DFG backends shouldn't emit type checks at KnownBlah edges
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-04-26  Filip Pizlo  <fpizlo@apple.com>

        DFG backends shouldn't emit type checks at KnownBlah edges
        https://bugs.webkit.org/show_bug.cgi?id=157025

        Reviewed by Michael Saboff.

        This fixes a crash I found when browsing Bing maps with forceEagerCompilation. I include a
        100% repro test case.

        The issue is that our code still doesn't fully appreciate the devious implications of
        KnownBlah use kinds. Consider KnownCell for example. It means: "trust me, I know that this
        value will be a cell". You aren't required to provide a proof when you use KnownCell. Often,
        we use it as a result of a path-sensitive proof. The abstract interpreter is not
        path-sensitive, so AI will be absolutely sure that the KnownCell use might see a non-cell.
        This can lead to debug assertions (which this change removes) and it can lead to the backends
        emitting a type check. That type check can be pure evil if the node that has this edge does
        not have an exit origin. Such a node would have passed validation because the validator would
        have thought that the node cannot exit (after all, according to the IR semantics, there is no
        speculation at KnownCell).

        This comprehensively fixes the issue by recognizing that Foo(KnownCell:@x) means: I have
        already proved that by the time you start executing Foo, @x will already be a cell. I cannot
        tell you how I proved this but you can rely on it anyway. AI now takes advantage of this
        meaning and will always do filtering of KnownBlah edges regardless of whether the backend
        actually emits any type checks for those edges. Since the filtering runs before the backend,
        the backend will not emit any checks because it will know that the edge was already checked
        (by whatever mechanism we used when we made the edge KnownBlah).

        Note that it's good that we found this bug now. The DFG currently does very few
        sparse-conditional or path-sensitive optimizations, but it will probably do more in the
        future. The bug happens because GetByOffset and friends can achieve path-sensitive proofs via
        watchpoints on the inferred type. Normally, AI can follow along with this proof. But in the
        example program, and on Bing maps, we would GCSE one GetByOffset with another that had a
        weaker proven type. That turned out to be completely sound - between the two GetByOffsets
        there was a Branch to null check it. The inferred type of the second GetByOffset ended up
        knowing that it cannot be null because null only occurred in some structures but not others.
        If we added more sparse-conditional stuff to Branch, then AI would know how to follow along
        with the proof but it would also create more situations where we'd have a path-sensitive
        proof. So, it's good that we're now getting this right.

        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeKnownEdgeTypes):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * tests/stress/path-sensitive-known-cell-crash.js: Added.
        (bar):
        (foo):

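The path-sensitive pattern described in the entry above, as an added illustration that is not the WebKit test file (tests/stress/path-sensitive-known-cell-crash.js) and not JSC code: two object shapes, one whose field is never null and one whose field is sometimes null, a null-check Branch, and a second load of the same field after it. The function and property names are assumptions. The code runs on any engine; the point is the shape an optimizing compiler sees, where the second load is provably non-null only on the path through the branch, so CSE of the two loads must carry that proof along rather than fall back to the weaker per-structure inferred type:

```javascript
// Added illustration of the GCSE/null-check pattern from the ChangeLog entry
// above. Not the WebKit test case; shapes and names are assumptions.

// Two distinct object shapes ("structures"), with different property sets so
// an engine's inferred type for 'f' is tracked per shape.
function makeAlwaysObject(i) {
    return { kind: "a", f: { value: i } };          // f is never null here
}
function makeSometimesNull(i) {
    return { kind: "b", pad: 0, f: (i % 2 === 0) ? null : { value: i } };
}

function bar(o) {
    // First GetByOffset of o.f: across both shapes its inferred type is
    // object-or-null, so nothing here proves it is a cell.
    if (o.f === null)
        return -1;                                  // Branch: null check
    // Second GetByOffset of o.f: on this path it cannot be null, but a
    // compiler that GCSEs it with the first load inherits the weaker
    // object-or-null type unless it carries the proof along (the entry's bug).
    return o.f.value;
}

// Drive bar() through both shapes so a tiering engine sees both structures
// and the null/non-null split before it compiles bar().
function foo(n) {
    let sum = 0;
    for (let i = 0; i < n; ++i)
        sum += bar((i % 3 === 0) ? makeSometimesNull(i) : makeAlwaysObject(i));
    return sum;
}
// foo(10) === 37: i = 0 and 6 hit the null branch (-1 each), every other i
// contributes its own value.
```
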
2016-04-26  Gavin Barraclough  <barraclough@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Unreviewed rollout - caused memory regression.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-26  Joseph Pecoraro  <pecoraro@apple.com>

        Improve jsc --help and making sampling options
        https://bugs.webkit.org/show_bug.cgi?id=157015

        Reviewed by Saam Barati.

        Simplify sampling options to be easier to remember:

          * --reportSamplingProfilerData => --sample
          * --samplingProfilerTimingInterval => --sampleInterval

        Update the --help to mention --sample, and restore the behavior of
        --options outputting all possible options so you can discover which
        options are available.

        * jsc.cpp:
        (printUsageStatement):
        (CommandLine::parseArguments):
        Improve help and modify option dumping.

        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        Rename the sampling interval option.

2016-04-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r200083.
        https://bugs.webkit.org/show_bug.cgi?id=157033

        It broke the debug build (Requested by gskachkov on
        #webkit).

        Reverted changeset:

        "calling super() a second time in a constructor should throw"
        https://bugs.webkit.org/show_bug.cgi?id=151113
        http://trac.webkit.org/changeset/200083

2016-04-26  Skachkov Oleksandr  <gskachkov@gmail.com>

        calling super() a second time in a constructor should throw
        https://bugs.webkit.org/show_bug.cgi?id=151113

        Reviewed by Saam Barati.

        Currently, our implementation checks if 'super()' was called in a constructor more
        than once and raises a RuntimeError before the second call. According to the spec
        we need to raise an error just after the second super() is finished and before
        the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour.
        To implement this behavior this patch adds a new op code, op_is_empty, that is used
        to check if 'this' is empty.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIsEmpty):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_empty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_empty):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/stress/class-syntax-double-constructor.js: Added.

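The spec behaviour the entry above implements, as an added example that is not the WebKit test (tests/stress/class-syntax-double-constructor.js) and not JSC code. Under the ES2015 SuperCall semantics the second super() runs the parent constructor again and only then fails in BindThisValue with a ReferenceError, so a conforming engine reports two parent-constructor invocations before the error; the pre-patch behaviour the entry describes would have raised before the second call ran. The class and helper names are assumptions:

```javascript
// Added example of the double-super() semantics described above.
// Not the WebKit stress test; class and helper names are assumptions.
let parentCalls = 0;

class Base {
    constructor() {
        parentCalls += 1;
    }
}

class Derived extends Base {
    constructor() {
        super();    // first call: constructs and binds 'this'
        super();    // second call: Base runs again, then binding 'this' throws
    }
}

// Runs the constructor and reports how many times Base ran and which error
// class (if any) escaped. Per spec: parentCalls === 2 and the error is a
// ReferenceError, because the check happens after the parent constructor
// returns, not before the second super() is evaluated.
function observeDoubleSuper() {
    parentCalls = 0;
    let errorName = null;
    try {
        new Derived();
    } catch (e) {
        errorName = e.constructor.name;
    }
    return { parentCalls, errorName };
}
```

An engine that raised before the second call, as the entry says JSC did before this patch, would return parentCalls === 1 from the same probe, which is the observable difference the new op_is_empty check was added to close.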
2016-04-25  Ryosuke Niwa  <rniwa@webkit.org>

        Remove the build flag for template elements
        https://bugs.webkit.org/show_bug.cgi?id=157022

        Reviewed by Daniel Bates.

        * Configurations/FeatureDefines.xcconfig:

2016-04-25  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Constant folding of UInt32ToNumber is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=157011
        rdar://problem/25769641

        Reviewed by Geoffrey Garen.

        UInt32ToNumber should return the unsigned 32bit value of
        its child. The abstract interpreter fails to do that when handling
        Int52.

        None of the tests caught that because the bytecode generator already
        folds the operation if given a constant. If the constant is not visible
        from the bytecode generator (for example because it comes from an inlined call),
        then the abstract interpreter folding was producing invalid results.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * tests/stress/uint32-to-number-constant-folding.js: Added.
        (uint32ToNumberMinusOne):
        (uint32ToNumberMinusOnePlusInteger):
        (inlineMinusOne):
        (uint32ToNumberOnHiddenMinusOne):
        (uint32ToNumberOnHiddenMinusOnePlusInteger):
        (inlineLargeNegativeNumber1):
        (inlineLargeNegativeNumber2):
        (inlineLargeNegativeNumber3):
        (uint32ToNumberOnHiddenLargeNegativeNumber1):
        (uint32ToNumberOnHiddenLargeNegativeNumber2):
        (uint32ToNumberOnHiddenLargeNegativeNumber3):

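A way to exercise the folding path the entry above describes, as an added example that is not the WebKit test (tests/stress/uint32-to-number-constant-folding.js) and not JSC code. The constants are hidden behind small functions so that, after inlining, only the optimizing compiler can see them (the bytecode generator cannot pre-fold them), each function is run hot so every tier gets a chance to fold it, and every result is compared with a reference computed independently with BigInt arithmetic. Helper names are assumptions; the structure mirrors the test functions listed in the entry, and the `>>> 0` idiom is what the DFG models with UInt32ToNumber:

```javascript
// Added differential check for UInt32ToNumber folding on hidden constants.
// Not the WebKit test file; helper names are assumptions.

// Reference: unsigned 32-bit reinterpretation computed with BigInt arithmetic,
// independent of the engine's >>> fast path or any constant folding.
function referenceToUint32(x) {
    return Number(BigInt.asUintN(32, BigInt(Math.trunc(x))));
}

// The constants are only visible after inlining, so bytecode-level folding
// cannot see them and the optimizing compiler has to fold UInt32ToNumber
// itself. The second value is below INT32_MIN, so it is an Int52/double
// rather than an Int32 when it reaches the abstract interpreter.
function inlineMinusOne() { return -1; }
function inlineLargeNegative() { return -2147483649; }

function uint32ToNumberOnHiddenMinusOne() { return inlineMinusOne() >>> 0; }
function uint32ToNumberOnHiddenLargeNegative() { return inlineLargeNegative() >>> 0; }

// Run each function hot so every compiler tier gets a chance to fold it, and
// compare each result against the reference. Returns the list of mismatches
// (empty on a correct engine).
function checkUint32Folding(iterations) {
    const cases = [
        [uint32ToNumberOnHiddenMinusOne, -1],
        [uint32ToNumberOnHiddenLargeNegative, -2147483649],
    ];
    const failures = [];
    for (let i = 0; i < iterations; ++i) {
        for (const [fn, input] of cases) {
            const got = fn();
            const want = referenceToUint32(input);
            if (got !== want)
                failures.push({ name: fn.name, got, want, iteration: i });
        }
    }
    return failures;
}
```

Recording the iteration number of the first mismatch is deliberate: a result that is right for the first few thousand calls and wrong afterwards points at a tier-up, which is exactly the kind of bug this entry fixes.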
2016-04-25  Fujii Hironori  <Hironori.Fujii@sony.com>

        Heap corruption is detected when destructing JSGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=156831

        Reviewed by Mark Lam.

        WebKit uses the CRT static library on Windows.  Each copy of the CRT
        library has its own heap manager, so allocating memory in one CRT
        library and passing the pointer across a DLL boundary to be freed
        by a different copy of the CRT library is a potential cause of
        heap corruption.

          Potential Errors Passing CRT Objects Across DLL Boundaries
          <https://msdn.microsoft.com/en-us/library/ms235460(v=vs.140).aspx>

        JSGlobalObject::createRareDataIfNeeded is inlined but
        JSGlobalObject::~JSGlobalObject is not.  So JSGlobalObjectRareData
        is allocated from the heap of WebKit.dll but deallocated from the
        heap of JavaScriptCore.dll.  Adding WTF_MAKE_FAST_ALLOCATED to
        JSGlobalObjectRareData ensures heap consistency for it.  WTF::Lock
        also needs WTF_MAKE_FAST_ALLOCATED because it is allocated from
        the inlined constructor of JSGlobalObjectRareData.

        Test: fast/dom/insertedIntoDocument-iframe.html

        * runtime/JSGlobalObject.h:
        Add WTF_MAKE_FAST_ALLOCATED to JSGlobalObjectRareData.

2016-04-25  Michael Saboff  <msaboff@apple.com>

        Crash using @tryGetById in DFG
        https://bugs.webkit.org/show_bug.cgi?id=156992

        Reviewed by Filip Pizlo.

        We need to spill live registers when compiling TryGetById in DFG.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileTryGetById):
        * tests/stress/regress-156992.js: New test.
        (tryMultipleGetByIds):
        (test):

2016-04-25  Saam barati  <sbarati@apple.com>

        We don't have to parse a function's parameters every time if the function is in the source provider cache
        https://bugs.webkit.org/show_bug.cgi?id=156943

        Reviewed by Filip Pizlo.

        This patch makes a few changes to make parsing inner functions
        faster.

        First, we were always parsing an inner function's parameter
        list using the templatized TreeBuilder. This means if our parent scope
        was building an AST, we ended up building AST nodes for the inner
        function's parameter list even though these nodes would go unused.
        This patch fixes that to *always* build an inner function's parameter
        list using the SyntaxChecker. (Note that this is consistent now with
        always building an inner function's body with a SyntaxChecker.)

        Second, we were always parsing an inner function's parameter list
        even if we had that function saved in the source provider cache.
        I've fixed that bug and made it so that we skip over the parsing
        of a function's parameter list when it's in the source provider
        cache. We could probably enhance this in the future to skip
        over the entirety of a function starting at the "function"
        keyword or any other start of the function (depending on
        the function type: arrow function, method, etc).

        This patch also renames a few fields. First, I fixed a typo
        from "tocken" => "token" for a few field names. Secondly,
        I renamed a field that was called 'bodyStartColumn' to
        'parametersStartColumn' because the field really held the
        parameter list's start column.

        I'm benchmarking this as a 1.5-2% octane/jquery speedup
        on a 15" MBP.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createMethodDefinition):
        (JSC::ASTBuilder::createArrowFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::Lexer::currentPosition):
        (JSC::Lexer::positionBeforeLastNewline):
        (JSC::Lexer::lastTokenLocation):
        (JSC::Lexer::setLastLineNumber):
        (JSC::Lexer::lastLineNumber):
        (JSC::Lexer::prevTerminator):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Scope::usedVariablesContains):
        (JSC::Scope::forEachUsedVariable):
        (JSC::Scope::useVariable):
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        * parser/ParserFunctionInfo.h:
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::endFunctionToken):
        (JSC::SourceProviderCacheItem::usedVariables):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):

2016-04-25  Mark Lam  <mark.lam@apple.com>

        Renaming SpecInt32, SpecInt52, MachineInt to SpecInt32Only, SpecInt52Only, AnyInt.
        https://bugs.webkit.org/show_bug.cgi?id=156941

        Reviewed by Filip Pizlo.

        While looking at https://bugs.webkit.org/show_bug.cgi?id=153431, it was decided
        that SpecInt32Only, SpecInt52Only, and AnyInt would be better names for
        SpecInt32, SpecInt52, and MachineInt.  Let's do a bulk rename.

        This is only a renaming patch, and deletion of a piece of unused code.  There are
        no semantic changes.

        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromValue):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::typeOfDoubleNegation):
        (JSC::typeOfDoubleRounding):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32Speculation):
        (JSC::isInt32OrBooleanSpeculation):
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationExpectingDefined):
        (JSC::isInt52Speculation):
        (JSC::isAnyIntSpeculation):
        (JSC::isAnyIntAsDoubleSpeculation):
        (JSC::isDoubleRealSpeculation):
        (JSC::isMachineIntSpeculation): Deleted.
        (JSC::isInt52AsDoubleSpeculation): Deleted.
        (JSC::isIntegerSpeculation): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::resultType):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validateType):
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
        (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::addShouldSpeculateAnyInt):
        (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
        (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt):
        (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
        (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt):
        (JSC::DFG::Graph::addShouldSpeculateMachineInt): Deleted.
        (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt): Deleted.
        (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt): Deleted.
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentityOn):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::asNumber):
        (JSC::DFG::Node::isAnyIntConstant):
        (JSC::DFG::Node::asAnyInt):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateAnyInt):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::isMachineIntConstant): Deleted.
        (JSC::DFG::Node::asMachineInt): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineInt): Deleted.
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::OSREntryData::dumpInContext):
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::handleNode):
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::speculateInt32):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::isKnownNotCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotOther):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        (JSC::DFG::SpeculativeJIT::convertAnyInt):
        (JSC::DFG::SpeculativeJIT::speculateAnyInt):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepAnyInt):
        (JSC::DFG::SpeculativeJIT::convertMachineInt): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt): Deleted.
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):
        * dfg/DFGValidate.cpp:
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileInt52Constant):
        (JSC::FTL::DFG::LowerDFGToB3::compileInt52Rep):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
        (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
        (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateAnyInt):
        (JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepReal):
        (JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepAnyInt):
        (JSC::FTL::DFG::LowerDFGToB3::speculateMachineInt): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepMachineInt): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::isInt52):
        (JSC::JSValue::isAnyInt):
        (JSC::JSValue::asAnyInt):
        (JSC::JSValue::isMachineInt): Deleted.
        (JSC::JSValue::asMachineInt): Deleted.
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        (JSC::runtimeTypeAsString):
        * runtime/RuntimeType.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::TypeSet::toJSONString):

2016-04-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize JSON.parse string fast path
        https://bugs.webkit.org/show_bug.cgi?id=156953

        Reviewed by Mark Lam.

        This patch further optimizes the string parsing fast path.
        Previously, we generated a WTF::String to hold the ownership of the token's string,
        and always copied the token on the LiteralParser side.
        Instead, we hold the ownership of the token String by the StringBuilder in LiteralParser::Lexer,
        and remove the processing in the string parsing fast path.
        This patch gives us a stable 1 - 2.5% improvement in Kraken json-parse-financial.

                                       Baseline                  Modified

        json-parse-financial        41.383+-0.248      ^      40.894+-0.189         ^ definitely 1.0120x faster

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        (JSC::LiteralParser<CharType>::parse):
        (JSC::LiteralParser<CharType>::Lexer::lexString): Deleted.
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::currentToken):
        (JSC::LiteralParser::Lexer::LiteralParserTokenPtr::LiteralParserTokenPtr):
        (JSC::LiteralParser::Lexer::LiteralParserTokenPtr::operator->):

2016-04-24  Filip Pizlo <fpizlo@apple.com> and Andy VanWagoner <thetalecrafter@gmail.com>

        [INTL] Implement String.prototype.localeCompare in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147607

        Reviewed by Darin Adler.

        Part of this change is just rolling 194394 back in.

        The other part is making that not a regression on CDjs. Other than the fact that it uses
        bound functions, the problem with this new localeCompare implementation is that it uses
        the arguments object. It uses it in a way that *seems* like ArgumentsEliminationPhase
        ought to handle, but to my surprise it didn't:

        - If we have a ForceExit GetByVal on the arguments object, we would previously assume that
          it escaped. That's false since we just exit at ForceExit. On the other hand we probably
          should be pruning unreachable paths before we get here, but that's a separate issue. I
          don't want to play with phase order right now.

        - If we have an OutOfBounds GetByVal on the arguments object, then the best that would
          previously happen is that we'd compile it into an in-bounds arguments access. That's quite
          bad, as Andy's localeCompare illustrates: it uses out-of-bounds access on the arguments
          object to detect if an argument was passed. This change introduces an OutOfBounds version
          of GetMyArgumentByVal for this purpose.

        This change required registering sane chain watchpoints. In the process, I noticed that the
        old way of doing it had a race condition: we might register watchpoints for the structure
        that had become insane. This change introduces a double-checking idiom that I believe works
        because once the structure becomes insane it can't go back to sane and watchpoint
        registration already involves executing the hardest possible fences.

        * builtins/StringPrototype.js:
        (repeat):
        (localeCompare):
        (search):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        * ftl/FTLTypedPointer.h:
        (JSC::FTL::TypedPointer::TypedPointer):
        (JSC::FTL::TypedPointer::operator bool):
        (JSC::FTL::TypedPointer::heap):
        (JSC::FTL::TypedPointer::operator!): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2016-04-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, unbreak cloop.

        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):

2016-04-22  Filip Pizlo  <fpizlo@apple.com>

        Speed up bound functions a bit
        https://bugs.webkit.org/show_bug.cgi?id=156889

        Reviewed by Saam Barati.

        Bound functions are hard to optimize because JSC doesn't have a good notion of non-JS code
        that does JS-ey things like make JS calls. What I mean by "non-JS code" is code that did not
        originate from JS source. A bound function does a highly polymorphic call to the target
        stored in the JSBoundFunction. Prior to this change, we represented it as native code that
        used the generic native->JS call API. That's not cheap.

        We could model bound functions using a builtin, but it's not clear that this would be easy
        to grok, since so much of the code would have to access special parts of the JSBoundFunction
        type. Doing it that way might solve the performance problems but it would mean extra work to
        arrange for the builtin to have speedy access to the call target, the bound this, and the
        bound arguments. Also, optimizing bound functions that way would mean that bound function
        performance would be gated on the performance of a bunch of other things in our system. For
        example, we'd want this polymorphic call to be handled like the funnel that it is: if we're
        compiling the bound function's outgoing call with no context then we should compile it as
        fully polymorphic but we can let it assume basic sanity like that the callee is a real
        function; but if we're compiling the call with any amount of calling context then we want to
        use normal call IC's.

        Since the builtin path wouldn't lead to a simpler patch and since I think that the VM will
        benefit in the long run from using custom handling for bound functions, I kept the native
        code and just added Intrinsic/thunk support.

        This just adds an Intrinsic for bound function calls where the JSBoundFunction targets a
        JSFunction instance and has no bound arguments (only bound this). This intrinsic is
        currently only implemented as a thunk and not yet recognized by the DFG bytecode parser.

        I needed to loosen some restrictions to do this. For one, I was really tired of our bad use
        of ENABLE(JIT) conditionals, which made it so that any serious client of Intrinsics would
        have to have #ifdefs. Really what should happen is that if the JIT is not enabled then we
        just ignore intrinsics. Also, the code was previously assuming that having a native
        constructor and knowing the Intrinsic for your native call were mutually exclusive. This
663         change makes it possible to have a native executable that has a custom function, custom
664         constructor, and an Intrinsic.
665         
666         This is a >4x speed-up on bound function calls with no bound arguments.
667
668         In the future, we should teach the DFG Intrinsic handling to deal with bound functions and
669         we should teach the inliner (and ByteCodeParser::handleCall() in general) how to deal with
670         the function call inside the bound function. That would be super awesome.
671
672         * assembler/AbstractMacroAssembler.h:
673         (JSC::AbstractMacroAssembler::timesPtr):
674         (JSC::AbstractMacroAssembler::Address::withOffset):
675         (JSC::AbstractMacroAssembler::BaseIndex::BaseIndex):
676         (JSC::MacroAssemblerType>::Address::indexedBy):
677         * jit/AssemblyHelpers.h:
678         (JSC::AssemblyHelpers::storeCell):
679         (JSC::AssemblyHelpers::loadCell):
680         (JSC::AssemblyHelpers::storeValue):
681         (JSC::AssemblyHelpers::emitSaveCalleeSaves):
682         (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
683         (JSC::AssemblyHelpers::emitRestoreCalleeSaves):
684         (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
685         (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer):
686         * jit/JITThunks.cpp:
687         (JSC::JITThunks::ctiNativeTailCall):
688         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
689         (JSC::JITThunks::ctiStub):
690         (JSC::JITThunks::hostFunctionStub):
691         (JSC::JITThunks::clearHostFunctionStubs):
692         * jit/JITThunks.h:
693         * jit/SpecializedThunkJIT.h:
694         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
695         (JSC::SpecializedThunkJIT::tagReturnAsInt32):
696         (JSC::SpecializedThunkJIT::emitSaveThenMaterializeTagRegisters): Deleted.
697         (JSC::SpecializedThunkJIT::emitRestoreSavedTagRegisters): Deleted.
698         * jit/ThunkGenerators.cpp:
699         (JSC::virtualThunkFor):
700         (JSC::nativeForGenerator):
701         (JSC::nativeCallGenerator):
702         (JSC::nativeTailCallGenerator):
703         (JSC::nativeTailCallWithoutSavedTagsGenerator):
704         (JSC::nativeConstructGenerator):
705         (JSC::randomThunkGenerator):
706         (JSC::boundThisNoArgsFunctionCallGenerator):
707         * jit/ThunkGenerators.h:
708         * runtime/Executable.cpp:
709         (JSC::NativeExecutable::create):
710         (JSC::NativeExecutable::destroy):
711         (JSC::NativeExecutable::createStructure):
712         (JSC::NativeExecutable::finishCreation):
713         (JSC::NativeExecutable::NativeExecutable):
714         (JSC::ScriptExecutable::ScriptExecutable):
715         * runtime/Executable.h:
716         * runtime/FunctionPrototype.cpp:
717         (JSC::functionProtoFuncBind):
718         * runtime/IntlCollatorPrototype.cpp:
719         (JSC::IntlCollatorPrototypeGetterCompare):
720         * runtime/Intrinsic.h:
721         * runtime/JSBoundFunction.cpp:
722         (JSC::boundThisNoArgsFunctionCall):
723         (JSC::boundFunctionCall):
724         (JSC::boundThisNoArgsFunctionConstruct):
725         (JSC::boundFunctionConstruct):
726         (JSC::getBoundFunctionStructure):
727         (JSC::JSBoundFunction::create):
728         (JSC::JSBoundFunction::customHasInstance):
729         (JSC::JSBoundFunction::JSBoundFunction):
730         * runtime/JSBoundFunction.h:
731         (JSC::JSBoundFunction::targetFunction):
732         (JSC::JSBoundFunction::boundThis):
733         (JSC::JSBoundFunction::boundArgs):
734         (JSC::JSBoundFunction::createStructure):
735         (JSC::JSBoundFunction::offsetOfTargetFunction):
736         (JSC::JSBoundFunction::offsetOfBoundThis):
737         * runtime/JSFunction.cpp:
738         (JSC::JSFunction::lookUpOrCreateNativeExecutable):
739         (JSC::JSFunction::create):
740         * runtime/VM.cpp:
741         (JSC::thunkGeneratorForIntrinsic):
742         (JSC::VM::getHostFunction):
743         * runtime/VM.h:
744         (JSC::VM::getCTIStub):
745         (JSC::VM::exceptionOffset):
746
747 2016-04-22  Joonghun Park  <jh718.park@samsung.com>
748
749         [JSC] Fix build break since r199866
750         https://bugs.webkit.org/show_bug.cgi?id=156892
751
752         Reviewed by Darin Adler.
753
754         * runtime/MathCommon.cpp: Follow up to r199913. Remove 'include cmath' in cpp file.
755
756 2016-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
757
758         [JSC] Optimize number parsing and string parsing in LiteralParser
759         https://bugs.webkit.org/show_bug.cgi?id=156896
760
761         Reviewed by Mark Lam.
762
763         This patch aims to improve JSON.parse performance. Two major optimizations are included.
764
765         1. Change `double result` to `int32_t result` in the integer parsing case.
766         We already have the optimized path for integer parsing, when its digits are fewer than 10.
767         In that case, the maximum number is 999999999, and the minimum number is -99999999.
768         Both are in range of Int32. So we can use int32_t for accumulation instead of double.
769
770         2. Add the string parsing fast / slow cases.
771         We add the fast case for string parsing, which does not include any escape sequences.
772
773         Both optimizations improve Kraken json-parse-financial, roughly 3.5 - 4.5%.
774
775         json-parse-financial        49.128+-1.589             46.979+-0.912           might be 1.0457x faster
776
777         * runtime/LiteralParser.cpp:
778         (JSC::isJSONWhiteSpace):
779         (JSC::isSafeStringCharacter):
780         (JSC::LiteralParser<CharType>::Lexer::lexString):
781         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
782         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
783         * runtime/LiteralParser.h:
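
As an added illustration of the int32_t accumulation argument in this entry (example code written for this page, not JSC's LiteralParser; the cutoff of fewer than 10 characters including the sign, the JSON leading-zero rule, and the strtod fallback are assumptions made here): a fast path that only accumulates in int32_t when the whole token is short enough for the bound to hold, and hands everything else to the slow path. The "-0" case is the one place where an integer accumulator would silently change the result, so it is handled explicitly.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdlib>
#include <string>

// Added example, not JSC code: JSON-style integer fast path with an int32_t
// accumulator. A token of fewer than 10 characters, sign included, has a
// magnitude of at most 999999999 (99999999 when negative), so
// acc * 10 + digit never exceeds INT32_MAX and the accumulation cannot overflow.
struct ParsedNumber {
    bool ok;            // token was a valid number
    bool usedFastPath;  // accumulated in int32_t rather than via strtod
    double value;
};

static bool isAsciiDigit(char c) { return c >= '0' && c <= '9'; }

ParsedNumber parseJSONNumber(const std::string& token)
{
    ParsedNumber failed { false, false, 0.0 };
    const char* start = token.c_str();
    const char* end = start + token.size();
    const char* p = start;

    bool negative = false;
    if (p < end && *p == '-') {
        negative = true;
        ++p;
    }
    if (p == end || !isAsciiDigit(*p))
        return failed;                      // "-" or empty token
    if (*p == '0' && p + 1 < end && isAsciiDigit(p[1]))
        return failed;                      // JSON forbids leading zeros

    const char* digits = p;
    while (p < end && isAsciiDigit(*p))
        ++p;

    // Fast path: the whole token is digits and shorter than 10 characters.
    if (p == end && (end - start) < 10) {
        int32_t acc = 0;
        for (const char* q = digits; q < p; ++q)
            acc = acc * 10 + (*q - '0');    // bounded by 999999999, no overflow
        // "-0" must stay a negative zero; negating the integer 0 loses the sign.
        double value = (negative && !acc) ? -0.0
                                          : static_cast<double>(negative ? -acc : acc);
        return ParsedNumber { true, true, value };
    }

    // Slow path: 10+ character integers, fractions and exponents. strtod accepts
    // more than JSON does (hex, "inf"); a real parser validates the grammar first.
    char* stop = nullptr;
    double value = std::strtod(start, &stop);
    if (stop != end)
        return failed;
    return ParsedNumber { true, false, value };
}
```

The boundary tokens "999999999" and "-99999999" take the fast path; "1000000000" is one character too long and goes through strtod, as does anything with a fraction or exponent.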
784
785 2016-04-22  Joseph Pecoraro  <pecoraro@apple.com>
786
787         Web Inspector: Source directives lost when using Function constructor repeatedly
788         https://bugs.webkit.org/show_bug.cgi?id=156863
789         <rdar://problem/25861064>
790
791         Reviewed by Geoffrey Garen.
792
793         Source directives (sourceURL and sourceMappingURL) are normally accessed through
794         the SourceProvider and normally set when the script is parsed. However, when a
795         CodeCache lookup skips parsing, the new SourceProvider never gets the directives
796         (sourceURL/sourceMappingURL). This patch stores the directives on the UnlinkedCodeBlock
797         and UnlinkedFunctionExecutable when entering the cache, and copies to the new providers
798         when the cache is used.
799
800         * bytecode/UnlinkedCodeBlock.h:
801         (JSC::UnlinkedCodeBlock::sourceURLDirective):
802         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective):
803         (JSC::UnlinkedCodeBlock::setSourceURLDirective):
804         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective):
805         * bytecode/UnlinkedFunctionExecutable.h:
806         * parser/SourceProvider.h:
807         * runtime/CodeCache.cpp:
808         (JSC::CodeCache::getGlobalCodeBlock):
809         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
810         * runtime/CodeCache.h:
811         Store directives on the unlinked code block / executable when adding
812         to the cache, so they can be used to update new providers when the
813         cache gets used.
814
815         * runtime/JSGlobalObject.cpp:
816         Add needed header after CodeCache header cleanup.
817
818 2016-04-22  Mark Lam  <mark.lam@apple.com>
819
820         javascript jit bug affecting Google Maps.
821         https://bugs.webkit.org/show_bug.cgi?id=153431
822
823         Reviewed by Filip Pizlo.
824
825         The issue was due to the abstract interpreter wrongly marking the type of the
826         value read from the Uint32Array as SpecInt52, which precludes it from being an
827         Int32.  This proves to be false, and the generated code failed to handle the case
828         where the read value is actually an Int32.
829
830         The fix is to have the abstract interpreter use SpecMachineInt instead of
831         SpecInt52.
832
833         * bytecode/SpeculatedType.h:
834         * dfg/DFGAbstractInterpreterInlines.h:
835         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
836
837 2016-04-22  Benjamin Poulain  <bpoulain@apple.com>
838
839         [JSC] PredictionPropagation should not be in the top 5 heaviest phases
840         https://bugs.webkit.org/show_bug.cgi?id=156891
841
842         Reviewed by Mark Lam.
843
844         In DFG, PredictionPropagation is often way too high in profiles.
845         It is a simple phase; it should not be that hot.
846
847         Most of the time is spent accessing memory. This patch attempts
848         to reduce that.
849
850         First, propagate() is split into processInvariants() and propagate().
851         The step processInvariants() sets all the types for nodes for which
852         the type does not depend on other nodes.
853
854         Adding processInvariants() lowers two hotspot inside PredictionPropagation:
855         speculationFromValue() and setPrediction().
856
857         Next, to avoid touching all the nodes at every operation, we keep
858         track of the nodes that actually need propagate().
859         The vector m_dependentNodes keeps the list of those nodes and propagate()
860         only needs to process them at each phase.
861
862         This is a smaller gain because growing m_dependentNodes negates
863         some of the gains.
864
865         On 3d-cube, this moves PredictionPropagation from fifth position
866         to ninth. A lot of the remaining overhead is caused by double-voting
867         and cannot be fixed by moving stuff around.
868
869         * dfg/DFGPredictionPropagationPhase.cpp:
870         (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint): Deleted.
871         (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
872         (JSC::DFG::PredictionPropagationPhase::propagateForward): Deleted.
873         (JSC::DFG::PredictionPropagationPhase::propagateBackward): Deleted.
874         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): Deleted.
875         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): Deleted.
876         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions): Deleted.
877
878 2016-04-22  Geoffrey Garen  <ggaren@apple.com>
879
880         super should be available in object literals
881         https://bugs.webkit.org/show_bug.cgi?id=156933
882
883         Reviewed by Saam Barati.
884
885         When we originally implemented classes, super seemed to be a class-only
886         feature. But the final spec says it's available in object literals too.
887
888         * bytecompiler/NodesCodegen.cpp:
889         (JSC::PropertyListNode::emitBytecode): Having 'super' and being a class
890         property are no longer synonymous, so we track two separate variables.
891
892         (JSC::PropertyListNode::emitPutConstantProperty): Being inside the super
893         branch no longer guarantees that you're a class property, so we decide
894         our attributes and our function name dynamically.
895
896         * parser/ASTBuilder.h:
897         (JSC::ASTBuilder::createArrowFunctionExpr):
898         (JSC::ASTBuilder::createGetterOrSetterProperty):
899         (JSC::ASTBuilder::createArguments):
900         (JSC::ASTBuilder::createArgumentsList):
901         (JSC::ASTBuilder::createProperty):
902         (JSC::ASTBuilder::createPropertyList): Pass through state to indicate
903         whether we're a class property, since we can't infer it from 'super'
904         anymore.
905
906         * parser/NodeConstructors.h:
907         (JSC::PropertyNode::PropertyNode): See ASTBuilder.h.
908
909         * parser/Nodes.h:
910         (JSC::PropertyNode::expressionName):
911         (JSC::PropertyNode::name):
912         (JSC::PropertyNode::type):
913         (JSC::PropertyNode::needsSuperBinding):
914         (JSC::PropertyNode::isClassProperty):
915         (JSC::PropertyNode::putType): See ASTBuilder.h.
916
917         * parser/Parser.cpp:
918         (JSC::Parser<LexerType>::parseFunctionInfo):
919         (JSC::Parser<LexerType>::parseClass):
920         (JSC::Parser<LexerType>::parseProperty):
921         (JSC::Parser<LexerType>::parsePropertyMethod):
922         (JSC::Parser<LexerType>::parseGetterSetter):
923         (JSC::Parser<LexerType>::parseMemberExpression): I made these error
924         messages generic because it is no longer practical to say concise things
925         about the list of places you can use super.
926
927         * parser/Parser.h:
928
929         * parser/SyntaxChecker.h:
930         (JSC::SyntaxChecker::createArgumentsList):
931         (JSC::SyntaxChecker::createProperty):
932         (JSC::SyntaxChecker::appendExportSpecifier):
933         (JSC::SyntaxChecker::appendConstDecl):
934         (JSC::SyntaxChecker::createGetterOrSetterProperty): Updated for
935         interface change.
936
937         * tests/stress/generator-with-super.js:
938         (test):
939         * tests/stress/modules-syntax-error.js:
940         * tests/stress/super-in-lexical-scope.js:
941         (testSyntaxError):
942         (testSyntaxError.test):
943         * tests/stress/tagged-templates-syntax.js: Updated for error message
944         changes. See Parser.cpp.
945
946 2016-04-22  Filip Pizlo  <fpizlo@apple.com>
947
948         ASSERT(m_stack.last().isTailDeleted) at ShadowChicken.cpp:127 inspecting the inspector
949         https://bugs.webkit.org/show_bug.cgi?id=156930
950
951         Reviewed by Joseph Pecoraro.
952         
953         The loop that prunes the stack from the top should preserve the invariant that the top frame
954         cannot be tail-deleted.
955
956         * interpreter/ShadowChicken.cpp:
957         (JSC::ShadowChicken::update):
958
959 2016-04-22  Benjamin Poulain  <benjamin@webkit.org>
960
961         Attempt to fix the CLoop after r199866
962
963         * runtime/MathCommon.h:
964
965 2016-04-22  Benjamin Poulain  <bpoulain@apple.com>
966
967         [JSC] Integer Multiply of a number by itself does not need negative zero support
968         https://bugs.webkit.org/show_bug.cgi?id=156895
969
970         Reviewed by Saam Barati.
971
972         You cannot produce negative zero by squaring an integer.
973
974         * dfg/DFGFixupPhase.cpp:
975         (JSC::DFG::FixupPhase::fixupNode):
976         * dfg/DFGSpeculativeJIT.cpp:
977         (JSC::DFG::SpeculativeJIT::compileArithMul):
978         Minor codegen fixes:
979         -Use the right form of multiply for ARM.
980         -Use sign-extended 32-bit immediates, those are the ones with fast forms
981          in the MacroAssembler.
982
983 2016-04-21  Darin Adler  <darin@apple.com>
984
985         Follow-on to the build fix.
986
987         * runtime/MathCommon.h: Use the C++ std namespace version of the
988         frexp function too.
989
990 2016-04-21  Joonghun Park  <jh718.park@samsung.com>
991
992         [JSC] Fix build break since r199866. Unreviewed.
993         https://bugs.webkit.org/show_bug.cgi?id=156892
994
995         * runtime/MathCommon.h: Add namespace std to isnormal invoking.
996
997 2016-04-21  Benjamin Poulain  <bpoulain@apple.com>
998
999         [JSC] Add primitive String support to compare operators
1000         https://bugs.webkit.org/show_bug.cgi?id=156783
1001
1002         Reviewed by Geoffrey Garen.
1003
1004         Just the basics.
1005         We should eventually inline some of the simplest cases.
1006
1007         This is a 2% improvement on Longspider. It is unfortunately neutral
1008         for Sunspider on my machine because most of the comparisons are from
1009         baseline.
1010
1011         * dfg/DFGAbstractInterpreterInlines.h:
1012         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1013         * dfg/DFGClobberize.h:
1014         (JSC::DFG::clobberize):
1015         * dfg/DFGFixupPhase.cpp:
1016         (JSC::DFG::FixupPhase::fixupNode):
1017         * dfg/DFGOperations.cpp:
1018         * dfg/DFGOperations.h:
1019         * dfg/DFGSpeculativeJIT.cpp:
1020         (JSC::DFG::SpeculativeJIT::compare):
1021         (JSC::DFG::SpeculativeJIT::compileStringCompare):
1022         (JSC::DFG::SpeculativeJIT::compileStringIdentCompare):
1023         * dfg/DFGSpeculativeJIT.h:
1024         (JSC::DFG::SpeculativeJIT::callOperation):
1025         * ftl/FTLCapabilities.cpp:
1026         (JSC::FTL::canCompile):
1027         * ftl/FTLLowerDFGToB3.cpp:
1028         (JSC::FTL::DFG::LowerDFGToB3::compileCompareLess):
1029         (JSC::FTL::DFG::LowerDFGToB3::compileCompareLessEq):
1030         (JSC::FTL::DFG::LowerDFGToB3::compileCompareGreater):
1031         (JSC::FTL::DFG::LowerDFGToB3::compileCompareGreaterEq):
1032         (JSC::FTL::DFG::LowerDFGToB3::compare):
1033         * ftl/FTLOutput.h:
1034         (JSC::FTL::Output::callWithoutSideEffects):
1035         * jit/JITOperations.h:
1036         * tests/stress/string-compare.js: Added.
1037         (makeRope):
1038         (makeString):
1039         (let.operator.of.operators.eval.compareStringIdent):
1040         (let.operator.of.operators.compareStringString):
1041         (let.operator.of.operators.compareStringIdentString):
1042         (let.operator.of.operators.compareStringStringIdent):
1043         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval):
1044
1045 2016-04-21  Benjamin Poulain  <bpoulain@webkit.org>
1046
1047         [JSC] Commute FDiv-by-constant into FMul-by-reciprocal when it is safe
1048         https://bugs.webkit.org/show_bug.cgi?id=156871
1049
1050         Reviewed by Filip Pizlo.
1051
1052         FMul is significantly faster than FDiv.
1053         For example, on Haswell, FMul has a latency of 5, a throughput of 1
1054         while FDiv has latency 10-24, throughput 8-18.
1055
1056         Fortunately for us, Sunspider and Kraken have plenty of division
1057         by a simple power of 2 constant. Those are just exponent operations
1058         and can be easily reversed to use FMul instead of FDiv.
1059
1060         LLVM does something similar in InstCombine.
1061
1062         * dfg/DFGStrengthReductionPhase.cpp:
1063         (JSC::DFG::StrengthReductionPhase::handleNode):
1064         * jit/JITDivGenerator.cpp:
1065         (JSC::JITDivGenerator::loadOperand):
1066         (JSC::JITDivGenerator::generateFastPath):
1067         * jit/SnippetOperand.h:
1068         (JSC::SnippetOperand::asConstNumber):
1069         * runtime/MathCommon.h:
1070         (JSC::safeReciprocalForDivByConst):
1071         * tests/stress/floating-point-div-to-mul.js: Added.
1072         (opaqueDivBy2):
1073         (opaqueDivBy3):
1074         (opaqueDivBy4):
1075         (opaqueDivBySafeMaxMinusOne):
1076         (opaqueDivBySafeMax):
1077         (opaqueDivBySafeMaxPlusOne):
1078         (opaqueDivBySafeMin):
1079         (opaqueDivBySafeMinMinusOne):
1080         (i.catch):
1081         (i.result.opaqueDivBySafeMin.valueOf):
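
As an added illustration of when the FDiv-to-FMul rewrite is safe (example code written for this page, not JSC's safeReciprocalForDivByConst(); the NaN-as-"unsafe" return convention and the sample dividends are assumptions made here): a power-of-two constant has an exact reciprocal, and because IEEE division and multiplication are both correctly rounded, x / c and x * (1 / c) then round the same real value to the same double. For any other constant the reciprocal is already rounded, so the product can differ from the quotient in the last bit; the brute-force check below shows this for c = 10 and c = 3.

```cpp
#include <cmath>
#include <limits>

// Added example, not JSC code. Returns 1/c when dividing by the constant c may
// be replaced by multiplying by its reciprocal, and NaN when it may not.
// Accepts only powers of two (frexp mantissa exactly 0.5) whose reciprocal is
// a normal double, mirroring the frexp/isnormal style of check mentioned in
// the build-fix entries above; denormal, zero, inf and NaN constants are rejected.
double safeReciprocalForDivByConst(double constant)
{
    const double unsafe = std::numeric_limits<double>::quiet_NaN();
    if (!std::isnormal(constant))
        return unsafe;                      // 0, denormal, inf, NaN
    int exponent = 0;
    if (std::frexp(std::fabs(constant), &exponent) != 0.5)
        return unsafe;                      // mantissa != 0.5: not a power of two
    double reciprocal = 1.0 / constant;
    if (!std::isnormal(reciprocal))
        return unsafe;                      // 1/c would be denormal (e.g. c = 2^1023)
    return reciprocal;
}

// Brute-force check of the claim on constructed sample dividends: true iff
// every sample gives bit-identical results for x / c and x * (1 / c).
bool divisionMatchesMultiplyByReciprocal(double c)
{
    const double samples[] = { 1.0, 3.0, 7.0, 0.1, 1e-300, 123456789.0, -2.5 };
    const double reciprocal = 1.0 / c;
    for (double x : samples) {
        if (x / c != x * reciprocal)
            return false;                   // e.g. 3 / 10 = 0.3 but 3 * 0.1 = 0.30000000000000004
    }
    return true;
}
```

Dividing by 4, 0.5 or -8 is rewritten; dividing by 3, 10, 0 or 2^1023 is not, and the sample check agrees with the predicate for each of those constants.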
1082
1083 2016-04-21  Benjamin Poulain  <benjamin@webkit.org>
1084
1085         [JSC] Improve the absThunkGenerator() for 64bit
1086         https://bugs.webkit.org/show_bug.cgi?id=156888
1087
1088         Reviewed by Michael Saboff.
1089
1090         A few tests spend a lot of time in this abs() with double argument.
1091
1092         This patch adds custom handling for the JSValue64 representation.
1093         In particular:
1094         -Do not load the value twice. Unbox the GPR if it is not an Int32.
1095         -Deal with IntMin inline instead of falling back to the C function call.
1096         -Box the values ourself to avoid a duplicate function tail and return.
1097
1098         * jit/ThunkGenerators.cpp:
1099         (JSC::absThunkGenerator):
1100
1101 2016-04-21  Saam barati  <sbarati@apple.com>
1102
1103         LLInt CallSiteIndex off by 1
1104         https://bugs.webkit.org/show_bug.cgi?id=156886
1105
1106         Reviewed by Benjamin Poulain.
1107
1108         I think this was done for historical reasons but isn't needed anymore.
1109
1110         * llint/LLIntSlowPaths.cpp:
1111
1112 2016-04-21  Keith Miller  <keith_miller@apple.com>
1113
1114         FTL should handle exceptions in operationInOptimize
1115         https://bugs.webkit.org/show_bug.cgi?id=156885
1116
1117         Reviewed by Michael Saboff.
1118
1119         For some reason we didn't handle any exceptions in "in" when we called
1120         operationInOptimize in the FTL.
1121
1122         * bytecode/CodeBlock.cpp:
1123         (JSC::CodeBlock::dumpAssumingJITType):
1124         * ftl/FTLCapabilities.cpp:
1125         (JSC::FTL::canCompile):
1126         * ftl/FTLLowerDFGToB3.cpp:
1127         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1128         * ftl/FTLPatchpointExceptionHandle.h: Add comments explaining which
1129         function to use for different exception types.
1130
1131         * jsc.cpp:
1132         (GlobalObject::finishCreation):
1133         (functionNoFTL):
1134         * runtime/Executable.cpp:
1135         (JSC::ScriptExecutable::ScriptExecutable):
1136         * runtime/Executable.h:
1137         (JSC::ScriptExecutable::setNeverFTLOptimize):
1138         (JSC::ScriptExecutable::neverFTLOptimize):
1139         * tests/stress/in-ftl-exception-check.js: Added.
1140         (foo):
1141         (bar):
1142         (catch):
1143
1144 2016-04-21  Filip Pizlo  <fpizlo@apple.com>
1145
1146         JSC virtual call thunk shouldn't do a structure->classInfo lookup
1147         https://bugs.webkit.org/show_bug.cgi?id=156874
1148
1149         Reviewed by Keith Miller.
1150         
1151         This lookup was unnecessary because we can just test the inlined type field.
1152
1153         But also, this meant that we were exempting JSBoundFunction from the virtual call optimization.
1154         That's pretty bad.
1155
1156         * jit/ThunkGenerators.cpp:
1157         (JSC::virtualThunkFor):
1158
1159 2016-04-21  Joseph Pecoraro  <pecoraro@apple.com>
1160
1161         Web Inspector: sourceMappingURL not loaded in generated script
1162         https://bugs.webkit.org/show_bug.cgi?id=156022
1163         <rdar://problem/25438595>
1164
1165         Reviewed by Geoffrey Garen.
1166
1167         * inspector/JSGlobalObjectInspectorController.cpp:
1168         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1169         Synthetic CallFrames for native code will not have script identifiers.
1170
1171         * inspector/ScriptCallFrame.cpp:
1172         (Inspector::ScriptCallFrame::ScriptCallFrame):
1173         (Inspector::ScriptCallFrame::isEqual):
1174         (Inspector::ScriptCallFrame::buildInspectorObject):
1175         * inspector/ScriptCallFrame.h:
1176         * inspector/protocol/Console.json:
1177         Include the script identifier in ScriptCallFrame so we can correlate this
1178         to the exactly script, even if there isn't a URL. The Script may have a
1179         sourceURL, so the Web Inspector frontend may decide to show / link to it.
1180
1181         * inspector/ScriptCallStackFactory.cpp:
1182         (Inspector::CreateScriptCallStackFunctor::operator()):
1183         (Inspector::createScriptCallStackFromException):
1184         Include SourceID when we have it.
1185
1186         * interpreter/Interpreter.cpp:
1187         (JSC::GetStackTraceFunctor::operator()):
1188         * interpreter/Interpreter.h:
1189         * interpreter/StackVisitor.cpp:
1190         (JSC::StackVisitor::Frame::sourceID):
1191         * interpreter/StackVisitor.h:
1192         Access the SourceID when we have it.
1193
1194 2016-04-21  Saam barati  <sbarati@apple.com>
1195
1196         Lets do less locking of symbol tables in the BytecodeGenerator where we don't have race conditions
1197         https://bugs.webkit.org/show_bug.cgi?id=156821
1198
1199         Reviewed by Filip Pizlo.
1200
1201         The BytecodeGenerator allocates all the SymbolTables that it uses.
1202         This is before any concurrent compiler thread can use that SymbolTable.
1203         This means we don't actually need to lock for any operations of the
1204         SymbolTable. This patch makes this change by removing all locking.
1205         To do this, I've introduced a new constructor for ConcurrentJITLocker
1206         which implies no locking is necessary. You instantiate such a ConcurrentJITLocker like so:
1207         `ConcurrentJITLocker locker(ConcurrentJITLocker::NoLockingNecessary);`
1208
1209         This patch also removes all uses of Strong<SymbolTable> from the bytecode
1210         generator and instead wraps bytecode generation in a DeferGC.
1211
1212         * bytecode/UnlinkedFunctionExecutable.cpp:
1213         (JSC::generateUnlinkedFunctionCodeBlock):
1214         * bytecompiler/BytecodeGenerator.cpp:
1215         (JSC::BytecodeGenerator::BytecodeGenerator):
1216         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1217         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1218         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1219         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
1220         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1221         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
1222         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
1223         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1224         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1225         (JSC::BytecodeGenerator::variable):
1226         (JSC::BytecodeGenerator::createVariable):
1227         (JSC::BytecodeGenerator::emitResolveScope):
1228         (JSC::BytecodeGenerator::emitPushWithScope):
1229         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1230         * bytecompiler/BytecodeGenerator.h:
1231         (JSC::BytecodeGenerator::constructorKind):
1232         (JSC::BytecodeGenerator::superBinding):
1233         (JSC::BytecodeGenerator::generate):
1234         * runtime/CodeCache.cpp:
1235         (JSC::CodeCache::getGlobalCodeBlock):
1236         * runtime/ConcurrentJITLock.h:
1237         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1238         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
1239         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1240
1241 2016-04-21  Saam barati  <sbarati@apple.com>
1242
1243         Remove some unnecessary RefPtrs in the parser
1244         https://bugs.webkit.org/show_bug.cgi?id=156865
1245
1246         Reviewed by Filip Pizlo.
1247
1248         The IdentifierArena or the SourceProviderCacheItem will own these UniquedStringImpls
1249         while we are using them. There is no need for us to reference count them.
1250
1251         This might be a 0.5% speedup on octane code-load.
1252
1253         * parser/Parser.cpp:
1254         (JSC::Parser<LexerType>::parseInner):
1255         * parser/Parser.h:
1256         (JSC::Scope::setIsLexicalScope):
1257         (JSC::Scope::isLexicalScope):
1258         (JSC::Scope::closedVariableCandidates):
1259         (JSC::Scope::declaredVariables):
1260         (JSC::Scope::lexicalVariables):
1261         (JSC::Scope::finalizeLexicalEnvironment):
1262         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
1263         (JSC::Scope::collectFreeVariables):
1264         (JSC::Scope::getCapturedVars):
1265         (JSC::Scope::setStrictMode):
1266         (JSC::Scope::isValidStrictMode):
1267         (JSC::Scope::shadowsArguments):
1268         (JSC::Scope::copyCapturedVariablesToVector):
1269         * parser/SourceProviderCacheItem.h:
1270         (JSC::SourceProviderCacheItem::usedVariables):
1271         (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
1272         (JSC::SourceProviderCacheItem::create):
1273         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1274         (JSC::SourceProviderCacheItem::writtenVariables): Deleted.
1275
1276 2016-04-21  Filip Pizlo  <fpizlo@apple.com>
1277
1278         PolymorphicAccess adds sizeof(CallerFrameAndPC) rather than subtracting it when calculating stack height
1279         https://bugs.webkit.org/show_bug.cgi?id=156872
1280
1281         Reviewed by Geoffrey Garen.
1282         
1283         The code that added sizeof(CallerFrameAndPC) emerged from a bad copy-paste in r189586. That was
1284         the revision that created the PolymorphicAccess class. It moved code for generating a
1285         getter/setter call from Repatch.cpp to PolymorphicAccess.cpp. You can see the code doing a
1286         subtraction here:
1287         
1288             http://trac.webkit.org/changeset/189586/trunk/Source/JavaScriptCore/jit/Repatch.cpp
1289         
1290         This makes the world right again.
1291
1292         * bytecode/PolymorphicAccess.cpp:
1293         (JSC::AccessCase::generateImpl):
1294
1295 2016-04-21  Geoffrey Garen  <ggaren@apple.com>
1296
1297         Build warning: CODE_SIGN_ENTITLEMENTS specified without specifying CODE_SIGN_IDENTITY
1298         https://bugs.webkit.org/show_bug.cgi?id=156862
1299
1300         Reviewed by Joseph Pecoraro.
1301
1302         * Configurations/Base.xcconfig: Specify the ad hoc signing identity by
1303         default. See <http://trac.webkit.org/changeset/143544>.
1304
1305 2016-04-21  Andy Estes  <aestes@apple.com>
1306
1307         REGRESSION (r199734): WebKit crashes loading numerous websites in iOS Simulator
1308         https://bugs.webkit.org/show_bug.cgi?id=156842
1309
1310         Reviewed by Daniel Bates.
1311
1312         Disable separated heap on iOS Simulator.
1313
1314         * runtime/Options.cpp:
1315         (JSC::recomputeDependentOptions):
1316
1317 2016-04-21  Michael Saboff  <msaboff@apple.com>
1318
1319         Align RegExp[@@match] with other @@ methods
1320         https://bugs.webkit.org/show_bug.cgi?id=156832
1321
1322         Reviewed by Mark Lam.
1323
1324         Various changes to align the RegExp[@@match] with [@@search] and [@@split].
1325
1326         Made RegExp.prototype.@exec a hidden property on the global object and
1327         called it @regExpBuiltinExec to match the name it has in the standard.
1328         Changed all places that used the old name to use the new one.
1329
1330         Made the match fast path function, which used to be called @match, be called
1331         @regExpMatchFast and put it on the global object.  Changed it to also handle
1332         expressions both with and without the global flag.  Refactored the builtin
1333         @match accordingly.
1334
1335         Added the builtin function @hasObservableSideEffectsForRegExpMatch() that
1336         checks to see if we can use the fast path or if we need the explicit version.
1337
1338         Put the main RegExp functions @match, @search and @split in alphabetical
1339         order in RegExpPrototype.js.  Did the same for @match, @repeat, @search and 
1340         @split in StringPrototype.js.
1341         
1342         * builtins/RegExpPrototype.js:
1343         (regExpExec):
1344         (hasObservableSideEffectsForRegExpMatch): New.
1345         (match):
1346         (search):
1347         (hasObservableSideEffectsForRegExpSplit):
1348         Reordered in the file and updated to use @regExpBuiltinExec.
1349
1350         * builtins/StringPrototype.js:
1351         (match):
1352         (repeatSlowPath):
1353         (repeat):
1354         (search):
1355         (split):
1356         Reordered functions in the file.
1357
1358         * runtime/CommonIdentifiers.h:
1359         * runtime/JSGlobalObject.cpp:
1360         (JSC::JSGlobalObject::setGlobalThis):
1361         (JSC::getById):
1362         (JSC::getGetterById):
1363         (JSC::JSGlobalObject::init):
1364         * runtime/RegExpPrototype.cpp:
1365         (JSC::RegExpPrototype::finishCreation):
1366         (JSC::regExpProtoFuncExec):
1367         (JSC::regExpProtoFuncMatchFast):
1368         (JSC::regExpProtoFuncMatchPrivate): Deleted.
1369         * runtime/RegExpPrototype.h:
1370
1371 2016-04-20  Geoffrey Garen  <ggaren@apple.com>
1372
1373         JavaScriptCore garbage collection is missing an autorelease pool
1374         https://bugs.webkit.org/show_bug.cgi?id=156751
1375         <rdar://problem/25787802>
1376
1377         Reviewed by Mark Lam.
1378
1379         * heap/Heap.cpp:
1380         (JSC::Heap::releaseDelayedReleasedObjects): Add an autorelease pool to
1381         catch autoreleases when we call out to arbitrary ObjC code.
1382
1383         We use the C interface here because this is not an ObjC compilation unit.
1384
1385 2016-04-20  Filip Pizlo  <fpizlo@apple.com>
1386
1387         DFG del_by_id support forgets to set()
1388         https://bugs.webkit.org/show_bug.cgi?id=156830
1389
1390         Reviewed by Saam Barati.
1391
1392         * dfg/DFGByteCodeParser.cpp:
1393         (JSC::DFG::ByteCodeParser::parseBlock):
1394         * tests/stress/dfg-del-by-id.js: Added.
1395
1396 2016-04-20  Saam barati  <sbarati@apple.com>
1397
1398         Improve sampling profiler CLI JSC tool
1399         https://bugs.webkit.org/show_bug.cgi?id=156824
1400
1401         Reviewed by Mark Lam.
1402
1403         This patch enhances the Sampling Profiler CLI tool from the JSC shell
1404         to display the JITType of a particular CodeBlock. Because this happens
1405         once we process a log of stack frames, the data for a particular frame
1406         being in LLInt vs. Baseline could be wrong. For example, we may have taken 
1407         a stack trace of a CodeBlock while it was executing in the LLInt, then 
1408         it tiers up to the baseline, then we process the log. We will show such CodeBlocks
1409         as being in the baseline JIT. We could be smarter about this in the future if
1410         it turns out to truly be a problem.
1411
1412         This patch also adds a 'samplingProfilerTimingInterval' JSC option to allow
1413         CLI users to control the sleep time between stack traces.
1414
1415         * jsc.cpp:
1416         (jscmain):
1417         * runtime/Options.h:
1418         * runtime/SamplingProfiler.cpp:
1419         (JSC::SamplingProfiler::SamplingProfiler):
1420         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1421         (JSC::SamplingProfiler::reportTopBytecodes):
1422         * runtime/SamplingProfiler.h:
1423         (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
1424
1425 2016-04-20  Benjamin Poulain  <bpoulain@apple.com>
1426
1427         [JSC] DFG should not generate two jumps when the target of DoubleBranch is the next block  
1428         https://bugs.webkit.org/show_bug.cgi?id=156815
1429
1430         Reviewed by Mark Lam.
1431
1432         * dfg/DFGSpeculativeJIT.cpp:
1433         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1434
1435 2016-04-20  Benjamin Poulain  <bpoulain@apple.com>
1436
1437         [JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG
1438         https://bugs.webkit.org/show_bug.cgi?id=155164
1439
1440         Reviewed by Mark Lam.
1441
1442         Every "inc" in loop was looking like this:
1443             move rX, rY
1444             inc rY
1445             jo 0x230f4a200580
1446
1447         This patch adds register reuse to that case to remove
1448         the extra "move".
1449
1450         * dfg/DFGOSRExit.h:
1451         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
1452         (JSC::DFG::SpeculationRecovery::immediate):
1453         * dfg/DFGOSRExitCompiler32_64.cpp:
1454         (JSC::DFG::OSRExitCompiler::compileExit):
1455         * dfg/DFGOSRExitCompiler64.cpp:
1456         (JSC::DFG::OSRExitCompiler::compileExit):
1457         * dfg/DFGSpeculativeJIT.cpp:
1458         (JSC::DFG::SpeculativeJIT::compileArithAdd):
1459         * tests/stress/arith-add-with-constant-overflow.js: Added.
1460         (opaqueAdd):
1461
1462 2016-04-20  Saam barati  <sbarati@apple.com>
1463
1464         We don't need a manual stack for an RAII object when the machine's stack will do just fine
1465         https://bugs.webkit.org/show_bug.cgi?id=156807
1466
1467         Reviewed by Mark Lam.
1468
1469         We kept around a vector for an RAII object to maintain
1470         the recursive nature of having these RAII objects on
1471         the stack as the parser recursed. Instead, the RAII object
1472         can just have a field with the value it wants to restore
1473         and use the machine's stack.
1474
1475         This is a 1% octane code-load progression.
1476
1477         * parser/SyntaxChecker.h:
1478         (JSC::SyntaxChecker::BinaryExprContext::BinaryExprContext):
1479         (JSC::SyntaxChecker::BinaryExprContext::~BinaryExprContext):
1480         (JSC::SyntaxChecker::UnaryExprContext::UnaryExprContext):
1481         (JSC::SyntaxChecker::UnaryExprContext::~UnaryExprContext):
1482         (JSC::SyntaxChecker::operatorStackPop):
1483
1484 2016-04-20  Michael Saboff  <msaboff@apple.com>
1485
1486         REGRESSION(r190289): Spin trying to view/sign in to hbogo.com
1487         https://bugs.webkit.org/show_bug.cgi?id=156765
1488
1489         Reviewed by Saam Barati.
1490
1491         In the op_get_by_val case, we were holding the lock on a profiled CodeBlock
1492         when we call into handleGetById(). Changed to drop the lock before calling
1493         handleGetById().
1494
1495         The bug here was that the call to handleGetById() may end up calling in to
1496         getPredictionWithoutOSRExit() for a tail call opcode. As part of that
1497         processing, we walk back up the stack to find the effective caller and when
1498         found, we lock the corresponding CodeBlock to get the prediction.
1499         That CodeBlock may be the same one locked above. There is no need anyway
1500         to hold the CodeBlock lock when calling handleGetById().
1501
1502         Added a new stress test.
1503
1504         * dfg/DFGByteCodeParser.cpp:
1505         (JSC::DFG::ByteCodeParser::parseBlock):
1506         * tests/stress/regress-156765.js: Added.
1507         (realValue):
1508         (object.get hello):
1509         (ok):
1510
1511 2016-04-20  Mark Lam  <mark.lam@apple.com>
1512
1513         Unindent an unnecessary block in stringProtoFuncSplitFast().
1514         https://bugs.webkit.org/show_bug.cgi?id=156802
1515
1516         Reviewed by Filip Pizlo.
1517
1518         In webkit.org/b/156013, I refactored stringProtoFuncSplit into
1519         stringProtoFuncSplitFast.  In that patch, I left an unnecessary block of code in
1520         its original block (with FIXMEs) to keep the diff for that patch minimal.  Now
1521         that the patch for webkit.org/b/156013 has landed, I will unindent that block and
1522         remove the FIXMEs.
1523
1524         * runtime/StringPrototype.cpp:
1525         (JSC::stringProtoFuncSplitFast):
1526
1527 2016-04-20  Brady Eidson  <beidson@apple.com>
1528
1529         Modern IDB (Workers): Enable INDEXED_DATABASE_IN_WORKERS compile time flag, but disabled in RuntimeEnabledFeatures.
1530         https://bugs.webkit.org/show_bug.cgi?id=156782
1531
1532         Reviewed by Alex Christensen.
1533
1534         * Configurations/FeatureDefines.xcconfig:
1535
1536 2016-04-20  Saam barati  <sbarati@apple.com>
1537
1538         Remove unused m_writtenVariables from the parser and related bits
1539         https://bugs.webkit.org/show_bug.cgi?id=156784
1540
1541         Reviewed by Yusuke Suzuki.
1542
1543         This isn't an octane/codeload speedup even though we're doing less work in
1544         collectFreeVariables. But it's good to get rid of things that are not used.
1545
1546         * parser/Nodes.h:
1547         (JSC::ScopeNode::usesEval):
1548         (JSC::ScopeNode::usesArguments):
1549         (JSC::ScopeNode::usesArrowFunction):
1550         (JSC::ScopeNode::isStrictMode):
1551         (JSC::ScopeNode::setUsesArguments):
1552         (JSC::ScopeNode::usesThis):
1553         (JSC::ScopeNode::modifiesParameter): Deleted.
1554         (JSC::ScopeNode::modifiesArguments): Deleted.
1555         * parser/Parser.cpp:
1556         (JSC::Parser<LexerType>::parseInner):
1557         (JSC::Parser<LexerType>::parseAssignmentExpression):
1558         * parser/Parser.h:
1559         (JSC::Scope::Scope):
1560         (JSC::Scope::hasDeclaredParameter):
1561         (JSC::Scope::preventAllVariableDeclarations):
1562         (JSC::Scope::collectFreeVariables):
1563         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1564         (JSC::Scope::getSloppyModeHoistedFunctions):
1565         (JSC::Scope::getCapturedVars):
1566         (JSC::Scope::setStrictMode):
1567         (JSC::Scope::strictMode):
1568         (JSC::Scope::fillParametersForSourceProviderCache):
1569         (JSC::Scope::restoreFromSourceProviderCache):
1570         (JSC::Parser::hasDeclaredParameter):
1571         (JSC::Parser::exportName):
1572         (JSC::Scope::declareWrite): Deleted.
1573         (JSC::Parser::declareWrite): Deleted.
1574         * parser/ParserModes.h:
1575
1576 2016-04-19  Saam barati  <sbarati@apple.com>
1577
1578         Unreviewed, fix cloop build after r199754.
1579
1580         * jsc.cpp:
1581         (jscmain):
1582
1583 2016-04-19  Michael Saboff  <msaboff@apple.com>
1584
1585         iTunes crashing JavaScriptCore.dll
1586         https://bugs.webkit.org/show_bug.cgi?id=156647
1587
1588         Reviewed by Filip Pizlo.
1589
1590         Given that there are only 128 FLS indices compared to over 1000 for TLS,
1591         I eliminated the thread specific m_threadSpecificForThread and instead we look
1592         for the current thread in m_registeredThreads list when we need it.
1593         In most cases there will only be one thread.
1594
1595         Added THREAD_SPECIFIC_CALL to signature of ThreadSpecific remove callbacks
1596         to set the calling convention correctly for Windows 32 bit.
1597
1598         * heap/MachineStackMarker.cpp:
1599         (JSC::ActiveMachineThreadsManager::remove):
1600         (JSC::MachineThreads::MachineThreads):
1601         (JSC::MachineThreads::~MachineThreads):
1602         (JSC::MachineThreads::addCurrentThread):
1603         (JSC::MachineThreads::machineThreadForCurrentThread):
1604         (JSC::MachineThreads::removeThread):
1605         * heap/MachineStackMarker.h:
1606
1607 2016-04-19  Benjamin Poulain  <bpoulain@webkit.org>
1608
1609         [JSC] Small cleanup of RegisterAtOffsetList
1610         https://bugs.webkit.org/show_bug.cgi?id=156779
1611
1612         Reviewed by Mark Lam.
1613
1614         I was wondering why RegisterAtOffsetList always cache-misses.
1615         It looks like it is doing more than it needs to.
1616
1617         We do not need to sort the values. The total order of
1618         RegisterAtOffset is:
1619         1) Order of Reg.
1620         2) Order of offsets.
1621         We already generate the list in order.
1622
1623         Also allocate the right array size ahead of filling the array.
1624
1625         * jit/RegisterAtOffsetList.cpp:
1626         (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
1627         (JSC::RegisterAtOffsetList::sort): Deleted.
1628         * jit/RegisterAtOffsetList.h:
1629         (JSC::RegisterAtOffsetList::append): Deleted.
1630
1631 2016-04-19  Saam barati  <sbarati@apple.com>
1632
1633         Add a couple UNLIKELY macros in parseMemberExpression
1634         https://bugs.webkit.org/show_bug.cgi?id=156775
1635
1636         Reviewed by Filip Pizlo.
1637
1638         These UNLIKELY macros have to do with the base of the
1639         member expression being 'super'. I think it's safe to
1640         argue that this is truly UNLIKELY. I am seeing speedups
1641         sometimes on Octane codeload. Usually around 0.5%. Sometimes 1%.
1642
1643         * parser/Parser.cpp:
1644         (JSC::Parser<LexerType>::parseMemberExpression):
1645
1646 2016-04-19  Saam barati  <sbarati@apple.com>
1647
1648         allow jsc shell to dump sampling profiler data
1649         https://bugs.webkit.org/show_bug.cgi?id=156725
1650
1651         Reviewed by Benjamin Poulain.
1652
1653         This patch adds a '--reportSamplingProfilerData' option to the
1654         JSC shell which will enable the sampling profiler and dump
1655         its data at the end of execution. The dump will include the
1656         40 hottest functions and the 80 hottest bytecode locations.
1657         If you're using this option to debug, it's easy to just hack
1658         on the code to make it dump more or less information.
1659
1660         * jsc.cpp:
1661         (CommandLine::parseArguments):
1662         (jscmain):
1663         * runtime/Options.h:
1664         * runtime/SamplingProfiler.cpp:
1665         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1666         (JSC::SamplingProfiler::stackTracesAsJSON):
1667         (JSC::SamplingProfiler::reportTopFunctions):
1668         (JSC::SamplingProfiler::reportTopBytecodes):
1669         * runtime/SamplingProfiler.h:
1670         (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
1671         (JSC::SamplingProfiler::StackFrame::hasBytecodeIndex):
1672         (JSC::SamplingProfiler::StackFrame::hasCodeBlockHash):
1673         (JSC::SamplingProfiler::setStopWatch):
1674
1675 2016-04-19  Mark Lam  <mark.lam@apple.com>
1676
1677         Re-landing: ES6: Implement RegExp.prototype[@@search].
1678         https://bugs.webkit.org/show_bug.cgi?id=156331
1679
1680         Reviewed by Keith Miller.
1681
1682         What changed?
1683         1. Implemented search builtin in RegExpPrototype.js.
1684            The native path is now used as a fast path.
1685         2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
1686            IsJSArrayIntrinsic).
1687         3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
1688         4. Change the esSpecIsRegExpObject() implementation to check if the object's
1689            JSType is RegExpObjectType instead of walking the classinfo chain.
1690
1691         * builtins/RegExpPrototype.js:
1692         (search):
1693         * builtins/StringPrototype.js:
1694         (search):
1695         - fixed some indentation.
1696
1697         * dfg/DFGAbstractInterpreterInlines.h:
1698         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1699         * dfg/DFGByteCodeParser.cpp:
1700         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1701         * dfg/DFGClobberize.h:
1702         (JSC::DFG::clobberize):
1703         * dfg/DFGDoesGC.cpp:
1704         (JSC::DFG::doesGC):
1705         * dfg/DFGFixupPhase.cpp:
1706         (JSC::DFG::FixupPhase::fixupNode):
1707         * dfg/DFGNodeType.h:
1708         * dfg/DFGPredictionPropagationPhase.cpp:
1709         (JSC::DFG::PredictionPropagationPhase::propagate):
1710         * dfg/DFGSafeToExecute.h:
1711         (JSC::DFG::safeToExecute):
1712         * dfg/DFGSpeculativeJIT.cpp:
1713         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1714         (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
1715         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1716         * dfg/DFGSpeculativeJIT.h:
1717         * dfg/DFGSpeculativeJIT32_64.cpp:
1718         (JSC::DFG::SpeculativeJIT::compile):
1719         * dfg/DFGSpeculativeJIT64.cpp:
1720         (JSC::DFG::SpeculativeJIT::compile):
1721         * ftl/FTLCapabilities.cpp:
1722         (JSC::FTL::canCompile):
1723         * ftl/FTLLowerDFGToB3.cpp:
1724         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1725         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
1726         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
1727         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
1728         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
1729         (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
1730         (JSC::FTL::DFG::LowerDFGToB3::isType):
1731         * runtime/Intrinsic.h:
1732         - Added IsRegExpObjectIntrinsic.
1733
1734         * runtime/CommonIdentifiers.h:
1735
1736         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1737         (JSC::esSpecIsConstructor):
1738         - Changed to use uncheckedArgument since this is only called from internal code.
1739         (JSC::esSpecIsRegExpObject):
1740         (JSC::esSpecIsRegExp): Deleted.
1741         * runtime/ECMAScriptSpecInternalFunctions.h:
1742         - Changed to check the object for a JSType of RegExpObjectType.
1743
1744         * runtime/JSGlobalObject.cpp:
1745         (JSC::JSGlobalObject::init):
1746         - Added split fast path.
1747
1748         * runtime/RegExpPrototype.cpp:
1749         (JSC::RegExpPrototype::finishCreation):
1750         (JSC::regExpProtoFuncSearchFast):
1751         (JSC::regExpProtoFuncSearch): Deleted.
1752         * runtime/RegExpPrototype.h:
1753
1754         * tests/es6.yaml:
1755         * tests/stress/regexp-search.js:
1756         - Rebased test.
1757
1758 2016-04-19  Mark Lam  <mark.lam@apple.com>
1759
1760         Replace $vm.printValue() with $vm.value().
1761         https://bugs.webkit.org/show_bug.cgi?id=156767
1762
1763         Reviewed by Saam Barati.
1764
1765         When debugging with $vm, this change allows us to do this:
1766
1767             $vm.print("myObj = " + $vm.value(myObj) + "\n");
1768
1769         ... instead of having to do this:
1770
1771             $vm.print("myObj = ");
1772             $vm.printValue(myObj);
1773             $vm.print("\n");
1774
1775         * tools/JSDollarVMPrototype.cpp:
1776         (JSC::JSDollarVMPrototype::printValue):
1777         (JSC::functionValue):
1778         (JSC::JSDollarVMPrototype::finishCreation):
1779         (JSC::functionPrintValue): Deleted.
1780
1781 2016-04-19  Mark Lam  <mark.lam@apple.com>
1782
1783         Re-landing: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1784         https://bugs.webkit.org/show_bug.cgi?id=156013
1785
1786         Reviewed by Keith Miller.
1787
1788         * CMakeLists.txt:
1789         * JavaScriptCore.xcodeproj/project.pbxproj:
1790         * builtins/GlobalObject.js:
1791         (speciesConstructor):
1792         * builtins/PromisePrototype.js:
1793         - refactored to use the @speciesConstructor internal function.
1794
1795         * builtins/RegExpPrototype.js:
1796         (advanceStringIndex):
1797         - refactored from @advanceStringIndexUnicode() to match the spec.
1798           Benchmarks show that there's no advantage in doing the unicode check outside
1799           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
1800           spec (especially since @@split needs to call advanceStringIndex from more than
1801           1 location).
1802         (match):
1803         - Removed an unnecessary call to @Object because it was already proven above.
1804         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
1805           Again, there's no perf regression for this.
1806         (regExpExec):
1807         (hasObservableSideEffectsForRegExpSplit):
1808         (split):
1809         (advanceStringIndexUnicode): Deleted.
1810
1811         * builtins/StringPrototype.js:
1812         (split):
1813         - Modified to use RegExp.prototype[@@split].
1814
1815         * bytecode/BytecodeIntrinsicRegistry.cpp:
1816         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1817         (JSC::BytecodeIntrinsicRegistry::lookup):
1818         * bytecode/BytecodeIntrinsicRegistry.h:
1819         - Added the @@split symbol.
1820
1821         * runtime/CommonIdentifiers.h:
1822         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
1823         (JSC::esSpecIsConstructor):
1824         (JSC::esSpecIsRegExp):
1825         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
1826
1827         * runtime/JSGlobalObject.cpp:
1828         (JSC::getGetterById):
1829         (JSC::JSGlobalObject::init):
1830
1831         * runtime/PropertyDescriptor.cpp:
1832         (JSC::PropertyDescriptor::setDescriptor):
1833         - Removed an assert that is no longer valid.
1834
1835         * runtime/RegExpObject.h:
1836         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
1837           fast path.
1838
1839         * runtime/RegExpPrototype.cpp:
1840         (JSC::RegExpPrototype::finishCreation):
1841         (JSC::regExpProtoFuncExec):
1842         (JSC::regExpProtoFuncSearch):
1843         (JSC::advanceStringIndex):
1844         (JSC::regExpProtoFuncSplitFast):
1845         * runtime/RegExpPrototype.h:
1846
1847         * runtime/StringObject.h:
1848         (JSC::jsStringWithReuse):
1849         (JSC::jsSubstring):
1850         - Hoisted some utility functions from StringPrototype.cpp so that they can be
1851           reused by the regexp split fast path.
1852
1853         * runtime/StringPrototype.cpp:
1854         (JSC::StringPrototype::finishCreation):
1855         (JSC::stringProtoFuncSplitFast):
1856         (JSC::stringProtoFuncSubstr):
1857         (JSC::builtinStringSubstrInternal):
1858         (JSC::stringProtoFuncSubstring):
1859         (JSC::stringIncludesImpl):
1860         (JSC::stringProtoFuncIncludes):
1861         (JSC::builtinStringIncludesInternal):
1862         (JSC::jsStringWithReuse): Deleted.
1863         (JSC::jsSubstring): Deleted.
1864         (JSC::stringProtoFuncSplit): Deleted.
1865         * runtime/StringPrototype.h:
1866
1867         * tests/es6.yaml:
1868
1869 2016-04-19  Commit Queue  <commit-queue@webkit.org>
1870
1871         Unreviewed, rolling out r199726.
1872         https://bugs.webkit.org/show_bug.cgi?id=156748
1873
1874         WebKit tests crash on Windows 32 (Requested by msaboff on
1875         #webkit).
1876
1877         Reverted changeset:
1878
1879         "iTunes crashing JavaScriptCore.dll"
1880         https://bugs.webkit.org/show_bug.cgi?id=156647
1881         http://trac.webkit.org/changeset/199726
1882
1883 2016-04-19  Michael Saboff  <msaboff@apple.com>
1884
1885         iTunes crashing JavaScriptCore.dll
1886         https://bugs.webkit.org/show_bug.cgi?id=156647
1887
1888         Reviewed by Saam Barati.
1889
1890         Given that there are only 128 FLS indices compared to over 1000 for TLS, I
1891         eliminated the thread specific m_threadSpecificForThread and instead we look for the
1892         current thread in m_registeredThreads list when we need it.  In most cases there
1893         will only be one thread.
1894
1895         * heap/MachineStackMarker.cpp:
1896         (JSC::MachineThreads::MachineThreads):
1897         (JSC::MachineThreads::~MachineThreads):
1898         (JSC::MachineThreads::addCurrentThread):
1899         (JSC::MachineThreads::machineThreadForCurrentThread):
1900         (JSC::MachineThreads::removeThread):
1901         * heap/MachineStackMarker.h:
1902
1903 2016-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1904
1905         [INTL] Use @thisNumberValue instead of `instanceof @Number`
1906         https://bugs.webkit.org/show_bug.cgi?id=156680
1907
1908         Reviewed by Saam Barati.
1909
1910         Use @thisNumberValue instead of `instanceof @Number`.
1911         `instanceof @Number` is not enough.
1912         For example, given two realms, an object created in one realm does not
1913         inherit from the Number of the other realm.
1914         Another example is an object which does not inherit from Number:
1915
1916         ```
1917         var number = new Number(42);
1918         number.__proto__ = null;
1919         ```
1920
1921         * builtins/NumberPrototype.js:
1922         (toLocaleString):
1923         * runtime/CommonIdentifiers.h:
1924         * runtime/JSGlobalObject.cpp:
1925         (JSC::JSGlobalObject::init):
1926         * runtime/NumberPrototype.cpp:
1927         (JSC::numberProtoFuncValueOf):
1928         * runtime/NumberPrototype.h:
1929         * tests/stress/number-to-locale-string-should-accept-strange-number-objects.js: Added.
1930         (shouldBe):
1931
1932 2016-04-19  Commit Queue  <commit-queue@webkit.org>
1933
1934         Unreviewed, rolling out r199712.
1935         https://bugs.webkit.org/show_bug.cgi?id=156741
1936
1937         It caused a serious regression on 32 bit platform (Requested
1938         by gskachkov on #webkit).
1939
1940         Reverted changeset:
1941
1942         "calling super() a second time in a constructor should throw"
1943         https://bugs.webkit.org/show_bug.cgi?id=151113
1944         http://trac.webkit.org/changeset/199712
1945
1946 2016-04-09  Skachkov Oleksandr  <gskachkov@gmail.com>
1947
1948         calling super() a second time in a constructor should throw
1949         https://bugs.webkit.org/show_bug.cgi?id=151113
1950
1951         Reviewed by Saam Barati and Keith Miller.
1952
1953         Currently, our implementation checks if 'super()' was called in a constructor more
1954         than once and raises a RuntimeError before the second call. According to the spec
1955         we need to raise an error just after the second super() is finished and before
1956         the new 'this' is assigned (see https://esdiscuss.org/topic/duplicate-super-call-behaviour).
1957         To implement this behavior this patch adds a new op code, op_is_empty, that is used 
1958         to check if 'this' is empty.
1959
1960         * bytecode/BytecodeList.json:
1961         * bytecode/BytecodeUseDef.h:
1962         (JSC::computeUsesForBytecodeOffset):
1963         (JSC::computeDefsForBytecodeOffset):
1964         * bytecode/CodeBlock.cpp:
1965         (JSC::CodeBlock::dumpBytecode):
1966         * bytecompiler/BytecodeGenerator.cpp:
1967         (JSC::BytecodeGenerator::emitIsEmpty):
1968         * bytecompiler/BytecodeGenerator.h:
1969         * bytecompiler/NodesCodegen.cpp:
1970         (JSC::FunctionCallValueNode::emitBytecode):
1971         * dfg/DFGAbstractInterpreterInlines.h:
1972         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1973         * dfg/DFGByteCodeParser.cpp:
1974         (JSC::DFG::ByteCodeParser::parseBlock):
1975         * dfg/DFGCapabilities.cpp:
1976         (JSC::DFG::capabilityLevel):
1977         * dfg/DFGClobberize.h:
1978         (JSC::DFG::clobberize):
1979         * dfg/DFGDoesGC.cpp:
1980         (JSC::DFG::doesGC):
1981         * dfg/DFGFixupPhase.cpp:
1982         (JSC::DFG::FixupPhase::fixupNode):
1983         * dfg/DFGNodeType.h:
1984         * dfg/DFGPredictionPropagationPhase.cpp:
1985         (JSC::DFG::PredictionPropagationPhase::propagate):
1986         * dfg/DFGSafeToExecute.h:
1987         (JSC::DFG::safeToExecute):
1988         * dfg/DFGSpeculativeJIT32_64.cpp:
1989         (JSC::DFG::SpeculativeJIT::compile):
1990         * dfg/DFGSpeculativeJIT64.cpp:
1991         (JSC::DFG::SpeculativeJIT::compile):
1992         * ftl/FTLCapabilities.cpp:
1993         (JSC::FTL::canCompile):
1994         * ftl/FTLLowerDFGToB3.cpp:
1995         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1996         (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
1997         * jit/JIT.cpp:
1998         (JSC::JIT::privateCompileMainPass):
1999         * jit/JIT.h:
2000         * jit/JITOpcodes.cpp:
2001         (JSC::JIT::emit_op_is_empty):
2002         * jit/JITOpcodes32_64.cpp:
2003         (JSC::JIT::emit_op_is_empty):
2004         * llint/LowLevelInterpreter32_64.asm:
2005         * llint/LowLevelInterpreter64.asm:
2006         * tests/stress/class-syntax-double-constructor.js: Added.
2007
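        Added illustration for the entry above (not part of the ChangeLog entry and not
        WebKit code): a stand-alone Node.js script that makes the ordering the entry
        describes observable. It assumes the engine running it follows the spec's SuperCall
        steps, as Node.js/V8 does: the second super() call runs the parent constructor to
        completion, and only the subsequent attempt to bind the new 'this' throws a
        ReferenceError. The Base/Derived classes and the log array are constructed for the
        example.

```javascript
// Added example (not WebKit code): observable ordering of the duplicate-super()
// error. Assumes a spec-conformant engine (Node.js/V8): the parent constructor
// runs a second time, then binding `this` again throws a ReferenceError.
class Base {
  constructor(log) {
    log.push('Base constructor ran');
  }
}

class Derived extends Base {
  constructor(log) {
    super(log);                        // first call: binds `this`
    log.push('between the two super() calls');
    super(log);                        // second call: Base runs again, then the
                                       // rebinding of `this` throws
    log.push('unreachable');           // never appended
  }
}

// Returns what a caller can observe: the constructor activity log and the
// name of the error class thrown by the second super() call.
function callSuperTwice() {
  const log = [];
  let thrown = null;
  try {
    new Derived(log);
  } catch (e) {
    thrown = e;
  }
  return { log, errorName: thrown ? thrown.constructor.name : null };
}

module.exports = { Base, Derived, callSuperTwice };
```

        The log shows 'Base constructor ran' twice, which is the point of the entry: an
        engine that threw before the second call would record it only once.
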
2008 2016-04-18  Benjamin Poulain  <bpoulain@apple.com>
2009
2010         [JSC] Fix some overhead affecting small codegen
2011         https://bugs.webkit.org/show_bug.cgi?id=156728
2012
2013         Reviewed by Filip Pizlo.
2014
2015         * assembler/AbstractMacroAssembler.h:
2016         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
2017         (JSC::AbstractMacroAssembler::random):
2018         cryptographicallyRandomNumber() is very costly.
2019         We only need it in lowering some very particular cases
2020         of non-trusted immediates. No inline cache needs that.
2021
2022         * assembler/LinkBuffer.h:
2023         (JSC::LinkBuffer::link):
2024         * jit/JIT.h:
2025         * jit/JITInlines.h:
2026         (JSC::JIT::addSlowCase):
2027         Do not copy the JumpList to access its elements.
2028
2029 2016-04-18  Saam barati  <sbarati@apple.com>
2030
2031         implement dynamic scope accesses in the DFG/FTL
2032         https://bugs.webkit.org/show_bug.cgi?id=156567
2033
2034         Reviewed by Geoffrey Garen.
2035
2036         This patch adds dynamic scope operations to the DFG/FTL.
2037         This patch adds three new DFG nodes: ResolveScope, PutDynamicVar and GetDynamicVar.
2038         When we encounter a Dynamic/UnresolvedProperty/UnresolvedPropertyWithVarInjectionChecks
2039         resolve type, we will compile dynamic scope resolution nodes. When we encounter
2040         a resolve type that needs var injection checks and the var injection
2041         watchpoint has already been fired, we will compile dynamic scope resolution
2042         nodes.
2043
2044         This patch also adds a new value to the InitializationMode enum: ConstInitialization.
2045         There was a subtle bug where we used to never compile the var injection variant of the 
2046         resolve type for an eval that injected a var where there was also a global lexical variable with the same name. 
2047         For example, the store compiled in this eval("var foo = 20;") wouldn't be compiled 
2048         with var injection checks if there was global let/const variable named "foo".
2049         So there was the potential for the injected var to store to the GlobalLexicalObject.
2050         I found this bug because my initial implementation in the DFG/FTL ran into it.
2051         The reason this bug existed is that when we compile a const initialization,
2052         we never need a var injections check. The const initialization always
2053         knows where to store its value. This same logic leaked into the above eval's 
2054         "var foo = 20" store. This new enum value allows us to distinguish const
2055         initialization stores from non-const initialization stores.
2056
2057         (I also changed InitializationMode to be an enum class instead of an enum).
2058
2059         * bytecode/CodeBlock.cpp:
2060         (JSC::CodeBlock::finishCreation):
2061         * bytecompiler/BytecodeGenerator.cpp:
2062         (JSC::BytecodeGenerator::generate):
2063         (JSC::BytecodeGenerator::BytecodeGenerator):
2064         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2065         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
2066         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
2067         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
2068         (JSC::BytecodeGenerator::emitGetFromScope):
2069         (JSC::BytecodeGenerator::initializeVariable):
2070         (JSC::BytecodeGenerator::emitInstanceOf):
2071         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
2072         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
2073         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
2074         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2075         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
2076         * bytecompiler/NodesCodegen.cpp:
2077         (JSC::PostfixNode::emitResolve):
2078         (JSC::PrefixNode::emitResolve):
2079         (JSC::ReadModifyResolveNode::emitBytecode):
2080         (JSC::initializationModeForAssignmentContext):
2081         (JSC::AssignResolveNode::emitBytecode):
2082         (JSC::EmptyLetExpression::emitBytecode):
2083         (JSC::ForInNode::emitLoopHeader):
2084         (JSC::ForOfNode::emitBytecode):
2085         (JSC::ClassExprNode::emitBytecode):
2086         (JSC::BindingNode::bindValue):
2087         (JSC::AssignmentElementNode::bindValue):
2088         (JSC::RestParameterNode::emit):
2089         * dfg/DFGAbstractInterpreterInlines.h:
2090         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2091         * dfg/DFGByteCodeParser.cpp:
2092         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
2093         (JSC::DFG::ByteCodeParser::promoteToConstant):
2094         (JSC::DFG::ByteCodeParser::needsDynamicLookup):
2095         (JSC::DFG::ByteCodeParser::planLoad):
2096         (JSC::DFG::ByteCodeParser::parseBlock):
2097         * dfg/DFGCapabilities.cpp:
2098         (JSC::DFG::capabilityLevel):
2099         * dfg/DFGClobberize.h:
2100         (JSC::DFG::clobberize):
2101         * dfg/DFGDoesGC.cpp:
2102         (JSC::DFG::doesGC):
2103         * dfg/DFGFixupPhase.cpp:
2104         (JSC::DFG::FixupPhase::fixupNode):
2105         * dfg/DFGNode.h:
2106         (JSC::DFG::Node::hasIdentifier):
2107         (JSC::DFG::Node::identifierNumber):
2108         (JSC::DFG::Node::hasGetPutInfo):
2109         (JSC::DFG::Node::getPutInfo):
2110         (JSC::DFG::Node::hasAccessorAttributes):
2111         * dfg/DFGNodeType.h:
2112         * dfg/DFGOperations.cpp:
2113         * dfg/DFGOperations.h:
2114         * dfg/DFGPredictionPropagationPhase.cpp:
2115         (JSC::DFG::PredictionPropagationPhase::propagate):
2116         * dfg/DFGSafeToExecute.h:
2117         (JSC::DFG::safeToExecute):
2118         * dfg/DFGSpeculativeJIT.cpp:
2119         (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
2120         (JSC::DFG::SpeculativeJIT::compileResolveScope):
2121         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
2122         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
2123         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2124         * dfg/DFGSpeculativeJIT.h:
2125         (JSC::DFG::SpeculativeJIT::callOperation):
2126         * dfg/DFGSpeculativeJIT32_64.cpp:
2127         (JSC::DFG::SpeculativeJIT::compile):
2128         * dfg/DFGSpeculativeJIT64.cpp:
2129         (JSC::DFG::SpeculativeJIT::compile):
2130         * ftl/FTLCapabilities.cpp:
2131         (JSC::FTL::canCompile):
2132         * ftl/FTLLowerDFGToB3.cpp:
2133         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2134         (JSC::FTL::DFG::LowerDFGToB3::compare):
2135         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
2136         (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
2137         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
2138         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
2139         * jit/CCallHelpers.h:
2140         (JSC::CCallHelpers::setupArgumentsWithExecState):
2141         * jit/JITOperations.cpp:
2142         * jit/JITOperations.h:
2143         * jit/JITPropertyAccess.cpp:
2144         (JSC::JIT::emit_op_put_to_scope):
2145         (JSC::JIT::emitSlow_op_put_to_scope):
2146         * jit/JITPropertyAccess32_64.cpp:
2147         (JSC::JIT::emit_op_put_to_scope):
2148         (JSC::JIT::emitSlow_op_put_to_scope):
2149         * llint/LLIntData.cpp:
2150         (JSC::LLInt::Data::performAssertions):
2151         * llint/LLIntSlowPaths.cpp:
2152         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2153         * llint/LowLevelInterpreter.asm:
2154         * llint/LowLevelInterpreter64.asm:
2155         * runtime/GetPutInfo.h:
2156         (JSC::resolveModeName):
2157         (JSC::initializationModeName):
2158         (JSC::isInitialization):
2159         (JSC::makeType):
2160         (JSC::GetPutInfo::GetPutInfo):
2161         * runtime/JSScope.cpp:
2162         (JSC::abstractAccess):
2163
2164 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
2165
2166         Disable AVX.
2167
2168         Rubber stamped by Benjamin Poulain.
2169
2170         AVX is silly. If you use it and some of your other code isn't careful with float register bits, you
2171         will run 10x slower. We could fix the underlying issue, but it's better to stay away from this odd
2172         instruction subset.
2173
2174         This fixes a massive regression on some real code.
2175
2176         * assembler/MacroAssemblerX86Common.h:
2177         (JSC::MacroAssemblerX86Common::supportsAVX):
2178         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
2179
2180 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
2181
2182         ToThis should have a fast path based on type info flags
2183         https://bugs.webkit.org/show_bug.cgi?id=156712
2184
2185         Reviewed by Geoffrey Garen.
2186
2187         Prior to this change, if we couldn't nail down the type of ToThis to something easy, we'd emit code
2188         that would take slow path if the argument was not a final object. We'd end up taking that slow path
2189         a lot.
2190
2191         This adds a type info flag for ToThis having non-obvious behavior and changes the DFG and FTL paths
2192         to test this flag. This is a sub-1% speed-up on SunSpider and Octane.
2193
2194         * dfg/DFGSpeculativeJIT32_64.cpp:
2195         (JSC::DFG::SpeculativeJIT::compile):
2196         * dfg/DFGSpeculativeJIT64.cpp:
2197         (JSC::DFG::SpeculativeJIT::compile):
2198         * ftl/FTLLowerDFGToB3.cpp:
2199         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
2200         * runtime/JSGlobalObject.h:
2201         (JSC::JSGlobalObject::create):
2202         * runtime/JSLexicalEnvironment.h:
2203         (JSC::JSLexicalEnvironment::create):
2204         * runtime/JSString.h:
2205         * runtime/JSTypeInfo.h:
2206         (JSC::TypeInfo::overridesGetOwnPropertySlot):
2207         (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
2208         (JSC::TypeInfo::structureIsImmortal):
2209         (JSC::TypeInfo::overridesToThis):
2210         (JSC::TypeInfo::overridesGetPropertyNames):
2211         (JSC::TypeInfo::prohibitsPropertyCaching):
2212         (JSC::TypeInfo::getOwnPropertySlotIsImpure):
2213         * runtime/StrictEvalActivation.h:
2214         (JSC::StrictEvalActivation::create):
2215         * runtime/Symbol.h:
2216
2217 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
2218
2219         Check to see how the perf bots react to megamorphic load being disabled.
2220
2221         Rubber stamped by Chris Dumez.
2222
2223         * runtime/Options.h:
2224
2225 2016-04-18  Keith Miller  <keith_miller@apple.com>
2226
2227         We should support delete in the DFG
2228         https://bugs.webkit.org/show_bug.cgi?id=156607
2229
2230         Reviewed by Benjamin Poulain.
2231
2232         This patch adds support for delete in the DFG as it appears that
2233         some major frameworks use the operation in particularly hot functions.
2234         As a result, even if the function rarely ever calls delete we would never
2235         tier up to the DFG. This patch also changes operationDeleteById to take a
2236         UniquedStringImpl and return a size_t.
2237
2238         * dfg/DFGAbstractInterpreterInlines.h:
2239         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2240         * dfg/DFGByteCodeParser.cpp:
2241         (JSC::DFG::ByteCodeParser::parseBlock):
2242         * dfg/DFGCapabilities.cpp:
2243         (JSC::DFG::capabilityLevel):
2244         * dfg/DFGClobberize.h:
2245         (JSC::DFG::clobberize):
2246         * dfg/DFGDoesGC.cpp:
2247         (JSC::DFG::doesGC):
2248         * dfg/DFGFixupPhase.cpp:
2249         (JSC::DFG::FixupPhase::fixupNode):
2250         * dfg/DFGNode.h:
2251         (JSC::DFG::Node::hasIdentifier):
2252         * dfg/DFGNodeType.h:
2253         * dfg/DFGPredictionPropagationPhase.cpp:
2254         (JSC::DFG::PredictionPropagationPhase::propagate):
2255         * dfg/DFGSafeToExecute.h:
2256         (JSC::DFG::safeToExecute):
2257         * dfg/DFGSpeculativeJIT.cpp:
2258         (JSC::DFG::SpeculativeJIT::compileDeleteById):
2259         * dfg/DFGSpeculativeJIT.h:
2260         (JSC::DFG::SpeculativeJIT::callOperation):
2261         * dfg/DFGSpeculativeJIT32_64.cpp:
2262         (JSC::DFG::SpeculativeJIT::compile):
2263         * dfg/DFGSpeculativeJIT64.cpp:
2264         (JSC::DFG::SpeculativeJIT::compile):
2265         * jit/JIT.h:
2266         * jit/JITInlines.h:
2267         (JSC::JIT::callOperation):
2268         * jit/JITOperations.cpp:
2269         * jit/JITOperations.h:
2270         * jit/JITPropertyAccess.cpp:
2271         (JSC::JIT::emit_op_del_by_id):
2272         * jit/JITPropertyAccess32_64.cpp:
2273         (JSC::JIT::emit_op_del_by_id):
2274
2275 2016-04-17  Filip Pizlo  <fpizlo@apple.com>
2276
2277         FTL should pin the tag registers at inline caches
2278         https://bugs.webkit.org/show_bug.cgi?id=156678
2279
2280         Reviewed by Saam Barati.
2281
2282         This is a long-overdue fix to our inline caches. Back when we had LLVM, we couldn't rely on the tags
2283         being pinned to any registers. So, if the inline caches needed tags, they'd have to materialize them.
2284         
2285         This removes those materializations. This should reduce the amount of code generated in inline caches
2286         and it should make inline caches faster. The effect appears to be small.
2287
2288         It may be that after this change, we'll even be able to kill the
2289         HaveTagRegisters/DoNotHaveTagRegisters logic.
2290
2291         * bytecode/PolymorphicAccess.cpp:
2292         (JSC::AccessCase::generateWithGuard):
2293         (JSC::AccessCase::generateImpl):
2294         * ftl/FTLLowerDFGToB3.cpp:
2295         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
2296         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2297         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2298         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2299         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2300         (JSC::FTL::DFG::LowerDFGToB3::getById):
2301         * jit/Repatch.cpp:
2302         (JSC::readCallTarget):
2303         (JSC::linkPolymorphicCall):
2304         * jit/ThunkGenerators.cpp:
2305         (JSC::virtualThunkFor):
2306
2307 2016-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2308
2309         [ES7] yield star should not return if the inner iterator.throw returns { done: true }
2310         https://bugs.webkit.org/show_bug.cgi?id=156576
2311
2312         Reviewed by Saam Barati.
2313
2314         This is a slight generator fix in ES7. When calling generator.throw(),
2315         the yield-star should call the throw() of the inner generator. At that
2316         time, when the result of throw() is { done: true }, the generator should
2317         not stop itself.
2318
2319             function * gen()
2320             {
2321                 yield * (function * () {
2322                     try {
2323                         yield 42;
2324                     } catch (error) { }
2325                 }());
2326                 // Continue executing.
2327                 yield 42;
2328             }
2329
2330             let g = gen();
2331             g.next();
2332             shouldBe(g.throw().value, 42);
2333
2334
2335         * builtins/GeneratorPrototype.js:
2336         (generatorResume):
2337         (next):
2338         (return):
2339         (throw):
2340         * bytecode/BytecodeIntrinsicRegistry.cpp:
2341         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2342         * bytecode/BytecodeIntrinsicRegistry.h:
2343         * bytecompiler/BytecodeGenerator.cpp:
2344         (JSC::BytecodeGenerator::emitDelegateYield):
2345         * runtime/JSGeneratorFunction.h:
2346         * tests/stress/generator-yield-star.js:
2347         (gen):
2348         * tests/stress/yield-star-throw-continue.js: Added.
2349         (shouldBe):
2350         (generator):
2351         (shouldThrow):
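
As an added example (not JSC's own code or the patch's test), the yield* delegation loop written by hand next to the native form, to show why an inner throw() that answers { done: true } must resume the outer generator rather than finish it. The driver mirrors the entry's next()-then-throw() sequence.

```javascript
// Added example (not JSC's own code): hand-written yield* delegation beside the
// native form. An inner throw() that completes with { done: true } must let the
// outer generator carry on to its next yield.

// Inner generator: catches the injected error, so its throw() completes normally.
function* inner() {
  try {
    yield 42;
  } catch (error) {
    // swallowed: the inner generator returns, and throw() reports { done: true }
  }
}

// Native delegation, as in the ChangeLog entry's test case.
function* nativeGen() {
  yield* inner();
  yield 42; // must still be reached after the delegated throw()
}

// Manual delegation: the spec's yield* loop reduced to next() and throw().
// (The return() leg is omitted; the driver below does not exercise it.)
function* manualGen() {
  const it = inner();
  let received = { kind: "next", value: undefined };
  for (;;) {
    const result = received.kind === "next"
      ? it.next(received.value)
      : it.throw(received.value);
    if (result.done) {
      // The yield* expression completes with result.value and the outer
      // generator continues. Returning here instead is exactly the bug fixed above.
      break;
    }
    try {
      received = { kind: "next", value: yield result.value };
    } catch (error) {
      // The caller invoked outer.throw(); forward it to the inner iterator.
      received = { kind: "throw", value: error };
    }
  }
  yield 42;
}

// Drive a generator the way the ChangeLog test does: next(), then throw().
// Returns what the outer generator produced and whether it is exhausted afterwards.
function driveThrow(makeGen) {
  const g = makeGen();
  const first = g.next();                          // inner suspended at `yield 42`
  const afterThrow = g.throw(new Error("injected")); // inner catches and finishes
  const tail = g.next();
  return {
    first: first.value,
    afterThrow: { value: afterThrow.value, done: afterThrow.done },
    exhausted: tail.done,
  };
}
```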
2352
2353 2016-04-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>
2354
2355         Fix incorrect assumption that APPLE implies Mac.
2356         https://bugs.webkit.org/show_bug.cgi?id=156683
2357     
2358         Addresses build failure introduced in r199094
2359
2360         Reviewed by Alex Christensen.
2361
2362         * CMakeLists.txt:
2363
2364 2016-04-17  Benjamin Poulain  <bpoulain@apple.com>
2365
2366         [JSC] ReduceDoubleToFloat should work across Phis
2367         https://bugs.webkit.org/show_bug.cgi?id=156603
2368         <rdar://problem/25736205>
2369
2370         Reviewed by Saam Barati and Filip Pizlo.
2371
2372         This patch extends B3's ReduceDoubleToFloat phase to work across
2373         Upsilon-Phis. This is important to optimize loops and some crazy cases.
2374
2375         In its simplest form, we can have conversion propagated from something
2376         like this:
2377             Double @1 = Phi()
2378             Float @2 = DoubleToFloat(@1)
2379
2380         When that happens, we just need to propagate that the result only
2381         needs float precision across all values coming to this Phi.
2382
2383
2384         There are more complicated cases when the value produced is effectively Float
2385         but the user of the value does not do DoubleToFloat.
2386
2387         Typically, we have something like:
2388             #1
2389                 @1 = ConstDouble(1)
2390                 @2 = Upsilon(@1, ^5)
2391             #2
2392                 @3 = FloatToDouble(@x)
2393                 @4 = Upsilon(@3, ^5)
2394             #3
2395                 @5 = Phi()
2396                 @6 = Add(@5, @somethingFloat)
2397                 @7 = DoubleToFloat(@6)
2398
2399         Here with a Phi-Upsilon that is a Double but can be represented
2400         as Float without loss of precision.
2401
2402         It is valuable to convert such Phis to float if and only if the value
2403         is used as float. Otherwise, you may be just adding useless conversions
2404         (for example, two double constants that flow into a double Add should not
2405         turn into two float constants flowing into a FloatToDouble then Add).
2406
2407
2408         ReduceDoubleToFloat does two analysis passes to gather the necessary
2409         meta information. Then we have a simplify() phase to actually reduce
2410         operations. Finally, the cleanup() pass puts the graph into a valid
2411         state again.
2412
2413         The two analysis passes work by disproving that something is float.
2414         - findCandidates() accumulates anything used as Double.
2415         - findPhisContainingFloat() accumulates phis that would lose precision
2416           by converting the input to float.
2417
2418         With this change, Unity3D improves by ~1.5%, box2d-f32 improves
2419         by ~2.8% (on Haswell).
2420
2421         * b3/B3ReduceDoubleToFloat.cpp:
2422         (JSC::B3::reduceDoubleToFloat):
2423         * b3/testb3.cpp:
2424         (JSC::B3::testCompareTwoFloatToDouble):
2425         (JSC::B3::testCompareOneFloatToDouble):
2426         (JSC::B3::testCompareFloatToDoubleThroughPhi):
2427         (JSC::B3::testDoubleToFloatThroughPhi):
2428         (JSC::B3::testDoubleProducerPhiToFloatConversion):
2429         (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
2430         (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
2431         (JSC::B3::testStoreDoubleConstantAsFloat):
2432         (JSC::B3::run):
2433         * tests/stress/double-compare-to-float.js: Added.
2434         (canSimplifyToFloat):
2435         (canSimplifyToFloatWithConstant):
2436         (cannotSimplifyA):
2437         (cannotSimplifyB):
2438         * tests/stress/double-to-float.js: Added.
2439         (upsilonReferencingItsPhi):
2440         (upsilonReferencingItsPhiAllFloat):
2441         (upsilonReferencingItsPhiWithoutConversion):
2442         (conversionPropagages):
2443         (chainedUpsilonBothConvert):
2444         (chainedUpsilonFirstConvert):
2445
2446 2016-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2447
2448         [ES6] Use @isObject to check Object Type instead of using instanceof
2449         https://bugs.webkit.org/show_bug.cgi?id=156676
2450
2451         Reviewed by Darin Adler.
2452
2453         Use @isObject instead of `instanceof @Object`.
2454         The `instanceof` check is not enough to check Object Type.
2455         For example, given 2 realms, the object created in one realm does not inherit the Object of another realm.
2456         Another example is an object that does not inherit from Object.
2457         This object can be easily created by calling `Object.create(null)`.
2458
2459         * builtins/RegExpPrototype.js:
2460         (match):
2461         * jsc.cpp:
2462         (GlobalObject::finishCreation):
2463         (functionCreateGlobalObject):
2464         * tests/stress/regexp-match-in-other-realm-should-work.js: Added.
2465         (shouldBe):
2466         * tests/stress/regexp-match-should-work-with-objects-not-inheriting-object-prototype.js: Added.
2467         (shouldBe):
2468         (regexp.exec):
2469
2470 2016-04-17  Darin Adler  <darin@apple.com>
2471
2472         Remove more uses of Deprecated::ScriptXXX
2473         https://bugs.webkit.org/show_bug.cgi?id=156660
2474
2475         Reviewed by Antti Koivisto.
2476
2477         * bindings/ScriptFunctionCall.cpp:
2478         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted
2479         unneeded overloads that take a ScriptObject and ScriptValue.
2480         * bindings/ScriptFunctionCall.h: Ditto.
2481
2482         * bindings/ScriptObject.h: Added operator so this can change
2483         itself into a JSObject*. Helps while phasing this class out.
2484
2485         * bindings/ScriptValue.h: Export toInspectorValue so it can be
2486         used in WebCore.
2487
2488         * inspector/InjectedScriptManager.cpp:
2489         (Inspector::InjectedScriptManager::createInjectedScript): Changed
2490         return value from Deprecated::ScriptObject to JSObject*.
2491         (Inspector::InjectedScriptManager::injectedScriptFor): Updated for
2492         the return value change above.
2493         * inspector/InjectedScriptManager.h: Ditto.
2494
2495 2016-04-16  Benjamin Poulain  <bpoulain@webkit.org>
2496
2497         [JSC] DFG should support relational comparisons of Number and Other
2498         https://bugs.webkit.org/show_bug.cgi?id=156669
2499
2500         Reviewed by Darin Adler.
2501
2502         In Sunspider/3d-raytrace, DFG falls back to JSValue in some important
2503         relational compare because profiling sees "undefined" from time to time.
2504
2505         This case is fairly common outside Sunspider too because of out-of-bounds array access.
2506         Unfortunately for us, our fallback for compare is really inefficient.
2507
2508         Fortunately, relational comparison with null/undefined/true/false is trivial.
2509         We can just convert both sides to Double. That's what this patch adds.
2510
2511         I also extended constant folding for those cases because I noticed
2512         a bunch of "undefined" constants going through DoubleRep at runtime.
2513
2514         * dfg/DFGAbstractInterpreterInlines.h:
2515         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2516         * dfg/DFGFixupPhase.cpp:
2517         (JSC::DFG::FixupPhase::fixupNode):
2518         * tests/stress/compare-number-and-other.js: Added.
2519         (opaqueSideEffect):
2520         (let.operator.of.operators.eval.testPolymorphic):
2521         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval.testMonomorphic):
2522         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicLeftConstant):
2523         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicRightConstant):
2524         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.i.testPolymorphic):
2525
2526 2016-04-16  Benjamin Poulain  <bpoulain@apple.com>
2527
2528         [JSC] FRound/Negate can produce an impure NaN out of a pure NaN
2529         https://bugs.webkit.org/show_bug.cgi?id=156528
2530
2531         Reviewed by Filip Pizlo.
2532
2533         If you fround a double with the bits 0xfff7000000000000
2534         you get 0xfffe000000000000. The first is a pure NaN, the second isn't.
2535
2536         This is without a test because I could not find a way to create a 0xfff7000000000000
2537         while convincing the DFG that it's pure.
2538         When we purify NaNs from typed array, we use a specific value of NaN if the input
2539         is any NaN, making testing tricky.
2540
2541         * bytecode/SpeculatedType.cpp:
2542         (JSC::typeOfDoubleNegation):
2543
2544 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
2545
2546         JS::DFG::nodeValuePairListDump does not compile with libstdc++ 4.8
2547         https://bugs.webkit.org/show_bug.cgi?id=156670
2548
2549         Reviewed by Darin Adler.
2550
2551         * dfg/DFGNode.h:
2552         (JSC::DFG::nodeValuePairListDump): Modified to use lambda as comparator.
2553
2554 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
2555
2556         [mips] Implemented moveZeroToDouble.
2557         https://bugs.webkit.org/show_bug.cgi?id=155429
2558
2559         Reviewed by Darin Adler.
2560
2561         This function is required to fix compilation after r197687.
2562
2563         * assembler/MacroAssemblerMIPS.h:
2564         (JSC::MacroAssemblerMIPS::moveZeroToDouble):
2565
2566 2016-04-15  Darin Adler  <darin@apple.com>
2567
2568         Reduce use of Deprecated::ScriptXXX classes
2569         https://bugs.webkit.org/show_bug.cgi?id=156632
2570
2571         Reviewed by Alex Christensen.
2572
2573         * bindings/ScriptFunctionCall.cpp:
2574         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted version that takes a Deprecated::ScriptValue.
2575         (Deprecated::ScriptFunctionCall::call): Changed to return a JSValue.
2576         * bindings/ScriptFunctionCall.h: Updated for the above.
2577
2578         * bindings/ScriptValue.cpp:
2579         (Inspector::jsToInspectorValue): Moved from Deprecated namespace to Inspector namespace. Later, we should
2580         move this to another source file in the inspector directory.
2581         (Inspector::toInspectorValue): Added.
2582         (Deprecated::ScriptValue::toInspectorValue): Updated for change to underlying function.
2583         * bindings/ScriptValue.h: Update for the above.
2584
2585         * inspector/InjectedScript.cpp:
2586         (Inspector::InjectedScript::evaluateOnCallFrame): Changed arguments and return values from
2587         Deprecated::ScriptValue to JSC::JSValue.
2588         (Inspector::InjectedScript::functionDetails): Ditto.
2589         (Inspector::InjectedScript::wrapCallFrames): Ditto.
2590         (Inspector::InjectedScript::wrapObject): Ditto.
2591         (Inspector::InjectedScript::wrapTable): Ditto.
2592         (Inspector::InjectedScript::previewValue): Ditto.
2593         (Inspector::InjectedScript::setExceptionValue): Ditto.
2594         (Inspector::InjectedScript::findObjectById): Ditto.
2595         (Inspector::InjectedScript::inspectObject): Ditto.
2596         * inspector/InjectedScript.h: Ditto.
2597         * inspector/InjectedScriptBase.cpp:
2598         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled): Ditto.
2599         (Inspector::InjectedScriptBase::makeCall): Ditto.
2600         * inspector/InjectedScriptBase.h: Ditto.
2601         * inspector/InjectedScriptModule.cpp:
2602         (Inspector::InjectedScriptModule::ensureInjected): Ditto.
2603         * inspector/ScriptDebugListener.h: Ditto.
2604         * inspector/ScriptDebugServer.cpp:
2605         (Inspector::ScriptDebugServer::evaluateBreakpointAction): Ditto.
2606         (Inspector::ScriptDebugServer::dispatchDidPause): Ditto.
2607         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
2608         (Inspector::ScriptDebugServer::exceptionOrCaughtValue): Ditto.
2609         * inspector/ScriptDebugServer.h: Ditto.
2610         * inspector/agents/InspectorDebuggerAgent.cpp:
2611         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): Ditto.
2612         (Inspector::InspectorDebuggerAgent::didPause): Ditto.
2613         (Inspector::InspectorDebuggerAgent::breakpointActionProbe): Ditto.
2614         (Inspector::InspectorDebuggerAgent::didContinue): Ditto.
2615         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): Ditto.
2616         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
2617         * inspector/agents/InspectorHeapAgent.cpp:
2618         (Inspector::InspectorHeapAgent::getPreview): Ditto.
2619         (Inspector::InspectorHeapAgent::getRemoteObject): Ditto.
2620
2621 2016-04-15  Keith Miller  <keith_miller@apple.com>
2622
2623         Some JIT/DFG operations need NativeCallFrameTracers
2624         https://bugs.webkit.org/show_bug.cgi?id=156650
2625
2626         Reviewed by Michael Saboff.
2627
2628         Some of our operation functions did not have native call frame
2629         tracers. This meant that we would crash occasionally on some
2630         of our tests when they triggered a GC in one of the functions
2631         without a tracer. In particular, this was exemplified by another
2632         upcoming patch when calling operationSetFunctionName.
2633
2634         This patch does not add tests since this happens consistently in
2635         the patch adding delete_by_id to the DFG.
2636
2637         * dfg/DFGOperations.cpp:
2638         * jit/JITOperations.cpp:
2639
2640 2016-04-15  Joseph Pecoraro  <pecoraro@apple.com>
2641
2642         Web Inspector: sourceMappingURL not used when sourceURL is set
2643         https://bugs.webkit.org/show_bug.cgi?id=156021
2644         <rdar://problem/25438417>
2645
2646         Reviewed by Timothy Hatcher.
2647
2648         Clean up Debugger.sourceParsed to separately include:
2649
2650             - url ("resource URL", "source url" in JSC APIs)
2651             - sourceURL - //# sourceURL directive
2652
2653         By always having the resource URL the Web Inspector frontend
2654         can better match this Script to a Resource of the same URL,
2655         and decide to use the sourceURL if it is available when
2656         appropriate.
2657
2658         * inspector/protocol/Debugger.json:
2659         * inspector/agents/InspectorDebuggerAgent.cpp:
2660         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2661         (Inspector::InspectorDebuggerAgent::didParseSource):
2662         Send the new sourceParsed parameters.
2663
2664 2016-04-14  Joseph Pecoraro  <pecoraro@apple.com>
2665
2666         Web Inspector: Cleanup inspector/debugger tests
2667         https://bugs.webkit.org/show_bug.cgi?id=156619
2668
2669         Reviewed by Brian Burg.
2670
2671         While cleaning up the tests it exposed the fact that breakpoints
2672         were not getting disabled when the inspector closes. This means
2673         that opening the inspector, with breakpoints, and closing the
2674         inspector, would leave the JSC::Debugger thinking breakpoints
2675         are active. The JSC::Debugger should be reset.
2676
2677         * inspector/agents/InspectorDebuggerAgent.cpp:
2678         (Inspector::InspectorDebuggerAgent::disable):
2679
2680 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
2681
2682         CopiedBlock should be 64kB
2683
2684         Reviewed by Benjamin Poulain.
2685
2686         Let's try another value.
2687
2688         This is 25% faster on kraken-audio-beat-detection on Mac Pro.
2689
2690         * heap/CopiedBlock.h:
2691
2692 2016-04-15  Zan Dobersek  <zdobersek@igalia.com>
2693
2694         Tail call optimizations lead to crashes on ARM Thumb + Linux
2695         https://bugs.webkit.org/show_bug.cgi?id=150083
2696
2697         Reviewed by Csaba Osztrogonác.
2698
2699         * assembler/AbstractMacroAssembler.h:
2700         (JSC::AbstractMacroAssembler::repatchNearCall): In case of a tail call relink to the
2701         data location of the destination, and not the executable address. This is needed for
2702         the ARM Thumb2 platform where both the source and destination addresses of a jump relink
2703         must not have the bottom bit decorated, as asserted in ARMv7Assembler::relinkJump().
2704         * jit/Repatch.cpp:
2705         (JSC::linkPolymorphicCall): Similarly, when linking a tail call we must link to the
2706         address that has a non-decorated bottom bit, as asserted in ARMv7Assembler::linkJumpAbsolute().
2707
2708 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
2709
2710         Unreviewed, rolling out r199567.
2711
2712         performance regression on kraken on macbook*
2713
2714         Reverted changeset:
2715
2716         "CopiedBlock should be 8kB"
2717         https://bugs.webkit.org/show_bug.cgi?id=156610
2718         http://trac.webkit.org/changeset/199567
2719
2720 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
2721
2722         CopiedBlock should be 8kB
2723         https://bugs.webkit.org/show_bug.cgi?id=156610
2724
2725         Reviewed by Michael Saboff.
2726
2727         On Mac Pro, this is:
2728
2729             15% faster on kraken-audio-beat-detection
2730
2731             5% faster on v8-splay
2732
2733         Hopefully, this will be OK on MacBook* bots as well.
2734
2735         32kB is the full size of L1 cache on x86. So, allocating and zero-filling
2736         a 32kB CopiedBlock would basically flush the L1 cache. We can ameliorate
2737         this problem by using smaller blocks -- or, if that doesn't work, we can
2738         use larger blocks to amortize the cost.
2739
2740         * heap/CopiedBlock.h:
2741
2742 2016-04-14  Filip Pizlo  <fpizlo@apple.com>
2743
2744         PolymorphicAccess should try to generate a stub only once
2745         https://bugs.webkit.org/show_bug.cgi?id=156555
2746
2747         Reviewed by Geoffrey Garen.
2748         
2749         This changes the PolymorphicAccess heuristics to reduce the amount of code generation even
2750         more than before. We used to always generate a monomorphic stub for the first case we saw.
2751         This change disables that. This change also increases the buffering countdown to match the
2752         cool-down repatch count. This means that we will allow for ten slow paths for adding cases,
2753         then we will generate a stub, and then we will go into cool-down and the repatching slow
2754         paths will not even attempt repatching for a while. After we emerge from cool-down - which
2755         requires a bunch of slow path calls - we will again wait for ten slow paths to get new
2756         cases. Note that it only takes 13 cases to cause the stub to give up on future repatching
2757         entirely. Also, most stubs don't ever get to 10 cases. Therefore, for most stubs this change
2758         means that each IC will repatch once. If they make it to two repatching, then the likelihood
2759         of a third becomes infinitesimal because of all of the rules that come into play at that
2760         point (the size limit being 13, the fact that we go into exponential cool-down every time we
2761         generate code, and the fact that if we have lots of self cases then we will create a
2762         catch-all megamorphic load case).
2763
2764         This also undoes a change to the megamorphic optimization that I think was unintentional.
2765         As in the change that originally introduced megamorphic loads, we want to do this only if we
2766         would otherwise exhaust the max size of the IC. This is because megamorphic loads are pretty
2767         expensive and it's best to use them only if we know that the alternative is giving up on
2768         caching.
2769
2770         This is neutral on JS benchmarks, but looks like it's another speed-up for page loading.
2771
2772         * bytecode/PolymorphicAccess.cpp:
2773         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
2774         (JSC::AccessCase::canReplace):
2775         (JSC::AccessCase::dump):
2776         (JSC::PolymorphicAccess::regenerate):
2777         * bytecode/StructureStubInfo.cpp:
2778         (JSC::StructureStubInfo::StructureStubInfo):
2779         * runtime/Options.h:
2780
2781 2016-04-14  Mark Lam  <mark.lam@apple.com>
2782
2783         Update treatment of invoking RegExp.prototype methods on RegExp.prototype.
2784         https://bugs.webkit.org/show_bug.cgi?id=155922
2785
2786         Reviewed by Keith Miller.
2787
2788         According to the TC39 committee, when invoking the following RegExp.prototype
2789         methods on the RegExp.prototype:
2790         1. RegExp.prototype.flags yields ""
2791         2. RegExp.prototype.global yields undefined
2792         3. RegExp.prototype.ignoreCase yields undefined
2793         4. RegExp.prototype.multiline yields undefined
2794         5. RegExp.prototype.unicode yields undefined
2795         6. RegExp.prototype.source yields "(?:)"
2796         7. RegExp.prototype.sticky yields undefined
2797         8. RegExp.prototype.toString() yields "/(?:)/"
2798
2799         and RegExp.prototype is still NOT an instance of RegExp.  The above behavior
2800         changes are a special dispensation applicable only to RegExp.prototype.  The ES6
2801         spec of throwing errors still applies if those methods are applied to anything
2802         else that is not a RegExp object.
2803
2804         * runtime/RegExpPrototype.cpp:
2805         (JSC::regExpProtoGetterGlobal):
2806         (JSC::regExpProtoGetterIgnoreCase):
2807         (JSC::regExpProtoGetterMultiline):
2808         (JSC::regExpProtoGetterSticky):
2809         (JSC::regExpProtoGetterUnicode):
2810         (JSC::regExpProtoGetterFlags):
2811         (JSC::regExpProtoGetterSource):
2812         - Implemented new behavior.
2813
2814         * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
2815         (test):
2816         - Updated to match current kangax test.
2817
2818 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
2819
2820         Some imported ES6 tests are missing __createIterableObject
2821         https://bugs.webkit.org/show_bug.cgi?id=156584
2822
2823         Reviewed by Keith Miller.
2824
2825         These tests were failing because I neglected to include __createIterableObject
2826         when I first imported them. Now they pass.
2827
2828         * tests/es6.yaml:
2829         * tests/es6/Array_static_methods_Array.from_generic_iterables.js:
2830         (iterator.next):
2831         (iterable.Symbol.iterator):
2832         (__createIterableObject):
2833         (test):
2834         * tests/es6/Array_static_methods_Array.from_instances_of_generic_iterables.js:
2835         (iterator.next):
2836         (iterable.Symbol.iterator):
2837         (__createIterableObject):
2838         (test):
2839         * tests/es6/Array_static_methods_Array.from_iterator_closing.js:
2840         (iterator.next):
2841         (iterable.Symbol.iterator):
2842         (__createIterableObject):
2843         * tests/es6/Array_static_methods_Array.from_map_function_generic_iterables.js:
2844         (iterator.next):
2845         (iterable.Symbol.iterator):
2846         (__createIterableObject):
2847         (test):
2848         * tests/es6/Array_static_methods_Array.from_map_function_instances_of_iterables.js:
2849         (iterator.next):
2850         (iterable.Symbol.iterator):
2851         (__createIterableObject):
2852         (test):
2853         * tests/es6/Map_iterator_closing.js:
2854         (iterator.next):
2855         (iterable.Symbol.iterator):
2856         (__createIterableObject):
2857         * tests/es6/Promise_Promise.all_generic_iterables.js:
2858         (iterator.next):
2859         (iterable.Symbol.iterator):
2860         (__createIterableObject):
2861         (test.asyncTestPassed):
2862         * tests/es6/Promise_Promise.race_generic_iterables.js:
2863         (iterator.next):
2864         (iterable.Symbol.iterator):
2865         (__createIterableObject):
2866         (test.asyncTestPassed):
2867         * tests/es6/Set_iterator_closing.js:
2868         (iterator.next):
2869         (iterable.Symbol.iterator):
2870         (__createIterableObject):
2871         * tests/es6/WeakMap_iterator_closing.js:
2872         (iterator.next):
2873         (iterable.Symbol.iterator):
2874         (__createIterableObject):
2875         * tests/es6/WeakSet_iterator_closing.js:
2876         (iterator.next):
2877         (iterable.Symbol.iterator):
2878         (__createIterableObject):
2879         * tests/es6/destructuring_iterator_closing.js:
2880         (iterator.next):
2881         (iterable.Symbol.iterator):
2882         (__createIterableObject):
2883         * tests/es6/destructuring_with_generic_iterables.js:
2884         (iterator.next):
2885         (iterable.Symbol.iterator):
2886         (__createIterableObject):
2887         (test):
2888         * tests/es6/destructuring_with_instances_of_generic_iterables.js:
2889         (iterator.next):
2890         (iterable.Symbol.iterator):
2891         (__createIterableObject):
2892         (test):
2893         * tests/es6/for..of_loops_iterator_closing_break.js:
2894         (iterator.next):
2895         (iterable.Symbol.iterator):
2896         (__createIterableObject):
2897         * tests/es6/for..of_loops_iterator_closing_throw.js:
2898         (iterator.next):
2899         (iterable.Symbol.iterator):
2900         (__createIterableObject):
2901         * tests/es6/for..of_loops_with_generic_iterables.js:
2902         (iterator.next):
2903         (iterable.Symbol.iterator):
2904         (__createIterableObject):
2905         (test):
2906         * tests/es6/for..of_loops_with_instances_of_generic_iterables.js:
2907         (iterator.next):
2908         (iterable.Symbol.iterator):
2909         (__createIterableObject):
2910         (test):
2911         * tests/es6/generators_yield_star_generic_iterables.js:
2912         (iterator.next):
2913         (iterable.Symbol.iterator):
2914         (__createIterableObject):
2915         * tests/es6/generators_yield_star_iterator_closing_via_throw.js:
2916         (iterator.next):
2917         (iterable.Symbol.iterator):
2918         (__createIterableObject):
2919         * tests/es6/spread_..._operator_with_generic_iterables_in_arrays.js:
2920         (iterator.next):
2921         (iterable.Symbol.iterator):
2922         (__createIterableObject):
2923         (test):
2924         * tests/es6/spread_..._operator_with_generic_iterables_in_calls.js:
2925         (iterator.next):
2926         (iterable.Symbol.iterator):
2927         (__createIterableObject):
2928         (test):
2929         * tests/es6/spread_..._operator_with_instances_of_iterables_in_arrays.js:
2930         (iterator.next):
2931         (iterable.Symbol.iterator):
2932         (__createIterableObject):
2933         (test):
2934         * tests/es6/spread_..._operator_with_instances_of_iterables_in_calls.js:
2935         (iterator.next):
2936         (iterable.Symbol.iterator):
2937         (__createIterableObject):
2938         (test):
2939
2940 2016-04-13  Alex Christensen  <achristensen@webkit.org>
2941
2942         CMake MiniBrowser should be an app bundle
2943         https://bugs.webkit.org/show_bug.cgi?id=156521
2944
2945         Reviewed by Brent Fulgham.
2946
2947         * PlatformMac.cmake:
2948         Unreviewed build fix.  Define __STDC_WANT_LIB_EXT1__ so we can find memset_s.
2949
2950 2016-04-13  Joseph Pecoraro  <pecoraro@apple.com>
2951
2952         JSContext Inspector: Improve Class instances and JSC API Exported Values view in Console / ObjectTree
2953         https://bugs.webkit.org/show_bug.cgi?id=156566
2954         <rdar://problem/16392365>
2955
2956         Reviewed by Timothy Hatcher.
2957
2958         * inspector/InjectedScriptSource.js:
2959         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
2960         Treat non-basic object types as not lossless so they can be expanded.
2961         Show non-enumerable native getters in Object previews.
2962
2963 2016-04-13  Michael Saboff  <msaboff@apple.com>
2964
2965         Some tests fail with ES6 `u` (Unicode) flag for regular expressions
2966         https://bugs.webkit.org/show_bug.cgi?id=151597
2967
2968         Reviewed by Geoffrey Garen.
2969
2970         Added two new tables to handle the anomalies of \w and \W CharacterClassEscapes
2971         when specified in RegExps with both the unicode and ignoreCase flags.  Given the
2972         case folding rules described in the standard via the meta function Canonicalize(),
2973         which allow cross ASCII case folding when unicode is specified, the unicode characters
2974         \u017f (small sharp s) and \u212a (kelvin symbol) are part of the \w (word) characterClassEscape.
2975         This is true because they case fold to 's' and 'k' respectively.  Because they case fold
2976         to lower case letters, the corresponding letters, 'k', 'K', 's' and 'S', are also matched with
2977         \W with the unicode and ignoreCase flags.
2978
2979         * create_regex_tables:
2980         * yarr/YarrPattern.cpp:
2981         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
2982         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
2983         (JSC::Yarr::YarrPattern::YarrPattern):
2984         * yarr/YarrPattern.h:
2985         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
2986         (JSC::Yarr::YarrPattern::wordUnicodeIgnoreCaseCharCharacterClass):
2987         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
2988         (JSC::Yarr::YarrPattern::nonwordUnicodeIgnoreCaseCharCharacterClass):
2989
2990 2016-04-13  Commit Queue  <commit-queue@webkit.org>
2991
2992         Unreviewed, rolling out r199502 and r199511.
2993         https://bugs.webkit.org/show_bug.cgi?id=156557
2994
2995         Appears to have in-browser perf regression (Requested by mlam
2996         on #webkit).
2997
2998         Reverted changesets:
2999
3000         "ES6: Implement String.prototype.split and
3001         RegExp.prototype[@@split]."
3002         https://bugs.webkit.org/show_bug.cgi?id=156013
3003         http://trac.webkit.org/changeset/199502
3004
3005         "ES6: Implement RegExp.prototype[@@search]."
3006         https://bugs.webkit.org/show_bug.cgi?id=156331
3007         http://trac.webkit.org/changeset/199511
3008
3009 2016-04-13  Keith Miller  <keith_miller@apple.com>
3010
3011         isJSArray should use ArrayType rather than the ClassInfo
3012         https://bugs.webkit.org/show_bug.cgi?id=156551
3013
3014         Reviewed by Filip Pizlo.
3015
3016         Using the JSType rather than the ClassInfo should be slightly faster
3017         since the type is inline on the cell whereas the ClassInfo is only
3018         on the structure.
3019
3020         * runtime/JSArray.h:
3021         (JSC::isJSArray):
3022
3023 2016-04-13  Mark Lam  <mark.lam@apple.com>
3024
3025         ES6: Implement RegExp.prototype[@@search].
3026         https://bugs.webkit.org/show_bug.cgi?id=156331
3027
3028         Reviewed by Keith Miller.
3029
3030         What changed?
3031         1. Implemented search builtin in RegExpPrototype.js.
3032            The native path is now used as a fast path.
3033         2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
3034            IsJSArrayIntrinsic).
3035         3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
3036         4. Change the esSpecIsRegExpObject() implementation to check if the object's
3037            JSType is RegExpObjectType instead of walking the classinfo chain.
3038
3039         * builtins/RegExpPrototype.js:
3040         (search):
3041         * builtins/StringPrototype.js:
3042         (search):
3043         - fixed some indentation.
3044
3045         * dfg/DFGAbstractInterpreterInlines.h:
3046         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3047         * dfg/DFGByteCodeParser.cpp:
3048         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3049         * dfg/DFGClobberize.h:
3050         (JSC::DFG::clobberize):
3051         * dfg/DFGDoesGC.cpp:
3052         (JSC::DFG::doesGC):
3053         * dfg/DFGFixupPhase.cpp:
3054         (JSC::DFG::FixupPhase::fixupNode):
3055         * dfg/DFGNodeType.h:
3056         * dfg/DFGPredictionPropagationPhase.cpp:
3057         (JSC::DFG::PredictionPropagationPhase::propagate):
3058         * dfg/DFGSafeToExecute.h:
3059         (JSC::DFG::safeToExecute):
3060         * dfg/DFGSpeculativeJIT.cpp:
3061         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
3062         (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
3063         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
3064         * dfg/DFGSpeculativeJIT.h:
3065         * dfg/DFGSpeculativeJIT32_64.cpp:
3066         (JSC::DFG::SpeculativeJIT::compile):
3067         * dfg/DFGSpeculativeJIT64.cpp:
3068         (JSC::DFG::SpeculativeJIT::compile):
3069         * ftl/FTLCapabilities.cpp:
3070         (JSC::FTL::canCompile):
3071         * ftl/FTLLowerDFGToB3.cpp:
3072         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3073         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
3074         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
3075         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
3076         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
3077         (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
3078         (JSC::FTL::DFG::LowerDFGToB3::isType):
3079         * runtime/Intrinsic.h:
3080         - Added IsRegExpObjectIntrinsic.
3081
3082         * runtime/CommonIdentifiers.h:
3083
3084         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3085         (JSC::esSpecIsConstructor):
3086         - Changed to use uncheckedArgument since this is only called from internal code.
3087         (JSC::esSpecIsRegExpObject):
3088         (JSC::esSpecIsRegExp): Deleted.
3089         * runtime/ECMAScriptSpecInternalFunctions.h:
3090         - Changed to check the object for a JSType of RegExpObjectType.
3091
3092         * runtime/JSGlobalObject.cpp:
3093         (JSC::JSGlobalObject::init):
3094         - Added split fast path.
3095
3096         * runtime/RegExpPrototype.cpp:
3097         (JSC::RegExpPrototype::finishCreation):
3098         (JSC::regExpProtoFuncSearchFast):
3099         (JSC::regExpProtoFuncSearch): Deleted.
3100         * runtime/RegExpPrototype.h:
3101
3102         * tests/es6.yaml:
3103         * tests/stress/regexp-search.js:
3104         - Rebased test.
3105
3106 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
3107
3108         PolymorphicAccess::regenerate() shouldn't have to clone non-generated AccessCases
3109         https://bugs.webkit.org/show_bug.cgi?id=156493
3110
3111         Reviewed by Geoffrey Garen.
3112
3113         Cloning AccessCases is only necessary if they hold some artifacts that are used by code that
3114         they already generated. So, if the state is not Generated, we don't have to bother with
3115         cloning them.
3116
3117         This should speed up PolymorphicAccess regeneration a bit more.
3118
3119         * bytecode/PolymorphicAccess.cpp:
3120         (JSC::AccessCase::commit):
3121         (JSC::PolymorphicAccess::regenerate):
3122
3123 2016-04-13  Mark Lam  <mark.lam@apple.com>
3124
3125         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
3126         https://bugs.webkit.org/show_bug.cgi?id=156013
3127
3128         Reviewed by Keith Miller.
3129
3130         Re-landing r199393 now that the shadow chicken crash has been fixed.
3131
3132         * CMakeLists.txt:
3133         * JavaScriptCore.xcodeproj/project.pbxproj:
3134         * builtins/GlobalObject.js:
3135         (speciesConstructor):
3136         * builtins/PromisePrototype.js:
3137         - refactored to use the @speciesConstructor internal function.
3138
3139         * builtins/RegExpPrototype.js:
3140         (advanceStringIndex):
3141         - refactored from @advanceStringIndexUnicode() to match the spec.
3142           Benchmarks show that there's no advantage in doing the unicode check outside
3143           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
3144           spec (especially since @@split needs to call advanceStringIndex from more than
3145           1 location).
3146         (match):
3147         - Removed an unnecessary call to @Object because it was already proven above.
3148         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
3149           Again, there's no perf regression for this.
3150         (regExpExec):
3151         (hasObservableSideEffectsForRegExpSplit):
3152         (split):
3153         (advanceStringIndexUnicode): Deleted.
3154
3155         * builtins/StringPrototype.js:
3156         (split):
3157         - Modified to use RegExp.prototype[@@split].
3158
3159         * bytecode/BytecodeIntrinsicRegistry.cpp:
3160         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3161         (JSC::BytecodeIntrinsicRegistry::lookup):
3162         * bytecode/BytecodeIntrinsicRegistry.h:
3163         - Added the @@split symbol.
3164
3165         * runtime/CommonIdentifiers.h:
3166         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
3167         (JSC::esSpecIsConstructor):
3168         (JSC::esSpecIsRegExp):
3169         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
3170
3171         * runtime/JSGlobalObject.cpp:
3172         (JSC::getGetterById):
3173         (JSC::JSGlobalObject::init):
3174
3175         * runtime/PropertyDescriptor.cpp:
3176         (JSC::PropertyDescriptor::setDescriptor):
3177         - Removed an assert that is no longer valid.
3178
3179         * runtime/RegExpObject.h:
3180         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
3181           fast path.
3182
3183         * runtime/RegExpPrototype.cpp:
3184         (JSC::RegExpPrototype::finishCreation):
3185         (JSC::regExpProtoFuncExec):
3186         (JSC::regExpProtoFuncSearch):
3187         (JSC::advanceStringIndex):
3188         (JSC::regExpProtoFuncSplitFast):
3189         * runtime/RegExpPrototype.h:
3190
3191         * runtime/StringObject.h:
3192         (JSC::jsStringWithReuse):
3193         (JSC::jsSubstring):
3194         - Hoisted some utility functions from StringPrototype.cpp so that they can be
3195           reused by the regexp split fast path.
3196
3197         * runtime/StringPrototype.cpp:
3198         (JSC::StringPrototype::finishCreation):
3199         (JSC::stringProtoFuncSplitFast):
3200         (JSC::stringProtoFuncSubstr):
3201         (JSC::builtinStringSubstrInternal):
3202         (JSC::stringProtoFuncSubstring):
3203         (JSC::stringIncludesImpl):
3204         (JSC::stringProtoFuncIncludes):
3205         (JSC::builtinStringIncludesInternal):
3206         (JSC::jsStringWithReuse): Deleted.
3207         (JSC::jsSubstring): Deleted.
3208         (JSC::stringProtoFuncSplit): Deleted.
3209         * runtime/StringPrototype.h:
3210
3211         * tests/es6.yaml:
3212
3213 2016-04-13  Mark Lam  <mark.lam@apple.com>
3214
3215         ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
3216         https://bugs.webkit.org/show_bug.cgi?id=156532
3217
3218         Reviewed by Saam Barati and Filip Pizlo.
3219
3220         ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in
3221         the callee field of a log packet.  However, ShadowChicken::visitChildren()
3222         unconditionally visits the callee field of each packet as if they are real
3223         objects.  If visitChildren() encounters one of these markers in the log, we get a
3224         crash.
3225
3226         This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow
3227         chicken when r199393 landed.  r199393 introduced tail calls to a RegExp split
3228         fast path, and the v8-regexp.js test exercised this fast path a lot.  Throw in
3229         some timely GCs, and we get a crash party.
3230
3231         The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and
3232         throwMarker.
3233
3234         Alternatively, if perf is an issue, we can allocate 2 dedicated objects for
3235         these markers so that ShadowChicken can continue to visit them.  For now, I'm
3236         going with the filter.
3237
3238         * interpreter/ShadowChicken.cpp:
3239         (JSC::ShadowChicken::visitChildren):
3240
3241 2016-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3242
3243         [ES6] Add @@toStringTag to GeneratorFunction
3244         https://bugs.webkit.org/show_bug.cgi?id=156499
3245
3246         Reviewed by Mark Lam.
3247
3248         GeneratorFunction.prototype has @@toStringTag property, "GeneratorFunction".
3249         https://tc39.github.io/ecma262/#sec-generatorfunction.prototype-@@tostringtag
3250
3251         * runtime/GeneratorFunctionPrototype.cpp:
3252         (JSC::GeneratorFunctionPrototype::finishCreation):
3253         * tests/es6.yaml:
3254         * tests/es6/well-known_symbols_Symbol.toStringTag_new_built-ins.js: Added.
3255         (test):
3256
3257 2016-04-13  Alberto Garcia  <berto@igalia.com>
3258
3259         Fix build in glibc-based BSD systems
3260         https://bugs.webkit.org/show_bug.cgi?id=156533
3261
3262         Reviewed by Carlos Garcia Campos.
3263
3264         Change the order of the #elif conditionals so glibc-based BSD
3265         systems (e.g. Debian GNU/kFreeBSD) use the code inside the
3266         OS(FREEBSD) blocks.
3267
3268         * heap/MachineStackMarker.cpp:
3269         (JSC::MachineThreads::Thread::Registers::stackPointer):
3270         (JSC::MachineThreads::Thread::Registers::framePointer):
3271         (JSC::MachineThreads::Thread::Registers::instructionPointer):
3272         (JSC::MachineThreads::Thread::Registers::llintPC):
3273
3274 2016-04-12  Keith Miller  <keith_miller@apple.com>
3275
3276         Unreviewed undo change from ArrayClass to ArrayWithUndecided, which
3277         was not intended to land with r199397.
3278
3279         * runtime/ArrayPrototype.h:
3280         (JSC::ArrayPrototype::createStructure):
3281
3282 2016-04-12  Mark Lam  <mark.lam@apple.com>
3283
3284         Rollout: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
3285         https://bugs.webkit.org/show_bug.cgi?id=156013
3286
3287         Speculative rollout to fix 32-bit shadow-chicken.yaml/tests/v8-v6/v8-regexp.js.shadow-chicken test failure.
3288
3289         Not reviewed.
3290
3291         * CMakeLists.txt:
3292         * JavaScriptCore.xcodeproj/project.pbxproj:
3293         * builtins/GlobalObject.js:
3294         (speciesGetter):
3295         (speciesConstructor): Deleted.
3296         * builtins/PromisePrototype.js:
3297         * builtins/RegExpPrototype.js:
3298         (advanceStringIndexUnicode):
3299         (match):
3300         (advanceStringIndex): Deleted.
3301         (regExpExec): Deleted.
3302         (hasObservableSideEffectsForRegExpSplit): Deleted.
3303         (split): Deleted.
3304         * builtins/StringPrototype.js:
3305         (repeat):
3306         (split): Deleted.
3307         * bytecode/BytecodeIntrinsicRegistry.cpp:
3308         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3309         (JSC::BytecodeIntrinsicRegistry::lookup):
3310         * bytecode/BytecodeIntrinsicRegistry.h:
3311         * runtime/CommonIdentifiers.h:
3312         * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed.
3313         * runtime/ECMAScriptSpecInternalFunctions.h: Removed.
3314         * runtime/JSGlobalObject.cpp:
3315         (JSC::JSGlobalObject::setGlobalThis):
3316         (JSC::JSGlobalObject::init):
3317         (JSC::getGetterById): Deleted.
3318         * runtime/PropertyDescriptor.cpp:
3319         (JSC::PropertyDescriptor::setDescriptor):
3320         * runtime/RegExpObject.h:
3321         (JSC::RegExpObject::offsetOfLastIndexIsWritable):
3322         * runtime/RegExpPrototype.cpp:
3323         (JSC::RegExpPrototype::finishCreation):
3324         (JSC::regExpProtoFuncExec):
3325         (JSC::regExpProtoFuncSearch):
3326         (JSC::advanceStringIndex): Deleted.
3327         (JSC::regExpProtoFuncSplitFast): Deleted.
3328         * runtime/RegExpPrototype.h:
3329         * runtime/StringObject.h:
3330         (JSC::jsStringWithReuse): Deleted.
3331         (JSC::jsSubstring): Deleted.
3332         * runtime/StringPrototype.cpp:
3333         (JSC::StringPrototype::finishCreation):
3334         (JSC::jsStringWithReuse):
3335         (JSC::jsSubstring):
3336         (JSC::substituteBackreferencesSlow):
3337         (JSC::splitStringByOneCharacterImpl):
3338         (JSC::stringProtoFuncSplit):
3339         (JSC::stringProtoFuncSubstr):
3340         (JSC::stringProtoFuncSubstring):
3341         (JSC::stringProtoFuncEndsWith):
3342         (JSC::stringProtoFuncIncludes):
3343         (JSC::stringProtoFuncIterator):
3344         (JSC::stringProtoFuncSplitFast): Deleted.
3345         (JSC::builtinStringSubstrInternal): Deleted.
3346         (JSC::stringIncludesImpl): Deleted.
3347         (JSC::builtinStringIncludesInternal): Deleted.
3348         * runtime/StringPrototype.h:
3349         * tests/es6.yaml:
3350
3351 2016-04-12  Mark Lam  <mark.lam@apple.com>
3352
3353         Remove 2 unused JSC options.
3354         https://bugs.webkit.org/show_bug.cgi?id=156526
3355
3356         Reviewed by Benjamin Poulain.
3357
3358         The options JSC_assertICSizing and JSC_dumpFailedICSizing are no longer in use
3359         now that we have B3.
3360
3361         * runtime/Options.h:
3362
3363 2016-04-12  Keith Miller  <keith_miller@apple.com>
3364
3365         [ES6] Add support for Symbol.isConcatSpreadable.
3366         https://bugs.webkit.org/show_bug.cgi?id=155351
3367
3368         Reviewed by Saam Barati.
3369
3370         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
3371         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
3372         a builtin performant. First, four new DFG intrinsics were added.
3373
3374         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
3375            the Array.isArray function.
3376         2) IsJSArray: checks the first child is a JSArray object.
3377         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.