Added new port JSCOnly.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-03-13  Konstantin Tokarev  <annulen@yandex.ru>
2
3         Added new port JSCOnly.
4         https://bugs.webkit.org/show_bug.cgi?id=154512
5
6         Reviewed by Michael Catanzaro.
7
8         This port allows to build JavaScriptCore engine with minimal
9         dependencies.
10
11         * PlatformJSCOnly.cmake: Added.
12
13 2016-03-12  Mark Lam  <mark.lam@apple.com>
14
15         http://kangax.github.io/compat-table/esnext/ crashes reliably.
16         https://bugs.webkit.org/show_bug.cgi?id=155404
17
18         Reviewed by Yusuke Suzuki.
19
20         constructObjectFromPropertyDescriptor() was incorrectly assuming that either
21         both getter and setter will be set or unset.  It did not consider that only one
22         of the getter or setter may be set.  This patch fixes that.
23
24         * runtime/ObjectConstructor.h:
25         (JSC::constructObjectFromPropertyDescriptor):
26         * tests/stress/proxy-with-unbalanced-getter-setter.js: Added.
27         (assert):
28         (let.handler.defineProperty):
29         (i.):
30         (i.assert):
31         (i.get assert):
32         (set assert):
33
34 2016-03-12  Brian Burg  <bburg@apple.com>
35
36         When generating Objective-C protocol types, getters for objects need to synthesize a new object instance
37         https://bugs.webkit.org/show_bug.cgi?id=155389
38         <rdar://problem/25125821>
39
40         Reviewed by Timothy Hatcher.
41
42         Currently, in object property getters for Objective-C protocol types, we use
43         a C-style cast of the member's RWIProtocolJSONObject * to the type of the property.
44         However, at runtime the class of `self` is going to be RWIProtocolJSONObject *,
45         not MemberType *, so any subsequent calls to MemberType properties on the return value
46         will fail as the selectors will not be recognized.
47
48         Instead of doing a C-style pointer cast, we need to create a new MemberType object
49         that's backed by the InspectorObject retrieved from the parent object by key.
50         This requires a new initWithJSONObject initializer for each object protocol type.
51
52         * inspector/scripts/codegen/generate_objc_header.py:
53         (ObjCHeaderGenerator._generate_type_interface): Add new declaration.
54
55         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
56         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
57         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Added.
58         Forward through to the super class initializer who assigns the underlying InspectorObject.
59
60         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
61         Drive-by cleanup to use the more compact [super init] form.
62
63         * inspector/scripts/codegen/objc_generator.py:
64         (ObjCGenerator.protocol_to_objc_expression_for_member):
65         For property getters of objects, use initWithJSONObject: rather than a C-style cast.
66
67         Rebaseline relevant test results.
68
69         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
70         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
71         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
72         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
73         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
74         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
75         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
76
77 2016-03-12  Konstantin Tokarev  <annulen@yandex.ru>
78
79         Removed variable names from default constructor declarations.
80         https://bugs.webkit.org/show_bug.cgi?id=155397
81
82         Reviewed by Mark Lam.
83
84         They carry no information and generate unused variable warning with GCC
85         4.8 in a lot of source files.
86
87         * parser/VariableEnvironment.h:
88
89 2016-03-12  Myles C. Maxfield  <mmaxfield@apple.com>
90
91         Delete dead SVG Font code
92         https://bugs.webkit.org/show_bug.cgi?id=154718
93
94         Reviewed by Antti Koivisto.
95
96         * Configurations/FeatureDefines.xcconfig:
97
98 2016-03-11  Benjamin Poulain  <bpoulain@apple.com>
99
100         [JSC] Remove a few jumps from DFG
101         https://bugs.webkit.org/show_bug.cgi?id=155347
102
103         Reviewed by Mark Lam.
104
105         Usually, setting ValueTrue or ValueFalse is set
106         by Compare+Or. There are 3 places in DFG with branches instead.
107
108         This patch changes them to the usual pattern.
109
110         * dfg/DFGSpeculativeJIT64.cpp:
111         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
112         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
113
114 2016-03-11  Saam barati  <sbarati@apple.com>
115
116         [ES6] Make Object.assign spec compliant
117         https://bugs.webkit.org/show_bug.cgi?id=155375
118
119         Reviewed by Michael Saboff.
120
121         This is a straight forward implementation of Object.assign
122         in the spec.
123         https://tc39.github.io/ecma262/#sec-object.assign
124         Before, weren't performing all of the specified operations.
125         Now, we are.
126
127         * builtins/ObjectConstructor.js:
128         (assign):
129         * runtime/CommonIdentifiers.h:
130         * runtime/JSGlobalObject.cpp:
131         (JSC::JSGlobalObject::init):
132         * tests/es6.yaml:
133
134 2016-03-11  Mark Lam  <mark.lam@apple.com>
135
136         Implement Function.name and Function#toString for ES6 class.
137         https://bugs.webkit.org/show_bug.cgi?id=155336
138
139         Reviewed by Geoffrey Garen.
140
141         The only thing that the ES6 spec says about toString with regards to class
142         objects is:
143
144         "The string representation must have the syntax of a FunctionDeclaration,
145         FunctionExpression, GeneratorDeclaration, GeneratorExpression, ClassDeclaration,
146         ClassExpression, ArrowFunction, MethodDefinition, or GeneratorMethod depending
147         upon the actual characteristics of the object."
148
149         Previously, invoking toString() on a class object will return the function
150         source string of the class' constructor function.  This does not conform to the
151         spec in that the toString string for a class does not have the syntax of a
152         ClassDeclaration or ClassExpression.
153
154         This is now fixed by doing the following:
155
156         1. Added "m_classSource" to FunctionExecutable (and correspondingly to
157            UnlinkedFunctionExecutable, FunctionMetadataNode, and ClassExprNode).
158            m_classSource is the SourceCode for the code range "class ... { ... }".
159
160            Since the class constructor function is the in memory representation of the
161            class object, only class constructor functions will have its m_classSource
162            set.  m_classSource will be "null" (by default) for all other functions.
163            This is how we know if a FunctionExecutable is for a class.
164
165            Note: FunctionExecutable does not have its own m_classSource.  It always gets
166            it from its UnlinkedFunctionExecutable.  This is ok to do because our CodeCache
167            currently does not cache UnlinkedFunctionExecutables for class constructors.
168
169         2. The ClassExprNode now tracks the SourceCode range for the class expression.
170            This is used to set m_classSource in the UnlinkedFunctionExecutable at
171            bytecode generation time, and the FunctionExecutable later at bytecode
172            linking time.
173
174         3. Function.prototype.toString() now checks if the function is for a class.
175            If so, it returns the string for the class source instead of just the
176            function source for the class constructor.
177
178            Note: the class source is static from the time the class was parsed.  This
179            can introduces some weirdness at runtime.  Consider the following:
180
181                var v1 = class {}
182                v1.toString(); // yields "class {}".
183
184                class c2 extends v1 {}
185
186                c2.__proto__ === v1; // yields true i.e. c2 extends v1.
187                c2.toString(); // yields "class c2 extends v1 {}" which is fine.
188
189                v1 = {}; // point v1 to something else now.
190
191                c2.__proto__ === v1; // now yields false i.e. c2 no longer extends v1.
192                                     // c2 actually extends the class that v1 used to
193                                     // point to, but ...
194                c2.toString(); // still yields "class c2 extends v1 {}" which is no longer true.
195
196            It is unclear how we can best implement toString() to avoid this issue.
197            The above behavior is how Chrome (Version 51.0.2671.0 canary (64-bit))
198            currently implements toString() of a class, and we do the same in this patch.
199            In Firefox (45.0), toString() of a class will yield the function source of it
200            constructor function, which is not better.
201
202         In this patch, we also added ES6 compliance for Function.name on class objects:
203
204         4. The ClassExprNode now has a m_ecmaName string for tracking the inferred
205            name of a class according to the ES6 spec.  The ASTBuilder now mirrors its
206            handling of FuncExprNodes to ClassExprNodes in setting the nodes' m_ecmaName
207            where relevant.
208
209            The m_ecmaName is later used to set the m_ecmaName of the FunctionExecutable
210            of the class constructor, which in turn is used to populate the initial value
211            of the Function.name property.
212
213         5. Also renamed some variable names (/m_metadata/metadata/) to be consistent with
214            webkit naming convention.
215
216         * bytecode/UnlinkedFunctionExecutable.cpp:
217         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
218         * bytecode/UnlinkedFunctionExecutable.h:
219         * bytecompiler/BytecodeGenerator.cpp:
220         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
221         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
222         * bytecompiler/BytecodeGenerator.h:
223         * bytecompiler/NodesCodegen.cpp:
224         (JSC::ClassExprNode::emitBytecode):
225         * parser/ASTBuilder.h:
226         (JSC::ASTBuilder::createAssignResolve):
227         (JSC::ASTBuilder::createYield):
228         (JSC::ASTBuilder::createClassExpr):
229         (JSC::ASTBuilder::createFunctionExpr):
230         (JSC::ASTBuilder::createProperty):
231         (JSC::ASTBuilder::makeAssignNode):
232         * parser/NodeConstructors.h:
233         (JSC::FunctionParameters::FunctionParameters):
234         (JSC::BaseFuncExprNode::BaseFuncExprNode):
235         (JSC::FuncExprNode::FuncExprNode):
236         (JSC::FuncDeclNode::FuncDeclNode):
237         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
238         (JSC::ClassDeclNode::ClassDeclNode):
239         (JSC::ClassExprNode::ClassExprNode):
240         * parser/Nodes.h:
241         (JSC::ExpressionNode::isDestructuringNode):
242         (JSC::ExpressionNode::isFuncExprNode):
243         (JSC::ExpressionNode::isArrowFuncExprNode):
244         (JSC::ExpressionNode::isClassExprNode):
245         (JSC::ExpressionNode::isCommaNode):
246         (JSC::ExpressionNode::isSimpleArray):
247         (JSC::ExpressionNode::isAdd):
248         * parser/Parser.cpp:
249         (JSC::stringForFunctionMode):
250         (JSC::Parser<LexerType>::parseFunctionInfo):
251         (JSC::Parser<LexerType>::parseClass):
252         * parser/ParserFunctionInfo.h:
253         * parser/SyntaxChecker.h:
254         (JSC::SyntaxChecker::createEmptyLetExpression):
255         (JSC::SyntaxChecker::createYield):
256         (JSC::SyntaxChecker::createClassExpr):
257         (JSC::SyntaxChecker::createFunctionExpr):
258         (JSC::SyntaxChecker::createFunctionMetadata):
259         (JSC::SyntaxChecker::createArrowFunctionExpr):
260         * runtime/Executable.cpp:
261         (JSC::FunctionExecutable::FunctionExecutable):
262         (JSC::FunctionExecutable::finishCreation):
263         * runtime/Executable.h:
264         * runtime/FunctionPrototype.cpp:
265         (JSC::functionProtoFuncToString):
266         * tests/es6.yaml:
267
268 2016-03-11  Commit Queue  <commit-queue@webkit.org>
269
270         Unreviewed, rolling out r197994.
271         https://bugs.webkit.org/show_bug.cgi?id=155368
272
273         Broke several ARM tests (Requested by msaboff on #webkit).
274
275         Reverted changeset:
276
277         "[JSC] Add register reuse for ArithAdd of an Int32 and
278         constant in DFG"
279         https://bugs.webkit.org/show_bug.cgi?id=155164
280         http://trac.webkit.org/changeset/197994
281
282 2016-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
283
284         [ES6] Implement Reflect.set without receiver support
285         https://bugs.webkit.org/show_bug.cgi?id=155024
286
287         Reviewed by Geoffrey Garen.
288
289         This patch implements Reflect.set.
290         The challenge in this patch is Reflect.set requires boolean result of [[Set]],
291         this is not propagated in the previous JSC put implementation.
292
293         This patch changes the put and putByIndex signature from `void put(...)` and `void putByIndex(...)` to `bool put(...)` and `bool putByIndex(...)`,
294         more consistent style to the ECMA262 spec's [[Set]].
295
296         This patch modifies so many part of WebKit. But almost all the changes are mechanical ones.
297
298         Currently, this patch does not support receiver modification support.
299         This will be supported in the subsequent patch[1].
300
301         [1]: https://bugs.webkit.org/show_bug.cgi?id=155294
302
303         * API/JSCallbackObject.h:
304         * API/JSCallbackObjectFunctions.h:
305         (JSC::JSCallbackObject<Parent>::put):
306         (JSC::JSCallbackObject<Parent>::putByIndex):
307         * debugger/DebuggerScope.cpp:
308         (JSC::DebuggerScope::put):
309         * debugger/DebuggerScope.h:
310         * jsc.cpp:
311         (WTF::RuntimeArray::put):
312         * runtime/ClassInfo.h:
313         * runtime/ClonedArguments.cpp:
314         (JSC::ClonedArguments::put):
315         * runtime/ClonedArguments.h:
316         * runtime/CustomGetterSetter.cpp:
317         (JSC::callCustomSetter):
318         * runtime/CustomGetterSetter.h:
319         * runtime/GenericArguments.h:
320         * runtime/GenericArgumentsInlines.h:
321         (JSC::GenericArguments<Type>::put):
322         (JSC::GenericArguments<Type>::putByIndex):
323         * runtime/GetterSetter.cpp:
324         (JSC::callSetter):
325         * runtime/GetterSetter.h:
326         * runtime/JSArray.cpp:
327         (JSC::JSArray::defineOwnProperty):
328         (JSC::JSArray::put):
329         (JSC::JSArray::push):
330         * runtime/JSArray.h:
331         * runtime/JSArrayBuffer.cpp:
332         (JSC::JSArrayBuffer::put):
333         * runtime/JSArrayBuffer.h:
334         * runtime/JSArrayBufferView.cpp:
335         (JSC::JSArrayBufferView::put):
336         * runtime/JSArrayBufferView.h:
337         * runtime/JSCJSValue.cpp:
338         (JSC::JSValue::putToPrimitive):
339         (JSC::JSValue::putToPrimitiveByIndex):
340         * runtime/JSCJSValue.h:
341         * runtime/JSCJSValueInlines.h:
342         (JSC::JSValue::put):
343         (JSC::JSValue::putInline):
344         (JSC::JSValue::putByIndex):
345         * runtime/JSCell.cpp:
346         (JSC::JSCell::put):
347         (JSC::JSCell::putByIndex):
348         * runtime/JSCell.h:
349         * runtime/JSDataView.cpp:
350         (JSC::JSDataView::put):
351         * runtime/JSDataView.h:
352         * runtime/JSFunction.cpp:
353         (JSC::JSFunction::put):
354         (JSC::JSFunction::defineOwnProperty):
355         * runtime/JSFunction.h:
356         * runtime/JSGenericTypedArrayView.h:
357         * runtime/JSGenericTypedArrayViewInlines.h:
358         (JSC::JSGenericTypedArrayView<Adaptor>::put):
359         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
360         * runtime/JSGlobalLexicalEnvironment.cpp:
361         (JSC::JSGlobalLexicalEnvironment::put):
362         * runtime/JSGlobalLexicalEnvironment.h:
363         * runtime/JSGlobalObject.cpp:
364         (JSC::JSGlobalObject::put):
365         * runtime/JSGlobalObject.h:
366         * runtime/JSLexicalEnvironment.cpp:
367         (JSC::JSLexicalEnvironment::put):
368         * runtime/JSLexicalEnvironment.h:
369         * runtime/JSModuleEnvironment.cpp:
370         (JSC::JSModuleEnvironment::put):
371         * runtime/JSModuleEnvironment.h:
372         * runtime/JSModuleNamespaceObject.cpp:
373         (JSC::JSModuleNamespaceObject::put):
374         (JSC::JSModuleNamespaceObject::putByIndex):
375         * runtime/JSModuleNamespaceObject.h:
376         * runtime/JSModuleRecord.cpp:
377         (JSC::JSModuleRecord::instantiateDeclarations):
378         * runtime/JSObject.cpp:
379         (JSC::JSObject::put):
380         (JSC::JSObject::putInlineSlow):
381         (JSC::JSObject::putByIndex):
382         (JSC::JSObject::putGetter):
383         (JSC::JSObject::putSetter):
384         (JSC::JSObject::putDirectAccessor):
385         (JSC::JSObject::putDirectCustomAccessor):
386         (JSC::JSObject::putDirectNonIndexAccessor):
387         (JSC::JSObject::putIndexedDescriptor):
388         (JSC::JSObject::defineOwnIndexedProperty):
389         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
390         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
391         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
392         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
393         (JSC::JSObject::putByIndexBeyondVectorLength):
394         (JSC::JSObject::putDirectNativeIntrinsicGetter):
395         (JSC::JSObject::putDirectNativeFunction):
396         (JSC::JSObject::putDirectMayBeIndex):
397         (JSC::validateAndApplyPropertyDescriptor):
398         * runtime/JSObject.h:
399         (JSC::JSObject::putByIndexInline):
400         (JSC::JSObject::putDirect):
401         * runtime/JSObjectInlines.h:
402         (JSC::JSObject::putInline):
403         * runtime/JSProxy.cpp:
404         (JSC::JSProxy::put):
405         (JSC::JSProxy::putByIndex):
406         * runtime/JSProxy.h:
407         * runtime/JSSymbolTableObject.h:
408         (JSC::symbolTablePut):
409         (JSC::symbolTablePutTouchWatchpointSet):
410         (JSC::symbolTablePutInvalidateWatchpointSet):
411         (JSC::symbolTablePutWithAttributesTouchWatchpointSet):
412         * runtime/Lookup.h:
413         (JSC::putEntry):
414         (JSC::lookupPut):
415         * runtime/ProxyObject.cpp:
416         (JSC::ProxyObject::performPut):
417         (JSC::ProxyObject::put):
418         (JSC::ProxyObject::putByIndexCommon):
419         (JSC::ProxyObject::putByIndex):
420         * runtime/ProxyObject.h:
421         * runtime/PutPropertySlot.h:
422         * runtime/ReflectObject.cpp:
423         (JSC::reflectObjectSet):
424         * runtime/RegExpConstructor.cpp:
425         (JSC::setRegExpConstructorInput):
426         (JSC::setRegExpConstructorMultiline):
427         * runtime/RegExpObject.cpp:
428         (JSC::RegExpObject::defineOwnProperty):
429         (JSC::regExpObjectSetLastIndexStrict):
430         (JSC::regExpObjectSetLastIndexNonStrict):
431         (JSC::RegExpObject::put):
432         * runtime/RegExpObject.h:
433         * runtime/SparseArrayValueMap.cpp:
434         (JSC::SparseArrayValueMap::putEntry):
435         (JSC::SparseArrayEntry::put):
436         * runtime/SparseArrayValueMap.h:
437         * runtime/StringObject.cpp:
438         (JSC::StringObject::put):
439         (JSC::StringObject::putByIndex):
440         * runtime/StringObject.h:
441         * tests/es6.yaml:
442         * tests/modules/namespace.js:
443         * tests/stress/reflect-set.js: Added.
