0a7a85666e1063783ef4194f646669c45a48942f
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>
2
3         Web Inspector: Add a way to create a Heap Snapshot
4         https://bugs.webkit.org/show_bug.cgi?id=155188
5
6         Reviewed by Brian Burg.
7
8         * inspector/agents/InspectorHeapAgent.h:
9         * inspector/protocol/Heap.json:
10         * inspector/agents/InspectorHeapAgent.cpp:
11         (Inspector::InspectorHeapAgent::snapshot):
12         Take a heap snapshot and return the JSON string result.
13
14         * inspector/protocol/Debugger.json:
15         Remove unused optional inferredName. Our displayName would be inferred.
16
17 2016-03-08  Oliver Hunt  <oliver@apple.com>
18
19         Fix ios bot build.
20
21         * jit/ExecutableAllocatorFixedVMPool.cpp:
22         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
23
24 2016-03-08  Mark Lam  <mark.lam@apple.com>
25
26         Implement Function.name support for getters/setters and inferring name of function properties.
27         https://bugs.webkit.org/show_bug.cgi?id=154865
28
29         Rubber-stamped by Joseph Pecoraro.
30
31         Follow up to the fix for this bug: adding a few small clean-ups for issues Joe
32         pointed out in the bug.
33
34         * runtime/JSBoundSlotBaseFunction.cpp:
35         (JSC::JSBoundSlotBaseFunction::create):
36         * runtime/JSCJSValue.cpp:
37         (JSC::JSValue::putToPrimitiveByIndex):
38
39 2016-03-08  Oliver Hunt  <oliver@apple.com>
40
41         Start moving to separated writable and executable mappings in the JIT
42         https://bugs.webkit.org/show_bug.cgi?id=155178
43
44         Reviewed by Fil Pizlo.
45
46         Start moving to a separate writable and executable heap for the various
47         JITs.
48
49         As part of our work to harden the JIT against various attacks, we're
50         moving away from our current RWX heap and on to using separate RW and X
51         mappings. This means that simply leaking the location of the executable
52         mapping is not sufficient to compromise JSC, so we can continue to
53         use direct executable pointers in our GC objects (which we need for
54         performance), but keep the writable pointer in only a single location
55         so that we are less likely to leak the address. To further obscure the
56         address of the writable region we place it in an execute only region
57         of memory so that it is not possible to read the location from 
58         anywhere. That means an attacker must have at least partial control
59         of PC (to call jitMemCopy) before they can start to attack the JIT.
60
61         This work is initially ARM64 only, as we use as the jitMemCopy is
62         currently specific to that platform's calling conventions and layout.
63         We're just landing it in the current form so that we can at least
64         ensure it doesn't regress.
65
66         * Configurations/FeatureDefines.xcconfig:
67         * assembler/ARM64Assembler.h:
68         (JSC::ARM64Assembler::ldp):
69         (JSC::ARM64Assembler::ldnp):
70         (JSC::ARM64Assembler::fillNops):
71         (JSC::ARM64Assembler::stp):
72         (JSC::ARM64Assembler::stnp):
73         (JSC::ARM64Assembler::replaceWithJump):
74         (JSC::ARM64Assembler::replaceWithLoad):
75         (JSC::ARM64Assembler::replaceWithAddressComputation):
76         (JSC::ARM64Assembler::setPointer):
77         (JSC::ARM64Assembler::repatchInt32):
78         (JSC::ARM64Assembler::repatchCompact):
79         (JSC::ARM64Assembler::linkJumpOrCall):
80         (JSC::ARM64Assembler::linkCompareAndBranch):
81         (JSC::ARM64Assembler::linkConditionalBranch):
82         (JSC::ARM64Assembler::linkTestAndBranch):
83         (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
84         (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
85         * assembler/LinkBuffer.cpp:
86         (JSC::LinkBuffer::copyCompactAndLinkCode):
87         (JSC::LinkBuffer::allocate):
88         * assembler/LinkBuffer.h:
89         (JSC::LinkBuffer::LinkBuffer):
90         * assembler/MacroAssemblerARM64.h:
91         (JSC::MacroAssemblerARM64::sub64):
92         (JSC::MacroAssemblerARM64::load64):
93         (JSC::MacroAssemblerARM64::loadPair64):
94         (JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
95         (JSC::MacroAssemblerARM64::load8):
96         (JSC::MacroAssemblerARM64::store64):
97         (JSC::MacroAssemblerARM64::storePair64):
98         (JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
99         (JSC::MacroAssemblerARM64::store8):
100         (JSC::MacroAssemblerARM64::branchAdd64):
101         (JSC::MacroAssemblerARM64::branchSub64):
102         * jit/ExecutableAllocator.h:
103         (JSC::performJITMemcpy):
104         * jit/ExecutableAllocatorFixedVMPool.cpp:
105         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
106         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
107         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
108         * runtime/Options.cpp:
109         (JSC::recomputeDependentOptions):
110         * runtime/Options.h:
111
112 2016-03-08  Mark Lam  <mark.lam@apple.com>
113
114         Implement Function.name support for getters/setters and inferring name of function properties.
115         https://bugs.webkit.org/show_bug.cgi?id=154865
116
117         Reviewed by Geoffrey Garen.
118
119         1. toString() no longer uses the value of Function.name as the name of the
120            function in the returned string, because ...
121
122             i. Function.name is supposed to be configurable.  Hence, it can be made
123                writable and can be set to any JSValue, or deleted.
124            ii. Function.prototype.toString() is supposed to produce a string that can be
125                eval'ed.  Hence, for JS functions, the function name in the produced
126                string must be a legal function name (and not some arbitrary value set in
127                Function.name).  For example, while a number is a legal value for
128                Function.name, it is not legal as the function name in the toString()
129                string.
130
131            Instead, we'll always use the original name from the JS source that the
132            function was parsed from.
133
134         2. JSFunction::name() now always return the original name, not the value of
135            the Function.name property.  As a result, it also no longer needs an
136            ExecState* arg.
137
138            If the original name is an empty string, JSFunction::name() will use the
139            inferred name.
140
141         3. For JS functions, the original name can be attained from their
142            FunctionExecutable object.
143
144            For host/native functions (which do not have a FunctionExecutable), we get the
145            "original" name from its NativeExecutable.
146
147         4. The m_hostFunctionStubMap now keys its NativeExecutable pointers using the
148            original name, in addition to the native function and constructor pointers.
149
150            This is needed because we want a different NativeExecutable for functions with
151            a different name (to satisfy (3) above).
152
153         5. Changed JSBoundFunction to store the name of its bound function in its
154            NativeExecutable.  This will later be used to generate the toString() string.
155            It's Function.name value is eagerly initialized at construction time.
156
157         6. Function.name for getters/setters are now prefixed with "get"/"set".
158            This was done both for the JSBoundSlotBaseFunctions and JS definable get/set
159            functions.
160
161         7. Added InternalFunction::m_originalName so that we can use it to generate the
162            toString() string.  We're storing it as a JSString instead of a WTF::String
163            only because we want InternalFunction to be continue to be trivially
164            destructible.
165
166         * inspector/JSInjectedScriptHost.cpp:
167         (Inspector::JSInjectedScriptHost::functionDetails):
168         * jit/JITThunks.cpp:
169         (JSC::JITThunks::finalize):
170         (JSC::JITThunks::hostFunctionStub):
171         * jit/JITThunks.h:
172         * runtime/Executable.h:
173         * runtime/FunctionPrototype.cpp:
174         (JSC::functionProtoFuncToString):
175         * runtime/InternalFunction.cpp:
176         (JSC::InternalFunction::finishCreation):
177         (JSC::InternalFunction::visitChildren):
178         (JSC::InternalFunction::name):
179         (JSC::InternalFunction::displayName):
180         * runtime/InternalFunction.h:
181         * runtime/JSBoundFunction.cpp:
182         (JSC::JSBoundFunction::create):
183         (JSC::JSBoundFunction::visitChildren):
184         (JSC::JSBoundFunction::toStringName): Deleted.
185         * runtime/JSBoundFunction.h:
186         (JSC::JSBoundFunction::boundThis):
187         (JSC::JSBoundFunction::boundArgs):
188         (JSC::JSBoundFunction::createStructure):
189         * runtime/JSBoundSlotBaseFunction.cpp:
190         (JSC::boundSlotBaseFunctionCall):
191         (JSC::JSBoundSlotBaseFunction::create):
192         * runtime/JSFunction.cpp:
193         (JSC::JSFunction::initializeRareData):
194         (JSC::JSFunction::name):
195         (JSC::JSFunction::displayName):
196         (JSC::JSFunction::calculatedDisplayName):
197         (JSC::JSFunction::reifyName):
198         * runtime/JSFunction.h:
199         * tests/es6.yaml:
200
201 2016-03-08  Commit Queue  <commit-queue@webkit.org>
202
203         Unreviewed, rolling out r197793 and r197799.
204         https://bugs.webkit.org/show_bug.cgi?id=155195
205
206         something weird happened while landing this and everything
207         broke (Requested by olliej on #webkit).
208
209         Reverted changesets:
210
211         "Start moving to separated writable and executable mappings in
212         the JIT"
213         https://bugs.webkit.org/show_bug.cgi?id=155178
214         http://trac.webkit.org/changeset/197793
215
216         "arm64 build fix after r197793."
217         http://trac.webkit.org/changeset/197799
218
219 2016-03-08  Alex Christensen  <achristensen@webkit.org>
220
221         arm64 build fix after r197793.
222
223         * jit/ExecutableAllocatorFixedVMPool.cpp:
224         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
225         (JSC::FixedVMPoolExecutableAllocator::initializeBulletproofJIT):
226         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
227         Use consistent ENABLE macro.  It looks like it was partially renamed.
228
229 2016-03-08  Filip Pizlo  <fpizlo@apple.com>
230
231         Regexp matching should incur less call overhead
232         https://bugs.webkit.org/show_bug.cgi?id=155181
233
234         Reviewed by Geoffrey Garen.
235
236         Previously we had DFG/FTL code call into the DFGOperation, which then called in to
237         RegExpObject, which then called into createRegExpMatchesArray, which then called into
238         RegExp, which then called the code generated by Yarr.
239
240         Now we have DFG/FTL code call into the DFGOperation, which does all of the things and calls
241         into code generated by Yarr.
242
243         This is another tiny Octane/regexp speed-up.
244
245         * JavaScriptCore.xcodeproj/project.pbxproj:
246         * dfg/DFGOperations.cpp:
247         * runtime/RegExp.cpp:
248         (JSC::regExpFlags):
249         (JSC::RegExp::compile):
250         (JSC::RegExp::match):
251         (JSC::RegExp::compileMatchOnly):
252         (JSC::RegExp::deleteCode):
253         (JSC::RegExpFunctionalTestCollector::clearRegExp): Deleted.
254         (JSC::RegExp::compileIfNecessary): Deleted.
255         (JSC::RegExp::compileIfNecessaryMatchOnly): Deleted.
256         * runtime/RegExp.h:
257         * runtime/RegExpInlines.h: Added.
258         (JSC::RegExpFunctionalTestCollector::clearRegExp):
259         (JSC::RegExp::compileIfNecessary):
260         (JSC::RegExp::matchInline):
261         (JSC::RegExp::compileIfNecessaryMatchOnly):
262         * runtime/RegExpMatchesArray.cpp:
263         (JSC::createEmptyRegExpMatchesArray):
264         (JSC::createStructureImpl):
265         (JSC::tryCreateUninitializedRegExpMatchesArray): Deleted.
266         (JSC::createRegExpMatchesArray): Deleted.
267         * runtime/RegExpMatchesArray.h:
268         (JSC::tryCreateUninitializedRegExpMatchesArray):
269         (JSC::createRegExpMatchesArray):
270         * runtime/RegExpObject.cpp:
271         (JSC::RegExpObject::put):
272         (JSC::RegExpObject::exec):
273         (JSC::RegExpObject::match):
274         (JSC::getLastIndexAsUnsigned): Deleted.
275         * runtime/RegExpObject.h:
276         (JSC::RegExpObject::getLastIndex):
277         (JSC::RegExpObject::test):
278         (JSC::RegExpObject::testInline):
279         * runtime/RegExpObjectInlines.h: Added.
280         (JSC::getRegExpObjectLastIndexAsUnsigned):
281         (JSC::RegExpObject::execInline):
282         (JSC::RegExpObject::matchInline):
283
284 2016-03-08  Mark Lam  <mark.lam@apple.com>
285
286         synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
287         https://bugs.webkit.org/show_bug.cgi?id=155169
288
289         Reviewed by Geoffrey Garen.
290
291         With the exception checks, we may end up throwing new exceptions over an existing
292         one that has been thrown but not handled yet, thereby obscuring it.  It may also
293         mean that the VM will continue running on potentially unstable state, which may
294         have undesirable consequences.
295
296         I first observed this in some failed assertion while running tests on a patch for
297         https://bugs.webkit.org/show_bug.cgi?id=154865.
298
299         Performance is neutral with this patch (tested on x86_64).
300
301         1. Deleted JSNotAnObject, and removed all uses of it.
302
303         2. Added exception checks, when needed, following calls to synthesizePrototype()
304            and JSValue::toObject().
305
306            The cases that do not need an exception check are the ones that already ensures
307            that JSValue::toObject() is only called on a value that is convertible to an
308            object.  In those cases, I added an assertion that no exception was thrown
309            after the call.
310
311         * CMakeLists.txt:
312         * JavaScriptCore.xcodeproj/project.pbxproj:
313         * inspector/ScriptCallStackFactory.cpp:
314         (Inspector::createScriptCallStackFromException):
315         * interpreter/Interpreter.cpp:
316         * jit/JITOperations.cpp:
317         * llint/LLIntSlowPaths.cpp:
318         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
319         * runtime/ArrayPrototype.cpp:
320         (JSC::arrayProtoFuncJoin):
321         (JSC::arrayProtoFuncConcat):
322         (JSC::arrayProtoFuncPop):
323         (JSC::arrayProtoFuncPush):
324         (JSC::arrayProtoFuncReverse):
325         (JSC::arrayProtoFuncShift):
326         (JSC::arrayProtoFuncSlice):
327         (JSC::arrayProtoFuncSplice):
328         (JSC::arrayProtoFuncUnShift):
329         (JSC::arrayProtoFuncIndexOf):
330         (JSC::arrayProtoFuncLastIndexOf):
331         (JSC::arrayProtoFuncValues):
332         (JSC::arrayProtoFuncEntries):
333         (JSC::arrayProtoFuncKeys):
334         * runtime/CommonSlowPaths.cpp:
335         (JSC::SLOW_PATH_DECL):
336         * runtime/ExceptionHelpers.cpp:
337         * runtime/JSCJSValue.cpp:
338         (JSC::JSValue::toObjectSlowCase):
339         (JSC::JSValue::toThisSlowCase):
340         (JSC::JSValue::synthesizePrototype):
341         (JSC::JSValue::putToPrimitive):
342         (JSC::JSValue::putToPrimitiveByIndex):
343         * runtime/JSCJSValueInlines.h:
344         (JSC::JSValue::getPropertySlot):
345         (JSC::JSValue::get):
346         * runtime/JSFunction.cpp:
347         * runtime/JSGlobalObjectFunctions.cpp:
348         (JSC::globalFuncProtoGetter):
349         * runtime/JSNotAnObject.cpp: Removed.
350         * runtime/JSNotAnObject.h: Removed.
351         * runtime/ObjectConstructor.cpp:
352         (JSC::objectConstructorDefineProperties):
353         (JSC::objectConstructorCreate):
354         * runtime/ObjectPrototype.cpp:
355         (JSC::objectProtoFuncValueOf):
356         (JSC::objectProtoFuncHasOwnProperty):
357         (JSC::objectProtoFuncIsPrototypeOf):
358         (JSC::objectProtoFuncToString):
359         * runtime/VM.cpp:
360         (JSC::VM::VM):
361         * runtime/VM.h:
362
363 2016-03-08  Oliver Hunt  <oliver@apple.com>
364
365         Start moving to separated writable and executable mappings in the JIT
366         https://bugs.webkit.org/show_bug.cgi?id=155178
367
368         Reviewed by Filip Pizlo.
369
370         Start moving to a separate writable and executable heap for the various
371         JITs.
372
373         As part of our work to harden the JIT against various attacks, we're
374         moving away from our current RWX heap and on to using separate RW and X
375         mappings. This means that simply leaking the location of the executable
376         mapping is not sufficient to compromise JSC, so we can continue to
377         use direct executable pointers in our GC objects (which we need for
378         performance), but keep the writable pointer in only a single location
379         so that we are less likely to leak the address. To further obscure the
380         address of the writable region we place it in an execute only region
381         of memory so that it is not possible to read the location from 
382         anywhere. That means an attacker must have at least partial control
383         of PC (to call jitMemCopy) before they can start to attack the JIT.
384
385         This work is initially ARM64 only, as we use as the jitMemCopy is
386         currently specific to that platform's calling conventions and layout.
387         We're just landing it in the current form so that we can at least
388         ensure it doesn't regress.
389
390         * Configurations/FeatureDefines.xcconfig:
391         * assembler/ARM64Assembler.h:
392         (JSC::ARM64Assembler::ldp):
393         (JSC::ARM64Assembler::ldnp):
394         (JSC::ARM64Assembler::fillNops):
395         (JSC::ARM64Assembler::stp):
396         (JSC::ARM64Assembler::stnp):
397         (JSC::ARM64Assembler::replaceWithJump):
398         (JSC::ARM64Assembler::replaceWithLoad):
399         (JSC::ARM64Assembler::replaceWithAddressComputation):
400         (JSC::ARM64Assembler::setPointer):
401         (JSC::ARM64Assembler::repatchInt32):
402         (JSC::ARM64Assembler::repatchCompact):
403         (JSC::ARM64Assembler::linkJumpOrCall):
404         (JSC::ARM64Assembler::linkCompareAndBranch):
405         (JSC::ARM64Assembler::linkConditionalBranch):
406         (JSC::ARM64Assembler::linkTestAndBranch):
407         (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
408         (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
409         * assembler/LinkBuffer.cpp:
410         (JSC::LinkBuffer::copyCompactAndLinkCode):
411         (JSC::LinkBuffer::allocate):
412         * assembler/LinkBuffer.h:
413         (JSC::LinkBuffer::LinkBuffer):
414         * assembler/MacroAssemblerARM64.h:
415         (JSC::MacroAssemblerARM64::sub64):
416         (JSC::MacroAssemblerARM64::load64):
417         (JSC::MacroAssemblerARM64::loadPair64):
418         (JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
419         (JSC::MacroAssemblerARM64::load8):
420         (JSC::MacroAssemblerARM64::store64):
421         (JSC::MacroAssemblerARM64::storePair64):
422         (JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
423         (JSC::MacroAssemblerARM64::store8):
424         (JSC::MacroAssemblerARM64::branchAdd64):
425         (JSC::MacroAssemblerARM64::branchSub64):
426         * jit/ExecutableAllocator.h:
427         (JSC::performJITMemcpy):
428         * jit/ExecutableAllocatorFixedVMPool.cpp:
429         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
430         (JSC::FixedVMPoolExecutableAllocator::initializeBulletproofJIT):
431         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
432         * runtime/Options.cpp:
433         (JSC::recomputeDependentOptions):
434         * runtime/Options.h:
435
436 2016-03-08  Michael Saboff  <msaboff@apple.com>
437
438         [ES6] Regular Expression canonicalization tables for Unicode need to be updated to use Unicode CaseFolding.txt
439         https://bugs.webkit.org/show_bug.cgi?id=155114
440
441         Reviewed by Darin Adler.
442
443         Extracted out the Unicode canonicalization table creation from
444         YarrCanonicalizeUnicode.js into a new Python script, generateYarrCanonicalizeUnicode.
445         That script generates the Unicode tables as the file YarrCanonicalizeUnicode.cpp in
446         DerivedSources/JavaScriptCore.
447
448         Updated the processing of ignore case to make the ASCII short cuts dependent on whether
449         or not we are a Unicode pattern.
450
451         Renamed yarr/YarrCanonicalizeUnicode.{cpp,js} back to their prior names,
452         YarrCanonicalizeUCS2.{cpp,js}.
453         Renamed yarr/YarrCanonicalizeUnicode.h to YarrCanonicalize.h as it declares both the
454         legacy UCS2 and Unicode tables.
455
456         * CMakeLists.txt:
457         * DerivedSources.make:
458         * JavaScriptCore.xcodeproj/project.pbxproj:
459         * generateYarrCanonicalizeUnicode: Added.
460         * ucd: Added.
461         * ucd/CaseFolding.txt: Added.  The current verion, 8.0, of the Unicode CaseFolding table.
462         * yarr/YarrCanonicalizeUCS2.cpp: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.cpp.
463         * yarr/YarrCanonicalize.h: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.h.
464         * yarr/YarrCanonicalizeUCS2.js: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.js.
465         (printHeader):
466         * yarr/YarrCanonicalizeUnicode.cpp: Removed.
467         * yarr/YarrCanonicalizeUnicode.h: Removed.
468         * yarr/YarrCanonicalizeUnicode.js: Removed.
469         * yarr/YarrInterpreter.cpp:
470         (JSC::Yarr::Interpreter::tryConsumeBackReference):
471         * yarr/YarrJIT.cpp:
472         * yarr/YarrPattern.cpp:
473         (JSC::Yarr::CharacterClassConstructor::putChar):
474
475 2016-03-08  Andreas Kling  <akling@apple.com>
476
477         WeakBlock::visit() should check for a WeakHandleOwner before consulting mark bits.
478         <https://webkit.org/b/155154>
479
480         Reviewed by Darin Adler.
481
482         Reorder the checks in WeakBlock::visit() so we don't look at the mark bits in MarkedBlock
483         unless the current WeakImpl has a WeakHandleOwner we need to consult.
