Source/JavaScriptCore/ChangeLog (WebKit-https.git, at commit 08597af03d9d117e845435cf25b9bbbc53542326)
2016-01-04  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do BitAnd binary snippets
        https://bugs.webkit.org/show_bug.cgi?id=152713

        Reviewed by Mark Lam.

        Getting ready to finish up the binary bitop snippets.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
        * tests/stress/object-bit-and.js: Added.
        (foo):
        (things.valueOf):
        * tests/stress/untyped-bit-and.js: Added.
        (foo):
        (valueOf):

2016-01-04  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do all of the non-bitop binary snippets
        https://bugs.webkit.org/show_bug.cgi?id=152709

        Reviewed by Mark Lam.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
        * tests/stress/object-add.js: Added.
        (foo):
        (things.valueOf):
        * tests/stress/object-div.js: Added.
        (foo):
        (things.valueOf):
        * tests/stress/object-mul.js: Added.
        (foo):
        (things.valueOf):
        * tests/stress/untyped-add.js: Added.
        (foo):
        (valueOf):
        * tests/stress/untyped-div.js: Added.
        (foo):
        (valueOf):
        * tests/stress/untyped-mul.js: Added.
        (foo):
        (valueOf):

2016-01-04  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do the ArithSub binary snippet
        https://bugs.webkit.org/show_bug.cgi?id=152705

        Reviewed by Saam Barati.

        This implements the ArithSub binary snippet generator in FTL B3.

        While doing this, I discovered that the DFG type inference logic for ArithSub contains a
        classic mistake: it causes the snippets to kick in when the type set does not contain numbers
        rather than kicking in when the type set contains non-numbers. So, the original test that I
        wrote for this doesn't work right (it runs to completion but OSR exits ad infinitum). I wrote
        a second test that is simpler, and that one shows that the binary snippets "work". That's
        sort of a joke though, since the only way to trigger binary snippets is to never pass numbers
        and the only way to actually cause a binary snippet to do meaningful work is to pass numbers.
        I filed a bug about this mess: https://bugs.webkit.org/show_bug.cgi?id=152708.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
        * tests/stress/object-sub.js: Added.
        (foo):
        (things.valueOf):
        * tests/stress/untyped-sub.js: Added.
        (foo):
        (valueOf):

2016-01-04  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, disable FTL B3 for now. I didn't intend to enable it yet.

        * dfg/DFGCommon.h:

2016-01-04  Filip Pizlo  <fpizlo@apple.com>

        B3 patchpoints should allow requesting scratch registers
        https://bugs.webkit.org/show_bug.cgi?id=152669

        Reviewed by Benjamin Poulain.

        Scratch registers are something that we often need in many patchpoint use cases. In LLVM's
        patchpoints, we didn't have a good way to request scratch registers. So, our current FTL code
        often does crazy scratch register allocation madness even when it would be better to just ask
        the backend for some registers. This patch adds a mechanism for requesting scratch registers
        in B3, and wires it all the way to all of our register allocation and liveness
        infrastructure.

        From the standpoint of a patchpoint, a "scratch register" is an instruction argument that
        only admits Tmp and is defined early (like an early clobber register) and is used late (like
        what we previously called LateUse, except that this time it's also a warm use). We already
        had the beginning of support for early def's because of early clobbers, and we already
        supported late uses albeit cold ones. I really only needed to add one new role: "Scratch",
        which means both early def and late use in much the same way as "UseDef" means both early
        use and late def. But, it feels better to complete the set of roles, so I added LateColdUse
        to differentiate from LateUse (which is now a warm use) and EarlyDef to differentiate from
        Def (which is, and always has been, a late def). Forcing the code to deal with the full
        matrix of possibilities resulted in what is probably a progression in how we handle defs in
        the register and stack allocators. The new Inst::forEachDef(Inst*, Inst*, callback) fully
        recognizes that a "def" is something that can come from either the preceding instruction or
        the succeeding one.

        This doesn't add any new functionality to FTL B3 yet, but the new scratch register mechanism
        is covered by new testb3 tests.

        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::isValid):
        (JSC::B3::CheckSpecial::admitsStack):
        (JSC::B3::CheckSpecial::generate):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        (JSC::B3::PatchpointSpecial::isValid):
        (JSC::B3::PatchpointSpecial::admitsStack):
        (JSC::B3::PatchpointSpecial::generate):
        * b3/B3PatchpointValue.cpp:
        (JSC::B3::PatchpointValue::dumpMeta):
        (JSC::B3::PatchpointValue::PatchpointValue):
        * b3/B3PatchpointValue.h:
        * b3/B3StackmapGenerationParams.cpp:
        (JSC::B3::StackmapGenerationParams::unavailableRegisters):
        * b3/B3StackmapGenerationParams.h:
        (JSC::B3::StackmapGenerationParams::gpScratch):
        (JSC::B3::StackmapGenerationParams::fpScratch):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        (JSC::B3::StackmapSpecial::isValidImpl):
        (JSC::B3::StackmapSpecial::admitsStackImpl):
        (JSC::B3::StackmapSpecial::repsImpl):
        (JSC::B3::StackmapSpecial::isArgValidForValue):
        (JSC::B3::StackmapSpecial::appendRepsImpl): Deleted.
        * b3/B3StackmapSpecial.h:
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirArg.cpp:
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isAnyUse):
        (JSC::B3::Air::Arg::isColdUse):
        (JSC::B3::Air::Arg::isEarlyUse):
        (JSC::B3::Air::Arg::isLateUse):
        (JSC::B3::Air::Arg::isAnyDef):
        (JSC::B3::Air::Arg::isEarlyDef):
        (JSC::B3::Air::Arg::isLateDef):
        (JSC::B3::Air::Arg::isZDef):
        (JSC::B3::Air::Arg::Arg):
        (JSC::B3::Air::Arg::imm):
        (JSC::B3::Air::Arg::isDef): Deleted.
        * b3/air/AirBasicBlock.h:
        (JSC::B3::Air::BasicBlock::at):
        (JSC::B3::Air::BasicBlock::get):
        (JSC::B3::Air::BasicBlock::last):
        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):
        * b3/air/AirFixPartialRegisterStalls.cpp:
        (JSC::B3::Air::fixPartialRegisterStalls):
        * b3/air/AirInst.cpp:
        (JSC::B3::Air::Inst::hasArgEffects):
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
        (JSC::B3::Air::Inst::forEachDef):
        (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
        (JSC::B3::Air::Inst::reportUsedRegisters):
        (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs): Deleted.
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirTmpWidth.cpp:
        (JSC::B3::Air::TmpWidth::recompute):
        * b3/air/AirUseCounts.h:
        (JSC::B3::Air::UseCounts::UseCounts):
        * b3/testb3.cpp:
        (JSC::B3::testPatchpointAny):
        (JSC::B3::testPatchpointGPScratch):
        (JSC::B3::testPatchpointFPScratch):
        (JSC::B3::testPatchpointLotsOfLateAnys):
        (JSC::B3::run):

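The role matrix this entry describes (early/late x use/def, Scratch as early def plus warm late use, and forEachDef(prev, next) collecting defs from both neighbouring instructions), as an added C++ model written for this page and not JavaScriptCore's own Air code; the liveness update order and the two-instruction sample block are assumptions built from the entry's text.

```cpp
// Added model of the Air argument roles described above (not JSC's own code):
// a role is a combination of {early, late} x {use, def}; "Scratch" is an early
// def plus a warm late use, "UseDef" an early use plus a late def. The liveness
// update order below is an assumption modelled on the entry's description.
#include <cassert>
#include <iostream>
#include <set>
#include <string>
#include <vector>

enum class Role { Use, ColdUse, LateUse, LateColdUse, Def, EarlyDef, UseDef, Scratch };

// Predicates named after the AirArg.h helpers listed in the entry.
bool isEarlyUse(Role r) { return r == Role::Use || r == Role::ColdUse || r == Role::UseDef; }
bool isLateUse(Role r)  { return r == Role::LateUse || r == Role::LateColdUse || r == Role::Scratch; }
bool isAnyUse(Role r)   { return isEarlyUse(r) || isLateUse(r); }
bool isColdUse(Role r)  { return r == Role::ColdUse || r == Role::LateColdUse; }
bool isEarlyDef(Role r) { return r == Role::EarlyDef || r == Role::Scratch; }
bool isLateDef(Role r)  { return r == Role::Def || r == Role::UseDef; }
bool isAnyDef(Role r)   { return isEarlyDef(r) || isLateDef(r); }

struct Arg { std::string tmp; Role role; };
struct Inst { std::string name; std::vector<Arg> args; };
using TmpSet = std::set<std::string>;

// The defs that take effect at the boundary between two instructions come from
// both sides: late defs of the preceding inst and early defs of the succeeding
// one. Either pointer may be null at the edges of the block.
template <typename F>
void forEachDef(const Inst* prev, const Inst* next, F callback) {
    if (prev)
        for (const Arg& a : prev->args) if (isLateDef(a.role)) callback(a.tmp);
    if (next)
        for (const Arg& a : next->args) if (isEarlyDef(a.role)) callback(a.tmp);
}

// Backward liveness over one basic block. live[i] holds the tmps live at the
// boundary just before inst i; live[block.size()] is the block's live-out set.
std::vector<TmpSet> liveness(const std::vector<Inst>& block, const TmpSet& liveOut) {
    std::vector<TmpSet> live(block.size() + 1);
    TmpSet workset = liveOut;
    live[block.size()] = workset;
    for (size_t i = block.size(); i-- > 0;) {
        const Inst& inst = block[i];
        const Inst* next = i + 1 < block.size() ? &block[i + 1] : nullptr;
        // Kill everything defined at the boundary after inst: its own late defs
        // and the early defs of the instruction that follows it.
        forEachDef(&inst, next, [&](const std::string& t) { workset.erase(t); });
        // Early uses are read before inst defines anything late, so they are live before it.
        for (const Arg& a : inst.args)
            if (isEarlyUse(a.role)) workset.insert(a.tmp);
        // Late uses of the previous inst are read at this same boundary, so they
        // stay live here and interfere with inst's early defs (e.g. its scratches).
        if (i > 0)
            for (const Arg& a : block[i - 1].args)
                if (isLateUse(a.role)) workset.insert(a.tmp);
        live[i] = workset;
    }
    return live;
}

// Constructed two-instruction block: a patchpoint that reads x, writes r and
// asks for scratch s, followed by a move that consumes r.
std::vector<Inst> exampleBlock() {
    return {
        { "Patchpoint", { { "x", Role::Use }, { "r", Role::Def }, { "s", Role::Scratch } } },
        { "Move",       { { "r", Role::Use }, { "y", Role::Def } } },
    };
}

int main() {
    std::vector<TmpSet> live = liveness(exampleBlock(), TmpSet{ "y" });
    // s is live both before and after the patchpoint, so the register allocator
    // must keep it apart from x (input) and r (output).
    for (size_t i = 0; i < live.size(); ++i) {
        std::cout << "live[" << i << "] =";
        for (const std::string& t : live[i]) std::cout << ' ' << t;
        std::cout << '\n';
    }
    return 0;
}
```

Because the scratch tmp is an early def, it is already live at the boundary before the patchpoint alongside the input x, and as a late use it is still live at the boundary after it alongside the output r.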
2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the !ENABLE(INTL) build after r193493
        https://bugs.webkit.org/show_bug.cgi?id=152689

        Reviewed by Alex Christensen.

        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):

2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>

        JSC generator scripts shouldn't have verbose output
        https://bugs.webkit.org/show_bug.cgi?id=152382

        Reviewed by Michael Catanzaro.

        * b3/air/opcode_generator.rb:
        * generate-bytecode-files:
        * offlineasm/asm.rb:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/parser.rb:

2016-01-04  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Build B3 by default on iOS ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152525

        Reviewed by Filip Pizlo.

        Minor changes required to get testb3 to compile.

        * Configurations/ToolExecutable.xcconfig:
        We need an entitlement to allocate executable memory.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegister):
        (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
        (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
        Expose one of the scratch registers for ValueRep::emitRestore().
        Guard the use of scratch registers when not allowed.

        * b3/air/AirOpcode.opcodes:
        ARM addressing is a bit different. Skip Addr to make things build.

        * b3/testb3.cpp:
        (JSC::B3::testPatchpointWithStackArgumentResult):
        Add on memory only exists on x86.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::macroScratchRegisters):
        Add the two scratch registers, useful for patchpoints.

2016-01-03  Khem Raj  <raj.khem@gmail.com>

        WebKit fails to build with musl libc library
        https://bugs.webkit.org/show_bug.cgi?id=152625

        Reviewed by Daniel Bates.

        Qualify isnan() calls with std namespace.

        * runtime/Options.cpp:
        (Option::operator==): Add std namespace qualifier.

2016-01-03  Andreas Kling  <akling@apple.com>

        Remove redundant StringImpl substring creation function.
        <https://webkit.org/b/152652>

        Reviewed by Daniel Bates.

        Remove jsSubstring8() and make the only call site use jsSubstring().

        * runtime/JSString.h:
        (JSC::jsSubstring8): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):

2016-01-02  Khem Raj  <raj.khem@gmail.com>

        Clang's builtin for clear_cache accepts char* and errors out
        when using void*; using char* works on both gcc and clang
        since char* is auto-converted to void* in the gcc case.
        https://bugs.webkit.org/show_bug.cgi?id=152654

        Reviewed by Michael Saboff.

        * assembler/ARM64Assembler.h:
        (linuxPageFlush): Convert arguments to __builtin___clear_cache()
        to char*.

2015-12-31  Andy Estes  <aestes@apple.com>

        Replace WTF::move with WTFMove
        https://bugs.webkit.org/show_bug.cgi?id=152601

        Reviewed by Brady Eidson.

        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::create):
        (objCCallbackFunctionForInvocation):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::releaseAssemblerData):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):
        * b3/B3BlockInsertionSet.cpp:
        (JSC::B3::BlockInsertionSet::insert):
        (JSC::B3::BlockInsertionSet::splitForward):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3OpaqueByproducts.cpp:
        (JSC::B3::OpaqueByproducts::add):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::addDataSection):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::releaseByproducts):
        * b3/B3ProcedureInlines.h:
        (JSC::B3::Procedure::add):
        * b3/B3Value.h:
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::addBlock):
        (JSC::B3::Air::Code::addStackSlot):
        (JSC::B3::Air::Code::addSpecial):
        * b3/air/AirInst.h:
        (JSC::B3::Air::Inst::Inst):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirSimplifyCFG.cpp:
        (JSC::B3::Air::simplifyCFG):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * builtins/BuiltinExecutables.cpp:
        (JSC::createExecutableInternal):
        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::computeBytecodeBasicBlocks):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setCalleeSaveRegisters):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setJITCodeMap):
        (JSC::CodeBlock::livenessAnalysis):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerateWithCases):
        (JSC::PolymorphicAccess::regenerateWithCase):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::setter):
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::push):
        * bytecode/StructureStubClearingWatchpoint.h:
        (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::setInstructions):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/SetForScope.h:
        (JSC::SetForScope::SetForScope):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::killsFor):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::JITFinalizer):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::process):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        * disassembler/Disassembler.cpp:
        (JSC::disassembleAsynchronously):
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::initializeB3Byproducts):
        * ftl/FTLJITFinalizer.h:
        (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
        * heap/Heap.cpp:
        (JSC::Heap::releaseDelayedReleasedObjects):
        (JSC::Heap::markRoots):
        (JSC::Heap::setIncrementalSweeper):
        * heap/HeapInlines.h:
        (JSC::Heap::releaseSoon):
        (JSC::Heap::registerWeakGCMap):
        * heap/WeakInlines.h:
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::wrapCallFrames):
        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::AgentRegistry::append):
        (Inspector::AgentRegistry::appendExtraAgent):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
        (Inspector::BackendDispatcher::BackendDispatcher):
        (Inspector::BackendDispatcher::create):
        (Inspector::BackendDispatcher::sendPendingErrors):
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::Array::addItem):
        * inspector/InspectorValues.cpp:
        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::setValue):
        (Inspector::InspectorObjectBase::setObject):
        (Inspector::InspectorObjectBase::setArray):
        (Inspector::InspectorArrayBase::pushValue):
        (Inspector::InspectorArrayBase::pushObject):
        (Inspector::InspectorArrayBase::pushArray):
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
        (Inspector::JSGlobalObjectConsoleClient::timeEnd):
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
        * inspector/JSInjectedScriptHost.h:
        (Inspector::JSInjectedScriptHost::create):
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::activateExtraDomain):
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::addConsoleMessage):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::didGarbageCollect):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::addEvent):
        (Inspector::buildInspectorObject):
        (Inspector::buildProfileInspectorObject):
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        * inspector/augmentable/AlternateDispatchableAgent.h:
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_unchecked_setter_for_member):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::performSafeWrites):
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        (JSC::linkPolymorphicCall):
        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Parser::closedVariables):
        * parser/SourceProviderCache.cpp:
        (JSC::SourceProviderCache::add):
        * profiler/ProfileNode.h:
        (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::get<EncodedValue>):
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_member_move_expression):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
        (Test::HandleWheelEvent::HandleWheelEvent):
        (JSC::InputTraits<Test::HandleWheelEvent>::decode):
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
        (Test::MapInput::MapInput):
        (JSC::InputTraits<Test::MapInput>::decode):
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
        (JSC::ConsoleClient::logWithLevel):
        (JSC::ConsoleClient::clear):
        (JSC::ConsoleClient::dir):
        (JSC::ConsoleClient::dirXML):
        (JSC::ConsoleClient::table):
        (JSC::ConsoleClient::trace):
        (JSC::ConsoleClient::assertCondition):
        (JSC::ConsoleClient::group):
        (JSC::ConsoleClient::groupCollapsed):
        (JSC::ConsoleClient::groupEnd):
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::create):
        * runtime/JSString.h:
        (JSC::jsNontrivialString):
        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::join):
        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::append):
        * runtime/NativeStdFunctionCell.cpp:
        (JSC::NativeStdFunctionCell::create):
        (JSC::NativeStdFunctionCell::NativeStdFunctionCell):
        * runtime/ScopedArgumentsTable.cpp:
        (JSC::ScopedArgumentsTable::setLength):
        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::resize):
        * runtime/TypeSet.cpp:
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::set):
        * tools/CodeProfile.h:
        (JSC::CodeProfile::addChild):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::reset):
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
        (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
        (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
        (JSC::Yarr::YarrPatternConstructor::copyDisjunction):

2016-01-01  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix copyright dates. It's super annoying when we forget to update these, and I
        just forgot to do so in the last commit. Also update the date of the last commit in the
        ChangeLog.

        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirTmpWidth.cpp:
        * b3/air/AirTmpWidth.h:
        * ftl/FTLB3Output.cpp:
        * ftl/FTLB3Output.h:

2016-01-01  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should be able to run all of the old V8v7 tests
        https://bugs.webkit.org/show_bug.cgi?id=152579

        Reviewed by Saam Barati.

        Fixes some silly bugs that were preventing us from running all of the old V8v7 tests.

        IRC's analysis of when to turn a Move into a Move32 when spilling is based on the premise
        that if the dst has a 32-bit def width, then the src must also have a 32-bit def width. But
        that doesn't happen if the src is an immediate.

        This changes that condition in IRC to use the combined use/def width of both src and dst
        rather than being clever. This is great because it's the combined width that determines the
        size of the spill slot.

        Also added some more debug support to TmpWidth.

        This also fixes Air's description of DivDouble; previously it claimed to be a 32-bit
        operation. Also implements Output::unsignedToDouble(), since we already had everything we
        needed to implement this optimally.

        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirTmpWidth.cpp:
        (JSC::B3::Air::TmpWidth::recompute):
        (JSC::B3::Air::TmpWidth::Widths::dump):
        * b3/air/AirTmpWidth.h:
        (JSC::B3::Air::TmpWidth::Widths::Widths):
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::doubleToUInt):
        (JSC::FTL::Output::unsignedToDouble):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::zeroExt):
        (JSC::FTL::Output::zeroExtPtr):
        (JSC::FTL::Output::intToDouble):
        (JSC::FTL::Output::castToInt32):
        (JSC::FTL::Output::unsignedToDouble): Deleted.

2016-01-01  Jeff Miller  <jeffm@apple.com>

        Update user-visible copyright strings to include 2016
        https://bugs.webkit.org/show_bug.cgi?id=152531

        Reviewed by Alexey Proskuryakov.

        * Info.plist:

2015-12-31  Andy Estes  <aestes@apple.com>

        Fix warnings uncovered by migrating to WTF_MOVE
        https://bugs.webkit.org/show_bug.cgi?id=152601

        Reviewed by Daniel Bates.

        * create_regex_tables: Moving a return value prevented copy elision.
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::parseUnwindInfo): Ditto.
        * replay/EncodedValue.h: Ditto.

657 2015-12-30  Aleksandr Skachkov  <gskachkov@gmail.com>
658
659         [ES6] Arrow function syntax. Arrow function specific features. Lexical bind "super"
660         https://bugs.webkit.org/show_bug.cgi?id=149615
661
662         Reviewed by Saam Barati.
663
664         Implemented lexical binding of the "super" property for arrow functions. The 'super' property
665         can be accessed inside an arrow function if the arrow function is nested in a constructor,
666         method, getter or setter of a class. In the current patch, using 'super' in an arrow function
667         that is declared outside of a class leads to the wrong type of error; it should be a SyntaxError
668         (https://bugs.webkit.org/show_bug.cgi?id=150893) and this will be fixed in a separate patch.
669
670         * builtins/BuiltinExecutables.cpp:
671         (JSC::createExecutableInternal):
672         * bytecode/EvalCodeCache.h:
673         (JSC::EvalCodeCache::getSlow):
674         * bytecode/ExecutableInfo.h:
675         (JSC::ExecutableInfo::ExecutableInfo):
676         (JSC::ExecutableInfo::derivedContextType):
677         (JSC::ExecutableInfo::isClassContext):
678         * bytecode/UnlinkedCodeBlock.cpp:
679         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
680         * bytecode/UnlinkedCodeBlock.h:
681         (JSC::UnlinkedCodeBlock::derivedContextType):
682         (JSC::UnlinkedCodeBlock::isClassContext):
683         * bytecode/UnlinkedFunctionExecutable.cpp:
684         (JSC::generateUnlinkedFunctionCodeBlock):
685         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
686         * bytecode/UnlinkedFunctionExecutable.h:
687         * bytecompiler/BytecodeGenerator.cpp:
688         (JSC::BytecodeGenerator::BytecodeGenerator):
689         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
690         * bytecompiler/BytecodeGenerator.h:
691         (JSC::BytecodeGenerator::derivedContextType):
692         (JSC::BytecodeGenerator::isDerivedConstructorContext):
693         (JSC::BytecodeGenerator::isDerivedClassContext):
694         (JSC::BytecodeGenerator::isArrowFunction):
695         (JSC::BytecodeGenerator::makeFunction):
696         * bytecompiler/NodesCodegen.cpp:
697         (JSC::emitHomeObjectForCallee):
698         (JSC::FunctionCallValueNode::emitBytecode):
699         * debugger/DebuggerCallFrame.cpp:
700         (JSC::DebuggerCallFrame::evaluate):
701         * interpreter/Interpreter.cpp:
702         (JSC::eval):
703         * runtime/CodeCache.cpp:
704         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
705         * runtime/Executable.cpp:
706         (JSC::ScriptExecutable::ScriptExecutable):
707         (JSC::EvalExecutable::create):
708         (JSC::EvalExecutable::EvalExecutable):
709         (JSC::ProgramExecutable::ProgramExecutable):
710         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
711         (JSC::FunctionExecutable::FunctionExecutable):
712         * runtime/Executable.h:
713         (JSC::ScriptExecutable::derivedContextType):
714         * runtime/JSGlobalObjectFunctions.cpp:
715         (JSC::globalFuncEval):
716         * tests/es6.yaml:
717         * tests/stress/arrowfunction-lexical-bind-superproperty.js: Added.
718
719 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
720
721         Unreviewed, relax limitation in operationCreateThis
722         https://bugs.webkit.org/show_bug.cgi?id=152383
723
724         Unreviewed. operationCreateThis can now be called with a non-constructible function.
725
726         * dfg/DFGOperations.cpp:
727
728 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
729
730         [ES6][ES7] Drop Constructability of generator function
731         https://bugs.webkit.org/show_bug.cgi?id=152383
732
733         Reviewed by Saam Barati.
734
735         We drop the constructability of generator functions.
736         This functionality has already landed in the ES 2016 draft[1],
737         and it simplifies JSC's existing generator implementation by
738         dropping the GeneratorThisMode flag.
739
740         [1]: https://github.com/tc39/ecma262/releases/tag/es2016-draft-20151201
741
742         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
743         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
744         * JavaScriptCore.xcodeproj/project.pbxproj:
745         * builtins/BuiltinExecutables.cpp:
746         (JSC::createExecutableInternal):
747         * bytecode/ExecutableInfo.h:
748         (JSC::ExecutableInfo::ExecutableInfo):
749         (JSC::ExecutableInfo::generatorThisMode): Deleted.
750         * bytecode/UnlinkedCodeBlock.cpp:
751         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
752         * bytecode/UnlinkedCodeBlock.h:
753         (JSC::UnlinkedCodeBlock::generatorThisMode): Deleted.
754         * bytecode/UnlinkedFunctionExecutable.cpp:
755         (JSC::generateUnlinkedFunctionCodeBlock):
756         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
757         * bytecode/UnlinkedFunctionExecutable.h:
758         * bytecompiler/BytecodeGenerator.cpp:
759         (JSC::BytecodeGenerator::BytecodeGenerator): Deleted.
760         * bytecompiler/BytecodeGenerator.h:
761         (JSC::BytecodeGenerator::makeFunction):
762         (JSC::BytecodeGenerator::generatorThisMode): Deleted.
763         * bytecompiler/NodesCodegen.cpp:
764         (JSC::ThisNode::emitBytecode):
765         * interpreter/Interpreter.cpp:
766         (JSC::eval): Deleted.
767         * runtime/CodeCache.cpp:
768         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
769         * runtime/Executable.h:
770         * runtime/GeneratorThisMode.h: Removed.
771         * tests/stress/generator-eval-this.js:
772         (shouldThrow):
773         * tests/stress/generator-is-not-constructible.js: Added.
774         (shouldThrow):
775         (A.staticGen):
776         (A.prototype.gen):
777         (A):
778         (TypeError):
779         * tests/stress/generator-this.js:
780         (shouldBe.g.next):
781         * tests/stress/generator-with-new-target.js:
782         (shouldThrow):
783
784 2015-12-27  Filip Pizlo  <fpizlo@apple.com>
785
786         FTL B3 should know that used registers are not the same thing as used registers. Rename the
787         latter to unavailable registers to avoid future confusion.
788         https://bugs.webkit.org/show_bug.cgi?id=152572
789
790         Reviewed by Saam Barati.
791
792         Prior to this change, we used the term "used registers" in two different senses:
793
794         - The set of registers that are live at some point in the current compilation unit. A
795           register is live at some point if it is read after that point on some path through that
796           point.
797
798         - The set of registers that are not available for scratch register use at some point. A
799           register may not be available if it is live or if it is a callee-save register but it is
800           not being saved by the current compilation.
801
802         In the old FTL LLVM code, we had some translations from the first sense into the second
803         sense. We forgot to do those in FTL B3, and so we get crashes, for example in V8/splay. That
804         benchmark highlighted this issue because it fired some lazy slow paths, and then used an
805         unsaved callee-save for scratch.
806  
807         Curiously, we could merge these two definitions by observing that, in some sense, an unsaved
808         callee save is live at every point in a compilation in the sense that it may contain a value
809         that will be read when the compilation returns. That's pretty cool, but it feels strange to
810         me. This isn't how we would normally define liveness of registers. It's not how the
811         Air::TmpLiveness analysis would do it for any of its other clients.
812
813         So, this changes B3 to have two different concepts:
814
815         - Used registers. These are the registers that are live.
816
817         - Unavailable registers. These are the registers that are not available for scratch. It's
818           always a superset of used registers.
819
820         This also changes FTLLower to use unavailableRegisters() pretty much everywhere that it
821         previously used usedRegisters().
822
823         This makes it possible to run V8/splay.
824
825         * b3/B3StackmapGenerationParams.cpp:
826         (JSC::B3::StackmapGenerationParams::usedRegisters):
827         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
828         (JSC::B3::StackmapGenerationParams::proc):
829         * b3/B3StackmapGenerationParams.h:
830         * ftl/FTLLowerDFGToLLVM.cpp:
831         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
832         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
833         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
834
835 2015-12-25  Andy Estes  <aestes@apple.com>
836
837         Stop moving local objects in return statements
838         https://bugs.webkit.org/show_bug.cgi?id=152557
839
840         Reviewed by Brady Eidson.
841
842         Calling std::move() on a local object in a return statement prevents the compiler from applying the return value optimization.
843
844         Clang can warn about these mistakes with -Wpessimizing-move, although only when std::move() is called directly.
845         I found these issues by temporarily replacing WTF::move with std::move and recompiling.
846
847         * inspector/ScriptCallStack.cpp:
848         (Inspector::ScriptCallStack::buildInspectorArray):
849         * inspector/agents/InspectorScriptProfilerAgent.cpp:
850         (Inspector::buildInspectorObject):
851         * jit/CallFrameShuffler.h:
852         (JSC::CallFrameShuffler::snapshot):
853         * runtime/TypeSet.cpp:
854         (JSC::TypeSet::allStructureRepresentations):
855         (JSC::StructureShape::inspectorRepresentation):
856
857 2015-12-26  Mark Lam  <mark.lam@apple.com>
858
859         Rename NodeMayOverflowInXXX to NodeMayOverflowInt32InXXX.
860         https://bugs.webkit.org/show_bug.cgi?id=152555
861
862         Reviewed by Alex Christensen.
863
864         That's because the NodeMayOverflowInBaseline and NodeMayOverflowInDFG flags only
865         indicate potential overflowing of Int32 values.  We'll be adding overflow
866         profiling for Int52 values later, and we should disambiguate between the 2 types.
867
868         This is purely a renaming patch.  There are no semantic changes.
869
870         * dfg/DFGByteCodeParser.cpp:
871         (JSC::DFG::ByteCodeParser::makeSafe):
872         (JSC::DFG::ByteCodeParser::makeDivSafe):
873         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
874         * dfg/DFGNodeFlags.cpp:
875         (JSC::DFG::dumpNodeFlags):
876         * dfg/DFGNodeFlags.h:
877         (JSC::DFG::nodeMayOverflowInt32):
878         (JSC::DFG::nodeCanSpeculateInt32):
879         (JSC::DFG::nodeMayOverflow): Deleted.
880
881 2015-12-23  Andreas Kling  <akling@apple.com>
882
883         jsc CLI tool crashes on EOF.
884         <https://webkit.org/b/152522>
885
886         Reviewed by Benjamin Poulain.
887
888         SourceProvider should treat String() like the empty string for hashing purposes.
889         This was a subtle behavior change in r194017 due to how zero-length strings are
890         treated by StringImpl::createSubstringSharingImpl().
891
892         I made these SourceProviders store a Ref<StringImpl> internally instead of a
893         String, to codify the fact that these strings can't be null strings.
894
895         I couldn't find a way to cause this crash through the API.
896
897         * API/JSScriptRef.cpp:
898         (OpaqueJSScript::OpaqueJSScript):
899         * parser/SourceProvider.h:
900         (JSC::StringSourceProvider::StringSourceProvider):
901
902 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
903
904         FTL B3 should be able to run crypto-sha1 in eager mode
905         https://bugs.webkit.org/show_bug.cgi?id=152539
906
907         Reviewed by Saam Barati.
908
909         This patch contains one real bug fix and some other fixes that are primarily there for sanity
910         because I don't believe they are symptomatic.
911
912         The real fix is the instruction selector's handling of Phi. It was assuming that the correct
913         lowering of Phi is to do nothing and the correct lowering of Upsilon is to store into the tmp
914         that the Phi uses. But this fails for code patterns like:
915
916             @a = Phi()
917             Upsilon(@x, ^a)
918             use(@a) // this should see the value that @a had at the point that "@a = Phi()" executed.
919
920         This arises when we have a lot of Upsilons in a row and they are trying to perform a
921         shuffling. Prior to this change, "use(@a)" would see the new value of @a, i.e. @x. That's
922         wrong. So, this changes the lowering to make each Phi have a special shadow Tmp, and Upsilon
923         stores to it while Phi loads from it. Most of these assignments get copy-propagated by IRC,
924         so it doesn't really hurt us. I couldn't find any benchmarks that slowed down because of
925         this. In fact, I believe that the only time that this would lead to extra interference or
926         extra assignments is when it's actually needed to be correct.
927
928         This also contains other fixes, which are probably not for real bugs, but they make me feel
929         all warm and fuzzy:
930
931         - spillEverything() works again.  Previously, it didn't have all of IRC's smarts for handling
932           a spill of a ZDef.  I fixed this by creating a helper phase that finds all subwidth ZDefs
933           to spill slots and amends them with zero-fills of the top bits.
934
935         - IRC no longer requires precise TmpWidth analysis.  Previously, if TmpWidth gave pessimistic
936           results, the subwidth ZDef bug would return.  That probably means that it was never fixed
937           to begin with, since it's totally cool for just a single def or use of a tmp to cause it
938           to become pessimistic. But there may still have been some subwidth ZDefs.  The way that I
939           fixed this bug is to have IRC also run the ZDef fixup code that spillEverything() uses.
940           This is abstracted behind the beautifully named Air::fixSpillSlotZDef().
941
942         - B3::validate() does dominance checks!  So, if you shoot yourself in the foot by using
943           something before defining it, validate() will tell you.
944
945         - Air::TmpWidth is now easy to "turn off" - i.e. to make it go fully conservative. It's not
946           an Option; you have to hack code. But that's better than nothing, and it's consistent with
947           what we do for other super-internal compiler options that we use rarely.
948
949         - You can now run spillEverything() without hacking code.  Just use
950           Options::airSpillEverything().
951
952         * JavaScriptCore.xcodeproj/project.pbxproj:
953         * b3/B3LowerToAir.cpp:
954         (JSC::B3::Air::LowerToAir::LowerToAir):
955         (JSC::B3::Air::LowerToAir::run):
956         (JSC::B3::Air::LowerToAir::lower):
957         * b3/B3Validate.cpp:
958         * b3/air/AirCode.h:
959         (JSC::B3::Air::Code::specials):
960         (JSC::B3::Air::Code::forAllTmps):
961         (JSC::B3::Air::Code::isFastTmp):
962         * b3/air/AirFixSpillSlotZDef.h: Added.
963         (JSC::B3::Air::fixSpillSlotZDef):
964         * b3/air/AirGenerate.cpp:
965         (JSC::B3::Air::prepareForGeneration):
966         * b3/air/AirIteratedRegisterCoalescing.cpp:
967         * b3/air/AirSpillEverything.cpp:
968         (JSC::B3::Air::spillEverything):
969         * b3/air/AirTmpWidth.cpp:
970         (JSC::B3::Air::TmpWidth::recompute):
971         * jit/JITOperations.cpp:
972         * runtime/Options.h:
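
        The Phi/Upsilon lowering problem described in this entry, as an added example that is not
        JavaScriptCore's code: a toy B3-like instruction set is lowered to register moves under two
        schemes, the mistaken one (Phi is a no-op, Upsilon writes the Phi's tmp directly) and the
        shadow-tmp one (Upsilon writes a per-Phi shadow tmp, Phi copies from it). The instruction
        structs, the "shadow tmp = phi tmp + 100" convention and the swap loop are constructed for
        the example.

```cpp
// Added example, not JavaScriptCore code. Instruction forms, tmp numbering and
// the shadow-tmp convention are constructed for illustration.
#include <cstdio>
#include <map>
#include <utility>
#include <vector>

// Toy B3-like instruction: a Phi defines tmp 'dst'; an Upsilon sends 'src'
// to the Phi whose tmp is 'dst'. Tmps are small integers.
struct Inst {
    enum Kind { Phi, Upsilon } kind;
    int dst;   // Phi tmp (for an Upsilon: the Phi being fed)
    int src;   // Upsilon only
};

// Lowered Air-style move: tmps[dst] = tmps[src].
struct Move { int dst; int src; };

// Constructed convention: Phi tmp p gets shadow tmp p + 100.
static int shadowOf(int phiTmp) { return phiTmp + 100; }

// Lower one instruction. The mistaken scheme makes Phi a no-op and has the
// Upsilon store straight into the Phi's tmp; the shadow scheme routes the
// value through the shadow tmp so that Upsilons in a block cannot clobber a
// Phi value the same block still reads.
static std::vector<Move> lower(const Inst& inst, bool useShadow) {
    std::vector<Move> moves;
    if (inst.kind == Inst::Phi) {
        if (useShadow)
            moves.push_back({ inst.dst, shadowOf(inst.dst) });   // Phi loads its shadow
    } else {
        moves.push_back({ useShadow ? shadowOf(inst.dst) : inst.dst, inst.src });
    }
    return moves;
}

// Run the loop body "a = Phi(); b = Phi(); Upsilon(@b, ^a); Upsilon(@a, ^b)"
// (a two-value shuffle) for 'iterations' trips, seeded with a = 1, b = 2.
// Returns {a, b} as observed by the Phis on the last trip.
static std::pair<int, int> runSwapLoop(bool useShadow, int iterations) {
    const int A = 0, B = 1, INIT_A = 2, INIT_B = 3;
    std::map<int, int> tmps;
    tmps[INIT_A] = 1;
    tmps[INIT_B] = 2;
    std::vector<Inst> prologue = { { Inst::Upsilon, A, INIT_A }, { Inst::Upsilon, B, INIT_B } };
    std::vector<Inst> body = {
        { Inst::Phi, A, 0 }, { Inst::Phi, B, 0 },
        { Inst::Upsilon, A, B }, { Inst::Upsilon, B, A },
    };
    auto exec = [&](const std::vector<Inst>& insts) {
        for (const Inst& inst : insts)
            for (const Move& m : lower(inst, useShadow))
                tmps[m.dst] = tmps[m.src];
    };
    exec(prologue);
    std::pair<int, int> seen{ 0, 0 };
    for (int i = 0; i < iterations; ++i) {
        exec({ body[0], body[1] });          // the Phis execute
        seen = { tmps[A], tmps[B] };         // what the body observes
        exec({ body[2], body[3] });          // the Upsilons feed the next trip
    }
    return seen;
}

int main() {
    for (bool useShadow : { false, true }) {
        std::pair<int, int> r = runSwapLoop(useShadow, 2);
        std::printf("%s: after 2 trips a=%d b=%d\n",
                    useShadow ? "shadow tmps" : "direct     ", r.first, r.second);
    }
    return 0;
}
```

        After two trips the shadow scheme observes the swapped pair (2, 1); the direct scheme
        observes (2, 2) because the first Upsilon overwrote @a before the second Upsilon read it.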
973
974 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
975
976         Need a story for platform-specific Args
977         https://bugs.webkit.org/show_bug.cgi?id=152529
978
979         Reviewed by Michael Saboff.
980
981         This teaches Arg that some Arg forms are not valid on some targets. The instruction selector now
982         uses this to avoid immediates and addresses that the target wouldn't like.
983
984         This shouldn't change code generation on X86, but is meant as a step towards ARM64 support.
985
986         * b3/B3LowerToAir.cpp:
987         (JSC::B3::Air::LowerToAir::crossesInterference):
988         (JSC::B3::Air::LowerToAir::effectiveAddr):
989         (JSC::B3::Air::LowerToAir::addr):
990         (JSC::B3::Air::LowerToAir::loadPromise):
991         (JSC::B3::Air::LowerToAir::imm):
992         (JSC::B3::Air::LowerToAir::lower):
993         * b3/air/AirAllocateStack.cpp:
994         (JSC::B3::Air::allocateStack):
995         * b3/air/AirArg.h:
996         (JSC::B3::Air::Arg::Arg):
997         (JSC::B3::Air::Arg::imm):
998         (JSC::B3::Air::Arg::imm64):
999         (JSC::B3::Air::Arg::callArg):
1000         (JSC::B3::Air::Arg::isValidScale):
1001         (JSC::B3::Air::Arg::tmpIndex):
1002         (JSC::B3::Air::Arg::withOffset):
1003         (JSC::B3::Air::Arg::isValidImmForm):
1004         (JSC::B3::Air::Arg::isValidAddrForm):
1005         (JSC::B3::Air::Arg::isValidIndexForm):
1006         (JSC::B3::Air::Arg::isValidForm):
1007         (JSC::B3::Air::Arg::forEachTmpFast):
1008         * b3/air/opcode_generator.rb:
1009
1010 2015-12-23  Keith Miller  <keith_miller@apple.com>
1011
1012         [JSC] Bugfix for intrinsic getters with dictionary structures.
1013         https://bugs.webkit.org/show_bug.cgi?id=152538
1014
1015         Reviewed by Mark Lam.
1016
1017         Intrinsic getters did not check if an object was a dictionary. This meant, if a property on
1018         the prototype chain of a dictionary was an intrinsic getter we would IC it. Later, if a
1019         property is added to the dictionary the IC would still return the result of the intrinsic.
1020         The fix is to no longer IC intrinsic getters if the base object is a dictionary.
1021
1022         * jit/Repatch.cpp:
1023         (JSC::tryCacheGetByID):
1024         * tests/stress/typedarray-length-dictionary.js: Added.
1025         (len):
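
        The stale inline-cache behaviour described in this entry, as an added example that is not
        JavaScriptCore's code: a toy structure model in which ordinary objects transition to a new
        Structure id when a property is added while dictionary-mode objects mutate their Structure
        in place, plus a get-by-id cache for a prototype "length" intrinsic getter keyed on the
        Structure id. The object model, the cache and the values 8 and 42 are constructed; the
        "fixed" flag applies the rule from the entry (do not cache when the base is a dictionary).

```cpp
// Added example, not JavaScriptCore code. The structure/IC model and all
// names are constructed for illustration.
#include <cstdio>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

// A Structure describes an object's shape. Ordinary objects transition to a
// fresh Structure (new id) when a property is added; dictionary-mode objects
// mutate their Structure in place, so the id does not change.
struct Structure {
    unsigned id;
    bool isDictionary;
    std::vector<std::string> properties;
};

struct ToyObject {
    std::shared_ptr<Structure> structure;
    std::map<std::string, int> slots;
    int intrinsicLength;   // what the prototype's intrinsic "length" getter reports
};

static unsigned nextStructureId = 1;

static ToyObject makeObject(bool dictionary, int intrinsicLength) {
    auto s = std::make_shared<Structure>();
    s->id = nextStructureId++;
    s->isDictionary = dictionary;
    return ToyObject{ s, {}, intrinsicLength };
}

static void addOwnProperty(ToyObject& o, const std::string& name, int value) {
    if (o.structure->isDictionary) {
        o.structure->properties.push_back(name);               // same id, in place
    } else {
        auto s = std::make_shared<Structure>(*o.structure);     // transition: new id
        s->id = nextStructureId++;
        s->properties.push_back(name);
        o.structure = s;
    }
    o.slots[name] = value;
}

// get-by-id inline cache for "length". An entry records that, for a given
// structure id, "length" is not an own property and resolves to the
// prototype's intrinsic getter.
struct LengthIC {
    bool fixed;                        // true: never cache dictionary structures
    std::set<unsigned> intrinsicFor;   // structure ids cached as "use the intrinsic"

    int get(ToyObject& o) {
        if (intrinsicFor.count(o.structure->id))
            return o.intrinsicLength;                  // fast path, possibly stale
        // Slow path: an own property shadows the prototype getter.
        for (const std::string& p : o.structure->properties)
            if (p == "length")
                return o.slots[p];
        // Resolved to the intrinsic getter. A dictionary can gain an own
        // "length" without changing its id, so caching it would go stale.
        if (!(fixed && o.structure->isDictionary))
            intrinsicFor.insert(o.structure->id);
        return o.intrinsicLength;
    }
};

// Warm the IC on an object whose "length" comes from the intrinsic getter,
// then add a shadowing own "length" and read it again. Returns that read.
static int lengthAfterShadowing(bool fixed, bool dictionary) {
    ToyObject o = makeObject(dictionary, 8);
    LengthIC ic{ fixed, {} };
    ic.get(o);                          // caches (unless fixed && dictionary)
    addOwnProperty(o, "length", 42);    // own property should now win
    return ic.get(o);
}

int main() {
    for (bool dictionary : { false, true })
        for (bool fixed : { false, true })
            std::printf("%s object, %s IC: length = %d (expected 42)\n",
                        dictionary ? "dictionary" : "ordinary  ",
                        fixed ? "fixed" : "buggy",
                        lengthAfterShadowing(fixed, dictionary));
    return 0;
}
```

        Only the dictionary object with the unfixed cache returns the stale intrinsic value 8;
        ordinary objects are safe in both modes because the property add changed their Structure
        id and the cache simply misses.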
1026
1027 2015-12-23  Andy VanWagoner  <andy@instructure.com>
1028
1029         [INTL] Implement DateTime Format Functions
1030         https://bugs.webkit.org/show_bug.cgi?id=147606
1031
1032         Reviewed by Benjamin Poulain.
1033
1034         Initialize a UDateFormat from the generated pattern. Use udat_format()
1035         to format the value. Make sure that the UDateFormat is cleaned up when
1036         the DateTimeFormat is deconstructed.
1037
1038         * runtime/IntlDateTimeFormat.cpp:
1039         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat):
1040         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1041         (JSC::IntlDateTimeFormat::format):
1042         * runtime/IntlDateTimeFormat.h:
1043
1044 2015-12-23  Andy VanWagoner  <thetalecrafter@gmail.com>
1045
1046         [INTL] Implement String.prototype.localeCompare in ECMA-402
1047         https://bugs.webkit.org/show_bug.cgi?id=147607
1048
1049         Reviewed by Benjamin Poulain.
1050
1051         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
1052         Keep existing native implementation for use if INTL flag is disabled.
1053         For the common case where no locale or options are specified, avoid creating
1054         a new collator and just use the prototype which is initialized with the defaults.
1055
1056         * CMakeLists.txt:
1057         * DerivedSources.make:
1058         * JavaScriptCore.xcodeproj/project.pbxproj:
1059         * builtins/StringPrototype.js: Added.
1060         (localeCompare):
1061         * runtime/StringPrototype.cpp:
1062         (JSC::StringPrototype::finishCreation):
1063
1064 2015-12-23  Benjamin Poulain  <benjamin@webkit.org>
1065
1066         Fix x86_64 after r194388
1067
1068         * b3/B3LowerToAir.cpp:
1069         (JSC::B3::Air::LowerToAir::appendShift):
1070         (JSC::B3::Air::LowerToAir::lower):
1071         (JSC::B3::Air::LowerToAir::lowerX86Div):
1072
1073 2015-12-23  Benjamin Poulain  <bpoulain@apple.com>
1074
1075         [JSC] Get the JavaScriptCore framework to build on ARM64 with B3 enabled
1076         https://bugs.webkit.org/show_bug.cgi?id=152503
1077
1078         Reviewed by Filip Pizlo.
1079
1080         It is not working but it builds.
1081
1082         * assembler/ARM64Assembler.h:
1083         (JSC::ARM64Assembler::vand):
1084         (JSC::ARM64Assembler::vectorDataProcessing2Source):
1085         * assembler/MacroAssemblerARM64.h:
1086         (JSC::MacroAssemblerARM64::add32):
1087         (JSC::MacroAssemblerARM64::add64):
1088         (JSC::MacroAssemblerARM64::countLeadingZeros64):
1089         (JSC::MacroAssemblerARM64::not32):
1090         (JSC::MacroAssemblerARM64::not64):
1091         (JSC::MacroAssemblerARM64::zeroExtend16To32):
1092         (JSC::MacroAssemblerARM64::signExtend16To32):
1093         (JSC::MacroAssemblerARM64::zeroExtend8To32):
1094         (JSC::MacroAssemblerARM64::signExtend8To32):
1095         (JSC::MacroAssemblerARM64::addFloat):
1096         (JSC::MacroAssemblerARM64::ceilFloat):
1097         (JSC::MacroAssemblerARM64::branchDouble):
1098         (JSC::MacroAssemblerARM64::branchFloat):
1099         (JSC::MacroAssemblerARM64::divFloat):
1100         (JSC::MacroAssemblerARM64::moveZeroToDouble):
1101         (JSC::MacroAssemblerARM64::moveFloatTo32):
1102         (JSC::MacroAssemblerARM64::move32ToFloat):
1103         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
1104         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
1105         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
1106         (JSC::MacroAssemblerARM64::mulFloat):
1107         (JSC::MacroAssemblerARM64::andDouble):
1108         (JSC::MacroAssemblerARM64::andFloat):
1109         (JSC::MacroAssemblerARM64::sqrtFloat):
1110         (JSC::MacroAssemblerARM64::subFloat):
1111         (JSC::MacroAssemblerARM64::signExtend32ToPtr):
1112         (JSC::MacroAssemblerARM64::moveConditionally32):
1113         (JSC::MacroAssemblerARM64::moveConditionally64):
1114         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
1115         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
1116         (JSC::MacroAssemblerARM64::test32):
1117         (JSC::MacroAssemblerARM64::setCarry):
1118         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
1119         * assembler/MacroAssemblerX86.h:
1120         (JSC::MacroAssemblerX86::moveDoubleToInts):
1121         (JSC::MacroAssemblerX86::moveIntsToDouble):
1122         * assembler/MacroAssemblerX86Common.h:
1123         (JSC::MacroAssemblerX86Common::move32ToFloat):
1124         (JSC::MacroAssemblerX86Common::moveFloatTo32):
1125         (JSC::MacroAssemblerX86Common::moveInt32ToPacked): Deleted.
1126         (JSC::MacroAssemblerX86Common::movePackedToInt32): Deleted.
1127         * b3/B3LowerToAir.cpp:
1128         (JSC::B3::Air::LowerToAir::appendShift):
1129         (JSC::B3::Air::LowerToAir::lower):
1130         * b3/air/AirInstInlines.h:
1131         (JSC::B3::Air::isX86DivHelperValid):
1132         * b3/air/AirOpcode.opcodes:
1133         * jit/AssemblyHelpers.h:
1134         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
1135         (JSC::AssemblyHelpers::emitFunctionEpilogue):
1136         * jit/FPRInfo.h:
1137         (JSC::FPRInfo::toArgumentRegister):
1138
1139 2015-12-23  Andy VanWagoner  <andy@instructure.com>
1140
1141         [INTL] Implement Intl.DateTimeFormat.prototype.resolvedOptions ()
1142         https://bugs.webkit.org/show_bug.cgi?id=147603
1143
1144         Reviewed by Benjamin Poulain.
1145
1146         Implements InitializeDateTimeFormat and related abstract operations
1147         using ICU. Lazy initialization is used for DateTimeFormat.prototype.
1148         Refactor to align with Collator work.
1149
1150         * icu/unicode/udatpg.h: Added.
1151         * icu/unicode/unumsys.h: Added.
1152         * runtime/CommonIdentifiers.h:
1153         * runtime/IntlDateTimeFormat.cpp:
1154         (JSC::defaultTimeZone):
1155         (JSC::canonicalizeTimeZoneName):
1156         (JSC::localeData):
1157         (JSC::toDateTimeOptions):
1158         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
1159         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1160         (JSC::IntlDateTimeFormat::weekdayString):
1161         (JSC::IntlDateTimeFormat::eraString):
1162         (JSC::IntlDateTimeFormat::yearString):
1163         (JSC::IntlDateTimeFormat::monthString):
1164         (JSC::IntlDateTimeFormat::dayString):
1165         (JSC::IntlDateTimeFormat::hourString):
1166         (JSC::IntlDateTimeFormat::minuteString):
1167         (JSC::IntlDateTimeFormat::secondString):
1168         (JSC::IntlDateTimeFormat::timeZoneNameString):
1169         (JSC::IntlDateTimeFormat::resolvedOptions):
1170         (JSC::IntlDateTimeFormat::format):
1171         (JSC::IntlDateTimeFormatFuncFormatDateTime): Deleted.
1172         * runtime/IntlDateTimeFormat.h:
1173         * runtime/IntlDateTimeFormatConstructor.cpp:
1174         (JSC::constructIntlDateTimeFormat):
1175         (JSC::callIntlDateTimeFormat):
1176         * runtime/IntlDateTimeFormatPrototype.cpp:
1177         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1178         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1179         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1180         * runtime/IntlObject.cpp:
1181         (JSC::resolveLocale):
1182         (JSC::getNumberingSystemsForLocale):
1183         * runtime/IntlObject.h:
1184
1185 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1186
1187         REGRESSION(194382): FTL B3 no longer runs V8/encrypt
1188         https://bugs.webkit.org/show_bug.cgi?id=152519
1189
1190         Reviewed by Saam Barati.
1191
1192         A "Move Imm, Tmp" instruction should turn into "Move32 Imm, Tmp" if the Tmp is spilled to a
1193         32-bit slot. Changing where we check isTmp() achieves this. Since all of the logic is only
1194         relevant to when we spill without introducing a Tmp, and since a Move does not have a "Move Addr,
1195         Addr" form, this code ensures that the logic only happens for "Tmp, Tmp" and "Imm, Tmp".
1196
1197         * b3/air/AirIteratedRegisterCoalescing.cpp:
1198         * dfg/DFGOperations.cpp:
1199
1200 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1201
1202         FTL B3 should use the right type for comparison slow paths
1203         https://bugs.webkit.org/show_bug.cgi?id=152521
1204
1205         Reviewed by Saam Barati.
1206
1207         Fixes a small goof that was leading to B3 validation failures.
1208
1209         * ftl/FTLLowerDFGToLLVM.cpp:
1210         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
1211
1212 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1213
1214         FTL B3 should be able to run richards
1215         https://bugs.webkit.org/show_bug.cgi?id=152514
1216
1217         Reviewed by Michael Saboff.
1218
1219         This came down to a liveness bug and a register allocation bug.
1220
1221         The liveness bug was that the code that determined whether we should go around the fixpoint
1222         assumed that BitVector::quickSet() would return true if the bit changed state from false to
1223         true. That's not how it works. It returns the old value of the bit, so it will return false
1224         if the bit changed from false to true. Since there is already a lot of code that relies on
1225         this behavior, I fixed Liveness instead of changing BitVector.
1226
1227         The register allocation bug was that we weren't guarding some checks of tmp()'s with checks
1228         that the Arg isTmp().
1229
1230         The liveness took a long time to track down, and I needed to add a lot of dumping to do it.
1231         It's now possible to dump more of the liveness states, including liveAtHead. I found this
1232         extremely helpful, so I removed the code that cleared liveAtHead.
1233
1234         * b3/air/AirIteratedRegisterCoalescing.cpp:
1235         * b3/air/AirLiveness.h:
1236         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
1237         (JSC::B3::Air::AbstractLiveness::Iterable::Iterable):
1238         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::iterator):
1239         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator*):
1240         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator++):
1241         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator==):
1242         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator!=):
1243         (JSC::B3::Air::AbstractLiveness::Iterable::begin):
1244         (JSC::B3::Air::AbstractLiveness::Iterable::end):
1245         (JSC::B3::Air::AbstractLiveness::liveAtHead):
1246         (JSC::B3::Air::AbstractLiveness::liveAtTail):
1247         * b3/air/AirStackSlot.h:
1248         (WTF::printInternal):
1249         * ftl/FTLOSRExitCompiler.cpp:
1250         (JSC::FTL::compileFTLOSRExit):
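
        The liveness fixpoint bug described in this entry, as an added example that is not
        JavaScriptCore's code: a backward liveness analysis over a constructed four-block CFG with
        a bit vector whose quickSet() returns the bit's old value. The 'buggy' mode treats that
        return value as "the bit changed", which terminates the fixpoint after one pass; the
        correct mode tests "!quickSet()". Blocks are deliberately visited in index order, the
        wrong direction for a backward analysis, so that more than one pass is needed and the
        termination test matters. The CFG, variable and bit layout are constructed.

```cpp
// Added example, not JavaScriptCore code. The bit vector, CFG and block
// visiting order are constructed for illustration.
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

// Minimal bit vector. Like the behaviour the entry describes, quickSet()
// returns the bit's previous value, not whether the bit changed.
struct BitVec {
    uint64_t bits = 0;
    bool get(unsigned i) const { return (bits >> i) & 1; }
    bool quickSet(unsigned i) {
        bool old = get(i);
        bits |= uint64_t(1) << i;
        return old;
    }
};

// Constructed block: variable bitmasks for uses/defs plus successor indices.
struct Block {
    uint64_t uses;
    uint64_t defs;
    std::vector<unsigned> succs;
};

enum : unsigned { V = 0 };   // the single variable of interest, bit 0

// B0 defines v, B1 and B2 pass through, B3 uses v.
// Correct liveAtHead is therefore {}, {v}, {v}, {v}.
static std::vector<Block> makeCfg() {
    return {
        { 0, uint64_t(1) << V, { 1 } },
        { 0, 0, { 2 } },
        { 0, 0, { 3 } },
        { uint64_t(1) << V, 0, {} },
    };
}

// Backward liveness to a fixpoint. Returns liveAtHead as a bitmask per block.
static std::vector<uint64_t> computeLiveness(const std::vector<Block>& cfg, bool buggy) {
    std::vector<BitVec> liveAtHead(cfg.size());
    bool changed;
    int passes = 0;
    do {
        changed = false;
        for (size_t b = 0; b < cfg.size(); ++b) {
            // liveAtTail is the union of the successors' liveAtHead.
            uint64_t live = 0;
            for (unsigned s : cfg[b].succs)
                live |= liveAtHead[s].bits;
            // Transfer: live-in = uses | (live-out & ~defs).
            live = cfg[b].uses | (live & ~cfg[b].defs);
            for (unsigned i = 0; i < 64; ++i) {
                if (!((live >> i) & 1))
                    continue;
                bool old = liveAtHead[b].quickSet(i);
                // Buggy: assumes quickSet() reports "changed".
                // Correct: the bit changed exactly when its old value was 0.
                if (buggy ? old : !old)
                    changed = true;
            }
        }
    } while (changed && ++passes < 64);   // cap guards against a runaway loop
    std::vector<uint64_t> out;
    for (const BitVec& bv : liveAtHead)
        out.push_back(bv.bits);
    return out;
}

int main() {
    std::vector<Block> cfg = makeCfg();
    for (bool buggy : { false, true }) {
        std::vector<uint64_t> live = computeLiveness(cfg, buggy);
        std::printf("%s liveAtHead:", buggy ? "buggy  " : "correct");
        for (uint64_t m : live)
            std::printf(" %s", ((m >> V) & 1) ? "{v}" : "{}");
        std::printf("\n");
    }
    return 0;
}
```

        The buggy mode stops after the first pass, because every set in that pass is a fresh one
        and quickSet() returns false for all of them, so v is never reported live at B1 or B2;
        the correct mode keeps iterating until the information reaches B1.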
1251
1252 2015-12-22  Saam barati  <sbarati@apple.com>
1253
1254         Cloop build fix after https://bugs.webkit.org/show_bug.cgi?id=152511.
1255
1256         Unreviewed build fix.
1257
1258         * runtime/Options.cpp:
1259         (JSC::recomputeDependentOptions):
1260
1261 2015-12-22  Saam barati  <sbarati@apple.com>
1262
1263         Work around issue in bug #152510
1264         https://bugs.webkit.org/show_bug.cgi?id=152511
1265
1266         Reviewed by Filip Pizlo.
1267
1268         * runtime/Options.cpp:
1269         (JSC::recomputeDependentOptions):
1270
1271 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1272
1273         FTL B3 does not logicalNot correctly
1274         https://bugs.webkit.org/show_bug.cgi?id=152512
1275
1276         Reviewed by Saam Barati.
1277
1278         I'm working on a bug where V8/richards does not run correctly. I noticed that the codegen was
1279         doing a lot of Not32's followed by branches, which smelled like badness. To debug this, I
1280         needed B3's origins to dump as something other than a hexed pointer to a node. The node index
1281         would be better. So, I added the notion of an origin printer to Procedure.
1282
1283         The bug was easy enough to fix. This introduces Output::logicalNot(). In LLVM, it's the same
1284         as bitNot(). In B3, it's compiled to Equal(value, 0). We could have also compiled it to
1285         BitXor(value, 1), except that B3 will strength-reduce to that anyway whenever it's safe. It's
1286         sort of nice that right now, you could use logicalNot() on non-bool values and get C-like
1287         behavior.
1288
1289         Richards still doesn't run, though. There are more bugs!
1290
1291         * JavaScriptCore.xcodeproj/project.pbxproj:
1292         * b3/B3BasicBlock.cpp:
1293         (JSC::B3::BasicBlock::dump):
1294         (JSC::B3::BasicBlock::deepDump):
1295         * b3/B3BasicBlock.h:
1296         (JSC::B3::BasicBlock::frequency):
1297         (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
1298         (JSC::B3::DeepBasicBlockDump::dump):
1299         (JSC::B3::deepDump):
1300         * b3/B3LowerToAir.cpp:
1301         (JSC::B3::Air::LowerToAir::run):
1302         (JSC::B3::Air::LowerToAir::lower):
1303         * b3/B3Origin.h:
1304         (JSC::B3::Origin::data):
1305         * b3/B3OriginDump.h: Added.
1306         (JSC::B3::OriginDump::OriginDump):
1307         (JSC::B3::OriginDump::dump):
1308         * b3/B3Procedure.cpp:
1309         (JSC::B3::Procedure::~Procedure):
1310         (JSC::B3::Procedure::printOrigin):
1311         (JSC::B3::Procedure::addBlock):
1312         (JSC::B3::Procedure::dump):
1313         * b3/B3Procedure.h:
1314         (JSC::B3::Procedure::setOriginPrinter):
1315         * b3/B3Value.cpp:
1316         (JSC::B3::Value::dumpChildren):
1317         (JSC::B3::Value::deepDump):
1318         * b3/B3Value.h:
1319         (JSC::B3::DeepValueDump::DeepValueDump):
1320         (JSC::B3::DeepValueDump::dump):
1321         (JSC::B3::deepDump):
1322         * ftl/FTLB3Output.cpp:
1323         (JSC::FTL::Output::lockedStackSlot):
1324         (JSC::FTL::Output::bitNot):
1325         (JSC::FTL::Output::logicalNot):
1326         (JSC::FTL::Output::load):
1327         * ftl/FTLB3Output.h:
1328         (JSC::FTL::Output::aShr):
1329         (JSC::FTL::Output::lShr):
1330         (JSC::FTL::Output::ctlz32):
1331         (JSC::FTL::Output::addWithOverflow32):
1332         (JSC::FTL::Output::lessThanOrEqual):
1333         (JSC::FTL::Output::doubleEqual):
1334         (JSC::FTL::Output::doubleEqualOrUnordered):
1335         (JSC::FTL::Output::doubleNotEqualOrUnordered):
1336         (JSC::FTL::Output::doubleLessThan):
1337         (JSC::FTL::Output::doubleLessThanOrEqual):
1338         (JSC::FTL::Output::doubleGreaterThan):
1339         (JSC::FTL::Output::doubleGreaterThanOrEqual):
1340         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1341         (JSC::FTL::Output::doubleLessThanOrUnordered):
1342         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
1343         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
1344         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
1345         (JSC::FTL::Output::isZero32):
1346         (JSC::FTL::Output::notZero32):
1347         (JSC::FTL::Output::addIncomingToPhi):
1348         (JSC::FTL::Output::bitCast):
1349         (JSC::FTL::Output::bitNot): Deleted.
1350         * ftl/FTLLowerDFGToLLVM.cpp:
1351         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
1352         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
1353         (JSC::FTL::DFG::LowerDFGToLLVM::compileLogicalNot):
1354         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1355         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
1356         (JSC::FTL::DFG::LowerDFGToLLVM::compileCountExecution):
1357         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1358         (JSC::FTL::DFG::LowerDFGToLLVM::isMisc):
1359         (JSC::FTL::DFG::LowerDFGToLLVM::isNotBoolean):
1360         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean):
1361         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean):
1362         (JSC::FTL::DFG::LowerDFGToLLVM::isNotType):
1363         (JSC::FTL::DFG::LowerDFGToLLVM::speculateObject):
1364         * ftl/FTLOutput.h:
1365         (JSC::FTL::Output::aShr):
1366         (JSC::FTL::Output::lShr):
1367         (JSC::FTL::Output::bitNot):
1368         (JSC::FTL::Output::logicalNot):
1369         (JSC::FTL::Output::insertElement):
1370         * ftl/FTLState.cpp:
1371         (JSC::FTL::State::State):
1372
1373 2015-12-22  Keith Miller  <keith_miller@apple.com>
1374
1375         Remove OverridesHasInstance from TypeInfoFlags
1376         https://bugs.webkit.org/show_bug.cgi?id=152005
1377
1378         Reviewed by Saam Barati.
1379
1380         Currently, we have three TypeInfo flags associated with instanceof behavior,
1381         ImplementsHasInstance, ImplementDefaultHasInstance, and OverridesHasInstance. This patch
1382         removes the third and moves the first to the out of line flags. In theory, we should only
1383         need one flag but removing ImplementsHasInstance is more involved and should be done in a
1384         separate patch.
1385
1386         * API/JSCallbackConstructor.h:
1387         * API/JSCallbackObject.h:
1388         * jit/JITOpcodes.cpp:
1389         (JSC::JIT::emit_op_overrides_has_instance):
1390         * jit/JITOpcodes32_64.cpp:
1391         (JSC::JIT::emit_op_overrides_has_instance):
1392         * llint/LLIntData.cpp:
1393         (JSC::LLInt::Data::performAssertions):
1394         * llint/LowLevelInterpreter.asm:
1395         * runtime/InternalFunction.h:
1396         * runtime/JSBoundFunction.h:
1397         * runtime/JSCallee.h:
1398         * runtime/JSTypeInfo.h:
1399         (JSC::TypeInfo::implementsHasInstance):
1400         (JSC::TypeInfo::TypeInfo): Deleted.
1401         (JSC::TypeInfo::overridesHasInstance): Deleted.
1402         * runtime/NumberConstructor.h:
1403
1404 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1405
1406         FTL B3 should do tail calls
1407         https://bugs.webkit.org/show_bug.cgi?id=152494
1408
1409         Reviewed by Michael Saboff.
1410
1411         OMG this was so easy.
1412
1413         The only shady part is that I broke a layering rule that we had so far been following: B3 was
1414         sitting below the JSC runtime, and did not use JS-specific types. No more, since B3::ValueRep
1415         can now turn itself into a ValueRecovery for a JSValue. This small feature makes a huge
1416         difference for the readability of tail call code: it makes it plain that the call frame
1417         shuffler is basically just directly consuming the stackmap generation params, and insofar as
1418         there is any data transformation, it's just because it uses different classes to say the same
1419         thing.
1420
1421         I think we should avoid adding too many JS-specific things to B3. But, so long as it's still
1422         possible to use B3 to compile things that aren't JS, I think we'll be fine.
1423
1424         * b3/B3ValueRep.cpp:
1425         (JSC::B3::ValueRep::dump):
1426         (JSC::B3::ValueRep::emitRestore):
1427         (JSC::B3::ValueRep::recoveryForJSValue):
1428         * b3/B3ValueRep.h:
1429         * ftl/FTLLowerDFGToLLVM.cpp:
1430         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
1431         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1432         * test/stress/ftl-tail-call.js: Added.
1433
1434 2015-12-21  Mark Lam  <mark.lam@apple.com>
1435
1436         Snippefy op_negate for the baseline JIT.
1437         https://bugs.webkit.org/show_bug.cgi?id=152447
1438
1439         Reviewed by Benjamin Poulain.
1440
1441         * CMakeLists.txt:
1442         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1443         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1444         * JavaScriptCore.xcodeproj/project.pbxproj:
1445         * jit/JITArithmetic.cpp:
1446         (JSC::JIT::emit_op_unsigned):
1447         (JSC::JIT::emit_op_negate):
1448         (JSC::JIT::emitSlow_op_negate):
1449         (JSC::JIT::emitBitBinaryOpFastPath):
1450         * jit/JITArithmetic32_64.cpp:
1451         (JSC::JIT::emit_compareAndJump):
1452         (JSC::JIT::emit_op_negate): Deleted.
1453         (JSC::JIT::emitSlow_op_negate): Deleted.
1454         * jit/JITNegGenerator.cpp: Added.
1455         (JSC::JITNegGenerator::generateFastPath):
1456         * jit/JITNegGenerator.h: Added.
1457         (JSC::JITNegGenerator::JITNegGenerator):
1458         (JSC::JITNegGenerator::didEmitFastPath):
1459         (JSC::JITNegGenerator::endJumpList):
1460         (JSC::JITNegGenerator::slowPathJumpList):
1461
1462 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1463
1464         Address review feedback from Saam.  I should have landed it in r194354.
1465
1466         * b3/testb3.cpp:
1467         (JSC::B3::testStore16Arg):
1468
1469 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1470
1471         B3 should be able to compile Store16
1472         https://bugs.webkit.org/show_bug.cgi?id=152493
1473
1474         Reviewed by Saam Barati.
1475
1476         This adds comprehensive Store16 support to our assembler, Air, and B3->Air lowering.
1477
1478         * assembler/MacroAssemblerX86Common.h:
1479         (JSC::MacroAssemblerX86Common::store16):
1480         * assembler/X86Assembler.h:
1481         (JSC::X86Assembler::movb_rm):
1482         (JSC::X86Assembler::movw_rm):
1483         * b3/B3LowerToAir.cpp:
1484         (JSC::B3::Air::LowerToAir::lower):
1485         * b3/air/AirOpcode.opcodes:
1486         * b3/testb3.cpp:
1487         (JSC::B3::testStorePartial8BitRegisterOnX86):
1488         (JSC::B3::testStore16Arg):
1489         (JSC::B3::testStore16Imm):
1490         (JSC::B3::testTrunc):
1491         (JSC::B3::run):
1492
1493 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1494
1495         Unreviewed, remove highBitsAreZero(), it's unused.
1496
1497         * b3/B3LowerToAir.cpp:
1498         (JSC::B3::Air::LowerToAir::run):
1499         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1500         (JSC::B3::Air::LowerToAir::highBitsAreZero): Deleted.
1501
1502 2015-12-21  Csaba Osztrogonác  <ossy@webkit.org>
1503
1504         Unreviewed, fix the !FTL_USES_B3 build after r194334.
1505
1506         * ftl/FTLLowerDFGToLLVM.cpp: Mark forwarding unused variable.
1507         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1508
1509 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1510
1511         FTL B3 should do doubleToInt32
1512         https://bugs.webkit.org/show_bug.cgi?id=152484
1513
1514         Reviewed by Saam Barati.
1515
1516         We used to have a DToI32 opcode in B3 that we never implemented. This removes that opcode,
1517         since double-to-int conversion has dramatically different semantics on different
1518         architectures. We let FTL get the conversion instruction it wants by using a patchpoint.
1519
1520         * b3/B3Opcode.cpp:
1521         (WTF::printInternal):
1522         * b3/B3Opcode.h:
1523         * b3/B3Validate.cpp:
1524         * b3/B3Value.cpp:
1525         (JSC::B3::Value::effects):
1526         (JSC::B3::Value::key):
1527         (JSC::B3::Value::typeFor):
1528         * b3/B3ValueKey.cpp:
1529         (JSC::B3::ValueKey::materialize):
1530         * ftl/FTLB3Output.cpp:
1531         (JSC::FTL::Output::Output):
1532         (JSC::FTL::Output::appendTo):
1533         (JSC::FTL::Output::lockedStackSlot):
1534         (JSC::FTL::Output::load):
1535         (JSC::FTL::Output::doublePowi):
1536         (JSC::FTL::Output::hasSensibleDoubleToInt):
1537         (JSC::FTL::Output::doubleToInt):
1538         (JSC::FTL::Output::doubleToUInt):
1539         (JSC::FTL::Output::load8SignExt32):
1540         (JSC::FTL::Output::load8ZeroExt32):
1541         (JSC::FTL::Output::load16SignExt32):
1542         (JSC::FTL::Output::load16ZeroExt32):
1543         (JSC::FTL::Output::store):
1544         (JSC::FTL::Output::store32As8):
1545         (JSC::FTL::Output::store32As16):
1546         (JSC::FTL::Output::branch):
1547         * ftl/FTLB3Output.h:
1548         (JSC::FTL::Output::doubleLog):
1549         (JSC::FTL::Output::signExt32To64):
1550         (JSC::FTL::Output::zeroExt):
1551         (JSC::FTL::Output::zeroExtPtr):
1552         (JSC::FTL::Output::intToDouble):
1553         (JSC::FTL::Output::unsignedToDouble):
1554         (JSC::FTL::Output::castToInt32):
1555         (JSC::FTL::Output::hasSensibleDoubleToInt): Deleted.
1556         (JSC::FTL::Output::sensibleDoubleToInt): Deleted.
1557         (JSC::FTL::Output::fpToInt32): Deleted.
1558         (JSC::FTL::Output::fpToUInt32): Deleted.
1559         * ftl/FTLLowerDFGToLLVM.cpp:
1560         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithPow):
1561         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
1562         (JSC::FTL::DFG::LowerDFGToLLVM::compileSwitch):
1563         (JSC::FTL::DFG::LowerDFGToLLVM::doubleToInt32):
1564         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
1565         (JSC::FTL::DFG::LowerDFGToLLVM::convertDoubleToInt32):
1566         * ftl/FTLOutput.h:
1567         (JSC::FTL::Output::hasSensibleDoubleToInt):
1568         (JSC::FTL::Output::doubleToInt):
1569         (JSC::FTL::Output::doubleToUInt):
1570         (JSC::FTL::Output::signExt32To64):
1571         (JSC::FTL::Output::zeroExt):
1572
1573 2015-12-21  Skachkov Oleksandr  <gskachkov@gmail.com>
1574
1575         Unexpected exception assigning to this._property inside arrow function
1576         https://bugs.webkit.org/show_bug.cgi?id=152028
1577
1578         Reviewed by Saam Barati.
1579
1580         The issue appeared in the case where the arrow function created a base-level lexical environment; in this
1581         case the |this| value was loaded from the wrong scope. The problem was that loading of |this| happened too early when
1582         compiling bytecode because the bytecode generator's scope stack wasn't in sync with the runtime scope stack.
1583         To fix the issue, loading of |this| was moved after initializeDefaultParameterValuesAndSetupFunctionScopeStack
1584         in BytecodeGenerator.cpp.
1585
1586         * bytecompiler/BytecodeGenerator.cpp:
1587         (JSC::BytecodeGenerator::BytecodeGenerator):
1588         * tests/stress/arrowfunction-lexical-bind-this-2.js:
1589
1590 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1591
1592         FTL B3 should do vararg calls
1593         https://bugs.webkit.org/show_bug.cgi?id=152468
1594
1595         Reviewed by Benjamin Poulain.
1596
1597         This adds FTL->B3 lowering of all kinds of varargs calls - forwarding or not, tail or not,
1598         and construct or not. Like all other such lowerings, all of the code is in one place in
1599         FTLLower.
1600
1601         I removed code for varargs and exception spill slots from the B3 path, since it won't need
1602         it. The plan is to rely on B3 doing the spilling for us by using some combination of early
1603         clobber and late use.
1604
1605         This adds ValueRep::emitRestore(), a helpful method for emitting code to restore any ValueRep
1606         into any 64-bit Reg (FPR or GPR).
1607
1608         I wrote new tests for vararg calls, because I wasn't sure which of the existing ones we can
1609         run. These are short-running tests, so I'm not worried about bloating our test suite.
1610
1611         * b3/B3ValueRep.cpp:
1612         (JSC::B3::ValueRep::dump):
1613         (JSC::B3::ValueRep::emitRestore):
1614         * b3/B3ValueRep.h:
1615         * ftl/FTLLowerDFGToLLVM.cpp:
1616         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1617         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1618         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
1619         * ftl/FTLState.h:
1620         * tests/stress/varargs-no-forward.js: Added.
1621         * tests/stress/varargs-simple.js: Added.
1622         * tests/stress/varargs-two-level.js: Added.
1623
1624 2015-12-18  Mark Lam  <mark.lam@apple.com>
1625
1626         Add unary operator tests to compare JIT and LLINT results.
1627         https://bugs.webkit.org/show_bug.cgi?id=152453
1628
1629         Reviewed by Benjamin Poulain.
1630
1631         Also fixed a few things in the binary-op-test.js.
1632
1633         * tests/stress/op_negate.js: Added.
1634         (o1.valueOf):
1635         * tests/stress/op_postdec.js: Added.
1636         (o1.valueOf):
1637         * tests/stress/op_postinc.js: Added.
1638         (o1.valueOf):
1639         * tests/stress/op_predec.js: Added.
1640         (o1.valueOf):
1641         * tests/stress/op_preinc.js: Added.
1642         (o1.valueOf):
1643         * tests/stress/resources/binary-op-test.js:
1644         (stringifyIfNeeded):
1645         (isIdentical):
1646         (run):
1647         * tests/stress/resources/unary-op-test.js: Added.
1648         (stringifyIfNeeded):
1649         (generateBinaryTests):
1650         (isIdentical):
1651         (runTest):
1652         (run):
1653
1654 2015-12-21  Ryan Haddad  <ryanhaddad@apple.com>
1655
1656         Unreviewed, rolling out r194328.
1657
1658         This change appears to have caused failures in JSC tests
1659
1660         Reverted changeset:
1661
1662         "[INTL] Implement String.prototype.localeCompare in ECMA-402"
1663         https://bugs.webkit.org/show_bug.cgi?id=147607
1664         http://trac.webkit.org/changeset/194328
1665
1666 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1667
1668         B3->Air lowering incorrectly copy-propagates over ZExt32's
1669         https://bugs.webkit.org/show_bug.cgi?id=152365
1670
1671         Reviewed by Benjamin Poulain.
1672
1673         The instruction selector thinks that Value's that return Int32's are going to always be lowered
1674         to instructions that zero-extend the destination. But this isn't actually true. If you have an
1675         Add32 with a destination on the stack (i.e. spilled) then it only writes 4 bytes. Then, the
1676         filler will load 8 bytes from the stack at the point of use. So, the use of the Add32 will see
1677         garbage in the high bits.
1678
1679         The fact that the spiller chose to use 8 bytes for a Tmp that gets defined by an Add32 is a
1680         pretty sad bug, but:
1681
1682         - It's entirely up to the spiller to decide how many bytes to use for a Tmp, since we do not
1683           ascribe a type to Tmps. We could ascribe types to Tmps, but then coalescing would become
1684           harder. Our goal is to fix the bug while still enabling coalescing in cases like "a[i]" where
1685           "i" is a 32-bit integer that is computed using operations that already do zero-extension.
1686
1687         - More broadly, it's strange that the instruction selector decides whether a Value will be
1688           lowered to something that zero-extends. That's too constraining, since the most optimal
1689           instruction selection might involve something that doesn't zero-extend in cases of spilling, so
1690           the zero-extension should only happen if it's actually needed. This means that we need to
1691           understand which Air instructions cause zero-extensions.
1692
1693         - If we know which Air instructions cause zero-extensions, then we don't need the instruction
1694           selector to copy-propagate ZExt32's. We have copy-propagation in Air thanks to the register
1695           allocator.
1696
1697         In fact, the register allocator is exactly where all of the pieces come together. It's there that
1698         we want to know which operations zero-extend and which don't. It also wants to know how many bits
1699         of a Tmp each instruction reads. Armed with that information, the register allocator can emit
1700         more optimal spill code, use less stack space for spill slots, and coalesce Move32's. As a bonus,
1701         on X86, it replaces Move's with Move32's whenever it can. On X86, Move32 is cheaper.
1702
1703         This fixes a crash bug in V8/encrypt. After fixing this, I only needed two minor fixes to get
1704         V8/encrypt to run. We're about 10% behind LLVM on steady state throughput on this test. It
1705         appears to be mostly due to excessive spilling caused by CCall slow paths. That's fixable: we
1706         could make CCalls on slow paths use a variant of CCallSpecial that promises not to clobber any
1707         registers, and then have it emit spill code around the call itself. LLVM probably gets this
1708         optimization from its live range splitting.
1709
1710         I tried writing a regression test. The problem is that you need garbage on the stack for this to
1711         work, and I didn't feel like writing a flaky test. It appears that running V8/encrypt will cover
1712         this, so we do have coverage.
1713
1714         * CMakeLists.txt:
1715         * JavaScriptCore.xcodeproj/project.pbxproj:
1716         * assembler/AbstractMacroAssembler.h:
1717         (JSC::isX86):
1718         (JSC::isX86_64):
1719         (JSC::optimizeForARMv7IDIVSupported):
1720         (JSC::optimizeForX86):
1721         (JSC::optimizeForX86_64):
1722         * b3/B3LowerToAir.cpp:
1723         (JSC::B3::Air::LowerToAir::highBitsAreZero):
1724         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1725         (JSC::B3::Air::LowerToAir::lower):
1726         * b3/B3PatchpointSpecial.cpp:
1727         (JSC::B3::PatchpointSpecial::forEachArg):
1728         * b3/B3StackmapSpecial.cpp:
1729         (JSC::B3::StackmapSpecial::forEachArgImpl):
1730         * b3/B3Value.h:
1731         * b3/air/AirAllocateStack.cpp:
1732         (JSC::B3::Air::allocateStack):
1733         * b3/air/AirArg.cpp:
1734         (WTF::printInternal):
1735         * b3/air/AirArg.h:
1736         (JSC::B3::Air::Arg::pointerWidth):
1737         (JSC::B3::Air::Arg::isAnyUse):
1738         (JSC::B3::Air::Arg::isColdUse):
1739         (JSC::B3::Air::Arg::isEarlyUse):
1740         (JSC::B3::Air::Arg::isDef):
1741         (JSC::B3::Air::Arg::isZDef):
1742         (JSC::B3::Air::Arg::widthForB3Type):
1743         (JSC::B3::Air::Arg::conservativeWidth):
1744         (JSC::B3::Air::Arg::minimumWidth):
1745         (JSC::B3::Air::Arg::bytes):
1746         (JSC::B3::Air::Arg::widthForBytes):
1747         (JSC::B3::Air::Arg::Arg):
1748         (JSC::B3::Air::Arg::forEachTmp):
1749         * b3/air/AirCCallSpecial.cpp:
1750         (JSC::B3::Air::CCallSpecial::forEachArg):
1751         * b3/air/AirEliminateDeadCode.cpp:
1752         (JSC::B3::Air::eliminateDeadCode):
1753         * b3/air/AirFixPartialRegisterStalls.cpp:
1754         (JSC::B3::Air::fixPartialRegisterStalls):
1755         * b3/air/AirInst.cpp:
1756         (JSC::B3::Air::Inst::hasArgEffects):
1757         * b3/air/AirInst.h:
1758         (JSC::B3::Air::Inst::forEachTmpFast):
1759         (JSC::B3::Air::Inst::forEachTmp):
1760         * b3/air/AirInstInlines.h:
1761         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs):
1762         * b3/air/AirIteratedRegisterCoalescing.cpp:
1763         * b3/air/AirLiveness.h:
1764         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
1765         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
1766         * b3/air/AirOpcode.opcodes:
1767         * b3/air/AirSpillEverything.cpp:
1768         (JSC::B3::Air::spillEverything):
1769         * b3/air/AirTmpWidth.cpp: Added.
1770         (JSC::B3::Air::TmpWidth::TmpWidth):
1771         (JSC::B3::Air::TmpWidth::~TmpWidth):
1772         * b3/air/AirTmpWidth.h: Added.
1773         (JSC::B3::Air::TmpWidth::width):
1774         (JSC::B3::Air::TmpWidth::defWidth):
1775         (JSC::B3::Air::TmpWidth::useWidth):
1776         (JSC::B3::Air::TmpWidth::Widths::Widths):
1777         * b3/air/AirUseCounts.h:
1778         (JSC::B3::Air::UseCounts::UseCounts):
1779         * b3/air/opcode_generator.rb:
1780         * b3/testb3.cpp:
1781         (JSC::B3::testCheckMegaCombo):
1782         (JSC::B3::testCheckTrickyMegaCombo):
1783         (JSC::B3::testCheckTwoMegaCombos):
1784         (JSC::B3::run):
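
        As an added illustration of the bug described above (not B3/Air code; SpillSlot, storeLow, loadLow and the
        two spilledUse* functions are hypothetical stand-ins): an 8-byte spill slot modelled as x86-64 little-endian
        memory, an Add32 that writes only 4 bytes into it, and the difference between an 8-byte fill that drags stale
        high bytes into the use and the 4-byte zero-extending fill (Move32) that the width-aware allocator emits.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>

// Model of one 8-byte stack spill slot laid out as x86-64 memory
// (little-endian bytes). Hypothetical helper, not B3/Air code.
using SpillSlot = std::array<std::uint8_t, 8>;

// Store the low `bytes` bytes of `value` into the slot, leaving the remaining
// bytes exactly as they were: this is what a 4-byte store does to an 8-byte slot.
void storeLow(SpillSlot& slot, std::uint64_t value, std::size_t bytes)
{
    for (std::size_t i = 0; i < bytes; ++i)
        slot[i] = static_cast<std::uint8_t>(value >> (8 * i));
}

// Load the low `bytes` bytes of the slot as an unsigned integer. A 4-byte load
// therefore yields a zero-extended 32-bit value, like Move32 on x86.
std::uint64_t loadLow(const SpillSlot& slot, std::size_t bytes)
{
    std::uint64_t value = 0;
    for (std::size_t i = 0; i < bytes; ++i)
        value |= static_cast<std::uint64_t>(slot[i]) << (8 * i);
    return value;
}

// Air's Add32 with its destination Tmp spilled: a 32-bit operation writes
// only the low 4 bytes of the slot.
void add32ToSpilledTmp(SpillSlot& slot, std::uint32_t a, std::uint32_t b)
{
    storeLow(slot, static_cast<std::uint32_t>(a + b), 4);
}

// The bug: the instruction selector dropped the ZExt32, assuming an Int32 def
// always zero-extends, and the filler reloads the whole 8-byte slot. Whatever
// the slot held before (`stale`) leaks into the high 32 bits of the 64-bit use.
std::uint64_t spilledUseWithoutZExt(std::uint32_t a, std::uint32_t b, std::uint64_t stale)
{
    SpillSlot slot;
    storeLow(slot, stale, 8);      // garbage left by an earlier occupant of the slot
    add32ToSpilledTmp(slot, a, b);
    return loadLow(slot, 8);       // 8-byte fill of a Tmp defined by a 4-byte op
}

// After the fix: TmpWidth tells the register allocator the def is 32 bits wide,
// so the fill is a 4-byte, zero-extending load (Move32), and the stale high
// bytes never reach the use.
std::uint64_t spilledUseWithMove32(std::uint32_t a, std::uint32_t b, std::uint64_t stale)
{
    SpillSlot slot;
    storeLow(slot, stale, 8);
    add32ToSpilledTmp(slot, a, b);
    return loadLow(slot, 4);
}
```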
1785
1786 2015-12-21  Andy VanWagoner  <thetalecrafter@gmail.com>
1787
1788         [INTL] Implement String.prototype.localeCompare in ECMA-402
1789         https://bugs.webkit.org/show_bug.cgi?id=147607
1790
1791         Reviewed by Darin Adler.
1792
1793         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
1794         Keep existing native implementation for use if INTL flag is disabled.
1795
1796         * CMakeLists.txt:
1797         * DerivedSources.make:
1798         * JavaScriptCore.xcodeproj/project.pbxproj:
1799         * builtins/StringPrototype.js: Added.
1800         (localeCompare):
1801         * runtime/StringPrototype.cpp:
1802         (JSC::StringPrototype::finishCreation):
1803
1804 2015-12-18  Filip Pizlo  <fpizlo@apple.com>
1805
1806         Implement compareDouble in B3/Air
1807         https://bugs.webkit.org/show_bug.cgi?id=150903
1808
1809         Reviewed by Benjamin Poulain.
1810
1811         A hole in our coverage is that if we don't fuse a double comparison into a branch, then we will
1812         crash in the instruction selector. Obviously, we *really* want to fuse double comparisons,
1813         but we can't guarantee that this will always happen.
1814
1815         This also removes all uses of WTF::Dominators verification, since it's extremely slow even in
1816         a release build. This speeds up testb3 with validateGraphAtEachPhase=true by an order of
1817         magnitude.
1818
1819         * assembler/MacroAssembler.h:
1820         (JSC::MacroAssembler::moveDoubleConditionallyFloat):
1821         (JSC::MacroAssembler::compareDouble):
1822         (JSC::MacroAssembler::compareFloat):
1823         (JSC::MacroAssembler::lea):
1824         * b3/B3Dominators.h:
1825         (JSC::B3::Dominators::Dominators):
1826         * b3/B3LowerToAir.cpp:
1827         (JSC::B3::Air::LowerToAir::createCompare):
1828         (JSC::B3::Air::LowerToAir::lower):
1829         * b3/air/AirOpcode.opcodes:
1830         * b3/testb3.cpp:
1831         (JSC::B3::testCompare):
1832         (JSC::B3::testEqualDouble):
1833         (JSC::B3::simpleFunction):
1834         (JSC::B3::run):
1835         * dfg/DFGDominators.h:
1836         (JSC::DFG::Dominators::Dominators):
1837
1838 2015-12-19  Dan Bernstein  <mitz@apple.com>
1839
1840         [Mac] WebKit contains dead source code for OS X Mavericks and earlier
1841         https://bugs.webkit.org/show_bug.cgi?id=152462
1842
1843         Reviewed by Alexey Proskuryakov.
1844
1845         - Removed build setting definitions for OS X 10.9 and earlier, and simplified definitions
1846           that became uniform across all OS X versions as a result:
1847
1848         * Configurations/DebugRelease.xcconfig:
1849         * Configurations/FeatureDefines.xcconfig:
1850         * Configurations/Version.xcconfig:
1851
1852         * API/JSBase.h: Removed check against __MAC_OS_X_VERSION_MIN_REQUIRED that was always true.
1853
1854 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1855
1856         [JSC] Streamline Tmp indexing inside the register allocator
1857         https://bugs.webkit.org/show_bug.cgi?id=152420
1858
1859         Reviewed by Filip Pizlo.
1860
1861         AirIteratedRegisterCoalescing has been accumulating a bit of mess over time.
1862
1863         When it started, every map addressed by Tmp was using Tmp hashing.
1864         That caused massive performance problems. Everything perf sensitive was moved
1865         to direct array addressing by the absolute Tmp index. This left the code
1866         with half of the function using Tmp, the other half using indices.
1867
1868         With this patch, almost everything is moved to absolute indexing.
1869         There are a few advantages to this:
1870         -No more conversion churn for Floating Point registers.
1871         -Most of the functions can now be shared between GP and FP.
1872         -A bit of clean up since the core algorithm only deals with integers now.
1873
1874         This patch also changes the index type to be a template argument.
1875         That will allow future specialization of "m_interferenceEdges" based
1876         on the expected problem size.
1877
1878         Finally, the code related to the program modification (register assignment
1879         and spilling) was moved to the wrapper "IteratedRegisterCoalescing".
1880
1881         The current split is:
1882         -AbstractColoringAllocator: common core. Share as much as possible between
1883          GP and FP.
1884         -ColoringAllocator: the remaining parts of the algorithm, everything that
1885          is specific to GP, FP.
1886         -IteratedRegisterCoalescing: the "iterated" part of the algorithm.
1887          Try to allocate and modify the code as needed.
1888
1889         The long term plan is:
1890         -Move selectSpill() and the coloring loop to AbstractColoringAllocator.
1891         -Specialize m_interferenceEdges to make it faster.
1892
1893         * b3/air/AirIteratedRegisterCoalescing.cpp:
1894         * b3/air/AirTmpInlines.h:
1895         (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::lastMachineRegisterIndex):
1896         (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::lastMachineRegisterIndex):
1897
1898 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1899
1900         [JSC] FTLB3Output generates some invalid ZExt32
1901         https://bugs.webkit.org/show_bug.cgi?id=151905
1902
1903         Reviewed by Filip Pizlo.
1904
1905         FTLLowerDFGToLLVM calls zeroExt() to int32 in some cases.
1906         We were generating ZExt32 with Int32 as return type :(
1907
1908         * ftl/FTLB3Output.h:
1909         (JSC::FTL::Output::zeroExt):
1910
1911 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1912
1913         [JSC] Add EqualOrUnordered to B3
1914         https://bugs.webkit.org/show_bug.cgi?id=152425
1915
1916         Reviewed by Mark Lam.
1917
1918         Add EqualOrUnordered to B3 and use it to implement
1919         FTL::Output's NotEqualAndOrdered.
1920
1921         * b3/B3ConstDoubleValue.cpp:
1922         (JSC::B3::ConstDoubleValue::equalOrUnordered):
1923         * b3/B3ConstDoubleValue.h:
1924         * b3/B3LowerToAir.cpp:
1925         (JSC::B3::Air::LowerToAir::createGenericCompare):
1926         (JSC::B3::Air::LowerToAir::lower):
1927         * b3/B3Opcode.cpp:
1928         (WTF::printInternal):
1929         * b3/B3Opcode.h:
1930         * b3/B3ReduceDoubleToFloat.cpp:
1931         (JSC::B3::reduceDoubleToFloat):
1932         * b3/B3ReduceStrength.cpp:
1933         * b3/B3Validate.cpp:
1934         * b3/B3Value.cpp:
1935         (JSC::B3::Value::equalOrUnordered):
1936         (JSC::B3::Value::returnsBool):
1937         (JSC::B3::Value::effects):
1938         (JSC::B3::Value::key):
1939         (JSC::B3::Value::typeFor):
1940         * b3/B3Value.h:
1941         * b3/testb3.cpp:
1942         (JSC::B3::testBranchEqualOrUnorderedArgs):
1943         (JSC::B3::testBranchNotEqualAndOrderedArgs):
1944         (JSC::B3::testBranchEqualOrUnorderedDoubleArgImm):
1945         (JSC::B3::testBranchEqualOrUnorderedFloatArgImm):
1946         (JSC::B3::testBranchEqualOrUnorderedDoubleImms):
1947         (JSC::B3::testBranchEqualOrUnorderedFloatImms):
1948         (JSC::B3::testBranchEqualOrUnorderedFloatWithUselessDoubleConversion):
1949         (JSC::B3::run):
1950         * ftl/FTLB3Output.h:
1951         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1952         (JSC::FTL::Output::doubleNotEqual): Deleted.
1953         * ftl/FTLLowerDFGToLLVM.cpp:
1954         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1955         * ftl/FTLOutput.h:
1956         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1957         (JSC::FTL::Output::doubleNotEqual): Deleted.
1958
1959 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1960
1961         [JSC] B3: Add indexed addressing when lowering BitwiseCast
1962         https://bugs.webkit.org/show_bug.cgi?id=152432
1963
1964         Reviewed by Geoffrey Garen.
1965
1966         The MacroAssembler supports it, we should use it.
1967
1968         * b3/air/AirOpcode.opcodes:
1969         * b3/testb3.cpp:
1970         (JSC::B3::testBitwiseCastOnDoubleInMemoryIndexed):
1971         (JSC::B3::testBitwiseCastOnInt64InMemoryIndexed):
1972
2015-12-18  Andreas Kling  <akling@apple.com>

        Make JSString::SafeView less of a footgun.
        <https://webkit.org/b/152376>

        Reviewed by Darin Adler.

        Remove the "operator StringView()" convenience helper on JSString::SafeString since that
        made it possible to casually turn the return value from JSString::view() into an unsafe
        StringView local on the stack with this pattern:

            StringView view = someJSValue.toString(exec)->view(exec);

        The JSString* returned by toString() above will go out of scope by the end of the statement
        and does not stick around to protect itself from garbage collection.

        It will now look like this instead:

            JSString::SafeView view = someJSValue.toString(exec)->view(exec);

        To be extra clear, the following is not safe:

            StringView view = someJSValue.toString(exec)->view(exec).get();

        By the end of that statement, the JSString::SafeView goes out of scope, and the JSString*
        is no longer protected from GC.

        I added a couple of forwarding helpers to the SafeView class, and if you need a StringView
        object from it, you can call .get() just like before.

        Finally, I also removed the JSString::SafeView() constructor, since nobody was instantiating
        empty SafeView objects anyway. This way we don't have to worry about null members.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncJoin):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode):
        (JSC::globalFuncParseInt):
        (JSC::globalFuncParseFloat):
        (JSC::globalFuncEscape):
        (JSC::globalFuncUnescape):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/JSString.cpp:
        (JSC::JSString::getPrimitiveNumber):
        (JSC::JSString::toNumber):
        * runtime/JSString.h:
        (JSC::JSString::SafeView::is8Bit):
        (JSC::JSString::SafeView::length):
        (JSC::JSString::SafeView::characters8):
        (JSC::JSString::SafeView::characters16):
        (JSC::JSString::SafeView::operator[]):
        (JSC::JSString::SafeView::SafeView):
        (JSC::JSString::SafeView::get):
        (JSC::JSString::SafeView::operator StringView): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncNormalize):
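
The lifetime problem this entry describes, as an added example that is not WebKit code: `ManagedString`, `RawView`, `SafeView` and `viewOfTemporary` are stand-ins for JSString, WTF::StringView, JSString::SafeView and `toString(exec)->view(exec)`. GC liveness is modelled with shared_ptr ownership, and a weak_ptr reports whether the owner survived the statement. The "safe" and "unsafe" functions mirror the two patterns quoted above; the unsafe one never dereferences its dangling view.

```cpp
#include <cstring>
#include <memory>
#include <string>
#include <utility>

// Stand-in for JSString. In JSC the GC keeps the cell alive while something references it;
// here ownership is explicit through shared_ptr, and a weak_ptr lets us observe liveness.
struct ManagedString {
    std::string storage;
    explicit ManagedString(const char* s) : storage(s) {}
};

// Stand-in for WTF::StringView: a non-owning pointer/length pair, as unsafe as a raw pointer.
struct RawView {
    const char* characters;
    size_t length;
};

// Stand-in for JSString::SafeView: holds a strong reference to the owner and only hands out
// a RawView on an explicit get() call. There is deliberately no implicit conversion to
// RawView; that conversion operator is the footgun the change removes.
class SafeView {
public:
    explicit SafeView(std::shared_ptr<ManagedString> owner) : m_owner(std::move(owner)) {}
    RawView get() const { return RawView { m_owner->storage.data(), m_owner->storage.size() }; }
    // Forwarding helpers, like the ones the change adds to the real SafeView.
    size_t length() const { return m_owner->storage.size(); }
    char operator[](size_t i) const { return m_owner->storage[i]; }
private:
    std::shared_ptr<ManagedString> m_owner;
};

// Stand-in for someJSValue.toString(exec)->view(exec): a freshly created string that nothing
// else references, wrapped in a SafeView. `observer` lets callers check whether it survived.
SafeView viewOfTemporary(std::weak_ptr<ManagedString>& observer)
{
    std::shared_ptr<ManagedString> owner = std::make_shared<ManagedString>("hello, world");
    observer = owner;
    return SafeView(owner);
}

// Safe pattern: keep the SafeView. The owner lives as long as `view` does, so reading
// through get() afterwards is fine.
bool safePatternKeepsOwnerAlive()
{
    std::weak_ptr<ManagedString> observer;
    SafeView view = viewOfTemporary(observer);
    RawView raw = view.get();
    return !observer.expired()
        && raw.length == 12
        && std::strncmp(raw.characters, "hello, world", raw.length) == 0;
}

// Unsafe pattern: call get() on the temporary in the same statement. The SafeView dies at the
// end of the full expression, taking the only strong reference with it, so `raw` now points
// at freed memory. It is never dereferenced here; the function only reports that the owner is gone.
bool unsafePatternLeavesDanglingView()
{
    std::weak_ptr<ManagedString> observer;
    RawView raw = viewOfTemporary(observer).get();
    (void)raw; // dangling from this point on
    return observer.expired();
}

int main()
{
    return (safePatternKeepsOwnerAlive() && unsafePatternLeavesDanglingView()) ? 0 : 1;
}
```

Removing the implicit conversion is what makes the unsafe spelling visible at the call site: the reader has to write `.get()` explicitly, and a `.get()` on a temporary is easy to spot in review.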

2015-12-18  Saam barati  <sbarati@apple.com>

        BytecodeGenerator::pushLexicalScopeInternal and pushLexicalScope should use enums instead of bools
        https://bugs.webkit.org/show_bug.cgi?id=152450

        Reviewed by Geoffrey Garen and Joseph Pecoraro.

        This makes comprehending the call sites of these functions
        easier without looking up the header of the function.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::lastOpcodeID):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BlockNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitMultiLoopBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):

2015-12-18  Michael Catanzaro  <mcatanzaro@igalia.com>

        Avoid triggering clang's -Wundefined-bool-conversion
        https://bugs.webkit.org/show_bug.cgi?id=152408

        Reviewed by Mark Lam.

        Add ASSERT_THIS_GC_OBJECT_LOOKS_VALID and ASSERT_THIS_GC_OBJECT_INHERITS to avoid use of
        ASSERT(this) by ASSERT_GC_OBJECT_LOOKS_VALID and ASSERT_GC_OBJECT_INHERITS.

        * heap/GCAssertions.h:

2015-12-18  Mark Lam  <mark.lam@apple.com>

        Replace SpecialFastCase profiles with ResultProfiles.
        https://bugs.webkit.org/show_bug.cgi?id=152433

        Reviewed by Saam Barati.

        This is in preparation for upcoming work to enhance the DFG predictions to deal
        with untyped operands.

        This patch also enhances some of the arithmetic slow paths (for the LLINT and
        baseline JIT) to collect result profiling info.  This profiling info is not put
        to use yet.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpRareCaseProfile):
        (JSC::CodeBlock::dumpResultProfile):
        (JSC::CodeBlock::printLocationAndOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::CodeBlock::dumpValueProfiles):
        (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
        (JSC::CodeBlock::resultProfileForBytecodeOffset):
        (JSC::CodeBlock::updateResultProfileForBytecodeOffset):
        (JSC::CodeBlock::capabilityLevel):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::addResultProfile):
        (JSC::CodeBlock::numberOfResultProfiles):
        (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
        (JSC::CodeBlock::couldTakeSpecialFastCase):
        (JSC::CodeBlock::addSpecialFastCaseProfile): Deleted.
        (JSC::CodeBlock::numberOfSpecialFastCaseProfiles): Deleted.
        (JSC::CodeBlock::specialFastCaseProfile): Deleted.
        (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset): Deleted.
        * bytecode/ValueProfile.cpp: Added.
        (WTF::printInternal):
        * bytecode/ValueProfile.h:
        (JSC::getRareCaseProfileBytecodeOffset):
        (JSC::ResultProfile::ResultProfile):
        (JSC::ResultProfile::bytecodeOffset):
        (JSC::ResultProfile::specialFastPathCount):
        (JSC::ResultProfile::didObserveNonInt32):
        (JSC::ResultProfile::didObserveDouble):
        (JSC::ResultProfile::didObserveNonNegZeroDouble):
        (JSC::ResultProfile::didObserveNegZeroDouble):
        (JSC::ResultProfile::didObserveNonNumber):
        (JSC::ResultProfile::didObserveInt32Overflow):
        (JSC::ResultProfile::setObservedNonNegZeroDouble):
        (JSC::ResultProfile::setObservedNegZeroDouble):
        (JSC::ResultProfile::setObservedNonNumber):
        (JSC::ResultProfile::setObservedInt32Overflow):
        (JSC::ResultProfile::addressOfFlags):
        (JSC::ResultProfile::addressOfSpecialFastPathCount):
        (JSC::ResultProfile::hasBits):
        (JSC::ResultProfile::setBit):
        (JSC::getResultProfileBytecodeOffset):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):
        (JSC::JIT::emit_op_mul):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::generateFastPath):
        * jit/JITDivGenerator.h:
        (JSC::JITDivGenerator::JITDivGenerator):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITMulGenerator.h:
        (JSC::JITMulGenerator::JITMulGenerator):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
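
What a ResultProfile collects, as an added example that is not JSC's code: the accessor and setter names follow the function list above, but the bit layout, the `observeNumericResult` classification hook and the sample results are this example's own assumptions. It shows the kind of slow-path bookkeeping the entry describes: a per-bytecode record of which result shapes (negative zero, int32 overflow, other doubles, non-numbers) an arithmetic site has produced, which a later tier can use to decide how narrowly to speculate.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

class ResultProfile {
public:
    explicit ResultProfile(unsigned bytecodeOffset)
        : m_bytecodeOffset(bytecodeOffset), m_specialFastPathCount(0), m_flags(0) {}

    unsigned bytecodeOffset() const { return m_bytecodeOffset; }
    unsigned specialFastPathCount() const { return m_specialFastPathCount; }

    // Queries, named after the accessors the ChangeLog lists.
    bool didObserveNonInt32() const { return hasBits(NonNegZeroDouble | NegZeroDouble | NonNumber | Int32Overflow); }
    bool didObserveDouble() const { return hasBits(NonNegZeroDouble | NegZeroDouble); }
    bool didObserveNonNegZeroDouble() const { return hasBits(NonNegZeroDouble); }
    bool didObserveNegZeroDouble() const { return hasBits(NegZeroDouble); }
    bool didObserveNonNumber() const { return hasBits(NonNumber); }
    bool didObserveInt32Overflow() const { return hasBits(Int32Overflow); }

    void setObservedNonNegZeroDouble() { setBit(NonNegZeroDouble); }
    void setObservedNegZeroDouble() { setBit(NegZeroDouble); }
    void setObservedNonNumber() { setBit(NonNumber); }
    void setObservedInt32Overflow() { setBit(Int32Overflow); }
    void recordSpecialFastPath() { ++m_specialFastPathCount; }

    // Assumed slow-path hook: classify a numeric result. `operandsWereInt32` distinguishes
    // "int32 inputs overflowed" from "a double came in as an operand".
    void observeNumericResult(double result, bool operandsWereInt32)
    {
        if (result == 0 && std::signbit(result)) {
            setObservedNegZeroDouble(); // -0 has no int32 representation
            return;
        }
        if (isRepresentableAsInt32(result))
            return; // an int32 result is the expected fast-path case; nothing to flag
        setObservedNonNegZeroDouble();
        if (operandsWereInt32)
            setObservedInt32Overflow();
    }

    static bool isRepresentableAsInt32(double v)
    {
        if (std::isnan(v) || std::isinf(v))
            return false;
        if (v < std::numeric_limits<int32_t>::min() || v > std::numeric_limits<int32_t>::max())
            return false;
        return std::trunc(v) == v && !(v == 0 && std::signbit(v));
    }

private:
    // Bit assignment is an assumption of this example.
    enum Flag { NonNegZeroDouble = 1 << 0, NegZeroDouble = 1 << 1, NonNumber = 1 << 2, Int32Overflow = 1 << 3 };
    bool hasBits(unsigned bits) const { return (m_flags & bits) != 0; }
    void setBit(unsigned bit) { m_flags |= bit; }

    unsigned m_bytecodeOffset;
    unsigned m_specialFastPathCount;
    unsigned m_flags;
};

// Constructed sample: results the slow path of a multiply at bytecode offset 17 might see.
ResultProfile profileSampleMulResults()
{
    ResultProfile profile(17);
    profile.observeNumericResult(6.0, true);          // 2 * 3: fits int32, nothing flagged
    profile.observeNumericResult(-0.0, true);         // -1 * 0: negative zero
    profile.observeNumericResult(4294967296.0, true); // 65536 * 65536: int32 inputs overflowed
    profile.observeNumericResult(2.5, false);         // 5 * 0.5: double from a double operand
    profile.setObservedNonNumber();                   // "a" * {}: no numeric result at all
    return profile;
}

// Constructed sample: a site that only ever produced int32 results.
ResultProfile profileInt32OnlyResults()
{
    ResultProfile profile(42);
    profile.observeNumericResult(6.0, true);
    profile.observeNumericResult(-7.0, true);
    profile.recordSpecialFastPath();
    return profile;
}
```

The negative-zero case is the one worth noticing: `-0.0 == 0` is true, so a check that only compares against zero would file it as an int32 and a later tier speculating "this site only produces int32" would be wrong; the sign bit has to be tested separately, which is why it has its own flag.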

2015-12-18  Keith Miller  <keith_miller@apple.com>

        verboseDFGByteCodeParsing option should show the bytecode it is parsing.
        https://bugs.webkit.org/show_bug.cgi?id=152434

        Reviewed by Michael Saboff.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2015-12-18  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Add the missing setupArgumentsWithExecState functions after r193974
        https://bugs.webkit.org/show_bug.cgi?id=152214

        Reviewed by Mark Lam.

        Relanding r194007 after r194248.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove "local" scope type from the protocol
        https://bugs.webkit.org/show_bug.cgi?id=152409

        Reviewed by Timothy Hatcher.

        After r194251 the backend no longer sends this scope type.
        So remove it from the protocol.

        The concept of a Local Scope should be calculable by the
        frontend. In fact the way the backend used to do this could
        easily be done by the frontend. To be done in a follow-up.

        * inspector/InjectedScriptSource.js:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/protocol/Debugger.json:

2015-12-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        [INTL] Implement Collator Compare Functions
        https://bugs.webkit.org/show_bug.cgi?id=147604

        Reviewed by Darin Adler.

        This patch implements Intl.Collator.prototype.compare() according
        to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::~IntlCollator):
        (JSC::sortLocaleData):
        (JSC::searchLocaleData):
        (JSC::IntlCollator::initializeCollator):
        (JSC::IntlCollator::createCollator):
        (JSC::IntlCollator::compareStrings):
        (JSC::IntlCollator::usageString):
        (JSC::IntlCollator::sensitivityString):
        (JSC::IntlCollator::resolvedOptions):
        (JSC::IntlCollator::setBoundCompare):
        (JSC::IntlCollatorFuncCompare): Deleted.
        * runtime/IntlCollator.h:
        (JSC::IntlCollator::usage): Deleted.
        (JSC::IntlCollator::setUsage): Deleted.
        (JSC::IntlCollator::locale): Deleted.
        (JSC::IntlCollator::setLocale): Deleted.
        (JSC::IntlCollator::collation): Deleted.
        (JSC::IntlCollator::setCollation): Deleted.
        (JSC::IntlCollator::numeric): Deleted.
        (JSC::IntlCollator::setNumeric): Deleted.
        (JSC::IntlCollator::sensitivity): Deleted.
        (JSC::IntlCollator::setSensitivity): Deleted.
        (JSC::IntlCollator::ignorePunctuation): Deleted.
        (JSC::IntlCollator::setIgnorePunctuation): Deleted.
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        (JSC::sortLocaleData): Deleted.
        (JSC::searchLocaleData): Deleted.
        (JSC::initializeCollator): Deleted.
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorFuncCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):
        (JSC::convertICULocaleToBCP47LanguageTag):
        (JSC::intlStringOption):
        (JSC::resolveLocale):
        (JSC::supportedLocales):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):

2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>

        Provide a way to distinguish a nested lexical block from a function's lexical block
        https://bugs.webkit.org/show_bug.cgi?id=152361

        Reviewed by Saam Barati.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        Each of these is a specialized scope. They are not nested lexical scopes.

        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        Include an extra parameter to mark the SymbolTable as a nested lexical or not.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BlockNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitMultiLoopBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        Each of these is a case of a non-function nested lexical scope.
        So mark the SymbolTable as nested.

        * inspector/protocol/Debugger.json:
        * inspector/InjectedScriptSource.js:
        Include a new scope type.

        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeType):
        Use the new "NestedLexical" scope type for nested, non-function,
        lexical scopes. The Inspector can use this to better describe
        this scope in the frontend.

        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::isNestedLexicalScope):
        * debugger/DebuggerScope.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::isNestedLexicalScope):
        * runtime/JSScope.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::cloneScopePart):
        * runtime/SymbolTable.h:
        Access the isNestedLexicalScope bit.

2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed EFL Build Fix after r194247.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::friendlyFunctionName):
        Handle compilers that don't realize the switch handles all cases.

2015-12-17  Keith Miller  <keith_miller@apple.com>

        [ES6] Add support for Symbol.hasInstance
        https://bugs.webkit.org/show_bug.cgi?id=151839

        Reviewed by Saam Barati.

        Fixed version of r193986, r193983, and r193974.

        This patch adds support for Symbol.hasInstance; unfortunately, in order to prevent
        regressions, several new bytecodes and DFG IR nodes were necessary. Before Symbol.hasInstance,
        when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
        then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
        new ones. First the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
        a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
        needs non-default behavior for resolving the expression, i.e. the constructor has a Symbol.hasInstance that differs from the one on
        Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
        we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. instanceof_custom just
        emits a call to slow path code that computes the result.

        In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
        OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
        it into a CheckTypeInfoFlags followed by a JSConstant.

        * API/JSCallbackObject.h:
        * builtins/FunctionPrototype.js:
        (symbolHasInstance):
        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::isBranch): Deleted.
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitOverridesHasInstance):
        (JSC::BytecodeGenerator::emitInstanceOfCustom):
        (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::hasTypeInfoOperand):
        (JSC::DFG::Node::typeInfoOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_instanceof_custom):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        (JSC::JIT::emit_op_check_has_instance): Deleted.
        (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_instanceof_custom):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        (JSC::JIT::emit_op_check_has_instance): Deleted.
        (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonIdentifiers.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInstanceofSourceAppender):
        (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
        (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
        (JSC::createInvalidInstanceofParameterErrorNotFunction):
        (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
        (JSC::createInvalidInstanceofParameterError): Deleted.
        * runtime/ExceptionHelpers.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/FunctionPrototype.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::isBoundFunction):
        (JSC::hasInstanceBoundFunction):
        * runtime/JSBoundFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):
        (JSC::objectPrivateFuncInstanceOf):
        * runtime/JSObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::overridesHasInstance):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase<Unknown>::slot):
        * tests/es6.yaml:
        * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
        (Constructor):
        (value):
        (instanceOf):
        (body):
        * tests/stress/symbol-hasInstance.js: Added.
        (Constructor):
        (value):
        (ObjectClass.Symbol.hasInstance):
        (NumberClass.Symbol.hasInstance):
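
The decision the entry assigns to overrides_has_instance and instanceof_custom, as an added example that is not JSC's code: `JSObjectModel`, its hook signature and the `isBoundOrCApiFunction` flag are this example's assumptions; the rule itself (the constructor takes the custom path when its Symbol.hasInstance differs from the default one on Function.prototype or when it is a bound/C-API function, and the ordinary prototype-chain walk otherwise) follows the text above. A non-callable RHS, which the real engine reports as a TypeError, is modelled as a plain `false`.

```cpp
struct JSObjectModel;
typedef bool (*HasInstanceHook)(const JSObjectModel& constructor, const JSObjectModel& value);

// Minimal object model for the instanceof decision; the field layout is this example's assumption.
struct JSObjectModel {
    const JSObjectModel* proto;             // the [[Prototype]] link instanceof walks
    const JSObjectModel* prototypeProperty; // the constructor's own "prototype" property
    HasInstanceHook hasInstance;            // constructor[Symbol.hasInstance]; null if not callable
    bool isBoundOrCApiFunction;             // bound / C-API functions always take the custom path

    JSObjectModel()
        : proto(nullptr), prototypeProperty(nullptr), hasInstance(nullptr), isBoundOrCApiFunction(false) {}
};

// Stand-in for Function.prototype[Symbol.hasInstance], i.e. OrdinaryHasInstance: walk the chain.
bool defaultHasInstance(const JSObjectModel& constructor, const JSObjectModel& value)
{
    for (const JSObjectModel* p = value.proto; p; p = p->proto) {
        if (p == constructor.prototypeProperty)
            return true;
    }
    return false;
}

// Model of what overrides_has_instance now answers: does this constructor need the
// non-default resolution? Either its hook differs from the default one, or it is a
// bound/C-API function.
bool overridesHasInstance(const JSObjectModel& constructor)
{
    return constructor.hasInstance != &defaultHasInstance || constructor.isBoundOrCApiFunction;
}

enum InstanceOfPath { DefaultPath, CustomPath };

// Model of the instanceof expression: the ordinary check, or the instanceof_custom slow path
// that calls through to the constructor's hook.
bool instanceOf(const JSObjectModel& value, const JSObjectModel& constructor, InstanceOfPath& pathTaken)
{
    if (!constructor.hasInstance)
        return false; // non-callable RHS: a TypeError in the real engine, modelled as false here
    if (overridesHasInstance(constructor)) {
        pathTaken = CustomPath;
        return constructor.hasInstance(constructor, value);
    }
    pathTaken = DefaultPath;
    return defaultHasInstance(constructor, value);
}

// Constructed custom hook: claims every object whose prototype chain is empty.
bool acceptsProtolessObjects(const JSObjectModel&, const JSObjectModel& value)
{
    return value.proto == nullptr;
}

// A plain class: default hook, so instanceof stays on the ordinary path.
bool plainClassTakesDefaultPath()
{
    JSObjectModel proto, ctor, instance, stranger;
    ctor.prototypeProperty = &proto;
    ctor.hasInstance = &defaultHasInstance;
    instance.proto = &proto;
    InstanceOfPath path = DefaultPath;
    bool hit = instanceOf(instance, ctor, path) && path == DefaultPath;
    bool miss = !instanceOf(stranger, ctor, path) && path == DefaultPath;
    return hit && miss;
}

// A class with its own Symbol.hasInstance: the custom slow path decides, not the chain walk.
bool customHookTakesCustomPath()
{
    JSObjectModel proto, ctor, protoless, chained;
    ctor.prototypeProperty = &proto;
    ctor.hasInstance = &acceptsProtolessObjects;
    chained.proto = &proto; // would match on the ordinary path, but the hook rejects it
    InstanceOfPath path = DefaultPath;
    bool accepted = instanceOf(protoless, ctor, path) && path == CustomPath;
    bool rejected = !instanceOf(chained, ctor, path) && path == CustomPath;
    return accepted && rejected;
}

// A bound function keeps the default hook but is still routed through the custom path.
bool boundFunctionTakesCustomPath()
{
    JSObjectModel proto, bound, instance;
    bound.prototypeProperty = &proto;
    bound.hasInstance = &defaultHasInstance;
    bound.isBoundOrCApiFunction = true;
    instance.proto = &proto;
    InstanceOfPath path = DefaultPath;
    return instanceOf(instance, bound, path) && path == CustomPath;
}
```

The point of splitting the decision out is visible in `customHookTakesCustomPath`: once a constructor overrides Symbol.hasInstance, the result of `instanceof` is whatever that hook says, so any code that treats `x instanceof C` as proof that `x` was produced by `C` has to know which path was taken.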

2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve names in Debugger Call Stack section when paused
        https://bugs.webkit.org/show_bug.cgi?id=152398

        Reviewed by Brian Burg.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        Provide a better name from the underlying CallFrame.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.CallFrameProxy):
        Just call functionName; it will provide a better-than-nothing
        function name.

        * runtime/JSFunction.cpp:
        (JSC::getCalculatedDisplayName):
        Use emptyString().

        * interpreter/CallFrame.h:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::friendlyFunctionName):
        This is the third similar implementation of this,
        but all other cases use other "StackFrame" objects.
        Use the expected names for program code.

2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add JSContext Script Profiling
        https://bugs.webkit.org/show_bug.cgi?id=151899

        Reviewed by Brian Burg.

        Extend JSC::Debugger to include a profiling client interface
        that the Inspector can implement to be told about script execution
        entry and exit points. Add new profiledCall/Evaluate/Construct
        methods that are entry points that will notify the profiling
        client if it exists.

        By putting the profiling client on Debugger it avoids having
        special code paths for a JSGlobalObject being JSContext inspected
        or a JSGlobalObject in a Page being Web inspected. In either case
        the JSGlobalObject can go through its debugger() which always
        reaches the correct inspector instance.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Handle new files.

        * runtime/CallData.cpp:
        (JSC::profiledCall):
        * runtime/CallData.h:
        * runtime/Completion.cpp:
        (JSC::profiledEvaluate):
        * runtime/Completion.h:
        (JSC::profiledEvaluate):
        * runtime/ConstructData.cpp:
        (JSC::profiledConstruct):
        * runtime/ConstructData.h:
        (JSC::profiledConstruct):
        Create profiled versions of interpreter entry points. If a profiler client is
        available, this will automatically inform it of entry/exit. Include a reason
        why this is being profiled. Currently all reasons in JavaScriptCore are enumerated
        (API, Microtask) and Other is to be used by WebCore or future clients.

        * debugger/ScriptProfilingScope.h: Added.
        (JSC::ScriptProfilingScope::ScriptProfilingScope):
        (JSC::ScriptProfilingScope::~ScriptProfilingScope):
        (JSC::ScriptProfilingScope::shouldStartProfile):
        (JSC::ScriptProfilingScope::shouldEndProfile):
        At profiled entry points inform the profiling client if needed.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        * API/JSObjectRef.cpp:
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        Use the profiled functions for API and Microtask execution entry points.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::hasProfiler):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hasProfiler):
        Extend hasProfiler to also check the new Debugger script profiler.

        * debugger/Debugger.cpp:
        (JSC::Debugger::setProfilingClient):
        (JSC::Debugger::willEvaluateScript):
        (JSC::Debugger::didEvaluateScript):
        * debugger/Debugger.h:
        Pass through to the profiling client.

        * inspector/protocol/ScriptProfiler.json: Added.
        * inspector/agents/InspectorScriptProfilerAgent.cpp: Added.
        (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
        (Inspector::InspectorScriptProfilerAgent::~InspectorScriptProfilerAgent):
        (Inspector::InspectorScriptProfilerAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorScriptProfilerAgent::startTracking):
        (Inspector::InspectorScriptProfilerAgent::stopTracking):
        (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
        (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
        (Inspector::toProtocol):
        (Inspector::InspectorScriptProfilerAgent::addEvent):
        (Inspector::buildAggregateCallInfoInspectorObject):
        (Inspector::buildInspectorObject):
        (Inspector::buildProfileInspectorObject):
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        * inspector/agents/InspectorScriptProfilerAgent.h: Added.
        New ScriptProfiler domain to just turn on / off script profiling.
        It introduces a start/update/complete event model which we want
        to include in new domains.

        * inspector/InspectorEnvironment.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
        Simplify this now that we want it to be the same for all clients.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Create the new agent.

        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::Array::addItem):
        Allow pushing a double onto a Protocol::Array.
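
The entry-point hookup this entry describes, as an added example that is not JSC's code: `ProfilingClient`, `Debugger`, `ScriptProfilingScope` and `profiledEvaluate` are stand-ins for the Debugger profiling client interface, the pass-through methods, the RAII scope and the profiled entry points named above. The three reasons come from the text; the rule that only the outermost entry of a nested evaluation is reported, and that nothing is reported without an attached client, is this example's assumption about what shouldStartProfile/shouldEndProfile decide.

```cpp
#include <string>
#include <vector>

// The three reasons the entry enumerates for why an evaluation is being profiled.
enum class ProfilingReason { API, Microtask, Other };

// What the Inspector agent implements (stand-in for the Debugger's profiling client interface).
struct ProfilingClient {
    virtual ~ProfilingClient() {}
    virtual void willEvaluateScript(ProfilingReason) = 0;
    virtual void didEvaluateScript(ProfilingReason) = 0;
};

// Stand-in for JSC::Debugger: at most one profiling client, plus a flag recording that a
// profiled evaluation is in progress.
class Debugger {
public:
    Debugger() : m_client(nullptr), m_profiling(false) {}
    void setProfilingClient(ProfilingClient* client) { m_client = client; }
    bool hasProfilingClient() const { return m_client != nullptr; }
    bool isProfilingScript() const { return m_profiling; }
    // Pass-throughs to the client, as the entry describes.
    void willEvaluateScript(ProfilingReason reason)
    {
        m_profiling = true;
        if (m_client)
            m_client->willEvaluateScript(reason);
    }
    void didEvaluateScript(ProfilingReason reason)
    {
        if (m_client)
            m_client->didEvaluateScript(reason);
        m_profiling = false;
    }
private:
    ProfilingClient* m_client;
    bool m_profiling;
};

// Stand-in for ScriptProfilingScope: an RAII guard placed at each profiled entry point.
class ScriptProfilingScope {
public:
    ScriptProfilingScope(Debugger* debugger, ProfilingReason reason)
        : m_debugger(debugger), m_reason(reason), m_started(shouldStartProfile())
    {
        if (m_started)
            m_debugger->willEvaluateScript(m_reason);
    }
    ~ScriptProfilingScope()
    {
        if (shouldEndProfile())
            m_debugger->didEvaluateScript(m_reason);
    }
private:
    // Assumption of this example: only the outermost entry of a nested evaluation is reported,
    // and nothing is reported unless a client is attached.
    bool shouldStartProfile() const
    {
        return m_debugger && m_debugger->hasProfilingClient() && !m_debugger->isProfilingScript();
    }
    bool shouldEndProfile() const { return m_started; }

    Debugger* m_debugger;
    ProfilingReason m_reason;
    bool m_started;
};

// A client that records what it was told, so the behaviour can be inspected.
struct RecordingClient : ProfilingClient {
    std::vector<std::string> events;
    void willEvaluateScript(ProfilingReason) override { events.push_back("will"); }
    void didEvaluateScript(ProfilingReason) override { events.push_back("did"); }
};

// Stand-in for profiledEvaluate/profiledCall: the scope wraps the real entry point.
// `depth` simulates script that re-enters the engine (for instance an API call from a callback).
int profiledEvaluate(Debugger* debugger, ProfilingReason reason, int depth)
{
    ScriptProfilingScope scope(debugger, reason);
    if (depth > 0)
        return 1 + profiledEvaluate(debugger, ProfilingReason::API, depth - 1);
    return 0;
}

// Runs one (possibly nested) evaluation and returns the client's event log, comma separated.
std::string eventLogForNestedEvaluation(int depth)
{
    Debugger debugger;
    RecordingClient client;
    debugger.setProfilingClient(&client);
    profiledEvaluate(&debugger, ProfilingReason::Microtask, depth);
    std::string log;
    for (size_t i = 0; i < client.events.size(); ++i)
        log += (i ? "," : "") + client.events[i];
    return log;
}
```

Putting the start/end decision in a scope object rather than at each call site is what keeps entry and exit balanced even when the evaluation throws: the destructor runs on every path out of the entry point, so the client never sees a `will` without its `did`.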

2015-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
        https://bugs.webkit.org/show_bug.cgi?id=152227

        Reviewed by Saam Barati.

        This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
        We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
        The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.

        Instead of extending NewFunction / PhantomNewFunction, we just added new DFG nodes, NewGeneratorFunction and PhantomNewGeneratorFunction.
        This is because NewGeneratorFunction will generate an object that has different class info from JSFunction (And if JSGeneratorFunction is extended, its size will become different from JSFunction).
        So, rather than extending NewFunction with a generator flag, just adding new DFG nodes seems cleaner.

        Object allocation sinking phase will change NewGeneratorFunction to PhantomNewGeneratorFunction and defer or eliminate its actual materialization.
        It is completely the same as NewFunction and PhantomNewFunction.
        And when OSR exit occurs, we need to execute deferred NewGeneratorFunction since Baseline JIT does not consider it.
        So in FTL operation, we should create JSGeneratorFunction if we see PhantomNewGeneratorFunction materialization.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantomNewFunction):
        (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::isFunctionAllocation):
        (JSC::DFG::Node::isPhantomFunctionAllocation):
        (JSC::DFG::Node::isPhantomAllocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        (JSC::DFG::Validate::validateSSA):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationMaterializeObjectInOSR):
        * tests/stress/generator-function-create-optimized.js: Added.
        (shouldBe):
        (g):
        (test.return.gen):
        (test):
        (test2.gen):
        (test2):
        * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (call):
        (f):
        (sink):
        * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (f):
        (sink):
        * tests/stress/generator-function-declaration-sinking-put.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (f):
        (sink):
        * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (call):
        (f):
        (sink):
        * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (sink):
        * tests/stress/generator-function-expression-sinking-put.js: Added.
2709         (shouldBe):
2710         (GeneratorFunctionPrototype):
2711         (g):
2712         (sink):
2713
2714 2015-12-16  Michael Saboff  <msaboff@apple.com>
2715
2716         ARM64 MacroAssembler improperly reuses data temp register in test32() and test8() calls
2717         https://bugs.webkit.org/show_bug.cgi?id=152370
2718
2719         Reviewed by Benjamin Poulain.
2720
2721         Changed the test8/32(Address, Register) flavors to use the memoryTempRegister for loading the value
2722         at Address so that it doesn't collide with the subsequent use of dataTempRegister by the
2723         test32(Register, Register) function.
2724
2725         * assembler/MacroAssemblerARM64.h:
2726         (JSC::MacroAssemblerARM64::test32):
2727         (JSC::MacroAssemblerARM64::test8):
2728
2729 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
2730
2731         FTL B3 should support switches
2732         https://bugs.webkit.org/show_bug.cgi?id=152360
2733
2734         Reviewed by Geoffrey Garen.
2735
2736         I implemented this because I was hoping it would let us run V8/crypto, but instead it just led
2737         me to file a fun bug: https://bugs.webkit.org/show_bug.cgi?id=152365.
2738
2739         * ftl/FTLB3Output.h:
2740         (JSC::FTL::Output::check):
2741         (JSC::FTL::Output::switchInstruction):
2742         (JSC::FTL::Output::ret):
2743         * ftl/FTLLowerDFGToLLVM.cpp:
2744         (JSC::FTL::DFG::ftlUnreachable):
2745         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
2746
2747 2015-12-16  Alex Christensen  <achristensen@webkit.org>
2748
2749         Fix internal Windows build
2750         https://bugs.webkit.org/show_bug.cgi?id=152364
2751
2752         Reviewed by Tim Horton.
2753
2754         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2755
2756 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
2757
2758         Improve JSObject::put performance
2759         https://bugs.webkit.org/show_bug.cgi?id=152347
2760
2761         Reviewed by Geoffrey Garen.
2762
2763         This adds a new benchmark called dynbench, which just uses the C++ API to create, modify, and
2764         query objects. This also adds some optimizations to make the JSObject::put code faster by making
2765         it inlinable in places that really need the performance, like JITOperations and LLIntSlowPaths.
2766         Inlining it is optional because the put() method is large. If you want it inlined, call
2767         putInline(). There's a putInline() variant of both JSObject::put() and JSValue::put().
2768
2769         This is up to a 20% improvement for JSObject::put calls that get inlined all the way (like from
2770         JITOperations and the new benchmark) and it's also a speed-up, albeit a smaller one, for
2771         JSObject::put calls that don't get inlined (i.e. those from the DOM and the JSC C++ library code).
2772         Specific speed-ups are as follows. Note that "dynamic context" means that we told PutPropertySlot
2773         that we're not a static put_by_id, which turns off some type inference.
2774
2775         Get By Id: 2% faster
2776         Put By Id Replace: 23% faster
2777         Put By Id Transition + object allocation: 11% faster
2778         Get By Id w/ dynamic context: 5% faster
2779         Put By Id Replace w/ dynamic context: 25% faster
2780         Put By Id Transition + object allocation w/ dynamic context: 10% faster
2781
2782         * JavaScriptCore.xcodeproj/project.pbxproj:
2783         * dynbench.cpp: Added.
2784         (JSC::benchmarkImpl):
2785         (main):
2786         * jit/CallFrameShuffler32_64.cpp:
2787         * jit/CallFrameShuffler64.cpp:
2788         * jit/JITOperations.cpp:
2789         * llint/LLIntSlowPaths.cpp:
2790         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2791         * runtime/ClassInfo.h:
2792         (JSC::ClassInfo::hasStaticProperties):
2793         * runtime/ConsoleClient.cpp:
2794         * runtime/CustomGetterSetter.h:
2795         * runtime/ErrorInstance.cpp:
2796         (JSC::ErrorInstance::finishCreation):
2797         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
2798         * runtime/GetterSetter.h:
2799         (JSC::asGetterSetter):
2800         * runtime/JSCInlines.h:
2801         * runtime/JSCJSValue.h:
2802         * runtime/JSCJSValueInlines.h:
2803         (JSC::JSValue::put):
2804         (JSC::JSValue::putInternal):
2805         (JSC::JSValue::putByIndex):
2806         * runtime/JSObject.cpp:
2807         (JSC::JSObject::put):
2808         (JSC::JSObject::putByIndex):
2809         * runtime/JSObject.h:
2810         (JSC::JSObject::getVectorLength):
2811         (JSC::JSObject::inlineGetOwnPropertySlot):
2812         (JSC::JSObject::get):
2813         (JSC::JSObject::putDirectInternal):
2814
2815 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
2816
2817         Work around a bug in LLVM by flipping the unification order
2818         https://bugs.webkit.org/show_bug.cgi?id=152341
2819         rdar://problem/23920749
2820
2821         Reviewed by Mark Lam.
2822
2823         * dfg/DFGUnificationPhase.cpp:
2824         (JSC::DFG::UnificationPhase::run):
2825
2826 2015-12-16  Saam barati  <sbarati@apple.com>
2827
2828         Add "explicit operator bool" to ScratchRegisterAllocator::PreservedState
2829         https://bugs.webkit.org/show_bug.cgi?id=152337
2830
2831         Reviewed by Mark Lam.
2832
2833         If we have a default constructor, we should also have a way
2834         to tell if a PreservedState is invalid.
2835
2836         * jit/ScratchRegisterAllocator.cpp:
2837         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2838         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2839         * jit/ScratchRegisterAllocator.h:
2840         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
2841         (JSC::ScratchRegisterAllocator::PreservedState::operator bool):
2842
2843 2015-12-16  Caitlin Potter  <caitp@igalia.com>
2844
2845         [JSC] fix error message for eval/arguments CoverInitializedName in strict code
2846         https://bugs.webkit.org/show_bug.cgi?id=152304
2847
2848         Reviewed by Darin Adler.
2849
2850         Because the error was originally classified as indicating a Pattern, the
2851         error in AssignmentPattern parsing causes the reported message to revert to
2852         the original Expression error message, which in this case is incorrect.
2853
2854         This change modifies the implementation of the strict code
2855         error slightly, and reclassifies the error to prevent the message revert,
2856         which improves the clarity of the message overall.
2857
2858         * parser/Parser.cpp:
2859         (JSC::Parser<LexerType>::parseAssignmentElement):
2860         (JSC::Parser<LexerType>::parseDestructuringPattern):
2861         * parser/Parser.h:
2862         (JSC::Parser::ExpressionErrorClassifier::reclassifyExpressionError):
2863         (JSC::Parser::reclassifyExpressionError):
2864         * tests/stress/destructuring-assignment-syntax.js:
2865
2866 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
2867
2868         Builtin source should be minified more
2869         https://bugs.webkit.org/show_bug.cgi?id=152290
2870
2871         Reviewed by Darin Adler.
2872
2873         * Scripts/builtins/builtins_model.py:
2874         (BuiltinFunction.fromString):
2875         Remove primarily empty lines that would just introduce clutter.
2876         We only do the minification in non-Debug configurations, which
2877         is determined by the CONFIGURATION environment variable. You can
2878         see how tests would generate differently, like so:
2879         shell> CONFIGURATION=Release ./Tools/Scripts/run-builtins-generator-tests
2880
2881 2015-12-16  Commit Queue  <commit-queue@webkit.org>
2882
2883         Unreviewed, rolling out r194135.
2884         https://bugs.webkit.org/show_bug.cgi?id=152333
2885
2886         due to missing OSR exit materialization support in FTL
2887         (Requested by yusukesuzuki on #webkit).
2888
2889         Reverted changeset:
2890
2891         "[ES6] Handle new_generator_func / new_generator_func_exp in
2892         DFG / FTL"
2893         https://bugs.webkit.org/show_bug.cgi?id=152227
2894         http://trac.webkit.org/changeset/194135
2895
2896 2015-12-16  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2897
2898         [Fetch API] Add fetch API compile time flag
2899         https://bugs.webkit.org/show_bug.cgi?id=152254
2900
2901         Reviewed by Darin Adler.
2902
2903         * Configurations/FeatureDefines.xcconfig:
2904
2905 2015-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2906
2907         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
2908         https://bugs.webkit.org/show_bug.cgi?id=152227
2909
2910         Reviewed by Saam Barati.
2911
2912         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
2913         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
2914         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
2915
2916         * dfg/DFGAbstractInterpreterInlines.h:
2917         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2918         * dfg/DFGByteCodeParser.cpp:
2919         (JSC::DFG::ByteCodeParser::parseBlock):
2920         * dfg/DFGCapabilities.cpp:
2921         (JSC::DFG::capabilityLevel):
2922         * dfg/DFGClobberize.h:
2923         (JSC::DFG::clobberize):
2924         * dfg/DFGClobbersExitState.cpp:
2925         (JSC::DFG::clobbersExitState):
2926         * dfg/DFGDoesGC.cpp:
2927         (JSC::DFG::doesGC):
2928         * dfg/DFGFixupPhase.cpp:
2929         (JSC::DFG::FixupPhase::fixupNode):
2930         * dfg/DFGMayExit.cpp:
2931         (JSC::DFG::mayExit):
2932         * dfg/DFGNode.h:
2933         (JSC::DFG::Node::convertToPhantomNewFunction):
2934         (JSC::DFG::Node::hasCellOperand):
2935         (JSC::DFG::Node::isFunctionAllocation):
2936         * dfg/DFGNodeType.h:
2937         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2938         * dfg/DFGPredictionPropagationPhase.cpp:
2939         (JSC::DFG::PredictionPropagationPhase::propagate):
2940         * dfg/DFGSafeToExecute.h:
2941         (JSC::DFG::safeToExecute):
2942         * dfg/DFGSpeculativeJIT.cpp:
2943         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2944         * dfg/DFGSpeculativeJIT32_64.cpp:
2945         (JSC::DFG::SpeculativeJIT::compile):
2946         * dfg/DFGSpeculativeJIT64.cpp:
2947         (JSC::DFG::SpeculativeJIT::compile):
2948         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2949         * dfg/DFGStructureRegistrationPhase.cpp:
2950         (JSC::DFG::StructureRegistrationPhase::run):
2951         * ftl/FTLCapabilities.cpp:
2952         (JSC::FTL::canCompile):
2953         * ftl/FTLLowerDFGToLLVM.cpp:
2954         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2955         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2956         * tests/stress/generator-function-create-optimized.js: Added.
2957         (shouldBe):
2958         (g):
2959         (test.return.gen):
2960         (test):
2961         (test2.gen):
2962         (test2):
2963         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
2964         (shouldBe):
2965         (GeneratorFunctionPrototype):
2966         (call):
2967         (f):
2968         (sink):
2969         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
2970         (shouldBe):
2971         (GeneratorFunctionPrototype):
2972         (g):
2973         (f):
2974         (sink):
2975         * tests/stress/generator-function-declaration-sinking-put.js: Added.
2976         (shouldBe):
2977         (GeneratorFunctionPrototype):
2978         (g):
2979         (f):
2980         (sink):
2981         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
2982         (shouldBe):
2983         (GeneratorFunctionPrototype):
2984         (call):
2985         (f):
2986         (sink):
2987         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
2988         (shouldBe):
2989         (GeneratorFunctionPrototype):
2990         (g):
2991         (sink):
2992         * tests/stress/generator-function-expression-sinking-put.js: Added.
2993         (shouldBe):
2994         (GeneratorFunctionPrototype):
2995         (g):
2996         (sink):
2997
2998 2015-12-15  Mark Lam  <mark.lam@apple.com>
2999
3000         Gardening: fix broken 32-bit JSC tests.  Just need to assign a scratch register.
3001         https://bugs.webkit.org/show_bug.cgi?id=152191
3002
3003         Not reviewed.
3004
3005         * jit/JITArithmetic.cpp:
3006         (JSC::JIT::emitBitBinaryOpFastPath):
3007
3008 2015-12-15  Mark Lam  <mark.lam@apple.com>
3009
3010         Introducing ScratchRegisterAllocator::PreservedState.
3011         https://bugs.webkit.org/show_bug.cgi?id=152315
3012
3013         Reviewed by Geoffrey Garen.
3014
3015         restoreReusedRegistersByPopping() should always be called with 2 values that
3016         match the expectation of preserveReusedRegistersByPushing().  Those 2 values
3017         are the number of bytes preserved and the ExtraStackSpace requirement.  By
3018         encapsulating them in a ScratchRegisterAllocator::PreservedState, we can make
3019         it less error prone when calling restoreReusedRegistersByPopping().  Now, we only
3020         need to pass it the appropriate PreservedState that its matching
3021         preserveReusedRegistersByPushing() returned.
3022
3023         * bytecode/PolymorphicAccess.cpp:
3024         (JSC::AccessGenerationState::restoreScratch):
3025         (JSC::AccessCase::generate):
3026         (JSC::PolymorphicAccess::regenerate):
3027         * bytecode/PolymorphicAccess.h:
3028         (JSC::AccessGenerationState::AccessGenerationState):
3029         * ftl/FTLCompileBinaryOp.cpp:
3030         (JSC::FTL::generateBinaryBitOpFastPath):
3031         (JSC::FTL::generateRightShiftFastPath):
3032         (JSC::FTL::generateBinaryArithOpFastPath):
3033         * ftl/FTLLazySlowPath.cpp:
3034         (JSC::FTL::LazySlowPath::generate):
3035         * ftl/FTLLowerDFGToLLVM.cpp:
3036         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
3037         * jit/ScratchRegisterAllocator.cpp:
3038         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
3039         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
3040         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3041         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3042         * jit/ScratchRegisterAllocator.h:
3043         (JSC::ScratchRegisterAllocator::usedRegisters):
3044         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
3045
3046 2015-12-15  Mark Lam  <mark.lam@apple.com>
3047
3048         Polymorphic operand types for DFG and FTL bit operators.
3049         https://bugs.webkit.org/show_bug.cgi?id=152191
3050
3051         Reviewed by Saam Barati.
3052
3053         * bytecode/SpeculatedType.h:
3054         (JSC::isUntypedSpeculationForBitOps):
3055         * dfg/DFGAbstractInterpreterInlines.h:
3056         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3057         * dfg/DFGNode.h:
3058         (JSC::DFG::Node::shouldSpeculateUntypedForBitOps):
3059         - Added a check for types not supported by ValueToInt32, which therefore should be
3060           treated as untyped for bitops.
3061
3062         * dfg/DFGClobberize.h:
3063         (JSC::DFG::clobberize):
3064         * dfg/DFGFixupPhase.cpp:
3065         (JSC::DFG::FixupPhase::fixupNode):
3066         - Handled untyped operands.
3067
3068         * dfg/DFGOperations.cpp:
3069         * dfg/DFGOperations.h:
3070         - Added DFG slow path functions for bitops.
3071
3072         * dfg/DFGSpeculativeJIT.cpp:
3073         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
3074         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
3075         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
3076         (JSC::DFG::SpeculativeJIT::compileShiftOp):
3077         * dfg/DFGSpeculativeJIT.h:
3078         - Added DFG backend support for untyped operands for bitops.
3079
3080         * dfg/DFGStrengthReductionPhase.cpp:
3081         (JSC::DFG::StrengthReductionPhase::handleNode):
3082         - Limit bitop strength reduction to cases where we don't have untyped operands.
3083           This is because values that are not int32s need to be converted to int32.
3084           Without untyped operands, the ValueToInt32 node takes care of this.
3085           With untyped operands, we cannot use ValueToInt32, and need to do the conversion
3086           in the code emitted for the bitop node itself.  For example:
3087
3088               5.5 | 0; // yields 5 because ValueToInt32 converts the 5.5 to a 5.
3089               "abc" | 0; // would yield "abc" instead of the expected 0 if we let
3090                          // strength reduction do its thing.
3091
3092         * ftl/FTLCompileBinaryOp.cpp:
3093         (JSC::FTL::generateBinaryBitOpFastPath):
3094         (JSC::FTL::generateRightShiftFastPath):
3095         (JSC::FTL::generateBinaryOpFastPath):
3096
3097         * ftl/FTLInlineCacheDescriptor.h:
3098         (JSC::FTL::BitAndDescriptor::BitAndDescriptor):
3099         (JSC::FTL::BitAndDescriptor::icSize):
3100         (JSC::FTL::BitAndDescriptor::nodeType):
3101         (JSC::FTL::BitAndDescriptor::opName):
3102         (JSC::FTL::BitAndDescriptor::slowPathFunction):
3103         (JSC::FTL::BitAndDescriptor::nonNumberSlowPathFunction):
3104         (JSC::FTL::BitOrDescriptor::BitOrDescriptor):
3105         (JSC::FTL::BitOrDescriptor::icSize):
3106         (JSC::FTL::BitOrDescriptor::nodeType):
3107         (JSC::FTL::BitOrDescriptor::opName):
3108         (JSC::FTL::BitOrDescriptor::slowPathFunction):
3109         (JSC::FTL::BitOrDescriptor::nonNumberSlowPathFunction):
3110         (JSC::FTL::BitXorDescriptor::BitXorDescriptor):
3111         (JSC::FTL::BitXorDescriptor::icSize):
3112         (JSC::FTL::BitXorDescriptor::nodeType):
3113         (JSC::FTL::BitXorDescriptor::opName):
3114         (JSC::FTL::BitXorDescriptor::slowPathFunction):
3115         (JSC::FTL::BitXorDescriptor::nonNumberSlowPathFunction):
3116         (JSC::FTL::BitLShiftDescriptor::BitLShiftDescriptor):
3117         (JSC::FTL::BitLShiftDescriptor::icSize):
3118         (JSC::FTL::BitLShiftDescriptor::nodeType):
3119         (JSC::FTL::BitLShiftDescriptor::opName):
3120         (JSC::FTL::BitLShiftDescriptor::slowPathFunction):
3121         (JSC::FTL::BitLShiftDescriptor::nonNumberSlowPathFunction):
3122         (JSC::FTL::BitRShiftDescriptor::BitRShiftDescriptor):
3123         (JSC::FTL::BitRShiftDescriptor::icSize):
3124         (JSC::FTL::BitRShiftDescriptor::nodeType):
3125         (JSC::FTL::BitRShiftDescriptor::opName):
3126         (JSC::FTL::BitRShiftDescriptor::slowPathFunction):
3127         (JSC::FTL::BitRShiftDescriptor::nonNumberSlowPathFunction):
3128         (JSC::FTL::BitURShiftDescriptor::BitURShiftDescriptor):
3129         (JSC::FTL::BitURShiftDescriptor::icSize):
3130         (JSC::FTL::BitURShiftDescriptor::nodeType):
3131         (JSC::FTL::BitURShiftDescriptor::opName):
3132         (JSC::FTL::BitURShiftDescriptor::slowPathFunction):
3133         (JSC::FTL::BitURShiftDescriptor::nonNumberSlowPathFunction):
3134         - Added support for bitop ICs.
3135
3136         * ftl/FTLInlineCacheSize.cpp:
3137         (JSC::FTL::sizeOfBitAnd):
3138         (JSC::FTL::sizeOfBitOr):
3139         (JSC::FTL::sizeOfBitXor):
3140         (JSC::FTL::sizeOfBitLShift):
3141         (JSC::FTL::sizeOfBitRShift):
3142         (JSC::FTL::sizeOfBitURShift):
3143         * ftl/FTLInlineCacheSize.h:
3144         - Added new bitop IC sizes.  These are just estimates for now that work adequately,
3145           and are shown to not impact performance on benchmarks.  We will re-tune these
3146           size values later in another patch once all snippet ICs have been added.
3147
3148         * ftl/FTLLowerDFGToLLVM.cpp:
3149         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
3150         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
3151         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
3152         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
3153         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
3154         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
3155         - Added support for bitop ICs.
3156
3157         * jit/JITLeftShiftGenerator.cpp:
3158         (JSC::JITLeftShiftGenerator::generateFastPath):
3159         * jit/JITLeftShiftGenerator.h:
3160         (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
3161         * jit/JITRightShiftGenerator.cpp:
3162         (JSC::JITRightShiftGenerator::generateFastPath):
3163         - The shift MASM operations need to ensure that the shiftAmount is not in the same
3164           register as the destination register.  With the baseline JIT and DFG, this is
3165           ensured in how we allocate these registers, and hence, the bug does not manifest.
3166           With the FTL, these registers are not guaranteed to be unique.  Hence, we need
3167           to fix the shift op snippet code to compensate for this.
3168
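The conversion rule the strength-reduction note above relies on, as an added example that is not JavaScriptCore code: a small JavaScript emulation of what the untyped bitop path must do (ECMAScript ToInt32 on each operand, then the int32 operation), next to the unsound rewrite of `x | 0` to `x` and its sound form. The function names and the sample operand list are constructed for this illustration; the cross-check against the engine's own operators shows that the emulation matches on every pair, including strings, objects with valueOf, NaN and out-of-range doubles.

```javascript
// Added example (not JavaScriptCore code): what a bitop must do with "untyped"
// operands, and why strength-reducing `x | 0` to `x` is only sound for int32 x.
// All names here (toInt32, untypedBitOp, soundOrZero, ...) are illustrative.

// ECMAScript ToInt32: ToNumber, truncate, reduce modulo 2^32 into the signed range.
function toInt32(value) {
  const n = Number(value);                       // ToNumber: 'abc' -> NaN, ' 12 ' -> 12, {valueOf} -> its result
  if (!Number.isFinite(n) || n === 0) return 0;  // NaN, +/-Infinity and +/-0 all map to +0
  const truncated = Math.trunc(n);
  const TWO_32 = 2 ** 32;
  const mod = ((truncated % TWO_32) + TWO_32) % TWO_32;   // exact: % on doubles is exact fmod
  return mod >= 2 ** 31 ? mod - TWO_32 : mod;             // wrap [2^31, 2^32) into negatives
}

// The untyped slow path: convert BOTH operands first, then run the int32 operation.
// The shift count uses only its low five bits, as the native operators do.
function untypedBitOp(op, lhs, rhs) {
  const l = toInt32(lhs);
  const r = toInt32(rhs);
  switch (op) {
    case '&':   return l & r;
    case '|':   return l | r;
    case '^':   return l ^ r;
    case '<<':  return l << (r & 31);
    case '>>':  return l >> (r & 31);
    case '>>>': return l >>> (r & 31);   // result is uint32, e.g. -1 >>> 0 === 4294967295
    default:    throw new TypeError(`unknown bitop ${op}`);
  }
}

// A runtime stand-in for what the DFG proves statically via speculation.
function isInt32(x) {
  return typeof x === 'number' && Number.isInteger(x) && !Object.is(x, -0)
    && x >= -(2 ** 31) && x <= 2 ** 31 - 1;
}

// What strength reduction must NOT do for an untyped operand: treat `x | 0` as `x`.
function unsoundOrZero(x) {
  return x;                       // unsoundOrZero('abc') === 'abc', but 'abc' | 0 === 0
}

// Sound version: the identity rewrite is only legal once x is known to be int32,
// because ToInt32 is a no-op on int32 values and on nothing else.
function soundOrZero(x) {
  return isInt32(x) ? x : toInt32(x);
}

// Constructed sample operands covering the cases ValueToInt32 does not handle:
// non-int32 doubles, strings, objects with valueOf, and the NaN/Infinity edges.
const SAMPLE_OPERANDS = [
  5.5, -1.5, 0, -0, 3, -3, 2 ** 31, 2 ** 32 + 5, -(2 ** 31) - 1, 1e300,
  NaN, Infinity, -Infinity, '', 'abc', '0x1f', ' 12 ', null, undefined, true, false,
  { valueOf() { return 7.9; } }, [3], {},
];

const NATIVE = {
  '&': (a, b) => a & b,   '|': (a, b) => a | b,    '^': (a, b) => a ^ b,
  '<<': (a, b) => a << b, '>>': (a, b) => a >> b,  '>>>': (a, b) => a >>> b,
};

// Cross-check the emulation against the engine's own operators on every operand pair.
function agreesWithNative() {
  for (const op of Object.keys(NATIVE)) {
    for (const a of SAMPLE_OPERANDS) {
      for (const b of SAMPLE_OPERANDS) {
        if (untypedBitOp(op, a, b) !== NATIVE[op](a, b)) return false;
      }
    }
  }
  return true;
}
```

The point for the compiler is in soundOrZero: the conversion is the only work `| 0` does, so dropping the node for an operand that might be a string or object changes the result type, not just its value.
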
3169 2015-12-15  Caitlin Potter  <caitp@igalia.com>
3170
3171         [JSC] SyntaxError if AssignmentElement is `eval` or `arguments` in strict code
3172         https://bugs.webkit.org/show_bug.cgi?id=152302
3173
3174         Reviewed by Mark Lam.
3175
3176         `eval` and `arguments` must not be assigned to in strict code. This
3177         change fixes `language/expressions/assignment/destructuring/obj-id-simple-strict.js`
3178         in Test262, as well as a variety of other similar tests.
3179
3180         * parser/Parser.cpp:
3181         (JSC::Parser<LexerType>::parseAssignmentElement):
3182         (JSC::Parser<LexerType>::parseDestructuringPattern):
3183         * tests/stress/destructuring-assignment-syntax.js:
3184
3185 2015-12-15  Csaba Osztrogonác  <ossy@webkit.org>
3186
3187         URTBF after 194062.
3188
3189         * assembler/MacroAssemblerARM.h:
3190         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Added.
3191         (JSC::MacroAssemblerARM::ceilDouble): Added.
3192
3193 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3194
3195         FTL B3 should account for localsOffset
3196         https://bugs.webkit.org/show_bug.cgi?id=152288
3197
3198         Reviewed by Saam Barati.
3199
3200         The DFG will build up some data structures that expect to know about offsets from FP. Those data
3201         structures may slide by some offset when the low-level compiler (either LLVM or B3) does stack
3202         allocation. So, the LLVM FTL modifies those data structures based on the real offset that it gets
3203         from LLVM's stackmaps. The B3 code needs to do the same.
3204
3205         I had previously vowed to never put more stuff into FTLB3Compile.cpp, because I didn't want it to
3206         look like FTLCompile.cpp. Up until now, I was successful because I used lambdas installed by
3207         FTLLower. But in this case, I actually think that having code that just does this explicitly in
3208         FTLB3Compile.cpp is least confusing. There is no particular place in FTLLower that would want to
3209         care about this, and we need to ensure that we do this fixup before we run any of the stackmap
3210         generators. In other words, it needs to happen before we call B3::generate(). The ordering
3211         constraints seem like a good reason to have this done explicitly rather than through lambdas.
3212
3213         I wrote a test. The test was failing in trunk because the B3 meaning of anchor().value() is
3214         different from the LLVM meaning. This caused breakage when we used this idiom:
3215
3216             ValueFromBlock foo = m_out.anchor(things);
3217             ...(foo.value()) // we were expecting that foo.value() == things
3218
3219         I never liked this idiom to begin with, so instead of trying to change B3's anchor(), I changed
3220         the idiom to:
3221
3222             LValue fooValue = things;
3223             ValueFromBlock foo = m_out.anchor(fooValue);
3224             ...(fooValue)
3225
3226         This is probably a good idea, since eventually we want B3's anchor() to just return the
3227         UpsilonValue*. To get there, we want to eliminate any situations where code assumes that
3228         ValueFromBlock is an actual object and not just a typedef for a pointer.
3229
3230         * ftl/FTLB3Compile.cpp:
3231         (JSC::FTL::compile):
3232         * ftl/FTLB3Output.cpp:
3233         (JSC::FTL::Output::appendTo):
3234         (JSC::FTL::Output::lockedStackSlot):
3235         * ftl/FTLB3Output.h:
3236         (JSC::FTL::Output::framePointer):
3237         (JSC::FTL::Output::constBool):
3238         (JSC::FTL::Output::constInt32):
3239         * ftl/FTLLowerDFGToLLVM.cpp:
3240         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3241         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
3242         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
3243         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
3244         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringCharAt):
3245         (JSC::FTL::DFG::LowerDFGToLLVM::compileForwardVarargs):
3246         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty):
3247         (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
3248         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
3249         * ftl/FTLState.h:
3250         (JSC::FTL::verboseCompilationEnabled):
3251         * tests/stress/ftl-function-dot-arguments-with-callee-saves.js: Added.
3252
3253 2015-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3254
3255         Math.random should have an intrinsic thunk and it should be later handled as a DFG Node
3256         https://bugs.webkit.org/show_bug.cgi?id=152133
3257
3258         Reviewed by Geoffrey Garen.
3259
3260         In this patch, we implement new RandomIntrinsic. It emits machine code to generate random numbers efficiently.
3261         And later it will be recognized by DFG and converted to ArithRandom node.
3262         It provides type information SpecDoubleReal since Math.random only generates a number within [0, 1.0).
3263
3264         Currently, only the 64bit version is supported. On 32bit environments, ArithRandom will be converted to callOperation.
3265         While it emits a function call, ArithRandom node on 32bit still represents SpecDoubleReal as a result type.
3266
3267         * dfg/DFGAbstractHeap.h:
3268         * dfg/DFGAbstractInterpreterInlines.h:
3269         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3270         * dfg/DFGByteCodeParser.cpp:
3271         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3272         * dfg/DFGClobberize.h:
3273         (JSC::DFG::clobberize):
3274         * dfg/DFGDoesGC.cpp:
3275         (JSC::DFG::doesGC):
3276         * dfg/DFGFixupPhase.cpp:
3277         (JSC::DFG::FixupPhase::fixupNode):
3278         * dfg/DFGNodeType.h:
3279         * dfg/DFGOperations.cpp:
3280         * dfg/DFGOperations.h:
3281         * dfg/DFGPredictionPropagationPhase.cpp:
3282         (JSC::DFG::PredictionPropagationPhase::propagate):
3283         * dfg/DFGSafeToExecute.h:
3284         (JSC::DFG::safeToExecute):
3285         * dfg/DFGSpeculativeJIT.h:
3286         (JSC::DFG::SpeculativeJIT::callOperation):
3287         * dfg/DFGSpeculativeJIT32_64.cpp:
3288         (JSC::DFG::SpeculativeJIT::compile):
3289         (JSC::DFG::SpeculativeJIT::compileArithRandom):
3290         * dfg/DFGSpeculativeJIT64.cpp:
3291         (JSC::DFG::SpeculativeJIT::compile):
3292         (JSC::DFG::SpeculativeJIT::compileArithRandom):
3293         * ftl/FTLCapabilities.cpp:
3294         (JSC::FTL::canCompile):
3295         * ftl/FTLLowerDFGToLLVM.cpp:
3296         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3297         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRandom):
3298         * jit/AssemblyHelpers.cpp:
3299         (JSC::emitRandomThunkImpl):
3300         (JSC::AssemblyHelpers::emitRandomThunk):
3301         * jit/AssemblyHelpers.h:
3302         * jit/JITOperations.h:
3303         * jit/ThunkGenerators.cpp:
3304         (JSC::randomThunkGenerator):
3305         * jit/ThunkGenerators.h:
3306         * runtime/Intrinsic.h:
3307         * runtime/JSGlobalObject.h:
3308         (JSC::JSGlobalObject::weakRandomOffset):
3309         * runtime/MathObject.cpp:
3310         (JSC::MathObject::finishCreation):
3311         * runtime/VM.cpp:
3312         (JSC::thunkGeneratorForIntrinsic):
3313         * tests/stress/random-53bit.js: Added.
3314         (test):
3315         * tests/stress/random-in-range.js: Added.
3316         (test):
3317
3318 2015-12-14  Benjamin Poulain  <benjamin@webkit.org>
3319
3320         Rename FTL::Output's ceil64() to doubleCeil()
3321
3322         Rubber-stamped by Filip Pizlo.
3323
3324         ceil64() was a bad name; that's the naming convention we use for integers.
3325
3326         * ftl/FTLB3Output.h:
3327         (JSC::FTL::Output::doubleCeil):
3328         (JSC::FTL::Output::ceil64): Deleted.
3329         * ftl/FTLLowerDFGToLLVM.cpp:
3330         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRound):
3331
3332 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3333
3334         FTL B3 should be able to run n-body.js
3335         https://bugs.webkit.org/show_bug.cgi?id=152281
3336
3337         Reviewed by Benjamin Poulain.
3338
3339         Fix a bug where m_captured was pointing to the start of the captured vars slot rather than the
3340         end, like the rest of the FTL expected.
3341
3342         * ftl/FTLLowerDFGToLLVM.cpp:
3343         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3344
3345 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
3346
3347         Fix bad copy-paste in r194062
3348
3349         * ftl/FTLB3Output.h:
3350         (JSC::FTL::Output::ceil64):
3351
3352 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3353
3354         Unreviewed, fix cloop build.
3355
3356         * jit/GPRInfo.cpp:
3357
3358 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3359
3360         FTL B3 should do PutById
3361         https://bugs.webkit.org/show_bug.cgi?id=152268
3362
3363         Reviewed by Saam Barati.
3364
3365         * CMakeLists.txt:
3366         * JavaScriptCore.xcodeproj/project.pbxproj:
3367         * b3/B3LowerToAir.cpp:
3368         (JSC::B3::Air::LowerToAir::createGenericCompare): I realized that we were missing some useful matching rules.
3369         * b3/testb3.cpp: Added a bunch of tests.
3370         * ftl/FTLLowerDFGToLLVM.cpp:
3371         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById): Do the things.
3372         * jit/GPRInfo.cpp: Added. I had to do this yucky thing because clang was having issues compiling references to this from deeply nested lambdas.
3373         * jit/GPRInfo.h: Added a comment about how patchpointScratchRegister is bizarre and should probably die.
3374
3375 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
3376
3377         [JSC] Add ceil() support for x86 and expose it to B3
3378         https://bugs.webkit.org/show_bug.cgi?id=152231
3379
3380         Reviewed by Geoffrey Garen.
3381
3382         Most x86 CPUs we care about support ceil() natively
3383         with the round instruction.
3384
3385         This patch exposes that behind a runtime flag, uses it
3386         in the Math.ceil() thunk and exposes it to B3.
3387
3388         * assembler/MacroAssemblerARM64.h:
3389         (JSC::MacroAssemblerARM64::supportsFloatingPointCeil):
3390         * assembler/MacroAssemblerARMv7.h:
3391         (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil):
3392         * assembler/MacroAssemblerMIPS.h:
3393         (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil):
3394         * assembler/MacroAssemblerSH4.h:
3395         (JSC::MacroAssemblerSH4::supportsFloatingPointCeil):
3396         * assembler/MacroAssemblerX86Common.cpp:
3397         * assembler/MacroAssemblerX86Common.h:
3398         (JSC::MacroAssemblerX86Common::ceilDouble):
3399         (JSC::MacroAssemblerX86Common::ceilFloat):
3400         (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil):
3401         (JSC::MacroAssemblerX86Common::supportsLZCNT):
3402         * assembler/X86Assembler.h:
3403         (JSC::X86Assembler::roundss_rr):
3404         (JSC::X86Assembler::roundss_mr):
3405         (JSC::X86Assembler::roundsd_rr):
3406         (JSC::X86Assembler::roundsd_mr):
3407         (JSC::X86Assembler::mfence):
3408         (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
3409         * b3/B3ConstDoubleValue.cpp:
3410         (JSC::B3::ConstDoubleValue::ceilConstant):
3411         * b3/B3ConstDoubleValue.h:
3412         * b3/B3ConstFloatValue.cpp:
3413         (JSC::B3::ConstFloatValue::ceilConstant):
3414         * b3/B3ConstFloatValue.h:
3415         * b3/B3LowerMacrosAfterOptimizations.cpp:
3416         * b3/B3LowerToAir.cpp:
3417         (JSC::B3::Air::LowerToAir::lower):
3418         * b3/B3Opcode.cpp:
3419         (WTF::printInternal):
3420         * b3/B3Opcode.h:
3421         * b3/B3ReduceDoubleToFloat.cpp:
3422         * b3/B3ReduceStrength.cpp:
3423         * b3/B3Validate.cpp:
3424         * b3/B3Value.cpp:
3425         (JSC::B3::Value::ceilConstant):
3426         (JSC::B3::Value::effects):
3427         (JSC::B3::Value::key):
3428         (JSC::B3::Value::typeFor):
3429         * b3/B3Value.h:
3430         * b3/air/AirOpcode.opcodes:
3431         * b3/testb3.cpp:
3432         (JSC::B3::testCeilArg):
3433         (JSC::B3::testCeilImm):
3434         (JSC::B3::testCeilMem):
3435         (JSC::B3::testCeilCeilArg):
3436         (JSC::B3::testCeilIToD64):
3437         (JSC::B3::testCeilIToD32):
3438         (JSC::B3::testCeilArgWithUselessDoubleConversion):
3439         (JSC::B3::testCeilArgWithEffectfulDoubleConversion):
3440         (JSC::B3::populateWithInterestingValues):
3441         (JSC::B3::run):
3442         * ftl/FTLB3Output.h:
3443         (JSC::FTL::Output::ceil64):
3444         * jit/ThunkGenerators.cpp:
3445         (JSC::ceilThunkGenerator):
3446
3447 2015-12-14  Andreas Kling  <akling@apple.com>
3448
3449         ResourceUsageOverlay should show GC timers.
3450         <https://webkit.org/b/152151>
3451
3452         Reviewed by Darin Adler.
3453
3454         Expose the next fire time (in WTF timestamp style) of a GCActivityCallback.
3455
3456         * heap/GCActivityCallback.cpp:
3457         (JSC::GCActivityCallback::scheduleTimer):
3458         (JSC::GCActivityCallback::cancelTimer):
3459         * heap/GCActivityCallback.h:
3460
3461 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3462
3463         Unreviewed, fix merge issue in a test.
3464
3465         * b3/testb3.cpp:
3466         (JSC::B3::testCheckTwoMegaCombos):
3467         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
3468
3469 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3470
3471         B3 should not give ValueReps for the non-stackmap children of a CheckValue to the generator callback
3472         https://bugs.webkit.org/show_bug.cgi?id=152224
3473
3474         Reviewed by Geoffrey Garen.
3475
3476         Previously, a stackmap generator for a Check had to know how many children the B3 value for the
3477         Check had at the time of code generation. That meant that B3 could not change the kind of Check
3478         that it was - for example it cannot turn a Check into a Patchpoint and it cannot turn a CheckAdd
3479         into a Check. But just changing the contract so that the stackmap generation params only get the
3480         stackmap children of the check means that B3 can transform Checks as it likes.
3481
3482         This is meant to aid sinking values into checks.
3483
3484         Also, I found that the effects of a Check did not include HeapRange::top(). I think it's best if
3485         exitsSideways does not imply reading top, the way that it does in DFG. In the DFG, that makes
3486         sense because the exit analysis is orthogonal, so the clobber analysis tells you about the reads
3487         not counting OSR exit - if you need to you can conditionally merge that with World based on a
3488         separate exit analysis. But in B3, the Effects object tells you about both exiting and reading,
3489         and it's computed by one analysis. Prior to this change, Check was not setting reads to top() so
3490         we were effectively saying that Effects::reads is meaningless when exitsSideways is true. It
3491         seems more sensible to instead force the analysis to set reads to top() when setting
3492         exitsSideways to true, not least because we only have one such analysis and many users. But it
3493         also makes sense for another reason: it allows us to bound the set of things that the program
3494         will read after it exits. That might not be useful to us now, but it's a nice feature to get for
3495         free. I've seen language features that behave like exitsSideways that don't also read top,
3496         like an array bounds check that causes sudden termination without making any promises about how
3497         pretty the crash dump will look.
3498
3499         * b3/B3CheckSpecial.cpp:
3500         (JSC::B3::CheckSpecial::generate):
3501         * b3/B3Opcode.h:
3502         * b3/B3Value.cpp:
3503         (JSC::B3::Value::effects):
3504         * b3/testb3.cpp:
3505         (JSC::B3::testSimpleCheck):
3506         (JSC::B3::testCheckLessThan):
3507         (JSC::B3::testCheckMegaCombo):
3508         (JSC::B3::testCheckAddImm):
3509         (JSC::B3::testCheckAddImmCommute):
3510         (JSC::B3::testCheckAddImmSomeRegister):
3511         (JSC::B3::testCheckAdd):
3512         (JSC::B3::testCheckAdd64):
3513         (JSC::B3::testCheckSubImm):
3514         (JSC::B3::testCheckSubBadImm):
3515         (JSC::B3::testCheckSub):
3516         (JSC::B3::testCheckSub64):
3517         (JSC::B3::testCheckNeg):
3518         (JSC::B3::testCheckNeg64):
3519         (JSC::B3::testCheckMul):
3520         (JSC::B3::testCheckMulMemory):
3521         (JSC::B3::testCheckMul2):
3522         (JSC::B3::testCheckMul64):
3523         * ftl/FTLLowerDFGToLLVM.cpp:
3524         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
3525
3526 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3527
3528         Air: Support Architecture-specific forms and Opcodes
3529         https://bugs.webkit.org/show_bug.cgi?id=151736
3530
3531         Reviewed by Benjamin Poulain.
3532
3533         This adds really awesome architecture selection to the AirOpcode.opcodes file. If an opcode or
3534         opcode form is unavailable on some architecture, you can still mention its name in C++ code (it'll
3535         still be a member of the enum) but isValidForm() and all other reflective queries will tell you
3536         that it doesn't exist. This will make the instruction selector steer clear of it, and it will
3537         also ensure that the spiller doesn't try to use any unavailable architecture-specific address
3538         forms.
3539
3540         The new capability is documented extensively in a comment in AirOpcode.opcodes.
3541
3542         * b3/air/AirOpcode.opcodes:
3543         * b3/air/opcode_generator.rb:
3544
3545 2015-12-14  Mark Lam  <mark.lam@apple.com>
3546
3547         Misc. small fixes in snippet related code.
3548         https://bugs.webkit.org/show_bug.cgi?id=152259
3549
3550         Reviewed by Saam Barati.
3551
3552         * dfg/DFGSpeculativeJIT.cpp:
3553         (JSC::DFG::SpeculativeJIT::compileArithMul):
3554         - When loading a constant JSValue for a node, use the one that the node already
3555           provides instead of reconstructing it.  This is not a bug, but the fix makes
3556           the code cleaner.
3557
3558         * jit/JITBitAndGenerator.cpp:
3559         (JSC::JITBitAndGenerator::generateFastPath):
3560         - No need to do a bitand with a constant int 0xffffffff operand.
3561
3562         * jit/JITBitOrGenerator.cpp:
3563         (JSC::JITBitOrGenerator::generateFastPath):
3564         - Fix comments: bitor is '|', not '&'.
3565         - No need to do a bitor with a constant int 0 operand.
3566
3567         * jit/JITBitXorGenerator.cpp:
3568         (JSC::JITBitXorGenerator::generateFastPath):
3569         - Fix comments: bitxor is '^', not '&'.
3570
3571         * jit/JITRightShiftGenerator.cpp:
3572         (JSC::JITRightShiftGenerator::generateFastPath):
3573         - Renamed a jump target name to be clearer about its purpose.
3574
3575 2015-12-14  Mark Lam  <mark.lam@apple.com>
3576
3577         We should not employ the snippet code in the DFG if no OSR exit was previously encountered.
3578         https://bugs.webkit.org/show_bug.cgi?id=152255
3579
3580         Reviewed by Saam Barati.
3581
3582         * dfg/DFGFixupPhase.cpp:
3583         (JSC::DFG::FixupPhase::fixupNode):
3584
3585 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3586
3587         B3->Air compare-branch fusion should fuse even if the result of the comparison is used more than once
3588         https://bugs.webkit.org/show_bug.cgi?id=152198
3589
3590         Reviewed by Benjamin Poulain.
3591
3592         If we have a comparison operation that is branched on from multiple places, then we were
3593         previously executing the comparison to get a boolean result in a register and then we were
3594         testing/branching on that register in multiple places. This is actually less efficient than
3595         just fusing the compare/branch multiple times, even though this means that the comparison
3596         executes multiple times. This would only be bad if the comparison fused loads multiple times,
3597         since duplicating loads is both wrong and inefficient. So, this adds the notion of sharing to
3598         compare/branch fusion. If a compare is shared by multiple branches, then we refuse to fuse
3599         the load.
3600
3601         To write the test, I needed to zero-extend 8 to 32. In the process of thinking about how to
3602         do this, I realized that we needed lowerings for SExt8/SExt16. And I realized that the
3603         lowerings for the other extension operations were not fully fleshed out; for example they
3604         were incapable of load fusion. This patch fixes this and also adds some smart strength
3605         reductions for BitAnd(@x, 0xff/0xffff/0xffffffff) - all of which should be lowered to a zero
3606         extension.
3607
3608         This is a big win on asm.js code. It's not enough to bridge the gap to LLVM, but it's a huge
3609         step in that direction.
3610
3611         * assembler/MacroAssemblerX86Common.h:
3612         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
3613         (JSC::MacroAssemblerX86Common::zeroExtend8To32):
3614         (JSC::MacroAssemblerX86Common::signExtend8To32):
3615         (JSC::MacroAssemblerX86Common::load16):
3616         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
3617         (JSC::MacroAssemblerX86Common::zeroExtend16To32):
3618         (JSC::MacroAssemblerX86Common::signExtend16To32):
3619         (JSC::MacroAssemblerX86Common::store32WithAddressOffsetPatch):
3620         * assembler/X86Assembler.h:
3621         (JSC::X86Assembler::movzbl_rr):
3622         (JSC::X86Assembler::movsbl_rr):
3623         (JSC::X86Assembler::movzwl_rr):
3624         (JSC::X86Assembler::movswl_rr):
3625         (JSC::X86Assembler::cmovl_rr):
3626         * b3/B3LowerToAir.cpp:
3627         (JSC::B3::Air::LowerToAir::createGenericCompare):
3628         (JSC::B3::Air::LowerToAir::lower):
3629         * b3/B3ReduceStrength.cpp:
3630         * b3/air/AirOpcode.opcodes:
3631         * b3/testb3.cpp:
3632         (JSC::B3::testCheckMegaCombo):
3633         (JSC::B3::testCheckTwoMegaCombos):
3634         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
3635         (JSC::B3::testCheckAddImm):
3636         (JSC::B3::testTruncSExt32):
3637         (JSC::B3::testSExt8):
3638         (JSC::B3::testSExt8Fold):
3639         (JSC::B3::testSExt8SExt8):
3640         (JSC::B3::testSExt8SExt16):
3641         (JSC::B3::testSExt8BitAnd):
3642         (JSC::B3::testBitAndSExt8):
3643         (JSC::B3::testSExt16):
3644         (JSC::B3::testSExt16Fold):
3645         (JSC::B3::testSExt16SExt16):
3646         (JSC::B3::testSExt16SExt8):
3647         (JSC::B3::testSExt16BitAnd):
3648         (JSC::B3::testBitAndSExt16):
3649         (JSC::B3::testSExt32BitAnd):
3650         (JSC::B3::testBitAndSExt32):
3651         (JSC::B3::testBasicSelect):
3652         (JSC::B3::run):
3653
3654 2015-12-14  Chris Dumez  <cdumez@apple.com>
3655
3656         Roll out r193974 and follow-up fixes as it caused JSC crashes
3657         https://bugs.webkit.org/show_bug.cgi?id=152256
3658
3659         Unreviewed, roll out r193974 and follow-up fixes as it caused JSC crashes.
3660
3661         * API/JSCallbackObject.h:
3662         * builtins/FunctionPrototype.js:
3663         * bytecode/BytecodeBasicBlock.cpp:
3664         (JSC::isBranch):
3665         * bytecode/BytecodeList.json:
3666         * bytecode/BytecodeUseDef.h:
3667         (JSC::computeUsesForBytecodeOffset):
3668         (JSC::computeDefsForBytecodeOffset):
3669         * bytecode/CodeBlock.cpp:
3670         (JSC::CodeBlock::dumpBytecode):
3671         * bytecode/ExitKind.cpp:
3672         (JSC::exitKindToString): Deleted.
3673         * bytecode/ExitKind.h:
3674         * bytecode/PreciseJumpTargets.cpp:
3675         (JSC::getJumpTargetsForBytecodeOffset):
3676         * bytecompiler/BytecodeGenerator.cpp:
3677         (JSC::BytecodeGenerator::emitCheckHasInstance):
3678         (JSC::BytecodeGenerator::emitGetById): Deleted.
3679         * bytecompiler/BytecodeGenerator.h:
3680         (JSC::BytecodeGenerator::emitTypeOf): Deleted.
3681         * bytecompiler/NodesCodegen.cpp:
3682         (JSC::InstanceOfNode::emitBytecode):
3683         (JSC::LogicalOpNode::emitBytecode): Deleted.
3684         (JSC::LogicalOpNode::emitBytecodeInConditionContext): Deleted.
3685         * dfg/DFGAbstractInterpreterInlines.h:
3686         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3687         * dfg/DFGByteCodeParser.cpp:
3688         (JSC::DFG::ByteCodeParser::parseBlock):
3689         * dfg/DFGCapabilities.cpp:
3690         (JSC::DFG::capabilityLevel):
3691         * dfg/DFGClobberize.h:
3692         (JSC::DFG::clobberize):
3693         * dfg/DFGDoesGC.cpp:
3694         (JSC::DFG::doesGC):
3695         * dfg/DFGFixupPhase.cpp:
3696         (JSC::DFG::FixupPhase::fixupNode):
3697         * dfg/DFGHeapLocation.cpp:
3698         (WTF::printInternal):
3699         * dfg/DFGHeapLocation.h:
3700         * dfg/DFGNode.h:
3701         (JSC::DFG::Node::hasCellOperand): Deleted.
3702         (JSC::DFG::Node::hasTransition): Deleted.
3703         * dfg/DFGNodeType.h:
3704         * dfg/DFGPredictionPropagationPhase.cpp:
3705         (JSC::DFG::PredictionPropagationPhase::propagate):
3706         * dfg/DFGSafeToExecute.h:
3707         (JSC::DFG::safeToExecute):
3708         * dfg/DFGSpeculativeJIT.cpp:
3709         (JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
3710         (JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.
3711         * dfg/DFGSpeculativeJIT.h:
3712         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
3713         * dfg/DFGSpeculativeJIT32_64.cpp:
3714         (JSC::DFG::SpeculativeJIT::compile):
3715         * dfg/DFGSpeculativeJIT64.cpp:
3716         (JSC::DFG::SpeculativeJIT::compile):
3717         * ftl/FTLCapabilities.cpp:
3718         (JSC::FTL::canCompile):
3719         * ftl/FTLIntrinsicRepository.h:
3720         * ftl/FTLLowerDFGToLLVM.cpp:
3721         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3722         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance):
3723         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOf): Deleted.
3724         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty): Deleted.
3725         * jit/CCallHelpers.h:
3726         (JSC::CCallHelpers::setupArguments): Deleted.
3727         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
3728         * jit/JIT.cpp:
3729         (JSC::JIT::privateCompileMainPass):
3730         (JSC::JIT::privateCompileSlowCases):
3731         * jit/JIT.h:
3732         * jit/JITInlines.h:
3733         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
3734         (JSC::JIT::callOperation): Deleted.
3735         * jit/JITOpcodes.cpp:
3736         (JSC::JIT::emit_op_check_has_instance):
3737         (JSC::JIT::emit_op_instanceof):
3738         (JSC::JIT::emitSlow_op_check_has_instance):
3739         (JSC::JIT::emitSlow_op_instanceof):
3740         (JSC::JIT::emit_op_is_undefined): Deleted.
3741         (JSC::JIT::emitSlow_op_to_number): Deleted.
3742         (JSC::JIT::emitSlow_op_to_string): Deleted.
3743         * jit/JITOpcodes32_64.cpp:
3744         (JSC::JIT::emit_op_check_has_instance):
3745         (JSC::JIT::emit_op_instanceof):
3746         (JSC::JIT::emitSlow_op_check_has_instance):
3747         (JSC::JIT::emitSlow_op_instanceof):
3748         (JSC::JIT::emit_op_is_undefined): Deleted.
3749         * jit/JITOperations.cpp:
3750         * jit/JITOperations.h:
3751         * llint/LLIntData.cpp:
3752         (JSC::LLInt::Data::performAssertions): Deleted.
3753         * llint/LLIntSlowPaths.cpp:
3754         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3755         * llint/LLIntSlowPaths.h:
3756         * llint/LowLevelInterpreter32_64.asm:
3757         * llint/LowLevelInterpreter64.asm:
3758         * runtime/CommonIdentifiers.h:
3759         * runtime/ExceptionHelpers.cpp:
3760         (JSC::invalidParameterInstanceofSourceAppender):
3761         (JSC::createInvalidInstanceofParameterError):
3762         (JSC::createError): Deleted.
3763         (JSC::createNotAFunctionError): Deleted.
3764         (JSC::createNotAnObjectError): Deleted.
3765         * runtime/ExceptionHelpers.h:
3766         * runtime/FunctionPrototype.cpp:
3767         (JSC::FunctionPrototype::addFunctionProperties):
3768         * runtime/FunctionPrototype.h:
3769         * runtime/JSBoundFunction.cpp:
3770         (JSC::JSBoundFunction::create): Deleted.
3771         (JSC::JSBoundFunction::customHasInstance): Deleted.
3772         * runtime/JSBoundFunction.h:
3773         * runtime/JSGlobalObject.cpp:
3774         (JSC::JSGlobalObject::init):
3775         (JSC::JSGlobalObject::visitChildren): Deleted.
3776         * runtime/JSGlobalObject.h:
3777         (JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.
3778         * runtime/JSObject.cpp:
3779         (JSC::JSObject::hasInstance):
3780         (JSC::JSObject::defaultHasInstance): Deleted.
3781         (JSC::JSObject::getPropertyNames): Deleted.
3782         (JSC::JSObject::getOwnPropertyNames): Deleted.
3783         * runtime/JSObject.h:
3784         (JSC::JSFinalObject::create): Deleted.
3785         * runtime/JSTypeInfo.h:
3786         (JSC::TypeInfo::TypeInfo):
3787         (JSC::TypeInfo::overridesHasInstance):
3788         * runtime/WriteBarrier.h:
3789         (JSC::WriteBarrierBase<Unknown>::slot):
3790         * tests/es6.yaml:
3791         * tests/stress/instanceof-custom-hasinstancesymbol.js: Removed.
3792         * tests/stress/symbol-hasInstance.js: Removed.
3793
3794 2015-12-13  Benjamin Poulain  <bpoulain@apple.com>
3795
3796         [JSC] Remove FTL::Output's doubleEqualOrUnordered()
3797         https://bugs.webkit.org/show_bug.cgi?id=152234
3798
3799         Reviewed by Sam Weinig.
3800
3801         It is unused, one less thing to worry about.
3802
3803         * ftl/FTLB3Output.h:
3804         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
3805         * ftl/FTLOutput.h:
3806         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
3807
3808 2015-12-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3809
3810         [JSC] Should not emit get_by_id for indexed property access
3811         https://bugs.webkit.org/show_bug.cgi?id=151354
3812
3813         Reviewed by Darin Adler.
3814
3815         Before this patch, `a["1"]` is converted to an `a.1` get_by_id operation in the bytecode compiler.
3816         get_by_id emits an IC. The IC relies on the fact that a Structure transition occurs when adding / removing an object's properties.
3817         However, that's not true for indexed element properties. They are stored in the element storage and no Structure transition occurs.
3818
3819         For example, in the following case,
3820
3821              function getOne(a) { return a['1']; }
3822
3823              for (var i = 0; i < 36; ++i)
3824                  getOne({2: true});
3825
3826              if (!getOne({1: true}))
3827                  throw new Error("OUT");
3828
3829         In this case, `a['1']` creates a get_by_id. The `getOne({2: true})` calls make getOne's get_by_id create an IC that says,
3830         "when coming with this structure chain, there is no property "1", so we should return `undefined`".
3831
3832         After that, we call `getOne({1: true})`. But in this case, `{2: true}` and `{1: true}` have the same structure chain,
3833         because an indexed property addition does not cause a structure transition.
3834         So the previous IC fast path is used and returns `undefined`. But the correct answer is returning `true`.
3835
3836         This patch fixes the above issue. When there is a string bracket access, we only emit get_by_id if the given string is not an index.
3837         There are bugs in get_by_id, put_by_id, and put_by_id (direct). But only get_by_id poses a user-observable issue,
3838         because in the put_by_id case, the generic path just says "this put is uncacheable".
3839
3840         * bytecompiler/BytecodeGenerator.cpp:
3841         (JSC::BytecodeGenerator::emitGetById):
3842         (JSC::BytecodeGenerator::emitPutById):
3843         (JSC::BytecodeGenerator::emitDirectPutById):
3844         * bytecompiler/NodesCodegen.cpp:
3845         (JSC::isNonIndexStringElement):
3846         (JSC::BracketAccessorNode::emitBytecode):
3847         (JSC::FunctionCallBracketNode::emitBytecode):
3848         (JSC::AssignBracketNode::emitBytecode):
3849         (JSC::ObjectPatternNode::bindValue):
3850         * tests/stress/element-property-get-should-not-handled-with-get-by-id.js: Added.
3851         (getOne):
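
        The entry above turns on one question: which constant string keys name indexed elements (no Structure transition, so not safe to cache by Structure) and which name ordinary properties. The following is an added illustration, not WebKit code and not the body of isNonIndexStringElement; it encodes the ECMAScript array-index rule (a canonical decimal integer in [0, 2^32 - 2]) in plain JavaScript and shows the observable consequence that index-like keys are stored and enumerated separately from named properties. Function names and the classification strings are illustrative assumptions.

```javascript
// Added example, not WebKit's code. The ECMAScript array-index rule that
// decides whether a string key names an indexed element or a named property:
// a string is an array index iff it is the canonical decimal form of an
// integer in [0, 2^32 - 2]. "01", "1.0", " 1" and "4294967295" are not.
const MAX_ARRAY_INDEX = 2 ** 32 - 2;

function isArrayIndex(key) {
  if (typeof key !== "string" || key.length === 0 || key.length > 10) return false;
  // Canonical form: no leading zeros, no sign, no whitespace, digits only.
  if (!/^(0|[1-9][0-9]*)$/.test(key)) return false;
  return Number(key) <= MAX_ARRAY_INDEX;
}

// Illustrative classification (names assumed): a constant string key that is
// an index must go through the indexed (by-val) path, because elements live in
// element storage that does not participate in Structure transitions; only a
// non-index string may be compiled as a named (by-id) access with an IC.
function classifyConstantKey(key) {
  return isArrayIndex(key) ? "indexed" : "named";
}

// Observable consequence in any ES engine: index-like keys are enumerated
// first, in ascending numeric order, regardless of insertion order; named
// string keys keep insertion order. Returns the key list joined for comparison.
function keyOrder(obj) {
  return Object.keys(obj).join(",");
}

// Mirrors the ChangeLog's reproduction: two objects with different indexed
// elements but identical Structure. Returns the result of the constant-key
// read on each, which must differ even though the Structure chain is shared.
function readConstantIndex(objA, objB) {
  const read = (o) => o["1"];
  return [read(objA), read(objB)];
}
```

`readConstantIndex({2: true}, {1: true})` yields `[undefined, true]`; a by-id IC keyed on the shared Structure would wrongly return `undefined` for both, which is exactly the divergence the patch removes by refusing to emit get_by_id for index-like constant keys.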
3852
3853 2015-12-13  Andreas Kling  <akling@apple.com>
3854
3855         CachedScript could have a copy-free path for all-ASCII scripts.
3856         <https://webkit.org/b/152203>
3857
3858         Reviewed by Antti Koivisto.
3859
3860         Make SourceProvider vend a StringView instead of a String.
3861         This relaxes the promises that providers have to make about string lifetimes.
3862
3863         This means that on the WebCore side, CachedScript is free to cache a String
3864         internally, while only ever exposing it as a temporary StringView.
3865
3866         A few extra copies (CPU, not memory) are introduced, none of them on hot paths.
3867
3868         * API/JSScriptRef.cpp:
3869         * bytecode/CodeBlock.cpp:
3870         (JSC::CodeBlock::sourceCodeForTools):
3871         (JSC::CodeBlock::dumpSource):
3872         * inspector/ScriptDebugServer.cpp:
3873         (Inspector::ScriptDebugServer::dispatchDidParseSource):
3874         (Inspector::ScriptDebugServer::dispatchFailedToParseSource):
3875         * interpreter/Interpreter.cpp:
3876         (JSC::Interpreter::execute):
3877         * jsc.cpp:
3878         (functionFindTypeForExpression):
3879         (functionHasBasicBlockExecuted):
3880         (functionBasicBlockExecutionCount):
3881         * parser/Lexer.cpp:
3882         (JSC::Lexer<T>::setCode):
3883         * parser/Lexer.h:
3884         (JSC::Lexer<LChar>::setCodeStart):
3885         (JSC::Lexer<UChar>::setCodeStart):
3886         * parser/Parser.h:
3887         (JSC::Parser::getToken):
3888         * parser/SourceCode.cpp:
3889         (JSC::SourceCode::toUTF8):
3890         * parser/SourceCode.h:
3891         (JSC::SourceCode::hash):
3892         (JSC::SourceCode::view):
3893         (JSC::SourceCode::toString): Deleted.
3894         * parser/SourceCodeKey.h:
3895         (JSC::SourceCodeKey::SourceCodeKey):
3896         (JSC::SourceCodeKey::string):
3897         * parser/SourceProvider.h:
3898         (JSC::SourceProvider::getRange):
3899         * runtime/Completion.cpp:
3900         (JSC::loadAndEvaluateModule):
3901         (JSC::loadModule):
3902         * runtime/ErrorInstance.cpp:
3903         (JSC::appendSourceToError):
3904         * runtime/FunctionPrototype.cpp:
3905         (JSC::functionProtoFuncToString):
3906         * tools/FunctionOverrides.cpp:
3907         (JSC::initializeOverrideInfo):
3908         (JSC::FunctionOverrides::initializeOverrideFor):
3909
3910 2015-12-12  Benjamin Poulain  <benjamin@webkit.org>
3911
3912         [JSC] Add lowering for B3's Store8 opcode
3913         https://bugs.webkit.org/show_bug.cgi?id=152208
3914
3915         Reviewed by Geoffrey Garen.
3916
3917         B3 has an opcode to store 8-bit values but it had
3918         no lowering.
3919
3920         * b3/B3LowerToAir.cpp:
3921         (JSC::B3::Air::LowerToAir::createStore):
3922         (JSC::B3::Air::LowerToAir::lower):
3923         * b3/air/AirOpcode.opcodes:
3924         * b3/testb3.cpp:
3925         (JSC::B3::testStore8Arg):
3926         (JSC::B3::testStore8Imm):