444         (shouldBe):
445         (shouldThrow):
446         (receiverCase.object2.set Cocoa):
447         (receiverCase):
448         (proxyCase):
449         (objectCase.set get shouldBe):
450         (objectCase.get shouldBe):
451         (arrayCase.set get shouldBe):
452         (arrayCase.get shouldBe):
453         (arrayBufferCase.set get shouldBe):
454         (arrayBufferCase.get shouldBe):
455         (set get shouldBe):
456         (get shouldBe):
457         (argumentCase.test1):
458         (argumentCase.test2):
459         (argumentCase.test3):
460         (argumentCase.test4.set get shouldBe):
461         (argumentCase.test5.get shouldBe):
462         (argumentStrictCase.test1):
463         (argumentStrictCase.test2):
464         (argumentStrictCase.test3):
465         (argumentStrictCase.test4.set get shouldBe):
466         (argumentStrictCase.test5.get shouldBe):
467         (stringObjectCase.set get shouldBe):
468         (stringObjectCase.get shouldBe):
469         (customSetter.test1):
470         (customSetter.test2):
471         (customSetter.test3):
472         (customSetter):
473         (regExpLastIndex):
474         (functionCase.func):
475
476 2016-03-10  Brian Burg  <bburg@apple.com>
477
478         Web Inspector: generated initWithPayload: protocol object initializers should recursively decode array and object members
479         https://bugs.webkit.org/show_bug.cgi?id=155337
480         <rdar://problem/25098357>
481
482         Reviewed by Timothy Hatcher.
483
484         In cases where an object member is itself an object or array, we were
485         not calling initWithPayload: on the object member itself. So, this caused
486         a runtime error when constructing the outer object because the generated
487         code casted the NSDictionary/NSArray into the member's protocol object type.
488
489         * inspector/scripts/codegen/objc_generator.py:
490         (ObjCGenerator.payload_to_objc_expression_for_member):
491         Do a straightforward call to initWithPayload: for objects. For arrays,
492         call a templated helper function which does the same thing. The helper
493         is used to make this array decoding fit into a single generated expression.
494
495         Rebaseline relevant test results.
496
497         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
498         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
499         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
500
501 2016-03-10  Keith Miller  <keith_miller@apple.com>
502
503         Unreviewed, fix Changelog. git merged poorly.
504
505 2016-03-10  Keith Miller  <keith_miller@apple.com>
506
507         Unreviewed, fix testapi.
508
509         * API/tests/TypedArrayCTest.cpp:
510         (testAccess):
511         (testConstructors):
512         (forEachTypedArrayType):
513         (testTypedArrayCAPI):
514
515 2016-03-10  Saam barati  <sbarati@apple.com>
516
517         [ES6] Make RegExp.prototype.toString spec compliant
518         https://bugs.webkit.org/show_bug.cgi?id=155341
519
520         Reviewed by Filip Pizlo.
521
522         Before we were directly calling into the flagsString
523         function. Instead, we must get the "flags" property
524         of the thisObject. This will usually call into the flags
525         getter, but not always. Specifically, you can you a Proxy
526         to observe this behavior.
527
528         * runtime/RegExpPrototype.cpp:
529         (JSC::regExpProtoFuncToString):
530         (JSC::regExpProtoGetterGlobal):
531         * tests/es6.yaml:
532         * tests/es6/Proxy_internal_get_calls_RegExp.prototype.toString.js: Added.
533         (test.get var):
534         (test.):
535         * tests/stress/regexp-prototype-tostring.js: Added.
536         (assert):
537         (test):
538         (test.get var):
539         (test.):
540         (let.handler.get switch):
541         (let.handler):
542         (get test):
543         (test.get RegExp):
544
545 2016-03-10  Benjamin Poulain  <bpoulain@apple.com>
546
547         [JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG
548         https://bugs.webkit.org/show_bug.cgi?id=155164
549
550         Reviewed by Geoffrey Garen.
551
552         Every "inc" in loop was looking like this:
553             move rX, rY
554             inc rY
555             jo 0x230f4a200580
556
557         This patch add register Reuse to that case to remove
558         the extra "move".
559
560         * dfg/DFGOSRExit.h:
561         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
562         (JSC::DFG::SpeculationRecovery::immediate):
563         * dfg/DFGOSRExitCompiler32_64.cpp:
564         (JSC::DFG::OSRExitCompiler::compileExit):
565         * dfg/DFGOSRExitCompiler64.cpp:
566         (JSC::DFG::OSRExitCompiler::compileExit):
567         * dfg/DFGSpeculativeJIT.cpp:
568         (JSC::DFG::SpeculativeJIT::compileArithAdd):
569         * tests/stress/arith-add-with-constant-overflow.js: Added.
570         (opaqueAdd):
571
572 2016-03-10  Keith Miller  <keith_miller@apple.com>
573
574         Unreviewed, build fix for r197983, hopefully.
575
576         * API/WebKitAvailability.h:
577
578 2016-03-10  Keith Miller  <keith_miller@apple.com>
579
580         Typed Arrays have no public facing API
581         https://bugs.webkit.org/show_bug.cgi?id=120112
582
583         Reviewed by Geoffrey Garen.
584
585         This patch adds a new C-API (an Obj-C API will follow in the future) for Typed Arrays. The API has two sets of
586         functions. One for Typed Arrays and another for Array Buffers. This API is intended to reflect the use of Typed
587         Array objects in JS code. There is a method for each of the core TypedArray and Array Buffer methods.
588         Originally, we were planning on using a separate non-JS object as the backing store instead of a JS Array Buffer
589         but we decide to defer that idea since there was no good CF/NS API that met all the constraints we needed
590         (Discussed further below). We also wanted to want until Shared Array Buffers had reached a more finished state
591         to see what impact they might have on an API.
592
593         The API has the following Typed Array construction methods:
594         1) Create with length (the backing buffer is zero initialized). -- JSObjectMakeTypedArray
595         2) Create with an existing pointer and a destructor. -- JSObjectMakeTypedArrayFromBytesNoCopy
596         3) Create with an Array Buffer object. -- JSObjectMakeTypedArrayFromArrayBuffer
597         4) Create with an Array Buffer object with a given offset and length. -- JSObjectMakeTypedArrayFromArrayBufferWithOffset
598
599         The API has the following functions on Typed Array JSObjectRefs:
600         5) Get access to a temporary void* of the backing store's data. -- JSObjectGetTypedArrayBytesPtr
601         6) Get the length of a Typed Array object (returns 0 if it is not a Typed Array object). -- JSObjectGetTypedArrayLength
602         7) Get the byte length of a Typed Array object (returns 0 if it is not a Typed Array object). -- JSObjectGetTypedArrayByteLength
603         8) Get the byte offset of a Typed Array object (returns 0 if it is not a Typed Array object). -- JSObjectGetTypedArrayByteOffset
604         9) Get a Typed Array object's Array Buffer  backing store. -- JSObjectGetTypedArrayBuffer
605
606         The API has the following Array Buffer construction method:
607         10) Create with an existing pointer and a destructor. -- JSObjectMakeArrayBufferWithBytesNoCopy
608
609         The API has the following functions on Array Buffer JSObjectRefs:
610         11) Get access to a temporary void* of the backing store's data. -- JSObjectGetArrayBufferBytesPtr
611         12) Get the byte length of an Array Buffer object (returns 0 if it is not an Array Buffer object). -- JSObjectGetArrayBufferByteLength
612
613         The API adds the following new typedefs and enumerations:
614         13) A typedef representing the function pointer type used to deallocate byte pointers provided to constructors. -- JSTypedArrayByesDeallocator
615         14) An enumeration indicating the Typed Array API type of a JSValueRef. -- JSTypedArrayType
616
617         Finally, The API has the following function to get Typed Array Types:
618         15)  Get the Typed Array type of a JS value. -- JSValueGetTypedArrayType
619
620         There are a couple of things to note about these functions. Calling JSObjectGetTypedArrayBytesPtr (5) or
621         JSObjectGetArrayBufferBytesPtr (12) will pin and lock the ArrayBuffer's data for the remaining lifetime of that
622         ArrayBuffer. This is because, currently, we do not have finalizers for our Array Buffers or Typed Arrays with a
623         backing ArrayBuffer and adding one would likely incur a non-trivial cost to GC. Also, we do not have a direct
624         way to make a Typed Array from a pointer with an offset as we do not expect using offsets to be a common use
625         case of the API.
626
627         While it would have been nice to integrate our backing store with CFData or one of its subclasses, it is not
628         possible to force a CFData/CFMutableData to be both writable and have a fixed size/backing store pointer.
629         NSData is not writable and CFMutableData can have a fixed pointer if it is allocated with a non-zero capacity
630         but there is no way for us to force an existing CFMutableData into this state.
631
632         * API/APIUtils.h: Copied from Source/JavaScriptCore/runtime/ArrayBuffer.cpp.
633         (handleExceptionIfNeeded):
634         (setException):
635         * API/JSBase.h:
636         * API/JSObjectRef.cpp:
637         (handleExceptionIfNeeded): Deleted.
638         * API/JSTypedArray.cpp: Added.
639         (toJSTypedArrayType):
640         (toTypedArrayType):
641         (createTypedArray):
642         (JSValueGetTypedArrayType):
643         (JSObjectMakeTypedArray):
644         (JSObjectMakeTypedArrayWithBytesNoCopy):
645         (JSObjectMakeTypedArrayWithArrayBuffer):
646         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
647         (JSObjectGetTypedArrayBytesPtr):
648         (JSObjectGetTypedArrayLength):
649         (JSObjectGetTypedArrayByteLength):
650         (JSObjectGetTypedArrayByteOffset):
651         (JSObjectGetTypedArrayBuffer):
652         (JSObjectMakeArrayBufferWithBytesNoCopy):
653         (JSObjectGetArrayBufferBytesPtr):
654         (JSObjectGetArrayBufferByteLength):
655         * API/JSTypedArray.h: Added.
656         * API/JSValueRef.cpp:
657         (handleExceptionIfNeeded): Deleted.
658         * API/JSValueRef.h:
659         * API/JavaScript.h:
660         * API/WebKitAvailability.h:
661         * API/tests/TypedArrayCTest.cpp: Added.
662         (id):
663         (freePtr):
664         (assertEqualsAsNumber):
665         (testAccess):
666         (testConstructors):
667         (forEachTypedArrayType):
668         (testTypedArrayCAPI):
669         * API/tests/TypedArrayCTest.h: Added.
670         * API/tests/testapi.c:
671         (main):
672         * CMakeLists.txt:
673         * ForwardingHeaders/JavaScriptCore/JSTypedArray.h: Added.
674         * JavaScriptCore.xcodeproj/project.pbxproj:
675         * PlatformEfl.cmake:
676         * PlatformGTK.cmake:
677         * runtime/ArrayBuffer.cpp:
678         (JSC::ArrayBuffer::transfer):
679         * runtime/ArrayBuffer.h:
680         (JSC::arrayBufferDestructorNull):
681         (JSC::arrayBufferDestructorDefault):
682         (JSC::ArrayBufferContents::ArrayBufferContents):
683         (JSC::ArrayBufferContents::transfer):
684         (JSC::ArrayBuffer::createAdopted):
685         (JSC::ArrayBuffer::createFromBytes):
686         (JSC::ArrayBuffer::ArrayBuffer):
687         (JSC::ArrayBuffer::pinAndLock):
688         (JSC::ArrayBufferContents::tryAllocate):
689         (JSC::ArrayBufferContents::~ArrayBufferContents):
690         * shell/PlatformWin.cmake:
691
692 2016-03-10  Saam barati  <sbarati@apple.com>
693
694         [ES6] Instanceof isn't spec compliant when the RHS is a Proxy with a target that is a function
695         https://bugs.webkit.org/show_bug.cgi?id=155329
696
697         Reviewed by Mark Lam.
698
699         We use type info flags on the structure to dictate whether or not 
700         the RHS of an instanceof is a valid RHS (i.e, a function). The solution
701         to make Proxy a valid RHS when the Proxy's target is callable is to have
702         two different structures for ProxyObject: one for a non-callable target 
703         and one for a callable target.