484
485         I was originally hoping to make an optimization that could skip over entire WeakBlocks
486         if they didn't have a single WeakHandleOwner, but it turns out that scenario is not as
487         common as I suspected.
488
489         * heap/WeakBlock.cpp:
490         (JSC::WeakBlock::visit):
491
492 2016-03-07  Saam barati  <sbarati@apple.com>
493
494         [ES6] Implement revocable proxies
495         https://bugs.webkit.org/show_bug.cgi?id=154321
496
497         Reviewed by Mark Lam.
498
499         This patch is a straight forward implementation of Proxy.revocable
500         with respect to section 26.2.2.1 of the ECMAScript spec.
501         https://tc39.github.io/ecma262/#sec-proxy.revocable
502
503         This patch also fixes a bug in Proxy where we
504         were incorrectly caching "in", i.e, `"x" in proxy`.
505         We should never blatantly cache this because caching is observable
506         behavior by users of the language. We could come up with
507         a smarter caching scheme that caches only if the Proxy's
508         handler doesn't have a "has" property, i.e, we don't have
509         to call out to JS code. But for now, it's easiest to disable
510         caching.
511
512         * CMakeLists.txt:
513         * JavaScriptCore.xcodeproj/project.pbxproj:
514         * runtime/JSGlobalObject.cpp:
515         (JSC::JSGlobalObject::init):
516         (JSC::JSGlobalObject::visitChildren):
517         * runtime/JSGlobalObject.h:
518         (JSC::JSGlobalObject::moduleRecordStructure):
519         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
520         (JSC::JSGlobalObject::proxyObjectStructure):
521         (JSC::JSGlobalObject::proxyRevokeStructure):
522         (JSC::JSGlobalObject::wasmModuleStructure):
523         * runtime/ProxyConstructor.cpp:
524         (JSC::ProxyConstructor::create):
525         (JSC::ProxyConstructor::ProxyConstructor):
526         (JSC::makeRevocableProxy):
527         (JSC::proxyRevocableConstructorThrowError):
528         (JSC::ProxyConstructor::finishCreation):
529         (JSC::constructProxyObject):
530         * runtime/ProxyConstructor.h:
531         (JSC::ProxyConstructor::createStructure):
532         * runtime/ProxyObject.cpp:
533         (JSC::ProxyObject::finishCreation):
534         (JSC::performProxyGet):
535         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
536         (JSC::ProxyObject::performHasProperty):
537         (JSC::ProxyObject::performPut):
538         (JSC::performProxyCall):
539         (JSC::performProxyConstruct):
540         (JSC::ProxyObject::performDelete):
541         (JSC::ProxyObject::performPreventExtensions):
542         (JSC::ProxyObject::performIsExtensible):
543         (JSC::ProxyObject::performDefineOwnProperty):
544         (JSC::ProxyObject::performGetOwnPropertyNames):
545         (JSC::ProxyObject::performSetPrototype):
546         (JSC::ProxyObject::performGetPrototype):
547         (JSC::ProxyObject::getPrototype):
548         (JSC::ProxyObject::revoke):
549         (JSC::ProxyObject::visitChildren):
550         * runtime/ProxyObject.h:
551         (JSC::ProxyObject::create):
552         * runtime/ProxyRevoke.cpp: Added.
553         (JSC::ProxyRevoke::create):
554         (JSC::ProxyRevoke::ProxyRevoke):
555         (JSC::ProxyRevoke::finishCreation):
556         (JSC::performProxyRevoke):
557         (JSC::ProxyRevoke::getCallData):
558         (JSC::ProxyRevoke::visitChildren):
559         * runtime/ProxyRevoke.h: Added.
560         (JSC::ProxyRevoke::createStructure):
561         (JSC::ProxyRevoke::proxy):
562         (JSC::ProxyRevoke::setProxyToNull):
563         * tests/stress/proxy-has-property.js:
564         (assert):
565         (assert.let.handler.has):
566         (assert.let.foo):
567         * tests/stress/proxy-revoke.js: Added.
568         (assert):
569         (throw.new.Error.):
570         (throw.new.Error):
571         (callAllHandlers):
572         (shouldThrowNullHandler):
573         (allHandlersShouldThrow):
574         (i.let.trap.of.traps.trap.string_appeared_here.func):
575         (i.let.trap.of.traps.else.func):
576         (i.Proxy.revocable):
577
578 2016-03-07  Csaba Osztrogon√°c  <ossy@webkit.org>
579
580         Fix the ARM build after r197687
581         https://bugs.webkit.org/show_bug.cgi?id=155128
582
583         Reviewed by Saam Barati.
584
585         * assembler/MacroAssemblerARM.h:
586         (JSC::MacroAssemblerARM::moveZeroToDouble):
587
588 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
589
590         Reduce the number of instructions needed to record the last regexp result
591         https://bugs.webkit.org/show_bug.cgi?id=155161
592
593         Reviewed by Sam Weinig.
594
595         This tightens up RegExpCachedResult::record(). My profiling shows that we spend just
596         over 1% of the time in Octane/regexp in this function. This function had two obvious
597         redundancies:
598
599         1) It executed the write barrier on owner twice. It only needs to execute it once. Since
600            the same RegExpConstructor is likely to be used many times, it makes sense to do the
601            barrier without looking at the 'to' objects at all. In steady state, this means that
602            the RegExpConstructor will simply be OldGrey so this one barrier will always skip the
603            slow path.
604
605         2) It cleared some fields that didn't need to be cleared, since we can just use
606            m_reified to indicate that the fields are not meaningful anymore.
607
608         This is meant to be a microscopic regexp speed-up.
609
610         * runtime/RegExpCachedResult.cpp:
611         (JSC::RegExpCachedResult::visitChildren):
612         (JSC::RegExpCachedResult::lastResult):
613         * runtime/RegExpCachedResult.h:
614         (JSC::RegExpCachedResult::record):
615
616 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
617
618         createRegExpMatchesArray should allocate substrings more quickly
619         https://bugs.webkit.org/show_bug.cgi?id=155160
620
621         Reviewed by Sam Weinig.
622
623         This was calling a version of jsSubstring() that isn't inlineable because it was doing a lot
624         of checks in finishCreation(). In particular, it was checking that the base string is not
625         itself a substring and that it's been resolved. We don't need those checks here, since the
626         string must have been resolved prior to regexp processing.
627
628         This patch is also smart about whether to do checks for the empty and full substrings. In
629         the matches array loop, these checks are super unlikely to be profitable, so we just
630         unconditionally allocate the substring.
631
632         This removes those checks and makes the allocation inlineable. It looks like a 1% speed-up
633         on Octane/regexp.
634
635         * runtime/JSString.h:
636         (JSC::jsSubstring):
637         (JSC::jsSubstringOfResolved):
638         * runtime/RegExpMatchesArray.cpp:
639         (JSC::createRegExpMatchesArray):
640
641 2016-03-07  Benjamin Poulain  <bpoulain@apple.com>
642
643         [JSC] Small clean up of how we use SSA's valuesAtHead
644         https://bugs.webkit.org/show_bug.cgi?id=155152
645
646         Reviewed by Filip Pizlo.
647
648         liveAtHead and valuesAtHead contain the same nodes,
649         we do not need the extra look up.
650
651         This also opens the way to use the same kind of liveness
652         analysis as Air (where live values at head do not use a set).
653
654         * dfg/DFGInPlaceAbstractState.cpp:
655         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
656         (JSC::DFG::InPlaceAbstractState::merge):
657
658 2016-03-07  Brian Burg  <bburg@apple.com>
659
660         Web Inspector: the protocol generator should generate factory method stubs for protocol types
661         https://bugs.webkit.org/show_bug.cgi?id=155103
662         <rdar://problem/25002772>
663
664         Reviewed by Timothy Hatcher.
665
666         Generate stubs with unique names so that parsing methods can be used
667         reflectively at runtime, based on the protocol version that's loaded.
668
669         * JavaScriptCore.xcodeproj/project.pbxproj:
670         * inspector/scripts/codegen/__init__.py:
671         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
672         Added. For each type in a domain, add a method of the form
673         -[ProtocolTypeConversions _parseXXX:fromPayload]. This is in a category
674         method, and the selector is only ever looked up at runtime.
675
676         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
677         * inspector/scripts/generate-inspector-protocol-bindings.py:
678         (generate_from_specification):
679
680         Rebaseline test results with new generator output.
681
682         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
683         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
684         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
685         * inspector/scripts/tests/expected/enum-values.json-result:
686         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
687         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
688         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
689         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
690         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
691         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
692         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
693         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
694         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
695
696 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
697
698         RegExp.prototype.exec() should call into Yarr at most once
699         https://bugs.webkit.org/show_bug.cgi?id=155139
700
701         Reviewed by Saam Barati.
702
703         For apparently no good reason, RegExp.prototype.match() was calling into Yarr twice, almost
704         as if it was hoping that the non-matching case was so common that it was best to have the
705         matching case do the work all over again.
706
707         This is a 4% speed-up on Octane/regexp. It's also a matter of common sense: we should not be
708         in the business of presuming whether someone's match will succeed or fail. The increased
709         cost of running Yarr twice is so much larger than whatever savings we were getting from
710         running a match-only regexp that this is just not a good overall deal for the engine.
711
712         Also, it's interesting that we are seeing a 4% speed-up on regexp despite the fact that a
713         majority (almost a supermajority, I think) of calls into RegExp.prototype.match() are failed
714         matches. So, this change is a 4% speed-up despite being a slow down on the common case. That
715         tells you just how bad the old behavior was on the uncommon case.
716
717         * runtime/MatchResult.h:
718         (MatchResult::MatchResult):
719         (MatchResult::failed):
720         (MatchResult::operator bool):
721         * runtime/RegExpCachedResult.cpp:
722         (JSC::RegExpCachedResult::lastResult):
723         * runtime/RegExpConstructor.h:
724         (JSC::RegExpConstructor::setMultiline):
725         (JSC::RegExpConstructor::multiline):
726         (JSC::RegExpConstructor::performMatch):
727         (JSC::RegExpConstructor::recordMatch):
728         * runtime/RegExpMatchesArray.cpp:
729         (JSC::createRegExpMatchesArray):
730         (JSC::createEmptyRegExpMatchesArray):
731         (JSC::createStructureImpl):
732         * runtime/RegExpMatchesArray.h:
733         (JSC::createRegExpMatchesArray):
734         * runtime/RegExpObject.cpp:
735         (JSC::RegExpObject::put):
736         (JSC::getLastIndexAsUnsigned):
737         (JSC::RegExpObject::exec):
738         (JSC::RegExpObject::match):
739         * runtime/RegExpObject.h:
740         (JSC::RegExpObject::getLastIndex):
741         (JSC::RegExpObject::test):
742         * runtime/StringPrototype.cpp:
743         (JSC::stringProtoFuncMatch):
744
745 2016-03-07  Joseph Pecoraro  <pecoraro@apple.com>
746
747         Heap Snapshot should include different Edge types and data (Property, Index, Variable)
748         https://bugs.webkit.org/show_bug.cgi?id=154937
749
750         Reviewed by Geoffrey Garen.
751
752         * heap/SlotVisitor.cpp:
753         (JSC::SlotVisitor::appendHidden):
754         * heap/SlotVisitor.h:
755         * heap/SlotVisitorInlines.h:
756         (JSC::SlotVisitor::appendHidden):
757         (JSC::SlotVisitor::appendValuesHidden):
758         Add new visit methods to visit a reference without snapshotting the edge.
759
760         * heap/Heap.cpp:
761         (JSC::AddExtraHeapSnapshotEdges::AddExtraHeapSnapshotEdges):
762         (JSC::AddExtraHeapSnapshotEdges::operator()):
763         (JSC::Heap::addHeapSnapshotEdges):
764         (JSC::Heap::removeDeadHeapSnapshotNodes):
765         (JSC::Heap::collectImpl):
766         * heap/Heap.h:
767         After marking, visit the live cells for a chance to record extra
768         heap snapshotting information about the cell.
769
770         * heap/HeapSnapshotBuilder.cpp:
771         (JSC::HeapSnapshotBuilder::appendNode):
772         (JSC::HeapSnapshotBuilder::appendEdge):
773         (JSC::HeapSnapshotBuilder::appendPropertyNameEdge):
774         (JSC::HeapSnapshotBuilder::appendVariableNameEdge):
775         (JSC::HeapSnapshotBuilder::appendIndexEdge):
776         (JSC::HeapSnapshotBuilder::json):
777         * heap/HeapSnapshotBuilder.h:
778         (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
779         Construct edges with extra data.
780
781         * runtime/ClassInfo.h:
782         * runtime/JSCell.cpp:
783         (JSC::JSCell::heapSnapshot):
784         * runtime/JSCell.h:
785         Add a new method to provide cells with an opportunity to provide
786         extra heap snapshotting information.
787
788         * runtime/JSObject.cpp:
789         (JSC::JSObject::visitButterfly):
790         (JSC::JSObject::visitChildren):
791         (JSC::JSObject::heapSnapshot):
792         (JSC::JSFinalObject::visitChildren):
793         * runtime/JSObject.h:
794         Capture object property names and index names when heap snapshotting.
795         Do not include them as internal edges in normal visitChildren.
796
797         * runtime/JSEnvironmentRecord.cpp:
798         (JSC::JSEnvironmentRecord::visitChildren):
799         (JSC::JSEnvironmentRecord::heapSnapshot):
800         * runtime/JSEnvironmentRecord.h:
801         * runtime/JSSegmentedVariableObject.cpp:
802         (JSC::JSSegmentedVariableObject::visitChildren):
803         (JSC::JSSegmentedVariableObject::heapSnapshot):
804         * runtime/JSSegmentedVariableObject.h:
805         Capture scope variable names when heap snapshotting.
806
807         * runtime/Structure.cpp:
808         (JSC::Structure::visitChildren):
809         * runtime/Structure.h:
810         * runtime/StructureInlines.h:
811         (JSC::Structure::propertyTable):
812         When performing a heap snapshotting collection, don't clear the
813         property table so that accessing the table during this GC is okay.
814
815         * tests/heapProfiler/driver/driver.js:
816         * tests/heapProfiler/property-edge-types.js: Added.
817         * tests/heapProfiler/variable-edge-types.js: Added.
818         Tests covering the different edge types and data we capture.
819
820 2016-03-07  Saam barati  <sbarati@apple.com>
821
822         [ES6] Implement Proxy.[[GetPrototypeOf]]
823         https://bugs.webkit.org/show_bug.cgi?id=155099
824
825         Reviewed by Mark Lam.
826
827         This patch is a straight forward implementation of Proxy.[[GetPrototypeOf]]
828         with respect to section 9.5.1 of the ECMAScript spec.
829         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-getprototypeof
830
831         * runtime/ProxyObject.cpp:
832         (JSC::performProxyGet):
833         (JSC::ProxyObject::setPrototype):
834         (JSC::ProxyObject::performGetPrototype):
835         (JSC::ProxyObject::getPrototype):
836         (JSC::ProxyObject::visitChildren):
837         * runtime/ProxyObject.h:
838         * tests/es6.yaml:
839         * tests/stress/proxy-get-prototype-of.js: Added.
840         (assert):
841         (throw.new.Error.let.handler.get getPrototypeOf):
842         (throw.new.Error.get let):
843         (throw.new.Error.get catch):
844         (throw.new.Error):
845         (assert.let.handler.getPrototypeOf):
846         (assert.get let):
847         (assert.get catch):
848         (assert.):
849         (let.handler.getPrototypeOf):
850         (get let):
851         (let.handler.has):
852
853 2016-03-07  Brian Burg  <bburg@apple.com>
854
855         Web Inspector: rename generated *EnumConversionHelpers.h to *TypeConversions.h
856         https://bugs.webkit.org/show_bug.cgi?id=155121
857         <rdar://problem/25010391>
858
859         Reviewed by Timothy Hatcher.
860
861         Split out this renaming from the work to generate factory method stubs for types.
862
863         * JavaScriptCore.xcodeproj/project.pbxproj:
864         * inspector/scripts/codegen/__init__.py:
865         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
866         (ObjCConfigurationImplementationGenerator.generate_output):
867         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
868         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
869         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objc_conversion_helpers.py.
870         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
871         (ObjCProtocolTypesImplementationGenerator.generate_output):
872         * inspector/scripts/codegen/objc_generator_templates.py:
873         * inspector/scripts/generate-inspector-protocol-bindings.py:
874         (generate_from_specification):
875
876         Rebaseline tests after changing generator order.
877
878         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
879         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
880         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
881         * inspector/scripts/tests/expected/enum-values.json-result:
882         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
883         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
884         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
885         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
886         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
887         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
888         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
889         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
890         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
891
892 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
893
894         [JSC] Improve and64() and or64() with immediate on x86
895         https://bugs.webkit.org/show_bug.cgi?id=155104
896
897         Reviewed by Geoffrey Garen.
898
899         GetButterflyReadOnly was doing:
900             movq 0x8(%rbx), %r9
901             movq $0xfffffffffffffffc, %r11
902             andq %r11, %r9
903         There is no need for the move to load the immediate,
904         andq sign extend its immediate.
905
906         With this patch, we have:
907             movq 0x8(%rbx), %r9
908             andq $0xfffffffffffffffc, %r9
909
910         * assembler/MacroAssemblerX86_64.h:
911         (JSC::MacroAssemblerX86_64::and64):
912         (JSC::MacroAssemblerX86_64::or64):
913
914 2016-03-07  Brian Burg  <bburg@apple.com>
915
916         Web Inspector: It should be possible to initialize generated ObjC protocol types from an NSDictionary payload
917         https://bugs.webkit.org/show_bug.cgi?id=155102
918         <rdar://problem/25002015>
919
920         Reviewed by Timothy Hatcher.
921
922         In Objective-C code, we sometimes prefer to parse JSON using Cocoa rather
923         than the InspectorValue classes. Support initializing protocol objects
924         directly from an NSDictionary payload. This delegates validation of values to
925         the setter methods that already exist on the protocol object classes.
926
927         * inspector/scripts/codegen/generate_objc_header.py:
928         (ObjCHeaderGenerator._generate_type_interface):
929         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
930         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
931         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
932         * inspector/scripts/codegen/objc_generator.py:
933         (ObjCGenerator.payload_to_objc_expression_for_member):
934         Add a new helper method to generate an expression to unpack the value
935         from an NSDictionary. If it's not a primitive, the setter performs
936         validation of the value's kind using -[NSObject isKindOfClass:].
937
938         Rebaseline relevant tests.
939
940         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
941         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
942         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
943         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
944         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
945         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
946         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
947
948 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
949
950         [JSC] Simplify the overflow check of ArithAbs
951         https://bugs.webkit.org/show_bug.cgi?id=155063
952
953         Reviewed by Geoffrey Garen.
954
955         The only integer that overflow abs(int32) is INT_MIN.
956         For some reason, our code testing for that case
957         was checking the top bit of the result specifically.
958
959         The code required a large immediate on x86 and an extra
960         register on ARM64.
961
962         This patch turns the overflow check into a branch on
963         the sign of the result.
964
965         * dfg/DFGSpeculativeJIT32_64.cpp:
966         (JSC::DFG::SpeculativeJIT::compile):
967         * dfg/DFGSpeculativeJIT64.cpp:
968         (JSC::DFG::SpeculativeJIT::compile):
969         * ftl/FTLLowerDFGToB3.cpp:
970         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
971         * jit/ThunkGenerators.cpp:
972         (JSC::absThunkGenerator):
973         * tests/stress/arith-abs-overflow.js: Added.
974         (opaqueAbs):
975
976 2016-03-07  Benjamin Poulain  <bpoulain@apple.com>
977
978         [JSC] Improve how DFG zero Floating Point registers
979         https://bugs.webkit.org/show_bug.cgi?id=155096
980
981         Reviewed by Geoffrey Garen.
982
983         DFG had a weird way of zeroing a FPR:
984             -zero a GP.
985             -move that to a FP.
986
987         Filip added moveZeroToDouble() for B3. This patch
988         uses that in the lower tiers.
989
990         * assembler/MacroAssemblerARMv7.h:
991         (JSC::MacroAssemblerARMv7::moveZeroToDouble):
992         * dfg/DFGSpeculativeJIT64.cpp:
993         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
994         * jit/ThunkGenerators.cpp:
995         (JSC::floorThunkGenerator):
996         (JSC::roundThunkGenerator):
997
998 2016-03-07  Andreas Kling  <akling@apple.com>
999
1000         REGRESSION (r197303): Web Inspector crashes web process when inspecting an element on TOT
1001         <https://webkit.org/b/154812>
1002
1003         Reviewed by Geoffrey Garen.
1004
1005         Guard against null pointer dereference for UnlinkedCodeBlocks that don't have any control flow
1006         profiling data.
1007
1008         * bytecode/CodeBlock.cpp:
1009         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1010         * bytecode/UnlinkedCodeBlock.h:
1011         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets):
1012
1013 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
1014
1015         [JSC] Remove a useless "Move" from baseline-JIT op_mul's fast path
1016         https://bugs.webkit.org/show_bug.cgi?id=155071
1017
1018         Reviewed by Geoffrey Garen.
1019
1020         We do not need to multiply to a scratch and then move the result
1021         to the destination. We can just multiply to the destination.
