Fix build.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-06-21  Anders Carlsson  <andersca@apple.com>
2
3         Fix build.
4
5         * Configurations/FeatureDefines.xcconfig:
6
7 2016-06-21  Geoffrey Garen  <ggaren@apple.com>
8
9         Options::useImmortalObjects is not safe for conservative GC
10         https://bugs.webkit.org/show_bug.cgi?id=158999
11
12         Reviewed by Geoffrey Garen.
13
14         useImmortalObjects set the mark bit to keep an object from being
15         reallocated. This had the negative side-effect of convincing the
16         conservative marker that the object was a valid and live cell, which
17         would cause us to visit garbage.
18
19         * heap/Heap.cpp:
20         (JSC::Heap::didFinishCollection):
21         (JSC::Heap::resumeCompilerThreads):
22         (JSC::Heap::setFullActivityCallback):
23         (JSC::Heap::markDeadObjects): Deleted.
24         * heap/Heap.h: Don't set the mark bit on a dead object. That's a bug in
25         a conservative GC.
26
27         * heap/MarkedAllocator.cpp:
28         (JSC::MarkedAllocator::retire): New helper.
29
30         (JSC::MarkedAllocator::reset): Automatically retire old blocks when
31         we're doing the immortal objects thing. This has the effect of
32         preserving memory for debugging because we never recycle a previously
33         allocated block.
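
Why setting the mark bit on a dead cell breaks a conservative collector, as an added toy model (not JSC's code; Cell, Block, Heap and ImmortalPolicy are names assumed for the illustration): the conservative root scan can only vouch for a stack word by consulting the heap's own mark bits, so a mark bit that is set on garbage turns a stale stack word into a root and the marker traces through the dead cell. Retiring the block keeps the memory out of the allocator without lying to the marker.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy model of a conservative mark-sweep heap. Added illustration, not JSC's code;
// Cell, Block, Heap and ImmortalPolicy are names assumed for this example.
struct Cell {
    Cell* child = nullptr;        // the single outgoing reference a cell can hold
    bool marked = false;          // mark bit left by the most recent collection
    bool newlyAllocated = false;  // handed out since the most recent collection
};

struct Block {
    static constexpr size_t kCells = 4;
    Cell cells[kCells];
    bool retired = false;  // a retired block is never used for allocation again

    // Map an arbitrary machine word to the cell it addresses, or nullptr.
    Cell* cellForWord(uintptr_t word) {
        uintptr_t base = reinterpret_cast<uintptr_t>(cells);
        if (word < base || word >= base + sizeof(cells)) return nullptr;
        if ((word - base) % sizeof(Cell) != 0) return nullptr;
        return &cells[(word - base) / sizeof(Cell)];
    }
};

// How dead objects are kept from being reallocated when useImmortalObjects is on.
enum class ImmortalPolicy { None, MarkBit, RetireBlock };

struct Heap {
    explicit Heap(ImmortalPolicy p) : policy(p) {}
    ImmortalPolicy policy;
    Block block;
    std::vector<Cell*> visitedLastGC;  // every cell the marker traced in the last cycle

    Cell* allocate() {
        if (block.retired) return nullptr;  // a real allocator would take a fresh block
        for (Cell& c : block.cells)
            if (!c.marked && !c.newlyAllocated) { c = Cell{}; c.newlyAllocated = true; return &c; }
        return nullptr;
    }

    // A conservative scanner has no type information for a stack word. The only
    // thing that says "this address is a live cell" is the heap's own bookkeeping:
    // the mark bit from the previous cycle, or the newly-allocated flag.
    bool isLiveCell(const Cell* c) const { return c && (c->marked || c->newlyAllocated); }

    void mark(Cell* c) {
        if (!c || c->marked) return;
        c->marked = true;
        visitedLastGC.push_back(c);
        mark(c->child);
    }

    void collect(const std::vector<uintptr_t>& stackWords) {
        std::vector<Cell*> roots;
        for (uintptr_t w : stackWords) {
            Cell* c = block.cellForWord(w);
            if (isLiveCell(c)) roots.push_back(c);
        }
        for (Cell& c : block.cells) { c.marked = false; c.newlyAllocated = false; }
        visitedLastGC.clear();
        for (Cell* r : roots) mark(r);

        // Sweep. MarkBit sets the mark bit on each dead cell so allocate() skips it,
        // but that also makes isLiveCell() vouch for it on the next conservative scan.
        for (Cell& c : block.cells)
            if (!c.marked && policy == ImmortalPolicy::MarkBit) c.marked = true;
        // RetireBlock keeps the memory out of the allocator without lying to the marker.
        if (policy == ImmortalPolicy::RetireBlock) block.retired = true;
    }
};

// deadCellReused: did allocate() hand the dead cell out again? deadCellVisited: did a
// later collection trace through the dead cell and its stale child pointer?
struct Outcome { bool deadCellReused; bool deadCellVisited; };

static uintptr_t word(const Cell* c) { return reinterpret_cast<uintptr_t>(c); }

Outcome runScenario(ImmortalPolicy policy) {
    Heap heap(policy);
    Cell* a = heap.allocate(); Cell* b = heap.allocate();
    Cell* c = heap.allocate(); Cell* d = heap.allocate();
    a->child = b;  // a -> b stays reachable
    c->child = d;  // c -> d becomes garbage after the first collection
    heap.collect({word(a)});           // only a is on the stack: c and d die
    heap.collect({word(a), word(c)});  // a stale word pointing at c is still on the stack
    bool visited = std::find(heap.visitedLastGC.begin(), heap.visitedLastGC.end(), c)
        != heap.visitedLastGC.end();
    Cell* fresh = heap.allocate();
    return Outcome{fresh == c || fresh == d, visited};
}
```

With MarkBit the dead cell is never reallocated but the second collection visits it (and resurrects its stale child); with RetireBlock it is neither reallocated nor visited.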
34
35 2016-06-21  Anders Carlsson  <andersca@apple.com>
36
37         Begin moving the Apple Pay code to the open source repository
38         https://bugs.webkit.org/show_bug.cgi?id=158998
39
40         Reviewed by Tim Horton.
41
42         * Configurations/FeatureDefines.xcconfig:
43         Add ENABLE_APPLE_PAY.
44
45 2016-06-21  Saam Barati  <sbarati@apple.com>
46
47         CodeBlock::shrinkToFit is racy
48         https://bugs.webkit.org/show_bug.cgi?id=158994
49         <rdar://problem/26920212>
50
51         Reviewed by Filip Pizlo.
52
53         To see why this is racy, consider the following scenario:
54         - CodeBlock A is link()ing its baseline compile.
55         - CodeBlock B is inlining A, and asks A for a result profile in DFGBytecodeParser.
56         - The race occurs when the link() step of the baseline compile calls shrinkToFit
57           on its m_resultProfiles field without grabbing a lock. This leads to a bad
58           time because the DFG compile will be reading from that vector as it's getting
59           changed by the baseline link() method.
60
61         This race has always existed, though the move to a concurrent baseline
62         JIT has made it more likely to occur. The solution is to have CodeBlock::shrinkToFit
63         grab its lock before shrinking the vector.
64
65         * bytecode/CodeBlock.cpp:
66         (JSC::CodeBlock::shrinkToFit):
67
68 2016-06-21  David Kilzer  <ddkilzer@apple.com>
69
70         Migrate testair & testb3 settings from Xcode project to ToolExecutable.xcconfig
71         <https://webkit.org/b/158989>
72
73         Reviewed by Andy Estes.
74
75         * Configurations/ToolExecutable.xcconfig:
76         (CODE_SIGN_ENTITLEMENTS_ios_testair): Add from Xcode project.
77         * JavaScriptCore.xcodeproj/project.pbxproj:
78         (CODE_SIGN_ENTITLEMENTS_ios_testair): Move to
79         ToolExecutable.xcconfig.
80         (PRODUCT_NAME): Remove.  This variable is already set for both
81         testair and testb3 since those build configurations use
82         ToolExecutable.xcconfig as a base.
83
84 2016-06-21  Saam Barati  <sbarati@apple.com>
85
86         LLInt doesn't throw stack exception overflow from parent frame
87         https://bugs.webkit.org/show_bug.cgi?id=158962
88         <rdar://problem/26902188>
89
90         Reviewed by Filip Pizlo.
91
92         All JIT tiers will throw stack overflow exceptions from the parent frame.
93         The LLInt, on the other hand, did not use to. I've changed the LLInt to be
94         consistent with the JITs. The reason I found this bug is because we had a
95         test that would give different results depending on if the function was compiled
96         in the baseline or the LLInt. Since Filip recently landed the concurrent baseline
97         JIT patch, this otherwise deterministic test became dependent on it being compiled
98         in the LLInt or one of the JIT tiers. I've added a new test that is deterministic
99         because it runs the test with --useJIT=false.
100
101         * llint/LLIntSlowPaths.cpp:
102         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
103         * tests/stress/llint-stack-overflow-location.js: Added.
104         (stackTraceDescription):
105         (foo):
106         (catch):
107
108 2016-06-21  David Kilzer  <ddkilzer@apple.com>
109
110         CODE_SIGN_ENTITLEMENTS should be applied to iOS Simulator builds
111         <https://webkit.org/b/158990>
112         <rdar://problem/26906273>
113
114         Reviewed by Dan Bernstein.
115
116         * Configurations/JSC.xcconfig:
117         (CODE_SIGN_ENTITLEMENTS): Change [sdk=iphoneos*] to
118         [sdk=iphone*] to apply setting to iOS Simulator as well.
119         * Configurations/ToolExecutable.xcconfig:
120         (CODE_SIGN_ENTITLEMENTS): Ditto.
121
122 2016-06-21  Keith Miller  <keith_miller@apple.com>
123
124         It should be easy to add a private global helper function for builtins
125         https://bugs.webkit.org/show_bug.cgi?id=158893
126
127         Reviewed by Mark Lam.
128
129         This patch does two things. First it moves all the builtin names
130         out of CommonIdentifiers and into BuiltinNames. This means that
131         adding a new function to the Builtins does not require rebuilding
132         all of JavaScriptCore. This patch also adds a new decorator to our
133         builtins @privateGlobal that will automatically put the function
134         on the global object. The name of the property will be the same as
135         the private name of the function.
136
137         This patch also removes the JSArrayIterator.h/.cpp files
138         as they no longer appear to be used in any real way. Finally,
139         the builtins tests have been rebaselined. It appears this has
140         not been done for a while so the expected files contain other
141         changes.
142
143         * CMakeLists.txt:
144         * JavaScriptCore.xcodeproj/project.pbxproj:
145         * Scripts/builtins/builtins_generate_combined_header.py:
146         (BuiltinsCombinedHeaderGenerator.generate_output):
147         (generate_section_for_code_name_macro):
148         (generate_section_for_global_private_code_name_macro):
149         * Scripts/builtins/builtins_model.py:
150         (BuiltinFunction.__init__):
151         (BuiltinFunction.fromString):
152         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
153         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
154         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
155         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
156         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
157         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
158         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
159         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
160         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
161         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
162         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
163         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
164         * builtins/ArrayIteratorPrototype.js:
165         * builtins/ArrayPrototype.js:
166         * builtins/BuiltinNames.h:
167         * builtins/GeneratorPrototype.js:
168         * builtins/GlobalObject.js:
169         * builtins/PromiseOperations.js:
170         * builtins/RegExpPrototype.js:
171         * builtins/StringPrototype.js:
172         * bytecode/BytecodeIntrinsicRegistry.cpp:
173         * bytecompiler/BytecodeGenerator.cpp:
174         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
175         (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
176         (JSC::BytecodeGenerator::emitGetTemplateObject):
177         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
178         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
179         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
180         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
181         (JSC::BytecodeGenerator::emitGeneratorStateChange):
182         * bytecompiler/NodesCodegen.cpp:
183         (JSC::emitHomeObjectForCallee):
184         (JSC::emitPutHomeObject):
185         (JSC::FunctionNode::emitBytecode):
186         * dfg/DFGOperations.cpp:
187         * inspector/JSInjectedScriptHost.cpp:
188         (Inspector::JSInjectedScriptHost::subtype):
189         (Inspector::JSInjectedScriptHost::getInternalProperties): Deleted.
190         * parser/Lexer.cpp:
191         (JSC::Lexer<LChar>::parseIdentifier):
192         (JSC::Lexer<UChar>::parseIdentifier):
193         * parser/Nodes.h:
194         * parser/Parser.cpp:
195         (JSC::Parser<LexerType>::createGeneratorParameters):
196         (JSC::Parser<LexerType>::parseExportDeclaration):
197         * runtime/ArrayIteratorPrototype.cpp:
198         * runtime/ArrayIteratorPrototype.h:
199         * runtime/ArrayPrototype.cpp:
200         * runtime/CommonIdentifiers.cpp:
201         (JSC::CommonIdentifiers::CommonIdentifiers): Deleted.
202         * runtime/CommonIdentifiers.h:
203         * runtime/CommonSlowPaths.cpp:
204         (JSC::SLOW_PATH_DECL):
205         * runtime/IntlDateTimeFormat.cpp:
206         * runtime/IntlDateTimeFormatPrototype.cpp:
207         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
208         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
209         * runtime/IntlNumberFormatPrototype.cpp:
210         (JSC::IntlNumberFormatPrototypeGetterFormat):
211         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
212         * runtime/IntlObjectInlines.h:
213         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
214         * runtime/JSArrayIterator.cpp: Removed.
215         (JSC::JSArrayIterator::finishCreation): Deleted.
216         (JSC::JSArrayIterator::kind): Deleted.
217         (JSC::JSArrayIterator::iteratedValue): Deleted.
218         * runtime/JSArrayIterator.h: Removed.
219         (JSC::JSArrayIterator::createStructure): Deleted.
220         (JSC::JSArrayIterator::create): Deleted.
221         (JSC::JSArrayIterator::JSArrayIterator): Deleted.
222         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
223         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
224         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
225         * runtime/JSGlobalObject.cpp:
226         (JSC::JSGlobalObject::init):
227         * runtime/JSInternalPromise.cpp:
228         * runtime/JSInternalPromiseDeferred.cpp:
229         (JSC::JSInternalPromiseDeferred::create):
230         * runtime/JSPromise.cpp:
231         (JSC::JSPromise::finishCreation):
232         (JSC::JSPromise::result):
233         * runtime/JSPromiseDeferred.cpp:
234         (JSC::JSPromiseDeferred::create):
235         * runtime/JSStringIterator.cpp:
236         (JSC::JSStringIterator::finishCreation):
237         (JSC::JSStringIterator::iteratedValue):
238         (JSC::JSStringIterator::clone):
239         * runtime/MapPrototype.cpp:
240         (JSC::MapPrototype::finishCreation):
241         * runtime/ObjectConstructor.cpp:
242         (JSC::ObjectConstructor::finishCreation):
243         * runtime/ReflectObject.cpp:
244         (JSC::ReflectObject::finishCreation):
245         * runtime/StringPrototype.cpp:
246         (JSC::StringPrototype::finishCreation):
247         * runtime/TypedArrayInlines.h:
248
249 2016-06-20  Yusuke Suzuki  <utatane.tea@gmail.com>
250
251         [JSC] Use bytecode intrinsic to expose Module's loading status to builtin JS
252         https://bugs.webkit.org/show_bug.cgi?id=158871
253
254         Reviewed by Sam Weinig.
255
256         Now JSC has bytecode intrinsic system. Use it instead of exposing status values through the loader's properties.
257
258         * builtins/ModuleLoaderObject.js:
259         (newRegistryEntry):
260         (fulfillFetch):
261         (fulfillTranslate):
262         (commitInstantiated):
263         (requestFetch):
264         (requestTranslate):
265         (requestInstantiate):
266         (requestResolveDependencies.):
267         (requestResolveDependencies):
268         (requestLink):
269         (link):
270         (provide):
271         * bytecode/BytecodeIntrinsicRegistry.cpp:
272         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
273         * bytecode/BytecodeIntrinsicRegistry.h:
274         * runtime/ModuleLoaderObject.cpp:
275         (JSC::ModuleLoaderObject::finishCreation): Deleted.
276
277 2016-06-20  Commit Queue  <commit-queue@webkit.org>
278
279         Unreviewed, rolling out r202248.
280         https://bugs.webkit.org/show_bug.cgi?id=158960
281
282         breaks builds on the simulator (Requested by keith_mi_ on
283         #webkit).
284
285         Reverted changeset:
286
287         "It should be easy to add a private global helper function for
288         builtins"
289         https://bugs.webkit.org/show_bug.cgi?id=158893
290         http://trac.webkit.org/changeset/202248
291
292 2016-06-20  Keith Miller  <keith_miller@apple.com>
293
294         It should be easy to add a private global helper function for builtins
295         https://bugs.webkit.org/show_bug.cgi?id=158893
296
297         Reviewed by Mark Lam.
298
299         This patch does two things. First it moves all the builtin names
300         out of CommonIdentifiers and into BuiltinNames. This means that
301         adding a new function to the Builtins does not require rebuilding
302         all of JavaScriptCore. This patch also adds a new decorator to our
303         builtins @privateGlobal that will automatically put the function
304         on the global object. The name of the property will be the same as
305         the private name of the function.
306
307         This patch also removes the JSArrayIterator.h/.cpp files
308         as they no longer appear to be used in any real way. Finally,
309         the builtins tests have been rebaselined. It appears this has
310         not been done for a while so the expected files contain other
311         changes.
312
313         * CMakeLists.txt:
314         * JavaScriptCore.xcodeproj/project.pbxproj:
315         * Scripts/builtins/builtins_generate_combined_header.py:
316         (BuiltinsCombinedHeaderGenerator.generate_output):
317         (generate_section_for_code_name_macro):
318         (generate_section_for_global_private_code_name_macro):
319         * Scripts/builtins/builtins_model.py:
320         (BuiltinFunction.__init__):
321         (BuiltinFunction.fromString):
322         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
323         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
324         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
325         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
326         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
327         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
328         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
329         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
330         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
331         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
332         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
333         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
334         * builtins/ArrayIteratorPrototype.js:
335         * builtins/ArrayPrototype.js:
336         * builtins/BuiltinNames.h:
337         * builtins/GeneratorPrototype.js:
338         * builtins/GlobalObject.js:
339         * builtins/PromiseOperations.js:
340         * builtins/RegExpPrototype.js:
341         * builtins/StringPrototype.js:
342         * bytecode/BytecodeIntrinsicRegistry.cpp:
343         * bytecompiler/BytecodeGenerator.cpp:
344         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
345         (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
346         (JSC::BytecodeGenerator::emitGetTemplateObject):
347         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
348         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
349         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
350         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
351         (JSC::BytecodeGenerator::emitGeneratorStateChange):
352         * bytecompiler/NodesCodegen.cpp:
353         (JSC::emitHomeObjectForCallee):
354         (JSC::emitPutHomeObject):
355         (JSC::FunctionNode::emitBytecode):
356         * dfg/DFGOperations.cpp:
357         * inspector/JSInjectedScriptHost.cpp:
358         (Inspector::JSInjectedScriptHost::subtype):
359         (Inspector::JSInjectedScriptHost::getInternalProperties): Deleted.
360         * parser/Lexer.cpp:
361         (JSC::Lexer<LChar>::parseIdentifier):
362         (JSC::Lexer<UChar>::parseIdentifier):
363         * parser/Nodes.h:
364         * parser/Parser.cpp:
365         (JSC::Parser<LexerType>::createGeneratorParameters):
366         (JSC::Parser<LexerType>::parseExportDeclaration):
367         * runtime/ArrayIteratorPrototype.cpp:
368         * runtime/ArrayIteratorPrototype.h:
369         * runtime/ArrayPrototype.cpp:
370         * runtime/CommonIdentifiers.cpp:
371         (JSC::CommonIdentifiers::CommonIdentifiers): Deleted.
372         * runtime/CommonIdentifiers.h:
373         * runtime/CommonSlowPaths.cpp:
374         (JSC::SLOW_PATH_DECL):
375         * runtime/IntlDateTimeFormat.cpp:
376         * runtime/IntlDateTimeFormatPrototype.cpp:
377         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
378         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
379         * runtime/IntlNumberFormatPrototype.cpp:
380         (JSC::IntlNumberFormatPrototypeGetterFormat):
381         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
382         * runtime/IntlObjectInlines.h:
383         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
384         * runtime/JSArrayIterator.cpp: Removed.
385         (JSC::JSArrayIterator::finishCreation): Deleted.
386         (JSC::JSArrayIterator::kind): Deleted.
387         (JSC::JSArrayIterator::iteratedValue): Deleted.
388         * runtime/JSArrayIterator.h: Removed.
389         (JSC::JSArrayIterator::createStructure): Deleted.
390         (JSC::JSArrayIterator::create): Deleted.
391         (JSC::JSArrayIterator::JSArrayIterator): Deleted.
392         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
393         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
394         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
395         * runtime/JSGlobalObject.cpp:
396         (JSC::JSGlobalObject::init):
397         * runtime/JSInternalPromise.cpp:
398         * runtime/JSInternalPromiseDeferred.cpp:
399         (JSC::JSInternalPromiseDeferred::create):
400         * runtime/JSPromise.cpp:
401         (JSC::JSPromise::finishCreation):
402         (JSC::JSPromise::result):
403         * runtime/JSPromiseDeferred.cpp:
404         (JSC::JSPromiseDeferred::create):
405         * runtime/JSStringIterator.cpp:
406         (JSC::JSStringIterator::finishCreation):
407         (JSC::JSStringIterator::iteratedValue):
408         (JSC::JSStringIterator::clone):
409         * runtime/MapPrototype.cpp:
410         (JSC::MapPrototype::finishCreation):
411         * runtime/ObjectConstructor.cpp:
412         (JSC::ObjectConstructor::finishCreation):
413         * runtime/ReflectObject.cpp:
414         (JSC::ReflectObject::finishCreation):
415         * runtime/StringPrototype.cpp:
416         (JSC::StringPrototype::finishCreation):
417         * runtime/TypedArrayInlines.h:
418
419 2016-06-20  Filip Pizlo  <fpizlo@apple.com>
420
421         LLInt64 Float64 get_by_val doesn't purify NaN
422         https://bugs.webkit.org/show_bug.cgi?id=158956
423
424         Reviewed by Michael Saboff.
425
426         * llint/LowLevelInterpreter64.asm: Fix the bug.
427         * tests/stress/float64-array-nan-inlined.js: Make this test also run in LLInt-only mode to catch this bug.
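
Why a get_by_val fast path on a Float64Array must purify NaN, as an added illustration (not the ChangeLog's or JSC's code): script can store any bit pattern into a Float64Array element, and with NaN-boxing a double is boxed by adding an offset to its raw bits, so an unpurified NaN whose high bits fall in the range 0xfffe...-0xffff... boxes to a word the rest of the engine reads as an int32 or a pointer. The tag constants below are assumed from the 64-bit JSValue layout JSC used at the time.

```cpp
#include <cstdint>
#include <cstring>

// Added illustration, not JSC's code. The constants describe the 64-bit NaN-boxed
// JSValue layout JSC used at the time as assumed here: a double is stored as its
// IEEE-754 bits plus 2^48, an int32 carries the tag 0xffff in its top 16 bits, and a
// pointer (or small immediate such as null/undefined) has its top 16 bits clear.
constexpr uint64_t DoubleEncodeOffset = 1ull << 48;
constexpr uint64_t TagTypeNumber = 0xffff000000000000ull;
constexpr uint64_t PNaN = 0x7ff8000000000000ull;  // the single canonical NaN

enum class Kind { Pointer, Int32, Double };

uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }

// A NaN has an all-ones exponent and a non-zero mantissa; sign and payload are free,
// which is exactly what lets script pick the high bits.
bool isNaNBits(uint64_t b) {
    return (b & 0x7ff0000000000000ull) == 0x7ff0000000000000ull && (b & 0x000fffffffffffffull) != 0;
}

// Purification: collapse every NaN payload onto PNaN, leave all other values alone.
uint64_t purifyNaNBits(uint64_t b) { return isNaNBits(b) ? PNaN : b; }

// Boxing a double is just the offset add; unsigned overflow wraps, which is why raw
// bits in [0xfffe000000000000, 0xffffffffffffffff] must never reach this point.
uint64_t boxDoubleBits(uint64_t rawBits) { return rawBits + DoubleEncodeOffset; }

// How the rest of the engine would interpret a boxed word.
Kind classify(uint64_t encoded) {
    if ((encoded & TagTypeNumber) == TagTypeNumber) return Kind::Int32;
    if ((encoded & TagTypeNumber) == 0) return Kind::Pointer;  // also empty/null/undefined
    return Kind::Double;
}

// Element bits read back from a Float64Array (constructed input), boxed with or
// without purification, as a get_by_val fast path would do.
Kind kindAfterReadback(uint64_t rawBits, bool purify) {
    return classify(boxDoubleBits(purify ? purifyNaNBits(rawBits) : rawBits));
}
```

Without purification the NaN 0xffff000000000001 boxes to 0x0000000000000001 (a "pointer") and 0xfffe000000000000 boxes to the int32 tag; after purification both box to PNaN + 2^48, a well-formed double.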
428
429 2016-06-20  Keith Rollin  <krollin@apple.com>
430
431         Remove RefPtr::release() and change calls sites to use WTFMove()
432         https://bugs.webkit.org/show_bug.cgi?id=158369
433
434         Reviewed by Chris Dumez.
435
436         RefPtr::release() releases its managed pointer awkwardly. It's more
437         direct and clearer to use WTFMove to transfer ownership of the managed
438         pointer.
439
440         As part of this cleanup, also change a lot of explicit data types to
441         'auto'.
442
443         * API/JSObjectRef.cpp:
444         (JSClassCreate):
445         * API/JSScriptRef.cpp:
446         * API/JSValueRef.cpp:
447         (JSValueToStringCopy):
448         * bytecompiler/StaticPropertyAnalyzer.h:
449         (JSC::StaticPropertyAnalyzer::newObject):
450         (JSC::StaticPropertyAnalyzer::mov):
451         * debugger/DebuggerCallFrame.cpp:
452         (JSC::DebuggerCallFrame::invalidate):
453         * dfg/DFGJITCompiler.cpp:
454         (JSC::DFG::JITCompiler::compile):
455         (JSC::DFG::JITCompiler::compileFunction):
456         * inspector/InspectorValues.cpp:
457         (Inspector::InspectorValue::parseJSON):
458         * inspector/agents/InspectorAgent.cpp:
459         (Inspector::InspectorAgent::activateExtraDomain):
460         (Inspector::InspectorAgent::activateExtraDomains):
461         * inspector/agents/InspectorDebuggerAgent.cpp:
462         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
463         * inspector/remote/RemoteInspector.mm:
464         (Inspector::RemoteInspector::receivedSetupMessage):
465         * jit/Repatch.cpp:
466         (JSC::linkPolymorphicCall):
467         * runtime/GenericTypedArrayViewInlines.h:
468         (JSC::GenericTypedArrayView<Adaptor>::create):
469         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
470         * runtime/JSArrayBufferConstructor.cpp:
471         (JSC::constructArrayBuffer):
472         * runtime/PropertyNameArray.h:
473         (JSC::PropertyNameArray::releaseData):
474         * runtime/Structure.cpp:
475         (JSC::Structure::toStructureShape):
476         * runtime/TypeSet.cpp:
477         (JSC::StructureShape::merge):
478         * tools/FunctionOverrides.cpp:
479         (JSC::initializeOverrideInfo):
480
481 2016-06-20  Joseph Pecoraro  <pecoraro@apple.com>
482
483         Web Inspector: console.profile should use the new Sampling Profiler
484         https://bugs.webkit.org/show_bug.cgi?id=153499
485         <rdar://problem/24352431>
486
487         Reviewed by Timothy Hatcher.
488
489         Currently console.profile/profileEnd behave slightly differently
490         between JSContext and Web inspection. Unifying will be part of:
491         <https://webkit.org/b/158753> Generalize the concept of Instruments on the backend
492
493         Both JSContext and Web inspection keep track of active
494         profiles started and stopped via console.profile/profileEnd.
495
496         JSContext inspection sends its programmatic start/stop
497         via the ScriptProfiler domain.
498
499         Web inspection sends its programmatic start/stop
500         via the Timeline domain, and also will start/stop backend
501         list of Instruments.
502
503         The functional differences between these is that for JSContext
504         inspection, console.profile only starts/stops the ScriptProfiler
505         domain, and does not auto-start other instruments. This isn't really
506         a problem right now given the instruments available for JSContext
507         inspection; but it will be nice to unify as we add more instruments.
508         Also, JSContext inspection won't have "Profile (name)" records in
509         its Events view, since those are currently generated only by the
510         Web's Timeline domain.
511
512         * inspector/protocol/ScriptProfiler.json:
513         * inspector/protocol/Timeline.json:
514         Events to inform the frontend of programmatic start/stop.
515
516         * debugger/Debugger.h:
517         * inspector/agents/InspectorDebuggerAgent.cpp:
518         (Inspector::InspectorDebuggerAgent::breakpointsActive):
519         (Inspector::InspectorDebuggerAgent::isPaused):
520         * inspector/agents/InspectorDebuggerAgent.h:
521         Expose breakpoints active state, since programmatic recording
522         will temporarily disable breakpoints if needed.
523
524         * inspector/JSGlobalObjectConsoleClient.cpp:
525         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
526         (Inspector::JSGlobalObjectConsoleClient::profile):
527         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
528         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
529         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
530         * inspector/JSGlobalObjectConsoleClient.h:
531         * inspector/JSGlobalObjectInspectorController.cpp:
532         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
533         * inspector/agents/InspectorScriptProfilerAgent.cpp:
534         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted):
535         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped):
536         * inspector/agents/InspectorScriptProfilerAgent.h:
537         JSContext implementation of console.profile/profileEnd.
538
539 2016-06-19  Saam Barati  <sbarati@apple.com>
540
541         We should be able to generate more types of ICs inline
542         https://bugs.webkit.org/show_bug.cgi?id=158719
543         <rdar://problem/26825641>
544
545         Reviewed by Filip Pizlo.
546
547         This patch changes how we emit code for *byId ICs inline.
548         We no longer keep data labels to patch structure checks, etc.
549         Instead, we just regenerate the entire IC into a designated
550         region of code that the Baseline/DFG/FTL JIT will emit inline.
551         This makes it much simpler to patch inline ICs. All that's
552         needed to patch an inline IC is to memcpy the code from
553         a macro assembler inline using LinkBuffer. This architecture
554         will be easy to extend into other forms of ICs, such as one
555         for add, in the future.
556
557         To support this change, I've reworked the fields inside
558         StructureStubInfo. It now has one field that is the CodeLocationLabel
559         of the start of the inline IC. Then it has a few ints that track deltas
560         to other locations in the IC such as the slow path start, slow path call, the
561         ICs 'done' location. We used to perform math on these ints in a bunch of different
562         places. I've consolidated that math into methods inside StructureStubInfo.
563
564         To generate inline ICs, I've implemented a new class called InlineAccess.
565         InlineAccess is stateless: it just has a bunch of static methods for
566         generating code into the inline region specified by StructureStubInfo.
567         Repatch will now decide when it wants to generate such an inline
568         IC, and it will ask InlineAccess to do so.
569
570         I've implemented three types of inline ICs to begin with (extending
571         this in the future should be easy):
572         - Self property loads (both inline and out of line offsets).
573         - Self property replace (both inline and out of line offsets).
574         - Array length on specific array types.
575         (An easy extension would be to implement JSString length.)
576
577         To know how much inline space to reserve, I've implemented a
578         method that stubs out the various inline cache shapes and
579         dumps their size. This is used to determine how much space
580         to save inline. When InlineAccess ends up generating more
581         code than can fit inline, we will fall back to generating
582         code with PolymorphicAccess instead.
583
584         To make generating code into already allocated executable memory
585         efficient, I've made AssemblerData have 128 bytes of inline storage.
586         This saves us a malloc when splatting code into the inline region.
587
588         This patch also tidies up LinkBuffer's API for generating
589         into already allocated executable memory. Now, when generating
590         code that has less size than the already allocated space, LinkBuffer
591         will fill the extra space with nops. Also, if branch compaction shrinks
592         the code, LinkBuffer will add a nop sled at the end of the shrunken
593         code to take up the entire allocated size.
594
595         This looks like it could be a 1% octane progression.
596
597         * CMakeLists.txt:
598         * JavaScriptCore.xcodeproj/project.pbxproj:
599         * assembler/ARM64Assembler.h:
600         (JSC::ARM64Assembler::nop):
601         (JSC::ARM64Assembler::fillNops):
602         * assembler/ARMv7Assembler.h:
603         (JSC::ARMv7Assembler::nopw):
604         (JSC::ARMv7Assembler::nopPseudo16):
605         (JSC::ARMv7Assembler::nopPseudo32):
606         (JSC::ARMv7Assembler::fillNops):
607         (JSC::ARMv7Assembler::dmbSY):
608         * assembler/AbstractMacroAssembler.h:
609         (JSC::AbstractMacroAssembler::addLinkTask):
610         (JSC::AbstractMacroAssembler::emitNops):
611         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
612         * assembler/AssemblerBuffer.h:
613         (JSC::AssemblerData::AssemblerData):
614         (JSC::AssemblerData::operator=):
615         (JSC::AssemblerData::~AssemblerData):
616         (JSC::AssemblerData::buffer):
617         (JSC::AssemblerData::grow):
618         (JSC::AssemblerData::isInlineBuffer):
619         (JSC::AssemblerBuffer::AssemblerBuffer):
620         (JSC::AssemblerBuffer::ensureSpace):
621         (JSC::AssemblerBuffer::codeSize):
622         (JSC::AssemblerBuffer::setCodeSize):
623         (JSC::AssemblerBuffer::label):
624         (JSC::AssemblerBuffer::debugOffset):
625         (JSC::AssemblerBuffer::releaseAssemblerData):
626         * assembler/LinkBuffer.cpp:
627         (JSC::LinkBuffer::copyCompactAndLinkCode):
628         (JSC::LinkBuffer::linkCode):
629         (JSC::LinkBuffer::allocate):
630         (JSC::LinkBuffer::performFinalization):
631         (JSC::LinkBuffer::shrink): Deleted.
632         * assembler/LinkBuffer.h:
633         (JSC::LinkBuffer::LinkBuffer):
634         (JSC::LinkBuffer::debugAddress):
635         (JSC::LinkBuffer::size):
636         (JSC::LinkBuffer::wasAlreadyDisassembled):
637         (JSC::LinkBuffer::didAlreadyDisassemble):
638         (JSC::LinkBuffer::applyOffset):
639         (JSC::LinkBuffer::code):
640         * assembler/MacroAssemblerARM64.h:
641         (JSC::MacroAssemblerARM64::patchableBranch32):
642         (JSC::MacroAssemblerARM64::patchableBranch64):
643         * assembler/MacroAssemblerARMv7.h:
644         (JSC::MacroAssemblerARMv7::patchableBranch32):
645         (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
646         * assembler/X86Assembler.h:
647         (JSC::X86Assembler::nop):
648         (JSC::X86Assembler::fillNops):
649         * bytecode/CodeBlock.cpp:
650         (JSC::CodeBlock::printGetByIdCacheStatus):
651         * bytecode/InlineAccess.cpp: Added.
652         (JSC::InlineAccess::dumpCacheSizesAndCrash):
653         (JSC::linkCodeInline):
654         (JSC::InlineAccess::generateSelfPropertyAccess):
655         (JSC::getScratchRegister):
656         (JSC::hasFreeRegister):
657         (JSC::InlineAccess::canGenerateSelfPropertyReplace):
658         (JSC::InlineAccess::generateSelfPropertyReplace):
659         (JSC::InlineAccess::isCacheableArrayLength):
660         (JSC::InlineAccess::generateArrayLength):
661         (JSC::InlineAccess::rewireStubAsJump):
662         * bytecode/InlineAccess.h: Added.
663         (JSC::InlineAccess::sizeForPropertyAccess):
664         (JSC::InlineAccess::sizeForPropertyReplace):
665         (JSC::InlineAccess::sizeForLengthAccess):
666         * bytecode/PolymorphicAccess.cpp:
667         (JSC::PolymorphicAccess::regenerate):
668         * bytecode/StructureStubInfo.cpp:
669         (JSC::StructureStubInfo::initGetByIdSelf):
670         (JSC::StructureStubInfo::initArrayLength):
671         (JSC::StructureStubInfo::initPutByIdReplace):
672         (JSC::StructureStubInfo::deref):
673         (JSC::StructureStubInfo::aboutToDie):
674         (JSC::StructureStubInfo::propagateTransitions):
675         (JSC::StructureStubInfo::containsPC):
676         * bytecode/StructureStubInfo.h:
677         (JSC::StructureStubInfo::considerCaching):
678         (JSC::StructureStubInfo::slowPathCallLocation):
679         (JSC::StructureStubInfo::doneLocation):
680         (JSC::StructureStubInfo::slowPathStartLocation):
681         (JSC::StructureStubInfo::patchableJumpForIn):
682         (JSC::StructureStubInfo::valueRegs):
683         * dfg/DFGJITCompiler.cpp:
684         (JSC::DFG::JITCompiler::link):
685         * dfg/DFGOSRExitCompilerCommon.cpp:
686         (JSC::DFG::reifyInlinedCallFrames):
687         * dfg/DFGSpeculativeJIT32_64.cpp:
688         (JSC::DFG::SpeculativeJIT::cachedGetById):
689         * dfg/DFGSpeculativeJIT64.cpp:
690         (JSC::DFG::SpeculativeJIT::cachedGetById):
691         * ftl/FTLLowerDFGToB3.cpp:
692         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
693         (JSC::FTL::DFG::LowerDFGToB3::getById):
694         * jit/JITInlineCacheGenerator.cpp:
695         (JSC::JITByIdGenerator::finalize):
696         (JSC::JITByIdGenerator::generateFastCommon):
697         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
698         (JSC::JITGetByIdGenerator::generateFastPath):
699         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
700         (JSC::JITPutByIdGenerator::generateFastPath):
701         (JSC::JITPutByIdGenerator::slowPathFunction):
702         (JSC::JITByIdGenerator::generateFastPathChecks): Deleted.
703         * jit/JITInlineCacheGenerator.h:
704         (JSC::JITByIdGenerator::reportSlowPathCall):
705         (JSC::JITByIdGenerator::slowPathBegin):
706         (JSC::JITByIdGenerator::slowPathJump):
707         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
708         * jit/JITPropertyAccess.cpp:
709         (JSC::JIT::emitGetByValWithCachedId):
710         (JSC::JIT::emit_op_try_get_by_id):
711         (JSC::JIT::emit_op_get_by_id):
712         * jit/JITPropertyAccess32_64.cpp:
713         (JSC::JIT::emitGetByValWithCachedId):
714         (JSC::JIT::emit_op_try_get_by_id):
715         (JSC::JIT::emit_op_get_by_id):
716         * jit/Repatch.cpp:
717         (JSC::repatchCall):
718         (JSC::tryCacheGetByID):
719         (JSC::repatchGetByID):
720         (JSC::appropriateGenericPutByIdFunction):
721         (JSC::tryCachePutByID):
722         (JSC::repatchPutByID):
723         (JSC::tryRepatchIn):
724         (JSC::repatchIn):
725         (JSC::linkSlowFor):
726         (JSC::resetGetByID):
727         (JSC::resetPutByID):
728         (JSC::resetIn):
729         (JSC::repatchByIdSelfAccess): Deleted.
730         (JSC::resetGetByIDCheckAndLoad): Deleted.
731         (JSC::resetPutByIDCheckAndLoad): Deleted.
732         (JSC::replaceWithJump): Deleted.
733
734 2016-06-19  Filip Pizlo  <fpizlo@apple.com>
735
736         REGRESSION(concurrent baseline JIT): Kraken/ai-astar runs 20% slower
737         https://bugs.webkit.org/show_bug.cgi?id=158906
738
739         Reviewed by Benjamin Poulain.
740         
741         The concurrent baseline JIT was a 2-3% progression on JSBench, possibly a 1% progression
742         on PLT3, but a 2-5% regression on Kraken. This patch fixes the Kraken regression without
743         affecting the other tests.
744         
745         The problem is that Kraken/ai-astar's initialization code had a ginormous piece of init
746         code that took about 16ms to compile in baseline. There's no good way to avoid letting it
747         tier-up into baseline since it has a compute loop. The time it takes to run this code is
748         never measured. The concurrent baseline JIT caused us to schedule the compilation of this
749         huge code rather than doing it eagerly. This meant that after initialization was done and
750         we started actually running real stuff, all of the real stuff's compiles would be convoyed
751         behind this super-expensive baseline compile. Note that DFG and FTL compiles convoy behind
752         baseline compiles, since you can't schedule a DFG compile for a code block until that code
753         block is in baseline.
754         
755         This uses the simplest fix: if we are thinking about scheduling some compile and the
756         thread is busy, do the compile on the main thread instead. This doesn't completely
757         eliminate the ai-astar regression (we still have a 4% regression on that test) but it now
758         results in concurrent baseline JIT being an overall progression on Kraken as a whole (1%
759         on my machine). This is because concurrent baseline appears to help on other tests.
760
761         In the future, we could fix this even better by allowing the JITWorklist to spawn more
762         threads or by being smarter about baseline compilation. I think it's nasty that if a giant
763         piece of initialization code ends in a compute loop, we compile all of the code instead of
764         just the loop. It's also gross that a constant-like object creation expression will result
765         in so much code. It would result in less code if we allowed ourselves to do a bit more
766         static reasoning about object literals.
767         
768         But for now, I think that this is a great way to recover the Kraken regression while still
769         keeping the other progressions from concurrent baseline.
770
771         * jit/JITWorklist.cpp:
772         (JSC::JITWorklist::Plan::Plan):
773         (JSC::JITWorklist::Plan::compileInThread):
774         (JSC::JITWorklist::Plan::finalize):
775         (JSC::JITWorklist::Plan::codeBlock):
776         (JSC::JITWorklist::Plan::isFinishedCompiling):
777         (JSC::JITWorklist::Plan::compileNow):
778         (JSC::JITWorklist::JITWorklist):
779         (JSC::JITWorklist::compileLater):
780         (JSC::JITWorklist::compileNow):
781         (JSC::JITWorklist::runThread):
782         (JSC::JITWorklist::Plan::isFinalized): Deleted.
783         * jit/JITWorklist.h:
784
785 2016-06-17  Commit Queue  <commit-queue@webkit.org>
786
787         Unreviewed, rolling out r202152.
788         https://bugs.webkit.org/show_bug.cgi?id=158897
789
790         The new test is very unstable, timing out frequently
791         (Requested by ap on #webkit).
792
793         Reverted changeset:
794
795         "Web Inspector: console.profile should use the new Sampling
796         Profiler"
797         https://bugs.webkit.org/show_bug.cgi?id=153499
798         http://trac.webkit.org/changeset/202152
799
800 2016-06-14  Filip Pizlo  <fpizlo@apple.com>
801
802         Baseline JIT should be concurrent
803         https://bugs.webkit.org/show_bug.cgi?id=158755
804
805         Reviewed by Geoffrey Garen.
806         
807         This makes the baseline JIT concurrent. We want it to be concurrent because it takes up
808         about 1% of PLT3 and 10% of JSBench (though the JSBench number might be down from recent
809         optimizations).
810         
811         The idea is really simple: I separated the compile and link phases of JIT::privateCompile(),
812         and arranged to call the compile phase from another thread. This doesn't reuse the old
813         DFG::Worklist code, because that code does things we don't need (like compilation plan
814         cancellation to allow GC to interleave with compilations) and is structured in a way that
815         would have required more changes to the baseline JIT. Also, I think that code uses the wrong
816         API, and as a result, clients of that API have a bad time. For example, it's never clear who
817         has the responsibility of setting the JIT thresholds and the DFG::Worklist goes to great
818         lengths to try to help its client set those things correctly, but since it doesn't set them
819         directly, the client then has to have additional complex logic to combine what it learned
820         from the Worklist and what it knows to set the thresholds. This patch takes a simpler
821         approach: the JITWorklist takes complete control over scheduling compilations. It's like a
822         combination of DFG::Worklist and operationOptimize().
823         
824         Because the baseline JIT runs quickly, we can take some shortcuts. The JITWorklist requires
825         that all of its plans complete before a GC begins. This ensures that we don't have to worry
826         about interactions between the concurrent baseline JIT and the GC.
827         
828         I needed to do a bunch of minor changes to the JIT to handle the races that emerged. For
829         example, I needed to do things to opcodes that read profiling both in the main path code
830         generator and the slow path one. One trick I used was to create a copy of the instruction
831         stream and provide that for anyone interested in the original value of the profiles. Most
832         code still uses the CodeBlock's instruction stream because it may emit JIT code that points
833         at the stream.
834         
835         This also fixes a LLInt bug in prototype caching. This bug was revealed by this change
836         because more of our LayoutTests now run in LLInt.
837         
838         This looks like it might be a ~1% Octane speed-up (on command line) and a ~0.7% PLT3
839         speed-up. This also looks like a ~2% JSBench speed-up.
840
841         * CMakeLists.txt:
842         * JavaScriptCore.xcodeproj/project.pbxproj:
843         * debugger/Debugger.cpp:
844         (JSC::Debugger::setSteppingMode):
845         (JSC::Debugger::toggleBreakpoint):
846         (JSC::Debugger::clearBreakpoints):
847         (JSC::Debugger::clearDebuggerRequests):
848         * dfg/DFGOSRExitPreparation.cpp:
849         (JSC::DFG::prepareCodeOriginForOSRExit):
850         * heap/Heap.cpp:
851         (JSC::Heap::didFinishIterating):
852         (JSC::Heap::completeAllJITPlans):
853         (JSC::Heap::deleteAllCodeBlocks):
854         (JSC::Heap::collectImpl):
855         (JSC::Heap::completeAllDFGPlans): Deleted.
856         * heap/Heap.h:
857         * heap/HeapInlines.h:
858         (JSC::Heap::forEachCodeBlock):
859         * jit/JIT.cpp:
860         (JSC::JIT::emitNotifyWrite):
861         (JSC::JIT::privateCompileMainPass):
862         (JSC::JIT::privateCompileSlowCases):
863         (JSC::JIT::compileWithoutLinking):
864         (JSC::JIT::link):
865         (JSC::JIT::privateCompile):
866         (JSC::JIT::privateCompileExceptionHandlers):
867         * jit/JIT.h:
868         (JSC::JIT::compile):
869         (JSC::JIT::getSlowCase):
870         (JSC::JIT::linkSlowCase):
871         (JSC::JIT::linkDummySlowCase):
872         * jit/JITInlines.h:
873         (JSC::JIT::emitTagBool):
874         (JSC::JIT::originalInstruction):
875         * jit/JITPropertyAccess32_64.cpp:
876         (JSC::JIT::emitSlow_op_put_to_scope):
877         * jit/JITPropertyAccess.cpp:
878         (JSC::JIT::emitSlow_op_put_by_val):
879         (JSC::JIT::emit_op_resolve_scope):
880         (JSC::JIT::emitSlow_op_resolve_scope):
881         (JSC::JIT::emit_op_get_from_scope):
882         (JSC::JIT::emitSlow_op_get_from_scope):
883         (JSC::JIT::emit_op_put_to_scope):
884         (JSC::JIT::emitSlow_op_put_to_scope):
885         * jit/JITWorklist.cpp: Added.
886         (JSC::JITWorklist::Plan::Plan):
887         (JSC::JITWorklist::Plan::compileInThread):
888         (JSC::JITWorklist::Plan::finalize):
889         (JSC::JITWorklist::Plan::codeBlock):
890         (JSC::JITWorklist::Plan::vm):
891         (JSC::JITWorklist::Plan::isFinishedCompiling):
892         (JSC::JITWorklist::Plan::isFinalized):
893         (JSC::JITWorklist::JITWorklist):
894         (JSC::JITWorklist::~JITWorklist):
895         (JSC::JITWorklist::completeAllForVM):
896         (JSC::JITWorklist::poll):
897         (JSC::JITWorklist::compileLater):
898         (JSC::JITWorklist::compileNow):
899         (JSC::JITWorklist::runThread):
900         (JSC::JITWorklist::finalizePlans):
901         (JSC::JITWorklist::instance):
902         * jit/JITWorklist.h: Added.
903         * llint/LLIntSlowPaths.cpp:
904         (JSC::LLInt::jitCompileAndSetHeuristics):
905         * runtime/CommonSlowPaths.cpp:
906         (JSC::SLOW_PATH_DECL):
907         * runtime/CommonSlowPaths.h:
908         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
909         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
910         * runtime/VM.cpp:
911         (JSC::VM::~VM):
912
913 2016-06-16  Joseph Pecoraro  <pecoraro@apple.com>
914
915         Web Inspector: console.profile should use the new Sampling Profiler
916         https://bugs.webkit.org/show_bug.cgi?id=153499
917         <rdar://problem/24352431>
918
919         Reviewed by Timothy Hatcher.
920
921         Currently console.profile/profileEnd behave slightly differently
922         between JSContext and Web inspection. Unifying will be part of:
923         <https://webkit.org/b/158753> Generalize the concept of Instruments on the backend
924
925         Both JSContext and Web inspection keep track of active
926         profiles started and stopped via console.profile/profileEnd.
927
928         JSContext inspection sends its programmatic start/stop
929         via the ScriptProfiler domain.
930
931         Web inspection sends its programmatic start/stop
932         via the Timeline domain, and also will start/stop backend
933         list of Instruments.
934
935         The functional differences between these is that for JSContext
936         inspection, console.profile only starts/stops the ScriptProfiler
937         domain, and does not auto-start other instruments. This isn't really
938         a problem right now given the instruments available for JSContext
939         inspection; but it will be nice to unify as we add more instruments.
940         Also, JSContext inspection won't have "Profile (name)" records in
941         its Events view, since those are currently generated only by the
942         Web's Timeline domain.
943
944         * inspector/protocol/ScriptProfiler.json:
945         * inspector/protocol/Timeline.json:
946         Events to inform the frontend of programmatic start/stop.
947
948         * debugger/Debugger.h:
949         * inspector/agents/InspectorDebuggerAgent.cpp:
950         (Inspector::InspectorDebuggerAgent::breakpointsActive):
951         (Inspector::InspectorDebuggerAgent::isPaused):
952         * inspector/agents/InspectorDebuggerAgent.h:
953         Expose breakpoints active state, since programmatic recording
954         will temporarily disable breakpoints if needed.
955
956         * inspector/JSGlobalObjectConsoleClient.cpp:
957         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
958         (Inspector::JSGlobalObjectConsoleClient::profile):
959         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
960         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
961         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
962         * inspector/JSGlobalObjectConsoleClient.h:
963         * inspector/JSGlobalObjectInspectorController.cpp:
964         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
965         * inspector/agents/InspectorScriptProfilerAgent.cpp:
966         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted):
967         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped):
968         * inspector/agents/InspectorScriptProfilerAgent.h:
969         JSContext implementation of console.profile/profileEnd.
970
971 2016-06-16  Filip Pizlo  <fpizlo@apple.com>
972
973         Kraken/stanford-crypto-pbkdf2.js sometimes crashes with an OSR assertion in FTL
974         https://bugs.webkit.org/show_bug.cgi?id=158850
975
976         Reviewed by Keith Miller.
977         
978         Bytecode liveness was incorrectly claiming that all tail-deleted locals are live! That's
979         crazy! We never noticed this because extending OSR liveness is usually not a showstopper and
980         until recently we didn't have a lot of tail-call test cases to play with. Well, we do now,
981         thanks to the increasing reliance on tail calls in our builtins.
982
983         * dfg/DFGGraph.cpp:
984         (JSC::DFG::Graph::localsLiveInBytecode): Fix the bug and add some optional tracing. Also restructure the code so that we don't break to return true, since that's counterintuitive.
985         * ftl/FTLLowerDFGToB3.cpp:
986         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments): Make this assertion print more useful information.
987
988 2016-06-16  Mark Lam  <mark.lam@apple.com>
989
990         Add collecting of LLINT slow path stats.
991         https://bugs.webkit.org/show_bug.cgi?id=158829
992
993         Reviewed by Keith Miller.
994
995         * llint/LLIntData.cpp:
996         (JSC::LLInt::Data::dumpStats):
997         * llint/LLIntData.h:
998         * llint/LLIntSlowPaths.cpp:
999         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1000         * llint/LLIntSlowPaths.h:
1001         * llint/LowLevelInterpreter.asm:
1002         * llint/LowLevelInterpreter32_64.asm:
1003         * llint/LowLevelInterpreter64.asm:
1004
1005 2016-06-15  Keith Miller  <keith_miller@apple.com>
1006
1007         Add support for Symbol.isConcatSpreadable (round 2)
1008         https://bugs.webkit.org/show_bug.cgi?id=158769
1009
1010         Reviewed by Mark Lam.
1011
1012         This patch adds support for Symbol.isConcatSpreadable. In order to
1013         do so, it was necessary to move the Array.prototype.concat function
1014         to JS. A number of different optimizations were needed to make
1015         the move to a builtin performant. First, this patch adds a
1016         new Bytecode intrinsic, isJSArray, that checks if the value is a
1017         JSArray object. Specifically, isJSArray checks that the array
1018         object is a normal instance of JSArray and not a RuntimeArray or
1019         Array.prototype. isJSArray can also be converted into a constant
1020         by the DFG if we are able to prove that the incoming value is
1021         already a JSArray.
1022
1023         In order to further improve the performance we also now cover more
1024         indexing types in our fast path memcpy code. Before we would only
1025         memcpy Arrays if they had the same indexing type and did not have
1026         Array storage or were undecided. Now the memcpy code covers the
1027         following additional three cases:
1028
1029         1) One array is undecided and the other does not have array storage
1030
1031         2) One array is Int32 and the other is contiguous (we map this
1032         into a contiguous array).
1033
1034         3) The this value is an array and the first argument is a non-array
1035         that does not have Symbol.isConcatSpreadable set.
1036
1037         This patch also adds a new fast path for concat with more than one
1038         array argument by using memcpy to append values onto the result
1039         array. This works roughly the same as the two array fast path
1040         using the same methodology to decide if we can memcpy the other
1041         butterfly into the result butterfly.
1042
1043         * JavaScriptCore.xcodeproj/project.pbxproj:
1044         * builtins/ArrayPrototype.js:
1045         (concatSlowPath):
1046         (concat):
1047         * bytecode/BytecodeIntrinsicRegistry.cpp:
1048         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1049         * bytecode/BytecodeIntrinsicRegistry.h:
1050         * bytecode/BytecodeList.json:
1051         * bytecode/BytecodeUseDef.h:
1052         (JSC::computeUsesForBytecodeOffset):
1053         (JSC::computeDefsForBytecodeOffset):
1054         * bytecode/CodeBlock.cpp:
1055         (JSC::CodeBlock::dumpBytecode):
1056         * bytecompiler/BytecodeGenerator.h:
1057         (JSC::BytecodeGenerator::emitIsJSArray):
1058         * bytecompiler/NodesCodegen.cpp:
1059         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
1060         * dfg/DFGAbstractInterpreterInlines.h:
1061         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1062         * dfg/DFGByteCodeParser.cpp:
1063         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1064         (JSC::DFG::ByteCodeParser::parseBlock):
1065         * dfg/DFGCapabilities.cpp:
1066         (JSC::DFG::capabilityLevel):
1067         * dfg/DFGClobberize.h:
1068         (JSC::DFG::clobberize):
1069         * dfg/DFGDoesGC.cpp:
1070         (JSC::DFG::doesGC):
1071         * dfg/DFGFixupPhase.cpp:
1072         (JSC::DFG::FixupPhase::fixupNode):
1073         * dfg/DFGNodeType.h:
1074         * dfg/DFGOperations.cpp:
1075         * dfg/DFGOperations.h:
1076         * dfg/DFGPredictionPropagationPhase.cpp:
1077         * dfg/DFGSafeToExecute.h:
1078         (JSC::DFG::safeToExecute):
1079         * dfg/DFGSpeculativeJIT.cpp:
1080         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1081         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
1082         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1083         * dfg/DFGSpeculativeJIT.h:
1084         (JSC::DFG::SpeculativeJIT::callOperation):
1085         * dfg/DFGSpeculativeJIT32_64.cpp:
1086         (JSC::DFG::SpeculativeJIT::compile):
1087         * dfg/DFGSpeculativeJIT64.cpp:
1088         (JSC::DFG::SpeculativeJIT::compile):
1089         * ftl/FTLCapabilities.cpp:
1090         (JSC::FTL::canCompile):
1091         * ftl/FTLLowerDFGToB3.cpp:
1092         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1093         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
1094         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
1095         (JSC::FTL::DFG::LowerDFGToB3::isArray):
1096         * jit/JIT.cpp:
1097         (JSC::JIT::privateCompileMainPass):
1098         * jit/JIT.h:
1099         * jit/JITOpcodes.cpp:
1100         (JSC::JIT::emit_op_is_jsarray):
1101         * jit/JITOpcodes32_64.cpp:
1102         (JSC::JIT::emit_op_is_jsarray):
1103         * jit/JITOperations.h:
1104         * llint/LLIntData.cpp:
1105         (JSC::LLInt::Data::performAssertions):
1106         * llint/LowLevelInterpreter.asm:
1107         * llint/LowLevelInterpreter32_64.asm:
1108         * llint/LowLevelInterpreter64.asm:
1109         * runtime/ArrayConstructor.h:
1110         (JSC::isArrayConstructor):
1111         * runtime/ArrayPrototype.cpp:
1112         (JSC::ArrayPrototype::finishCreation):
1113         (JSC::speciesWatchpointsValid):
1114         (JSC::speciesConstructArray):
1115         (JSC::moveElements):
1116         (JSC::concatAppendOne):
1117         (JSC::arrayProtoFuncConcat): Deleted.
1118         * runtime/ArrayPrototype.h:
1119         * runtime/CommonIdentifiers.h:
1120         * runtime/CommonSlowPaths.cpp:
1121         (JSC::SLOW_PATH_DECL):
1122         * runtime/IndexingType.h:
1123         (JSC::indexingTypeForValue):
1124         * runtime/JSArray.cpp:
1125         (JSC::JSArray::appendMemcpy):
1126         (JSC::JSArray::fastConcatWith): Deleted.
1127         * runtime/JSArray.h:
1128         (JSC::JSArray::createStructure):
1129         (JSC::isJSArray):
1130         (JSC::JSArray::fastConcatType): Deleted.
1131         * runtime/JSArrayInlines.h: Added.
1132         (JSC::JSArray::mergeIndexingTypeForCopying):
1133         (JSC::JSArray::canFastCopy):
1134         * runtime/JSGlobalObject.cpp:
1135         (JSC::JSGlobalObject::init):
1136         * runtime/JSObject.cpp:
1137         (JSC::JSObject::convertUndecidedForValue):
1138         * runtime/JSType.h:
1139         * runtime/ObjectConstructor.h:
1140         (JSC::constructObject):
1141         * tests/es6.yaml:
1142         * tests/stress/array-concat-spread-object.js: Added.
1143         (arrayEq):
1144         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
1145         (arrayEq):
1146         * tests/stress/array-concat-spread-proxy.js: Added.
1147         (arrayEq):
1148         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
1149         (arrayEq):
1150         * tests/stress/array-species-config-array-constructor.js:
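
        Added example for the entry above; this is not JavaScriptCore source
        and not the builtin from builtins/ArrayPrototype.js. It is a user-land
        model of the spreading rule that concat applies to each operand
        (the spec's IsConcatSpreadable: Symbol.isConcatSpreadable wins when it
        is defined, otherwise only real arrays, including Proxies over arrays,
        are spread) and checks it against the native implementation on
        constructed inputs. The function names and sample values are this
        example's own.

```javascript
// Added example, not JavaScriptCore source: a user-land model of how
// Array.prototype.concat decides whether to spread each operand, checked
// against the native implementation on constructed inputs.

// Mirrors the spec's IsConcatSpreadable abstract operation: non-objects are
// never spread; an object with Symbol.isConcatSpreadable defined uses that
// flag; otherwise only real arrays (including Proxies over arrays) spread.
function isConcatSpreadable(value) {
  if (value === null || (typeof value !== "object" && typeof value !== "function")) {
    return false;
  }
  const flag = value[Symbol.isConcatSpreadable];
  if (flag !== undefined) {
    return Boolean(flag);
  }
  return Array.isArray(value);
}

// Reference concat: spreads spreadable operands element by element, keeping
// holes as holes (native concat only copies indices that are present).
function referenceConcat(receiver, ...args) {
  const out = [];
  for (const item of [receiver, ...args]) {
    if (!isConcatSpreadable(item)) {
      out.push(item);
      continue;
    }
    const len = Math.max(0, Math.trunc(Number(item.length)) || 0);
    for (let i = 0; i < len; i++) {
      if (i in item) {
        out[out.length] = item[i];
      } else {
        out.length += 1; // leave a hole rather than writing undefined
      }
    }
  }
  return out;
}

// Hole-aware comparison: same length, same present indices, same elements.
function sameElements(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    if ((i in a) !== (i in b) || a[i] !== b[i]) return false;
  }
  return true;
}

// Constructed inputs covering the cases the change log describes: an
// array-like object opted in, an array opted out, a Proxy over an array
// (Array.isArray sees through it), and an array with a hole.
function runCases() {
  const arrayLike = { length: 2, 0: "a", 1: "b", [Symbol.isConcatSpreadable]: true };
  const optedOut = Object.assign([1, 2], { [Symbol.isConcatSpreadable]: false });
  const proxied = new Proxy([3, 4], {});
  const cases = [
    [[0], [arrayLike]],
    [[0], [optedOut]],
    [[0], [proxied, 5]],
    [[0], [[1, , 3]]],
  ];
  return cases.map(([receiver, args]) => {
    const native = Array.prototype.concat.apply(receiver, args);
    const reference = referenceConcat(receiver, ...args);
    return { native, reference, agree: sameElements(native, reference) };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runCases().map((r) => [r.agree, r.native]));
}
```

        Every case reports agree: true on a conforming engine; the opted-out
        array is appended as a single element, the array-like object is
        flattened, and the hole in [1, , 3] survives in the result.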
1151
1152 2016-06-15  Mark Lam  <mark.lam@apple.com>
1153
1154         Assertion failure when returning incomplete property descriptor from proxy trap.
1155         https://bugs.webkit.org/show_bug.cgi?id=157078
1156
1157         Reviewed by Saam Barati.
1158
1159         If the proxy returns a descriptor that expects a value but does not specify one,
1160         we should use undefined for the value.
1161
1162         * runtime/ProxyObject.cpp:
1163         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1164         * tests/stress/proxy-returning-incomplete-property-descriptor.js: Added.
1165         (truthiness):
1166         (compare):
1167         (shouldBe):
1168         (test):
1169         (get test):
1170
1171 2016-06-15  Keith Miller  <keith_miller@apple.com>
1172
1173         Unreviewed, fix typo in test and move tests to the correct files.
1174
1175         * tests/stress/multi-get-by-offset-proto-or-unset.js:
1176         * tests/stress/multi-get-by-offset-proto-self-or-unset.js:
1177
1178 2016-06-15  Keith Miller  <keith_miller@apple.com>
1179
1180         DFGByteCodeParser should be able to infer the value of unset properties in MultiGetByOffset
1181         https://bugs.webkit.org/show_bug.cgi?id=158802
1182
1183         Reviewed by Filip Pizlo.
1184
1185         This patch adds support for unset properties in MultiGetByOffset. Since MultiGetByOffset
1186         already supports constant values this patch just adds a constant case where the fetched
1187         value is undefined. Fortunately (or unfortunately) we don't support object allocation
1188         sinking for constant cases of MultiGetByOffset, which means we don't need to adjust anything
1189         in that phase.
1190
1191         * dfg/DFGByteCodeParser.cpp:
1192         (JSC::DFG::ByteCodeParser::planLoad):
1193         (JSC::DFG::ByteCodeParser::handleGetById):
1194         * dfg/DFGMultiGetByOffsetData.h:
1195         * tests/stress/multi-get-by-offset-proto-or-unset.js: Added.
1196         (foo):
1197         * tests/stress/multi-get-by-offset-proto-self-or-unset.js: Added.
1198         (foo):
1199         * tests/stress/multi-get-by-offset-self-or-unset.js: Added.
1200         (foo):
1201
1202 2016-06-15  Chris Dumez  <cdumez@apple.com>
1203
1204         Unreviewed GCC build fix after r202098.
1205
1206         * bytecode/CodeBlock.cpp:
1207         (JSC::CodeBlock::thresholdForJIT):
1208
1209 2016-06-14  Geoffrey Garen  <ggaren@apple.com>
1210
1211         compilation policy should adapt to past behavior
1212         https://bugs.webkit.org/show_bug.cgi?id=158759
1213
1214         Reviewed by Saam Barati.
1215
1216         This looks like a ~9% speedup on JSBench.
1217
1218         * bytecode/CodeBlock.cpp:
1219         (JSC::CodeBlock::~CodeBlock): Record when a CodeBlock dies without ever
1220         making it to DFG.
1221
1222         (JSC::CodeBlock::thresholdForJIT): CodeBlocks that make it to DFG should
1223         compile sooner; CodeBlocks that don't should compile later. The goal is
1224         to use past behavior, in addition to execution counts, to determine
1225         whether compilation is profitable.
1226
1227         (JSC::CodeBlock::jitAfterWarmUp):
1228         (JSC::CodeBlock::jitSoon): Apply the thresholdForJIT rule.
1229
1230         * bytecode/CodeBlock.h: Moved some code into the .cpp file so I could
1231         change stuff without recompiling.
1232         (JSC::CodeBlock::jitAfterWarmUp): Deleted.
1233         (JSC::CodeBlock::jitSoon): Deleted.
1234
1235         * bytecode/UnlinkedCodeBlock.cpp:
1236         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1237         * bytecode/UnlinkedCodeBlock.h:
1238         (JSC::UnlinkedCodeBlock::didOptimize):
1239         (JSC::UnlinkedCodeBlock::setDidOptimize): Added a piece of data to track
1240         whether we made it to DFG.
1241
1242         * jit/JITOperations.cpp: Record when we make it to DFG.
1243
1244 2016-06-15  Konstantin Tokarev  <annulen@yandex.ru>
1245
1246         Only Mac port needs ObjC API for JSC.
1247         https://bugs.webkit.org/show_bug.cgi?id=158780
1248
1249         Reviewed by Philippe Normand.
1250
1251         * API/JSBase.h: Removed !defined(BUILDING_GTK__)
1252
1253 2016-06-15  Keith Miller  <keith_miller@apple.com>
1254
1255         DFGByteCodeParser should be able to infer a property is unset from the Baseline inline cache.
1256         https://bugs.webkit.org/show_bug.cgi?id=158774
1257
1258         Reviewed by Filip Pizlo.
1259
1260         This patch allows the DFGByteCodeParser to speculatively convert a property access into a
1261         constant if that access was always a miss in the Baseline inline cache. This patch does
1262         not add support for MultiGetByOffset and unset properties. That functionality will come
1263         in a future patch.
1264
1265         * bytecode/ComplexGetStatus.cpp:
1266         (JSC::ComplexGetStatus::computeFor):
1267         * bytecode/GetByIdStatus.cpp:
1268         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1269         * bytecode/GetByIdVariant.h:
1270         (JSC::GetByIdVariant::isPropertyUnset):
1271         * bytecode/PutByIdVariant.h:
1272         (JSC::PutByIdVariant::isPropertyUnset):
1273         * dfg/DFGByteCodeParser.cpp:
1274         (JSC::DFG::ByteCodeParser::load):
1275         (JSC::DFG::ByteCodeParser::handleGetById):
1276         * tests/stress/undefined-access-then-self-change.js: Added.
1277         (foo):
1278
1279 2016-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1280
1281         [JSC] Move calling convention flags to WTF
1282         https://bugs.webkit.org/show_bug.cgi?id=158661
1283
1284         Reviewed by Keith Miller.
1285
1286         Due to some calling convention flags and JIT_OPERATION flags, MathCommon.h includes MacroAssemblerCodeRef and JITOperations.h.
1287         But MacroAssembler and JIT part should not be necessary for the MathCommon component.
1288         As with other calling convention flags like JSC_HOST_CALL, these flags should be in WTF.
1289
1290         * assembler/MacroAssemblerCodeRef.h:
1291         * jit/JITOperations.h:
1292         Add wtf/Platform.h inclusion driven by the Windows port build failure.
1293
1294         * runtime/MathCommon.h:
1295
1296 2016-06-15  Romain Bellessort  <romain.bellessort@crf.canon.fr>
1297
1298         Enabling Shadow DOM for all platforms
1299         https://bugs.webkit.org/show_bug.cgi?id=158738
1300
1301         Reviewed by Ryosuke Niwa.
1302
1303         Removed Shadow DOM from options (enabled by default)
1304
1305         * Configurations/FeatureDefines.xcconfig:
1306
1307 2016-06-14  Caio Lima  <ticaiolima@gmail.com>
1308
1309         The parser doesn't properly parse "super" when default parameter is an
1310         arrow function.
1311         https://bugs.webkit.org/show_bug.cgi?id=157872.
1312
1313         Reviewed by Saam Barati.
1314
1315         The "super" member or "super()" could not be used when default parameter is an
1316         arrow function, resulting in a syntax error. It happened because the
1317         "closestOrdinaryFunctionScope" was not being initialized properly
1318         before "parseFunctionParameters" step and the condition
1319         "functionSuperBinding == SuperBinding::NotNeeded" or
1320         "functionConstructorKind != ConstructorKind::Derived" on
1321         "Parser<LexerType>::parseMemberExpression" step were being true
1322         resulting in SyntaxError.
1323
1324         * parser/Parser.cpp: 
1325         (JSC::Parser<LexerType>::parseFunctionInfo): setting
1326         "functionScope->setExpectedSuperBinding(expectedSuperBinding)" and
1327         "functionScope->setConstructorKind(constructorKind)" before
1328         "parseFunctionParameters" step.
1329
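Added example (not part of this ChangeLog or of the JavaScriptCore sources): the parameter-default case the entry above describes, written as runnable JavaScript so the expected behaviour is explicit. The class names Base, UsesSuperMember and UsesSuperCall, and the helper parsesOk, are constructed for the example. A conforming parser must accept both forms, and both calls must resolve to the base class rather than raising a SyntaxError.

```javascript
// Added example: "super" inside an arrow function used as a default parameter.
// Class names (Base, UsesSuperMember, UsesSuperCall) are constructed for this example.

class Base {
  constructor() { this.tag = "base"; }
  greet() { return "hello from " + this.tag; }
}

// Case 1: the default parameter is an arrow function that uses the "super" member.
// The arrow captures the constructor's lexical "super" and "this"; its body only
// runs when the callback is invoked, which happens after super() has run.
class UsesSuperMember extends Base {
  constructor(cb = () => super.greet()) {
    super();
    this.cb = cb;
  }
}

// Case 2: the default parameter is an arrow function that performs the super() call.
class UsesSuperCall extends Base {
  constructor(init = () => super()) {
    init();            // super() runs through the arrow; "this" is initialised afterwards
    this.ready = true;
  }
}

// Parse-only check: the source is compiled by Function() but never executed,
// so a SyntaxError here means the parser rejected the construct.
function parsesOk(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed snippet exercising both "super()" and "super.x" in a default arrow.
const SNIPPET =
  "class D extends Base { constructor(f = () => super(), g = () => super.greet()) { f(); g(); } }";

function runCases() {
  return {
    member: new UsesSuperMember().cb(),   // "hello from base"
    call: new UsesSuperCall().tag,        // "base"
    ready: new UsesSuperCall().ready,     // true
    parses: parsesOk(SNIPPET),            // true
  };
}
```

Running runCases() on a fixed engine returns the four values noted in the comments; on an engine with the bug described above, constructing the classes (or the parsesOk() call) throws a SyntaxError instead.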
1330 2016-06-14  Joseph Pecoraro  <pecoraro@apple.com>
1331
1332         Web Inspector: Rename Timeline.setAutoCaptureInstruments to Timeline.setInstruments
1333         https://bugs.webkit.org/show_bug.cgi?id=158762
1334
1335         Reviewed by Timothy Hatcher.
1336
1337         Rename the protocol methods since the backend may use the instruments
1338         for purposes other than auto-capture, such as programmatic capture
1339         via console.profile.
1340
1341         * inspector/protocol/Timeline.json:
1342
1343 2016-06-14  David Kilzer  <ddkilzer@apple.com>
1344
1345         Document the native format of JSChar type
1346         <http://webkit.org/b/156137>
1347
1348         Reviewed by Darin Adler.
1349
1350         * API/JSStringRef.h:
1351         (typedef JSChar): Update documentation.
1352
1353 2016-06-14  Keith Miller  <keith_miller@apple.com>
1354
1355         The Array species constructor watchpoints should be created the first time they are needed rather than on creation
1356         https://bugs.webkit.org/show_bug.cgi?id=158754
1357
1358         Reviewed by Benjamin Poulain.
1359
1360         We use adaptive watchpoints for some Array prototype functions to
1361         ensure that the user has not overridden the value of the
1362         Array.prototype.constructor or Array[Symbol.species]. This patch
1363         changes when the Array species constructor watchpoints are
1364         initialized. Before, those watchpoints would be created when the
1365         global object is initialized. This had the advantage that it did
1366         not require validating the constructor and Symbol.species
1367         properties. On the other hand, it also meant that if the user were
1368         to reconfigure properties of Array.prototype, which would cause the
1369         structure of the property to become an uncachable dictionary,
1370         prior to running code, the watchpoints would be
1371         invalidated. It turns out that JSBench amazon, for instance, does
1372         reconfigure some of Array.prototype's properties. This patch
1373         initializes the watchpoints the first time they are needed. Since
1374         we only initialize once we also flatten the structure of Array and
1375         Array.prototype.
1376
1377         * runtime/ArrayPrototype.cpp:
1378         (JSC::speciesConstructArray):
1379         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint):
1380         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1381         (JSC::ArrayPrototype::setConstructor): Deleted.
1382         * runtime/ArrayPrototype.h:
1383         (JSC::ArrayPrototype::speciesWatchpointStatus):
1384         (JSC::ArrayPrototype::didChangeConstructorOrSpeciesProperties): Deleted.
1385         * runtime/JSGlobalObject.cpp:
1386         (JSC::JSGlobalObject::init):
1387         * runtime/JSGlobalObject.h:
1388         (JSC::JSGlobalObject::speciesGetterSetter):
1389         (JSC::JSGlobalObject::arrayConstructor):
1390         * tests/stress/array-symbol-species-lazy-watchpoints.js: Added.
1391         (test):
1392         (arrayEq):
1393         (A):
1394
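Added example (not part of this ChangeLog or of the JavaScriptCore sources) showing, from the JavaScript side, the two properties the watchpoints above guard: Array.prototype.constructor (read through each instance's constructor property) and Array[Symbol.species]. The class names Tagged and Plain and the helper functions are constructed for the example. Once either property is redefined, map() no longer produces a plain Array, which is why the engine cannot keep a fast path that assumes it does.

```javascript
// Added example: what Array.prototype.constructor and Array[Symbol.species]
// control when Array.prototype.map builds its result.
// Class names (Tagged, Plain) are constructed for this example.

class Tagged extends Array {}            // inherits Array[Symbol.species], which returns Tagged

class Plain extends Array {
  // Overriding the species getter opts derived arrays out of the subclass.
  static get [Symbol.species]() { return Array; }
}

// Name of the constructor that ArraySpeciesCreate picked for map()'s result.
function mapResultCtor(arr) {
  return arr.map((x) => x * 2).constructor.name;
}

function speciesDemo() {
  const tagged = Tagged.from([1, 2, 3]);
  const plain = Plain.from([1, 2, 3]);

  // The lookup starts at the instance's own "constructor" property, so one
  // ordinary array can be re-routed through Tagged without touching any prototype.
  const ordinary = [1, 2, 3];
  const before = mapResultCtor(ordinary);
  ordinary.constructor = Tagged;
  const after = mapResultCtor(ordinary);

  return {
    subclass: mapResultCtor(tagged),   // "Tagged": species follows the subclass
    optedOut: mapResultCtor(plain),    // "Array": species getter overridden
    ordinaryBefore: before,            // "Array"
    ordinaryAfter: after,              // "Tagged": own constructor property wins
  };
}
```

speciesDemo() returns the four constructor names noted in the comments. Each of the three divergences from "Array" is a case where code that assumed the untouched Array species would allocate the wrong kind of object, which is exactly the condition the watchpoints exist to detect.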
1395 2016-06-14  Keith Miller  <keith_miller@apple.com>
1396
1397         REGRESSION(202002-202014): 845 32-bit JSC Stress Test failures
1398         https://bugs.webkit.org/show_bug.cgi?id=158737
1399
1400         Reviewed by Filip Pizlo.
1401
1402         When the this child and arguments child for the varargs nodes were switched, I missed one
1403         case in the 32-bit build.
1404
1405         * dfg/DFGSpeculativeJIT32_64.cpp:
1406         (JSC::DFG::SpeculativeJIT::emitCall):
1407
1408 2016-06-13  Gavin & Ellie Barraclough  <barraclough@apple.com>
1409
1410         setUpStaticFunctionSlot does not handle Builtin|Accessor properties
1411         https://bugs.webkit.org/show_bug.cgi?id=158637
1412
1413         Reviewed by Geoff Garen.
1414
1415         setUpStaticFunctionSlot contains a duplicate copy of the body of the function reifyStaticProperty
1416         - however it is missing handling for Accessor type under Builtin functions.
1417         Fix the bug by de-duplicating - setUpStaticFunctionSlot should just call reifyStaticProperty.
1418
1419         * runtime/Lookup.cpp:
1420         (JSC::setUpStaticFunctionSlot):
1421             - should just call reifyStaticProperty.
1422         * runtime/Lookup.h:
1423         (JSC::lookupPut):
1424         (JSC::reifyStaticProperty):
1425             - changed reifyStaticProperty to take PropertyName.
1426
1427 2016-06-13  Gavin & Ellie Barraclough  <barraclough@apple.com>
1428
1429         JSBoundSlotBaseFunction no longer binds slot base
1430         https://bugs.webkit.org/show_bug.cgi?id=157978
1431
1432         Reviewed by Geoff Garen.
1433
1434         This class is basically currently named after a bug. We should never have
1435         been binding functions to slot bases - this was not ever correct behavior.
1436         This was fixed earlier in the year, but there is still some cruft including
1437         the class name to clean up.
1438
1439             - renamed JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction
1440             - removed m_boundSlotBase - don't retain the original slot base
1441               (we were not really using it anyway).
1442             - ASSERT customGetterSetter->getter/setter are non-null, rather than checking.
1443             - Store the PropertyName such that we can pass this to the getter
1444               (we're currently reperforming the String->Identifier conversion every time).
1445             - Removed JSFunction::lookUpOrCreateNativeExecutable - this is just overhead,
1446               and not used consistently.
1447
1448         * CMakeLists.txt:
1449         * JavaScriptCore.xcodeproj/project.pbxproj:
1450         * runtime/JSBoundSlotBaseFunction.cpp: Removed.
1451         * runtime/JSBoundSlotBaseFunction.h: Removed.
1452             - JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction
1453         * runtime/JSCustomGetterSetterFunction.cpp: Copied from Source/JavaScriptCore/runtime/JSBoundSlotBaseFunction.cpp.
1454         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1455             - made a static function on JSCustomGetterSetterFunction such that accessors
1456               to member properties could be made private. Call variant of callCustomSetter
1457               that does not require slotBase, ASSERT getter/setter present, pass stored
1458               PropertyName to getter.
1459         (JSC::JSCustomGetterSetterFunction::JSCustomGetterSetterFunction):
1460             - renamed, store propertyName.
1461         (JSC::JSCustomGetterSetterFunction::create):
1462             - use same function name to Executable as is being passed to Function::finishCreation.
1463         (JSC::JSCustomGetterSetterFunction::visitChildren):
1464         (JSC::JSCustomGetterSetterFunction::finishCreation):
1465             - removed m_boundSlotBase.
1466         * runtime/JSCustomGetterSetterFunction.h: Copied from Source/JavaScriptCore/runtime/JSBoundSlotBaseFunction.h.
1467         (JSC::JSCustomGetterSetterFunction::customGetterSetter):
1468         (JSC::JSCustomGetterSetterFunction::isSetter):
1469             - made private.
1470         (JSC::JSCustomGetterSetterFunction::propertyName):
1471             - new accessor.
1472         (JSC::JSBoundSlotBaseFunction::boundSlotBase): Deleted.
1473             - removed.
1474         * runtime/JSFunction.cpp:
1475         (JSC::JSFunction::create):
1476         (JSC::JSFunction::lookUpOrCreateNativeExecutable): Deleted.
1477             - removed lookUpOrCreateNativeExecutable. This inconsistently used wrapper was providing no value, only bloat.
1478         * runtime/JSFunction.h:
1479         * runtime/JSGlobalObject.cpp:
1480         (JSC::JSGlobalObject::init):
1481         (JSC::JSGlobalObject::visitChildren):
1482             - renamed JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction, etc.
1483         * runtime/JSGlobalObject.h:
1484         (JSC::JSGlobalObject::customGetterSetterFunctionStructure):
1485         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
1486             - renamed JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction, etc.
1487         * runtime/JSNativeStdFunction.cpp:
1488         (JSC::JSNativeStdFunction::create):
1489             - removed lookUpOrCreateNativeExecutable.
1490         * runtime/JSObject.cpp:
1491         (JSC::getCustomGetterSetterFunctionForGetterSetter):
1492         (JSC::JSObject::getOwnPropertyDescriptor):
1493         (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
1494             - renamed JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction, etc.
1495         * runtime/VM.h:
1496             - renamed JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction, etc.
1497
1498 2016-06-13  Saam Barati  <sbarati@apple.com>
1499
1500         The sampling profiler should further protect itself against certain forms of sampling bias that arise due to the sampling interval being in sync with some other system process
1501         https://bugs.webkit.org/show_bug.cgi?id=158678
1502
1503         Reviewed by Benjamin Poulain.
1504
1505         I first became aware of this problem when I read this paper:
1506         http://plv.colorado.edu/papers/mytkowicz-pldi10.pdf
1507
1508         To provide background for this change, I'll quote a paragraph
1509         from section 6.2:
1510         "One statistically sound method for collecting random samples is to collect a
1511         sample at every t + r milliseconds, where t is the desired sampling interval
1512         and r is a random number between −t and t. One might think that sampling every
1513         t seconds is enough (i.e., drop the r component) but it is not: specifically,
1514         if a profiler samples every t seconds, the sampling rate would be synchronized
1515         with any program or system activity that occurs at regular time intervals [17].
1516         For example, if the thread scheduler switches between threads every 10ms and our
1517         sampling interval was also 10ms, then we may always take samples immediately after
1518         a thread switch. Because performance is often different immediately after a thread
1519         switch than at other points (e.g., due to cache and TLB warm-up effects) we would
1520         get biased data. The random component, r, guards against such situations."
1521
1522         * runtime/SamplingProfiler.cpp:
1523         (JSC::SamplingProfiler::timerLoop):
1524
1525 2016-06-13  Oliver Hunt  <oliver@apple.com>
1526
1527         DFG Validation fails when performing a concatenation with only a single entry
1528         https://bugs.webkit.org/show_bug.cgi?id=158699
1529
1530         Reviewed by Saam Barati.
1531
1532         Fairly simple short circuiting of a single replacement template string
1533         without any padding to be planted as a simple to string rather than
1534         op_strcat.
1535
1536         * bytecompiler/NodesCodegen.cpp:
1537         (JSC::TemplateLiteralNode::emitBytecode):
1538         * tests/stress/template-literal.js:
1539         (testSingleNode):
1540
1541 2016-06-13  Filip Pizlo  <fpizlo@apple.com>
1542
1543         FTL::Output methods should be out-of-line whenever possible
1544         https://bugs.webkit.org/show_bug.cgi?id=158704
1545
1546         Reviewed by Benjamin Poulain.
1547         
1548         These methods turn into a non-trivial amount of code because of the template-based B3 API.
1549         Inlining them didn't achieve any performance advantages for the FTL, but it did make the
1550         code larger. This outlines most methods in FTL::Output. It makes FTL::LowerDFGToB3 smaller
1551         and it doesn't change performance.
1552
1553         * ftl/FTLOutput.cpp:
1554         (JSC::FTL::Output::appendTo):
1555         (JSC::FTL::Output::framePointer):
1556         (JSC::FTL::Output::lockedStackSlot):
1557         (JSC::FTL::Output::constBool):
1558         (JSC::FTL::Output::constInt32):
1559         (JSC::FTL::Output::constInt64):
1560         (JSC::FTL::Output::constDouble):
1561         (JSC::FTL::Output::phi):
1562         (JSC::FTL::Output::add):
1563         (JSC::FTL::Output::sub):
1564         (JSC::FTL::Output::mul):
1565         (JSC::FTL::Output::div):
1566         (JSC::FTL::Output::chillDiv):
1567         (JSC::FTL::Output::mod):
1568         (JSC::FTL::Output::chillMod):
1569         (JSC::FTL::Output::neg):
1570         (JSC::FTL::Output::doubleAdd):
1571         (JSC::FTL::Output::doubleSub):
1572         (JSC::FTL::Output::doubleMul):
1573         (JSC::FTL::Output::doubleDiv):
1574         (JSC::FTL::Output::doubleMod):
1575         (JSC::FTL::Output::bitAnd):
1576         (JSC::FTL::Output::bitOr):
1577         (JSC::FTL::Output::bitXor):
1578         (JSC::FTL::Output::shl):
1579         (JSC::FTL::Output::aShr):
1580         (JSC::FTL::Output::lShr):
1581         (JSC::FTL::Output::bitNot):
1582         (JSC::FTL::Output::logicalNot):
1583         (JSC::FTL::Output::ctlz32):
1584         (JSC::FTL::Output::doubleAbs):
1585         (JSC::FTL::Output::doubleCeil):
1586         (JSC::FTL::Output::doubleFloor):
1587         (JSC::FTL::Output::doubleTrunc):
1588         (JSC::FTL::Output::doubleSin):
1589         (JSC::FTL::Output::doubleCos):
1590         (JSC::FTL::Output::doublePow):
1591         (JSC::FTL::Output::doublePowi):
1592         (JSC::FTL::Output::doubleSqrt):
1593         (JSC::FTL::Output::doubleLog):
1594         (JSC::FTL::Output::hasSensibleDoubleToInt):
1595         (JSC::FTL::Output::doubleToUInt):
1596         (JSC::FTL::Output::signExt32To64):
1597         (JSC::FTL::Output::zeroExt):
1598         (JSC::FTL::Output::intToDouble):
1599         (JSC::FTL::Output::unsignedToDouble):
1600         (JSC::FTL::Output::castToInt32):
1601         (JSC::FTL::Output::doubleToFloat):
1602         (JSC::FTL::Output::floatToDouble):
1603         (JSC::FTL::Output::load):
1604         (JSC::FTL::Output::load8SignExt32):
1605         (JSC::FTL::Output::baseIndex):
1606         (JSC::FTL::Output::equal):
1607         (JSC::FTL::Output::notEqual):
1608         (JSC::FTL::Output::above):
1609         (JSC::FTL::Output::aboveOrEqual):
1610         (JSC::FTL::Output::below):
1611         (JSC::FTL::Output::belowOrEqual):
1612         (JSC::FTL::Output::greaterThan):
1613         (JSC::FTL::Output::greaterThanOrEqual):
1614         (JSC::FTL::Output::lessThan):
1615         (JSC::FTL::Output::lessThanOrEqual):
1616         (JSC::FTL::Output::doubleEqual):
1617         (JSC::FTL::Output::doubleEqualOrUnordered):
1618         (JSC::FTL::Output::doubleNotEqualOrUnordered):
1619         (JSC::FTL::Output::doubleLessThan):
1620         (JSC::FTL::Output::doubleLessThanOrEqual):
1621         (JSC::FTL::Output::doubleGreaterThan):
1622         (JSC::FTL::Output::doubleGreaterThanOrEqual):
1623         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1624         (JSC::FTL::Output::doubleLessThanOrUnordered):
1625         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
1626         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
1627         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
1628         (JSC::FTL::Output::isZero32):
1629         (JSC::FTL::Output::notZero32):
1630         (JSC::FTL::Output::isZero64):
1631         (JSC::FTL::Output::notZero64):
1632         (JSC::FTL::Output::select):
1633         (JSC::FTL::Output::jump):
1634         (JSC::FTL::Output::branch):
1635         (JSC::FTL::Output::check):
1636         (JSC::FTL::Output::ret):
1637         (JSC::FTL::Output::unreachable):
1638         (JSC::FTL::Output::speculate):
1639         (JSC::FTL::Output::speculateAdd):
1640         (JSC::FTL::Output::speculateSub):
1641         (JSC::FTL::Output::speculateMul):
1642         (JSC::FTL::Output::patchpoint):
1643         (JSC::FTL::Output::trap):
1644         (JSC::FTL::Output::anchor):
1645         (JSC::FTL::Output::bitCast):
1646         (JSC::FTL::Output::fround):
1647         * ftl/FTLOutput.h:
1648         (JSC::FTL::Output::setOrigin):
1649         (JSC::FTL::Output::origin):
1650         (JSC::FTL::Output::constIntPtr):
1651         (JSC::FTL::Output::doubleNeg):
1652         (JSC::FTL::Output::zeroExtPtr):
1653         (JSC::FTL::Output::load32NonNegative):
1654         (JSC::FTL::Output::isNull):
1655         (JSC::FTL::Output::notNull):
1656         (JSC::FTL::Output::testIsZeroPtr):
1657         (JSC::FTL::Output::testNonZeroPtr):
1658         (JSC::FTL::Output::call):
1659         (JSC::FTL::Output::operation):
1660         (JSC::FTL::Output::branch):
1661         (JSC::FTL::Output::switchInstruction):
1662         (JSC::FTL::Output::addIncomingToPhi):
1663         (JSC::FTL::Output::framePointer): Deleted.
1664         (JSC::FTL::Output::constBool): Deleted.
1665         (JSC::FTL::Output::constInt32): Deleted.
1666         (JSC::FTL::Output::constInt64): Deleted.
1667         (JSC::FTL::Output::constDouble): Deleted.
1668         (JSC::FTL::Output::phi): Deleted.
1669         (JSC::FTL::Output::add): Deleted.
1670         (JSC::FTL::Output::sub): Deleted.
1671         (JSC::FTL::Output::mul): Deleted.
1672         (JSC::FTL::Output::div): Deleted.
1673         (JSC::FTL::Output::chillDiv): Deleted.
1674         (JSC::FTL::Output::mod): Deleted.
1675         (JSC::FTL::Output::chillMod): Deleted.
1676         (JSC::FTL::Output::doubleAdd): Deleted.
1677         (JSC::FTL::Output::doubleSub): Deleted.
1678         (JSC::FTL::Output::doubleMul): Deleted.
1679         (JSC::FTL::Output::doubleDiv): Deleted.
1680         (JSC::FTL::Output::doubleMod): Deleted.
1681         (JSC::FTL::Output::bitAnd): Deleted.
1682         (JSC::FTL::Output::bitOr): Deleted.
1683         (JSC::FTL::Output::bitXor): Deleted.
1684         (JSC::FTL::Output::shl): Deleted.
1685         (JSC::FTL::Output::aShr): Deleted.
1686         (JSC::FTL::Output::lShr): Deleted.
1687         (JSC::FTL::Output::ctlz32): Deleted.
1688         (JSC::FTL::Output::addWithOverflow32): Deleted.
1689         (JSC::FTL::Output::subWithOverflow32): Deleted.
1690         (JSC::FTL::Output::mulWithOverflow32): Deleted.
1691         (JSC::FTL::Output::addWithOverflow64): Deleted.
1692         (JSC::FTL::Output::subWithOverflow64): Deleted.
1693         (JSC::FTL::Output::mulWithOverflow64): Deleted.
1694         (JSC::FTL::Output::doubleAbs): Deleted.
1695         (JSC::FTL::Output::doubleCeil): Deleted.
1696         (JSC::FTL::Output::doubleFloor): Deleted.
1697         (JSC::FTL::Output::doubleSin): Deleted.
1698         (JSC::FTL::Output::doubleCos): Deleted.
1699         (JSC::FTL::Output::doublePow): Deleted.
1700         (JSC::FTL::Output::doubleSqrt): Deleted.
1701         (JSC::FTL::Output::doubleLog): Deleted.
1702         (JSC::FTL::Output::signExt32To64): Deleted.
1703         (JSC::FTL::Output::zeroExt): Deleted.
1704         (JSC::FTL::Output::intToDouble): Deleted.
1705         (JSC::FTL::Output::castToInt32): Deleted.
1706         (JSC::FTL::Output::doubleToFloat): Deleted.
1707         (JSC::FTL::Output::floatToDouble): Deleted.
1708         (JSC::FTL::Output::equal): Deleted.
1709         (JSC::FTL::Output::notEqual): Deleted.
1710         (JSC::FTL::Output::above): Deleted.
1711         (JSC::FTL::Output::aboveOrEqual): Deleted.
1712         (JSC::FTL::Output::below): Deleted.
1713         (JSC::FTL::Output::belowOrEqual): Deleted.
1714         (JSC::FTL::Output::greaterThan): Deleted.
1715         (JSC::FTL::Output::greaterThanOrEqual): Deleted.
1716         (JSC::FTL::Output::lessThan): Deleted.
1717         (JSC::FTL::Output::lessThanOrEqual): Deleted.
1718         (JSC::FTL::Output::doubleEqual): Deleted.
1719         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
1720         (JSC::FTL::Output::doubleNotEqualOrUnordered): Deleted.
1721         (JSC::FTL::Output::doubleLessThan): Deleted.
1722         (JSC::FTL::Output::doubleLessThanOrEqual): Deleted.
1723         (JSC::FTL::Output::doubleGreaterThan): Deleted.
1724         (JSC::FTL::Output::doubleGreaterThanOrEqual): Deleted.
1725         (JSC::FTL::Output::doubleNotEqualAndOrdered): Deleted.
1726         (JSC::FTL::Output::doubleLessThanOrUnordered): Deleted.
1727         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered): Deleted.
1728         (JSC::FTL::Output::doubleGreaterThanOrUnordered): Deleted.
1729         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered): Deleted.
1730         (JSC::FTL::Output::isZero32): Deleted.
1731         (JSC::FTL::Output::notZero32): Deleted.
1732         (JSC::FTL::Output::isZero64): Deleted.
1733         (JSC::FTL::Output::notZero64): Deleted.
1734         (JSC::FTL::Output::select): Deleted.
1735         (JSC::FTL::Output::extractValue): Deleted.
1736         (JSC::FTL::Output::jump): Deleted.
1737         (JSC::FTL::Output::ret): Deleted.
1738         (JSC::FTL::Output::unreachable): Deleted.
1739         (JSC::FTL::Output::speculate): Deleted.
1740         (JSC::FTL::Output::speculateAdd): Deleted.
1741         (JSC::FTL::Output::speculateSub): Deleted.
1742         (JSC::FTL::Output::speculateMul): Deleted.
1743         (JSC::FTL::Output::patchpoint): Deleted.
1744         (JSC::FTL::Output::trap): Deleted.
1745         (JSC::FTL::Output::anchor): Deleted.
1746         (JSC::FTL::Output::bitCast): Deleted.
1747         (JSC::FTL::Output::fround): Deleted.
1748
1749 2016-06-13  Keith Miller  <keith_miller@apple.com>
1750
1751         Unreviewed, Cloop build fix.
1752
1753         * bytecode/BytecodeList.json:
1754
1755 2016-06-12  Keith Miller  <keith_miller@apple.com>
1756
1757         Add new builtin opcode tailCallForwardArguments
1758         https://bugs.webkit.org/show_bug.cgi?id=158666
1759
1760         Reviewed by Filip Pizlo.
1761
1762         We should support the ability to have a builtin forward its
1763         arguments to a helper without allocating an arguments object. This
1764         patch adds a new bytecode intrinsic @tailCallForwardArguments that
1765         takes two values. The first is the target of the call and the
1766         second is the new this value. This opcode will tail call to the
1767         passed function without triggering an allocation of an arguments
1768         object for the caller function.
1769
1770         In the LLInt and Baseline this function acts the same way a normal
1771         tail call does.  The bytecode will allocate a new stack frame
1772         copying all the arguments of the caller function into the new
1773         frame, along with the new this. Then when the actual call happens
1774         the new frame is copied over the caller frame. While this is not
1775         necessary, it allows the target function to have more arguments
1776         than the caller function via arity fixup.
1777
1778         Once we get to the DFG we reuse existing DFG Nodes for forwarding
1779         arguments, although there were some minor changes. This patch
1780         swaps the meaning of the second and third children for each DFG
1781         varargs node, exchanging the arguments and this child,
1782         respectively. It also makes the arguments child for each varargs
1783         node, as well as the ForwardVarargs node optional. If the optional
1784         child is missing, then the forwarding node assumes that the arguments
1785         for the node's inlineCallFrame should be used instead. Finally,
1786         when inlining the target of an inlined
1787         op_tail_call_forward_arguments we make sure the arguments of the
1788         forwarding function are marked as non-unboxable since this would
1789         normally be done by the caller's create arguments object node,
1790         which does not exist in this case.
1791
1792         * bytecode/BytecodeIntrinsicRegistry.h:
1793         * bytecode/BytecodeList.json:
1794         * bytecode/BytecodeUseDef.h:
1795         (JSC::computeUsesForBytecodeOffset):
1796         (JSC::computeDefsForBytecodeOffset):
1797         * bytecode/CallLinkInfo.h:
1798         (JSC::CallLinkInfo::callTypeFor):
1799         * bytecode/CodeBlock.cpp:
1800         (JSC::CodeBlock::dumpBytecode):
1801         (JSC::CodeBlock::finishCreation):
1802         * bytecompiler/BytecodeGenerator.cpp:
1803         (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition):
1804         (JSC::BytecodeGenerator::emitCallVarargs):
1805         * bytecompiler/BytecodeGenerator.h:
1806         * bytecompiler/NodesCodegen.cpp:
1807         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tailCallForwardArguments):
1808         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
1809         * dfg/DFGArgumentsEliminationPhase.cpp:
1810         * dfg/DFGByteCodeParser.cpp:
1811         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1812         (JSC::DFG::ByteCodeParser::handleCall):
1813         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1814         (JSC::DFG::ByteCodeParser::handleInlining):
1815         (JSC::DFG::ByteCodeParser::parseBlock):
1816         * dfg/DFGCapabilities.cpp:
1817         (JSC::DFG::capabilityLevel):
1818         * dfg/DFGFixupPhase.cpp:
1819         (JSC::DFG::FixupPhase::fixupNode):
1820         * dfg/DFGNode.h:
1821         (JSC::DFG::Node::hasArgumentsChild):
1822         (JSC::DFG::Node::argumentsChild):
1823         * dfg/DFGPreciseLocalClobberize.h:
1824         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1825         * dfg/DFGPredictionPropagationPhase.cpp:
1826         * dfg/DFGSpeculativeJIT.cpp:
1827         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1828         * dfg/DFGSpeculativeJIT32_64.cpp:
1829         (JSC::DFG::SpeculativeJIT::emitCall):
1830         * dfg/DFGSpeculativeJIT64.cpp:
1831         (JSC::DFG::SpeculativeJIT::emitCall):
1832         * dfg/DFGVarargsForwardingPhase.cpp:
1833         * ftl/FTLLowerDFGToB3.cpp:
1834         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1835         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
1836         * interpreter/Interpreter.cpp:
1837         (JSC::sizeFrameForForwardArguments):
1838         (JSC::setupForwardArgumentsFrame):
1839         (JSC::setupForwardArgumentsFrameAndSetThis):
1840         * interpreter/Interpreter.h:
1841         * jit/JIT.cpp:
1842         (JSC::JIT::privateCompileMainPass):
1843         (JSC::JIT::privateCompileSlowCases):
1844         * jit/JIT.h:
1845         * jit/JITCall.cpp:
1846         (JSC::JIT::compileSetupVarargsFrame):
1847         (JSC::JIT::compileOpCall):
1848         (JSC::JIT::compileOpCallSlowCase):
1849         (JSC::JIT::emit_op_tail_call_forward_arguments):
1850         (JSC::JIT::emitSlow_op_tail_call_forward_arguments):
1851         * jit/JITCall32_64.cpp:
1852         (JSC::JIT::emitSlow_op_tail_call_forward_arguments):
1853         (JSC::JIT::emit_op_tail_call_forward_arguments):
1854         (JSC::JIT::compileSetupVarargsFrame):
1855         (JSC::JIT::compileOpCall):
1856         * jit/JITOperations.cpp:
1857         * jit/JITOperations.h:
1858         * llint/LLIntSlowPaths.cpp:
1859         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1860         (JSC::LLInt::varargsSetup):
1861         * llint/LLIntSlowPaths.h:
1862         * llint/LowLevelInterpreter.asm:
1863         * tests/stress/tailCallForwardArguments.js: Added.
1864         (putFuncToPrivateName.createBuiltin):
1865         (putFuncToPrivateName):
1866         (createTailCallForwardingFuncWith):
1867         (baz):
1868         (baz2):
1869         (baz3):
1870         (let.bodyText):
1871         (baz4):
1872         (baz5):
1873         (arrayEq):
1874
1875 2016-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1876
1877         Unreviewed, follow up patch for r201964
1878         https://bugs.webkit.org/show_bug.cgi?id=158619
1879
1880         Fix typo in the comment.
1881
1882         * runtime/MathCommon.h:
1883         (JSC::toInt32):
1884
1885 2016-06-13  Mark Lam  <mark.lam@apple.com>
1886
1887         Add a mechanism for collecting LLINT stats.
1888         https://bugs.webkit.org/show_bug.cgi?id=158668
1889
1890         Reviewed by Filip Pizlo.
1891
1892         This patch will add a mechanism for collecting the stats on LLINT opcode
1893         execution counts.  The changes made to enable this are:
1894
1895         1. Refactored how Options availability works so that we can add a new category:
1896            Configurable (in addition to the pre-existing Normal and Restricted
1897            availability).
1898                Normal options - always available.
1899                Restricted options - only available on debug builds.
1900                Configurable options - depends on #define flag options.
1901
1902            This change is necessary so that:
1903            a. we won't have to rebuild the world when we want to enable that #define flag
1904               to make that Configurable option available.
1905            b. when the #define flag is disabled, the option will be invisible to the user.
1906
1907            With this, we add our first configurable option, JSC_reportLLIntStats, which
1908            is dependent on the ENABLE_LLINT_STATS flag.  See next.
1909
1910         2. Added the ENABLE_LLINT_STATS flag in LLIntCommon.h.  To enable LLINT stats
1911            collection, we'll need to set this flag to a non-zero value, and rebuild
1912            the project.  By design, this will only require a minimal set of files to
1913            be rebuilt.
1914
1915            ENABLE_LLINT_STATS is 0 (i.e. disabled) by default.
1916
1917         3. Added a slow path callback to the LLINT's traceExecution() macro, to call
1918            _llint_count_opcode(), which in turn counts the opcode.  This callback will
1919            only be built into the LLINT if ENABLE_LLINT_STATS is non-zero.
1920
1921         4. Added s_opcodeStatsArray to LLInt::Data.  This is where the stats are
1922            recorded and stored.
1923
1924         5. Added calls to LLInt::Data::dumpStats() in jsc.cpp and DumpRenderTree.mm
1925            to dump the LLINT stats if enabled.  If enabled, the LLINT stats will be
1926            sorted and dumped (via dataLog) before the programs terminate.
1927
1928         * interpreter/Interpreter.h:
1929         * jsc.cpp:
1930         (main):
1931         * llint/LLIntCommon.h:
1932         * llint/LLIntData.cpp:
1933         (JSC::LLInt::initialize):
1934         (JSC::LLInt::Data::dumpStats):
1935         * llint/LLIntData.h:
1936         (JSC::LLInt::Data::opcodeStats):
1937         * llint/LLIntOfflineAsmConfig.h:
1938         * llint/LLIntSlowPaths.cpp:
1939         (JSC::LLInt::llint_crash):
1940         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1941         * llint/LLIntSlowPaths.h:
1942         * llint/LowLevelInterpreter.asm:
1943         * runtime/Options.cpp:
1944         (JSC::parse):
1945         (JSC::Options::isAvailable):
1946         (JSC::overrideOptionWithHeuristic):
1947         (JSC::scaleJITPolicy):
1948         (JSC::Options::initialize):
1949         (JSC::Options::setOptionWithoutAlias):
1950         (JSC::Options::dumpAllOptions):
1951         (JSC::Options::dumpOption):
1952         * runtime/Options.h:
1953         (JSC::Option::Option):
1954         (JSC::Option::operator!=):
1955         (JSC::Option::id):
1956
1957 2016-06-11  Mark Lam  <mark.lam@apple.com>
1958
1959         Minimize the amount of memcpy done for allocating Error stacks.
1960         https://bugs.webkit.org/show_bug.cgi?id=158664
1961
1962         Reviewed by Darin Adler.
1963
1964         Currently, Vector<StackFrame> are being copied around multiple times in the
1965         process of creating Error stacks.
1966
1967         This patch avoids this unnecessary copying by:
1968         1. Sizing the StackFrame vector correctly to begin with, and skipping
1969            undesirable top frames before filling in the vector.
1970         2. Using perfect forwarding or passing by reference to pass the vector data around
1971            instead of copying the vectors.
1972         3. Changing the Exception object to take a Vector<StackFrame> instead of a
1973            RefCountedArray<StackFrame>.
1974
1975         This patch has passed the JSC and layout tests.  Benchmarks show that perf is
1976         neutral.
1977
1978         * API/tests/testapi.mm:
1979         (testObjectiveCAPI):
1980         * inspector/ScriptCallStackFactory.cpp:
1981         (Inspector::createScriptCallStackFromException):
1982         * interpreter/Interpreter.cpp:
1983         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1984         (JSC::GetStackTraceFunctor::operator()):
1985         (JSC::Interpreter::getStackTrace):
1986         (JSC::Interpreter::stackTraceAsString):
1987         (JSC::findExceptionHandler):
1988         * interpreter/Interpreter.h:
1989         * runtime/Error.cpp:
1990         (JSC::addErrorInfoAndGetBytecodeOffset):
1991         * runtime/Exception.cpp:
1992         (JSC::Exception::finishCreation):
1993         * runtime/Exception.h:
1994         (JSC::Exception::valueOffset):
1995         (JSC::Exception::value):
1996         (JSC::Exception::stack):
1997         (JSC::Exception::didNotifyInspectorOfThrow):
1998         (JSC::Exception::setDidNotifyInspectorOfThrow):
1999
2000 2016-06-11  Mark Lam  <mark.lam@apple.com>
2001
2002         Tests that overflow the stack should not be run with the sampling profiler.
2003         https://bugs.webkit.org/show_bug.cgi?id=158663
2004
2005         Reviewed by Saam Barati.
2006
2007         The sampling profiler will be sampling the whole stack, and the amount of memory
2008         churn will make this test time out, especially with debug builds.  Hence,
2009         let's not run the test with the sampling profiler configuration.
2010
2011         * tests/stress/mutual-tail-call-no-stack-overflow.js:
2012         (shouldThrow):
2013
2014 2016-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2015
2016         Unreviewed, attempt to fix r201964 failure on Apple ports
2017         https://bugs.webkit.org/show_bug.cgi?id=158619
2018
2019         Reviewed by Mark Lam.
2020
2021         Add Private attributes to MathCommon.h.
2022
2023         * JavaScriptCore.xcodeproj/project.pbxproj:
2024
2025 2016-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2026
2027         [JSC] Inline JSC::toInt32 to improve kraken
2028         https://bugs.webkit.org/show_bug.cgi?id=158619
2029
2030         Reviewed by Mark Lam.
2031
2032         Several kraken benchmarks show that JSC::toInt32 is frequently called.
2033         For example, stanford-crypto-pbkdf2 reports that the hottest runtime function is JSC::toInt32.
2034
2035         The data is below (taken by Linux perf tools).
2036         5.50%  jsc      libJavaScriptCore.so.1.0.0  [.] _ZN3JSC7toInt32Ed
2037         3.96%  jsc      libJavaScriptCore.so.1.0.0  [.] _ZN3JSC20arrayProtoFuncConcatEPNS_9ExecStateE
2038         2.48%  jsc      libJavaScriptCore.so.1.0.0  [.] _ZN3JSC19arrayProtoFuncSliceEPNS_9ExecStateE
2039         1.69%  jsc      libJavaScriptCore.so.1.0.0  [.] _ZNK3JSC9Structure27holesMustForwardToPrototypeERNS_2VME
2040
2041         This is because of CommonSlowPaths' bit operations' JSValue::toInt32.
2042         Due to the slow path, in `value | 0`, `value` may be a double number value. In that case, JSC::toInt32 is called.
2043
2044         While JSC::toInt32 is hot, the function itself is very small. It's worth inlining.
2045
2046         This change offers the following kraken improvements.
2047
2048                                                          baseline                  patched
2049         Kraken:
2050            audio-beat-detection                       47.492+-1.701             46.657+-1.232           might be 1.0179x faster
2051            stanford-crypto-aes                        43.669+-0.210      ^      42.862+-0.115         ^ definitely 1.0188x faster
2052            stanford-crypto-ccm                        45.213+-1.424             44.490+-1.290           might be 1.0162x faster
2053            stanford-crypto-pbkdf2                    107.665+-0.581      ^     106.229+-0.807         ^ definitely 1.0135x faster
2054
2055         This patch only focused on the call to toInt32 from the runtime functions.
2056         So JSC::toInt32 calls from the baseline / DFG remain.
2057         We ensure that JIT code uses operationToInt32 instead of JSC::toInt32 since JSC::toInt32 is now marked as ALWAYS_INLINE.
2058         Linux perf profiler also finds that this `operationToInt32` is frequently called in the above benchmarks.
2059         It may be good to introduce asm emit for that instead of calling the JSC::toInt32 operation, in a separate patch.
2060
2061         * dfg/DFGSpeculativeJIT.cpp:
2062         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2063         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2064         * ftl/FTLLowerDFGToB3.cpp:
2065         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
2066         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
2067         * runtime/JSCJSValue.cpp:
2068         (JSC::toInt32): Deleted.
2069         * runtime/JSCJSValueInlines.h:
2070         * runtime/MathCommon.cpp:
2071         (JSC::operationToInt32):
2072         * runtime/MathCommon.h:
2073         (JSC::toInt32):
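        Added example, not JavaScriptCore's own code: a C++ implementation of the
        ECMAScript ToInt32 conversion that JSC::toInt32(double) performs when the
        `value | 0` slow path receives a double operand, with an inline fast path for
        doubles that already hold an int32 value. The function bodies, the helper
        `bitwiseOr` and the sample inputs are this example's own.

```cpp
// Added example, not JavaScriptCore's own code: the ECMAScript ToInt32
// conversion that the entry's JSC::toInt32(double) performs when `value | 0`
// reaches the slow path with a double operand.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Small enough that, as the entry argues, inlining beats a call.
inline int32_t toInt32(double number)
{
    // NaN and +/-Infinity convert to 0.
    if (!std::isfinite(number))
        return 0;

    // Fast path: already representable as int32. The cast truncates toward
    // zero, which is exactly sign(number) * floor(abs(number)); -0.0 gives 0.
    if (number >= -2147483648.0 && number <= 2147483647.0)
        return static_cast<int32_t>(number);

    // Slow path: truncate, reduce modulo 2^32 into [0, 2^32), then wrap into
    // the signed range. Every step is exact for doubles of this magnitude.
    double truncated = std::trunc(number);
    double modulo = std::fmod(truncated, 4294967296.0); // sign follows dividend
    if (modulo < 0)
        modulo += 4294967296.0;
    if (modulo >= 2147483648.0)
        modulo -= 4294967296.0;
    return static_cast<int32_t>(modulo);
}

// What a bitwise-or slow path computes once both operands are doubles
// (hypothetical helper for illustration).
inline int32_t bitwiseOr(double left, double right)
{
    return toInt32(left) | toInt32(right);
}

int main()
{
    // Constructed sample inputs covering fractions, the int32 boundary and
    // values beyond 2^32 in both directions.
    const double samples[] = { 1.9, -1.9, 2147483648.0, 4294967295.0, -4294967297.0, 1e10 };
    for (double sample : samples)
        std::printf("%.1f | 0 -> %d\n", sample, toInt32(sample));
    return 0;
}
```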
2074
2075 2016-06-10  Filip Pizlo  <fpizlo@apple.com>
2076
2077         The backend should be happy to compile Unreachable even if AI didn't prove it to be unreachable
2078         https://bugs.webkit.org/show_bug.cgi?id=158631
2079
2080         Reviewed by Keith Miller.
2081         
2082         We've been slowly making the DFG Unreachable opcode behave like a grown-up. When we first
2083         added it, it was a hack for Throw, and we could always rely on AI proving that Unreachable
2084         was not reachable. But then we started using Unreachable as a proper Unreachable opcode,
2085         like Oops in B3 for example, which has a more nuanced meaning: you use it whenever you
2086         emit code that *you* know will not return, and you need some way of terminating the basic
2087         block. The DFG is not a proof-carrying compiler, and it never will be. So, when you have
2088         proved that something is not reachable, you should be able to use Unreachable even if
2089         there is no guarantee that the compiler will later be able to replicate your proof. This
2090         means that the backend may find itself compiling Unreachable because AI did not prove that
2091         it was unreachable.
2092         
2093         Prior to this change, we would crash compiling Unreachable because we would rely on AI
2094         preventing us from reaching Unreachable in the backend. But that's silly! We don't want
2095         users of Unreachable to have to also convince AI that their Unreachable is really
2096         Unreachable.
2097         
2098         This fixes crashes on real websites. I couldn't work out how to turn them into a reduced
2099         test.
2100
2101         * assembler/AbortReason.h:
2102         * dfg/DFGSpeculativeJIT.cpp:
2103         (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
2104         (JSC::DFG::SpeculativeJIT::unreachable):
2105         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2106         * dfg/DFGSpeculativeJIT.h:
2107         * dfg/DFGSpeculativeJIT32_64.cpp:
2108         (JSC::DFG::SpeculativeJIT::compile):
2109         * dfg/DFGSpeculativeJIT64.cpp:
2110         (JSC::DFG::SpeculativeJIT::compile):
2111         * ftl/FTLLowerDFGToB3.cpp:
2112         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2113         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
2114         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
2115         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
2116
2117 2016-06-09  Alex Christensen  <achristensen@webkit.org>
2118
2119         Clean up JavaScriptCore.vcxproj directory after switching to CMake.
2120
2121         * JavaScriptCore.vcxproj/LLInt: Removed.
2122         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly: Removed.
2123         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: Removed.
2124         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
2125         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Removed.
2126         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets: Removed.
2127         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
2128         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
2129         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Removed.
2130         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor: Removed.
2131         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
2132         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
2133         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
2134         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: Removed.
2135         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.
2136         * JavaScriptCore.vcxproj/jsc: Removed.
2137         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Removed.
2138         * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Removed.
2139         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Removed.
2140         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Removed.
2141         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Removed.
2142         * JavaScriptCore.vcxproj/jsc/jscDebug.props: Removed.
2143         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Removed.
2144         * JavaScriptCore.vcxproj/jsc/jscLauncherPostBuild.cmd: Removed.
2145         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: Removed.
2146         * JavaScriptCore.vcxproj/jsc/jscLauncherPreLink.cmd: Removed.
2147         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Removed.
2148         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Removed.
2149         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Removed.
2150         * JavaScriptCore.vcxproj/jsc/jscProduction.props: Removed.
2151         * JavaScriptCore.vcxproj/jsc/jscRelease.props: Removed.
2152         * JavaScriptCore.vcxproj/testRegExp: Removed.
2153         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Removed.
2154         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Removed.
2155         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Removed.
2156         * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Removed.
2157         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Removed.
2158         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPostBuild.cmd: Removed.
2159         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: Removed.
2160         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreLink.cmd: Removed.
2161         * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Removed.
2162         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Removed.
2163         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Removed.
2164         * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: Removed.
2165         * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Removed.
2166         * JavaScriptCore.vcxproj/testapi: Removed.
2167         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Removed.
2168         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Removed.
2169         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Removed.
2170         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Removed.
2171         * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Removed.
2172         * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: Removed.
2173         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Removed.
2174         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: Removed.
2175         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: Removed.
2176         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreLink.cmd: Removed.
2177         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Removed.
2178         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Removed.
2179         * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Removed.
2180         * JavaScriptCore.vcxproj/testapi/testapiProduction.props: Removed.
2181         * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Removed.
2182         * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: Removed.
2183         * shell/DLLLauncherMain.cpp: Copied from JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp.
2184         * shell/PlatformWin.cmake:
2185
2186 2016-06-09  Filip Pizlo  <fpizlo@apple.com>
2187
2188         Rare failure in stress/v8-deltablue-strict.js.ftl-eager
2189         https://bugs.webkit.org/show_bug.cgi?id=158591
2190
2191         Reviewed by Saam Barati.
2192         
2193         This is a simple and sensible fix to an amazing compiler bug that previously only
2194         manifested rarely in the v8-deltablue-strict test. It required on average 1000 runs while
2195         the system was under load for the bug to manifest. Fortunately, the bug is 100% repro with
2196         concurrent JIT disabled in the new "constant-fold-multi-get-by-offset-to-get-by-offset-on-
2197         prototype-and-sink-allocation.js" test.
2198         
2199         The problem here is that we were allowing ourselves to be super sloppy with the meaning of
2200         the two children of GetByOffset, and to a lesser extent, PutByOffset. The first two
2201         children of these nodes have these meanings:
2202         
2203         child1: the storage from which to load (or to which to store)
2204         child2: the logical object base
2205         
2206         Normally, child1 == child2, but child1 may point to a node that vends the storage pointer
2207         in case we are using multiple indirections to get to the property. That's fairly common.
2208         
2209         Where this gets nutty is that we don't validate the behavior of child1. Previously, the
2210         DFG::Validate phase would accept code that had child1 point to one object and child2 point
2211         to another object. That's bad because then, analyses will assume that we're loading from
2212         one object while we are actually loading from another. One of the fixes is to make
2213         Validate smarter about this, so that future problems with this get caught sooner.
2214         
2215         The actual bug was in ConstantFoldingPhase. When we first wrote ConstantFoldingPhase's
2216         logic for converting GetByIds and MultiGetByOffsets to GetByOffset, we assumed that this
2217         was only for non-prototype loads. This was because the logic was originally written based
2218         on a static GetByIdStatus analysis, which does not handle prototypes. So, as a shortcut,
2219         we would convert the GetById (or MultiGetByOffset) to a GetByOffset by doing this
2220         shuffling of children:
2221         
2222         child1 got the storage pointer, which might be a new GetButterfly node that we created.
2223         child2 got the old value of child1.
2224         
2225         The bug was introduced when I later made it possible for a monomorphic prototype
2226         MultiGetByOffset to be converted to a GetByOffset. Then this algorithm would mean that:
2227         
2228         child1 got either a pointer to the prototype or a storage pointer derived from the
2229             prototype.
2230         child2 got the old value of child1, which was a pointer to the base object (i.e. not the
2231             prototype).
2232         
2233         This happens super rarely because most prototype loads that we can statically reason about
2234         also happen to load constants, so we don't convert to GetByOffset at all. You need the
2235         strange combination of a MultiGetByOffset (not GetById or GetByOffset) on some prototypes
2236         and some static reasoning about the base so that we can convert it to a GetByOffset, but
2237         not enough static reasoning that we can convert it to a constant.
2238         
2239         Even if the bad thing happened, this is not enough for it to cause symptoms. If we
2240         did nothing else - like none of the other optimizations succeeded - then this would
2241         be OK because the backend will emit code based on child1, which is right. But disaster
2242         strikes when the code otherwise looks sane enough for ObjectAllocationSinkingPhase to kick
2243         in. This phase operates on child2, as any good phase should: child1 is only interesting
2244         for knowing *how* to load, not *what* we are loading. The phase is right to ignore child1.
2245
2246         So the phase would assume that we are loading the prototype property ("f" in the new test
2247         or "addToGraph" in deltablue) from the sunken base object allocation in the inlined
2248         constructor. The base object has no such property, but the phase conservatively assumes
2249         that it does indeed have such a property. That's just how the phase does things: it is
2250         very abstract and general, so it assumes that the set of properties on an allocation is
2251         the set of properties that accesses to the allocation speak of. Clearly, this GetByOffset
2252         was speaking of the property as being on the allocation. When sinking completed, it would
2253         convert the GetByOffset to the sunken (a.k.a. promoted) property. But nobody stored to
2254         this property on the allocation, so we'd get the bottom value, which is 1927. Why 1927? I
2255         don't remember anymore, but apparently I chose it. It helped here - when I started seeing
2256         that value come up, it took a quick grep to realize that this was the object allocation
2257         sinking phase's bottom value.
2258         
2259         The real fix to the bug is to make Node::convertToGetByOffset() take an explicit new base
2260         since its clients will use it to potentially create a load on a different object than the
2261         base of the original operation, as in the relatively new
2262         MultiGetByOffset(prototype)->GetByOffset optimization. As far as I know, the PutByOffset
2263         code did not have the same bug because we don't have any optimizations that turn a PutById
2264         or MultiPutByOffset into a PutByOffset on anything but the base object. But the logical
2265         bug is definitely there: there's code in ConstantFoldingPhase that claims to be able to
2266         convert any node to a PutByOffset on any base, but it actually silently reuses the
2267         original node's child1 as the logical base (i.e. child2). This patch makes all of this
2268         stuff explicit. You can't make this mistake anymore.
2269
2270         * dfg/DFGConstantFoldingPhase.cpp:
2271         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2272         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2273         * dfg/DFGNode.h:
2274         (JSC::DFG::Node::convertToGetStack):
2275         (JSC::DFG::Node::convertToGetByOffset):
2276         (JSC::DFG::Node::convertToMultiGetByOffset):
2277         (JSC::DFG::Node::convertToPutByOffset):
2278         * dfg/DFGValidate.cpp:
2279         * tests/stress/constant-fold-multi-get-by-offset-to-get-by-offset-on-prototype-and-sink-allocation.js: Added.
2280         (ThingA):
2281         (ThingB):
2282         (foo):
2283         (bar):
2284         * tests/stress/sink-to-impossible-multi-get-by-offset-on-prototypes.js: Added.
2285         (ThingA):
2286         (ThingB):
2287         (ThingC):
2288         (bar):
2289         (foo):
2290
2291 2016-06-09  Mark Lam  <mark.lam@apple.com>
2292
2293         Make some methods const.
2294         https://bugs.webkit.org/show_bug.cgi?id=158594
2295
2296         Reviewed by Benjamin Poulain.
2297
2298         * bytecode/CodeBlock.cpp:
2299         (JSC::CodeBlock::columnNumberForBytecodeOffset):
2300         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
2301         * bytecode/CodeBlock.h:
2302         * bytecode/ExpressionRangeInfo.h:
2303         (JSC::ExpressionRangeInfo::encodeFatColumnMode):
2304         (JSC::ExpressionRangeInfo::decodeFatLineMode):
2305         (JSC::ExpressionRangeInfo::decodeFatColumnMode):
2306         * bytecode/UnlinkedCodeBlock.cpp:
2307         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
2308         (JSC::UnlinkedCodeBlock::getLineAndColumn):
2309         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
2310         * bytecode/UnlinkedCodeBlock.h:
2311         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
2312         * interpreter/Interpreter.cpp:
2313         (JSC::Interpreter::isOpcode):
2314         (JSC::StackFrame::computeLineAndColumn):
2315         (JSC::StackFrame::toString):
2316         * interpreter/Interpreter.h:
2317         (JSC::StackFrame::isNative):
2318
2319 2016-06-09  Michael Saboff  <msaboff@apple.com>
2320
2321         ES6: Reusing function name as a parameter name shouldn't throw Syntax Error
2322         https://bugs.webkit.org/show_bug.cgi?id=158575
2323
2324         Reviewed by Benjamin Poulain.
2325
2326         The check for a parameter with a duplicate name doesn't take into account the
2327         type of the prior variable.  Added a check that the duplicate is also a
2328         parameter.
2329
2330         See the relevant spec section at:
2331         http://www.ecma-international.org/ecma-262/6.0/#sec-function-definitions-static-semantics-early-errors
2332
2333         * parser/Parser.h:
2334         (JSC::Scope::declareParameter):
2335
2336 2016-06-09  Chris Dumez  <cdumez@apple.com>
2337
2338         Unreviewed, rolling out r201836, r201845, and r201848.
2339
2340         Looks like a 1-2% PLT regression on iOS
2341
2342         Reverted changesets:
2343
2344         "[JSC] Change some parameters based on a random search"
2345         https://bugs.webkit.org/show_bug.cgi?id=158514
2346         http://trac.webkit.org/changeset/201836
2347
2348         "Temporary fix for the debug bots"
2349         http://trac.webkit.org/changeset/201845
2350
2351         "Change thresholdForOptimizeSoon to match
2352         thresholdForOptimizeAfterWarmUp"
2353         http://trac.webkit.org/changeset/201848
2354
2355 2016-06-09  Commit Queue  <commit-queue@webkit.org>
2356
2357         Unreviewed, rolling out r201810.
2358         https://bugs.webkit.org/show_bug.cgi?id=158563
2359
2360         breaks build without ENABLE_WEB_ANIMATION (Requested by
2361         mcatanzaro on #webkit).
2362
2363         Reverted changeset:
2364
2365         "[web-animations] Add Animatable, AnimationEffect,
2366         KeyframeEffect and Animation interface"
2367         https://bugs.webkit.org/show_bug.cgi?id=156096
2368         http://trac.webkit.org/changeset/201810
2369
2370 2016-06-08  Gavin & Ellie Barraclough  <barraclough@apple.com>
2371
2372         JSObject::reifyAllStaticProperties cleanup
2373         https://bugs.webkit.org/show_bug.cgi?id=158543
2374
2375         Reviewed by Mark Lam.
2376
2377         - JSObject & Structure contain fields labeled 'staticFunctionsReified', however reification now
2378           affects all properties, not just functions. Rename to 'staticPropertiesReified'.
2379         - reifyAllStaticProperties relies on a 'hasStaticProperties' method on ClassInfo that walks the
2380           ClassInfo inheritance chain looking for static property tables. We can now more efficiently
2381           get this information from TypeInfo.
2382         - reifyAllStaticProperties triggers a 'toUncacheableDictionaryTransition'; this is overzealous,
2383           cacheable dictionary is sufficient - this is what we do in the case of DOM prototype property
2384           reification (see 'reifyStaticProperties' in Lookup.h). (Changing this with an eye on switching
2385           DOM prototype property reification to use JSObject::reifyAllStaticProperties, rather than
2386           having its own special purpose code path.)
2387
2388         * runtime/ClassInfo.h:
2389         (JSC::ClassInfo::hasStaticProperties): Deleted.
2390             - deprecated by TypeInfo::hasStaticPropertyTable.
2391         * runtime/JSObject.cpp:
2392         (JSC::JSObject::putInlineSlow):
2393         (JSC::JSObject::deleteProperty):
2394         (JSC::JSObject::getOwnNonIndexPropertyNames):
2395             - staticFunctionsReified -> staticPropertiesReified
2396         (JSC::JSObject::reifyAllStaticProperties):
2397             - hasStaticProperties -> TypeInfo::hasStaticPropertyTable
2398             - toUncacheableDictionaryTransition -> toCacheableDictionaryTransition
2399             - staticFunctionsReified -> staticPropertiesReified
2400         * runtime/JSObject.h:
2401         (JSC::JSObject::staticPropertiesReified):
2402         (JSC::JSObject::staticFunctionsReified): Deleted.
2403         * runtime/Lookup.cpp:
2404         (JSC::setUpStaticFunctionSlot):
2405         * runtime/Lookup.h:
2406         (JSC::getStaticPropertySlotFromTable):
2407         (JSC::replaceStaticPropertySlot):
2408         * runtime/Structure.cpp:
2409         (JSC::Structure::Structure):
2410         * runtime/Structure.h:
2411             - staticFunctionsReified -> staticPropertiesReified
2412
2413 2016-06-08  Benjamin Poulain  <bpoulain@apple.com>
2414
2415         Change thresholdForOptimizeSoon to match thresholdForOptimizeAfterWarmUp
2416
2417         Unreviewed.
2418
2419         This adds back the assertion removed in r201845.
2420         Making those thresholds equal is completely perf neutral
2421         (on Haswell rMBP with 20 runs).
2422
2423         * runtime/Options.cpp:
2424         (JSC::Options::initialize):
2425         * runtime/Options.h:
2426
2427 2016-06-08  Benjamin Poulain  <bpoulain@apple.com>
2428
2429         Temporary fix for the debug bots
2430
2431         Unreviewed.
2432
2433         * runtime/Options.cpp:
2434         (JSC::Options::initialize):
2435         Weaken an assertion while I test values for thresholdForOptimizeSoon.
2436
2437 2016-06-08  Benjamin Poulain  <bpoulain@apple.com>
2438
2439         [JSC] Change some parameters based on a random search
2440         https://bugs.webkit.org/show_bug.cgi?id=158514
2441
2442         Reviewed by Filip Pizlo.
2443
2444         Over the weekend, I left an iMac running the JSC benchmarks
2445         while changing a bunch of parameters.
2446
2447         The parameters were changed randomly, with a random deviation
2448         from the original value.
2449         To converge toward good values, the range was subject
2450         to exponential annealing over time.
2451
2452         The values in this patch are the best outcome my iMac could
2453         find over the weekend. It is about 1% better on the Haswell
2454         machines I tested.
2455
2456         * bytecode/CodeBlock.cpp:
2457         (JSC::CodeBlock::optimizationThresholdScalingFactor):
2458         * runtime/Options.h:
2459
2460 2016-06-08  Gavin Barraclough  <barraclough@apple.com>
2461
2462         Remove removeDirect
2463         https://bugs.webkit.org/show_bug.cgi?id=158516
2464
2465         Reviewed by Ryosuke Niwa.
2466
2467         removeDirect is typically used as a subroutine of deleteProperty, but is also available to
2468         call directly. Having this functionality factored out to a separate routine is a bad idea
2469         on a couple of fronts:
2470
2471         - for the main use within deleteProperty there is redundancy (presence of the property
2472           was being checked twice) and inconsistency (the two functions returned different results
2473           in the case of a nonexistent property; the result from removeDirect was never observed).
2474
2475         - all uses of removeDirect are in practical terms incorrect. removeDirect had the
2476           advantage of ignoring the configurable (DontDelete) attributes, but this is achievable
2477           using the DeletePropertyMode setting - and the disadvantage of failing to delete static
2478           table properties. Last uses were one that was removed in bug #158295 (where failure to
2479           delete static properties was a problem), and as addressed in this patch removeDirect is
2480           being used to implement runtime enabled features. This only works because we currently
2481           force reification of all properties on the DOM prototype objects, so in effect there are
2482           no static properties. In order to make the code robust such that runtime enabled
2483           features would still work even if we were not reifying static properties (a change we
2484           may want to make) we should be calling deleteProperty in this case too.
2485
2486         * runtime/JSObject.cpp:
2487         (JSC::JSObject::deleteProperty):
2488             - incorporated removeDirect functionality, added comments & ASSERT.
2489         (JSC::JSObject::removeDirect): Deleted.
2490             - removed.
2491         * runtime/JSObject.h:
2492             - removed removeDirect.
2493
2494 2016-06-08  Mark Lam  <mark.lam@apple.com>
2495
2496         Simplify Interpreter::StackFrame.
2497         https://bugs.webkit.org/show_bug.cgi?id=158498
2498
2499         Reviewed by Saam Barati.
2500
2501         Previously, Interpreter::StackFrame (which is used to capture info for
2502         Error.stack) eagerly extracts info out of CodeBlock and duplicates the work that
2503         CodeBlock does to compute line and column numbers (amongst other things).
2504
2505         This patch does away with the eager extraction and only stashes the CodeBlock
2506         pointer in the Interpreter::StackFrame.  Instead, Interpreter::StackFrame will
2507         provide methods for computing the desired values on request later.
2508
2509         One difference in implementation: the old StackFrame offers a sourceURL and a
2510         friendlySourceURL().  The only difference between the two is that for native
2511         functions, sourceURL returns an empty string, and friendlySourceURL() returns
2512         "[native code]".  This is how it affects the clients of StackFrame:
2513
2514             - In the old code, the Error object's addErrorInfoAndGetBytecodeOffset() and
2515               the inspector's createScriptCallStackFromException() would check if
2516               sourceURL is empty.  If so, they will use this as an indicator to use
2517               alternate source info in the Error object e.g. url and line numbers from
2518               the parser that produced a SyntaxError.
2519
2520             - In the new implementation, StackFrame only has a sourceURL() function that
2521               behaves like the old friendlySourceURL().  The client code that was
2522               relying on sourceURL being empty will now explicitly check whether the
2523               StackFrame is for native code using a new isNative() query in addition to
2524               the sourceURL being empty.  This achieves functional parity with the old
2525               behavior.
2526
2527         Also fix Error.cpp's addErrorInfoAndGetBytecodeOffset() to take a bytecodeOffset
2528         pointer instead of a reference.  The bytecodeOffset arg is supposed to be
2529         optional, but was implemented in an unclear way.  This change clarifies it.
2530
2531         * inspector/ScriptCallStackFactory.cpp:
2532         (Inspector::createScriptCallStackFromException):
2533         * interpreter/Interpreter.cpp:
2534         (JSC::StackFrame::sourceID):
2535         (JSC::StackFrame::sourceURL):
2536         (JSC::StackFrame::functionName):
2537         (JSC::eval):
2538         (JSC::Interpreter::isOpcode):
2539         (JSC::StackFrame::computeLineAndColumn):
2540         (JSC::StackFrame::toString):
2541         (JSC::GetStackTraceFunctor::operator()):
2542         (JSC::StackFrame::friendlySourceURL): Deleted.
2543         (JSC::StackFrame::friendlyFunctionName): Deleted.
2544         (JSC::getStackFrameCodeType): Deleted.
2545         (JSC::StackFrame::expressionInfo): Deleted.
2546         * interpreter/Interpreter.h:
2547         (JSC::StackFrame::isNative):
2548         * runtime/Error.cpp:
2549         (JSC::addErrorInfoAndGetBytecodeOffset):
2550         (JSC::addErrorInfo):
2551         * runtime/Error.h:
2552         * runtime/ErrorInstance.cpp:
2553         (JSC::ErrorInstance::finishCreation):
2554
2555 2016-06-08  Keith Miller  <keith_miller@apple.com>
2556
2557         We should be able to lookup symbols by identifier in builtins
2558         https://bugs.webkit.org/show_bug.cgi?id=158530
2559
2560         Reviewed by Mark Lam.
2561
2562         This patch allows us to look up the value of a symbol property on an
2563         object by identifier in builtins. Before, it was only possible to
2564         do so if we were directly emitting the bytecodes, such as in a
2565         for-of loop looking for Symbol.iterator. As we tier up we convert
2566         the builtin's get_by_val symbol lookups into get_by_id
2567         lookups. However, there is still a significant performance
2568         difference between get_by_id and get_by_val in the LLInt, where
2569         this transformation does not take place.
2570
2571         In order to make this work we hijack BuiltinNames'
2572         m_publicToPrivateMap so that it points the @<symbol>Symbol to the
2573         appropriate vm symbol. This way when we lex the identifier it will
2574         become the appropriate symbol's identifier.  Currently, if the
2575         symbol is used to name a property in an object literal we will not
2576         keep a cache of the Symbol objects we have already seen. We could
2577         add a map for symbols but since we can only load symbols by
2578         identifier in builtins it's likely not worth it. Additionally, even
2579         in builtins it is extremely rare to use Symbols in object
2580         literals.
2581
2582         * builtins/ArrayConstructor.js:
2583         (from):
2584         * builtins/ArrayPrototype.js:
2585         (filter):
2586         (map):
2587         * builtins/BuiltinNames.h:
2588         (JSC::BuiltinNames::BuiltinNames):
2589         * builtins/BuiltinUtils.h:
2590         * builtins/GlobalObject.js:
2591         (speciesConstructor):
2592         * builtins/StringPrototype.js:
2593         (match):
2594         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
2595         (search):
2596         (split):
2597         * builtins/TypedArrayConstructor.js:
2598         (from):
2599         * builtins/TypedArrayPrototype.js:
2600         (map):
2601         (filter):
2602         * bytecode/BytecodeIntrinsicRegistry.cpp:
2603         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): Deleted.
2604         * bytecode/BytecodeIntrinsicRegistry.h:
2605         * bytecompiler/BytecodeGenerator.cpp:
2606         (JSC::BytecodeGenerator::emitLoad):
2607         * parser/Parser.cpp:
2608         (JSC::Parser<LexerType>::parseInner):
2609
2610 2016-06-08  Rawinder Singh  <rawinder.singh-webkit@cisra.canon.com.au>
2611
2612         [web-animations] Add Animatable, AnimationEffect, KeyframeEffect and Animation interface
2613         https://bugs.webkit.org/show_bug.cgi?id=156096
2614
2615         Reviewed by Dean Jackson.
2616
2617         Adds:
2618         - Animatable interface and implementation of getAnimations in Element
2619         - Interface and implementation for Document getAnimations method.
2620         - AnimationEffect interface and class stub.
2621         - KeyframeEffect interface and constructor implementation.
2622         - 'Animation' interface, constructor and query methods for effect and timeline.
2623         - Remove runtime condition on Web animation interfaces (compile time flag is specified).
2624
2625         * runtime/CommonIdentifiers.h:
2626
2627 2016-06-08  Chris Dumez  <cdumez@apple.com>
2628
2629         self.hasOwnProperty() does not work inside Web workers
2630         https://bugs.webkit.org/show_bug.cgi?id=158446
2631         <rdar://problem/26638397>
2632
2633         Reviewed by Geoffrey Garen.
2634
2635         Add a factory function to JSProxy to create a JSProxy without a target.
2636         Also make the setTarget() method public so that the target can now be
2637         set after creation. This is needed so that we can create a proxy for
2638         JSWorkerGlobalScope, then create the JSWorkerGlobalScope object,
2639         passing it the proxy and finally set the target on the proxy.
2640
2641         * runtime/JSProxy.h:
2642         (JSC::JSProxy::create):
2643
2644 2016-06-07  Filip Pizlo  <fpizlo@apple.com>
2645
2646         Add result validation to JSAir
2647         https://bugs.webkit.org/show_bug.cgi?id=158493
2648
2649         Reviewed by Saam Barati.
2650         
2651         Add a ::jsHash() method to some things, to compute a hash code that is suitable for
2652         comparing a C++ Code to a JSAir Code. This is different from existing hashing functionality
2653         because it errs on the side of easy reproducibility from JS rather than speed.
2654
2655         * b3/air/AirArg.cpp:
2656         (JSC::B3::Air::Arg::isCompatibleType):
2657         (JSC::B3::Air::Arg::jsHash):
2658         (JSC::B3::Air::Arg::dump):
2659         * b3/air/AirArg.h:
2660         (JSC::B3::Air::Arg::asDoubleCondition):
2661         (JSC::B3::Air::Arg::isInvertible):
2662         (JSC::B3::Air::Arg::isUnsignedCond):
2663         (JSC::B3::Air::Arg::Arg):
2664         * b3/air/AirCode.cpp:
2665         (JSC::B3::Air::Code::addFastTmp):
2666         (JSC::B3::Air::Code::jsHash):
2667         * b3/air/AirCode.h:
2668         (JSC::B3::Air::Code::lastPhaseName):
2669         * b3/air/AirDumpAsJS.cpp:
2670         (JSC::B3::Air::dumpAsJS):
2671         * b3/air/AirGenerate.cpp:
2672         (JSC::B3::Air::prepareForGeneration):
2673         * b3/air/AirInst.cpp:
2674         (JSC::B3::Air::Inst::hasArgEffects):
2675         (JSC::B3::Air::Inst::jsHash):
2676         (JSC::B3::Air::Inst::dump):
2677         * b3/air/AirInst.h:
2678         * b3/air/AirStackSlot.cpp:
2679         (JSC::B3::Air::StackSlot::setOffsetFromFP):
2680         (JSC::B3::Air::StackSlot::jsHash):
2681         (JSC::B3::Air::StackSlot::dump):
2682         * b3/air/AirStackSlot.h:
2683         * b3/air/opcode_generator.rb:
2684
2685 2016-06-07  Mark Lam  <mark.lam@apple.com>
2686
2687         Need an exception check after constructEmptyArray().
2688         https://bugs.webkit.org/show_bug.cgi?id=158411
2689
2690         Reviewed by Saam Barati.
2691
2692         Added an exception check after each call to constructEmptyArray().
2693
2694         * inspector/JSInjectedScriptHost.cpp:
2695         (Inspector::JSInjectedScriptHost::getInternalProperties):
2696         (Inspector::JSInjectedScriptHost::weakMapEntries):
2697         (Inspector::JSInjectedScriptHost::weakSetEntries):
2698         (Inspector::JSInjectedScriptHost::iteratorEntries):
2699         * interpreter/ShadowChicken.cpp:
2700         (JSC::ShadowChicken::functionsOnStack):
2701         * profiler/ProfilerBytecodeSequence.cpp:
2702         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
2703         * profiler/ProfilerCompilation.cpp:
2704         (JSC::Profiler::Compilation::toJS):
2705         * profiler/ProfilerDatabase.cpp:
2706         (JSC::Profiler::Database::toJS):
2707         * profiler/ProfilerOSRExitSite.cpp:
2708         (JSC::Profiler::OSRExitSite::toJS):
2709         * profiler/ProfilerOriginStack.cpp:
2710         (JSC::Profiler::OriginStack::toJS):
2711         * runtime/ArrayPrototype.cpp:
2712         (JSC::arrayProtoFuncConcat):
2713         (JSC::arrayProtoFuncSlice):
2714         (JSC::arrayProtoFuncSplice):
2715         * runtime/LiteralParser.cpp:
2716         (JSC::LiteralParser<CharType>::parse):
2717         * runtime/ModuleLoaderObject.cpp:
2718         (JSC::moduleLoaderObjectRequestedModules):
2719         * runtime/ObjectConstructor.cpp:
2720         (JSC::ownPropertyKeys):
2721         * runtime/RegExpObject.cpp:
2722         (JSC::collectMatches):
2723         * runtime/RegExpPrototype.cpp:
2724         (JSC::regExpProtoFuncSplitFast):
2725         * runtime/StringPrototype.cpp:
2726         (JSC::stringProtoFuncSplitFast):
2727         * runtime/TemplateRegistry.cpp:
2728         (JSC::TemplateRegistry::getTemplateObject):
2729
2730         * tests/stress/regress-158411.js: Added.
2731
2732 2016-06-07  Filip Pizlo  <fpizlo@apple.com>
2733
2734         Implement Air::allocateStack() in ES6 to see how much of a bad idea that is
2735         https://bugs.webkit.org/show_bug.cgi?id=158318
2736
2737         Reviewed by Saam Barati.
2738         
2739         Most of these changes are to support dumpAsJS(). But I also found some duplicate and dead
2740         code while rewriting it to JS.
2741
2742         * CMakeLists.txt:
2743         * JavaScriptCore.xcodeproj/project.pbxproj:
2744         * b3/air/AirAllocateStack.cpp:
2745         * b3/air/AirArg.h:
2746         (JSC::B3::Air::Arg::isSomeImm):
2747         (JSC::B3::Air::Arg::isAddr):
2748         (JSC::B3::Air::Arg::tmpIndex):
2749         (JSC::B3::Air::Arg::isValidImmForm):
2750         (JSC::B3::Air::Arg::withOffset): Deleted. This was dead code.
2751         * b3/air/AirArgInlines.h: It turns out that Inst has a ForEach thing that duplicated some of the logic of ArgThingHelper, so I just made ArgThingHelper more powerful.
2752         (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
2753         (JSC::B3::Air::ArgThingHelper<Reg>::is):
2754         (JSC::B3::Air::ArgThingHelper<Reg>::as):
2755         (JSC::B3::Air::ArgThingHelper<Reg>::forEachFast):
2756         (JSC::B3::Air::ArgThingHelper<Reg>::forEach):
2757         (JSC::B3::Air::Arg::is):
2758         * b3/air/AirDumpAsJS.cpp: Added.
2759         (JSC::B3::Air::dumpAsJS):
2760         * b3/air/AirDumpAsJS.h: Added.
2761         * b3/air/AirFixObviousSpills.cpp:
2762         * b3/air/AirGenerate.cpp:
2763         (JSC::B3::Air::prepareForGeneration):
2764         * b3/air/AirInstInlines.h:
2765         (JSC::B3::Air::Inst::forEach):
2766         (JSC::B3::Air::Inst::extraClobberedRegs):
2767         (JSC::B3::Air::ForEach<Tmp>::forEach): Deleted. This was doing what ArgThingHelper would have done but not as well.
2768         (JSC::B3::Air::ForEach<Arg>::forEach): Deleted.
2769         (JSC::B3::Air::ForEach<Reg>::forEach): Deleted.
2770         * b3/air/AirLogRegisterPressure.cpp:
2771         * b3/air/AirReportUsedRegisters.cpp:
2772         * b3/air/AirSpillEverything.cpp:
2773         * b3/air/opcode_generator.rb: Make this dump opcode.js, which is like what it dumps for C++.
2774         * jit/Reg.cpp:
2775         (JSC::Reg::debugName):
2776         (JSC::Reg::dump):
2777         * jit/Reg.h:
2778         (JSC::Reg::hash):
2779         * jsc.cpp: Fix jsc so that it reports the filename and line number of parser errors.
2780         (dumpException):
2781         * parser/ParserError.h: Make it easier to debug this code.
2782         (WTF::printInternal):
2783         * runtime/Options.h:
2784
2785 2016-06-07  Keith Rollin  <krollin@apple.com>
2786
2787         Remove all uses of PassRefPtr in WTF
2788         https://bugs.webkit.org/show_bug.cgi?id=157596
2789         <rdar://problem/26234391>
2790
2791         Reviewed by Chris Dumez.
2792
2793         Update calls to interfaces that no longer take or return PassRefPtrs.
2794
2795         * runtime/JSString.cpp:
2796         (JSC::JSRopeString::resolveRope):
2797         * runtime/JSString.h:
2798         (JSC::JSString::JSString):
2799         (JSC::jsSubstring):
2800         * runtime/PrivateName.h:
2801         (JSC::PrivateName::PrivateName):
2802         * runtime/SmallStrings.cpp:
2803         (JSC::SmallStringsStorage::SmallStringsStorage):
2804         * runtime/StringConstructor.cpp:
2805         (JSC::stringFromCharCodeSlowCase):
2806         * runtime/StringPrototype.cpp:
2807         (JSC::jsSpliceSubstrings):
2808         (JSC::jsSpliceSubstringsWithSeparators):
2809         (JSC::replaceUsingStringSearch):
2810         (JSC::repeatCharacter):
2811         (JSC::stringProtoFuncFontsize):
2812         (JSC::stringProtoFuncLink):
2813         (JSC::normalize):
2814
2815 2016-06-07  Saam Barati  <sbarati@apple.com>
2816
2817         InvalidationPointInjectionPhase creates bogus InvalidationPoints that may even be inserted when it's not OK to exit
2818         https://bugs.webkit.org/show_bug.cgi?id=158499
2819         <rdar://problem/26647473>
2820
2821         Reviewed by Mark Lam and Benjamin Poulain.
2822
2823         InvalidationPointInjectionPhase forgot to clear m_originThatHadFire
2824         before analyzing the current block. This meant that
2825         the phase allowed a residual m_originThatHadFire that was set from the
2826         previous block to affect a completely unrelated block. This is usually
2827         harmless, but sometimes we would insert an InvalidationPoint at a point
2828         in the graph where exiting is invalid. This would cause a crash.
2829
2830         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2831         (JSC::DFG::InvalidationPointInjectionPhase::run):
2832         * tests/stress/dont-crash-on-bad-invalidation-point.js: Added.
2833         (dontCrash):
2834
2835 2016-06-07  Saam Barati  <sbarati@apple.com>
2836
2837         operationProcessTypeProfilerLogDFG doesn't update topCallFrame
2838         https://bugs.webkit.org/show_bug.cgi?id=158428
2839         <rdar://problem/26571493>
2840
2841         Reviewed by Mark Lam.
2842
2843         * dfg/DFGOperations.cpp:
2844
2845 2016-06-07  Mark Lam  <mark.lam@apple.com>
2846
2847         calculatedDisplayName() and friends actually need a VM& and not a ExecState/CallFrame.
2848         https://bugs.webkit.org/show_bug.cgi?id=158488
2849
2850         Reviewed by Geoffrey Garen.
2851
2852         calculatedDisplayName() (and some of its friends) actually just need a VM&.
2853         Their work has nothing to do with an ExecState at all.  This patch will make that
2854         clear by changing these functions to take a VM& arg instead of an ExecState* or
2855         CallFrame*.
2856
2857         Also removed the JS_EXPORT_PRIVATE attribute from Interpreter::StackFrame::toString().
2858         The JS_EXPORT_PRIVATE attribute was a holdover from the days when WebInspector
2859         was entirely in WebCore.  It is no longer needed.
2860
2861         * debugger/DebuggerCallFrame.cpp:
2862         (JSC::DebuggerCallFrame::functionName):
2863         * inspector/JSInjectedScriptHost.cpp:
2864         (Inspector::JSInjectedScriptHost::functionDetails):
2865         * inspector/ScriptCallStackFactory.cpp:
2866         (Inspector::createScriptCallStackFromException):
2867         * interpreter/CallFrame.cpp:
2868         (JSC::CallFrame::friendlyFunctionName):
2869         * interpreter/Interpreter.cpp:
2870         (JSC::StackFrame::friendlySourceURL):
2871         (JSC::StackFrame::friendlyFunctionName):
2872         (JSC::StackFrame::expressionInfo):
2873         (JSC::StackFrame::toString):
2874         (JSC::Interpreter::stackTraceAsString):
2875         * interpreter/Interpreter.h:
2876         * interpreter/StackVisitor.cpp:
2877         (JSC::StackVisitor::Frame::functionName):
2878         * runtime/InternalFunction.cpp:
2879         (JSC::InternalFunction::name):
2880         (JSC::InternalFunction::displayName):
2881         (JSC::InternalFunction::getCallData):
2882         (JSC::InternalFunction::calculatedDisplayName):
2883         * runtime/InternalFunction.h:
2884         (JSC::InternalFunction::createStructure):
2885         * runtime/JSFunction.cpp:
2886         (JSC::JSFunction::name):
2887         (JSC::JSFunction::displayName):
2888         (JSC::JSFunction::calculatedDisplayName):
2889         (JSC::JSFunction::getConstructData):
2890         (JSC::getCalculatedDisplayName):
2891         * runtime/JSFunction.h:
2892         (JSC::JSFunction::executable):
2893         * runtime/JSObject.cpp:
2894         (JSC::JSObject::calculatedClassName):
2895
2896 2016-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2897
2898         [JSC] Do not allocate unnecessary UTF-8 string for encodeXXX functions
2899         https://bugs.webkit.org/show_bug.cgi?id=158416
2900
2901         Reviewed by Darin Adler and Geoffrey Garen.
2902
2903         Previously, the encodeXXX functions first allocated a new UTF-8 string and generated (and allocated) the results from this UTF-8 string.
2904         This is costly since the UTF-8 string is always wasted. In this patch, we generate the results without this UTF-8 string.
2905         We precisely implement ECMA262's Encode abstract operation[1].
2906
2907         These optimized encodeXXX functions provide a great improvement in kraken stanford-crypto-sha256-iterative, since it frequently calls
2908         these functions. We can see 6 - 7% improvements.
2909
2910                                                       baseline                  patched
2911
2912         stanford-crypto-sha256-iterative           37.952+-0.155      ^      35.484+-0.265         ^ definitely 1.0695x faster
2913
2914
2915         [1]: https://tc39.github.io/ecma262/#sec-encode
2916
2917         * runtime/JSGlobalObjectFunctions.cpp:
2918         (JSC::toSafeView):
2919         Use this helper function to retrieve JSString::SafeView.
2920
2921         (JSC::makeCharacterBitmap):
2922         (JSC::encode):
2923         In encode, we reserve an N-length buffer up front. This is important when the given string is long,
2924         as it prevents frequent unnecessary buffer reallocations. This reservation contributes a 1% progression on kraken stanford-crypto-sha256-iterative.
2925
2926         (JSC::decode):
2927         Previously, the Bitmap accidentally included \0, and instead of removing this \0 we checked character != 0.
2928         This patch fixes it so that the Bitmap does not include \0.
2929
2930         (JSC::globalFuncParseInt):
2931         (JSC::globalFuncEscape):
2932         (JSC::globalFuncUnescape):
2933         * tests/stress/encode-decode-ascii.js: Added.
2934         (shouldBe):
2935         * tests/stress/encode-decode-unicode.js: Added.
2936         (shouldBe):
2937         (isLowSurrogate):
2938         (isHighSurrogate):
2939         (isSurrogate):
2940         * tests/stress/encode-decode-uri-component-surrogates.js: Added.
2941         (shouldBe):
2942         (toHighSurrogate):
2943         (toLowSurrogate):
2944         * tests/stress/encode-decode-uri-surrogates.js: Added.
2945         (shouldBe):
2946         (toHighSurrogate):
2947         (toLowSurrogate):
2948         * tests/stress/encode-decode-zero.js: Added.
2949         (shouldBe):
2950         * tests/stress/escape-unescape-surrogates.js: Added.
2951         (shouldBe):
2952         (toHighSurrogate):
2953         (toLowSurrogate):
2954
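
As an added illustration (not JavaScriptCore's code), the ECMA-262 Encode abstract operation the entry refers to, in JavaScript: it walks the UTF-16 code units, rejects lone surrogates with a URIError, and escapes each code point's UTF-8 octets directly instead of from a UTF-8 copy of the whole string; the character bitmap is built so that \0 is never in it, mirroring the decode fix above. Function names (encode, makeCharacterBitmap, myEncodeURI*) are my own and the buffer reservation is not reproduced.

```javascript
// Added example, not JSC code: ECMA-262 Encode
// (https://tc39.github.io/ecma262/#sec-encode) applied per code point,
// producing the percent-escaped result without an intermediate UTF-8 string.

// uriUnescaped = uriAlpha + DecimalDigit + uriMark, uriReserved per the spec.
const URI_UNESCAPED =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.!~*'()";
const URI_RESERVED = ";/?:@&=+$,";
const HEX = "0123456789ABCDEF";

// One flag per ASCII code unit. Slots that are never set stay 0, so NUL is
// escaped as %00 rather than passing through (the \0 bitmap bug above).
function makeCharacterBitmap(characters) {
  const bitmap = new Uint8Array(128);
  for (const ch of characters) bitmap[ch.charCodeAt(0)] = 1;
  return bitmap;
}

// UTF-8 octets of a single code point (U+0000..U+10FFFF).
function utf8Octets(cp) {
  if (cp < 0x80) return [cp];
  if (cp < 0x800) return [0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)];
  if (cp < 0x10000)
    return [0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)];
  return [0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
          0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)];
}

// Encode(string, unescapedSet) from the spec, step by step.
function encode(string, unescapedBitmap) {
  const len = string.length;
  let result = "";
  for (let k = 0; k < len; k++) {
    const c = string.charCodeAt(k);
    if (c < 128 && unescapedBitmap[c]) {
      result += string[k];           // in unescapedSet: copy verbatim
      continue;
    }
    // A trailing surrogate with no leading one is malformed.
    if (c >= 0xDC00 && c <= 0xDFFF) throw new URIError("URI malformed");
    let v = c;
    if (c >= 0xD800 && c <= 0xDBFF) {
      // Leading surrogate: the next code unit must be a trailing surrogate.
      k++;
      if (k === len) throw new URIError("URI malformed");
      const trail = string.charCodeAt(k);
      if (trail < 0xDC00 || trail > 0xDFFF) throw new URIError("URI malformed");
      v = (c - 0xD800) * 0x400 + (trail - 0xDC00) + 0x10000;
    }
    for (const octet of utf8Octets(v))
      result += "%" + HEX[octet >> 4] + HEX[octet & 0x0F];
  }
  return result;
}

const COMPONENT_BITMAP = makeCharacterBitmap(URI_UNESCAPED);
const URI_BITMAP = makeCharacterBitmap(URI_UNESCAPED + URI_RESERVED + "#");

function myEncodeURIComponent(s) { return encode(s, COMPONENT_BITMAP); }
function myEncodeURI(s) { return encode(s, URI_BITMAP); }
```

Feeding the same strings to the built-in encodeURIComponent/encodeURI gives identical output, including "%00" for "\0" and a URIError for a lone surrogate.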
2955 2016-06-07  Ting-Wei Lan  <lantw44@gmail.com>
2956
2957         [GTK] Include locale.h before using LC_ALL
2958         https://bugs.webkit.org/show_bug.cgi?id=158470
2959
2960         Reviewed by Darin Adler.
2961
2962         * jsc.cpp:
2963
2964 2016-06-07  Joseph Pecoraro  <pecoraro@apple.com>
2965
2966         Unskip generator related stress tests
2967         https://bugs.webkit.org/show_bug.cgi?id=158461
2968
2969         Reviewed by Darin Adler.
2970
2971         * tests/stress/generator-methods.js:
2972         * tests/stress/generator-syntax.js:
2973         * tests/stress/yield-and-line-terminator.js:
2974         * tests/stress/yield-label-generator.js:
2975         * tests/stress/yield-named-accessors-generator.js:
2976         * tests/stress/yield-named-variable-generator.js:
2977         * tests/stress/yield-out-of-generator.js:
2978
2979 2016-06-06  Joseph Pecoraro  <pecoraro@apple.com>
2980
2981         Fix typo in test name trailing-comma-in-function-paramters.js
2982         https://bugs.webkit.org/show_bug.cgi?id=158462
2983
2984         Reviewed by Mark Lam.
2985
2986         * tests/stress/trailing-comma-in-function-parameters.js: Renamed from Source/JavaScriptCore/tests/stress/trailing-comma-in-function-paramters.js.
2987
2988 2016-06-06  Andreas Kling  <akling@apple.com>
2989
2990         REGRESSION(r197595): 2% JSBench regression on iPhone 5.
2991         <https://webkit.org/b/158459>
2992
2993         Unreviewed rollout.
2994
2995         * runtime/VM.cpp:
2996         (JSC::VM::deleteAllRegExpCode): Deleted.
2997         * runtime/VM.h:
2998
2999 2016-06-06  Michael Saboff  <msaboff@apple.com>
3000
3001         octal and binary parsing is wrong for some programs
3002         https://bugs.webkit.org/show_bug.cgi?id=158437
3003
3004         Reviewed by Saam Barati.
3005
3006         When there is an error parsing a binary or octal literal, we need to clear the returnValue
3007         of any residual value.  This is because the processing of returnValue happens before the
3008         syntax check for the extra character.  Without clearing returnValue, we end up trying to
3009         categorize the value as an INTEGER or DOUBLE token.  If the value happens to be an
3010         impure NaN, we ASSERT.
3011
3012         * parser/Lexer.cpp:
3013         (JSC::Lexer<T>::parseBinary):
3014         (JSC::Lexer<T>::parseOctal):
3015         * tests/stress/regress-158437.js: New test.
3016
3017 2016-06-06  Mark Lam  <mark.lam@apple.com>
3018
3019         32-bit JSC stress test failing: stress/recursive-try-catch.js.ftl-no-cjit-validate-sampling-profiler
3020         https://bugs.webkit.org/show_bug.cgi?id=158362
3021
3022         Reviewed by Michael Saboff.
3023
3024         The test does infinite recursion until it overflows the stack.  That means the
3025         sampling profiler will have to capture excessively large samples, which in turn
3026         makes it run very slowly.  This is what causes the test to time out.
3027
3028         The fix is to not run the test with the sampling profiler.
3029
3030         * tests/stress/recursive-try-catch.js:
3031
3032 2016-06-06  Andreas Kling  <akling@apple.com>
3033
3034         Don't reportAbandonedObjectGraph() after throwing out linked code or RegExps.
3035         <https://webkit.org/b/158444>
3036
3037         Unreviewed.
3038
3039         This is a speculative change for iOS performance bots. The calls to reportAbandonedObjectGraph
3040         were basically redundant, since mainframe navigation will cause GC acceleration anyway via
3041         ScriptController.
3042
3043         This appears successful at recovering the ~0.7% regression I could reproduce locally on newer
3044         hardware but it's a bit too noisy to say for sure.
3045
3046         * runtime/VM.cpp:
3047         (JSC::VM::deleteAllLinkedCode):
3048         (JSC::VM::deleteAllRegExpCode):
3049
3050 2016-06-06  Skachkov Oleksandr  <gskachkov@gmail.com>

3051         [ESNext] Trailing commas in function parameters.
3052         https://bugs.webkit.org/show_bug.cgi?id=158020
3053
3054         Reviewed by Keith Miller.
3055
3056         ESNext allows trailing commas in function parameters and function arguments.
3057         Link to spec: https://jeffmo.github.io/es-trailing-function-commas
3058         Example of use: (function (a, b,) { return a + b; })(1,2,);
3059
3060         * parser/Parser.cpp:
3061         (JSC::Parser<LexerType>::parseFormalParameters):
3062         (JSC::Parser<LexerType>::parseArguments):
3063         * tests/stress/trailing-comma-in-function-paramters.js: Added.
3064
3065 2016-06-05  Gavin & Ellie Barraclough  <barraclough@apple.com>
3066
3067         Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead.
3068         https://bugs.webkit.org/show_bug.cgi?id=158178
3069
3070         Reviewed by Darin Adler.
3071
3072         As of bug #158059 most JSC static table property access no longer requires getOwnPropertySlot to be
3073         overridden. Port remaining calls to the getStatic* functions in Lookup.h over to the new mechanism.
3074
3075         Deprecate the getStatic* functions in Lookup.h.
3076
3077         * runtime/Lookup.h:
3078         (JSC::getStaticPropertySlot): Deleted.
3079         (JSC::getStaticFunctionSlot): Deleted.
3080         (JSC::getStaticValueSlot): Deleted.
3081             - No longer required. Static table access now via JSObject.
3082
3083 2016-06-06  Guillaume Emont  <guijemont@igalia.com>
3084
3085         [jsc][mips] Implement absDouble()
3086         https://bugs.webkit.org/show_bug.cgi?id=158206
3087
3088         Reviewed by Mark Lam.
3089
3090         Implement absDouble() for MIPS. This is needed because Math.pow() uses
3091         it since r200208.
3092
3093         * assembler/MIPSAssembler.h:
3094         (JSC::MIPSAssembler::absd):
3095         * assembler/MacroAssemblerMIPS.h:
3096         (JSC::MacroAssemblerMIPS::absDouble):
3097
3098 2016-06-03  Oliver Hunt  <oliver@apple.com>
3099
3100         RegExp unicode parsing reads an extra character before failing
3101         https://bugs.webkit.org/show_bug.cgi?id=158376
3102
3103         Reviewed by Saam Barati.
3104
3105         This was a probably harmless bug, but keeps triggering assertions
3106         for me locally. Essentially we'd see a parse error, set the error
3107         type, but then carry on parsing. In debug builds this asserts, in
3108         release builds you are pretty safe unless you're exceptionally
3109         unlucky with where the error occurs.
3110
3111         * yarr/YarrParser.h:
3112         (JSC::Yarr::Parser::parseEscape):
3113
3114 2016-06-06  Guillaume Emont  <guijemont@igalia.com>
3115
3116         [jsc][mips] fix JIT::emit_op_log_shadow_chicken_prologue/_tail
3117         https://bugs.webkit.org/show_bug.cgi?id=158209
3118
3119         Reviewed by Mark Lam.
3120
3121         On MIPS, changes GPRInfo::nonArgGPR0 to be regT4 instead of regT0,
3122         since the code of JIT::emit_op_log_shadow_chicken_prologue/_tail()
3123         expects nonArgGPR0 to be a different register from regT0 and regT2.
3124
3125         * jit/GPRInfo.h:
3126
3127 2016-06-06  Chris Dumez  <cdumez@apple.com>
3128
3129         Crash under JSObject::getOwnPropertyDescriptor()
3130         https://bugs.webkit.org/show_bug.cgi?id=158382
3131         <rdar://problem/26605004>
3132
3133         Reviewed by Mark Lam.
3134
3135         * runtime/JSObject.h:
3136         (JSC::JSObject::putDirectInternal):
3137         We were crashing under getOwnPropertyDescriptor() because the
3138         CustomAccessor was not properly reset on window.statusbar when
3139         setting it to false (which is allowed because the property is
3140         marked as [Replaceable] in the IDL). We now properly reset the
3141         CustomAccessor flag in putDirectInternal() when needed. This
3142         fixes the crash.
3143
3144 2016-06-06  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
3145
3146         [EFL] Move efl include paths to JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
3147         https://bugs.webkit.org/show_bug.cgi?id=158418
3148
3149         Reviewed by Csaba Osztrogonác.
3150
3151         In Source/JavaScriptCore/PlatformEfl.cmake, we don't use JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
3152         for efl include paths.
3153
3154         * PlatformEfl.cmake:
3176
3177 2016-06-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3178
3179         Change ProxyObject.[[Get]] not to use custom accessor
3180         https://bugs.webkit.org/show_bug.cgi?id=157080
3181
3182         Reviewed by Darin Adler.
3183
3184         This patch focuses on introducing the second of the following parts.
3185         But to do so, the first and third parts are necessary.
3186
3187         1. Insert missing exception checks for getPropertySlot.
3188
3189             While getPropertySlot can perform user-observable behavior if the slot is not VMInquiry,
3190             several places miss exception checks. For example, ProxyObject's hasProperty can already
3191             throw any error. Looking through the code, we found several missing error checks after
3192             hasProperty, but these will be fixed in a separate patch[1].
3193
3194         2. Do not use custom accessor to implement ProxyObject's [[Get]].
3195
3196             The caller already allows getOwnPropertySlot to throw an exception if the type
3197             is not VMInquiry. So instead of using custom accessor, we simply implement it
3198             directly in the ProxyObject's method.
3199
3200         3. Strip slotBase from custom accessor.
3201
3202             The custom accessor should not be bound to the specific slot base[2], since it
3203             is just an accessor. There is an alternative design: making this custom accessor
3204             a custom value accessor and accepting both the slot base and the receiver instead
3205             of allowing getOwnPropertySlot to throw an error. But we take the first design
3206             that allows getPropertySlot to throw an error, since hasProperty (which does not call
3207             getValue of the custom getters) can already throw errors.
3208
3209             To query the property in a non-user-observable way, we already provide a way to do that:
3210             use VMInquiry and isTaintedByProxy() instead.
3211
3212         Tests just ensure that the current semantics works correctly after this patch.
3213         And this patch is performance neutral.
3214
3215         Later, we will attempt to rename "thisValue" to "receiver"[3].
3216
3217         [1]: https://bugs.webkit.org/show_bug.cgi?id=158398
3218         [2]: https://bugs.webkit.org/show_bug.cgi?id=157978
3219         [3]: https://bugs.webkit.org/show_bug.cgi?id=158397
3220
3221         * API/JSCallbackObject.h:
3222         * API/JSCallbackObjectFunctions.h:
3223         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3224         (JSC::JSCallbackObject<Parent>::callbackGetter):
3225         * bytecode/PolymorphicAccess.cpp:
3226         (JSC::AccessCase::generateImpl):
3227         * dfg/DFGOperations.cpp:
3228         * interpreter/Interpreter.cpp:
3229         (JSC::Interpreter::execute):
3230         * jit/JITOperations.cpp:
3231         * jsc.cpp:
3232         (WTF::ImpureGetter::getOwnPropertySlot):
3233         (WTF::CustomGetter::customGetter):
3234         (WTF::RuntimeArray::lengthGetter):
3235         (GlobalObject::finishCreation):
3236         (GlobalObject::moduleLoaderFetch):
3237         (functionGetGetterSetter):
3238         (functionRun):
3239         (functionLoad):
3240         (functionLoadString):
3241         (functionReadFile):
3242         (functionCheckSyntax):
3243         (functionLoadWebAssembly):
3244         (functionLoadModule):
3245         (functionCreateBuiltin):
3246         (functionCheckModuleSyntax):
3247         (dumpException):
3248         (runWithScripts):
3249         (runInteractive):
3250         * llint/LLIntSlowPaths.cpp:
3251         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3252         * runtime/CommonSlowPaths.cpp:
3253         (JSC::SLOW_PATH_DECL):
3254         * runtime/JSBoundSlotBaseFunction.cpp:
3255         (JSC::boundSlotBaseFunctionCall):
3256         * runtime/JSCJSValue.h:
3257         * runtime/JSCJSValueInlines.h:
3258         (JSC::JSValue::getPropertySlot):
3259         * runtime/JSCellInlines.h:
3260         (JSC::ExecState::vm):
3261         This change is super important for performance. We add several `exec->hadException()` calls into the super hot path, like JSC::operationGetByIdOptimize.
3262         Without this change, we call ExecState::vm() and it is not inlined. This causes 1 - 2% performance regression in Octane PDFJS.
3263
3264         * runtime/JSFunction.cpp:
3265         (JSC::JSFunction::argumentsGetter):
3266         (JSC::JSFunction::callerGetter):
3267         * runtime/JSFunction.h:
3268         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3269         (JSC::constructGenericTypedArrayViewWithArguments):
3270         * runtime/JSModuleNamespaceObject.cpp:
3271         (JSC::callbackGetter):
3272         * runtime/JSONObject.cpp:
3273         (JSC::Stringifier::Holder::appendNextProperty):
3274         Here, UNLIKELY is important for Kraken's json-stringify-tinderbox. Without it, we can observe a 0.5% regression.
3275
3276         (JSC::Walker::walk):
3277         * runtime/JSObject.h:
3278         (JSC::JSObject::getPropertySlot):
3279         * runtime/ObjectPrototype.cpp:
3280         (JSC::objectProtoFuncToString):
3281         * runtime/PropertySlot.cpp:
3282         (JSC::PropertySlot::customGetter):
3283         * runtime/PropertySlot.h:
3284         (JSC::PropertySlot::thisValue):
3285         * runtime/ProxyObject.cpp:
3286         (JSC::performProxyGet):
3287         (JSC::ProxyObject::performGet):
3288         (JSC::ProxyObject::getOwnPropertySlotCommon):
3289         * runtime/ProxyObject.h:
3290         * runtime/RegExpConstructor.cpp:
3291         (JSC::regExpConstructorDollar):
3292         (JSC::regExpConstructorInput):
3293         (JSC::regExpConstructorMultiline):
3294         (JSC::regExpConstructorLastMatch):
3295         (JSC::regExpConstructorLastParen):
3296         (JSC::regExpConstructorLeftContext):
3297         (JSC::regExpConstructorRightContext):
3298         * tests/stress/get-from-scope-dynamic-onto-proxy.js: Added.
3299         (shouldBe):
3300         (shouldThrow.handler.has):
3301         (handler.has):
3302         (try.handler.has):
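The ProxyObject entry above hinges on one fact: a property lookup through a Proxy is user-observable, so `hasProperty`/`getOwnPropertySlot` can run arbitrary script and throw, and every caller must check for a pending exception afterwards. The following is an added illustration, not WebKit code and not the stress test named in the entry: it builds a Proxy whose `has` and `get` traps log every lookup and throw for a chosen key, then drives the same lookups from the `in` operator, plain property reads, and a `with` scope resolution (the case `get-from-scope-dynamic-onto-proxy.js` targets). The key name `poison`, the `probe` helper and the log format are assumptions made for the example.

```javascript
// Added example (not part of WebKit). Shows that [[HasProperty]] and [[Get]] on a
// Proxy run user code: traps fire on `in`, on reads, and on `with` scope lookups,
// and an exception thrown by a trap must propagate to the caller.

function makeLoggingProxy(log) {
  const target = { x: 1 };
  return new Proxy(target, {
    has(t, key) {
      log.push(`has:${String(key)}`);           // String() handles symbol keys
      if (key === "poison") throw new Error("has trap threw");
      return Reflect.has(t, key);
    },
    get(t, key, receiver) {
      log.push(`get:${String(key)}`);
      if (key === "poison") throw new Error("get trap threw");
      return Reflect.get(t, key, receiver);
    },
  });
}

// Run a lookup and record whether it completed or threw, instead of letting a
// trap exception escape the demonstration.
function probe(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// `with` is only legal in sloppy mode; Function() builds a sloppy-mode function
// even when this file is evaluated as strict code (e.g. as an ES module).
const readXViaWith = new Function("p", "with (p) { return x; }");
const readPoisonViaWith = new Function("p", "with (p) { return poison; }");

function runProxyLookups() {
  const log = [];
  const p = makeLoggingProxy(log);
  const results = {
    inX: probe(() => "x" in p),             // [[HasProperty]] -> has trap -> true
    inPoison: probe(() => "poison" in p),   // has trap throws
    getX: probe(() => p.x),                 // [[Get]] -> get trap -> 1
    getPoison: probe(() => p.poison),       // get trap throws
    withX: probe(() => readXViaWith(p)),    // scope lookup: has trap, then get trap
    withPoison: probe(() => readPoisonViaWith(p)), // HasBinding hits the throwing has trap
  };
  return { results, log };
}

// Stand-alone run: every lookup is visible in `log`, and the throwing cases surface
// as errors rather than silently producing undefined.
const demo = runProxyLookups();
console.log(demo.results);
console.log(demo.log);
```

The point for an engine implementer is the `withPoison` case: identifier resolution inside `with` is a property lookup the engine performs on its own behalf, yet it still runs the `has` trap, so code that treats that lookup as side-effect-free and skips the exception check afterwards would keep executing with a pending exception.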