704
705         * runtime/JSGlobalObject.cpp:
706         (JSC::JSGlobalObject::init):
707         (JSC::JSGlobalObject::visitChildren):
708         * runtime/JSGlobalObject.h:
709         (JSC::JSGlobalObject::moduleRecordStructure):
710         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
711         (JSC::JSGlobalObject::proxyObjectStructure):
712         (JSC::JSGlobalObject::callableProxyObjectStructure):
713         (JSC::JSGlobalObject::proxyRevokeStructure):
714         (JSC::JSGlobalObject::wasmModuleStructure):
715         * runtime/ProxyConstructor.cpp:
716         (JSC::makeRevocableProxy):
717         (JSC::constructProxyObject):
718         (JSC::ProxyConstructor::getConstructData):
719         * runtime/ProxyObject.cpp:
720         (JSC::ProxyObject::ProxyObject):
721         (JSC::ProxyObject::structureForTarget):
722         (JSC::ProxyObject::finishCreation):
723         * runtime/ProxyObject.h:
724         (JSC::ProxyObject::create):
725         (JSC::ProxyObject::createStructure):
726         * tests/es6.yaml:
727         * tests/stress/proxy-instanceof.js: Added.
728         (assert):
729         (test):
730         (C):
731         (test.let.handler.get if):
732         (test.let.handler):
733
734 2016-03-10  Michael Saboff  <msaboff@apple.com>
735
736         [ES6] RegExp sticky flag should be ignored in String.match when global flag is given
737         https://bugs.webkit.org/show_bug.cgi?id=155332
738
739         Reviewed by Saam Barati.
740
741         Removed logic from stringProtoFuncMatch that handles the case where both global and sticky flags are set.
742
743         * runtime/StringPrototype.cpp:
744         (JSC::stringProtoFuncMatch):
745
746 2016-03-10  Michael Saboff  <msaboff@apple.com>
747
748         [ES6] Allow RegExp constructor to take pattern from an existing RegExp with new flags
749         https://bugs.webkit.org/show_bug.cgi?id=155315
750
751         Reviewed by Saam Barati.
752
753         Changed to comply with section 21.2.3.1, step 5.  Eliminated syntax error.
754
755         In the process, change to get the VM at the top of the function.
756
757         Updated tests accordingly.
758
759         * runtime/RegExpConstructor.cpp:
760         (JSC::constructRegExp):
761         * tests/es6.yaml: Changed miscellaneous_RegExp_constructor_can_alter_flags.js to normal.
762         * tests/mozilla/mozilla-tests.yaml: Disabled ecma_3/RegExp/15.10.4.1-5-n.js as it checks
763         for the old behavior of throwing a syntax error.
764
765 2016-03-10  Saam barati  <sbarati@apple.com>
766
767         [ES6] Make ToPropertyDescriptor spec compliant
768         https://bugs.webkit.org/show_bug.cgi?id=155313
769
770         Reviewed by Mark Lam.
771
772         We were performing HasProperty(.) and Get(.) in the same operation.
773         This isn't valid according to the spec and it's user observable
774         behavior with Proxy. This patch fixes ToPropertyDescriptor to use
775         two distinct operations for HasProperty(.) and Get(.).
776
777         * runtime/ObjectConstructor.cpp:
778         (JSC::ownEnumerablePropertyKeys):
779         (JSC::toPropertyDescriptor):
780         * tests/es6.yaml:
781         * tests/stress/to-property-key-correctness.js: Added.
782         (assert):
783         (test):
784         (test.let.handler.has):
785         (arrayEq):
786         (let.handler.has):
787         (let.target):
788         (set get let):
789
790 2016-03-10  Brian Burg  <bburg@apple.com>
791
792         Web Inspector: report the underlying parser error message when JSON parsing fails
793         https://bugs.webkit.org/show_bug.cgi?id=155303
794         <rdar://problem/25088939>
795
796         Reviewed by Timothy Hatcher.
797
798         * inspector/scripts/generate-inspector-protocol-bindings.py:
799         (generate_from_specification.load_specification):
800         Stringize the underlying error so we can see what it says.
801
802 2016-03-09  Joseph Pecoraro  <pecoraro@apple.com>
803
804         Web Inspector: JavaScript Heap Allocations Timeline
805         https://bugs.webkit.org/show_bug.cgi?id=155287
806         <rdar://problem/25078088>
807
808         Reviewed by Timothy Hatcher.
809
810         * inspector/InjectedScriptSource.js:
811         (InjectedScript.prototype._describe):
812         (InjectedScript.prototype._nodeDescription):
813         Provide the nicer node preview more often.
814
815 2016-03-10  Saam barati  <sbarati@apple.com>
816
817         Assignment to new.target should be an early error
818         https://bugs.webkit.org/show_bug.cgi?id=151148
819
820         Reviewed by Mark Lam.
821
822         This patch makes it so that any form of assignment to new.target
823         is an early syntax error.
824
825         * parser/ASTBuilder.h:
826         (JSC::ASTBuilder::createNewTargetExpr):
827         (JSC::ASTBuilder::isNewTarget):
828         (JSC::ASTBuilder::createResolve):
829         * parser/Parser.cpp:
830         (JSC::Parser<LexerType>::parseAssignmentExpression):
831         (JSC::Parser<LexerType>::parseUnaryExpression):
832         * parser/SyntaxChecker.h:
833         (JSC::SyntaxChecker::createThisExpr):
834         (JSC::SyntaxChecker::createSuperExpr):
835         (JSC::SyntaxChecker::createNewTargetExpr):
836         (JSC::SyntaxChecker::isNewTarget):
837         (JSC::SyntaxChecker::createResolve):
838         (JSC::SyntaxChecker::createObjectLiteral):
839         * tests/es6.yaml:
840         * tests/stress/new-target-syntax-errors.js: Added.
841         (shouldBeSyntaxError):
842         (shouldNotBeSyntaxError):
843         * tests/stress/new-target.js:
844         (Constructor):
845         (doWeirdThings):
846         (noAssign): Deleted.
847         (catch): Deleted.
848
849 2016-03-08  Skachkov Oleksandr  <gskachkov@gmail.com>
850
851         How we load new.target in arrow functions is broken
852         https://bugs.webkit.org/show_bug.cgi?id=155153
853
854         Reviewed by Saam Barati.
855
856         Fixed not correct approach of caching new.target. In current patch was added code feature
857         flag that shows that current function is using new.target, when generating byte code an arrow 
858         function we are loading new.target value to its register from arrow function lexical environment. 
859
860         * bytecompiler/BytecodeGenerator.cpp:
861         (JSC::BytecodeGenerator::BytecodeGenerator):
862         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
863         * bytecompiler/BytecodeGenerator.h:
864         (JSC::BytecodeGenerator::newTarget):
865         * parser/ASTBuilder.h:
866         (JSC::ASTBuilder::createNewTargetExpr):
867         (JSC::ASTBuilder::usesNewTarget):
868         * parser/Nodes.h:
869         (JSC::ScopeNode::usesNewTarget):
870         * parser/ParserModes.h:
871         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
872
873 2016-03-09  Joseph Pecoraro  <pecoraro@apple.com>
874
875         Web Inspector: Get a RemoteObject or ObjectPreview from HeapSnapshot Object Identifier
876         https://bugs.webkit.org/show_bug.cgi?id=155264
877         <rdar://problem/25070716>
878
879         Reviewed by Timothy Hatcher.
880
881         * inspector/InjectedScript.h:
882         * inspector/InjectedScript.cpp:
883         (Inspector::InjectedScript::functionDetails):
884         (Inspector::InjectedScript::previewValue):
885         New InjectedScript methods for building Debugger.FunctionDetails
886         or Runtime.ObjectPreview protocol objects from a JSValue.
887
888         * inspector/InjectedScriptSource.js:
889         (InjectedScript.prototype.previewValue):
890         (InjectedScript.prototype.functionDetails):
891         (InjectedScript.prototype.getFunctionDetails):
892         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
893         (InjectedScript.RemoteObject.prototype._createObjectPreviewForValue): Deleted.
894         (InjectedScript.RemoteObject.prototype._appendEntryPreviews): Deleted.
895         Share code around creating function details or object preview objects.
896
897         * inspector/agents/InspectorHeapAgent.cpp:
898         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
899         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
900         (Inspector::InspectorHeapAgent::getPreview):
901         (Inspector::InspectorHeapAgent::getRemoteObject):
902         * inspector/agents/InspectorHeapAgent.h:
903         * inspector/protocol/Heap.json:
904         New protocol methods that go from heap object identifier to a
905         remote object or some kind of preview.
906
907         * inspector/scripts/codegen/generator.py:
908         Allow runtime casts for ObjectPreview.
909
910 2016-03-09  Andy VanWagoner  <thetalecrafter@gmail.com>
911
912         [INTL] Intl Constructors not web compatible with Object.create usage
913         https://bugs.webkit.org/show_bug.cgi?id=153679
914
915         Reviewed by Darin Adler.
916
917         Add workaround for initializing NumberFormat and DateTimeFormat objects
918         using Object.create followed by constructor.call. This is necessary for
919         backwards compatibility with libraries relying on v1 behavior of Intl
920         constructors.
921
922         Collator does not get the workaround, since polyfills do not include it,
923         and there are not any known instances of v2 incompatible libraries.
924
925         The workaround involves checking for an object that inherits from the
926         *Format constructor, but was not actually initialized with that type. A
927         substitute instance is created and attached to the object using a private
928         name. The prototype functions then check for the private property to use
929         in place of the original object.
930
931         Since this behavior is not part of the v2 spec, it should be removed as
932         soon as the incompatible behavior is no longer in common use.
933
934         * runtime/CommonIdentifiers.h:
935         * runtime/IntlDateTimeFormatConstructor.cpp:
936         (JSC::callIntlDateTimeFormat):
937         * runtime/IntlDateTimeFormatPrototype.cpp:
938         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
939         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
940         * runtime/IntlNumberFormatConstructor.cpp:
941         (JSC::callIntlNumberFormat):
942         * runtime/IntlNumberFormatPrototype.cpp:
943         (JSC::IntlNumberFormatPrototypeGetterFormat):
944         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
945
946 2016-03-09  Saam barati  <sbarati@apple.com>
947
948         Add proper JSON.stringify support for Proxy when the target is an array
949         https://bugs.webkit.org/show_bug.cgi?id=155180
950
951         Reviewed by Darin Adler.
952
953         This patch makes the following type of program true:
954         `JSON.stringify(new Proxy([25], {})) === "[25]"`
955
956         We need to change the JSON stringifier to use the IsArray test
957         in section 7.2.2 of ES6 spec instead of the JSC inherits(JSArray::info())
958         test.
959
960         This patch also adds tests for general JSON.stringify support
961         of Proxy.
962
963         * runtime/ArrayConstructor.cpp:
964         (JSC::arrayConstructorIsArray):
965         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
966         * runtime/ArrayConstructor.h:
967         (JSC::isArray):
968         * runtime/JSONObject.cpp:
969         (JSC::Stringifier::Holder::object):
970         (JSC::Stringifier::appendStringifiedValue):
971         (JSC::Stringifier::startNewLine):
972         (JSC::Stringifier::Holder::Holder):
973         * tests/es6.yaml:
974         * tests/stress/proxy-json.js: Added.
975         (assert):
976         (test):
977
978 2016-03-09  Saam Barati  <sbarati@apple.com>
979
980         ES6: Implement lexical scoping for function definitions in strict mode
981         https://bugs.webkit.org/show_bug.cgi?id=152844
982
983         Reviewed by Geoffrey Garen.
984
985         This patch implements block scoping for function definitions
986         in strict mode. The implementation works as follows:
987         
988         - If we're in sloppy mode, function declarations work exactly
989           as they did before this patch. I.e, function declarations are hoisted
990           and declared like "var" variables.
991         
992         - If you're in strict mode and at the top of a function scope or program
993           scope, function declarations still work like they used to. They are defined
994           like "var" variables. This is necessary for backwards compatibility
995           because ES5 strict mode allowed duplicate function declarations at the
996           top-most scope of a program/function.
997         
998         - If you're in strict mode and inside a block statement or a switch statement,
999           function declarations are now block scoped. All function declarations within
1000           a block are hoisted to the beginning of the block. They are not hoisted out of the 
1001           block like they are in sloppy mode. This allows for the following types of
1002           programs:
1003           ```
1004           function foo() {
1005               function bar() { return 20; }
1006               {
1007                   function bar() { return 30; }
1008                   bar(); // 30
1009               }
1010               bar(); // 20
1011           }
1012           ```
1013
1014         * bytecompiler/BytecodeGenerator.cpp:
1015         (JSC::BytecodeGenerator::BytecodeGenerator):
1016         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1017         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
1018         (JSC::BytecodeGenerator::pushLexicalScope):
1019         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1020         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
1021         (JSC::BytecodeGenerator::popLexicalScope):
1022         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
1023         (JSC::BytecodeGenerator::pushTDZVariables):
1024         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1025         (JSC::BytecodeGenerator::emitNewRegExp):
1026         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
1027         (JSC::BytecodeGenerator::emitNewFunctionExpression):
1028         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
1029         * bytecompiler/BytecodeGenerator.h:
1030         * parser/ASTBuilder.h:
1031         (JSC::ASTBuilder::createSourceElements):
1032         (JSC::ASTBuilder::features):
1033         (JSC::ASTBuilder::numConstants):
1034         (JSC::ASTBuilder::createFuncDeclStatement):
1035         (JSC::ASTBuilder::createClassDeclStatement):
1036         (JSC::ASTBuilder::createBlockStatement):
1037         (JSC::ASTBuilder::createTryStatement):
1038         (JSC::ASTBuilder::createSwitchStatement):
1039         (JSC::ASTBuilder::Scope::Scope):
1040         (JSC::ASTBuilder::funcDeclarations): Deleted.
1041         * parser/NodeConstructors.h:
1042         (JSC::CaseBlockNode::CaseBlockNode):
1043         (JSC::SwitchNode::SwitchNode):
1044         (JSC::BlockNode::BlockNode):
1045         * parser/Nodes.cpp:
1046         (JSC::ScopeNode::ScopeNode):
1047         (JSC::ScopeNode::singleStatement):
1048         (JSC::ProgramNode::ProgramNode):
1049         (JSC::ModuleProgramNode::ModuleProgramNode):
1050         (JSC::EvalNode::EvalNode):
1051         (JSC::FunctionNode::FunctionNode):
1052         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1053         * parser/Nodes.h:
1054         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1055         (JSC::VariableEnvironmentNode::lexicalVariables):
1056         (JSC::VariableEnvironmentNode::functionStack):
1057         (JSC::ScopeNode::captures):
1058         (JSC::ScopeNode::varDeclarations):
1059         (JSC::ScopeNode::neededConstants):
1060         (JSC::ProgramNode::startColumn):
1061         (JSC::ProgramNode::endColumn):
1062         (JSC::EvalNode::startColumn):
1063         (JSC::EvalNode::endColumn):
1064         (JSC::ModuleProgramNode::startColumn):
1065         (JSC::ModuleProgramNode::endColumn):
1066         (JSC::ScopeNode::functionStack): Deleted.