1022
1023         * jit/JITArithmetic.cpp:
1024         (JSC::JIT::emit_op_mul):
1025         * jit/JITMulGenerator.cpp:
1026         (JSC::JITMulGenerator::generateFastPath):
1027
1028 2016-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1029
1030         [JSC] StringObject.{put, defineOwnProperty} should realize indexed properties
1031         https://bugs.webkit.org/show_bug.cgi?id=155089
1032
1033         Reviewed by Geoffrey Garen.
1034
1035         Through implementing Reflect.set[1], we found StringObject does not obey the spec.
1036         StringObject::put should call putByIndex if the given propertyName is index.
1037         And StringObject::defineOwnProperty should recognize indexed properties since
1038         JSObject::defineOwnIndexedProperty is specialized to JSObject layout.
1039         Before calling JSObject::defineOwnProperty,
1040         StringObject should handle its special indexed own properties.
1041         It is responsibility of StringObject::defineOwnProperty.
1042
1043         And the logic is cleaned up by using validateAndApplyPropertyDescriptor.
1044
1045         [1]: https://bugs.webkit.org/show_bug.cgi?id=155024
1046
1047         * runtime/StringObject.cpp:
1048         (JSC::StringObject::put):
1049         (JSC::StringObject::putByIndex):
1050         (JSC::isStringOwnProperty):
1051         (JSC::StringObject::defineOwnProperty):
1052         (JSC::StringObject::deleteProperty):
1053         * tests/stress/string-object-define-own-property.js: Added.
1054         (shouldBe):
1055         (shouldThrow):
1056         * tests/stress/string-object-put-by-index.js: Added.
1057         (shouldBe):
1058         (shouldThrow):
1059         (testSloppy):
1060         (testStrict):
1061
1062 2016-03-06  Brian Burg  <bburg@apple.com>
1063
1064         Web Inspector: the protocol generator should have separate prefix options for Objective-C classes and filenames
1065         https://bugs.webkit.org/show_bug.cgi?id=155101
1066         <rdar://problem/25000053>
1067
1068         Reviewed by Timothy Hatcher.
1069
1070         It should be possible to generate Objective-C protocol types without prefixing all class names.
1071         The prefixes are only necessary when the generated files are part of a framework, but this isn't
1072         how the generated Objective-C frontend files are used.
1073
1074         Add a separate framework setting and switch over code to use the 'protocol_group' in filenames,
1075         and the 'objc_prefix' for Objective-C enum and class prefixes.
1076
1077         No tests need to be rebaselined because tests always set the protocol_group and objc_prefix
1078         to the same value.
1079
1080         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1081         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1082         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1083         (ObjCConfigurationImplementationGenerator.output_filename):
1084         (ObjCConfigurationImplementationGenerator.generate_output):
1085         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1086         (ObjCConfigurationHeaderGenerator.output_filename):
1087         (ObjCConfigurationHeaderGenerator.generate_output):
1088         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1089         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1090         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1091         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1092         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1093         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1094         (ObjCConversionHelpersGenerator.output_filename):
1095         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1096         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1097         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1098         * inspector/scripts/codegen/generate_objc_header.py:
1099         (ObjCHeaderGenerator.output_filename):
1100         * inspector/scripts/codegen/generate_objc_internal_header.py:
1101         (ObjCInternalHeaderGenerator.output_filename):
1102         (ObjCInternalHeaderGenerator.generate_output):
1103         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1104         (ObjCProtocolTypesImplementationGenerator.output_filename):
1105         (ObjCProtocolTypesImplementationGenerator.generate_output):
1106         * inspector/scripts/codegen/models.py:
1107         * inspector/scripts/codegen/objc_generator.py:
1108         (ObjCGenerator):
1109         (ObjCGenerator.protocol_name):
1110         (ObjCGenerator.objc_prefix):
1111
1112 2016-03-06  Brian Burg  <bburg@apple.com>
1113
1114         Unreviewed, rebaseline inspector protocol generator tests after r197563.
1115
1116         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1117         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1118         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1119         * inspector/scripts/tests/expected/enum-values.json-result:
1120         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1121
1122 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
1123
1124         [JSC] Improve DFG's Int32 ArithMul if one operand is a constant
1125         https://bugs.webkit.org/show_bug.cgi?id=155066
1126
1127         Reviewed by Filip Pizlo.
1128
1129         When multiplying an integer by a constant, DFG was doing quite
1130         a bit worse than baseline JIT.
1131         We were loading the constant into a register, doing the multiply,
1132         the checking the result and both operands for negative zero.
1133
1134         This patch changes:
1135         -Use the multiply-by-immediate form on x86.
1136         -Do as few checks as possible to detect negative-zero.
1137
1138         In most cases, this reduce the negative-zero checks
1139         to zero or one TEST+JUMP.
1140
1141         * assembler/MacroAssembler.h:
1142         (JSC::MacroAssembler::mul32):
1143         * dfg/DFGSpeculativeJIT.cpp:
1144         (JSC::DFG::SpeculativeJIT::compileArithMul):
1145
1146 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
1147
1148         [JSC] Remove a superfluous Move in front of every double unboxing
1149         https://bugs.webkit.org/show_bug.cgi?id=155064
1150
1151         Reviewed by Saam Barati.
1152
1153         Double unboxing was always doing:
1154             Move source, scratch
1155             Add64 tag, scratch
1156             IntToDouble scratch, fp
1157
1158         We do not need to "Move" to copy the source.
1159         Both x86 and ARM64 have an efficient 3 operands Add instruction.
1160
1161         * dfg/DFGSpeculativeJIT.cpp:
1162         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1163         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1164         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
1165         * dfg/DFGSpeculativeJIT.h:
1166         (JSC::DFG::SpeculativeJIT::unboxDouble):
1167         * jit/AssemblyHelpers.h:
1168         (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
1169         (JSC::AssemblyHelpers::unboxDouble):
1170         (JSC::AssemblyHelpers::unboxDoubleNonDestructive):
1171
1172 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
1173
1174         [JSC] Use 3 operands Add in more places
1175         https://bugs.webkit.org/show_bug.cgi?id=155082
1176
1177         Reviewed by Filip Pizlo.
1178
1179         * assembler/MacroAssembler.h:
1180         (JSC::MacroAssembler::addPtr):
1181         (JSC::MacroAssembler::add32):
1182         * assembler/MacroAssemblerARMv7.h:
1183         (JSC::MacroAssemblerARMv7::add32):
1184         * dfg/DFGSpeculativeJIT.cpp:
1185         (JSC::DFG::SpeculativeJIT::compileArithAdd):
1186         The case with child1 constant is useless.
1187         The canonical form will have the constant as child2.
1188
1189         Also add register reuse for the fast-add.
1190         Registers are a scarce resource on x86.
1191
1192         * jit/CCallHelpers.h:
1193         (JSC::CCallHelpers::prepareForTailCallSlow):
1194         * yarr/YarrJIT.cpp:
1195         (JSC::Yarr::YarrGenerator::generate):
1196
1197 2016-03-06  Benjamin Poulain  <bpoulain@apple.com>
1198
1199         [JSC] Improve codegen of Compare and Test
1200         https://bugs.webkit.org/show_bug.cgi?id=155055
1201
1202         Reviewed by Filip Pizlo.
1203
1204         This patch introduces a few improvements on how we lower
1205         Compare and Test with immediates:
1206             -Add certain Immediate forms of ARM64.
1207             -Use CBZ/CBNZ when possible on ARM64.
1208             -When possible, convert a CMP into a TST
1209              On some hardware, we can issue more TST simultaneously.
1210
1211              On x86, any TST+Jump is candidate for macro-fusion.
1212              They are also smaller.
1213              (sections 3.4.2.2 and 3.5.1.9)
1214             -Do not load the mask immediate of a TST
1215              if it only contains ones (mostly useful for ARM64
1216              since that would not have been a valid immediate).
1217
1218         * assembler/MacroAssembler.h:
1219         (JSC::MacroAssembler::compare32):
1220         * assembler/MacroAssemblerARM64.h:
1221         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
1222         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
1223         This is somewhat unrelated but I found that out while working
1224         on moveDoubleConditionallyTest32:
1225             If "thenCase" and "dest" are assigned the same register
1226             by the allocator, then the first (f)fcsel would override
1227             the "thenCase" and the second fcsel would always be "elseCase".
1228
1229         This is covered by testb3 but was only uncovered
1230         after recent "Move" removals in lowering.
1231
1232         (JSC::MacroAssemblerARM64::moveConditionally32):
1233         (JSC::MacroAssemblerARM64::moveConditionally64):
1234         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
1235         (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
1236         (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
1237         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
1238         (JSC::MacroAssemblerARM64::branch32):
1239         (JSC::MacroAssemblerARM64::branch64):
1240         (JSC::MacroAssemblerARM64::branchTest32):
1241         (JSC::MacroAssemblerARM64::test32):
1242         The version taking an immediate was guarded by
1243         (cond == Zero) || (cond == NonZero). That is overzealous,
1244         and only needed for CBZ/CBNZ.
1245
1246         (JSC::MacroAssemblerARM64::branchTest64):
1247         (JSC::MacroAssemblerARM64::compare32):
1248         (JSC::MacroAssemblerARM64::compare64):
1249         (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
1250         * assembler/MacroAssemblerX86Common.h:
1251         (JSC::MacroAssemblerX86Common::moveConditionally32):
1252         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
1253         (JSC::MacroAssemblerX86Common::branch32):
1254         (JSC::MacroAssemblerX86Common::test32):
1255         (JSC::MacroAssemblerX86Common::branchTest32):
1256         (JSC::MacroAssemblerX86Common::compare32):
1257         (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
1258         * assembler/MacroAssemblerX86_64.h:
1259         (JSC::MacroAssemblerX86_64::compare64):
1260         (JSC::MacroAssemblerX86_64::branch64):
1261         (JSC::MacroAssemblerX86_64::moveConditionally64):
1262         * b3/B3LowerToAir.cpp:
1263         (JSC::B3::Air::LowerToAir::createGenericCompare):
1264         Unfortunately this cannot be abstracted by the MacroAssembler.
1265         Those immediates are not valid, we have to pick the better
1266         for right away.
1267
1268         * b3/air/AirOpcode.opcodes:
1269         * b3/testb3.cpp:
1270         (JSC::B3::int64Operands):
1271         (JSC::B3::modelCompare):
1272         (JSC::B3::testCompareImpl):
1273         (JSC::B3::testCompare):
1274         (JSC::B3::b3Pow):
1275         (JSC::B3::testPowDoubleByIntegerLoop):
1276         Some versions of pow(double, int) do not return
1277         the exact same bits as our integer loop.
1278         Added a new version to have the same behavior
1279         as the B3 loop.
1280
1281         (JSC::B3::run):
1282         * dfg/DFGSpeculativeJIT.cpp:
1283         (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
1284         * dfg/DFGSpeculativeJIT64.cpp:
1285         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
1286         Comparing to an immediate is super common. Do not waste
1287         a register for that!
1288
1289 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
1290
1291         Unreviewed, fix build. This was a messed up merge.
1292
1293         * ftl/FTLLowerDFGToB3.cpp:
1294         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1295
1296 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
1297
1298         DFG should know how to speculate StringOrOther
1299         https://bugs.webkit.org/show_bug.cgi?id=155094
1300
1301         Reviewed by Saam Barati.
1302
1303         Any code that processes the regexp matches array was previously doing a relatively expensive
1304         Branch(Untyped:). This introduces a new use kind called StringOrOther, which is perfect for
1305         code that loops over the matches array and branches on the entries being non-empty.
1306
1307         To do this, I needed to introduce code into the FTL that creates new blocks. We still had that
1308         awful FTL_NEW_BLOCK idiom since the only way to debug LLVM IR was to ascribe names to basic
1309         blocks. B3 IR is inherently more debuggable since unlike LLVM, B3 knows how to always respect
1310         code origin, and it knows how to print the code origin nicely in the dumps. So, rather than
1311         continue using FTL_NEW_BLOCK(m_out, ("things")), I replaced all of that stuff with
1312         m_out.newBlock(). It's much nicer that way.
1313
1314         This is a tiny speed-up on Octane/regexp at best. I was hoping for more. Oh well.
1315
1316         * bytecode/SpeculatedType.h:
1317         (JSC::isStringSpeculation):
1318         (JSC::isStringOrOtherSpeculation):
1319         (JSC::isSymbolSpeculation):
1320         * dfg/DFGFixupPhase.cpp:
1321         (JSC::DFG::FixupPhase::fixupNode):
1322         * dfg/DFGNode.h:
1323         (JSC::DFG::Node::shouldSpeculateString):
1324         (JSC::DFG::Node::shouldSpeculateStringOrOther):
1325         (JSC::DFG::Node::shouldSpeculateStringObject):
1326         * dfg/DFGSafeToExecute.h:
1327         (JSC::DFG::SafeToExecuteEdge::operator()):
1328         * dfg/DFGSpeculativeJIT.cpp:
1329         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
1330         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
1331         (JSC::DFG::SpeculativeJIT::emitStringBranch):
1332         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
1333         (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
1334         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1335         (JSC::DFG::SpeculativeJIT::speculateString):
1336         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
1337         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
1338         (JSC::DFG::SpeculativeJIT::speculate):
1339         * dfg/DFGSpeculativeJIT.h:
1340         * dfg/DFGSpeculativeJIT32_64.cpp:
1341         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1342         (JSC::DFG::SpeculativeJIT::emitBranch):
1343         * dfg/DFGSpeculativeJIT64.cpp:
1344         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1345         (JSC::DFG::SpeculativeJIT::emitBranch):
1346         * dfg/DFGUseKind.cpp:
1347         (WTF::printInternal):
1348         * dfg/DFGUseKind.h:
1349         (JSC::DFG::typeFilterFor):
1350         * ftl/FTLCapabilities.cpp:
1351         (JSC::FTL::canCompile):
1352         * ftl/FTLLowerDFGToB3.cpp:
1353         (JSC::FTL::DFG::LowerDFGToB3::lower):
1354         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
1355         (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
1356         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
1357         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
1358         (JSC::FTL::DFG::LowerDFGToB3::compileArithDiv):
1359         (JSC::FTL::DFG::LowerDFGToB3::compileArithMod):
1360         (JSC::FTL::DFG::LowerDFGToB3::compileArithMinOrMax):
1361         (JSC::FTL::DFG::LowerDFGToB3::compileArithPow):
1362         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1363         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructure):
1364         (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure):
1365         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
1366         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1367         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1368         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1369         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1370         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
1371         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
1372         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1373         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1374         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1375         (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest):
1376         (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
1377         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1378         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1379         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
1380         (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
1381         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1382         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1383         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1384         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1385         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
1386         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
1387         (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
1388         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1389         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
1390         (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
1391         (JSC::FTL::DFG::LowerDFGToB3::compileIsString):
1392         (JSC::FTL::DFG::LowerDFGToB3::compileIsObject):
1393         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
1394         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
1395         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
1396         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
1397         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1398         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1399         (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
1400         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1401         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
1402         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
1403         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1404         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1405         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
1406         (JSC::FTL::DFG::LowerDFGToB3::checkStructure):
1407         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
1408         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
1409         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1410         (JSC::FTL::DFG::LowerDFGToB3::loadVectorWithBarrier):
1411         (JSC::FTL::DFG::LowerDFGToB3::copyBarrier):
1412         (JSC::FTL::DFG::LowerDFGToB3::loadVectorReadOnly):
1413         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
1414         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
1415         (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
1416         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1417         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1418         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd):
1419         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1420         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1421         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1422         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
1423         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
1424         (JSC::FTL::DFG::LowerDFGToB3::switchString):
1425         (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
1426         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
1427         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
1428         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
1429         (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToJSValue):
1430         (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
1431         (JSC::FTL::DFG::LowerDFGToB3::convertDoubleToInt32):
1432         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1433         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
1434         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
1435         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
1436         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
1437         (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent):
1438         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
1439         (JSC::FTL::DFG::LowerDFGToB3::speculateRealNumber):
1440         (JSC::FTL::DFG::LowerDFGToB3::speculateNotStringVar):
1441         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
1442         (JSC::FTL::DFG::LowerDFGToB3::callCheck):
1443         * ftl/FTLOutput.cpp:
1444         (JSC::FTL::Output::initialize):
1445         (JSC::FTL::Output::newBlock):
1446         (JSC::FTL::Output::check):
1447         * ftl/FTLOutput.h:
1448         (JSC::FTL::Output::setFrequency):
1449         (JSC::FTL::Output::insertNewBlocksBefore):
1450
1451 2016-03-06  Saam Barati  <sbarati@apple.com>
1452
1453         [[GetPrototypeOf]] should be a fully virtual method in the method table
1454         https://bugs.webkit.org/show_bug.cgi?id=155002
1455
1456         Reviewed by Filip Pizlo.
1457
1458         This patch makes us more consistent with how the ES6 specification models the
1459         [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
1460         is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
1461         still allows directly accessing the prototype for situations where this
1462         is the desired behavior. This is equivalent to getting the internal
1463         [[Prototype]] field as described in the specification. 
1464
1465         * API/JSObjectRef.cpp:
1466         (JSObjectGetPrototype):
1467         (JSObjectSetPrototype):
1468         * dfg/DFGOperations.cpp:
1469         * dfg/DFGOperations.h:
1470         * dfg/DFGSpeculativeJIT.cpp:
1471         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1472         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
1473         * ftl/FTLLowerDFGToB3.cpp:
1474         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1475         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
1476         * jit/JITOpcodes.cpp:
1477         (JSC::JIT::emit_op_instanceof):
1478         (JSC::JIT::emitSlow_op_instanceof):
1479         * jit/JITOpcodes32_64.cpp:
1480         (JSC::JIT::emit_op_instanceof):
1481         (JSC::JIT::emitSlow_op_instanceof):
1482         * jit/JITOperations.cpp:
1483         * jit/JITOperations.h:
1484         * jsc.cpp:
1485         (functionCreateProxy):
1486         * llint/LLIntSlowPaths.cpp:
1487         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1488         * llint/LowLevelInterpreter.asm:
1489         * llint/LowLevelInterpreter32_64.asm:
1490         * llint/LowLevelInterpreter64.asm:
1491         * runtime/ArrayPrototype.cpp:
1492         (JSC::speciesConstructArray):
1493         * runtime/ClassInfo.h:
1494         * runtime/FunctionPrototype.cpp:
1495         (JSC::functionProtoFuncBind):
1496         * runtime/IntlCollatorPrototype.cpp:
1497         (JSC::IntlCollatorPrototypeGetterCompare):
1498         * runtime/IntlDateTimeFormatPrototype.cpp:
1499         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1500         * runtime/IntlNumberFormatPrototype.cpp:
1501         (JSC::IntlNumberFormatPrototypeGetterFormat):
1502         * runtime/JSBoundFunction.cpp:
1503         (JSC::hasInstanceBoundFunction):
1504         (JSC::getBoundFunctionStructure):
1505         (JSC::JSBoundFunction::create):
1506         * runtime/JSBoundFunction.h:
1507         * runtime/JSCJSValue.cpp:
1508         (JSC::JSValue::putToPrimitive):
1509         * runtime/JSCell.cpp:
1510         (JSC::JSCell::setPrototype):
1511         (JSC::JSCell::getPrototype):
1512         * runtime/JSCell.h:
1513         * runtime/JSGlobalObject.cpp:
1514         (JSC::JSGlobalObject::init):
1515         (JSC::JSGlobalObject::hasLegacyProfiler):
1516         (JSC::lastInPrototypeChain):
1517         (JSC::JSGlobalObject::objectPrototypeIsSane):
1518         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
1519         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
1520         * runtime/JSGlobalObject.h:
1521         (JSC::JSGlobalObject::finishCreation):
1522         * runtime/JSGlobalObjectFunctions.cpp:
1523         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
1524         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1525         (JSC::globalFuncProtoGetter):
1526         * runtime/JSLexicalEnvironment.cpp:
1527         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1528         * runtime/JSObject.cpp:
1529         (JSC::JSObject::calculatedClassName):
1530         (JSC::JSObject::putInlineSlow):
1531         (JSC::JSObject::setPrototypeWithCycleCheck):
1532         (JSC::JSObject::setPrototype):
1533         (JSC::JSObject::getPrototype):
1534         (JSC::JSObject::defaultHasInstance):
1535         (JSC::objectPrivateFuncInstanceOf):
1536         (JSC::JSObject::getPropertyNames):
1537         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1538         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
1539         (JSC::JSObject::getGenericPropertyNames):
1540         * runtime/JSObject.h:
1541         (JSC::JSObject::finishCreation):
1542         (JSC::JSObject::JSObject):
1543         (JSC::JSObject::getPrototypeDirect):
1544         (JSC::JSObject::getPrototype):
1545         (JSC::JSObject::getOwnNonIndexPropertySlot):
1546         (JSC::JSObject::getPropertySlot):
1547         (JSC::JSObject::getNonIndexPropertySlot):
1548         (JSC::JSObject::prototype): Deleted.
1549         * runtime/JSObjectInlines.h:
1550         (JSC::JSObject::canPerformFastPutInline):
1551         * runtime/JSProxy.cpp:
1552         (JSC::JSProxy::setTarget):
1553         * runtime/JSTypedArrayViewConstructor.cpp:
1554         (JSC::constructTypedArrayView):
1555         * runtime/ObjectConstructor.cpp:
1556         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
1557         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1558         (JSC::objectConstructorGetPrototypeOf):
1559         * runtime/ObjectPrototype.cpp:
1560         (JSC::objectProtoFuncIsPrototypeOf):
1561         * runtime/ProxyObject.cpp:
1562         (JSC::performProxyGet):
1563         (JSC::ProxyObject::performSetPrototype):
1564         * runtime/StructureInlines.h:
1565         (JSC::Structure::isValid):
1566         * tests/stress/proxy-has-property.js:
1567         (assert.let.h1.has):
1568         (assert.let.h2.has):
1569         (assert):
1570
1571 2016-03-06  Commit Queue  <commit-queue@webkit.org>
1572
1573         Unreviewed, rolling out r197645.
1574         https://bugs.webkit.org/show_bug.cgi?id=155097
1575
1576         "Doesn't build properly when building entire webkit"
1577         (Requested by saamyjoon on #webkit).
