDisassemblyFor): Deleted.
2148         * assembler/LinkBuffer.h:
2149         * bytecode/CodeBlock.cpp:
2150         (JSC::CodeBlock::jettison):
2151         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2152         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
2153         * bytecompiler/BytecodeGenerator.cpp:
2154         (JSC::BytecodeGenerator::BytecodeGenerator):
2155         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2156         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::fire):
2157         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2158         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2159         * dfg/DFGByteCodeParser.cpp:
2160         (JSC::DFG::ByteCodeParser::handleInlining):
2161         (JSC::DFG::ByteCodeParser::handleGetById):
2162         (JSC::DFG::ByteCodeParser::handlePutById):
2163         (JSC::DFG::ByteCodeParser::parse):
2164         * dfg/DFGCommon.h:
2165         (JSC::DFG::leastUpperBound):
2166         (JSC::DFG::shouldDumpDisassembly):
2167         (JSC::DFG::shouldShowDisassembly): Deleted.
2168         * dfg/DFGDriver.cpp:
2169         (JSC::DFG::compileImpl):
2170         * dfg/DFGJITCompiler.cpp:
2171         (JSC::DFG::JITCompiler::JITCompiler):
2172         (JSC::DFG::JITCompiler::disassemble):
2173         * dfg/DFGJumpReplacement.cpp:
2174         (JSC::DFG::JumpReplacement::fire):
2175         * dfg/DFGOSREntry.cpp:
2176         (JSC::DFG::prepareOSREntry):
2177         * dfg/DFGOSRExitCompiler.cpp:
2178         * dfg/DFGOSRExitFuzz.h:
2179         (JSC::DFG::doOSRExitFuzzing):
2180         * dfg/DFGPlan.cpp:
2181         (JSC::DFG::Plan::compileInThreadImpl):
2182         * dfg/DFGSpeculativeJIT.cpp:
2183         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
2184         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2185         (JSC::DFG::TierUpCheckInjectionPhase::run):
2186         * ftl/FTLCompile.cpp:
2187         (JSC::FTL::mmAllocateDataSection):
2188         * ftl/FTLJITCode.cpp:
2189         (JSC::FTL::JITCode::~JITCode):
2190         * ftl/FTLLowerDFGToLLVM.cpp:
2191         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2192         * ftl/FTLOSRExitCompiler.cpp:
2193         (JSC::FTL::compileStub):
2194         (JSC::FTL::compileFTLOSRExit):
2195         * ftl/FTLState.h:
2196         (JSC::FTL::verboseCompilationEnabled):
2197         (JSC::FTL::shouldDumpDisassembly):
2198         (JSC::FTL::shouldShowDisassembly): Deleted.
2199         * heap/Heap.cpp:
2200         (JSC::Heap::addToRememberedSet):
2201         (JSC::Heap::didFinishCollection):
2202         (JSC::Heap::shouldDoFullCollection):
2203         * heap/Heap.h:
2204         (JSC::Heap::isDeferred):
2205         (JSC::Heap::structureIDTable):
2206         * heap/HeapStatistics.cpp:
2207         (JSC::StorageStatistics::storageCapacity):
2208         (JSC::HeapStatistics::dumpObjectStatistics):
2209         (JSC::HeapStatistics::showObjectStatistics): Deleted.
2210         * heap/HeapStatistics.h:
2211         * interpreter/StackVisitor.cpp:
2212         (JSC::StackVisitor::Frame::createArguments):
2213         * jit/AssemblyHelpers.cpp:
2214         (JSC::AssemblyHelpers::callExceptionFuzz):
2215         * jit/ExecutableAllocationFuzz.cpp:
2216         (JSC::doExecutableAllocationFuzzing):
2217         * jit/ExecutableAllocationFuzz.h:
2218         (JSC::doExecutableAllocationFuzzingIfEnabled):
2219         * jit/JIT.cpp:
2220         (JSC::JIT::privateCompile):
2221         * jit/JITCode.cpp:
2222         (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef):
2223         * jit/PolymorphicCallStubRoutine.cpp:
2224         (JSC::PolymorphicCallNode::unlink):
2225         (JSC::PolymorphicCallNode::clearCallLinkInfo):
2226         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2227         * jit/Repatch.cpp:
2228         (JSC::linkFor):
2229         (JSC::unlinkFor):
2230         (JSC::linkVirtualFor):
2231         * jsc.cpp:
2232         (functionEnableExceptionFuzz):
2233         (jscmain):
2234         * llvm/InitializeLLVM.cpp:
2235         (JSC::initializeLLVMImpl):
2236         * runtime/ExceptionFuzz.cpp:
2237         (JSC::doExceptionFuzzing):
2238         * runtime/ExceptionFuzz.h:
2239         (JSC::doExceptionFuzzingIfEnabled):
2240         * runtime/JSGlobalObject.cpp:
2241         (JSC::JSGlobalObject::init):
2242         * runtime/Options.cpp:
2243         (JSC::recomputeDependentOptions):
2244         (JSC::Options::initialize):
2245         (JSC::Options::dumpOptionsIfNeeded):
2246         (JSC::Options::setOption):
2247         (JSC::Options::dumpAllOptions):
2248         (JSC::Options::dumpAllOptionsInALine):
2249         (JSC::Options::dumpOption):
2250         * runtime/Options.h:
2251         * runtime/VM.cpp:
2252         (JSC::VM::VM):
2253         * runtime/VM.h:
2254         (JSC::VM::exceptionFuzzingBuffer):
2255         * runtime/WriteBarrierInlines.h:
2256         (JSC::WriteBarrierBase<T>::set):
2257         (JSC::WriteBarrierBase<Unknown>::set):
2258         * tests/executableAllocationFuzz.yaml:
2259         * tests/stress/arrowfunction-typeof.js:
2260         * tests/stress/disable-function-dot-arguments.js:
2261         (foo):
2262         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js:
2263         (sqrtOnInteger):
2264         * tests/stress/regress-148564.js:
2265
2266 2015-10-14  Mark Lam  <mark.lam@apple.com>
2267
2268         Speculative build fix: the CallSiteIndex constructor is explicit and requires a uint32_t.
2269
2270         Not Reviewed.
2271
2272         * bytecode/CodeBlock.cpp:
2273         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
2274
2275 2015-10-14  Commit Queue  <commit-queue@webkit.org>
2276
2277         Unreviewed, rolling out r191030.
2278         https://bugs.webkit.org/show_bug.cgi?id=150116
2279
2280         caused js/class-syntax-method-names.html to crash on debug
2281         builds (Requested by alexchristensen_ on #webkit).
2282
2283         Reverted changeset:
2284
2285         "[ES6] Class expression should have lexical environment that
2286         has itself as an immutable binding"
2287         https://bugs.webkit.org/show_bug.cgi?id=150089
2288         http://trac.webkit.org/changeset/191030
2289
2290 2015-10-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2291
2292         [ES6] Class expression should have lexical environment that has itself as an immutable binding
2293         https://bugs.webkit.org/show_bug.cgi?id=150089
2294
2295         Reviewed by Geoffrey Garen.
2296
2297         According to ES6 spec, class expression has its own lexical environment that holds itself
2298         as an immutable binding [1] (section 14.5.14, steps 2, 3, 4, 23).
2299
2300         As a result, even if the binding declared in the outer scope is overridden, methods inside
2301         class expression can refer to its class by the class name.
2302
2303         [1]: http://ecma-international.org/ecma-262/6.0/#sec-runtime-semantics-classdefinitionevaluation
2304
2305         * bytecompiler/NodesCodegen.cpp:
2306         (JSC::ClassExprNode::emitBytecode):
2307         * parser/ASTBuilder.h:
2308         (JSC::ASTBuilder::createClassExpr):
2309         * parser/NodeConstructors.h:
2310         (JSC::ClassExprNode::ClassExprNode):
2311         * parser/Nodes.h:
2312         * parser/Parser.cpp:
2313         (JSC::Parser<LexerType>::parseClass):
2314         * parser/SyntaxChecker.h:
2315         (JSC::SyntaxChecker::createClassExpr):
2316         * tests/es6.yaml:
2317         * tests/stress/class-expression-generates-environment.js: Added.
2318         (shouldBe):
2319         (shouldThrow):
2320         (prototype.method):
2321         (staticMethod):
2322         (A.prototype.method):
2323         (A.staticMethod):
2324         (A):
2325         * tests/stress/class-expression-should-be-tdz-in-heritage.js: Added.
2326         (shouldThrow):
2327         (shouldThrow.A):
2328
2329 2015-10-13  Saam barati  <sbarati@apple.com>
2330
2331         We were creating a GCAwareJITStubRoutineWithExceptionHandler when we didn't actually have an exception handler in the CodeBlock's exception handler table
2332         https://bugs.webkit.org/show_bug.cgi?id=150016
2333
2334         Reviewed by Geoffrey Garen.
2335
2336         There was a bug where we created a GCAwareJITStubRoutineWithExceptionHandler
2337         for inline caches that were custom setters/getters (but not JS getters/setters).
2338         This is wrong; we only create GCAwareJITStubRoutineWithExceptionHandler when we have
2339         an inline cache with a JS getter/setter call which causes the inline cache to add itself
2340         to the CodeBlock's exception handling table. The problem was that we created
2341         a GCAwareJITStubRoutineWithExceptionHandler that tried to remove itself from
2342         the exception handler table only to find out that it didn't have an entry in the table.
2343
2344         * bytecode/PolymorphicAccess.cpp:
2345         (JSC::PolymorphicAccess::regenerate):
2346
2347 2015-10-13  Joseph Pecoraro  <pecoraro@apple.com>
2348
2349         Simplify WeakBlock visit and reap phases
2350         https://bugs.webkit.org/show_bug.cgi?id=150045
2351
2352         Reviewed by Geoffrey Garen.
2353
2354         WeakBlock visiting and reaping both happen after MarkedBlock marking.
2355         All the MarkedBlocks we encounter should be either Marked or Retired.
2356
2357         * heap/MarkedBlock.h:
2358         (JSC::MarkedBlock::isMarkedOrRetired):
2359         * heap/WeakBlock.cpp:
2360         (JSC::WeakBlock::visit):
2361         (JSC::WeakBlock::reap):
2362         * heap/WeakBlock.h:
2363
2364 2015-10-12  Geoffrey Garen  <ggaren@apple.com>
2365
2366         CodeBlock write barriers should be precise
2367         https://bugs.webkit.org/show_bug.cgi?id=150042
2368
2369         Reviewed by Saam Barati.
2370
2371         CodeBlock performs lots of unnecessary write barriers. This wastes
2372         performance and makes the code a bit harder to follow, and it might mask
2373         important bugs. Now is a good time to unmask important bugs.
2374
2375         * bytecode/CodeBlock.h:
2376         (JSC::CodeBlockSet::mark): Don't write barrier all CodeBlocks on the
2377         stack. Only CodeBlocks that do value profiling need write barriers, and
2378         they do those themselves.
2379
2380         In steady state, when most of our CodeBlocks are old and FTL-compiled,
2381         and we're doing eden GC's, we should almost never visit a CodeBlock.
2382
2383         * dfg/DFGOSRExitCompilerCommon.cpp:
2384         (JSC::DFG::osrWriteBarrier):
2385         (JSC::DFG::adjustAndJumpToTarget): Don't write barrier all inlined
2386         CodeBlocks on exit. That's not necessary. Instead, write barrier the 
2387         CodeBlock(s) we will exit to, along with the one we will write a value
2388         profile to.
2389
2390 2015-10-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2391
2392         REGRESSION: ASSERT (impl->isAtomic()) @ facebook.com
2393         https://bugs.webkit.org/show_bug.cgi?id=149965
2394
2395         Reviewed by Geoffrey Garen.
2396
2397         Edge filtering for CheckIdent ensures that a given value is either Symbol or StringIdent.
2398         However, this filtering is not applied to CheckIdent when propagating a constant value in
2399         the constant folding phase. As a result, it is not guaranteed that a constant value
2400         propagated in constant folding is Symbol or StringIdent.
2401
2402         * dfg/DFGConstantFoldingPhase.cpp:
2403         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2404
2405 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2406
2407         Unreviewed, register symbol structure to fix Debug build
2408         https://bugs.webkit.org/show_bug.cgi?id=149622
2409
2410         Since InferredTypes for String or Symbol claim that they don't have any structure,
2411         `registerInferredType` does not register the structure for Symbol.
2412         We take a similar approach to String to fix this issue: registering the Symbol structure
2413         explicitly in DFGStructureRegistrationPhase, because:
2414
2415         1. InferredType::structure is only allowed for ObjectWithStructure / ObjectWithStructureOrOther.
2416            It looks clear to me that only ObjectWithStructure has structure.
2417         2. Symbol is a primitive value similar to String, so handling its structure in a similar way to String is nice.
2418
2419         * dfg/DFGStructureRegistrationPhase.cpp:
2420         (JSC::DFG::StructureRegistrationPhase::run):
2421
2422 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2423
2424         Iterator loops over key twice after delete
2425         https://bugs.webkit.org/show_bug.cgi?id=149811
2426
2427         Reviewed by Geoffrey Garen.
2428
2429         When an object is in dictionary mode, JSPropertyNameEnumerator collects property names through generic property name enumeration `getPropertyNames`.
2430         The result vector contains indexed property names. But in this case, `publicLength()` may not be 0.
2431         So without disabling indexed names enumeration phase explicitly, JSPropertyNameEnumerator produces indexed property names twice.
2432         One in indexed name enumeration phase, and another in generic property name enumeration phase.
2433         This patch disables indexed names enumeration by setting `indexedLength` to 0 when collecting names through generic property name enumeration.
2434
2435         * runtime/JSPropertyNameEnumerator.h:
2436         (JSC::propertyNameEnumerator):
2437         * tests/stress/property-name-enumerator-should-not-look-into-indexed-values-when-it-is-a-dictionary.js: Added.
2438         (shouldBe):
2439         (col2.of.Reflect.enumerate):
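
A regression check for the double-enumeration behaviour described in the entry above, as an added example that is not part of the WebKit patch or its test. It uses for-in instead of Reflect.enumerate (which the patch's own test used and which was later removed from the language), assumes a Node.js runtime, and constructs its own sample object.

```javascript
'use strict';
// Added example, not code from the WebKit patch above: counts how often each
// own key is produced by for-in, so a key enumerated twice by the engine
// (the bug the entry describes) shows up with a count of 2.
function countEnumeratedOwnKeys(obj) {
    const counts = new Map();
    for (const key in obj) {
        if (!Object.prototype.hasOwnProperty.call(obj, key)) continue;
        counts.set(key, (counts.get(key) || 0) + 1);
    }
    return counts;
}

// Constructed sample: mixed indexed and named properties. Deleting a named
// property is the kind of operation that moves an object into dictionary
// mode, where indexed names used to be produced by both enumeration phases.
function enumeratedKeysAfterDelete() {
    const obj = { 0: 'zero', 1: 'one', a: 'A', b: 'B', c: 'C' };
    delete obj.b;
    const counts = countEnumeratedOwnKeys(obj);
    const duplicates = [...counts].filter(([, n]) => n > 1).map(([key]) => key);
    // Expected on a correct engine: indexed keys once, in ascending order,
    // then the remaining named keys in insertion order, with no duplicates.
    return { keys: [...counts.keys()], duplicates };
}
```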
2440
2441 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2442
2443         Introduce Symbol type for property type inference
2444         https://bugs.webkit.org/show_bug.cgi?id=149622
2445
2446         Reviewed by Geoffrey Garen.
2447
2448         This patch introduces Symbol type into property type inference.
2449         One of the use cases of ES6 Symbol is enum value. In this case,
2450         we may hold different symbols as the same property of the same structure.
2451         Current property type inference does not support Symbol type, so in the
2452         above case, the property will be inferred as Top type.
2453
2454         * bytecode/PutByIdFlags.h:
2455         * dfg/DFGAbstractValue.cpp:
2456         (JSC::DFG::AbstractValue::set):
2457         * dfg/DFGInferredTypeCheck.cpp:
2458         (JSC::DFG::insertInferredTypeCheck):
2459         * ftl/FTLLowerDFGToLLVM.cpp:
2460         (JSC::FTL::DFG::LowerDFGToLLVM::checkInferredType):
2461         * jit/AssemblyHelpers.cpp:
2462         (JSC::AssemblyHelpers::branchIfNotType):
2463         * llint/LLIntData.cpp:
2464         (JSC::LLInt::Data::performAssertions):
2465         * llint/LowLevelInterpreter.asm:
2466         * llint/LowLevelInterpreter32_64.asm:
2467         * llint/LowLevelInterpreter64.asm:
2468         * runtime/InferredType.cpp:
2469         (JSC::InferredType::kindForFlags):
2470         (JSC::InferredType::Descriptor::forValue):
2471         (JSC::InferredType::Descriptor::putByIdFlags):
2472         (JSC::InferredType::Descriptor::merge):
2473         (WTF::printInternal):
2474         * runtime/InferredType.h:
2475         * tests/stress/prop-type-symbol-then-object.js: Added.
2476         (foo):
2477         (bar):
2478         (toString):
2479         * tests/stress/prop-type-symbol-then-string.js: Added.
2480         (foo):
2481         (bar):
2482
2483 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2484
2485         Web Inspector: Rebaseline Inspector generator tests and make better use of RWIProtocol constant
2486         https://bugs.webkit.org/show_bug.cgi?id=150044
2487
2488         Reviewed by Brian Burg.
2489
2490         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2491         (ObjCConfigurationHeaderGenerator.generate_output):
2492         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
2493         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2494         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
2495         * inspector/scripts/codegen/generate_objc_header.py:
2496         (ObjCHeaderGenerator.generate_output):
2497         * inspector/scripts/codegen/generate_objc_internal_header.py:
2498         (ObjCInternalHeaderGenerator.generate_output):
2499         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2500         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2501         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2502         * inspector/scripts/tests/expected/enum-values.json-result:
2503         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2504         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2505         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2506         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2507         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2508         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2509         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2510         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2511         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2512
2513 2015-10-12  Myles C. Maxfield  <mmaxfield@apple.com>
2514
2515         Unreviewed build fix
2516
2517         * runtime/JSObject.cpp:
2518         (JSC::JSObject::reallocateAndShrinkButterfly):
2519
2520 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
2521
2522         GC should have a Baker barrier for concurrent copying
2523         https://bugs.webkit.org/show_bug.cgi?id=149852
2524
2525         Reviewed by Geoffrey Garen.
2526
2527         This adds a Baker-style read barrier [1] to copied space accesses. This barrier incurs some
2528         overhead (0%-2% depending on benchmark suite), but what it buys is the ability to make the GC copy
2529         phase concurrent.
2530
2531         The barrier relies on copied space pointers having two "space bits" in the low pointer bits. The
2532         space bits indicate whether the backing store is being copied right now or not, and if it is being
2533         copied, what stage of copying it's in. Two barrier variants are supported:
2534
2535         Read only barrier: if you load a backing store and immediately load from it without doing anything
2536         else, you can just mask off the bits. In the worst case, you'll get the old backing store while
2537         some copying thread is already allocating and populating the new version of the backing store. But
2538         in that case, forwarding to the new backing store will not enable you to load a more up-to-date
2539         value from the backing store. So, just masking the bits is enough. The read-only barrier is only
2540         used in ICs where we know that we are only reading, and opportunistically within the DFG and FTL
2541         thanks to the CopyBarrierOptimizationPhase. We never explicitly emit a read-only barrier in those
2542         compilers; instead the phase will turn a GetButterfly into GetButterflyReadOnly if it proves that a
2543         bunch of requirements are met.
2544
2545         Normal barrier: if the space bits are non-zero, call a slow path. The slow path will either do
2546         nothing (if the copy phase hasn't started yet), or it will copy the backing store and update the
2547         pointer (if the copy phase hasn't gotten around to copying this particular backing store), or it
2548         will wait for the copying thread to finish (if some thread is copying this backing store right
2549         now), or it will do nothing (if by the time we called into the slow path the backing store was
2550         already copied). This is just like Baker's CAR/CDR barrier, but with a lock thrown in to handle
2551         concurrent execution.
2552
2553         This is a 1% slow-down on SunSpider, a 1.5% slow-down on Octane, a 1.5% slow-down on Kraken, and a
2554         0% slow-down on AsmBench. Note that the Octane slow-down is excluding the SplayLatency benchmark.
2555         That benchmark will eventually speed up a lot once we finish doing all of this stuff. Probably, the
2556         JetStream splay-latency will see an even larger speed-up, since our version of the latency tests do
2557         a better job of punishing bad worst-case behavior.
2558
2559         [1] http://dspace.mit.edu/bitstream/handle/1721.1/41976/AI_WP_139.pdf, look for the CAR and CDR
2560         procedures on page 9.
2561
2562         * CMakeLists.txt:
2563         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2564         * JavaScriptCore.xcodeproj/project.pbxproj:
2565         * bytecode/PolymorphicAccess.cpp:
2566         (JSC::AccessCase::generate):
2567         * dfg/DFGAbstractInterpreterInlines.h:
2568         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2569         * dfg/DFGArgumentsEliminationPhase.cpp:
2570         * dfg/DFGClobberize.h:
2571         (JSC::DFG::clobberize):
2572         * dfg/DFGCopyBarrierOptimizationPhase.cpp: Added.
2573         (JSC::DFG::performCopyBarrierOptimization):
2574         * dfg/DFGCopyBarrierOptimizationPhase.h: Added.
2575         * dfg/DFGDoesGC.cpp:
2576         (JSC::DFG::doesGC):
2577         * dfg/DFGFixupPhase.cpp:
2578         (JSC::DFG::FixupPhase::fixupNode):
2579         * dfg/DFGHeapLocation.cpp:
2580         (WTF::printInternal):
2581         * dfg/DFGHeapLocation.h:
2582         * dfg/DFGLICMPhase.cpp:
2583         (JSC::DFG::LICMPhase::run):
2584         * dfg/DFGNodeType.h:
2585         * dfg/DFGOperations.cpp:
2586         * dfg/DFGOperations.h:
2587         * dfg/DFGPlan.cpp:
2588         (JSC::DFG::Plan::compileInThreadImpl):
2589         * dfg/DFGPredictionPropagationPhase.cpp:
2590         (JSC::DFG::PredictionPropagationPhase::propagate):
2591         * dfg/DFGSafeToExecute.h:
2592         (JSC::DFG::safeToExecute):
2593         * dfg/DFGSpeculativeJIT.cpp:
2594         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2595         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2596         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2597         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2598         (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
2599         * dfg/DFGSpeculativeJIT.h:
2600         * dfg/DFGSpeculativeJIT32_64.cpp:
2601         (JSC::DFG::SpeculativeJIT::compile):
2602         * dfg/DFGSpeculativeJIT64.cpp:
2603         (JSC::DFG::SpeculativeJIT::compile):
2604         * dfg/DFGTypeCheckHoistingPhase.cpp:
2605         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2606         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2607         * ftl/FTLCapabilities.cpp:
2608         (JSC::FTL::canCompile):
2609         * ftl/FTLLowerDFGToLLVM.cpp:
2610         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2611         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
2612         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterflyReadOnly):
2613         (JSC::FTL::DFG::LowerDFGToLLVM::compileConstantStoragePointer):
2614         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2615         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
2616         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
2617         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
2618         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiPutByOffset):
2619         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetDirectPname):
2620         (JSC::FTL::DFG::LowerDFGToLLVM::storageForTransition):
2621         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2622         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
2623         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
2624         (JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
2625         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
2626         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
2627         (JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
2628         (JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
2629         * ftl/FTLOperations.cpp:
2630         (JSC::FTL::operationNewObjectWithButterfly):
2631         (JSC::FTL::operationPopulateObjectInOSR):
2632         * ftl/FTLOutput.h:
2633         (JSC::FTL::Output::testNonZero32):
2634         (JSC::FTL::Output::testIsZero64):
2635         (JSC::FTL::Output::testNonZero64):
2636         (JSC::FTL::Output::testIsZeroPtr):
2637         (JSC::FTL::Output::testNonZeroPtr):
2638         (JSC::FTL::Output::select):
2639         (JSC::FTL::Output::extractValue):
2640         * heap/CopyBarrier.h: Copied from Source/JavaScriptCore/heap/CopyWriteBarrier.h.
2641         (JSC::CopyBarrierBase::CopyBarrierBase):
2642         (JSC::CopyBarrierBase::operator!):
2643         (JSC::CopyBarrierBase::operator bool):
2644         (JSC::CopyBarrierBase::getWithoutBarrier):
2645         (JSC::CopyBarrierBase::get):
2646         (JSC::CopyBarrierBase::copyState):
2647         (JSC::CopyBarrierBase::setCopyState):
2648         (JSC::CopyBarrierBase::clear):
2649         (JSC::CopyBarrierBase::set):
2650         (JSC::CopyBarrierBase::setWithoutBarrier):
2651         (JSC::CopyBarrierBase::weakCASWithoutBarrier):
2652         (JSC::CopyBarrier::CopyBarrier):
2653         (JSC::CopyBarrier::getWithoutBarrier):
2654         (JSC::CopyBarrier::get):
2655         (JSC::CopyBarrier::set):
2656         (JSC::CopyBarrier::setWithoutBarrier):
2657         (JSC::CopyBarrier::weakCASWithoutBarrier):
2658         (JSC::CopyWriteBarrier::CopyWriteBarrier): Deleted.
2659         (JSC::CopyWriteBarrier::operator!): Deleted.
2660         (JSC::CopyWriteBarrier::operator bool): Deleted.
2661         (JSC::CopyWriteBarrier::get): Deleted.
2662         (JSC::CopyWriteBarrier::operator*): Deleted.
2663         (JSC::CopyWriteBarrier::operator->): Deleted.
2664         (JSC::CopyWriteBarrier::set): Deleted.
2665         (JSC::CopyWriteBarrier::setWithoutWriteBarrier): Deleted.
2666         (JSC::CopyWriteBarrier::clear): Deleted.
2667         * heap/CopyVisitorInlines.h:
2668         (JSC::CopyVisitor::checkIfShouldCopy):
2669         * heap/CopyWriteBarrier.h: Removed.
2670         * heap/Heap.cpp:
2671         (JSC::Heap::addToRememberedSet):
2672         (JSC::Heap::copyBarrier):
2673         (JSC::Heap::collectAndSweep):
2674         * heap/Heap.h:
2675         (JSC::Heap::writeBarrierBuffer):
2676         * heap/HeapInlines.h:
2677         * jit/AssemblyHelpers.h:
2678         (JSC::AssemblyHelpers::branchStructure):
2679         (JSC::AssemblyHelpers::branchIfNotToSpace):
2680         (JSC::AssemblyHelpers::removeSpaceBits):
2681         (JSC::AssemblyHelpers::addressForByteOffset):
2682         * jit/JIT.cpp:
2683         (JSC::JIT::privateCompileMainPass):
2684         (JSC::JIT::privateCompileSlowCases):
2685         * jit/JITOpcodes.cpp:
2686         (JSC::JIT::emitSlow_op_has_indexed_property):
2687         (JSC::JIT::emit_op_get_direct_pname):
2688         (JSC::JIT::emitSlow_op_get_direct_pname):
2689         * jit/JITOpcodes32_64.cpp:
2690         (JSC::JIT::emit_op_get_direct_pname):
2691         (JSC::JIT::emitSlow_op_get_direct_pname):
2692         * jit/JITPropertyAccess.cpp:
2693         (JSC::JIT::emitDoubleLoad):
2694         (JSC::JIT::emitContiguousLoad):
2695         (JSC::JIT::emitArrayStorageLoad):
2696         (JSC::JIT::emitSlow_op_get_by_val):
2697         (JSC::JIT::emitGenericContiguousPutByVal):
2698         (JSC::JIT::emitArrayStoragePutByVal):
2699         (JSC::JIT::emitSlow_op_put_by_val):
2700         (JSC::JIT::emit_op_get_from_scope):
2701         (JSC::JIT::emitSlow_op_get_from_scope):
2702         (JSC::JIT::emit_op_put_to_scope):
2703         (JSC::JIT::emitSlow_op_put_to_scope):
2704         (JSC::JIT::emitIntTypedArrayGetByVal):
2705         (JSC::JIT::emitFloatTypedArrayGetByVal):
2706         (JSC::JIT::emitIntTypedArrayPutByVal):
2707         (JSC::JIT::emitFloatTypedArrayPutByVal):
2708         * llint/LowLevelInterpreter.asm:
2709         * llint/LowLevelInterpreter64.asm:
2710         * runtime/DirectArguments.cpp:
2711         (JSC::DirectArguments::visitChildren):
2712         (JSC::DirectArguments::copyBackingStore):
2713         (JSC::DirectArguments::overrideThings):
2714         (JSC::DirectArguments::overrideThingsIfNecessary):
2715         (JSC::DirectArguments::overrideArgument):
2716         (JSC::DirectArguments::copyToArguments):
2717         * runtime/DirectArguments.h:
2718         (JSC::DirectArguments::canAccessIndexQuickly):
2719         (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG):
2720         * runtime/JSArray.cpp:
2721         (JSC::JSArray::setLength):
2722         (JSC::JSArray::pop):
2723         (JSC::JSArray::push):
2724         (JSC::JSArray::fastSlice):
2725         (JSC::JSArray::fastConcatWith):
2726         (JSC::JSArray::shiftCountWithArrayStorage):
2727         (JSC::JSArray::shiftCountWithAnyIndexingType):
2728         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2729         (JSC::JSArray::fillArgList):
2730         (JSC::JSArray::copyToArguments):
2731         * runtime/JSArrayBufferView.cpp:
2732         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2733         (JSC::JSArrayBufferView::JSArrayBufferView):
2734         (JSC::JSArrayBufferView::finishCreation):
2735         (JSC::JSArrayBufferView::finalize):
2736         * runtime/JSArrayBufferView.h:
2737         (JSC::JSArrayBufferView::vector):
2738         (JSC::JSArrayBufferView::length):
2739         * runtime/JSArrayBufferViewInlines.h:
2740         (JSC::JSArrayBufferView::neuter):
2741         (JSC::JSArrayBufferView::byteOffset):
2742         * runtime/JSGenericTypedArrayView.h:
2743         (JSC::JSGenericTypedArrayView::typedVector):
2744         * runtime/JSGenericTypedArrayViewInlines.h:
2745         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2746         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
2747         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2748         * runtime/JSMap.h:
2749         (JSC::JSMap::JSMap):
2750         * runtime/JSObject.cpp:
2751         (JSC::JSObject::copyButterfly):
2752         (JSC::JSObject::visitChildren):
2753         (JSC::JSObject::copyBackingStore):
2754         (JSC::JSObject::getOwnPropertySlotByIndex):
2755         (JSC::JSObject::putByIndex):
2756         (JSC::JSObject::enterDictionaryIndexingMode):
2757         (JSC::JSObject::createInitialIndexedStorage):
2758         (JSC::JSObject::createArrayStorage):
2759         (JSC::JSObject::convertUndecidedToInt32):
2760         (JSC::JSObject::convertUndecidedToDouble):
2761         (JSC::JSObject::convertUndecidedToContiguous):
2762         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2763         (JSC::JSObject::convertUndecidedToArrayStorage):
2764         (JSC::JSObject::convertInt32ToDouble):
2765         (JSC::JSObject::convertInt32ToContiguous):
2766         (JSC::JSObject::convertInt32ToArrayStorage):
2767         (JSC::JSObject::convertDoubleToContiguous):
2768         (JSC::JSObject::convertDoubleToArrayStorage):
2769         (JSC::JSObject::convertContiguousToArrayStorage):
2770         (JSC::JSObject::setIndexQuicklyToUndecided):
2771         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2772         (JSC::JSObject::deletePropertyByIndex):
2773         (JSC::JSObject::getOwnPropertyNames):
2774         (JSC::JSObject::putIndexedDescriptor):
2775         (JSC::JSObject::defineOwnIndexedProperty):
2776         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2777         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2778         (JSC::JSObject::getNewVectorLength):
2779         (JSC::JSObject::ensureLengthSlow):
2780         (JSC::JSObject::reallocateAndShrinkButterfly):
2781         (JSC::JSObject::growOutOfLineStorage):
2782         (JSC::JSObject::getOwnPropertyDescriptor):
2783         (JSC::JSObject::getEnumerableLength):
2784         * runtime/JSObject.h:
2785         (JSC::JSObject::getArrayLength):
2786         (JSC::JSObject::getVectorLength):
2787         (JSC::JSObject::canGetIndexQuickly):
2788         (JSC::JSObject::getIndexQuickly):
2789         (JSC::JSObject::tryGetIndexQuickly):
2790         (JSC::JSObject::canSetIndexQuickly):
2791         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2792         (JSC::JSObject::setIndexQuickly):
2793         (JSC::JSObject::initializeIndex):
2794         (JSC::JSObject::hasSparseMap):
2795         (JSC::JSObject::inSparseIndexingMode):
2796         (JSC::JSObject::inlineStorage):
2797         (JSC::JSObject::butterfly):
2798         (JSC::JSObject::outOfLineStorage):
2799         (JSC::JSObject::locationForOffset):
2800         (JSC::JSObject::ensureInt32):
2801         (JSC::JSObject::ensureDouble):
2802         (JSC::JSObject::ensureContiguous):
2803         (JSC::JSObject::ensureArrayStorage):
2804         (JSC::JSObject::arrayStorage):
2805         (JSC::JSObject::arrayStorageOrNull):
2806         (JSC::JSObject::ensureLength):
2807         (JSC::JSObject::putDirectWithoutTransition):
2808         * runtime/JSSet.h:
2809         (JSC::JSSet::JSSet):
2810         * runtime/MapData.h:
2811         (JSC::JSIterator>::MapDataImpl):
2812         (JSC::JSIterator>::IteratorData::next):
2813         (JSC::JSIterator>::IteratorData::refreshCursor):
2814         * runtime/MapDataInlines.h:
2815         (JSC::JSIterator>::clear):
2816         (JSC::JSIterator>::find):
2817         (JSC::JSIterator>::add):
2818         (JSC::JSIterator>::remove):
2819         (JSC::JSIterator>::replaceAndPackBackingStore):
2820         (JSC::JSIterator>::replaceBackingStore):
2821         (JSC::JSIterator>::ensureSpaceForAppend):
2822         (JSC::JSIterator>::visitChildren):
2823         (JSC::JSIterator>::copyBackingStore):
2824         * runtime/Options.h:
2825
2826 2015-10-12  Saam barati  <sbarati@apple.com>
2827
2828         Update JSC features.json
2829         https://bugs.webkit.org/show_bug.cgi?id=150043
2830
2831         Reviewed by Mark Lam.
2832
2833         There were a lot of things implemented that weren't in
2834         the list. We should be better about updating the list
2835         as we land patches for new ES6 features.
2836
2837         * features.json:
2838
2839 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2840
2841         Cleanup Heap.h and some related headers
2842         https://bugs.webkit.org/show_bug.cgi?id=149981
2843
2844         Reviewed by Geoffrey Garen.
2845
2846         * heap/Heap.h:
2847         - Some functions did not need export.
2848         - threadDupStrings never had an implementation.
2849
2850         * heap/ConservativeRoots.cpp:
2851         * heap/ConservativeRoots.h:
2852         * heap/Heap.cpp:
2853         * heap/ListableHandler.h:
2854         * heap/WeakReferenceHarvester.h:
2855         * jit/Repatch.cpp:
2856         * runtime/JSONObject.h:
2857         * runtime/VM.h:
2858         - Stale forward declarations / includes.
2859
2860 2015-10-12  Saam barati  <sbarati@apple.com>
2861
2862         Each *ById inline cache in the FTL must have its own CallSiteIndex
2863         https://bugs.webkit.org/show_bug.cgi?id=150039
2864
2865         Reviewed by Geoffrey Garen and Filip Pizlo.
2866
2867         When lowering to LLVM, we create a patchpoint intrinsic for each
2868         *ById in DFG IR. LLVM may choose to duplicate these patchpoints.
2869         Therefore, we want each resulting inline cache to have a unique
2870         CallSiteIndex because each inline cache will have its own set of 
2871         used registers. This change is necessary when we implement try/catch 
2872         in the FTL because an inline cache will ask for the set of used 
2873         registers it will need to restore in the event of an exception 
2874         being thrown. It asks for this set of registers by giving JITCode
2875         a CallSiteIndex. Because each corresponding inline cache that results
        from a duplicated patchpoint may all ask for this set of registers,
2877         we must assign each inline cache a unique CallSiteIndex.
2878
2879         * bytecode/CodeBlock.cpp:
2880         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
2881         * dfg/DFGCommonData.cpp:
2882         (JSC::DFG::CommonData::addCodeOrigin):
2883         (JSC::DFG::CommonData::addUniqueCallSiteIndex):
2884         (JSC::DFG::CommonData::addCodeOriginUnconditionally): Deleted.
2885         * dfg/DFGCommonData.h:
2886         * ftl/FTLCompile.cpp:
2887         (JSC::FTL::mmAllocateDataSection):
2888         * ftl/FTLInlineCacheDescriptor.h:
2889         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
2890         (JSC::FTL::InlineCacheDescriptor::stackmapID):
2891         (JSC::FTL::InlineCacheDescriptor::codeOrigin):
2892         (JSC::FTL::InlineCacheDescriptor::uid):
2893         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
2894         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
2895         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
2896         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
2897         (JSC::FTL::InlineCacheDescriptor::callSiteIndex): Deleted.
2898         * ftl/FTLLowerDFGToLLVM.cpp:
2899         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2900         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2901         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2902         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2903
2904 2015-10-12  Andreas Kling  <akling@apple.com>
2905
2906         "A + B" with strings shouldn't copy if A or B is empty.
2907         <https://webkit.org/b/150034>
2908
2909         Reviewed by Anders Carlsson.
2910
2911         * runtime/JSStringBuilder.h:
2912         (JSC::jsMakeNontrivialString):
2913         * runtime/Lookup.cpp:
2914         (JSC::reifyStaticAccessor):
2915         * runtime/ObjectPrototype.cpp:
2916         (JSC::objectProtoFuncToString):
2917
2918 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2919
2920         VisitedValueCount GC Counter misses parallel SlotVisitors
2921         https://bugs.webkit.org/show_bug.cgi?id=149980
2922
2923         Reviewed by Geoffrey Garen.
2924
2925         * heap/Heap.cpp:
2926         (JSC::Heap::updateObjectCounts):
2927         Include threaded slot visitor's object counts in the debugging value.
2928
2929 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2930
2931         Unreviewed, fix non-FTL build for real.
2932
2933         * ftl/FTLLazySlowPath.h:
2934
2935 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2936
2937         Unreviewed, clarify a comment. The example code had a bug.
2938
2939         * ftl/FTLLowerDFGToLLVM.cpp:
2940
2941 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2942
2943         Unreviewed, fix no-FTL build.
2944
2945         * ftl/FTLLazySlowPath.cpp:
2946
2947 2015-10-12  Philip Chimento  <philip.chimento@gmail.com>
2948
2949         webkit-gtk 2.3.3 fails to build on OS X - Conflicting type "Fixed"
2950         https://bugs.webkit.org/show_bug.cgi?id=126433
2951
        Reviewed by Philippe Normand.
2953
2954         Don't include CoreFoundation.h when building the GTK port.
2955
2956         * Source/JavaScriptCore/API/WebKitAvailability.h: Add !defined(BUILDING_GTK__) to defined(__APPLE__).
2957
2958 2015-10-10  Filip Pizlo  <fpizlo@apple.com>
2959
2960         FTL should generate code to call slow paths lazily
2961         https://bugs.webkit.org/show_bug.cgi?id=149936
2962
2963         Reviewed by Saam Barati.
2964
2965         We often have complex slow paths in FTL-generated code. Those slow paths may never run. Even
2966         if they do run, they don't need stellar performance. So, it doesn't make sense to have LLVM
2967         worry about compiling such slow path code.
2968
2969         This patch enables us to use our own MacroAssembler for compiling the slow path inside FTL
2970         code. It does this by using a crazy lambda thingy (see FTLLowerDFGToLLVM.cpp's lazySlowPath()
2971         and its documentation). The result is quite natural to use.
2972
2973         Even for straight slow path calls via something like vmCall(), the lazySlowPath offers the
2974         benefit that the call marshalling and the exception checking are not expressed using LLVM IR
2975         and do not require LLVM to think about it. It also has the benefit that we never generate the
2976         code if it never runs. That's great, since function calls usually involve ~10 instructions
2977         total (move arguments to argument registers, make the call, check exception, etc.).
2978
2979         This patch adds the lazy slow path abstraction and uses it for some slow paths in the FTL.
2980         The code we generate with lazy slow paths is worse than the code that LLVM would have
2981         generated. Therefore, a lazy slow path only makes sense when we have strong evidence that
2982         the slow path will execute infrequently relative to the fast path. This completely precludes
2983         the use of lazy slow paths for out-of-line Nodes that unconditionally call a C++ function.
2984         It also precludes their use for the GetByVal out-of-bounds handler, since when we generate
2985         a GetByVal with an out-of-bounds handler it means that we only know that the out-of-bounds
2986         case executed at least once. So, for all we know, it may actually be the common case. So,
2987         this patch just deployed the lazy slow path for GC slow paths and masquerades-as-undefined
2988         slow paths. It makes sense for GC slow paths because those have a statistical guarantee of
2989         slow path frequency - probably bounded at less than 1/10. It makes sense for masquerades-as-
2990         undefined because we can say quite confidently that this is an uncommon scenario on the
2991         modern Web.
2992
2993         Something that's always been challenging about abstractions involving the MacroAssembler is
2994         that linking is a separate phase, and there is no way for someone who is just given access to
2995         the MacroAssembler& to emit code that requires linking, since linking happens once we have
2996         emitted all code and we are creating the LinkBuffer. Moreover, the FTL requires that the
2997         final parts of linking happen on the main thread. This patch ran into this issue, and solved
2998         it comprehensively, by introducing MacroAssembler::addLinkTask(). This takes a lambda and
        runs it at the bitter end of linking - when performFinalization() is called. This ensures that
3000         the task added by addLinkTask() runs on the main thread. This patch doesn't replace all of
3001         the previously existing idioms for dealing with this issue; we can do that later.
3002
3003         This shows small speed-ups on a bunch of things. No big win on any benchmark aggregate. But
3004         mainly this is done for https://bugs.webkit.org/show_bug.cgi?id=149852, where we found that
3005         outlining the slow path in this way was a significant speed boost.
3006
3007         * CMakeLists.txt:
3008         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3009         * JavaScriptCore.xcodeproj/project.pbxproj:
3010         * assembler/AbstractMacroAssembler.h:
3011         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
3012         (JSC::AbstractMacroAssembler::addLinkTask):
3013         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
3014         * assembler/LinkBuffer.cpp:
3015         (JSC::LinkBuffer::linkCode):
3016         (JSC::LinkBuffer::allocate):
3017         (JSC::LinkBuffer::performFinalization):
3018         * assembler/LinkBuffer.h:
3019         (JSC::LinkBuffer::wasAlreadyDisassembled):
3020         (JSC::LinkBuffer::didAlreadyDisassemble):
3021         (JSC::LinkBuffer::vm):
3022         (JSC::LinkBuffer::executableOffsetFor):
3023         * bytecode/CodeOrigin.h:
3024         (JSC::CodeOrigin::CodeOrigin):
3025         (JSC::CodeOrigin::isSet):
3026         (JSC::CodeOrigin::operator bool):
3027         (JSC::CodeOrigin::isHashTableDeletedValue):
3028         (JSC::CodeOrigin::operator!): Deleted.
3029         * ftl/FTLCompile.cpp:
3030         (JSC::FTL::mmAllocateDataSection):
3031         * ftl/FTLInlineCacheDescriptor.h:
3032         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
3033         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
3034         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
3035         * ftl/FTLJITCode.h:
3036         * ftl/FTLJITFinalizer.cpp:
3037         (JSC::FTL::JITFinalizer::finalizeFunction):
3038         * ftl/FTLJITFinalizer.h:
3039         * ftl/FTLLazySlowPath.cpp: Added.
3040         (JSC::FTL::LazySlowPath::LazySlowPath):
3041         (JSC::FTL::LazySlowPath::~LazySlowPath):
3042         (JSC::FTL::LazySlowPath::generate):
3043         * ftl/FTLLazySlowPath.h: Added.
3044         (JSC::FTL::LazySlowPath::createGenerator):
3045         (JSC::FTL::LazySlowPath::patchpoint):
3046         (JSC::FTL::LazySlowPath::usedRegisters):
3047         (JSC::FTL::LazySlowPath::callSiteIndex):
3048         (JSC::FTL::LazySlowPath::stub):
3049         * ftl/FTLLazySlowPathCall.h: Added.
3050         (JSC::FTL::createLazyCallGenerator):
3051         * ftl/FTLLowerDFGToLLVM.cpp:
3052         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
3053         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
3054         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
3055         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3056         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
3057         (JSC::FTL::DFG::LowerDFGToLLVM::compileNotifyWrite):
3058         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsObjectOrNull):
3059         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsFunction):
3060         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
3061         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject):
3062         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
3063         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
3064         (JSC::FTL::DFG::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
3065         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3066         (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
3067         (JSC::FTL::DFG::LowerDFGToLLVM::buildTypeOf):
3068         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
3069         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3070         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
3071         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
3072         * ftl/FTLOperations.cpp:
3073         (JSC::FTL::operationMaterializeObjectInOSR):
3074         (JSC::FTL::compileFTLLazySlowPath):
3075         * ftl/FTLOperations.h:
3076         * ftl/FTLSlowPathCall.cpp:
3077         (JSC::FTL::SlowPathCallContext::SlowPathCallContext):
3078         (JSC::FTL::SlowPathCallContext::~SlowPathCallContext):
3079         (JSC::FTL::SlowPathCallContext::keyWithTarget):
3080         (JSC::FTL::SlowPathCallContext::makeCall):
3081         (JSC::FTL::callSiteIndexForCodeOrigin):
3082         (JSC::FTL::storeCodeOrigin): Deleted.
3083         (JSC::FTL::callOperation): Deleted.
3084         * ftl/FTLSlowPathCall.h:
3085         (JSC::FTL::callOperation):
3086         * ftl/FTLState.h:
3087         * ftl/FTLThunks.cpp:
3088         (JSC::FTL::genericGenerationThunkGenerator):
3089         (JSC::FTL::osrExitGenerationThunkGenerator):
3090         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3091         (JSC::FTL::registerClobberCheck):
3092         * ftl/FTLThunks.h:
3093         * interpreter/CallFrame.h:
3094         (JSC::CallSiteIndex::CallSiteIndex):
3095         (JSC::CallSiteIndex::operator bool):
3096         (JSC::CallSiteIndex::bits):
3097         * jit/CCallHelpers.h:
3098         (JSC::CCallHelpers::setupArgument):
3099         (JSC::CCallHelpers::setupArgumentsWithExecState):
3100         * jit/JITOperations.cpp:
3101
3102 2015-10-12  Philip Chimento  <philip.chimento@gmail.com>
3103
3104         webkit-gtk-2.3.4 fails to link JavaScriptCore, missing symbols add_history and readline
3105         https://bugs.webkit.org/show_bug.cgi?id=127059
3106
3107         Reviewed by Philippe Normand.
3108
3109         * shell/CMakeLists.txt: Link JSC with -ledit on Mac OSX.
3110
3111 2015-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3112
3113         ES6 classes: When a class extends B, super() invokes B.prototype.constructor() instead of B()
3114         https://bugs.webkit.org/show_bug.cgi?id=149001
3115
3116         Reviewed by Saam Barati.
3117
3118         This patch matches the `super()` call in the constructor to the latest spec.
3119         Before this patch, when calling `super()`, it loads `callee.[[HomeObject]].__proto__.constructor`
3120         as a super constructor. But after this patch, it loads `callee.__proto__` as a super constructor.
3121         This behavior corresponds to the section 12.3.5.2[1].
3122
3123         [1]: http://www.ecma-international.org/ecma-262/6.0/#sec-getsuperconstructor
3124
3125         * bytecompiler/NodesCodegen.cpp:
3126         (JSC::SuperNode::emitBytecode):
3127         * tests/stress/super-call-does-not-look-up-constructor.js: Added.
3128         (shouldBe):
3129         (B):
3130         (C):
3131         (B.prototype):
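
        The behaviour this entry describes, as an added example that is not
        WebKit's tests/stress/super-call-does-not-look-up-constructor.js: the
        class names B, C and D and the Impostor function are assumptions for
        illustration. It shows that super() resolves the super constructor
        through the derived class's own [[Prototype]] (GetSuperConstructor,
        ES2015 12.3.5.2), so overwriting B.prototype.constructor no longer
        affects the call, while rewiring C's [[Prototype]] does.

```javascript
// Added example, not WebKit's test file. Class names B, C, D and the
// Impostor function are assumed for illustration.
// Demonstrates GetSuperConstructor (ES2015 12.3.5.2): super() in a derived
// constructor calls Object.getPrototypeOf(C), not the constructor reached via
// callee.[[HomeObject]].__proto__.constructor (i.e. B.prototype.constructor).

class B {
  constructor() { this.builtBy = 'B'; }
}

class C extends B {
  constructor() {
    super();            // resolves to Object.getPrototypeOf(C), which is B
    this.derived = true;
  }
}

// Tamper with the property the pre-fix lookup used. Under the old lookup
// (callee.[[HomeObject]].__proto__.constructor) super() would invoke this
// impostor and new C() would throw.
B.prototype.constructor = function Impostor() {
  throw new Error('super() must not look up B.prototype.constructor');
};

// What each lookup strategy resolves to, side by side.
function oldLookupTarget() {
  // HomeObject of C's constructor is C.prototype; its __proto__ is B.prototype.
  return Object.getPrototypeOf(C.prototype).constructor;   // Impostor
}
function specLookupTarget() {
  return Object.getPrototypeOf(C);                          // B
}

function constructC() {
  return new C();   // succeeds: the impostor is never called
}

// The spec lookup is dynamic: rewiring C's [[Prototype]] changes which
// constructor super() invokes, while C.prototype is left untouched.
class D {
  constructor() { this.builtBy = 'D'; }
}
function builtByAfterRewiring() {
  Object.setPrototypeOf(C, D);
  try {
    return new C().builtBy;   // 'D'
  } finally {
    Object.setPrototypeOf(C, B);
  }
}
```

        Run under node; constructC() returns an instance built by B even
        though B.prototype.constructor has been replaced, and
        builtByAfterRewiring() returns 'D' because super() follows C's
        [[Prototype]] at call time.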
3132
3133 2015-10-10  Andreas Kling  <akling@apple.com>
3134
3135         Reduce pointless malloc traffic in CodeBlock construction.
3136         <https://webkit.org/b/149999>
3137
3138         Reviewed by Antti Koivisto.
3139
3140         Create the RefCountedArray<Instruction> for CodeBlock's m_instructions directly
3141         instead of first creating a Vector<Instruction> and then creating a RefCountedArray
3142         from that. None of the Vector functionality is needed here anyway.
3143
3144         * bytecode/CodeBlock.cpp:
3145         (JSC::CodeBlock::finishCreation):
3146         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3147         * bytecode/CodeBlock.h:
3148
3149 2015-10-10  Dan Bernstein  <mitz@apple.com>
3150
3151         [iOS] Remove unnecessary iOS version checks
3152         https://bugs.webkit.org/show_bug.cgi?id=150002
3153
3154         Reviewed by Alexey Proskuryakov.
3155
3156         * llvm/library/LLVMExports.cpp:
3157         (initializeAndGetJSCLLVMAPI):
3158
3159 2015-10-10  Dan Bernstein  <mitz@apple.com>
3160
3161         [iOS] Remove project support for iOS 8
3162         https://bugs.webkit.org/show_bug.cgi?id=149993
3163
3164         Reviewed by Alexey Proskuryakov.
3165
3166         * Configurations/Base.xcconfig:
3167         * Configurations/JSC.xcconfig:
3168         * Configurations/JavaScriptCore.xcconfig:
3169         * Configurations/LLVMForJSC.xcconfig:
3170         * Configurations/ToolExecutable.xcconfig:
3171
3172 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
3173
3174         Modernize and cleanup an NSNumber constant
3175         https://bugs.webkit.org/show_bug.cgi?id=149962
3176
3177         Reviewed by Andreas Kling.
3178
3179         * API/JSVirtualMachine.mm:
3180         (-[JSVirtualMachine addExternalRememberedObject:]):
3181
3182 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
3183
3184         No need to keep setting needsVisit flag in SmallStrings
3185         https://bugs.webkit.org/show_bug.cgi?id=149961
3186
3187         Reviewed by Andreas Kling.
3188
3189         SmallStrings are all initialized at once privately before the VM
3190         enables Garbage Collection. There is no need to keep updating
3191         this flag, as it couldn't have changed.
3192
3193         * runtime/SmallStrings.cpp:
3194         (JSC::SmallStrings::createEmptyString):
3195         (JSC::SmallStrings::createSingleCharacterString):
3196         (JSC::SmallStrings::initialize):
3197         * runtime/SmallStrings.h:
3198
3199 2015-10-09  Geoffrey Garen  <ggaren@apple.com>
3200
3201         Unreviewed, rolling back in r190694
3202         https://bugs.webkit.org/show_bug.cgi?id=149727
3203
3204         This time for double sure?
3205
3206         The cause of the crash was an incorrect write barrier.
3207
3208         OSR exit was barriering the baseline codeblock for the top of the stack
3209         twice, missing the baseline codeblock for the bottom of the stack.
3210
3211         Restored changesets:
3212
3213         "CodeBlock should be a GC object"
3214         https://bugs.webkit.org/show_bug.cgi?id=149727
3215         http://trac.webkit.org/changeset/r190694
3216
3217 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
3218
3219         Remove unused RecursiveAllocationScope
3220         https://bugs.webkit.org/show_bug.cgi?id=149967
3221
        Reviewed by Csaba Osztrogonác.
3223
3224         RecursiveAllocationScope has been unused since r163691.
3225
3226         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3227         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3228         * JavaScriptCore.xcodeproj/project.pbxproj:
3229         * heap/Heap.cpp:
3230         * heap/Heap.h:
3231         * heap/RecursiveAllocationScope.h: Removed.
3232         * runtime/VM.h:
3233
3234 2015-10-09  Geoffrey Garen  <ggaren@apple.com>
3235
3236         Unreviewed, rolling out r190694
3237         https://bugs.webkit.org/show_bug.cgi?id=148560
3238
3239         Crashes seen on PLT bots and facebook.com.
3240
3241         Reverted changesets:
3242
3243         "CodeBlock should be a GC object"
3244         https://bugs.webkit.org/show_bug.cgi?id=149727
3245         http://trac.webkit.org/changeset/190694
3246
3247 2015-10-09  Xabier Rodriguez Calvar  <calvaris@igalia.com> and Youenn Fablet  <youenn.fablet@crf.canon.fr>
3248
3249         Automate WebCore JS builtins generation and build system
3250         https://bugs.webkit.org/show_bug.cgi?id=149751
3251
3252         Reviewed by Darin Adler.
3253
3254         * generate-js-builtins: updating the part related to WebCore JS binding.
3255
3256 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
3257
3258         DFG SSA should remove unreachable code
3259         https://bugs.webkit.org/show_bug.cgi?id=149931
3260
3261         Reviewed by Geoffrey Garen.
3262
3263         Rolled back in with a call to m_state.reset(), which fixes the debug asserts.
3264
3265         * dfg/DFGConstantFoldingPhase.cpp:
3266         (JSC::DFG::ConstantFoldingPhase::run): Remove unreachable code.
3267         * dfg/DFGObjectAllocationSinkingPhase.cpp: Deal with the CFG changing.
3268         * dfg/DFGPutStackSinkingPhase.cpp: Deal with the CFG changing.
3269
3270 2015-10-08  Daniel Bates  <dabates@apple.com>
3271
3272         Add LLVM binaries for iOS 9 device
3273         https://bugs.webkit.org/show_bug.cgi?id=149913
3274
3275         Reviewed by Filip Pizlo.
3276
3277         Look for locally built/binary dropped LLVM headers and libraries when building for iOS device
3278         in WebKitBuild/usr/local.
3279
3280         Currently Mac and iOS look for the locally built/binary dropped LLVM in different directories:
3281         WebKitBuild/usr/local and /usr/local/LLVMForJavaScriptCore, respectively. This difference is
3282         due to dependencies with the Apple internal build system. We should look to resolve the
3283         Apple internal dependencies and standardize on one location for both platforms.
3284
3285         * Configurations/Base.xcconfig:
3286
3287 2015-10-08  Commit Queue  <commit-queue@webkit.org>
3288
3289         Unreviewed, rolling out r190749.
3290         https://bugs.webkit.org/show_bug.cgi?id=149938
3291
3292         Caused 50+ layout test failures
3293         https://build.webkit.org/results/Apple%20El%20Capitan%20Debug%20WK1%20(Tests)/r190749%20(213)/results.html
3294         (Requested by litherum1 on #webkit).
3295
3296         Reverted changeset:
3297
3298         "DFG SSA should remove unreachable code"
3299         https://bugs.webkit.org/show_bug.cgi?id=149931
3300         http://trac.webkit.org/changeset/190749
3301
3302 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
3303
3304         DFG SSA should remove unreachable code
3305         https://bugs.webkit.org/show_bug.cgi?id=149931
3306
3307         Reviewed by Geoffrey Garen.
3308
3309         * dfg/DFGConstantFoldingPhase.cpp:
3310         (JSC::DFG::ConstantFoldingPhase::run): Remove unreachable code.
3311         * dfg/DFGObjectAllocationSinkingPhase.cpp: Deal with the CFG changing.
3312         * dfg/DFGPutStackSinkingPhase.cpp: Deal with the CFG changing.
3313
3314 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
3315
3316         Unreviewed build fix. Missing forward declaration.
3317
3318         * heap/Heap.h:
3319
3320 2015-10-08  Saam barati  <sbarati@apple.com>
3321
3322         Unreviewed Cloop build fix after bug: https://bugs.webkit.org/show_bug.cgi?id=149601
3323
3324         * bytecode/CodeBlock.cpp:
3325         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
3326         * jit/JITCode.cpp:
3327         (JSC::NativeJITCode::addressForCall):
3328         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3329         * jit/JITCode.h:
3330
3331 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
3332
3333         Clean up Marked classes
3334         https://bugs.webkit.org/show_bug.cgi?id=149853
3335
3336         Reviewed by Darin Adler.
3337
3338         * heap/Heap.h:
3339         Move include here where it is really needed.
3340
3341         * heap/HeapStatistics.cpp:
3342         * heap/HeapStatistics.h:
3343         Simplify includes.
3344
3345         * heap/MarkedAllocator.h:
3346         Add missing copyright header.
3347
3348         * heap/MarkedBlock.cpp:
3349         * heap/MarkedBlock.h:
3350         (JSC::MarkedBlock::needsSweeping):
3351         Remove unused constants. Add some static asserts. Add some `const`-ness.
3352
3353         * heap/MarkedSpace.h:
3354         (JSC::MarkedSpace::isIterating):
3355         Update comments to better reflect actual values.
3356         Remove unimplemented method (moved to Heap).
3357
3358