1067         * parser/Parser.cpp:
1068         (JSC::Parser<LexerType>::parseInner):
1069         (JSC::Parser<LexerType>::didFinishParsing):
1070         (JSC::Parser<LexerType>::parseStatementListItem):
1071         (JSC::Parser<LexerType>::parseSwitchStatement):
1072         (JSC::Parser<LexerType>::parseBlockStatement):
1073         (JSC::Parser<LexerType>::parseStatement):
1074         (JSC::Parser<LexerType>::parseFunctionInfo):
1075         (JSC::getMetadata):
1076         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1077         (JSC::Parser<LexerType>::parseExportDeclaration):
1078         * parser/Parser.h:
1079         (JSC::Scope::declareVariable):
1080         (JSC::Scope::declareFunction):
1081         (JSC::Scope::appendFunction):
1082         (JSC::Scope::takeFunctionDeclarations):
1083         (JSC::Scope::declareLexicalVariable):
1084         (JSC::Parser::currentVariableScope):
1085         (JSC::Parser::currentLexicalDeclarationScope):
1086         (JSC::Parser::currentFunctionScope):
1087         (JSC::Parser::pushScope):
1088         (JSC::Parser::popScopeInternal):
1089         (JSC::Parser::declareVariable):
1090         (JSC::Parser::declareFunction):
1091         (JSC::Parser::hasDeclaredVariable):
1092         (JSC::Parser::isFunctionMetadataNode):
1093         (JSC::Parser<LexerType>::parse):
1094         * parser/SyntaxChecker.h:
1095         (JSC::SyntaxChecker::createFuncDeclStatement):
1096         (JSC::SyntaxChecker::createClassDeclStatement):
1097         (JSC::SyntaxChecker::createBlockStatement):
1098         (JSC::SyntaxChecker::createExprStatement):
1099         (JSC::SyntaxChecker::createIfStatement):
1100         (JSC::SyntaxChecker::createContinueStatement):
1101         (JSC::SyntaxChecker::createTryStatement):
1102         (JSC::SyntaxChecker::createSwitchStatement):
1103         (JSC::SyntaxChecker::createWhileStatement):
1104         (JSC::SyntaxChecker::createWithStatement):
1105         (JSC::SyntaxChecker::createDoWhileStatement):
1106         * parser/VariableEnvironment.h:
1107         (JSC::VariableEnvironmentEntry::isExported):
1108         (JSC::VariableEnvironmentEntry::isImported):
1109         (JSC::VariableEnvironmentEntry::isImportedNamespace):
1110         (JSC::VariableEnvironmentEntry::isFunction):
1111         (JSC::VariableEnvironmentEntry::setIsCaptured):
1112         (JSC::VariableEnvironmentEntry::setIsConst):
1113         (JSC::VariableEnvironmentEntry::setIsExported):
1114         (JSC::VariableEnvironmentEntry::setIsImported):
1115         (JSC::VariableEnvironmentEntry::setIsImportedNamespace):
1116         (JSC::VariableEnvironmentEntry::setIsFunction):
1117         (JSC::VariableEnvironmentEntry::clearIsVar):
1118         (JSC::VariableEnvironment::VariableEnvironment):
1119         (JSC::VariableEnvironment::begin):
1120         (JSC::VariableEnvironment::end):
1121         * tests/es6.yaml:
1122         * tests/stress/block-scoped-function-declarations.js: Added.
1123         (assert):
1124         (test):
1125         (f.foo.bar):
1126         (f.foo.):
1127         (f.foo):
1128         (f):
1129         (assert.foo.):
1130         (assert.foo):
1131         (assert.foo.foo):
1132         (assert.foo.bar):
1133         (assert.foo.switch.case.1):
1134         (assert.foo.switch.case.2):
1135         (assert.foo.switch.foo):
1136         (assert.foo.switch.bar):
1137
1138 2016-03-09  Saam barati  <sbarati@apple.com>
1139
1140         Array.isArray support for Proxy
1141         https://bugs.webkit.org/show_bug.cgi?id=155179
1142
1143         Reviewed by Mark Lam.
1144
1145         This patch implements Array.isArray to be compliant
1146         with the ES6 spec. Specifically, it needs to interface
1147         properly with Proxy arguments.
1148         https://tc39.github.io/ecma262/#sec-isarray
1149
1150         * runtime/ArrayConstructor.cpp:
1151         (JSC::ArrayConstructor::getCallData):
1152         (JSC::arrayConstructorIsArray):
1153         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
1154         * runtime/ArrayPrototype.cpp:
1155         (JSC::speciesConstructArray):
1156         * runtime/ProxyObject.cpp:
1157         (JSC::ProxyObject::revoke):
1158         (JSC::ProxyObject::isRevoked):
1159         (JSC::ProxyObject::visitChildren):
1160         * runtime/ProxyObject.h:
1161         (JSC::ProxyObject::target):
1162         (JSC::ProxyObject::handler):
1163         * tests/es6.yaml:
1164         * tests/stress/proxy-is-array.js: Added.
1165         (assert):
1166         (test):
1167
1168 2016-03-09  Benjamin Poulain  <bpoulain@apple.com>
1169
1170         [JSC] Fix the ARM64 MacroAssembler after r197816
1171         https://bugs.webkit.org/show_bug.cgi?id=155268
1172
1173         Reviewed by Mark Lam.
1174
1175         The patch tries to generate instructions that do not exist,
1176         causing quite fun stuff at runtime.
1177
1178         * assembler/MacroAssemblerARM64.h:
1179         (JSC::MacroAssemblerARM64::load8):
1180         (JSC::MacroAssemblerARM64::store16):
1181         (JSC::MacroAssemblerARM64::store8):
1182
1183 2016-03-09  Commit Queue  <commit-queue@webkit.org>
1184
1185         Unreviewed, rolling out r197873.
1186         https://bugs.webkit.org/show_bug.cgi?id=155262
1187
1188         "Crashes some JSC tests" (Requested by mlam on #webkit).
1189
1190         Reverted changeset:
1191
1192         "Add dumping of function expression names in CodeBlock
1193         bytecode dump."
1194         https://bugs.webkit.org/show_bug.cgi?id=155248
1195         http://trac.webkit.org/changeset/197873
1196
1197 2016-03-09  Oliver Hunt  <oliver@apple.com>
1198
1199         Fix old iOS
1200
1201         * jit/ExecutableAllocatorFixedVMPool.cpp:
1202         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1203
1204 2016-03-09  Oliver Hunt  <oliver@apple.com>
1205
1206         Wincairo buildfix
1207         https://bugs.webkit.org/show_bug.cgi?id=155245
1208
1209         Reviewed by Mark Lam.
1210
1211         Fix up exports for a few symbols
1212
1213         * jit/ExecutableAllocator.h:
1214         * jit/ExecutableAllocatorFixedVMPool.cpp:
1215
1216 2016-03-09  Mark Lam  <mark.lam@apple.com>
1217
1218         Add dumping of function expression names in CodeBlock bytecode dump.
1219         https://bugs.webkit.org/show_bug.cgi?id=155248
1220
1221         Reviewed by Filip Pizlo.
1222
1223         Because ...
1224         [  19] new_func_exp      loc5, loc3, f0:foo
1225
1226         ... is more informative than
1227         [  19] new_func_exp      loc5, loc3, f0
1228
1229         Anonymous functions will be dumped as <anon>.
1230
1231         * bytecode/CodeBlock.cpp:
1232         (JSC::CodeBlock::dumpFunctionExpr):
1233         (JSC::CodeBlock::dumpBytecode):
1234         * bytecode/CodeBlock.h:
1235
1236 2016-03-09  Michael Saboff  <msaboff@apple.com>
1237
1238         [ES6] Implement RegExp sticky flag and related functionality
1239         https://bugs.webkit.org/show_bug.cgi?id=155177
1240
1241         Reviewed by Saam Barati.
1242
1243         Implemented the ES6 RegExp sticky functionality.
1244
1245         There are two main behavior changes when the sticky flag is specified.
1246         1) Matching starts at lastIndex and lastIndex is updated after the match.
1247         2) The regular expression is only matched from the start position in the string.
1248         See ES6 section 21.2.5.2.2 for details.
1249
1250         Changed both the Yarr interpreter and jit to not loop to the next character for sticky RegExp's.
1251         Updated RegExp exec and match, and stringProtoFuncMatch to handle lastIndex changes.
1252
1253         Restructured the way flags are passed to and through YarrPatterns to use RegExpFlags instead of
1254         individual bools.
1255
1256         Updated tests for 'y' flag and new behavior.
1257
1258         * bytecode/CodeBlock.cpp:
1259         (JSC::regexpToSourceString):
1260         * inspector/ContentSearchUtilities.cpp:
1261         (Inspector::ContentSearchUtilities::findMagicComment):
1262         * runtime/CommonIdentifiers.h:
1263         * runtime/RegExp.cpp:
1264         (JSC::regExpFlags):
1265         (JSC::RegExpFunctionalTestCollector::outputOneTest):
1266         (JSC::RegExp::finishCreation):
1267         (JSC::RegExp::compile):
1268         (JSC::RegExp::compileMatchOnly):
1269         * runtime/RegExp.h:
1270         * runtime/RegExpKey.h:
1271         * runtime/RegExpObjectInlines.h:
1272         (JSC::RegExpObject::execInline):
1273         (JSC::RegExpObject::matchInline):
1274         * runtime/RegExpPrototype.cpp:
1275         (JSC::regExpProtoFuncCompile):
1276         (JSC::flagsString):
1277         (JSC::regExpProtoGetterMultiline):
1278         (JSC::regExpProtoGetterSticky):
1279         (JSC::regExpProtoGetterUnicode):
1280         * runtime/StringPrototype.cpp:
1281         (JSC::stringProtoFuncMatch):
1282         * tests/es6.yaml:
1283         * tests/stress/static-getter-in-names.js:
1284         (shouldBe):
1285         * yarr/RegularExpression.cpp:
1286         (JSC::Yarr::RegularExpression::Private::compile):
1287         * yarr/YarrInterpreter.cpp:
1288         (JSC::Yarr::Interpreter::tryConsumeBackReference):
1289         (JSC::Yarr::Interpreter::matchAssertionBOL):
1290         (JSC::Yarr::Interpreter::matchAssertionEOL):
1291         (JSC::Yarr::Interpreter::matchAssertionWordBoundary):
1292         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1293         (JSC::Yarr::Interpreter::matchDisjunction):
1294         (JSC::Yarr::Interpreter::Interpreter):
1295         (JSC::Yarr::ByteCompiler::atomPatternCharacter):
1296         * yarr/YarrInterpreter.h:
1297         (JSC::Yarr::BytecodePattern::BytecodePattern):
1298         (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
1299         (JSC::Yarr::BytecodePattern::ignoreCase):
1300         (JSC::Yarr::BytecodePattern::multiline):
1301         (JSC::Yarr::BytecodePattern::sticky):
1302         (JSC::Yarr::BytecodePattern::unicode):
1303         * yarr/YarrJIT.cpp:
1304         (JSC::Yarr::YarrGenerator::matchCharacterClass):
1305         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
1306         (JSC::Yarr::YarrGenerator::generateAssertionBOL):
1307         (JSC::Yarr::YarrGenerator::generateAssertionEOL):
1308         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1309         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
1310         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1311         (JSC::Yarr::YarrGenerator::backtrack):
1312         * yarr/YarrPattern.cpp:
1313         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
1314         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
1315         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
1316         (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
1317         (JSC::Yarr::YarrPattern::compile):
1318         (JSC::Yarr::YarrPattern::YarrPattern):
1319         * yarr/YarrPattern.h:
1320         (JSC::Yarr::YarrPattern::reset):
1321         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
1322         (JSC::Yarr::YarrPattern::ignoreCase):
1323         (JSC::Yarr::YarrPattern::multiline):
1324         (JSC::Yarr::YarrPattern::sticky):
1325         (JSC::Yarr::YarrPattern::unicode):
1326
1327 2016-03-09  Mark Lam  <mark.lam@apple.com>
1328
1329         FunctionExecutable::ecmaName() should not be based on inferredName().
1330         https://bugs.webkit.org/show_bug.cgi?id=155203
1331
1332         Reviewed by Michael Saboff.
1333
1334         The ES6 rules for how a function name should be inferred closely matches JSC's
1335         implementation with one exception:
1336             var o = {}
1337             o.foo = function() {}
1338
1339         JSC's inferredName for o.foo would be "foo".
1340         ES6 specifies that o.foo.name is "".
1341
1342         The fix is to add a distinct FunctionExecutable::ecmaName() which applies the ES6
1343         rules for inferring the initial value of Function.name.
1344
1345         * bytecode/UnlinkedFunctionExecutable.cpp:
1346         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1347         * bytecode/UnlinkedFunctionExecutable.h:
1348         * parser/ASTBuilder.h:
1349         (JSC::ASTBuilder::createAssignResolve):
1350         (JSC::ASTBuilder::createGetterOrSetterProperty):
1351         (JSC::ASTBuilder::createProperty):
1352         (JSC::ASTBuilder::makeAssignNode):
1353         * parser/Nodes.h:
1354         * runtime/Executable.h:
1355         * runtime/JSFunction.cpp:
1356         (JSC::JSFunction::reifyName):
1357         * tests/es6.yaml:
1358
1359 2016-03-09  Michael Saboff  <msaboff@apple.com>
1360
1361         Harden JSC Root element functions from bad values
1362         https://bugs.webkit.org/show_bug.cgi?id=155234
1363
1364         Reviewed by Saam Barati.
1365
1366         Changed jsCast() to jsDynamicCast() in Root related function to protect against being
1367         called with non-Root arguments.
1368
1369         * jsc.cpp:
1370         (functionCreateElement):
1371         (functionGetElement):
1372         (functionSetElementRoot):
1373
1374 2016-03-09  Benjamin Poulain  <benjamin@webkit.org>
1375
1376         [JSC] Pick how to OSR Enter to FTL at runtime instead of compile time
1377         https://bugs.webkit.org/show_bug.cgi?id=155217
1378
1379         Reviewed by Filip Pizlo.
1380
1381         This patch addresses 2 types of problems with tiering up to FTL
1382         with OSR Entry in a loop:
1383         -When there are nested loops, it is generally valuable to enter
1384          an outer loop rather than an inner loop.
1385         -When tiering up at a point that cannot OSR Enter, we are at
1386          the mercy of the outer loop frequency to compile the right
1387          entry point.
1388
1389         The first case is significant in the test "gaussian-blur".
1390         That test has 4 nested loops. When we have an OSR Entry,
1391         the analysis phases have to be pesimistic where we enter:
1392         we do not really know what constraint can be proven from
1393         the DFG code that was running.
1394
1395         In "gaussian-blur", integer-range analysis removes pretty
1396         much all overflow checks in the inner loops of where we entered.
1397         The more outside we enter, the better code we generate.
1398
1399         Since we spend the most iterations in the inner loop, we naturally
1400         tend to OSR Enter into the 2 most inner loops, making the most
1401         pessimistic assumptions.
1402
1403         To avoid such problems, I changed how we decide where to OSR Enter.
1404         Previously, the last CheckTierUpAndOSREnter to cross the threshold
1405         was where we take the entry point for FTL.
1406
1407         What happens now is that the entry point is not decied when
1408         compiling the CheckTierUp variants. Instead, all the information
1409         we need is gathered during compilation and keept on the JITCode
1410         to be used at runtime.
1411
1412         When we try to tier up and decide to OSR Enter, we use the information
1413         we have to pick a good outer loop for OSR Entry.
1414
1415         Now the problem is outer loop do not CheckTierUpAndOSREnter often,
1416         wasting several miliseconds before entering the newly compiled FTL code.
1417
1418         To solve that, every CheckTierUpAndOSREnter has its own trigger that
1419         bypass the counter. When the FTL Code is compiled, the trigger is set
1420         and we enter through the right CheckTierUpAndOSREnter immediately.
1421
1422         ---
1423
1424         This new mechanism also solves a problem of ai-astar.
1425         When we try to tier up in ai-astar, we had nothing to compile until
1426         the outer loop is reached.
1427
1428         To make sure we reached the CheckTierUpAndOSREnter in a reasonable time,
1429         we had CheckTierUpWithNestedTriggerAndOSREnter with a special trigger.