1578
1579         Reverted changeset:
1580
1581         "[[GetPrototypeOf]] should be a fully virtual method in the
1582         method table"
1583         https://bugs.webkit.org/show_bug.cgi?id=155002
1584         http://trac.webkit.org/changeset/197645
1585
1586 2016-03-06  Saam barati  <sbarati@apple.com>
1587
1588         [[GetPrototypeOf]] should be a fully virtual method in the method table
1589         https://bugs.webkit.org/show_bug.cgi?id=155002
1590
1591         Reviewed by Filip Pizlo.
1592
1593         This patch makes us more consistent with how the ES6 specification models the
1594         [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
1595         is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
1596         still allows directly accessing the prototype for situations where this
1597         is the desired behavior. This is equivalent to getting the internal
1598         [[Prototype]] field as described in the specification. 
1599
1600         * API/JSObjectRef.cpp:
1601         (JSObjectGetPrototype):
1602         (JSObjectSetPrototype):
1603         * dfg/DFGOperations.cpp:
1604         * dfg/DFGOperations.h:
1605         * dfg/DFGSpeculativeJIT.cpp:
1606         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1607         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
1608         * ftl/FTLLowerDFGToB3.cpp:
1609         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1610         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
1611         * jit/JITOpcodes.cpp:
1612         (JSC::JIT::emit_op_instanceof):
1613         (JSC::JIT::emitSlow_op_instanceof):
1614         * jit/JITOpcodes32_64.cpp:
1615         (JSC::JIT::emit_op_instanceof):
1616         (JSC::JIT::emitSlow_op_instanceof):
1617         * jit/JITOperations.cpp:
1618         * jit/JITOperations.h:
1619         * jsc.cpp:
1620         (functionCreateProxy):
1621         * llint/LLIntSlowPaths.cpp:
1622         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1623         * llint/LowLevelInterpreter.asm:
1624         * llint/LowLevelInterpreter32_64.asm:
1625         * llint/LowLevelInterpreter64.asm:
1626         * runtime/ArrayPrototype.cpp:
1627         (JSC::speciesConstructArray):
1628         * runtime/ClassInfo.h:
1629         * runtime/FunctionPrototype.cpp:
1630         (JSC::functionProtoFuncBind):
1631         * runtime/IntlCollatorPrototype.cpp:
1632         (JSC::IntlCollatorPrototypeGetterCompare):
1633         * runtime/IntlDateTimeFormatPrototype.cpp:
1634         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1635         * runtime/IntlNumberFormatPrototype.cpp:
1636         (JSC::IntlNumberFormatPrototypeGetterFormat):
1637         * runtime/JSBoundFunction.cpp:
1638         (JSC::hasInstanceBoundFunction):
1639         (JSC::getBoundFunctionStructure):
1640         (JSC::JSBoundFunction::create):
1641         * runtime/JSBoundFunction.h:
1642         * runtime/JSCJSValue.cpp:
1643         (JSC::JSValue::putToPrimitive):
1644         * runtime/JSCell.cpp:
1645         (JSC::JSCell::setPrototype):
1646         (JSC::JSCell::getPrototype):
1647         * runtime/JSCell.h:
1648         * runtime/JSGlobalObject.cpp:
1649         (JSC::JSGlobalObject::init):
1650         (JSC::JSGlobalObject::hasLegacyProfiler):
1651         (JSC::lastInPrototypeChain):
1652         (JSC::JSGlobalObject::objectPrototypeIsSane):
1653         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
1654         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
1655         * runtime/JSGlobalObject.h:
1656         (JSC::JSGlobalObject::finishCreation):
1657         * runtime/JSGlobalObjectFunctions.cpp:
1658         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
1659         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1660         (JSC::globalFuncProtoGetter):
1661         * runtime/JSLexicalEnvironment.cpp:
1662         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1663         * runtime/JSObject.cpp:
1664         (JSC::JSObject::calculatedClassName):
1665         (JSC::JSObject::putInlineSlow):
1666         (JSC::JSObject::setPrototypeWithCycleCheck):
1667         (JSC::JSObject::setPrototype):
1668         (JSC::JSObject::getPrototype):
1669         (JSC::JSObject::defaultHasInstance):
1670         (JSC::objectPrivateFuncInstanceOf):
1671         (JSC::JSObject::getPropertyNames):
1672         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1673         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
1674         (JSC::JSObject::getGenericPropertyNames):
1675         * runtime/JSObject.h:
1676         (JSC::JSObject::finishCreation):
1677         (JSC::JSObject::JSObject):
1678         (JSC::JSObject::getPrototypeDirect):
1679         (JSC::JSObject::getPrototype):
1680         (JSC::JSObject::getOwnNonIndexPropertySlot):
1681         (JSC::JSObject::getPropertySlot):
1682         (JSC::JSObject::getNonIndexPropertySlot):
1683         (JSC::JSObject::prototype): Deleted.
1684         * runtime/JSObjectInlines.h:
1685         (JSC::JSObject::canPerformFastPutInline):
1686         * runtime/JSProxy.cpp:
1687         (JSC::JSProxy::setTarget):
1688         * runtime/JSTypedArrayViewConstructor.cpp:
1689         (JSC::constructTypedArrayView):
1690         * runtime/ObjectConstructor.cpp:
1691         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
1692         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1693         (JSC::objectConstructorGetPrototypeOf):
1694         * runtime/ObjectPrototype.cpp:
1695         (JSC::objectProtoFuncIsPrototypeOf):
1696         * runtime/ProxyObject.cpp:
1697         (JSC::performProxyGet):
1698         (JSC::ProxyObject::performSetPrototype):
1699         * runtime/StructureInlines.h:
1700         (JSC::Structure::isValid):
1701         * tests/stress/proxy-has-property.js:
1702         (assert.let.h1.has):
1703         (assert.let.h2.has):
1704         (assert):
1705
1706 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
1707
1708         RegExpMatchesArray doesn't know how to have a bad time
1709         https://bugs.webkit.org/show_bug.cgi?id=155069
1710
1711         Reviewed by Yusuke Suzuki.
1712
1713         In trunk if we are having a bad time, the regexp matches array is still allocated with a
1714         non-slow-put indexing shape, which makes it have the wrong behavior on indexed setters on
1715         the prototype chain.
1716
1717         Getting this to work right requires introducing bad time code paths into the regexp matches
1718         array. It also requires something more drastic: making this code not play games with the
1719         global object. The code that creates the matches array needs to have the actual global
1720         object of the regexp native function that it's logically created by.
1721
1722         This is totally different from how we've handled global objects in the past because it means
1723         that the global object is not a constant. Normally we can make it a constant because a
1724         script executable will know its global object. But with native functions, it's the function
1725         instance that knows the global object - not the native executable. When we inline a native
1726         intrinsic, we are guaranteed to know the native executable but we're not guaranteed to know
1727         the functon instance. This means that the global object may be a variable that gets computed
1728         by looking at the instance at run-time. So, the RegExpExec/RegExpTest nodes in DFG IR now
1729         take a global object child. That also meant adding a new node type, GetGlobalObject, which
1730         does the thing to the callee that CallFrame::lexicalGlobalObject() would have done.
1731         Eventually, we'll probably have to make other native intrinsics also use GetGlobalObject. It
1732         turns out that this really isn't so bad because usually it's constant-folded anyway, since
1733         although the intrinsic code supports executable-based inlining (which leaves the callee
1734         instance as an unknown), it happens rarely for intrinsics. So, conveying the global object
1735         via a child isn't any worse than conveying it via meta-data, and it's probably better than
1736         telling the inliner not to do executable-based inlining of native intrinsics. That would
1737         have been a confusing special-case.
1738
1739         This is perf-neutral on my machines but it fixes a bug and it unlocks some interesting
1740         possibilities. For example, RegExpExec can now make a firm promise about the type of array
1741         it's creating.
1742
1743         This also contains some other changes:
1744         
1745         - We are now using Structure::addPropertyTransition() in a lot of places even though it was
1746           meant to be an internal method with a quirky contract - for example if only works if you
1747           know that there is not existing transition. This relaxes this constraint.
1748         
1749         - Restores the use of "*" for heap references in JSString.h. It's very unusual to have heap
1750           references pointed at with "&", since we don't currently do that anywhere. The fact that
1751           it was using the wrong reference type also meant that the code couldn't elegantly make use
1752           of some our GC pointer helpers like jsCast<>.
1753
1754         * dfg/DFGAbstractInterpreterInlines.h:
1755         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1756         * dfg/DFGByteCodeParser.cpp:
1757         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1758         (JSC::DFG::ByteCodeParser::handleMinMax):
1759         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1760         * dfg/DFGClobberize.h:
1761         (JSC::DFG::clobberize):
1762         * dfg/DFGDoesGC.cpp:
1763         (JSC::DFG::doesGC):
1764         * dfg/DFGFixupPhase.cpp:
1765         (JSC::DFG::FixupPhase::fixupNode):
1766         * dfg/DFGNodeType.h:
1767         * dfg/DFGOperations.cpp:
1768         * dfg/DFGOperations.h:
1769         * dfg/DFGPredictionPropagationPhase.cpp:
1770         (JSC::DFG::PredictionPropagationPhase::propagate):
1771         * dfg/DFGSafeToExecute.h:
1772         (JSC::DFG::safeToExecute):
1773         * dfg/DFGSpeculativeJIT.cpp:
1774         (JSC::DFG::SpeculativeJIT::compileSkipScope):
1775         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
1776         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1777         * dfg/DFGSpeculativeJIT.h:
1778         (JSC::DFG::SpeculativeJIT::callOperation):
1779         * dfg/DFGSpeculativeJIT32_64.cpp:
1780         (JSC::DFG::SpeculativeJIT::compile):
1781         * dfg/DFGSpeculativeJIT64.cpp:
1782         (JSC::DFG::SpeculativeJIT::compile):
1783         * ftl/FTLCapabilities.cpp:
1784         (JSC::FTL::canCompile):
1785         * ftl/FTLLowerDFGToB3.cpp:
1786         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1787         (JSC::FTL::DFG::LowerDFGToB3::compileSkipScope):
1788         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalObject):
1789         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
1790         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
1791         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
1792         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1793         * jit/JITOperations.h:
1794         * runtime/JSGlobalObject.cpp:
1795         (JSC::JSGlobalObject::init):
1796         (JSC::JSGlobalObject::haveABadTime):
1797         (JSC::JSGlobalObject::visitChildren):
1798         * runtime/JSGlobalObject.h:
1799         * runtime/JSObject.h:
1800         (JSC::JSObject::putDirectInternal):
1801         * runtime/JSString.h:
1802         (JSC::jsString):
1803         (JSC::jsSubstring):
1804         * runtime/RegExpCachedResult.cpp:
1805         (JSC::RegExpCachedResult::lastResult):
1806         * runtime/RegExpMatchesArray.cpp:
1807         (JSC::tryCreateUninitializedRegExpMatchesArray):
1808         (JSC::createRegExpMatchesArray):
1809         (JSC::createStructureImpl):
1810         (JSC::createRegExpMatchesArrayStructure):
1811         (JSC::createRegExpMatchesArraySlowPutStructure):
1812         * runtime/RegExpMatchesArray.h:
1813         * runtime/RegExpObject.cpp:
1814         (JSC::RegExpObject::put):
1815         (JSC::RegExpObject::exec):
1816         (JSC::RegExpObject::match):
1817         * runtime/RegExpObject.h:
1818         (JSC::RegExpObject::getLastIndex):
1819         (JSC::RegExpObject::test):
1820         * runtime/RegExpPrototype.cpp:
1821         (JSC::regExpProtoFuncTest):
1822         (JSC::regExpProtoFuncExec):
1823         (JSC::regExpProtoFuncCompile):
1824         * runtime/StringPrototype.cpp:
1825         (JSC::stringProtoFuncMatch):
1826         * runtime/Structure.cpp:
1827         (JSC::Structure::suggestedArrayStorageTransition):
1828         (JSC::Structure::addPropertyTransition):
1829         (JSC::Structure::addNewPropertyTransition):
1830         * runtime/Structure.h:
1831         * tests/stress/regexp-matches-array-bad-time.js: Added.
1832         * tests/stress/regexp-matches-array-slow-put.js: Added.
1833
1834 2016-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1835
1836         [JSC] RegExp#lastIndex should handle writable attribute when defining in defineOwnProperty path
1837         https://bugs.webkit.org/show_bug.cgi?id=155093
1838
1839         Reviewed by Filip Pizlo.
1840
1841         Before this patch, `setLastIndex(ExecState* exec, size_t lastIndex)` always overwrites the existing value
1842         regardless of writable attribute.
1843         And when defining RegExp#lastIndex in defineOwnProperty, we need to define the value first
1844         before making the attribute readonly. After changing the writable attribute, we cannot define the value.
1845
1846         * runtime/RegExpObject.cpp:
1847         (JSC::RegExpObject::defineOwnProperty):
1848         * runtime/RegExpObject.h:
1849         (JSC::RegExpObject::setLastIndex):
1850         * tests/stress/regexp-last-index-writable.js: Added.
1851         (shouldBe):
1852         (shouldThrow):
1853         (regExpLastIndex):
1854
1855 2016-03-05  Filip Pizlo  <fpizlo@apple.com>
1856
1857         The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell
1858         https://bugs.webkit.org/show_bug.cgi?id=154900
1859
1860         Reviewed by Saam Barati.
1861
1862         These old operations used to speculate cell. That's what they did when they were first
1863         introduced. That was probably about as good as they could do back then because we didn't have
1864         very powerful checks. Now we have powerful checks, so we can do this right.
1865
1866         The most profitable thing to check is that child1 is a RegExpObject and child2 is a JSString.
1867         Sometimes though, we will not know what child2 is even though we know that child1 is a
1868         RegExpObject. So, this patch means that RegExpExec/RegExpTest have the following overloads:
1869
1870             RegExpExec(RegExpObject:, String:)
1871             RegExpExec(RegExpObject:, Untyped:)
1872             RegExpExec(Untyped:, Untyped:)
1873
1874         This shaves off some type checks in Octane/regexp. It also cleans up some problems in our
1875         modeling of the effectfulness of these operations.
1876
1877         * dfg/DFGAbstractInterpreterInlines.h:
1878         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1879         * dfg/DFGClobberize.h:
1880         (JSC::DFG::clobberize):
1881         * dfg/DFGFixupPhase.cpp:
1882         (JSC::DFG::FixupPhase::fixupNode):
1883         * dfg/DFGOperations.cpp:
1884         * dfg/DFGOperations.h:
1885         * dfg/DFGSpeculativeJIT.h:
1886         (JSC::DFG::SpeculativeJIT::callOperation):
1887         * dfg/DFGSpeculativeJIT32_64.cpp:
1888         (JSC::DFG::SpeculativeJIT::compile):
1889         * dfg/DFGSpeculativeJIT64.cpp:
1890         (JSC::DFG::SpeculativeJIT::compile):
1891         * ftl/FTLLowerDFGToB3.cpp:
1892         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
1893         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
1894         * jit/JITOperations.h:
1895
1896 2016-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1897
1898         [ES6] Support Reflect.construct
1899         https://bugs.webkit.org/show_bug.cgi?id=147330
1900
1901         Reviewed by Saam Barati.
1902
1903         Based on Saam's r196868, this patch adds support for Reflect.construct.
1904         This patch implements OrdinaryCreateFromConstructor[1] for fallback cases.
1905         This path is rarely taken. For example,
1906
1907             Reflect.construct(function () { }, [], Map);
1908
1909         In this case, the `new.target` becomes `Map`.
1910         So we should create an object that `__proto__` is `Map.prototype`.
1911
1912         And to allow forward declaration (and encouraging strong type checking), we change
1913         ConstructType, CallType to C++11 enum class.
1914
1915         [1]: http://ecma-international.org/ecma-262/6.0/#sec-ordinarycreatefromconstructor
1916
1917         * API/JSCallbackConstructor.cpp:
1918         (JSC::JSCallbackConstructor::getConstructData):
1919         * API/JSCallbackFunction.cpp:
1920         (JSC::JSCallbackFunction::getCallData):
1921         * API/JSCallbackObjectFunctions.h:
1922         (JSC::JSCallbackObject<Parent>::getConstructData):
1923         (JSC::JSCallbackObject<Parent>::getCallData):
1924         * API/JSObjectRef.cpp:
1925         (JSObjectIsFunction):
1926         (JSObjectCallAsFunction):
1927         (JSObjectIsConstructor):
1928         (JSObjectCallAsConstructor):
1929         * API/ObjCCallbackFunction.mm:
1930         (JSC::ObjCCallbackFunction::getCallData):
1931         (JSC::ObjCCallbackFunction::getConstructData):
1932         * bindings/ScriptFunctionCall.cpp:
1933         (Deprecated::ScriptFunctionCall::call):
1934         * bindings/ScriptValue.cpp:
1935         (Deprecated::ScriptValue::isFunction):
1936         * builtins/ReflectObject.js:
1937         * dfg/DFGOperations.cpp:
1938         * inspector/InjectedScriptManager.cpp:
1939         (Inspector::InjectedScriptManager::createInjectedScript):
1940         * interpreter/Interpreter.cpp:
1941         (JSC::sizeOfVarargs):
1942         (JSC::Interpreter::execute):
1943         (JSC::Interpreter::executeCall):
1944         (JSC::Interpreter::executeConstruct):
1945         * jit/JITOperations.cpp:
1946         * llint/LLIntSlowPaths.cpp:
1947         (JSC::LLInt::handleHostCall):
1948         * runtime/ArrayConstructor.cpp:
1949         (JSC::ArrayConstructor::getConstructData):
1950         (JSC::ArrayConstructor::getCallData):
1951         * runtime/ArrayPrototype.cpp:
1952         (JSC::arrayProtoFuncToString):
1953         (JSC::arrayProtoFuncToLocaleString):
1954         (JSC::getLength): Deleted.