1430
1431         With the new mechanism, we can do much better:
1432         -When we keep hitting CheckTierUpInLoop, we now have all the information
1433          we need to already start compiling the outer loop.
1434          Instead of waiting for the outer loop to be reached a few times, we compile
1435          it as soon as the inner loop is hammering CheckTierUpInLoop.
1436         -With the new triggers, the very next time we hit the outer loop, we OSR Enter.
1437
1438         This allow us to compile what we need sooner and enter sooner.
1439
1440         * dfg/DFGAbstractInterpreterInlines.h:
1441         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
1442         * dfg/DFGClobberize.h:
1443         (JSC::DFG::clobberize): Deleted.
1444         * dfg/DFGDoesGC.cpp:
1445         (JSC::DFG::doesGC): Deleted.
1446         * dfg/DFGFixupPhase.cpp:
1447         (JSC::DFG::FixupPhase::fixupNode): Deleted.
1448         * dfg/DFGJITCode.h:
1449         * dfg/DFGJITCompiler.cpp:
1450         (JSC::DFG::JITCompiler::JITCompiler):
1451         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
1452         * dfg/DFGNodeType.h:
1453         * dfg/DFGOperations.cpp:
1454         * dfg/DFGOperations.h:
1455         * dfg/DFGPlan.h:
1456         (JSC::DFG::Plan::canTierUpAndOSREnter):
1457         * dfg/DFGPredictionPropagationPhase.cpp:
1458         (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
1459         * dfg/DFGSafeToExecute.h:
1460         (JSC::DFG::safeToExecute): Deleted.
1461         * dfg/DFGSpeculativeJIT32_64.cpp:
1462         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1463         * dfg/DFGSpeculativeJIT64.cpp:
1464         (JSC::DFG::SpeculativeJIT::compile):
1465         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1466         (JSC::DFG::TierUpCheckInjectionPhase::run):
1467         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
1468         (JSC::DFG::TierUpCheckInjectionPhase::findLoopsContainingLoopHintWithoutOSREnter): Deleted.
1469         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1470         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
1471         (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
1472         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
1473         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
1474         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
1475
1476 2016-03-08  Filip Pizlo  <fpizlo@apple.com>
1477
1478         DFG should be able to constant-fold strings
1479         https://bugs.webkit.org/show_bug.cgi?id=155200
1480
1481         Reviewed by Geoffrey Garen.
1482
1483         This adds constant-folding of string1 + string2 and string.length. The actual folding
1484         rule is easy, but there are some gotchas.
1485
1486         The problem is that the DFG cannot allocate new JSString objects until we are on the
1487         main thread. So, DFG IR must have a node for a JSValue string constant that hasn't been
1488         created yet - i.e. it doesn't have any concrete JSValue bits yet.
1489
1490         We have the ability to speak of such things, using LazyJSValue. But that's a class, not
1491         a node type. This patch now adds a node type, LazyJSConstant, which is a Node that holds
1492         a LazyJSValue.
1493
1494         This puts us in a weird situation: AI uses JSValue to represent constants. It would take
1495         a lot of work to change it to use LazyJSValue. So, this implements the constant folding
1496         in StrengthReductionPhase. I created a bug and put a FIXME about moving these rules into
1497         AI.
1498
1499         OTOH, our experience in B3 shows that constant folding in strength reduction is quite
1500         nice. It would totally make sense to have strength reduction have constant folding rules
1501         that mirror the rules in AI, or to factor out the AI constant folding rules, the same
1502         way that B3 factors out those rules into Value methods.
1503
1504         Another issue is how to represent the cumulative result of possibly many foldings. I
1505         initially considered adding LazyJSValue kinds that represented concatenation. Folding
1506         the concatenation to a constant meand that this constant was actually a LazyJSValue that
1507         represented the concatenation of two other things. But this would get super messy if we
1508         wanted to fold an operation that uses the results of another folded operation.
1509
1510         So, the JIT thread folds string operations by creating a WTF::String that contains the
1511         result. The DFG::Graph holds a +1 on the underlying StringImpl, so we can pass the
1512         StringImpl* around without reference counting. The LazyJSValue now has a special kind
1513         that means: we created this StringImpl* on the JIT thread, and once the JIT is done, we
1514         will relinquish ownership of it. LazyJSValue has some magic to emit code for these
1515         to-be-created-JSStrings while also transferring ownership of the StringImpl from the JIT
1516         thread to the main thread and registering the JSString with the GC.
1517
1518         This just implements folding for concatenation and GetArrayLength. It's just a proof of
1519         concept for evil things I want to do later.
1520
1521         This change is a 2.5x speed-up on the string concatenation microbenchmarks I added in
1522         this patch.
1523
1524         * dfg/DFGAbstractInterpreterInlines.h:
1525         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1526         * dfg/DFGClobberize.h:
1527         (JSC::DFG::clobberize):
1528         * dfg/DFGDoesGC.cpp:
1529         (JSC::DFG::doesGC):
1530         * dfg/DFGFixupPhase.cpp:
1531         (JSC::DFG::FixupPhase::fixupNode):
1532         * dfg/DFGFrozenValue.cpp:
1533         (JSC::DFG::FrozenValue::emptySingleton):
1534         (JSC::DFG::FrozenValue::tryGetString):
1535         (JSC::DFG::FrozenValue::dumpInContext):
1536         * dfg/DFGFrozenValue.h:
1537         (JSC::DFG::FrozenValue::strength):
1538         * dfg/DFGGraph.h:
1539         * dfg/DFGLazyJSValue.cpp:
1540         (JSC::DFG::LazyJSValue::newString):
1541         (JSC::DFG::LazyJSValue::getValue):
1542         (JSC::DFG::equalToStringImpl):
1543         (JSC::DFG::LazyJSValue::tryGetStringImpl):
1544         (JSC::DFG::LazyJSValue::tryGetString):
1545         (JSC::DFG::LazyJSValue::strictEqual):
1546         (JSC::DFG::LazyJSValue::switchLookupValue):
1547         (JSC::DFG::LazyJSValue::emit):
1548         (JSC::DFG::LazyJSValue::dumpInContext):
1549         * dfg/DFGLazyJSValue.h:
1550         (JSC::DFG::LazyJSValue::LazyJSValue):
1551         (JSC::DFG::LazyJSValue::knownStringImpl):
1552         (JSC::DFG::LazyJSValue::kind):
1553         (JSC::DFG::LazyJSValue::tryGetValue):
1554         (JSC::DFG::LazyJSValue::character):
1555         (JSC::DFG::LazyJSValue::stringImpl):
1556         * dfg/DFGMayExit.cpp:
1557         (JSC::DFG::mayExit):
1558         * dfg/DFGNode.cpp:
1559         (JSC::DFG::Node::convertToIdentityOn):
1560         (JSC::DFG::Node::convertToLazyJSConstant):
1561         (JSC::DFG::Node::convertToPutHint):
1562         (JSC::DFG::Node::convertToPutClosureVarHint):
1563         (JSC::DFG::Node::tryGetString):
1564         (JSC::DFG::Node::promotedLocationDescriptor):
1565         * dfg/DFGNode.h:
1566         (JSC::DFG::Node::convertToConstant):
1567         (JSC::DFG::Node::convertToConstantStoragePointer):
1568         (JSC::DFG::Node::castConstant):
1569         (JSC::DFG::Node::hasLazyJSValue):
1570         (JSC::DFG::Node::lazyJSValue):
1571         (JSC::DFG::Node::initializationValueForActivation):
1572         * dfg/DFGNodeType.h:
1573         * dfg/DFGPredictionPropagationPhase.cpp:
1574         (JSC::DFG::PredictionPropagationPhase::propagate):
1575         * dfg/DFGSafeToExecute.h:
1576         (JSC::DFG::safeToExecute):
1577         * dfg/DFGSpeculativeJIT.cpp:
1578         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
1579         (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
1580         * dfg/DFGSpeculativeJIT.h:
1581         * dfg/DFGSpeculativeJIT32_64.cpp:
1582         (JSC::DFG::SpeculativeJIT::compile):
1583         * dfg/DFGSpeculativeJIT64.cpp:
1584         (JSC::DFG::SpeculativeJIT::compile):
1585         * dfg/DFGStrengthReductionPhase.cpp:
1586         (JSC::DFG::StrengthReductionPhase::handleNode):
1587         * ftl/FTLCapabilities.cpp:
1588         (JSC::FTL::canCompile):
1589         * ftl/FTLLowerDFGToB3.cpp:
1590         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1591         (JSC::FTL::DFG::LowerDFGToB3::compileInt52Constant):
1592         (JSC::FTL::DFG::LowerDFGToB3::compileLazyJSConstant):
1593         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
1594
1595 2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>
1596
1597         Web Inspector: Memory Timeline should show MemoryPressure events
1598         https://bugs.webkit.org/show_bug.cgi?id=155158
1599         <rdar://problem/25026610>
1600
1601         Reviewed by Brian Burg.
1602
1603         * inspector/protocol/Memory.json:
1604
1605 2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>
1606
1607         Web Inspector: Add Heap domain start/stop tracking commands
1608         https://bugs.webkit.org/show_bug.cgi?id=155190
1609
1610         Reviewed by Brian Burg.
1611
1612         * inspector/agents/InspectorHeapAgent.cpp:
1613         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
1614         (Inspector::InspectorHeapAgent::startTracking):
1615         (Inspector::InspectorHeapAgent::stopTracking):
1616         * inspector/agents/InspectorHeapAgent.h:
1617         * inspector/protocol/Heap.json:
1618
1619 2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>
1620
1621         Web Inspector: Add a way to create a Heap Snapshot
1622         https://bugs.webkit.org/show_bug.cgi?id=155188
1623
1624         Reviewed by Brian Burg.
1625
1626         * inspector/agents/InspectorHeapAgent.h:
1627         * inspector/protocol/Heap.json:
1628         * inspector/agents/InspectorHeapAgent.cpp:
1629         (Inspector::InspectorHeapAgent::snapshot):
1630         Take a heap snapshot and return the JSON string result.
1631
1632         * inspector/protocol/Debugger.json:
1633         Remove unused optional inferredName. Our displayName would be inferred.
1634
1635 2016-03-08  Oliver Hunt  <oliver@apple.com>
1636
1637         Fix ios bot build.
1638
1639         * jit/ExecutableAllocatorFixedVMPool.cpp:
1640         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1641
1642 2016-03-08  Mark Lam  <mark.lam@apple.com>
1643
1644         Implement Function.name support for getters/setters and inferring name of function properties.
1645         https://bugs.webkit.org/show_bug.cgi?id=154865
1646
1647         Rubber-stamped by Joseph Pecoraro.
1648
1649         Follow up to the fix for this bug: adding a few small clean-ups for issues Joe
1650         pointed out in the bug.
1651
1652         * runtime/JSBoundSlotBaseFunction.cpp:
1653         (JSC::JSBoundSlotBaseFunction::create):
1654         * runtime/JSCJSValue.cpp:
1655         (JSC::JSValue::putToPrimitiveByIndex):
1656
1657 2016-03-08  Oliver Hunt  <oliver@apple.com>
1658
1659         Start moving to separated writable and executable mappings in the JIT
1660         https://bugs.webkit.org/show_bug.cgi?id=155178
1661
1662         Reviewed by Fil Pizlo.
1663
1664         Start moving to a separate writable and executable heap for the various
1665         JITs.
1666
1667         As part of our work to harden the JIT against various attacks, we're
1668         moving away from our current RWX heap and on to using separate RW and X
1669         mappings. This means that simply leaking the location of the executable
1670         mapping is not sufficient to compromise JSC, so we can continue to
1671         use direct executable pointers in our GC objects (which we need for
1672         performance), but keep the writable pointer in only a single location
1673         so that we are less likely to leak the address. To further obscure the
1674         address of the writable region we place it in an execute only region
1675         of memory so that it is not possible to read the location from 
1676         anywhere. That means an attacker must have at least partial control
1677         of PC (to call jitMemCopy) before they can start to attack the JIT.
1678
1679         This work is initially ARM64 only, as we use as the jitMemCopy is
1680         currently specific to that platform's calling conventions and layout.
1681         We're just landing it in the current form so that we can at least
1682         ensure it doesn't regress.
1683
1684         * Configurations/FeatureDefines.xcconfig:
1685         * assembler/ARM64Assembler.h:
1686         (JSC::ARM64Assembler::ldp):
1687         (JSC::ARM64Assembler::ldnp):
1688         (JSC::ARM64Assembler::fillNops):
1689         (JSC::ARM64Assembler::stp):
1690         (JSC::ARM64Assembler::stnp):
1691         (JSC::ARM64Assembler::replaceWithJump):
1692         (JSC::ARM64Assembler::replaceWithLoad):
1693         (JSC::ARM64Assembler::replaceWithAddressComputation):
1694         (JSC::ARM64Assembler::setPointer):
1695         (JSC::ARM64Assembler::repatchInt32):
1696         (JSC::ARM64Assembler::repatchCompact):
1697         (JSC::ARM64Assembler::linkJumpOrCall):
1698         (JSC::ARM64Assembler::linkCompareAndBranch):
1699         (JSC::ARM64Assembler::linkConditionalBranch):
1700         (JSC::ARM64Assembler::linkTestAndBranch):
1701         (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
1702         (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
1703         * assembler/LinkBuffer.cpp:
1704         (JSC::LinkBuffer::copyCompactAndLinkCode):
1705         (JSC::LinkBuffer::allocate):
1706         * assembler/LinkBuffer.h:
1707         (JSC::LinkBuffer::LinkBuffer):
1708         * assembler/MacroAssemblerARM64.h:
1709         (JSC::MacroAssemblerARM64::sub64):
1710         (JSC::MacroAssemblerARM64::load64):
1711         (JSC::MacroAssemblerARM64::loadPair64):
1712         (JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
1713         (JSC::MacroAssemblerARM64::load8):
1714         (JSC::MacroAssemblerARM64::store64):
1715         (JSC::MacroAssemblerARM64::storePair64):
1716         (JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
1717         (JSC::MacroAssemblerARM64::store8):
1718         (JSC::MacroAssemblerARM64::branchAdd64):
1719         (JSC::MacroAssemblerARM64::branchSub64):
1720         * jit/ExecutableAllocator.h:
1721         (JSC::performJITMemcpy):
1722         * jit/ExecutableAllocatorFixedVMPool.cpp:
1723         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1724         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1725         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1726         * runtime/Options.cpp:
1727         (JSC::recomputeDependentOptions):
1728         * runtime/Options.h:
1729
1730 2016-03-08  Mark Lam  <mark.lam@apple.com>
1731
1732         Implement Function.name support for getters/setters and inferring name of function properties.
1733         https://bugs.webkit.org/show_bug.cgi?id=154865
1734
1735         Reviewed by Geoffrey Garen.
1736
1737         1. toString() no longer uses the value of Function.name as the name of the
1738            function in the returned string, because ...
1739
1740             i. Function.name is supposed to be configurable.  Hence, it can be made
1741                writable and can be set to any JSValue, or deleted.
1742            ii. Function.prototype.toString() is supposed to produce a string that can be
1743                eval'ed.  Hence, for JS functions, the function name in the produced
1744                string must be a legal function name (and not some arbitrary value set in
1745                Function.name).  For example, while a number is a legal value for
1746                Function.name, it is not legal as the function name in the toString()
1747                string.
1748
1749            Instead, we'll always use the original name from the JS source that the
1750            function was parsed from.
1751
1752         2. JSFunction::name() now always return the original name, not the value of
1753            the Function.name property.  As a result, it also no longer needs an
1754            ExecState* arg.
1755
1756            If the original name is an empty string, JSFunction::name() will use the
1757            inferred name.