1955         * runtime/BooleanConstructor.cpp:
1956         (JSC::BooleanConstructor::getConstructData):
1957         (JSC::BooleanConstructor::getCallData):
1958         * runtime/CallData.cpp:
1959         (JSC::call):
1960         * runtime/CallData.h:
1961         * runtime/CommonSlowPaths.cpp:
1962         (JSC::SLOW_PATH_DECL):
1963         * runtime/ConstructData.cpp:
1964         (JSC::construct):
1965         * runtime/ConstructData.h:
1966         * runtime/DateConstructor.cpp:
1967         (JSC::DateConstructor::getConstructData):
1968         (JSC::DateConstructor::getCallData):
1969         * runtime/DatePrototype.cpp:
1970         (JSC::dateProtoFuncToJSON):
1971         * runtime/Error.h:
1972         (JSC::StrictModeTypeErrorFunction::getConstructData):
1973         (JSC::StrictModeTypeErrorFunction::getCallData):
1974         * runtime/ErrorConstructor.cpp:
1975         (JSC::ErrorConstructor::getConstructData):
1976         (JSC::ErrorConstructor::getCallData):
1977         * runtime/ExceptionHelpers.cpp:
1978         (JSC::errorDescriptionForValue):
1979         * runtime/FunctionConstructor.cpp:
1980         (JSC::FunctionConstructor::getConstructData):
1981         (JSC::FunctionConstructor::getCallData):
1982         * runtime/FunctionPrototype.cpp:
1983         (JSC::FunctionPrototype::getCallData):
1984         (JSC::functionProtoFuncToString):
1985         (JSC::functionProtoFuncBind):
1986         * runtime/GeneratorFunctionConstructor.cpp:
1987         (JSC::GeneratorFunctionConstructor::getCallData):
1988         (JSC::GeneratorFunctionConstructor::getConstructData):
1989         * runtime/InternalFunction.cpp:
1990         (JSC::InternalFunction::getCallData):
1991         * runtime/IntlCollatorConstructor.cpp:
1992         (JSC::IntlCollatorConstructor::getConstructData):
1993         (JSC::IntlCollatorConstructor::getCallData):
1994         * runtime/IntlDateTimeFormatConstructor.cpp:
1995         (JSC::IntlDateTimeFormatConstructor::getConstructData):
1996         (JSC::IntlDateTimeFormatConstructor::getCallData):
1997         * runtime/IntlNumberFormatConstructor.cpp:
1998         (JSC::IntlNumberFormatConstructor::getConstructData):
1999         (JSC::IntlNumberFormatConstructor::getCallData):
2000         * runtime/IteratorOperations.cpp:
2001         (JSC::iteratorNext):
2002         (JSC::iteratorClose):
2003         * runtime/JSArray.h:
2004         (JSC::getLength):
2005         * runtime/JSArrayBufferConstructor.cpp:
2006         (JSC::JSArrayBufferConstructor::getConstructData):
2007         (JSC::JSArrayBufferConstructor::getCallData):
2008         * runtime/JSBoundFunction.cpp:
2009         (JSC::boundFunctionCall):
2010         (JSC::boundFunctionConstruct):
2011         (JSC::JSBoundFunction::create):
2012         * runtime/JSCJSValue.h:
2013         * runtime/JSCJSValueInlines.h:
2014         (JSC::JSValue::isFunction):
2015         (JSC::JSValue::isConstructor):
2016         * runtime/JSCell.cpp:
2017         (JSC::JSCell::getCallData):
2018         (JSC::JSCell::getConstructData):
2019         * runtime/JSFunction.cpp:
2020         (JSC::JSFunction::getCallData):
2021         (JSC::JSFunction::getConstructData):
2022         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2023         (JSC::constructGenericTypedArrayViewWithArguments):
2024         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData):
2025         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2026         * runtime/JSInternalPromise.cpp:
2027         (JSC::JSInternalPromise::then):
2028         * runtime/JSInternalPromiseConstructor.cpp:
2029         (JSC::JSInternalPromiseConstructor::getConstructData):
2030         (JSC::JSInternalPromiseConstructor::getCallData):
2031         * runtime/JSJob.cpp:
2032         (JSC::JSJobMicrotask::run):
2033         * runtime/JSONObject.cpp:
2034         (JSC::Stringifier::Stringifier):
2035         (JSC::Stringifier::toJSONImpl):
2036         (JSC::Stringifier::appendStringifiedValue):
2037         (JSC::JSONProtoFuncParse):
2038         * runtime/JSObject.cpp:
2039         (JSC::callToPrimitiveFunction):
2040         (JSC::JSObject::hasInstance):
2041         (JSC::JSObject::getMethod):
2042         * runtime/JSObject.h:
2043         (JSC::getCallData):
2044         (JSC::getConstructData):
2045         * runtime/JSPromise.cpp:
2046         (JSC::JSPromise::initialize):
2047         * runtime/JSPromiseConstructor.cpp:
2048         (JSC::JSPromiseConstructor::getConstructData):
2049         (JSC::JSPromiseConstructor::getCallData):
2050         * runtime/JSPromiseDeferred.cpp:
2051         (JSC::newPromiseCapability):
2052         (JSC::callFunction):
2053         * runtime/JSTypedArrayViewConstructor.cpp:
2054         (JSC::constructTypedArrayView):
2055         (JSC::JSTypedArrayViewConstructor::getConstructData):
2056         (JSC::JSTypedArrayViewConstructor::getCallData):
2057         * runtime/MapConstructor.cpp:
2058         (JSC::constructMap):
2059         (JSC::MapConstructor::getConstructData):
2060         (JSC::MapConstructor::getCallData):
2061         * runtime/ModuleLoaderObject.cpp:
2062         (JSC::ModuleLoaderObject::provide):
2063         (JSC::ModuleLoaderObject::loadAndEvaluateModule):
2064         (JSC::ModuleLoaderObject::loadModule):
2065         (JSC::ModuleLoaderObject::linkAndEvaluateModule):
2066         * runtime/NativeErrorConstructor.cpp:
2067         (JSC::NativeErrorConstructor::getConstructData):
2068         (JSC::NativeErrorConstructor::getCallData):
2069         * runtime/NullGetterFunction.cpp:
2070         (JSC::NullGetterFunction::getCallData):
2071         (JSC::NullGetterFunction::getConstructData):
2072         * runtime/NullSetterFunction.cpp:
2073         (JSC::NullSetterFunction::getCallData):
2074         (JSC::NullSetterFunction::getConstructData):
2075         * runtime/NumberConstructor.cpp:
2076         (JSC::NumberConstructor::getConstructData):
2077         (JSC::NumberConstructor::getCallData):
2078         * runtime/ObjectConstructor.cpp:
2079         (JSC::ObjectConstructor::getConstructData):
2080         (JSC::ObjectConstructor::getCallData):
2081         (JSC::toPropertyDescriptor):
2082         * runtime/ObjectPrototype.cpp:
2083         (JSC::objectProtoFuncDefineGetter):
2084         (JSC::objectProtoFuncDefineSetter):
2085         (JSC::objectProtoFuncToLocaleString):
2086         * runtime/Operations.cpp:
2087         (JSC::jsTypeStringForValue):
2088         (JSC::jsIsObjectTypeOrNull):
2089         (JSC::jsIsFunctionType):
2090         * runtime/ProxyConstructor.cpp:
2091         (JSC::ProxyConstructor::getConstructData):
2092         (JSC::ProxyConstructor::getCallData):
2093         * runtime/ProxyObject.cpp:
2094         (JSC::ProxyObject::finishCreation):
2095         (JSC::performProxyCall):
2096         (JSC::ProxyObject::getCallData):
2097         (JSC::performProxyConstruct):
2098         (JSC::ProxyObject::getConstructData):
2099         * runtime/ReflectObject.cpp:
2100         (JSC::reflectObjectConstruct):
2101         * runtime/RegExpConstructor.cpp:
2102         (JSC::RegExpConstructor::getConstructData):
2103         (JSC::RegExpConstructor::getCallData):
2104         * runtime/RuntimeType.h:
2105         * runtime/SamplingProfiler.cpp:
2106         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2107         * runtime/SetConstructor.cpp:
2108         (JSC::constructSet):
2109         (JSC::SetConstructor::getConstructData):
2110         (JSC::SetConstructor::getCallData):
2111         * runtime/StringConstructor.cpp:
2112         (JSC::StringConstructor::getConstructData):
2113         (JSC::StringConstructor::getCallData):
2114         * runtime/StringPrototype.cpp:
2115         (JSC::replaceUsingRegExpSearch):
2116         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
2117         (JSC::operationStringProtoFuncReplaceRegExpString):
2118         (JSC::replaceUsingStringSearch):
2119         * runtime/SymbolConstructor.cpp:
2120         (JSC::SymbolConstructor::getConstructData):
2121         (JSC::SymbolConstructor::getCallData):
2122         * runtime/WeakMapConstructor.cpp:
2123         (JSC::constructWeakMap):
2124         (JSC::WeakMapConstructor::getConstructData):
2125         (JSC::WeakMapConstructor::getCallData):
2126         * runtime/WeakSetConstructor.cpp:
2127         (JSC::constructWeakSet):
2128         (JSC::WeakSetConstructor::getConstructData):
2129         (JSC::WeakSetConstructor::getCallData):
2130         * tests/es6.yaml:
2131         * tests/stress/reflect-construct.js: Added.
2132         (shouldBe):
2133         (shouldThrow):
2134         (shouldThrow.array.get length):
2135         (shouldThrow.array.get 0):
2136         (array.get length):
2137         (array.get 0):
2138         (shouldBe.Reflect.construct):
2139         (shouldBe.Reflect.construct.Hello):
2140         (3.shouldBe.Reflect.construct.Hello):
2141         (3.newTarget):
2142         (0.shouldBe.Reflect.construct):
2143         (shouldBe.A):
2144         (shouldBe.B):
2145         (nativeConstructorTest.DerivedMap):
2146         (nativeConstructorTest.FailedMap):
2147         (set noInline):
2148
2149 2016-03-04  Andreas Kling  <akling@apple.com>
2150
2151         [iOS] Throw away compiled RegExp code when navigating to a new page.
2152         <https://webkit.org/b/155015>
2153
2154         Reviewed by Anders Carlsson.
2155
2156         Add a mechanism to have the VM discard all RegExp bytecode and JIT code.
2157
2158         * runtime/VM.cpp:
2159         (JSC::VM::deleteAllRegExpCode):
2160         * runtime/VM.h:
2161
2162 2016-03-04  David Kilzer  <ddkilzer@apple.com>
2163
2164         REGRESSION (r197531): JavaScriptCore ASan build fails due to weak external symbol
2165         <http://webkit.org/b/155033>
2166         <rdar://problem/24979661>
2167
2168         Reviewed by Alexey Proskuryakov.
2169
2170         * runtime/JSObject.cpp:
2171         (JSC::JSObject::ordinaryToPrimitive): Don't mark this method
2172         inline since it's also used in DatePrototype.cpp, and is
2173         declared as a public class method.
2174         * runtime/JSObject.h:
2175         (JSC::JSObject::ordinaryToPrimitive): Don't export this method
2176         since it is not used outside of JavaScriptCore.
2177
2178 2016-03-04  Alex Christensen  <achristensen@webkit.org>
2179
2180         Remove vcxproj build system
2181         https://bugs.webkit.org/show_bug.cgi?id=154388
2182
2183         Rubber-stamped by Brent Fulgham.
2184
2185         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Removed.
2186         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Removed.
2187         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Removed.
2188         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Removed.
2189         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Removed.
2190         * JavaScriptCore.vcxproj/JavaScriptCoreCFLite.props: Removed.
2191         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Removed.
2192         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Removed.
2193         * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Removed.
2194         * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: Removed.
2195         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Removed.
2196         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Removed.
2197         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Removed.
2198         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Removed.
2199         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Removed.
2200         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: Removed.
2201         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Removed.
2202         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Removed.
2203         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Removed.
2204         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Removed.
2205         * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: Removed.
2206         * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Removed.
2207         * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: Removed.
2208         * JavaScriptCore.vcxproj/build-generated-files.pl: Removed.
2209         * JavaScriptCore.vcxproj/copy-files.cmd: Removed.
2210
2211 2016-03-04  Chris Dumez  <cdumez@apple.com>
2212
2213         Location.reload should not be writable
2214         https://bugs.webkit.org/show_bug.cgi?id=154989
2215
2216         Reviewed by Gavin Barraclough.
2217
2218         After r196770, operations marked as [Unforgeable] in the IDL (such as
2219         Location.reload) are correctly reported as not writable by
2220         Object.getOwnPropertyDescriptor(). Trying to set such property in JS
2221         is correctly ignored (or throws in strict mode) if the object has
2222         previously been reified. However, due to a bug in putEntry(), it was
2223         still possible to override the property if the object was not reified
2224         yet. This patch fixes the issue by checking in putEntry() that entries
2225         that are functions are not ReadOnly before calling putDirect().
2226
2227         * runtime/Lookup.h:
2228         (JSC::putEntry):
2229
2230 2016-03-04  Skachkov Oleksandr  <gskachkov@gmail.com>
2231
2232         [ES6] Arrow function syntax. Lexical bind "super" inside of the arrow function in generator.
2233         https://bugs.webkit.org/show_bug.cgi?id=152575
2234
2235         Reviewed by Yusuke Suzuki.
2236
2237         Added support of the 'SuperProperty' in arrow function within of the generator 
2238         method of class. Before patch parser  did not recognize that current arrow function 
2239         is declated inside of the generator and raise SyntaxError.
2240
2241         * parser/Parser.cpp:
2242         (JSC::Parser<LexerType>::parseFunctionInfo):
2243         * parser/Parser.h:
2244         (JSC::Scope::Scope):
2245         (JSC::Scope::isGeneratorBoundary):
2246         (JSC::Scope::setIsFunction):
2247         (JSC::Scope::setIsGenerator):
2248         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
2249         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
2250
2251 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
2252
2253         DFG/FTL should inline accesses to RegExpObject::m_lastIndex
2254         https://bugs.webkit.org/show_bug.cgi?id=155003
2255
2256         Reviewed by Benjamin Poulain.
2257
2258         The Octane/regexp benchmark sets RegExps' lastIndex a lot. I could imagine this being
2259         something that people want to do. Right now, I'm not convinced that making the RegExp object
2260         be more plain-JS would be a good idea considering that pretty much all uses of it will
2261         require some special compiler magic. Also, it's good that this patch teaches the compiler
2262         how to reason about lastIndex since some of my other plans for regexp involve having the
2263         compiler treat more regexp stuff as intrinsic.
2264
2265         This is a smaller Octane/regexp speed-up than I hoped - maybe around 1%. It's an enormous
2266         speed-up on the microbenchmarks attached to this patch.
2267
2268         * dfg/DFGAbstractHeap.h:
2269         * dfg/DFGAbstractInterpreterInlines.h:
2270         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2271         * dfg/DFGClobberize.h:
2272         (JSC::DFG::clobberize):
2273         * dfg/DFGDoesGC.cpp:
2274         (JSC::DFG::doesGC):
2275         * dfg/DFGFixupPhase.cpp:
2276         (JSC::DFG::FixupPhase::fixupNode):
2277         * dfg/DFGHeapLocation.h:
2278         * dfg/DFGNodeType.h:
2279         * dfg/DFGPredictionPropagationPhase.cpp:
2280         (JSC::DFG::PredictionPropagationPhase::propagate):
2281         * dfg/DFGSafeToExecute.h:
2282         (JSC::DFG::safeToExecute):
2283         * dfg/DFGSpeculativeJIT.cpp:
2284         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2285         (JSC::DFG::SpeculativeJIT::compileGetRegExpObjectLastIndex):
2286         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2287         * dfg/DFGSpeculativeJIT.h:
2288         * dfg/DFGSpeculativeJIT32_64.cpp:
2289         (JSC::DFG::SpeculativeJIT::compile):
2290         * dfg/DFGSpeculativeJIT64.cpp:
2291         (JSC::DFG::SpeculativeJIT::compile):
2292         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2293         * ftl/FTLAbstractHeapRepository.cpp:
2294         * ftl/FTLAbstractHeapRepository.h:
2295         * ftl/FTLCapabilities.cpp:
2296         (JSC::FTL::canCompile):
2297         * ftl/FTLLowerDFGToB3.cpp:
2298         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2299         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
2300         (JSC::FTL::DFG::LowerDFGToB3::compileGetRegExpObjectLastIndex):
2301         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2302         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
2303         (JSC::FTL::DFG::LowerDFGToB3::lowObject):
2304         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject):
2305         (JSC::FTL::DFG::LowerDFGToB3::lowString):
2306         * runtime/RegExpObject.h:
2307         (JSC::RegExpObject::createStructure):
2308         (JSC::RegExpObject::offsetOfLastIndex):
2309
2310 2016-03-03  Chris Dumez  <cdumez@apple.com>
2311
2312         Regression(r196770): Unable to use HipChat Mac app
2313         https://bugs.webkit.org/show_bug.cgi?id=154999
2314         <rdar://problem/24931959>
2315
2316         Reviewed by Darin Adler.
2317
2318         Add a setter to PutPropertySlot to override the 'isStrictMode' flag.
2319
2320         * runtime/PutPropertySlot.h:
2321         (JSC::PutPropertySlot::setStrictMode):
2322
2323 2016-03-03  Benjamin Poulain  <bpoulain@apple.com>
2324
2325         [JSC] Add support for MADD, MSUB and MNEG to Air
2326         https://bugs.webkit.org/show_bug.cgi?id=154997
2327
2328         Reviewed by Filip Pizlo.
2329
2330         ARM64 can do an Add/Sub in the Multiply units.
2331         LLVM was doing so but we lost that when switching to B3.
2332
2333         This patch adds those instructions in Air.
2334
2335         There are more ALUs than multiply units, thus we are more
2336         likely to successfully schedule a Multiply+Add than 2 Multiply.
2337         I am conservative and only emit a multiply-add if the value
2338         can be interned. As far as I can tell from what is generated
2339         by LLVM, that backend had the same rule.
2340
2341         * assembler/MacroAssemblerARM64.h:
2342         (JSC::MacroAssemblerARM64::multiplyAdd32):
2343         (JSC::MacroAssemblerARM64::multiplySub32):
2344         (JSC::MacroAssemblerARM64::multiplyNeg32):
2345         (JSC::MacroAssemblerARM64::multiplyAdd64):
2346         (JSC::MacroAssemblerARM64::multiplySub64):
2347         (JSC::MacroAssemblerARM64::multiplyNeg64):
2348         * b3/B3LowerToAir.cpp:
2349         (JSC::B3::Air::LowerToAir::lower):
2350         * b3/air/AirOpcode.opcodes:
2351         * b3/testb3.cpp:
2352         (JSC::B3::populateWithInterestingValues):
2353         (JSC::B3::floatingPointOperands):
2354         (JSC::B3::int64Operands):
2355         (JSC::B3::int32Operands):
2356         (JSC::B3::testMulAddArgsLeft):
2357         (JSC::B3::testMulAddArgsRight):
2358         (JSC::B3::testMulAddArgsLeft32):
2359         (JSC::B3::testMulAddArgsRight32):
2360         (JSC::B3::testMulSubArgsLeft):
2361         (JSC::B3::testMulSubArgsRight):
2362         (JSC::B3::testMulSubArgsLeft32):
2363         (JSC::B3::testMulSubArgsRight32):
2364         (JSC::B3::testMulNegArgs):
2365         (JSC::B3::testMulNegArgs32):
2366         (JSC::B3::run):
2367
2368 2016-03-03  Saam Barati  <sbarati@apple.com>
2369
2370         [ES6] Implement Proxy.[[SetPrototypeOf]]
2371         https://bugs.webkit.org/show_bug.cgi?id=154931
2372
2373         Reviewed by Ryosuke Niwa.
2374
2375         This patch is a straight forward implementation of Proxy.[[SetPrototypeOf]]
2376         with respect to section 9.5.2 of the ECMAScript spec.
2377         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-setprototypeof-v
2378
2379         * runtime/JSObject.cpp:
2380         (JSC::JSObject::putInlineSlow):
2381         * runtime/ProxyObject.cpp:
2382         (JSC::ProxyObject::put):
2383         (JSC::ProxyObject::getGenericPropertyNames):
2384         (JSC::ProxyObject::performSetPrototype):
2385         (JSC::ProxyObject::setPrototype):
2386         (JSC::ProxyObject::visitChildren):
2387         * runtime/ProxyObject.h:
2388         * tests/es6.yaml:
2389         * tests/stress/proxy-set-prototype-of.js: Added.
2390         (assert):
2391         (throw.new.Error.let.handler.get setPrototypeOf):
2392         (throw.new.Error.set let):
2393         (throw.new.Error.set catch):
2394         (throw.new.Error):
2395         (assert.let.handler.setPrototypeOf):
2396         (assert.set let):
2397         (assert.set catch):
2398         (let.handler.setPrototypeOf):
2399         (set let):
2400         (set catch):
2401
2402 2016-03-03  Keith Miller  <keith_miller@apple.com>
2403
2404         JSArrayBuffers should be collected less aggressively
2405         https://bugs.webkit.org/show_bug.cgi?id=154982
2406
2407         Reviewed by Geoffrey Garen.
2408
2409         We are currently too aggressive in our collection of ArrayBuffer wrappers.
2410         There are three cases where we need to avoid collecting ArrayBuffer wrappers.
2411         1. If the wrapper has custom properties.
2412         2. If the wrapper is a subclass of ArrayBuffer.
2413         3. If the wrapper is in a WeakMap/WeakSet.
2414
2415         Currently, we only pass the first case in WebCore and none in the jsc CLI.
2416         This patch removes some optimizations that cause us to collect when we
2417         should not. Namely, always skipping the object unless it has custom
2418         properties. Additionally, in the case of subclassing, we also need a way
2419         for custom JSArrayBuffer objects to register themselves as the wrapper for
2420         an ArrayBuffer class.
2421
2422         Finally, this patch fixes an issue where views would not mark their ArrayBuffer
2423         as an opaque root. This patch also moves an associated ASSERT that the
2424         ArrayBuffer held by a view is not null in JSGenericTypedArrayView::visitChildren
2425         into JSArrayBufferView::visitChildren, where we add the opaque root.
2426
2427         * runtime/JSArrayBuffer.cpp:
2428         (JSC::JSArrayBuffer::finishCreation):
2429         (JSC::JSArrayBuffer::create):
2430         (JSC::JSArrayBuffer::createWithoutWrapping):
2431         * runtime/JSArrayBuffer.h:
2432         * runtime/JSArrayBufferView.cpp:
2433         (JSC::JSArrayBufferView::visitChildren):
2434         * runtime/JSArrayBufferView.h:
2435         * runtime/JSGenericTypedArrayViewInlines.h:
2436         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Deleted.
2437         * runtime/SimpleTypedArrayController.cpp:
2438         (JSC::SimpleTypedArrayController::toJS):
2439         (JSC::SimpleTypedArrayController::registerWrapper):
2440         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
2441         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::finalize):
2442         * runtime/SimpleTypedArrayController.h:
2443         * runtime/TypedArrayController.h:
2444
2445 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
2446
2447         Octane/regexp's Exec function should benefit from array length accessor inlining
2448         https://bugs.webkit.org/show_bug.cgi?id=154994
2449
2450         Reviewed by Benjamin Poulain.
2451
2452         It does:
2453
2454             var thingy = blahbitty.blah;
2455             if (thingy)
2456                 foo = thingy.length;
2457
2458         So, 'thingy' is SpecArray | SpecOther, which prevents the array length accessor inlining from
2459         kicking in. Our strategy for this elsewhere in the DFG is to allow a one-time speculation that
2460         we won't see SpecOther, since *usually* we see SpecOther mixed with other stuff in cases like
2461         this where there is some null check guarding the code.
2462
2463         This gives another slight speed-up on Octane/regexp.
2464
2465         * bytecode/SpeculatedType.h:
2466         (JSC::isCellSpeculation):
2467         (JSC::isCellOrOtherSpeculation):
2468         (JSC::isNotCellSpeculation):
2469         * dfg/DFGFixupPhase.cpp:
2470         (JSC::DFG::FixupPhase::fixupNode):
2471         * dfg/DFGNode.h:
2472         (JSC::DFG::Node::shouldSpeculateCell):
2473         (JSC::DFG::Node::shouldSpeculateCellOrOther):
2474         (JSC::DFG::Node::shouldSpeculateNotCell):
2475
2476 2016-03-03  Saam Barati  <sbarati@apple.com>
2477
2478         Add Proxy tests for exceptions that depend on an object being non-extensible and having configurable properties
2479         https://bugs.webkit.org/show_bug.cgi?id=154745
2480
2481         Reviewed by Geoffrey Garen.
2482
2483         This patch is mostly an implementation of Proxy.[[OwnPropertyKeys]] 
2484         with respect to section 9.5.11 of the ECMAScript spec.
2485         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys
2486
2487         This patch also changes call sites of getOwnPropertyNames and
2488         getPropertyNames to expect that an exception can be thrown.
2489
2490         * dfg/DFGOperations.cpp:
2491         * inspector/JSInjectedScriptHost.cpp:
2492         (Inspector::JSInjectedScriptHost::iteratorEntries):
2493         * interpreter/Interpreter.cpp:
2494         (JSC::Interpreter::execute):
2495         * runtime/IntlObject.cpp:
2496         (JSC::supportedLocales):
2497         * runtime/JSCJSValue.h:
2498         * runtime/JSCJSValueInlines.h:
2499         (JSC::JSValue::get):
2500         (JSC::JSValue::put):
2501         * runtime/JSONObject.cpp:
2502         (JSC::Stringifier::Holder::appendNextProperty):
2503         (JSC::Walker::walk):
2504         * runtime/JSObject.cpp:
2505         (JSC::JSObject::getPropertyNames):
2506         (JSC::JSObject::getGenericPropertyNames):
2507         * runtime/JSObject.h:
2508         (JSC::makeIdentifier):
2509         (JSC::createListFromArrayLike):
2510         * runtime/JSPropertyNameEnumerator.h:
2511         (JSC::propertyNameEnumerator):
2512         * runtime/JSPropertyNameIterator.cpp:
2513         (JSC::JSPropertyNameIterator::create):
2514         * runtime/MapConstructor.cpp:
2515         (JSC::constructMap):
2516         * runtime/ObjectConstructor.cpp:
2517         (JSC::defineProperties):
2518         (JSC::objectConstructorSeal):
2519         (JSC::objectConstructorFreeze):
2520         (JSC::objectConstructorIsSealed):
2521         (JSC::objectConstructorIsFrozen):
2522         (JSC::ownPropertyKeys):
2523         * runtime/ProxyObject.cpp:
2524         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2525         (JSC::ProxyObject::deleteProperty):
2526         (JSC::ProxyObject::deletePropertyByIndex):
2527         (JSC::ProxyObject::defineOwnProperty):
2528         (JSC::ProxyObject::performGetOwnPropertyNames):
2529         (JSC::ProxyObject::getOwnPropertyNames):
2530         (JSC::ProxyObject::getOwnNonIndexPropertyNames):
2531         (JSC::ProxyObject::getStructurePropertyNames):
2532         (JSC::ProxyObject::getGenericPropertyNames):
2533         (JSC::ProxyObject::visitChildren):
2534         * runtime/ProxyObject.h:
2535         (JSC::ProxyObject::create):
2536         (JSC::ProxyObject::createStructure):
2537         * runtime/Structure.cpp:
2538         (JSC::Structure::Structure):
2539         (JSC::Structure::add):
2540         (JSC::Structure::getPropertyNamesFromStructure):
2541         (JSC::Structure::checkConsistency):
2542         (JSC::Structure::canCachePropertyNameEnumerator):
2543         (JSC::Structure::canAccessPropertiesQuicklyForEnumeration):
2544         (JSC::Structure::canAccessPropertiesQuickly): Deleted.
2545         * runtime/Structure.h:
2546         * runtime/WeakMapConstructor.cpp:
2547         (JSC::constructWeakMap):
2548         * tests/es6.yaml:
2549         * tests/stress/proxy-own-keys.js: Added.
2550         (assert):
2551         (throw.new.Error.let.handler.ownKeys):
2552         (throw.new.Error):
2553         (assert.let.handler.get ownKeys):
2554         (assert.let.handler.ownKeys):
2555         (let.handler.ownKeys):
2556         (i.catch):
2557         (shallowEq):
2558         (let.handler.getOwnPropertyDescriptor):
2559         (i.set assert):
2560         (set add):
2561         (set assert):
2562         (set if):
2563
2564 2016-03-03  Keith Miller  <keith_miller@apple.com>
2565
2566         Array prototype JS builtins should support Symbol.species
2567         https://bugs.webkit.org/show_bug.cgi?id=154710
2568
2569         Reviewed by Geoffrey Garen.
2570
2571         Add support for Symbol.species in the Array.prototype JS
2572         builtin functions.
2573
2574         * builtins/ArrayPrototype.js:
2575         (filter):
2576         (map):
2577         * runtime/ArrayConstructor.cpp:
2578         (JSC::ArrayConstructor::finishCreation):
2579         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
2580         * runtime/ArrayConstructor.h:
2581         (JSC::ArrayConstructor::create):
2582         * runtime/CommonIdentifiers.h:
2583         * runtime/JSGlobalObject.cpp:
2584         (JSC::JSGlobalObject::init):
2585         * tests/stress/array-species-functions.js:
2586         (id):
2587
2588 2016-03-03  Michael Saboff  <msaboff@apple.com>
2589
2590         [ES6] Make Unicode RegExp pattern parsing conform to the spec
2591         https://bugs.webkit.org/show_bug.cgi?id=154988
2592
2593         Reviewed by Benjamin Poulain.
2594
2595         Updated RegExp pattern processing with 'u' (Unicode) flag to conform to the
2596         spec (https://tc39.github.io/ecma262/2016/#sec-patterns).  In the spec, the
2597         grammar is annotated with [U] annotations.  Productions that are prefixed with
2598         [+U] are only available with the Unicode flags while productions prefixed with
2599         [~U] are only available without the Unicode flag.
2600         
2601         Added flags argument to Yarr::checkSyntax() so we can catch Unicode flag related
2602         parsing errors at syntax checking time.  Restricted what escapes are available for
2603         non Unicode patterns.  Most of this is defined in the IdentityEscape rule in the
2604         pattern grammar.
2605
2606         Added \- as a CharacterClass only escape in Unicode patterns.
2607
2608         Updated the tests for these changes.
2609
2610         Made changes suggested in https://bugs.webkit.org/show_bug.cgi?id=154842#c22 after
2611         change set r197426 was landed.
2612
2613         * parser/ASTBuilder.h:
2614         (JSC::ASTBuilder::createRegExp):
2615         * parser/Parser.cpp:
2616         (JSC::Parser<LexerType>::parsePrimaryExpression):
2617         * parser/SyntaxChecker.h:
2618         (JSC::SyntaxChecker::createRegExp):
2619         * yarr/YarrInterpreter.cpp:
2620         (JSC::Yarr::Interpreter::InputStream::readChecked):
2621         (JSC::Yarr::Interpreter::InputStream::readSurrogatePairChecked):
2622         (JSC::Yarr::Interpreter::InputStream::reread):
2623         (JSC::Yarr::Interpreter::InputStream::uncheckInput):
2624         (JSC::Yarr::Interpreter::InputStream::atStart):
2625         (JSC::Yarr::Interpreter::InputStream::atEnd):
2626         (JSC::Yarr::Interpreter::testCharacterClass):
2627         (JSC::Yarr::Interpreter::backtrackPatternCharacter):
2628         (JSC::Yarr::Interpreter::matchDisjunction):
2629         (JSC::Yarr::ByteCompiler::atomPatternCharacter):
2630         * yarr/YarrParser.h:
2631         (JSC::Yarr::Parser::Parser):
2632         (JSC::Yarr::Parser::isIdentityEscapeAnError):
2633         (JSC::Yarr::Parser::parseEscape):
2634         (JSC::Yarr::Parser::parse):
2635         * yarr/YarrPattern.cpp:
2636         (JSC::Yarr::CharacterClassConstructor::putChar):
2637         (JSC::Yarr::CharacterClassConstructor::putRange):
2638         (JSC::Yarr::CharacterClassConstructor::addSorted):
2639         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
2640         * yarr/YarrSyntaxChecker.cpp:
2641         (JSC::Yarr::SyntaxChecker::disjunction):
2642         (JSC::Yarr::checkSyntax):
2643         * yarr/YarrSyntaxChecker.h:
2644
2645 2016-03-03  Saam barati  <sbarati@apple.com>
2646
2647         [ES6] Implement Proxy.[[DefineOwnProperty]]
2648         https://bugs.webkit.org/show_bug.cgi?id=154759
2649
2650         Reviewed by Geoffrey Garen and Mark Lam.
2651
2652         This patch is a straight forward implementation of Proxy.[[DefineOwnProperty]]
2653         with respect to section 9.5.6 of the ECMAScript spec.
2654         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-defineownproperty-p-desc
2655
2656         * runtime/ObjectConstructor.cpp:
2657         (JSC::objectConstructorGetOwnPropertyDescriptor):
2658         (JSC::objectConstructorGetOwnPropertyDescriptors):
2659         * runtime/ObjectConstructor.h:
2660         (JSC::constructEmptyObject):
2661         (JSC::constructObjectFromPropertyDescriptor):
2662         * runtime/ProxyObject.cpp:
2663         (JSC::ProxyObject::isExtensible):
2664         (JSC::ProxyObject::performDefineOwnProperty):
2665         (JSC::ProxyObject::defineOwnProperty):
2666         (JSC::ProxyObject::visitChildren):
2667         * runtime/ProxyObject.h:
2668         * tests/es6.yaml:
2669         * tests/stress/proxy-define-own-property.js: Added.
2670         (assert):
2671         (throw.new.Error):
2672         (assert.let.handler.get defineProperty):
2673         (assert.let.handler.defineProperty):
2674         (let.handler.defineProperty):
2675         (i.catch):
2676         (assert.try.):
2677         (assert.set get catch):
2678         (assert.let.setter):
2679         (assert.let.getter):
2680         (assert.set get let.handler.defineProperty):
2681         (assert.set get let):
2682         (assert.):
2683
2684 2016-03-03  Keith Miller  <keith_miller@apple.com>
2685
2686         [ES6] Add support for Symbol.toPrimitive
2687         https://bugs.webkit.org/show_bug.cgi?id=154877
2688
2689         Reviewed by Saam Barati.
2690
2691         This patch adds suport for Symbol.toPrimitive. Since we don't currently
2692         generate snippits for one side of a binary operation we only need to change
2693         the JSObject::ToPrimitive function and update some optimizations in the DFG
2694         that need to know how conversions to primitive values should work. As of
2695         ES6, the date prototype is also no longer special cased in the ToPrimitive
2696         operation. Instead, Date.prototype has a Symbol.species function that
2697         replicates the old behavior.
2698
2699         * bytecode/ObjectPropertyConditionSet.cpp:
2700         (JSC::generateConditionsForPropertyMissConcurrently):
2701         * bytecode/ObjectPropertyConditionSet.h:
2702         * dfg/DFGGraph.cpp:
2703         (JSC::DFG::Graph::watchConditions):
2704         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
2705         * dfg/DFGGraph.h:
2706         * runtime/CommonIdentifiers.h:
2707         * runtime/DatePrototype.cpp:
2708         (JSC::DatePrototype::finishCreation):
2709         (JSC::dateProtoFuncToPrimitiveSymbol):
2710         * runtime/Error.cpp:
2711         (JSC::throwTypeError):
2712         * runtime/Error.h:
2713         * runtime/JSCJSValueInlines.h:
2714         (JSC::toPreferredPrimitiveType):
2715         * runtime/JSObject.cpp:
2716         (JSC::callToPrimitiveFunction):
2717         (JSC::JSObject::ordinaryToPrimitive):
2718         (JSC::JSObject::defaultValue):
2719         (JSC::JSObject::toPrimitive):
2720         (JSC::JSObject::getPrimitiveNumber):
2721         (JSC::callDefaultValueFunction): Deleted.
2722         (JSC::throwTypeError): Deleted.
2723         * runtime/JSObject.h:
2724         (JSC::JSObject::toPrimitive): Deleted.
2725         * runtime/SmallStrings.h:
2726         * runtime/SymbolPrototype.cpp:
2727         (JSC::SymbolPrototype::finishCreation):
2728         * runtime/SymbolPrototype.h:
2729         (JSC::SymbolPrototype::create):
2730         * tests/es6.yaml:
2731         * tests/stress/date-symbol-toprimitive.js: Added.
2732         * tests/stress/ropes-symbol-toprimitive.js: Added.
2733         (ropify):
2734         (String.prototype.Symbol.toPrimitive):
2735         * tests/stress/symbol-toprimitive.js: Added.
2736         (foo.Symbol.toPrimitive):
2737         (catch):
2738
2739 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
2740
2741         DFG should be able to compile StringReplace
2742         https://bugs.webkit.org/show_bug.cgi?id=154979
2743
2744         Reviewed by Benjamin Poulain.
2745
2746         Adds support for StringReplace to the DFG tier. This is a 3% speed-up on Octane/regexp.
2747
2748         * dfg/DFGByteCodeParser.cpp:
2749         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2750         * dfg/DFGSpeculativeJIT.cpp:
2751         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
2752         (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
2753         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2754         * dfg/DFGSpeculativeJIT.h:
2755         (JSC::DFG::SpeculativeJIT::callOperation):
2756         * dfg/DFGSpeculativeJIT32_64.cpp:
2757         (JSC::DFG::SpeculativeJIT::compile):
2758         * dfg/DFGSpeculativeJIT64.cpp:
2759         (JSC::DFG::SpeculativeJIT::compile):
2760         * jit/JITOperations.h:
2761
2762 2016-03-03  Saam barati  <sbarati@apple.com>
2763
2764         [[SetPrototypeOf]] isn't properly implemented everywhere
2765         https://bugs.webkit.org/show_bug.cgi?id=154943
2766
2767         Reviewed by Benjamin Poulain.
2768
2769         We were copy-pasting implememntation bits that belong in OrdinarySetPrototypeOf 
2770         in a few different places that call O.[[SetPrototypeOf]](v)
2771         rather than having those bits in OrdinarySetPrototypeOf itself.
2772         We need to put those copy-pasted bits into OrdinarySetPrototypeOf
2773         and not the call sites of O.[[SetPrototypeOf]](v) because
2774         O.[[SetPrototypeOf]](v) won't always call into OrdinarySetPrototypeOf.
2775         This is needed for correctness because this behavior is now observable
2776         with the ES6 Proxy object.
2777
2778         * runtime/ClassInfo.h:
2779         * runtime/JSCell.cpp:
2780         (JSC::JSCell::isExtensible):
2781         (JSC::JSCell::setPrototype):
2782         * runtime/JSCell.h:
2783         * runtime/JSGlobalObjectFunctions.cpp:
2784         (JSC::globalFuncProtoSetter):
2785         * runtime/JSObject.cpp:
2786         (JSC::JSObject::setPrototypeDirect):
2787         (JSC::JSObject::setPrototypeWithCycleCheck):
2788         (JSC::JSObject::setPrototype):
2789         (JSC::JSObject::allowsAccessFrom):
2790         * runtime/JSObject.h:
2791         (JSC::JSObject::mayInterceptIndexedAccesses):
2792         * runtime/ObjectConstructor.cpp:
2793         (JSC::objectConstructorSetPrototypeOf):
2794         * runtime/ReflectObject.cpp:
2795         (JSC::reflectObjectSetPrototypeOf):
2796
2797 2016-03-03  Alex Christensen  <achristensen@webkit.org>
2798
2799         Fix Windows build after r197489.
2800
2801         * jsc.cpp:
2802
2803 2016-03-02  Filip Pizlo  <fpizlo@apple.com>
2804
2805         RegExpExec/RegExpTest should not unconditionally speculate cell
2806         https://bugs.webkit.org/show_bug.cgi?id=154901
2807
2808         Reviewed by Benjamin Poulain.
2809
2810         This is a three part change. It all started with a simple goal: end the rage-recompiles in
2811         Octane/regexp by enabling the DFG and FTL to do untyped RegExpExec/RegExpTest. This keeps us
2812         in the optimized code when you do a regexp match on a number, for example.
2813
2814         While implementing this, I realized that DFGOperations.cpp was bad at exception checking. When
2815         it did check for exceptions, it used exec->hadException() instead of vm.exception(). So I
2816         fixed that. I also made sure that the regexp operations checked for exception after doing
2817         toString().
2818
2819         Unfortunately, the introduction of untyped RegExpExec/RegExpTest caused a regression on
2820         Octane/regexp. This was because we were simultaneously scheduling replacement and OSR compiles
2821         of some large functions with the FTL JIT. The OSR compiles were not useful. This was a
2822         regression from the previous changes to make OSR compiles happen sooner. The problem is that
2823         this change also removed the throttling of OSR compiles even in those cases where we suspect
2824         that replacement is more likely. This patch reintroduces that throttling, but only in the
2825         replacement path.
2826
2827         This change ends up being neutral overall.
2828
2829         * dfg/DFGFixupPhase.cpp:
2830         (JSC::DFG::FixupPhase::fixupNode):
2831         * dfg/DFGOperations.cpp:
2832         * dfg/DFGOperations.h:
2833         * dfg/DFGSpeculativeJIT32_64.cpp:
2834         (JSC::DFG::SpeculativeJIT::compile):
2835         * dfg/DFGSpeculativeJIT64.cpp:
2836         (JSC::DFG::SpeculativeJIT::compile):
2837         * ftl/FTLLowerDFGToB3.cpp:
2838         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
2839         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
2840         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2841         * tests/stress/regexp-exec-effect-after-exception.js: Added.
2842
2843 2016-03-02  Benjamin Poulain  <bpoulain@apple.com>
2844
2845         [JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
2846         https://bugs.webkit.org/show_bug.cgi?id=154947
2847
2848         Reviewed by Filip Pizlo.
2849
2850         This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.
2851
2852         The problem was that JSCell_freeListNext and JSCell_structureID were
2853         considered as disjoint. When reordering instructions, the scheduler
2854         could move the write of the StructureID first to reduce dependencies.
2855         This would erase half of JSCell_freeListNext before we get a chance
2856         to load the value.
2857
2858         This patch changes the hierarchy to make sure nothing is written
2859         until JSCell_freeListNext is processed.
2860
2861         All credits for this patch go to Filip.
2862
2863         * ftl/FTLAbstractHeapRepository.cpp:
2864         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2865         * ftl/FTLAbstractHeapRepository.h:
2866
2867 2016-03-02  Benjamin Poulain  <bpoulain@apple.com>
2868
2869         [JSC] Improve Select of Doubles based on Double condition
2870         https://bugs.webkit.org/show_bug.cgi?id=154572
2871
2872         Reviewed by Filip Pizlo.
2873
2874         Octane has a bunch of Select on Double based on comparing Doubles.
2875         A few nodes generate that: ValueRep, Min, Max, etc.
2876
2877         On ARM64, we can improve our code a lot. ARM can do a select
2878         based on flags with the FCSEL instruction.
2879
2880         On x86, this patch adds aggressive aliasing for moveDoubleConditionallyXXX.
2881         This has obviously a much more limited impact.
2882
2883         * assembler/MacroAssembler.h:
2884         (JSC::MacroAssembler::moveDoubleConditionally32): Deleted.
2885         (JSC::MacroAssembler::moveDoubleConditionally64): Deleted.
2886         (JSC::MacroAssembler::moveDoubleConditionallyTest32): Deleted.
2887         (JSC::MacroAssembler::moveDoubleConditionallyTest64): Deleted.
2888         (JSC::MacroAssembler::moveDoubleConditionallyDouble): Deleted.
2889         (JSC::MacroAssembler::moveDoubleConditionallyFloat): Deleted.
2890         * assembler/MacroAssemblerARM64.h:
2891         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
2892         (JSC::MacroAssemblerARM64::moveDoubleConditionallyDouble):
2893         (JSC::MacroAssemblerARM64::moveDoubleConditionallyFloat):
2894         (JSC::MacroAssemblerARM64::moveConditionally32):
2895         (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
2896         (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
2897         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
2898         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest64):
2899         (JSC::MacroAssemblerARM64::branch64):
2900         * assembler/MacroAssemblerX86Common.h:
2901         (JSC::MacroAssemblerX86Common::moveConditionally32):
2902         (JSC::MacroAssemblerX86Common::moveDoubleConditionally32):
2903         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyTest32):
2904         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyDouble):
2905         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyFloat):
2906         * assembler/MacroAssemblerX86_64.h:
2907         (JSC::MacroAssemblerX86_64::moveDoubleConditionally64):
2908         (JSC::MacroAssemblerX86_64::moveDoubleConditionallyTest64):
2909         * b3/air/AirInstInlines.h:
2910         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2911         * b3/air/AirOpcode.opcodes:
2912         * b3/testb3.cpp:
2913         (JSC::B3::populateWithInterestingValues):
2914         (JSC::B3::floatingPointOperands):
2915         (JSC::B3::int64Operands):
2916         (JSC::B3::int32Operands):
2917         (JSC::B3::testSelectCompareFloat):
2918         (JSC::B3::testSelectCompareFloatToDouble):
2919         (JSC::B3::testSelectDoubleCompareDouble):
2920         (JSC::B3::testSelectDoubleCompareDoubleWithAliasing):
2921         (JSC::B3::testSelectFloatCompareFloat):
2922         (JSC::B3::testSelectFloatCompareFloatWithAliasing):
2923         (JSC::B3::run):
2924
2925 2016-03-02  Joseph Pecoraro  <pecoraro@apple.com>
2926
2927         Add ability to generate a Heap Snapshot
2928         https://bugs.webkit.org/show_bug.cgi?id=154847
2929
2930         Reviewed by Mark Lam.
2931
2932         This adds HeapSnapshot, HeapSnapshotBuilder, and HeapProfiler.
2933
2934         HeapProfiler hangs off of the VM and holds the list of snapshots.
2935         I expect to add other HeapProfiling features, such as allocation
2936         tracking, to the profiler.
2937
2938         HeapSnapshot contains a collection of live cells and their identifiers.
2939         It can point to a previous HeapSnapshot, to ensure that a cell that
2940         already received an identifier maintains the same identifier across
2941         multiple snapshots. When a snapshotted cell gets garbage collected,
2942         the cell will be swept from the HeapSnapshot at the end of collection
2943         to ensure the list contains only live cells.
2944
2945         When building a HeapSnapshot nodes are added in increasing node
2946         identifier order. When done building, the list of nodes is complete
2947         and the snapshot is finalized. At this point the nodes are sorted
2948         by JSCell* address to allow for quick lookup of a JSCell*.
2949
2950         HeapSnapshotBuilder is where snapshotting begins. The builder
2951         will initiate a specialized heap snapshotting garbage collection.
2952         During this collection the builder will be notified of all marked
2953         (live) cells, and connections between cells, as seen by SlotVisitors.
2954         The builder can reference the previous, readonly, HeapSnapshots to
2955         avoid creating new nodes for cells that have already been snapshotted.
2956         When it is determined that we are visiting a live cell for the first
2957         time, we give the cell a unique identifier and add it to the the
2958         snapshot we are building.
2959
2960         Since edge data is costly, and of little long term utility, this
2961         data is only held by the builder for serialization, and not stored
2962         long term with the HeapSnapshot node data.
2963
2964         The goals of HeapSnapshotting at this time are:
2965         - minimal impact on performance when not profiling the heap
2966         - unique identifier for cells, so they may be identified across multiple snapshots
2967         - nodes and edges to be able to construct a graph of which nodes reference/retain which other nodes
2968         - node data - identifier, type (class name), size
2969         - edge data - from cell, to cell, type / data (to come in a follow-up patch)
2970
2971         * CMakeLists.txt:
2972         * JavaScriptCore.xcodeproj/project.pbxproj:
2973         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2974         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2975         Add new files to the build.