1758
1759         3. For JS functions, the original name can be attained from their
1760            FunctionExecutable object.
1761
1762            For host/native functions (which do not have a FunctionExecutable), we get the
1763            "original" name from its NativeExecutable.
1764
1765         4. The m_hostFunctionStubMap now keys its NativeExecutable pointers using the
1766            original name, in addition to the native function and constructor pointers.
1767
1768            This is needed because we want a different NativeExecutable for functions with
1769            a different name (to satisfy (3) above).
1770
1771         5. Changed JSBoundFunction to store the name of its bound function in its
1772            NativeExecutable.  This will later be used to generate the toString() string.
1773            It's Function.name value is eagerly initialized at construction time.
1774
1775         6. Function.name for getters/setters are now prefixed with "get"/"set".
1776            This was done both for the JSBoundSlotBaseFunctions and JS definable get/set
1777            functions.
1778
1779         7. Added InternalFunction::m_originalName so that we can use it to generate the
1780            toString() string.  We're storing it as a JSString instead of a WTF::String
1781            only because we want InternalFunction to be continue to be trivially
1782            destructible.
1783
1784         * inspector/JSInjectedScriptHost.cpp:
1785         (Inspector::JSInjectedScriptHost::functionDetails):
1786         * jit/JITThunks.cpp:
1787         (JSC::JITThunks::finalize):
1788         (JSC::JITThunks::hostFunctionStub):
1789         * jit/JITThunks.h:
1790         * runtime/Executable.h:
1791         * runtime/FunctionPrototype.cpp:
1792         (JSC::functionProtoFuncToString):
1793         * runtime/InternalFunction.cpp:
1794         (JSC::InternalFunction::finishCreation):
1795         (JSC::InternalFunction::visitChildren):
1796         (JSC::InternalFunction::name):
1797         (JSC::InternalFunction::displayName):
1798         * runtime/InternalFunction.h:
1799         * runtime/JSBoundFunction.cpp:
1800         (JSC::JSBoundFunction::create):
1801         (JSC::JSBoundFunction::visitChildren):
1802         (JSC::JSBoundFunction::toStringName): Deleted.
1803         * runtime/JSBoundFunction.h:
1804         (JSC::JSBoundFunction::boundThis):
1805         (JSC::JSBoundFunction::boundArgs):
1806         (JSC::JSBoundFunction::createStructure):
1807         * runtime/JSBoundSlotBaseFunction.cpp:
1808         (JSC::boundSlotBaseFunctionCall):
1809         (JSC::JSBoundSlotBaseFunction::create):
1810         * runtime/JSFunction.cpp:
1811         (JSC::JSFunction::initializeRareData):
1812         (JSC::JSFunction::name):
1813         (JSC::JSFunction::displayName):
1814         (JSC::JSFunction::calculatedDisplayName):
1815         (JSC::JSFunction::reifyName):
1816         * runtime/JSFunction.h:
1817         * tests/es6.yaml:
1818
1819 2016-03-08  Commit Queue  <commit-queue@webkit.org>
1820
1821         Unreviewed, rolling out r197793 and r197799.
1822         https://bugs.webkit.org/show_bug.cgi?id=155195
1823
1824         something weird happened while landing this and everything
1825         broke (Requested by olliej on #webkit).
1826
1827         Reverted changesets:
1828
1829         "Start moving to separated writable and executable mappings in
1830         the JIT"
1831         https://bugs.webkit.org/show_bug.cgi?id=155178
1832         http://trac.webkit.org/changeset/197793
1833
1834         "arm64 build fix after r197793."
1835         http://trac.webkit.org/changeset/197799
1836
1837 2016-03-08  Alex Christensen  <achristensen@webkit.org>
1838
1839         arm64 build fix after r197793.
1840
1841         * jit/ExecutableAllocatorFixedVMPool.cpp:
1842         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1843         (JSC::FixedVMPoolExecutableAllocator::initializeBulletproofJIT):
1844         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1845         Use consistent ENABLE macro.  It looks like it was partially renamed.
1846
1847 2016-03-08  Filip Pizlo  <fpizlo@apple.com>
1848
1849         Regexp matching should incur less call overhead
1850         https://bugs.webkit.org/show_bug.cgi?id=155181
1851
1852         Reviewed by Geoffrey Garen.
1853
1854         Previously we had DFG/FTL code call into the DFGOperation, which then called in to
1855         RegExpObject, which then called into createRegExpMatchesArray, which then called into
1856         RegExp, which then called the code generated by Yarr.
1857
1858         Now we have DFG/FTL code call into the DFGOperation, which does all of the things and calls
1859         into code generated by Yarr.
1860
1861         This is another tiny Octane/regexp speed-up.
1862
1863         * JavaScriptCore.xcodeproj/project.pbxproj:
1864         * dfg/DFGOperations.cpp:
1865         * runtime/RegExp.cpp:
1866         (JSC::regExpFlags):
1867         (JSC::RegExp::compile):
1868         (JSC::RegExp::match):
1869         (JSC::RegExp::compileMatchOnly):
1870         (JSC::RegExp::deleteCode):
1871         (JSC::RegExpFunctionalTestCollector::clearRegExp): Deleted.
1872         (JSC::RegExp::compileIfNecessary): Deleted.
1873         (JSC::RegExp::compileIfNecessaryMatchOnly): Deleted.
1874         * runtime/RegExp.h:
1875         * runtime/RegExpInlines.h: Added.
1876         (JSC::RegExpFunctionalTestCollector::clearRegExp):
1877         (JSC::RegExp::compileIfNecessary):
1878         (JSC::RegExp::matchInline):
1879         (JSC::RegExp::compileIfNecessaryMatchOnly):
1880         * runtime/RegExpMatchesArray.cpp:
1881         (JSC::createEmptyRegExpMatchesArray):
1882         (JSC::createStructureImpl):
1883         (JSC::tryCreateUninitializedRegExpMatchesArray): Deleted.
1884         (JSC::createRegExpMatchesArray): Deleted.
1885         * runtime/RegExpMatchesArray.h:
1886         (JSC::tryCreateUninitializedRegExpMatchesArray):
1887         (JSC::createRegExpMatchesArray):
1888         * runtime/RegExpObject.cpp:
1889         (JSC::RegExpObject::put):
1890         (JSC::RegExpObject::exec):
1891         (JSC::RegExpObject::match):
1892         (JSC::getLastIndexAsUnsigned): Deleted.
1893         * runtime/RegExpObject.h:
1894         (JSC::RegExpObject::getLastIndex):
1895         (JSC::RegExpObject::test):
1896         (JSC::RegExpObject::testInline):
1897         * runtime/RegExpObjectInlines.h: Added.
1898         (JSC::getRegExpObjectLastIndexAsUnsigned):
1899         (JSC::RegExpObject::execInline):
1900         (JSC::RegExpObject::matchInline):
1901
1902 2016-03-08  Mark Lam  <mark.lam@apple.com>
1903
1904         synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
1905         https://bugs.webkit.org/show_bug.cgi?id=155169
1906
1907         Reviewed by Geoffrey Garen.
1908
1909         With the exception checks, we may end up throwing new exceptions over an existing
1910         one that has been thrown but not handled yet, thereby obscuring it.  It may also
1911         mean that the VM will continue running on potentially unstable state, which may
1912         have undesirable consequences.
1913
1914         I first observed this in some failed assertion while running tests on a patch for
1915         https://bugs.webkit.org/show_bug.cgi?id=154865.
1916
1917         Performance is neutral with this patch (tested on x86_64).
1918
1919         1. Deleted JSNotAnObject, and removed all uses of it.
1920
1921         2. Added exception checks, when needed, following calls to synthesizePrototype()
1922            and JSValue::toObject().
1923
1924            The cases that do not need an exception check are the ones that already ensures
1925            that JSValue::toObject() is only called on a value that is convertible to an
1926            object.  In those cases, I added an assertion that no exception was thrown
1927            after the call.
1928
1929         * CMakeLists.txt:
1930         * JavaScriptCore.xcodeproj/project.pbxproj:
1931         * inspector/ScriptCallStackFactory.cpp:
1932         (Inspector::createScriptCallStackFromException):
1933         * interpreter/Interpreter.cpp:
1934         * jit/JITOperations.cpp:
1935         * llint/LLIntSlowPaths.cpp:
1936         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1937         * runtime/ArrayPrototype.cpp:
1938         (JSC::arrayProtoFuncJoin):
1939         (JSC::arrayProtoFuncConcat):
1940         (JSC::arrayProtoFuncPop):
1941         (JSC::arrayProtoFuncPush):
1942         (JSC::arrayProtoFuncReverse):
1943         (JSC::arrayProtoFuncShift):
1944         (JSC::arrayProtoFuncSlice):
1945         (JSC::arrayProtoFuncSplice):
1946         (JSC::arrayProtoFuncUnShift):
1947         (JSC::arrayProtoFuncIndexOf):
1948         (JSC::arrayProtoFuncLastIndexOf):
1949         (JSC::arrayProtoFuncValues):
1950         (JSC::arrayProtoFuncEntries):
1951         (JSC::arrayProtoFuncKeys):
1952         * runtime/CommonSlowPaths.cpp:
1953         (JSC::SLOW_PATH_DECL):
1954         * runtime/ExceptionHelpers.cpp:
1955         * runtime/JSCJSValue.cpp:
1956         (JSC::JSValue::toObjectSlowCase):
1957         (JSC::JSValue::toThisSlowCase):
1958         (JSC::JSValue::synthesizePrototype):
1959         (JSC::JSValue::putToPrimitive):
1960         (JSC::JSValue::putToPrimitiveByIndex):
1961         * runtime/JSCJSValueInlines.h:
1962         (JSC::JSValue::getPropertySlot):
1963         (JSC::JSValue::get):
1964         * runtime/JSFunction.cpp:
1965         * runtime/JSGlobalObjectFunctions.cpp:
1966         (JSC::globalFuncProtoGetter):
1967         * runtime/JSNotAnObject.cpp: Removed.
1968         * runtime/JSNotAnObject.h: Removed.
1969         * runtime/ObjectConstructor.cpp:
1970         (JSC::objectConstructorDefineProperties):
1971         (JSC::objectConstructorCreate):
1972         * runtime/ObjectPrototype.cpp:
1973         (JSC::objectProtoFuncValueOf):
1974         (JSC::objectProtoFuncHasOwnProperty):
1975         (JSC::objectProtoFuncIsPrototypeOf):
1976         (JSC::objectProtoFuncToString):
1977         * runtime/VM.cpp:
1978         (JSC::VM::VM):
1979         * runtime/VM.h:
1980
1981 2016-03-08  Oliver Hunt  <oliver@apple.com>
1982
1983         Start moving to separated writable and executable mappings in the JIT
1984         https://bugs.webkit.org/show_bug.cgi?id=155178
1985
1986         Reviewed by Filip Pizlo.
1987
1988         Start moving to a separate writable and executable heap for the various
1989         JITs.
1990
1991         As part of our work to harden the JIT against various attacks, we're
1992         moving away from our current RWX heap and on to using separate RW and X
1993         mappings. This means that simply leaking the location of the executable
1994         mapping is not sufficient to compromise JSC, so we can continue to
1995         use direct executable pointers in our GC objects (which we need for
1996         performance), but keep the writable pointer in only a single location
1997         so that we are less likely to leak the address. To further obscure the
1998         address of the writable region we place it in an execute only region
1999         of memory so that it is not possible to read the location from 
2000         anywhere. That means an attacker must have at least partial control
2001         of PC (to call jitMemCopy) before they can start to attack the JIT.
2002
2003         This work is initially ARM64 only, as we use as the jitMemCopy is
2004         currently specific to that platform's calling conventions and layout.
2005         We're just landing it in the current form so that we can at least
2006         ensure it doesn't regress.
2007
2008         * Configurations/FeatureDefines.xcconfig:
2009         * assembler/ARM64Assembler.h:
2010         (JSC::ARM64Assembler::ldp):
2011         (JSC::ARM64Assembler::ldnp):
2012         (JSC::ARM64Assembler::fillNops):
2013         (JSC::ARM64Assembler::stp):
2014         (JSC::ARM64Assembler::stnp):
2015         (JSC::ARM64Assembler::replaceWithJump):
2016         (JSC::ARM64Assembler::replaceWithLoad):
2017         (JSC::ARM64Assembler::replaceWithAddressComputation):
2018         (JSC::ARM64Assembler::setPointer):
2019         (JSC::ARM64Assembler::repatchInt32):
2020         (JSC::ARM64Assembler::repatchCompact):
2021         (JSC::ARM64Assembler::linkJumpOrCall):
2022         (JSC::ARM64Assembler::linkCompareAndBranch):
2023         (JSC::ARM64Assembler::linkConditionalBranch):
2024         (JSC::ARM64Assembler::linkTestAndBranch):
2025         (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
2026         (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
2027         * assembler/LinkBuffer.cpp:
2028         (JSC::LinkBuffer::copyCompactAndLinkCode):
2029         (JSC::LinkBuffer::allocate):
2030         * assembler/LinkBuffer.h:
2031         (JSC::LinkBuffer::LinkBuffer):
2032         * assembler/MacroAssemblerARM64.h:
2033         (JSC::MacroAssemblerARM64::sub64):
2034         (JSC::MacroAssemblerARM64::load64):
2035         (JSC::MacroAssemblerARM64::loadPair64):
2036         (JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
2037         (JSC::MacroAssemblerARM64::load8):
2038         (JSC::MacroAssemblerARM64::store64):
2039         (JSC::MacroAssemblerARM64::storePair64):
2040         (JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
2041         (JSC::MacroAssemblerARM64::store8):
2042         (JSC::MacroAssemblerARM64::branchAdd64):
2043         (JSC::MacroAssemblerARM64::branchSub64):
2044         * jit/ExecutableAllocator.h:
2045         (JSC::performJITMemcpy):
2046         * jit/ExecutableAllocatorFixedVMPool.cpp:
2047         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2048         (JSC::FixedVMPoolExecutableAllocator::initializeBulletproofJIT):
2049         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2050         * runtime/Options.cpp:
2051         (JSC::recomputeDependentOptions):
2052         * runtime/Options.h:
2053
2054 2016-03-08  Michael Saboff  <msaboff@apple.com>
2055
2056         [ES6] Regular Expression canonicalization tables for Unicode need to be updated to use Unicode CaseFolding.txt
2057         https://bugs.webkit.org/show_bug.cgi?id=155114
2058
2059         Reviewed by Darin Adler.
2060
2061         Extracted out the Unicode canonicalization table creation from
2062         YarrCanonicalizeUnicode.js into a new Python script, generateYarrCanonicalizeUnicode.
2063         That script generates the Unicode tables as the file YarrCanonicalizeUnicode.cpp in
2064         DerivedSources/JavaScriptCore.
2065
2066         Updated the processing of ignore case to make the ASCII short cuts dependent on whether
2067         or not we are a Unicode pattern.
2068
2069         Renamed yarr/YarrCanonicalizeUnicode.{cpp,js} back to their prior names,
2070         YarrCanonicalizeUCS2.{cpp,js}.
2071         Renamed yarr/YarrCanonicalizeUnicode.h to YarrCanonicalize.h as it declares both the
2072         legacy UCS2 and Unicode tables.
2073
2074         * CMakeLists.txt:
2075         * DerivedSources.make:
2076         * JavaScriptCore.xcodeproj/project.pbxproj:
2077         * generateYarrCanonicalizeUnicode: Added.
2078         * ucd: Added.
2079         * ucd/CaseFolding.txt: Added.  The current verion, 8.0, of the Unicode CaseFolding table.