2976
2977         * heap/Heap.cpp:
2978         (JSC::Heap::isHeapSnapshotting):
2979         (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
2980         (JSC::RemoveDeadHeapSnapshotNodes::operator()):
2981         (JSC::Heap::removeDeadHeapSnapshotNodes):
2982         (JSC::Heap::collectImpl):
2983         After every collection, sweep dead cells from in memory snapshots.
2984
2985         * runtime/VM.cpp:
2986         (JSC::VM::ensureHeapProfiler):
2987         * runtime/VM.h:
2988         (JSC::VM::heapProfiler):
2989         * heap/Heap.h:
2990         * heap/HeapProfiler.cpp: Added.
2991         (JSC::HeapProfiler::HeapProfiler):
2992         (JSC::HeapProfiler::~HeapProfiler):
2993         (JSC::HeapProfiler::mostRecentSnapshot):
2994         (JSC::HeapProfiler::appendSnapshot):
2995         (JSC::HeapProfiler::clearSnapshots):
2996         (JSC::HeapProfiler::setActiveSnapshotBuilder):
2997         * heap/HeapProfiler.h: Added.
2998         (JSC::HeapProfiler::vm):
2999         (JSC::HeapProfiler::activeSnapshotBuilder):
3000         VM and Heap can look at the profiler to determine if we are building a
3001         snapshot, or the "head" snapshot to use for sweeping.
3002
3003         * heap/HeapSnapshot.cpp: Added.
3004         (JSC::HeapSnapshot::HeapSnapshot):
3005         (JSC::HeapSnapshot::~HeapSnapshot):
3006         (JSC::HeapSnapshot::appendNode):
3007         Add a node to the unfinalized list of new cells.
3008
3009         (JSC::HeapSnapshot::sweepCell):
3010         (JSC::HeapSnapshot::shrinkToFit):
3011         Collect a list of cells for sweeping and then remove them all at once
3012         in shrinkToFit. This is done to avoid thrashing of individual removes
3013         that could cause many overlapping moves within the Vector.
3014
3015         (JSC::HeapSnapshot::finalize):
3016         Sort the list, and also cache the bounding start/stop identifiers.
3017         No other snapshot can contain an identifier in this range, so it will
3018         improve lookup of a node from an identifier.
3019
3020         (JSC::HeapSnapshot::nodeForCell):
3021         (JSC::HeapSnapshot::nodeForObjectIdentifier):
3022         Search helpers.
3023
3024         * heap/HeapSnapshotBuilder.h: Added.
3025         (JSC::HeapSnapshotNode::HeapSnapshotNode):
3026         (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
3027         Node and Edge struct types the builder creates.
3028
3029         * heap/HeapSnapshotBuilder.cpp: Added.
3030         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
3031         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
3032         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
3033         (JSC::HeapSnapshotBuilder::buildSnapshot):
3034         (JSC::HeapSnapshotBuilder::appendNode):
3035         (JSC::HeapSnapshotBuilder::appendEdge):
3036         When building the snapshot, generating the next identifier, and
3037         appending to any of the lists must be guarded by a lock because
3038         SlotVisitors running in parallel may be accessing the builder.
3039
3040         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell):
3041         Looking up if a node already exists in a previous snapshot can be
3042         done without a lock because at this point the data is readonly.
3043
3044         (JSC::edgeTypeToNumber):
3045         (JSC::edgeTypeToString):
3046         (JSC::HeapSnapshotBuilder::json):
3047         JSON serialization of a heap snapshot contains node and edge data.
3048
3049         * heap/SlotVisitor.h:
3050         * heap/SlotVisitor.cpp:
3051         (JSC::SlotVisitor::didStartMarking):
3052         (JSC::SlotVisitor::reset):
3053         Set/clear the active snapshot builder to know if this will be a
3054         snapshotting GC or not.
3055
3056         (JSC::SlotVisitor::append):
3057         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3058         Inform the builder of a new node or edge.
3059
3060         (JSC::SlotVisitor::visitChildren):
3061         Remember the current cell we are visiting so that if we need to
3062         inform the builder of edges we know the "from" cell.
3063
3064         * jsc.cpp:
3065         (SimpleObject::SimpleObject):
3066         (SimpleObject::create):
3067         (SimpleObject::finishCreation):
3068         (SimpleObject::visitChildren):
3069         (SimpleObject::createStructure):
3070         (SimpleObject::hiddenValue):
3071         (SimpleObject::setHiddenValue):
3072         Create a new class "SimpleObject" that can be used by heap snapshotting
3073         tests. It is easy to filter for this new class name and test internal
3074         edge relationships created by garbage collection visiting the cell.
3075
3076         (functionCreateSimpleObject):
3077         (functionGetHiddenValue):
3078         (functionSetHiddenValue):
3079         Expose methods to create and interact with a SimpleObject.
3080
3081         (functionGenerateHeapSnapshot):
3082         Expose methods to create a heap snapshot. This currently automatically
3083         turns the serialized string into a JSON object. That may change.
3084
3085         * tests/heapProfiler.yaml: Added.
3086         * tests/heapProfiler/basic-edges.js: Added.
3087         (excludeStructure):
3088         * tests/heapProfiler/basic-nodes.js: Added.
3089         (hasDifferentSizeNodes):
3090         (hasAllInternalNodes):
3091         Add tests for basic node and edge data.
3092
3093         * tests/heapProfiler/driver/driver.js: Added.
3094         (assert):
3095         (CheapHeapSnapshotNode):
3096         (CheapHeapSnapshotEdge):
3097         (CheapHeapSnapshotEdge.prototype.get from):
3098         (CheapHeapSnapshotEdge.prototype.get to):
3099         (CheapHeapSnapshot):
3100         (CheapHeapSnapshot.prototype.get nodes):
3101         (CheapHeapSnapshot.prototype.get edges):
3102         (CheapHeapSnapshot.prototype.nodeWithIdentifier):
3103         (CheapHeapSnapshot.prototype.nodesWithClassName):
3104         (CheapHeapSnapshot.prototype.classNameFromTableIndex):
3105         (CheapHeapSnapshot.prototype.edgeTypeFromTableIndex):
3106         (createCheapHeapSnapshot):
3107         (HeapSnapshotNode):
3108         (HeapSnapshotEdge):
3109         (HeapSnapshot):
3110         (HeapSnapshot.prototype.nodesWithClassName):
3111         (createHeapSnapshot):
3112         Add two HeapSnapshot representations.
3113         CheapHeapSnapshot creates two lists of node and edge data that
3114         lazily creates objects as needed.
3115         HeapSnapshot creates an object for each node and edge. This
3116         is wasteful but easier to use.
3117
3118 2016-03-02  Filip Pizlo  <fpizlo@apple.com>
3119
3120         RegExpPrototype should check for exceptions after calling toString and doing so should not be expensive
3121         https://bugs.webkit.org/show_bug.cgi?id=154927
3122
3123         Reviewed by Saam Barati.
3124
3125         While working on regexp optimizations, I found that RegExpPrototype calls toString(), an
3126         effectful operation that could do anything, without then checking for hadException().
3127
3128         So I added a call to hadException().
3129
3130         But that regressed Octane/regexp by 5%!  That's a lot!  It turns out that
3131         exec->hadException() is soooper slow. So, I made it cheaper to check for exceptions from
3132         toString(): there is now a variant called toStringFast() that returns null iff it throws an
3133         exception.
3134
3135         This allowed me to add the exception check without regressing perf.
3136
3137         Note that toString() must retain its old behavior of returning an empty string on exception.
3138         There is just too much code that relies on that behavior.
3139
3140         * runtime/JSCJSValue.cpp:
3141         (JSC::JSValue::isValidCallee):
3142         (JSC::JSValue::toStringSlowCase):
3143         (JSC::JSValue::toWTFStringSlowCase):
3144         * runtime/JSCJSValue.h:
3145         (JSC::JSValue::asValue):
3146         * runtime/JSString.h:
3147         (JSC::JSValue::toString):
3148         (JSC::JSValue::toStringFast):
3149         (JSC::JSValue::toWTFString):
3150         * runtime/RegExpPrototype.cpp:
3151         (JSC::regExpProtoFuncTest):
3152         (JSC::regExpProtoFuncExec):
3153         (JSC::regExpProtoFuncCompile):
3154
3155 2016-03-02  Saam barati  <sbarati@apple.com>
3156
3157         clean up JSObject::isExtensibleInline and JSObject::setPrototypeOfInline, and rename setPrototypeOf to setPrototype
3158         https://bugs.webkit.org/show_bug.cgi?id=154942
3159
3160         Reviewed by Benjamin Poulain.
3161
3162         These don't need to be inlined in the way they are.
3163         Doing dynamic dispatch is ok performance wise until
3164         we have evidence stating otherwise.
3165
3166         * API/JSObjectRef.cpp:
3167         (JSObjectSetPrototype):
3168         (JSObjectHasProperty):
3169         * runtime/ClassInfo.h:
3170         * runtime/IntlCollatorConstructor.cpp:
3171         (JSC::constructIntlCollator):
3172         * runtime/IntlDateTimeFormatConstructor.cpp:
3173         (JSC::constructIntlDateTimeFormat):
3174         * runtime/IntlNumberFormatConstructor.cpp:
3175         (JSC::constructIntlNumberFormat):
3176         * runtime/JSCell.cpp:
3177         (JSC::JSCell::isExtensible):
3178         (JSC::JSCell::setPrototype):
3179         (JSC::JSCell::setPrototypeOf): Deleted.
3180         * runtime/JSCell.h:
3181         * runtime/JSGlobalObjectFunctions.cpp:
3182         (JSC::globalFuncProtoSetter):
3183         * runtime/JSObject.cpp:
3184         (JSC::JSObject::setPrototypeWithCycleCheck):
3185         (JSC::JSObject::setPrototype):
3186         (JSC::JSObject::allowsAccessFrom):
3187         (JSC::JSObject::isExtensible):
3188         (JSC::JSObject::reifyAllStaticProperties):
3189         (JSC::JSObject::defineOwnNonIndexProperty):
3190         (JSC::JSObject::setPrototypeOf): Deleted.
3191         * runtime/JSObject.h:
3192         (JSC::JSObject::mayInterceptIndexedAccesses):
3193         (JSC::JSObject::indexingShouldBeSparse):
3194         (JSC::JSObject::setPrototypeOfInline): Deleted.
3195         (JSC::JSObject::isExtensibleInline): Deleted.
3196         * runtime/ObjectConstructor.cpp:
3197         (JSC::objectConstructorSetPrototypeOf):
3198         (JSC::objectConstructorIsSealed):
3199         (JSC::objectConstructorIsFrozen):
3200         (JSC::objectConstructorIsExtensible):
3201         * runtime/ProxyObject.cpp:
3202         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3203         (JSC::ProxyObject::performHasProperty):
3204         (JSC::ProxyObject::performPreventExtensions):
3205         (JSC::ProxyObject::performIsExtensible):
3206         * runtime/ReflectObject.cpp:
3207         (JSC::reflectObjectIsExtensible):
3208         (JSC::reflectObjectSetPrototypeOf):
3209         * runtime/StringObject.cpp:
3210         (JSC::StringObject::defineOwnProperty):
3211
3212 2016-03-02  Konstantin Tokarev  <annulen@yandex.ru>
3213
3214         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
3215         https://bugs.webkit.org/show_bug.cgi?id=154651
3216
3217         Reviewed by Alex Christensen.
3218
3219         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
3220
3221 2016-03-02  Saam barati  <sbarati@apple.com>
3222
3223         [[SetPrototypeOf]] should be a fully virtual method in ClassInfo::methodTable
3224         https://bugs.webkit.org/show_bug.cgi?id=154897
3225
3226         Reviewed by Filip Pizlo.
3227
3228         This patch makes us more consistent with how the ES6 specification models the
3229         [[SetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
3230         is a prerequisite for implementing Proxy.[[SetPrototypeOf]]. This patch
3231         still allows directly setting the prototype for situations where this
3232         is the desired behavior. This is equivalent to setting the internal
3233         [[Prototype]] field as described in the specification. 
3234
3235         * API/JSClassRef.cpp:
3236         (OpaqueJSClass::prototype):
3237         * API/JSObjectRef.cpp:
3238         (JSObjectMake):
3239         (JSObjectSetPrototype):
3240         (JSObjectHasProperty):
3241         * API/JSWrapperMap.mm:
3242         (makeWrapper):
3243         * runtime/ClassInfo.h:
3244         * runtime/IntlCollatorConstructor.cpp:
3245         (JSC::constructIntlCollator):
3246         * runtime/IntlDateTimeFormatConstructor.cpp:
3247         (JSC::constructIntlDateTimeFormat):
3248         * runtime/IntlNumberFormatConstructor.cpp:
3249         (JSC::constructIntlNumberFormat):
3250         * runtime/JSCell.cpp:
3251         (JSC::JSCell::isExtensible):
3252         (JSC::JSCell::setPrototypeOf):
3253         * runtime/JSCell.h:
3254         * runtime/JSGlobalObject.cpp:
3255         (JSC::JSGlobalObject::resetPrototype):
3256         * runtime/JSGlobalObjectFunctions.cpp:
3257         (JSC::globalFuncProtoSetter):
3258         * runtime/JSObject.cpp:
3259         (JSC::JSObject::switchToSlowPutArrayStorage):
3260         (JSC::JSObject::setPrototypeDirect):
3261         (JSC::JSObject::setPrototypeWithCycleCheck):
3262         (JSC::JSObject::setPrototypeOf):
3263         (JSC::JSObject::allowsAccessFrom):
3264         (JSC::JSObject::setPrototype): Deleted.
3265         * runtime/JSObject.h:
3266         (JSC::JSObject::setPrototypeOfInline):
3267         (JSC::JSObject::mayInterceptIndexedAccesses):
3268         * runtime/JSProxy.cpp:
3269         (JSC::JSProxy::setTarget):
3270         * runtime/ObjectConstructor.cpp:
3271         (JSC::objectConstructorSetPrototypeOf):
3272         * runtime/ReflectObject.cpp:
3273         (JSC::reflectObjectSetPrototypeOf):
3274
3275 2016-03-02  Saam barati  <sbarati@apple.com>
3276
3277         SIGSEGV in Proxy [[Get]] and [[Set]] recursion
3278         https://bugs.webkit.org/show_bug.cgi?id=154854
3279
3280         Reviewed by Yusuke Suzuki.
3281
3282         We need to be aware of the possibility that the VM
3283         may recurse and that we can stack overflow.
3284
3285         * runtime/ProxyObject.cpp:
3286         (JSC::performProxyGet):
3287         (JSC::ProxyObject::performPut):
3288         * tests/stress/proxy-get-and-set-recursion-stack-overflow.js: Added.
3289         (assert):
3290         (testStackOverflowGet):
3291         (testStackOverflowIndexedGet):
3292         (testStackOverflowSet):
3293         (testStackOverflowIndexedSet):
3294
3295 2016-03-02  Benjamin Poulain  <bpoulain@apple.com>
3296
3297         [JSC] Use a Move without REX byte when possible
3298         https://bugs.webkit.org/show_bug.cgi?id=154801
3299
3300         Reviewed by Alex Christensen.
3301
3302         Filip wrote an optimization in the register allocator
3303         to use 32bit "Move" when we don't care about the top bytes.
3304
3305         When I moved the commutative ops to the fake 3 operands instruction
3306         I largely destroyed this since all the "Moves" became full register.
3307
3308         In this patch, I switch back to 32bit "Moves" for 32bit operations.
3309
3310         * assembler/MacroAssemblerX86Common.h:
3311         (JSC::MacroAssemblerX86Common::and32):
3312         (JSC::MacroAssemblerX86Common::lshift32):
3313         (JSC::MacroAssemblerX86Common::mul32):
3314         (JSC::MacroAssemblerX86Common::or32):
3315         (JSC::MacroAssemblerX86Common::rshift32):
3316         (JSC::MacroAssemblerX86Common::urshift32):
3317         (JSC::MacroAssemblerX86Common::xor32):
3318         (JSC::MacroAssemblerX86Common::branchAdd32):
3319         (JSC::MacroAssemblerX86Common::branchMul32):
3320         (JSC::MacroAssemblerX86Common::branchSub32):
3321         (JSC::MacroAssemblerX86Common::move32IfNeeded):
3322
3323 2016-03-01  Benjamin Poulain  <benjamin@webkit.org>
3324
3325         [JSC] Simplify ArithMod(ArithMod(x, const1), const2) if const2 >= const1
3326         https://bugs.webkit.org/show_bug.cgi?id=154904
3327
3328         Reviewed by Saam Barati.
3329
3330         The ASM test "ubench" has a "x % 10 % 255".
3331         The second modulo should be eliminated.
3332
3333         This is a 15% improvement on ASMJS' ubench.
3334
3335         * dfg/DFGStrengthReductionPhase.cpp:
3336         (JSC::DFG::StrengthReductionPhase::handleNode):
3337         * tests/stress/arith-modulo-twice.js: Added.
3338         (opaqueModuloSmaller):
3339         (opaqueModuloEqual):
3340         (opaqueModuloLarger):
3341         (opaqueModuloSmallerNeg):
3342         (opaqueModuloEqualNeg):
3343         (opaqueModuloLargerNeg):
3344         (opaqueExpectedOther):
3345
3346 2016-03-01  Ryosuke Niwa  <rniwa@webkit.org>
3347
3348         Unreviewed. Update the status of Proxy objects to "In Development".
3349
3350         * features.json:
3351
3352 2016-03-01  Commit Queue  <commit-queue@webkit.org>
3353
3354         Unreviewed, rolling out r197226 and r197256.
3355         https://bugs.webkit.org/show_bug.cgi?id=154910
3356
3357         Caused crashes on Mac 32-bit and on ARM (Requested by ap on
3358         #webkit).
3359
3360         Reverted changesets:
3361
3362         "Remove the on demand executable allocator"
3363         https://bugs.webkit.org/show_bug.cgi?id=154749
3364         http://trac.webkit.org/changeset/197226
3365
3366         "CLoop build fix."
3367         http://trac.webkit.org/changeset/197256
3368
3369 2016-03-01  Joseph Pecoraro  <pecoraro@apple.com>
3370
3371         Simplify some StringBuilder appends
3372         https://bugs.webkit.org/show_bug.cgi?id=154902
3373
3374         Reviewed by Mark Lam.
3375
3376         * runtime/ExceptionHelpers.cpp:
3377         (JSC::notAFunctionSourceAppender):
3378         * runtime/SamplingProfiler.cpp:
3379         (JSC::SamplingProfiler::stackTracesAsJSON):
3380         Use StringBuilder::append(char) instead of append(char*) where possible.
3381
3382 2016-03-01  Keith Miller  <keith_miller@apple.com>
3383
3384         Promise.prototype.then should use Symbol.species to construct the return Promise
3385         https://bugs.webkit.org/show_bug.cgi?id=154862
3386
3387         Reviewed by Saam Barati.
3388
3389         * builtins/PromisePrototype.js:
3390         * tests/stress/promise-species-functions.js: Added.
3391         (Symbol.species):
3392         (id):
3393         (funcThrows):
3394         (makeC):
3395         (test.species):
3396         (test.speciesThrows):
3397         (test):
3398
3399 2016-03-01  Michael Saboff  <msaboff@apple.com>
3400
3401         [ES6] Add support for Unicode regular expressions
3402         https://bugs.webkit.org/show_bug.cgi?id=154842
3403
3404         Reviewed by Filip Pizlo.
3405
3406         Added processing of Unicode regular expressions to the Yarr interpreter.
3407
3408         Changed parsing of regular expression patterns and PatternTerms to process characters as
3409         UChar32 in the Yarr code.  The parser converts matched surrogate pairs into the appropriate
3410         Unicode character when the expression is parsed.  When matching a unicode expression and
3411         reading source characters, we convert proper surrogate pair into a Unicode character and
3412         advance the source cursor, "pos", one more position.  The exception to this is when we
3413         know when generating a fixed character atom that we need to match a unicode character
3414         that doesn't fit in 16 bits.  The code calls this an extendedUnicodeCharacter and has a
3415         helper to determine this.
3416
3417         Added 'u' flag and 'unicode' identifier to regular expression classes.  Added an "isUnicode"
3418         parameter to YarrPattern pattern() and internal users of that function.
3419
3420         Updated the generation of the canonicalization tables to include a new set a tables that
3421         follow the ES 6.0, 21.2.2.8.2 Step 2.  Renamed the YarrCanonicalizeUCS2.* files to
3422         YarrCanonicalizeUnicode.*. 
3423
3424         Added a new Layout/js test that tests the added functionality.  Updated other tests that
3425         have minor es6 unicode checks and look for valid flags.
3426
3427         Ran the ChakraCore Unicode regular expression tests as well.
3428
3429         * CMakeLists.txt:
3430         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3431         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3432         * JavaScriptCore.xcodeproj/project.pbxproj:
3433
3434         * inspector/ContentSearchUtilities.cpp:
3435         (Inspector::ContentSearchUtilities::findMagicComment):
3436         * yarr/RegularExpression.cpp:
3437         (JSC::Yarr::RegularExpression::Private::compile):
3438         Updated use of pattern().
3439
3440         * runtime/CommonIdentifiers.h:
3441         * runtime/RegExp.cpp:
3442         (JSC::regExpFlags):
3443         (JSC::RegExpFunctionalTestCollector::outputOneTest):
3444         (JSC::RegExp::finishCreation):
3445         (JSC::RegExp::compile):
3446         (JSC::RegExp::compileMatchOnly):
3447         * runtime/RegExp.h:
3448         * runtime/RegExpKey.h:
3449         * runtime/RegExpPrototype.cpp:
3450         (JSC::regExpProtoFuncCompile):
3451         (JSC::flagsString):
3452         (JSC::regExpProtoGetterMultiline):
3453         (JSC::regExpProtoGetterUnicode):
3454         (JSC::regExpProtoGetterFlags):
3455         Updated for new 'y' (unicode) flag.  Add check to use the interpreter for unicode regular expressions.
3456
3457         * tests/es6.yaml:
3458         * tests/stress/static-getter-in-names.js:
3459         Updated tests for new flag and for passing the minimal es6 regular expression processing.
3460
3461         * yarr/Yarr.h: Updated the size of information now kept for backtracking.