2080         * yarr/YarrCanonicalizeUCS2.cpp: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.cpp.
2081         * yarr/YarrCanonicalize.h: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.h.
2082         * yarr/YarrCanonicalizeUCS2.js: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.js.
2083         (printHeader):
2084         * yarr/YarrCanonicalizeUnicode.cpp: Removed.
2085         * yarr/YarrCanonicalizeUnicode.h: Removed.
2086         * yarr/YarrCanonicalizeUnicode.js: Removed.
2087         * yarr/YarrInterpreter.cpp:
2088         (JSC::Yarr::Interpreter::tryConsumeBackReference):
2089         * yarr/YarrJIT.cpp:
2090         * yarr/YarrPattern.cpp:
2091         (JSC::Yarr::CharacterClassConstructor::putChar):
2092
2093 2016-03-08  Andreas Kling  <akling@apple.com>
2094
2095         WeakBlock::visit() should check for a WeakHandleOwner before consulting mark bits.
2096         <https://webkit.org/b/155154>
2097
2098         Reviewed by Darin Adler.
2099
2100         Reorder the checks in WeakBlock::visit() so we don't look at the mark bits in MarkedBlock
2101         unless the current WeakImpl has a WeakHandleOwner we need to consult.
2102
2103         I was originally hoping to make an optimization that could skip over entire WeakBlocks
2104         if they didn't have a single WeakHandleOwner, but it turns out that scenario is not as
2105         common as I suspected.
2106
2107         * heap/WeakBlock.cpp:
2108         (JSC::WeakBlock::visit):
2109
2110 2016-03-07  Saam barati  <sbarati@apple.com>
2111
2112         [ES6] Implement revocable proxies
2113         https://bugs.webkit.org/show_bug.cgi?id=154321
2114
2115         Reviewed by Mark Lam.
2116
2117         This patch is a straight forward implementation of Proxy.revocable
2118         with respect to section 26.2.2.1 of the ECMAScript spec.
2119         https://tc39.github.io/ecma262/#sec-proxy.revocable
2120
2121         This patch also fixes a bug in Proxy where we
2122         were incorrectly caching "in", i.e, `"x" in proxy`.
2123         We should never blatantly cache this because caching is observable
2124         behavior by users of the language. We could come up with
2125         a smarter caching scheme that caches only if the Proxy's
2126         handler doesn't have a "has" property, i.e, we don't have
2127         to call out to JS code. But for now, it's easiest to disable
2128         caching.
2129
2130         * CMakeLists.txt:
2131         * JavaScriptCore.xcodeproj/project.pbxproj:
2132         * runtime/JSGlobalObject.cpp:
2133         (JSC::JSGlobalObject::init):
2134         (JSC::JSGlobalObject::visitChildren):
2135         * runtime/JSGlobalObject.h:
2136         (JSC::JSGlobalObject::moduleRecordStructure):
2137         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
2138         (JSC::JSGlobalObject::proxyObjectStructure):
2139         (JSC::JSGlobalObject::proxyRevokeStructure):
2140         (JSC::JSGlobalObject::wasmModuleStructure):
2141         * runtime/ProxyConstructor.cpp:
2142         (JSC::ProxyConstructor::create):
2143         (JSC::ProxyConstructor::ProxyConstructor):
2144         (JSC::makeRevocableProxy):
2145         (JSC::proxyRevocableConstructorThrowError):
2146         (JSC::ProxyConstructor::finishCreation):
2147         (JSC::constructProxyObject):
2148         * runtime/ProxyConstructor.h:
2149         (JSC::ProxyConstructor::createStructure):
2150         * runtime/ProxyObject.cpp:
2151         (JSC::ProxyObject::finishCreation):
2152         (JSC::performProxyGet):
2153         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2154         (JSC::ProxyObject::performHasProperty):
2155         (JSC::ProxyObject::performPut):
2156         (JSC::performProxyCall):
2157         (JSC::performProxyConstruct):
2158         (JSC::ProxyObject::performDelete):
2159         (JSC::ProxyObject::performPreventExtensions):
2160         (JSC::ProxyObject::performIsExtensible):
2161         (JSC::ProxyObject::performDefineOwnProperty):
2162         (JSC::ProxyObject::performGetOwnPropertyNames):
2163         (JSC::ProxyObject::performSetPrototype):
2164         (JSC::ProxyObject::performGetPrototype):
2165         (JSC::ProxyObject::getPrototype):
2166         (JSC::ProxyObject::revoke):
2167         (JSC::ProxyObject::visitChildren):
2168         * runtime/ProxyObject.h:
2169         (JSC::ProxyObject::create):
2170         * runtime/ProxyRevoke.cpp: Added.
2171         (JSC::ProxyRevoke::create):
2172         (JSC::ProxyRevoke::ProxyRevoke):
2173         (JSC::ProxyRevoke::finishCreation):
2174         (JSC::performProxyRevoke):
2175         (JSC::ProxyRevoke::getCallData):
2176         (JSC::ProxyRevoke::visitChildren):
2177         * runtime/ProxyRevoke.h: Added.
2178         (JSC::ProxyRevoke::createStructure):
2179         (JSC::ProxyRevoke::proxy):
2180         (JSC::ProxyRevoke::setProxyToNull):
2181         * tests/stress/proxy-has-property.js:
2182         (assert):
2183         (assert.let.handler.has):
2184         (assert.let.foo):
2185         * tests/stress/proxy-revoke.js: Added.
2186         (assert):
2187         (throw.new.Error.):
2188         (throw.new.Error):
2189         (callAllHandlers):
2190         (shouldThrowNullHandler):
2191         (allHandlersShouldThrow):
2192         (i.let.trap.of.traps.trap.string_appeared_here.func):
2193         (i.let.trap.of.traps.else.func):
2194         (i.Proxy.revocable):
2195
2196 2016-03-07  Csaba Osztrogon√°c  <ossy@webkit.org>
2197
2198         Fix the ARM build after r197687
2199         https://bugs.webkit.org/show_bug.cgi?id=155128
2200
2201         Reviewed by Saam Barati.
2202
2203         * assembler/MacroAssemblerARM.h:
2204         (JSC::MacroAssemblerARM::moveZeroToDouble):
2205
2206 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
2207
2208         Reduce the number of instructions needed to record the last regexp result
2209         https://bugs.webkit.org/show_bug.cgi?id=155161
2210
2211         Reviewed by Sam Weinig.
2212
2213         This tightens up RegExpCachedResult::record(). My profiling shows that we spend just
2214         over 1% of the time in Octane/regexp in this function. This function had two obvious
2215         redundancies:
2216
2217         1) It executed the write barrier on owner twice. It only needs to execute it once. Since
2218            the same RegExpConstructor is likely to be used many times, it makes sense to do the
2219            barrier without looking at the 'to' objects at all. In steady state, this means that
2220            the RegExpConstructor will simply be OldGrey so this one barrier will always skip the
2221            slow path.
2222
2223         2) It cleared some fields that didn't need to be cleared, since we can just use
2224            m_reified to indicate that the fields are not meaningful anymore.
2225
2226         This is meant to be a microscopic regexp speed-up.
2227
2228         * runtime/RegExpCachedResult.cpp:
2229         (JSC::RegExpCachedResult::visitChildren):
2230         (JSC::RegExpCachedResult::lastResult):
2231         * runtime/RegExpCachedResult.h:
2232         (JSC::RegExpCachedResult::record):
2233
2234 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
2235
2236         createRegExpMatchesArray should allocate substrings more quickly
2237         https://bugs.webkit.org/show_bug.cgi?id=155160
2238
2239         Reviewed by Sam Weinig.
2240
2241         This was calling a version of jsSubstring() that isn't inlineable because it was doing a lot
2242         of checks in finishCreation(). In particular, it was checking that the base string is not
2243         itself a substring and that it's been resolved. We don't need those checks here, since the
2244         string must have been resolved prior to regexp processing.
2245
2246         This patch is also smart about whether to do checks for the empty and full substrings. In
2247         the matches array loop, these checks are super unlikely to be profitable, so we just
2248         unconditionally allocate the substring.
2249
2250         This removes those checks and makes the allocation inlineable. It looks like a 1% speed-up
2251         on Octane/regexp.
2252
2253         * runtime/JSString.h:
2254         (JSC::jsSubstring):
2255         (JSC::jsSubstringOfResolved):
2256         * runtime/RegExpMatchesArray.cpp:
2257         (JSC::createRegExpMatchesArray):
2258
2259 2016-03-07  Benjamin Poulain  <bpoulain@apple.com>
2260
2261         [JSC] Small clean up of how we use SSA's valuesAtHead
2262         https://bugs.webkit.org/show_bug.cgi?id=155152
2263
2264         Reviewed by Filip Pizlo.
2265
2266         liveAtHead and valuesAtHead contain the same nodes,
2267         we do not need the extra look up.
2268
2269         This also opens the way to use the same kind of liveness
2270         analysis as Air (where live values at head do not use a set).
2271
2272         * dfg/DFGInPlaceAbstractState.cpp:
2273         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2274         (JSC::DFG::InPlaceAbstractState::merge):
2275
2276 2016-03-07  Brian Burg  <bburg@apple.com>
2277
2278         Web Inspector: the protocol generator should generate factory method stubs for protocol types
2279         https://bugs.webkit.org/show_bug.cgi?id=155103
2280         <rdar://problem/25002772>
2281
2282         Reviewed by Timothy Hatcher.
2283
2284         Generate stubs with unique names so that parsing methods can be used
2285         reflectively at runtime, based on the protocol version that's loaded.
2286
2287         * JavaScriptCore.xcodeproj/project.pbxproj:
2288         * inspector/scripts/codegen/__init__.py:
2289         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2290         Added. For each type in a domain, add a method of the form
2291         -[ProtocolTypeConversions _parseXXX:fromPayload]. This is in a category
2292         method, and the selector is only ever looked up at runtime.
2293
2294         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
2295         * inspector/scripts/generate-inspector-protocol-bindings.py:
2296         (generate_from_specification):
2297
2298         Rebaseline test results with new generator output.
2299
2300         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2301         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2302         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2303         * inspector/scripts/tests/expected/enum-values.json-result:
2304         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2305         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2306         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2307         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2308         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2309         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2310         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2311         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2312         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2313
2314 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
2315
2316         RegExp.prototype.exec() should call into Yarr at most once
2317         https://bugs.webkit.org/show_bug.cgi?id=155139
2318
2319         Reviewed by Saam Barati.
2320
2321         For apparently no good reason, RegExp.prototype.match() was calling into Yarr twice, almost
2322         as if it was hoping that the non-matching case was so common that it was best to have the
2323         matching case do the work all over again.
2324
2325         This is a 4% speed-up on Octane/regexp. It's also a matter of common sense: we should not be
2326         in the business of presuming whether someone's match will succeed or fail. The increased
2327         cost of running Yarr twice is so much larger than whatever savings we were getting from
2328         running a match-only regexp that this is just not a good overall deal for the engine.
2329
2330         Also, it's interesting that we are seeing a 4% speed-up on regexp despite the fact that a
2331         majority (almost a supermajority, I think) of calls into RegExp.prototype.match() are failed
2332         matches. So, this change is a 4% speed-up despite being a slow down on the common case. That
2333         tells you just how bad the old behavior was on the uncommon case.
2334
2335         * runtime/MatchResult.h:
2336         (MatchResult::MatchResult):
2337         (MatchResult::failed):
2338         (MatchResult::operator bool):
2339         * runtime/RegExpCachedResult.cpp:
2340         (JSC::RegExpCachedResult::lastResult):
2341         * runtime/RegExpConstructor.h:
2342         (JSC::RegExpConstructor::setMultiline):
2343         (JSC::RegExpConstructor::multiline):
2344         (JSC::RegExpConstructor::performMatch):
2345         (JSC::RegExpConstructor::recordMatch):
2346         * runtime/RegExpMatchesArray.cpp:
2347         (JSC::createRegExpMatchesArray):
2348         (JSC::createEmptyRegExpMatchesArray):
2349         (JSC::createStructureImpl):
2350         * runtime/RegExpMatchesArray.h:
2351         (JSC::createRegExpMatchesArray):
2352         * runtime/RegExpObject.cpp:
2353         (JSC::RegExpObject::put):
2354         (JSC::getLastIndexAsUnsigned):
2355         (JSC::RegExpObject::exec):
2356         (JSC::RegExpObject::match):
2357         * runtime/RegExpObject.h:
2358         (JSC::RegExpObject::getLastIndex):
2359         (JSC::RegExpObject::test):
2360         * runtime/StringPrototype.cpp:
2361         (JSC::stringProtoFuncMatch):
2362
2363 2016-03-07  Joseph Pecoraro  <pecoraro@apple.com>
2364
2365         Heap Snapshot should include different Edge types and data (Property, Index, Variable)
2366         https://bugs.webkit.org/show_bug.cgi?id=154937
2367
2368         Reviewed by Geoffrey Garen.
2369
2370         * heap/SlotVisitor.cpp:
2371         (JSC::SlotVisitor::appendHidden):
2372         * heap/SlotVisitor.h:
2373         * heap/SlotVisitorInlines.h:
2374         (JSC::SlotVisitor::appendHidden):
2375         (JSC::SlotVisitor::appendValuesHidden):
2376         Add new visit methods to visit a reference without snapshotting the edge.
2377
2378         * heap/Heap.cpp:
2379         (JSC::AddExtraHeapSnapshotEdges::AddExtraHeapSnapshotEdges):
2380         (JSC::AddExtraHeapSnapshotEdges::operator()):
2381         (JSC::Heap::addHeapSnapshotEdges):
2382         (JSC::Heap::removeDeadHeapSnapshotNodes):
2383         (JSC::Heap::collectImpl):
2384         * heap/Heap.h:
2385         After marking, visit the live cells for a chance to record extra
2386         heap snapshotting information about the cell.
2387
2388         * heap/HeapSnapshotBuilder.cpp:
2389         (JSC::HeapSnapshotBuilder::appendNode):
2390         (JSC::HeapSnapshotBuilder::appendEdge):
2391         (JSC::HeapSnapshotBuilder::appendPropertyNameEdge):
2392         (JSC::HeapSnapshotBuilder::appendVariableNameEdge):
2393         (JSC::HeapSnapshotBuilder::appendIndexEdge):
2394         (JSC::HeapSnapshotBuilder::json):
2395         * heap/HeapSnapshotBuilder.h:
2396         (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
2397         Construct edges with extra data.
2398
2399         * runtime/ClassInfo.h:
2400         * runtime/JSCell.cpp:
2401         (JSC::JSCell::heapSnapshot):
2402         * runtime/JSCell.h:
2403         Add a new method to provide cells with an opportunity to provide
2404         extra heap snapshotting information.
2405
2406         * runtime/JSObject.cpp:
2407         (JSC::JSObject::visitButterfly):
2408         (JSC::JSObject::visitChildren):
2409         (JSC::JSObject::heapSnapshot):
2410         (JSC::JSFinalObject::visitChildren):
2411         * runtime/JSObject.h:
2412         Capture object property names and index names when heap snapshotting.
2413         Do not include them as internal edges in normal visitChildren.
2414
2415         * runtime/JSEnvironmentRecord.cpp:
2416         (JSC::JSEnvironmentRecord::visitChildren):
2417         (JSC::JSEnvironmentRecord::heapSnapshot):
2418         * runtime/JSEnvironmentRecord.h:
2419         * runtime/JSSegmentedVariableObject.cpp:
2420         (JSC::JSSegmentedVariableObject::visitChildren):
2421         (JSC::JSSegmentedVariableObject::heapSnapshot):
2422         * runtime/JSSegmentedVariableObject.h:
2423         Capture scope variable names when heap snapshotting.
2424
2425         * runtime/Structure.cpp:
2426         (JSC::Structure::visitChildren):
2427         * runtime/Structure.h:
2428         * runtime/StructureInlines.h:
2429         (JSC::Structure::propertyTable):
2430         When performing a heap snapshotting collection, don't clear the
2431         property table so that accessing the table during this GC is okay.