3462
3463         * yarr/YarrCanonicalizeUCS2.cpp: Removed.
3464         * yarr/YarrCanonicalizeUCS2.h: Removed.
3465         * yarr/YarrCanonicalizeUCS2.js: Removed.
3466         * yarr/YarrCanonicalizeUnicode.cpp: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.cpp.
3467         * yarr/YarrCanonicalizeUnicode.h: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.h.
3468         (JSC::Yarr::canonicalCharacterSetInfo):
3469         (JSC::Yarr::canonicalRangeInfoFor):
3470         (JSC::Yarr::getCanonicalPair):
3471         (JSC::Yarr::isCanonicallyUnique):
3472         (JSC::Yarr::areCanonicallyEquivalent):
3473         (JSC::Yarr::rangeInfoFor): Deleted.
3474         * yarr/YarrCanonicalizeUnicode.js: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.js.
3475         (printHeader):
3476         (printFooter):
3477         (hex):
3478         (canonicalize):
3479         (canonicalizeUnicode):
3480         (createUCS2CanonicalGroups):
3481         (createUnicodeCanonicalGroups):
3482         (cu.in.groupedCanonically.characters.sort): Deleted.
3483         (cu.in.groupedCanonically.else): Deleted.
3484         Refactored to output two sets of tables, one for UCS2 and one for Unicode.  The UCS2 tables follow
3485         the legacy canonicalization rules now specified in ES 6.0, 21.2.2.8.2 Step 3.  The new Unicode
3486         tables follow the rules specified in ES 6.0, 21.2.2.8.2 Step 2.  Eliminated the unused Latin1 tables.
3487
3488         * yarr/YarrInterpreter.cpp:
3489         (JSC::Yarr::Interpreter::InputStream::InputStream):
3490         (JSC::Yarr::Interpreter::InputStream::readChecked):
3491         (JSC::Yarr::Interpreter::InputStream::readSurrogatePairChecked):
3492         (JSC::Yarr::Interpreter::InputStream::reread):
3493         (JSC::Yarr::Interpreter::InputStream::prev):
3494         (JSC::Yarr::Interpreter::testCharacterClass):
3495         (JSC::Yarr::Interpreter::checkCharacter):
3496         (JSC::Yarr::Interpreter::checkSurrogatePair):
3497         (JSC::Yarr::Interpreter::checkCasedCharacter):
3498         (JSC::Yarr::Interpreter::tryConsumeBackReference):
3499         (JSC::Yarr::Interpreter::backtrackPatternCharacter):
3500         (JSC::Yarr::Interpreter::matchCharacterClass):
3501         (JSC::Yarr::Interpreter::backtrackCharacterClass):
3502         (JSC::Yarr::Interpreter::matchParenthesesTerminalEnd):
3503         (JSC::Yarr::Interpreter::matchDisjunction):
3504         (JSC::Yarr::Interpreter::Interpreter):
3505         (JSC::Yarr::ByteCompiler::assertionWordBoundary):
3506         (JSC::Yarr::ByteCompiler::atomPatternCharacter):
3507         * yarr/YarrInterpreter.h:
3508         (JSC::Yarr::ByteTerm::ByteTerm):
3509         (JSC::Yarr::BytecodePattern::BytecodePattern):
3510         * yarr/YarrJIT.cpp:
3511         (JSC::Yarr::YarrGenerator::optimizeAlternative):
3512         (JSC::Yarr::YarrGenerator::matchCharacterClassRange):
3513         (JSC::Yarr::YarrGenerator::matchCharacterClass):
3514         (JSC::Yarr::YarrGenerator::notAtEndOfInput):
3515         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
3516         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
3517         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
3518         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
3519         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
3520         * yarr/YarrParser.h:
3521         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
3522         (JSC::Yarr::Parser::Parser):
3523         (JSC::Yarr::Parser::parseEscape):
3524         (JSC::Yarr::Parser::consumePossibleSurrogatePair):
3525         (JSC::Yarr::Parser::parseCharacterClass):
3526         (JSC::Yarr::Parser::parseTokens):
3527         (JSC::Yarr::Parser::parse):
3528         (JSC::Yarr::Parser::atEndOfPattern):
3529         (JSC::Yarr::Parser::patternRemaining):
3530         (JSC::Yarr::Parser::peek):
3531         (JSC::Yarr::parse):
3532         * yarr/YarrPattern.cpp:
3533         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
3534         (JSC::Yarr::CharacterClassConstructor::append):
3535         (JSC::Yarr::CharacterClassConstructor::putChar):
3536         (JSC::Yarr::CharacterClassConstructor::putUnicodeIgnoreCase):
3537         (JSC::Yarr::CharacterClassConstructor::putRange):
3538         (JSC::Yarr::CharacterClassConstructor::charClass):
3539         (JSC::Yarr::CharacterClassConstructor::addSorted):
3540         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
3541         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
3542         (JSC::Yarr::YarrPatternConstructor::assertionWordBoundary):
3543         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
3544         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBegin):
3545         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassAtom):
3546         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassRange):
3547         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
3548         (JSC::Yarr::YarrPattern::compile):
3549         (JSC::Yarr::YarrPattern::YarrPattern):
3550         * yarr/YarrPattern.h:
3551         (JSC::Yarr::CharacterRange::CharacterRange):
3552         (JSC::Yarr::CharacterClass::CharacterClass):
3553         (JSC::Yarr::PatternTerm::PatternTerm):
3554         (JSC::Yarr::YarrPattern::reset):
3555         * yarr/YarrSyntaxChecker.cpp:
3556         (JSC::Yarr::SyntaxChecker::assertionBOL):
3557         (JSC::Yarr::SyntaxChecker::assertionEOL):
3558         (JSC::Yarr::SyntaxChecker::assertionWordBoundary):
3559         (JSC::Yarr::SyntaxChecker::atomPatternCharacter):
3560         (JSC::Yarr::SyntaxChecker::atomBuiltInCharacterClass):
3561         (JSC::Yarr::SyntaxChecker::atomCharacterClassBegin):
3562         (JSC::Yarr::SyntaxChecker::atomCharacterClassAtom):
3563         (JSC::Yarr::checkSyntax):
3564
3565 2016-03-01  Saam barati  <sbarati@apple.com>
3566
3567         Remove FIXMEs and add valid test cases after necessary patch has landed.
3568
3569         Rubber stamped by Mark Lam.
3570
3571         * tests/stress/proxy-prevent-extensions.js:
3572         (assert.Object.isSealed):
3573         (assert):
3574
3575 2016-03-01  Saam barati  <sbarati@apple.com>
3576
3577         [ES6] Implement Proxy.[[IsExtensible]]
3578         https://bugs.webkit.org/show_bug.cgi?id=154872
3579
3580         Reviewed by Oliver Hunt.
3581
3582         This patch is a direct implementation of Proxy.[[IsExtensible]] with respect to section 9.5.3
3583         of the ECMAScript 6 spec.
3584         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-isextensible
3585
3586         * runtime/ProxyObject.cpp:
3587         (JSC::ProxyObject::preventExtensions):
3588         (JSC::ProxyObject::performIsExtensible):
3589         (JSC::ProxyObject::isExtensible):
3590         (JSC::ProxyObject::visitChildren):
3591         * runtime/ProxyObject.h:
3592         * tests/es6.yaml:
3593         * tests/stress/proxy-is-extensible.js: Added.
3594         (assert):
3595         (throw.new.Error.let.handler.get isExtensible):
3596         (throw.new.Error):
3597         (assert.let.handler.isExtensible):
3598         (assert.):
3599         (let.handler.isExtensible):
3600
3601 2016-03-01  Saam barati  <sbarati@apple.com>
3602
3603         [ES6] Implement Proxy.[[PreventExtensions]]
3604         https://bugs.webkit.org/show_bug.cgi?id=154873
3605
3606         Reviewed by Oliver Hunt.
3607
3608         This patch is a direct implementation of Proxy.[[PreventExtensions]] with respect to section 9.5.4
3609         of the ECMAScript 6 spec.
3610         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-preventextensions
3611
3612         * runtime/ProxyObject.cpp:
3613         (JSC::ProxyObject::deletePropertyByIndex):
3614         (JSC::ProxyObject::performPreventExtensions):
3615         (JSC::ProxyObject::preventExtensions):
3616         (JSC::ProxyObject::visitChildren):
3617         * runtime/ProxyObject.h:
3618         * tests/es6.yaml:
3619         * tests/stress/proxy-prevent-extensions.js: Added.
3620         (assert):
3621         (throw.new.Error.let.handler.get preventExtensions):
3622         (throw.new.Error):
3623         (assert.let.handler.preventExtensions):
3624         (assert.):
3625         (let.handler.preventExtensions):
3626         (assert.Object.isSealed.let.handler.preventExtensions):
3627         (assert.Object.isSealed):
3628
3629 2016-03-01  Filip Pizlo  <fpizlo@apple.com>
3630
3631         FTL should simplify StringReplace with an empty replacement string
3632         https://bugs.webkit.org/show_bug.cgi?id=154871
3633
3634         Reviewed by Michael Saboff.
3635
3636         This is a simple and hugely profitable change. If we do a string.replace(/things/, ""), then
3637         this calls directly into StringPrototype's replace-with-empty-string logic instead of going
3638         through stuff that does checks before reaching that same conclusion.
3639
3640         This speeds up Octane/regexp by about 6-10%. It also speeds up the attached microbenchmark by
3641         about 7%.
3642
3643         * ftl/FTLLowerDFGToB3.cpp:
3644         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
3645         * runtime/StringPrototype.cpp:
3646         (JSC::jsSpliceSubstringsWithSeparators):
3647         (JSC::removeUsingRegExpSearch):
3648         (JSC::replaceUsingRegExpSearch):
3649         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
3650         (JSC::operationStringProtoFuncReplaceRegExpString):
3651         * runtime/StringPrototype.h:
3652
3653 2016-03-01  Alex Christensen  <achristensen@webkit.org>
3654
3655         Reduce size of internal windows build output
3656         https://bugs.webkit.org/show_bug.cgi?id=154763
3657
3658         Reviewed by Brent Fulgham.
3659
3660         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
3661
3662 2016-03-01  Saam barati  <sbarati@apple.com>
3663
3664         [[IsExtensible]] should be a virtual method in the method table
3665         https://bugs.webkit.org/show_bug.cgi?id=154799
3666
3667         Reviewed by Mark Lam.
3668
3669         This patch makes us more consistent with how the ES6 specification models the
3670         [[IsExtensible]] trap. Moving this method into ClassInfo::methodTable 
3671         is a prerequisite for implementing Proxy.[[IsExtensible]].
3672
3673         * runtime/ClassInfo.h:
3674         * runtime/JSCell.cpp:
3675         (JSC::JSCell::preventExtensions):
3676         (JSC::JSCell::isExtensible):
3677         * runtime/JSCell.h:
3678         * runtime/JSGlobalObjectFunctions.cpp:
3679         (JSC::globalFuncProtoSetter):
3680         * runtime/JSObject.cpp:
3681         (JSC::JSObject::preventExtensions):
3682         (JSC::JSObject::isExtensible):
3683         (JSC::JSObject::reifyAllStaticProperties):
3684         (JSC::JSObject::defineOwnIndexedProperty):
3685         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3686         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3687         (JSC::JSObject::defineOwnNonIndexProperty):
3688         (JSC::JSObject::defineOwnProperty):
3689         * runtime/JSObject.h:
3690         (JSC::JSObject::isSealed):
3691         (JSC::JSObject::isFrozen):
3692         (JSC::JSObject::isExtensibleImpl):
3693         (JSC::JSObject::isStructureExtensible):
3694         (JSC::JSObject::isExtensibleInline):
3695         (JSC::JSObject::indexingShouldBeSparse):
3696         (JSC::JSObject::putDirectInternal):
3697         (JSC::JSObject::isExtensible): Deleted.
3698         * runtime/ObjectConstructor.cpp:
3699         (JSC::objectConstructorSetPrototypeOf):
3700         (JSC::objectConstructorIsSealed):
3701         (JSC::objectConstructorIsFrozen):
3702         (JSC::objectConstructorIsExtensible):
3703         (JSC::objectConstructorIs):
3704         * runtime/ProxyObject.cpp:
3705         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3706         (JSC::ProxyObject::performHasProperty):
3707         * runtime/ReflectObject.cpp:
3708         (JSC::reflectObjectIsExtensible):
3709         (JSC::reflectObjectSetPrototypeOf):
3710         * runtime/SparseArrayValueMap.cpp:
3711         (JSC::SparseArrayValueMap::putEntry):
3712         (JSC::SparseArrayValueMap::putDirect):
3713         * runtime/StringObject.cpp:
3714         (JSC::StringObject::defineOwnProperty):
3715         * runtime/Structure.cpp:
3716         (JSC::Structure::isSealed):
3717         (JSC::Structure::isFrozen):
3718         * runtime/Structure.h:
3719
3720 2016-03-01  Filip Pizlo  <fpizlo@apple.com>
3721
3722         Unreviewed, fix CLOOP build.
3723
3724         * jit/JITOperations.h:
3725
3726 2016-03-01  Skachkov Oleksandr  <gskachkov@gmail.com>
3727
3728         [ES6] Arrow function. Some not used byte code is emited
3729         https://bugs.webkit.org/show_bug.cgi?id=154639
3730
3731         Reviewed by Saam Barati.
3732
3733         Currently bytecode that is generated for arrow function is not optimal. 
3734         Current fix removed following unnecessary bytecode:
3735         1.create_lexical_environment not emited always for arrow function, only if some of 
3736         features(this/super/arguments/eval) is used inside of the arrow function. 
3737         2.load 'this' from arrow function scope in constructor is done only if super 
3738         contains in arrow function 
3739
3740         * bytecompiler/BytecodeGenerator.cpp:
3741         (JSC::BytecodeGenerator::BytecodeGenerator):
3742         (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
3743         * bytecompiler/BytecodeGenerator.h:
3744         * bytecompiler/NodesCodegen.cpp:
3745         (JSC::ThisNode::emitBytecode):
3746         (JSC::FunctionNode::emitBytecode):
3747         * parser/Nodes.h:
3748         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseAnyFeature):
3749         * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
3750
3751 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
3752
3753         Turn String.prototype.replace into an intrinsic
3754         https://bugs.webkit.org/show_bug.cgi?id=154835
3755
3756         Reviewed by Michael Saboff.
3757
3758         Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
3759         of checks to see if the parameters are what they are likely to often be (a string, a
3760         regexp, and a string). The intuition of this patch is that it's good to remove those checks
3761         and it's good to call the native function as directly as possible.
3762
3763         This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
3764         It also improves Octane/jquery.
3765
3766         This is only the beginning of what I want to do with replace optimizations. The other
3767         optimizations will rely on StringReplace being revealed as a construct in DFG IR.
3768
3769         * JavaScriptCore.xcodeproj/project.pbxproj:
3770         * bytecode/SpeculatedType.cpp:
3771         (JSC::dumpSpeculation):
3772         (JSC::speculationToAbbreviatedString):
3773         (JSC::speculationFromClassInfo):
3774         * bytecode/SpeculatedType.h:
3775         (JSC::isStringOrStringObjectSpeculation):
3776         (JSC::isRegExpObjectSpeculation):
3777         (JSC::isBoolInt32Speculation):
3778         * dfg/DFGAbstractInterpreterInlines.h:
3779         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3780         * dfg/DFGByteCodeParser.cpp:
3781         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3782         * dfg/DFGClobberize.h:
3783         (JSC::DFG::clobberize):
3784         * dfg/DFGDoesGC.cpp:
3785         (JSC::DFG::doesGC):
3786         * dfg/DFGFixupPhase.cpp:
3787         (JSC::DFG::FixupPhase::fixupNode):
3788         * dfg/DFGNode.h:
3789         (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
3790         (JSC::DFG::Node::shouldSpeculateRegExpObject):
3791         (JSC::DFG::Node::shouldSpeculateSymbol):
3792         * dfg/DFGNodeType.h:
3793         * dfg/DFGPredictionPropagationPhase.cpp:
3794         (JSC::DFG::PredictionPropagationPhase::propagate):
3795         * dfg/DFGSafeToExecute.h:
3796         (JSC::DFG::SafeToExecuteEdge::operator()):
3797         (JSC::DFG::safeToExecute):
3798         * dfg/DFGSpeculativeJIT.cpp:
3799         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
3800         (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
3801         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
3802         (JSC::DFG::SpeculativeJIT::speculate):
3803         * dfg/DFGSpeculativeJIT.h:
3804         * dfg/DFGSpeculativeJIT32_64.cpp:
3805         (JSC::DFG::SpeculativeJIT::compile):
3806         * dfg/DFGSpeculativeJIT64.cpp:
3807         (JSC::DFG::SpeculativeJIT::compile):
3808         * dfg/DFGUseKind.cpp:
3809         (WTF::printInternal):
3810         * dfg/DFGUseKind.h:
3811         (JSC::DFG::typeFilterFor):
3812         (JSC::DFG::isCell):
3813         * ftl/FTLCapabilities.cpp:
3814         (JSC::FTL::canCompile):
3815         * ftl/FTLLowerDFGToB3.cpp:
3816         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3817         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
3818         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
3819         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
3820         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3821         (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
3822         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
3823         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
3824         * jit/JITOperations.h:
3825         * runtime/Intrinsic.h:
3826         * runtime/JSType.h:
3827         * runtime/RegExpObject.h:
3828         (JSC::RegExpObject::createStructure):
3829         * runtime/StringPrototype.cpp:
3830         (JSC::StringPrototype::finishCreation):
3831         (JSC::removeUsingRegExpSearch):
3832         (JSC::replaceUsingRegExpSearch):
3833         (JSC::operationStringProtoFuncReplaceRegExpString):
3834         (JSC::replaceUsingStringSearch):
3835         (JSC::stringProtoFuncRepeat):
3836         (JSC::replace):
3837         (JSC::stringProtoFuncReplace):
3838         (JSC::operationStringProtoFuncReplaceGeneric):
3839         (JSC::stringProtoFuncToString):
3840         * runtime/StringPrototype.h:
3841
3842 2016-03-01  Commit Queue  <commit-queue@webkit.org>
3843
3844         Unreviewed, rolling out r197056.
3845         https://bugs.webkit.org/show_bug.cgi?id=154870
3846
3847         broke win ews (Requested by alexchristensen on #webkit).
3848
3849         Reverted changeset:
3850
3851         "[cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK."
3852         https://bugs.webkit.org/show_bug.cgi?id=154651
3853         http://trac.webkit.org/changeset/197056
3854
3855 2016-02-29  Saam barati  <sbarati@apple.com>
3856
3857         [[PreventExtensions]] should be a virtual method in the method table.
3858         https://bugs.webkit.org/show_bug.cgi?id=154800
3859
3860         Reviewed by Yusuke Suzuki.
3861
3862         This patch makes us more consistent with how the ES6 specification models the
3863         [[PreventExtensions]] trap. Moving this method into ClassInfo::methodTable 
3864         is a prerequisite for implementing Proxy.[[PreventExtensions]].
3865
3866         * runtime/ClassInfo.h:
3867         * runtime/JSCell.cpp:
3868         (JSC::JSCell::getGenericPropertyNames):
3869         (JSC::JSCell::preventExtensions):
3870         * runtime/JSCell.h:
3871         * runtime/JSModuleNamespaceObject.cpp:
3872         (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
3873         (JSC::JSModuleNamespaceObject::finishCreation):
3874         (JSC::JSModuleNamespaceObject::destroy):
3875         * runtime/JSModuleNamespaceObject.h:
3876         (JSC::JSModuleNamespaceObject::create):
3877         (JSC::JSModuleNamespaceObject::moduleRecord):
3878         * runtime/JSObject.cpp:
3879         (JSC::JSObject::freeze):
3880         (JSC::JSObject::preventExtensions):
3881         (JSC::JSObject::reifyAllStaticProperties):
3882         * runtime/JSObject.h:
3883         (JSC::JSObject::isSealed):
3884         (JSC::JSObject::isFrozen):
3885         (JSC::JSObject::isExtensible):
3886         * runtime/ObjectConstructor.cpp:
3887         (JSC::objectConstructorSeal):
3888         (JSC::objectConstructorFreeze):
3889         (JSC::objectConstructorPreventExtensions):
3890         (JSC::objectConstructorIsSealed):
3891         * runtime/ReflectObject.cpp:
3892         (JSC::reflectObjectPreventExtensions):
3893         * runtime/Structure.cpp:
3894         (JSC::Structure::Structure):
3895         (JSC::Structure::preventExtensionsTransition):
3896         * runtime/Structure.h:
3897
3898 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3899
3900         [JSC] Private symbols should not be trapped by proxy handler
3901         https://bugs.webkit.org/show_bug.cgi?id=154817
3902
3903         Reviewed by Mark Lam.
3904
3905         Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
3906         For example, in ArrayIteratorPrototype.js
3907
3908             var itemKind = this.@arrayIterationKind;
3909             if (itemKind === @undefined)
3910                 throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
3911
3912         Here, we assume that only the array iterator has the @arrayIterationKind property that value is non-undefined.
3913         But If we implement Proxy with the get handler, that returns a non-undefined value for every operations, we accidentally assumes that the given value is an array iterator.
3914
3915         To avoid these situation, we perform the default operations onto property operations with private symbols.
3916
3917         * runtime/ProxyObject.cpp:
3918         (JSC::performProxyGet):
3919 &nbs