2432
2433         * tests/heapProfiler/driver/driver.js:
2434         * tests/heapProfiler/property-edge-types.js: Added.
2435         * tests/heapProfiler/variable-edge-types.js: Added.
2436         Tests covering the different edge types and data we capture.
2437
2438 2016-03-07  Saam barati  <sbarati@apple.com>
2439
2440         [ES6] Implement Proxy.[[GetPrototypeOf]]
2441         https://bugs.webkit.org/show_bug.cgi?id=155099
2442
2443         Reviewed by Mark Lam.
2444
2445         This patch is a straight forward implementation of Proxy.[[GetPrototypeOf]]
2446         with respect to section 9.5.1 of the ECMAScript spec.
2447         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-getprototypeof
2448
2449         * runtime/ProxyObject.cpp:
2450         (JSC::performProxyGet):
2451         (JSC::ProxyObject::setPrototype):
2452         (JSC::ProxyObject::performGetPrototype):
2453         (JSC::ProxyObject::getPrototype):
2454         (JSC::ProxyObject::visitChildren):
2455         * runtime/ProxyObject.h:
2456         * tests/es6.yaml:
2457         * tests/stress/proxy-get-prototype-of.js: Added.
2458         (assert):
2459         (throw.new.Error.let.handler.get getPrototypeOf):
2460         (throw.new.Error.get let):
2461         (throw.new.Error.get catch):
2462         (throw.new.Error):
2463         (assert.let.handler.getPrototypeOf):
2464         (assert.get let):
2465         (assert.get catch):
2466         (assert.):
2467         (let.handler.getPrototypeOf):
2468         (get let):
2469         (let.handler.has):
2470
2471 2016-03-07  Brian Burg  <bburg@apple.com>
2472
2473         Web Inspector: rename generated *EnumConversionHelpers.h to *TypeConversions.h
2474         https://bugs.webkit.org/show_bug.cgi?id=155121
2475         <rdar://problem/25010391>
2476
2477         Reviewed by Timothy Hatcher.
2478
2479         Split out this renaming from the work to generate factory method stubs for types.
2480
2481         * JavaScriptCore.xcodeproj/project.pbxproj:
2482         * inspector/scripts/codegen/__init__.py:
2483         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2484         (ObjCConfigurationImplementationGenerator.generate_output):
2485         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2486         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2487         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objc_conversion_helpers.py.
2488         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2489         (ObjCProtocolTypesImplementationGenerator.generate_output):
2490         * inspector/scripts/codegen/objc_generator_templates.py:
2491         * inspector/scripts/generate-inspector-protocol-bindings.py:
2492         (generate_from_specification):
2493
2494         Rebaseline tests after changing generator order.
2495
2496         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2497         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2498         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2499         * inspector/scripts/tests/expected/enum-values.json-result:
2500         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2501         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2502         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2503         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2504         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2505         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2506         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2507         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2508         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2509
2510 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
2511
2512         [JSC] Improve and64() and or64() with immediate on x86
2513         https://bugs.webkit.org/show_bug.cgi?id=155104
2514
2515         Reviewed by Geoffrey Garen.
2516
2517         GetButterflyReadOnly was doing:
2518             movq 0x8(%rbx), %r9
2519             movq $0xfffffffffffffffc, %r11
2520             andq %r11, %r9
2521         There is no need for the move to load the immediate,
2522         andq sign extend its immediate.
2523
2524         With this patch, we have:
2525             movq 0x8(%rbx), %r9
2526             andq $0xfffffffffffffffc, %r9
2527
2528         * assembler/MacroAssemblerX86_64.h:
2529         (JSC::MacroAssemblerX86_64::and64):
2530         (JSC::MacroAssemblerX86_64::or64):
2531
2532 2016-03-07  Brian Burg  <bburg@apple.com>
2533
2534         Web Inspector: It should be possible to initialize generated ObjC protocol types from an NSDictionary payload
2535         https://bugs.webkit.org/show_bug.cgi?id=155102
2536         <rdar://problem/25002015>
2537
2538         Reviewed by Timothy Hatcher.
2539
2540         In Objective-C code, we sometimes prefer to parse JSON using Cocoa rather
2541         than the InspectorValue classes. Support initializing protocol objects
2542         directly from an NSDictionary payload. This delegates validation of values to
2543         the setter methods that already exist on the protocol object classes.
2544
2545         * inspector/scripts/codegen/generate_objc_header.py:
2546         (ObjCHeaderGenerator._generate_type_interface):
2547         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2548         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2549         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
2550         * inspector/scripts/codegen/objc_generator.py:
2551         (ObjCGenerator.payload_to_objc_expression_for_member):
2552         Add a new helper method to generate an expression to unpack the value
2553         from an NSDictionary. If it's not a primitive, the setter performs
2554         validation of the value's kind using -[NSObject isKindOfClass:].
2555
2556         Rebaseline relevant tests.
2557
2558         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2559         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2560         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2561         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2562         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2563         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2564         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2565
2566 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
2567
2568         [JSC] Simplify the overflow check of ArithAbs
2569         https://bugs.webkit.org/show_bug.cgi?id=155063
2570
2571         Reviewed by Geoffrey Garen.
2572
2573         The only integer that overflow abs(int32) is INT_MIN.
2574         For some reason, our code testing for that case
2575         was checking the top bit of the result specifically.
2576
2577         The code required a large immediate on x86 and an extra
2578         register on ARM64.
2579
2580         This patch turns the overflow check into a branch on
2581         the sign of the result.
2582
2583         * dfg/DFGSpeculativeJIT32_64.cpp:
2584         (JSC::DFG::SpeculativeJIT::compile):
2585         * dfg/DFGSpeculativeJIT64.cpp:
2586         (JSC::DFG::SpeculativeJIT::compile):
2587         * ftl/FTLLowerDFGToB3.cpp:
2588         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
2589         * jit/ThunkGenerators.cpp:
2590         (JSC::absThunkGenerator):
2591         * tests/stress/arith-abs-overflow.js: Added.
2592         (opaqueAbs):
2593
2594 2016-03-07  Benjamin Poulain  <bpoulain@apple.com>
2595
2596         [JSC] Improve how DFG zero Floating Point registers
2597         https://bugs.webkit.org/show_bug.cgi?id=155096
2598
2599         Reviewed by Geoffrey Garen.
2600
2601         DFG had a weird way of zeroing a FPR:
2602             -zero a GP.
2603             -move that to a FP.
2604
2605         Filip added moveZeroToDouble() for B3. This patch
2606         uses that in the lower tiers.
2607
2608         * assembler/MacroAssemblerARMv7.h:
2609         (JSC::MacroAssemblerARMv7::moveZeroToDouble):
2610         * dfg/DFGSpeculativeJIT64.cpp:
2611         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2612         * jit/ThunkGenerators.cpp:
2613         (JSC::floorThunkGenerator):
2614         (JSC::roundThunkGenerator):
2615
2616 2016-03-07  Andreas Kling  <akling@apple.com>
2617
2618         REGRESSION (r197303): Web Inspector crashes web process when inspecting an element on TOT
2619         <https://webkit.org/b/154812>
2620
2621         Reviewed by Geoffrey Garen.
2622
2623         Guard against null pointer dereference for UnlinkedCodeBlocks that don't have any control flow
2624         profiling data.
2625
2626         * bytecode/CodeBlock.cpp:
2627         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2628         * bytecode/UnlinkedCodeBlock.h:
2629         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets):
2630
2631 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
2632
2633         [JSC] Remove a useless "Move" from baseline-JIT op_mul's fast path
2634         https://bugs.webkit.org/show_bug.cgi?id=155071
2635
2636         Reviewed by Geoffrey Garen.
2637
2638         We do not need to multiply to a scratch and then move the result
2639         to the destination. We can just multiply to the destination.
2640
2641         * jit/JITArithmetic.cpp:
2642         (JSC::JIT::emit_op_mul):
2643         * jit/JITMulGenerator.cpp:
2644         (JSC::JITMulGenerator::generateFastPath):
2645
2646 2016-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2647
2648         [JSC] StringObject.{put, defineOwnProperty} should realize indexed properties
2649         https://bugs.webkit.org/show_bug.cgi?id=155089
2650
2651         Reviewed by Geoffrey Garen.
2652
2653         Through implementing Reflect.set[1], we found StringObject does not obey the spec.
2654         StringObject::put should call putByIndex if the given propertyName is index.
2655         And StringObject::defineOwnProperty should recognize indexed properties since
2656         JSObject::defineOwnIndexedProperty is specialized to JSObject layout.
2657         Before calling JSObject::defineOwnProperty,
2658         StringObject should handle its special indexed own properties.
2659         It is responsibility of StringObject::defineOwnProperty.
2660
2661         And the logic is cleaned up by using validateAndApplyPropertyDescriptor.
2662
2663         [1]: https://bugs.webkit.org/show_bug.cgi?id=155024
2664
2665         * runtime/StringObject.cpp:
2666         (JSC::StringObject::put):
2667         (JSC::StringObject::putByIndex):
2668         (JSC::isStringOwnProperty):
2669         (JSC::StringObject::defineOwnProperty):
2670         (JSC::StringObject::deleteProperty):
2671         * tests/stress/string-object-define-own-property.js: Added.
2672         (shouldBe):
2673         (shouldThrow):
2674         * tests/stress/string-object-put-by-index.js: Added.
2675         (shouldBe):
2676         (shouldThrow):
2677         (testSloppy):
2678         (testStrict):
2679
2680 2016-03-06  Brian Burg  <bburg@apple.com>
2681
2682         Web Inspector: the protocol generator should have separate prefix options for Objective-C classes and filenames
2683         https://bugs.webkit.org/show_bug.cgi?id=155101
2684         <rdar://problem/25000053>
2685
2686         Reviewed by Timothy Hatcher.
2687
2688         It should be possible to generate Objective-C protocol types without prefixing all class names.
2689         The prefixes are only necessary when the generated files are part of a framework, but this isn't
2690         how the generated Objective-C frontend files are used.
2691
2692         Add a separate framework setting and switch over code to use the 'protocol_group' in filenames,
2693         and the 'objc_prefix' for Objective-C enum and class prefixes.
2694
2695         No tests need to be rebaselined because tests always set the protocol_group and objc_prefix
2696         to the same value.
2697
2698         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2699         (ObjCBackendDispatcherHeaderGenerator.output_filename):
2700         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2701         (ObjCConfigurationImplementationGenerator.output_filename):
2702         (ObjCConfigurationImplementationGenerator.generate_output):
2703         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2704         (ObjCConfigurationHeaderGenerator.output_filename):
2705         (ObjCConfigurationHeaderGenerator.generate_output):
2706         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
2707         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2708         (ObjCBackendDispatcherImplementationGenerator.output_filename):
2709         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2710         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
2711         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
2712         (ObjCConversionHelpersGenerator.output_filename):
2713         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2714         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
2715         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2716         * inspector/scripts/codegen/generate_objc_header.py:
2717         (ObjCHeaderGenerator.output_filename):
2718         * inspector/scripts/codegen/generate_objc_internal_header.py:
2719         (ObjCInternalHeaderGenerator.output_filename):
2720         (ObjCInternalHeaderGenerator.generate_output):
2721         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2722         (ObjCProtocolTypesImplementationGenerator.output_filename):
2723         (ObjCProtocolTypesImplementationGenerator.generate_output):
2724         * inspector/scripts/codegen/models.py:
2725         * inspector/scripts/codegen/objc_generator.py:
2726         (ObjCGenerator):
2727         (ObjCGenerator.protocol_name):
2728         (ObjCGenerator.objc_prefix):
2729
2730 2016-03-06  Brian Burg  <bburg@apple.com>
2731
2732         Unreviewed, rebaseline inspector protocol generator tests after r197563.
2733
2734         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2735         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2736         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2737         * inspector/scripts/tests/expected/enum-values.json-result:
2738         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2739
2740 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
2741
2742         [JSC] Improve DFG's Int32 ArithMul if one operand is a constant
2743         https://bugs.webkit.org/show_bug.cgi?id=155066
2744
2745         Reviewed by Filip Pizlo.
2746
2747         When multiplying an integer by a constant, DFG was doing quite
2748         a bit worse than baseline JIT.
2749         We were loading the constant into a register, doing the multiply,
2750         the checking the result and both operands for negative zero.
2751
2752         This patch changes:
2753         -Use the multiply-by-immediate form on x86.
2754         -Do as few checks as possible to detect negative-zero.
2755
2756         In most cases, this reduce the negative-zero checks
2757         to zero or one TEST+JUMP.
2758
2759         * assembler/MacroAssembler.h:
2760         (JSC::MacroAssembler::mul32):
2761         * dfg/DFGSpeculativeJIT.cpp:
2762         (JSC::DFG::SpeculativeJIT::compileArithMul):
2763
2764 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
2765
2766         [JSC] Remove a superfluous Move in front of every double unboxing
2767         https://bugs.webkit.org/show_bug.cgi?id=155064
2768
2769         Reviewed by Saam Barati.
2770
2771         Double unboxing was always doing:
2772             Move source, scratch
2773             Add64 tag, scratch
2774             IntToDouble scratch, fp
2775
2776         We do not need to "Move" to copy the source.
2777         Both x86 and ARM64 have an efficient 3 operands Add instruction.
2778
2779         * dfg/DFGSpeculativeJIT.cpp:
2780         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2781         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2782         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
2783         * dfg/DFGSpeculativeJIT.h:
2784         (JSC::DFG::SpeculativeJIT::unboxDouble):
2785         * jit/AssemblyHelpers.h:
2786         (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
2787         (JSC::AssemblyHelpers::unboxDouble):
2788         (JSC::AssemblyHelpers::unboxDoubleNonDestructive):
2789
2790 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
2791
2792         [JSC] Use 3 operands Add in more places
2793         https://bugs.webkit.org/show_bug.cgi?id=155082
2794
2795         Reviewed by Filip Pizlo.
2796
2797         * assembler/MacroAssembler.h:
2798         (JSC::MacroAssembler::addPtr):
2799         (JSC::MacroAssembler::add32):
2800         * assembler/MacroAssemblerARMv7.h:
2801         (JSC::MacroAssemblerARMv7::add32):
2802         * dfg/DFGSpeculativeJIT.cpp:
2803         (JSC::DFG::SpeculativeJIT::compileArithAdd):
2804         The case with child1 constant is useless.
2805         The canonical form will have the constant as child2.
2806
2807         Also add register reuse for the fast-add.
2808         Registers are a scarce resource on x86.
2809
2810         * jit/CCallHelpers.h:
2811         (JSC::CCallHelpers::prepareForTailCallSlow):
2812         * yarr/YarrJIT.cpp:
2813         (JSC::Yarr::YarrGenerator::generate):
2814
2815 2016-03-06  Benjamin Poulain  <bpoulain@apple.com>
2816
2817         [JSC] Improve codegen of Compare and Test
2818         https://bugs.webkit.org/show_bug.cgi?id=155055
2819
2820         Reviewed by Filip Pizlo.
2821
2822         This patch introduces a few improvements on how we lower
2823         Compare and Test with immediates:
2824             -Add certain Immediate forms of ARM64.
2825             -Use CBZ/CBNZ when possible on ARM64.
2826             -When possible, convert a CMP into a TST
2827              On some hardware, we can issue more TST simultaneously.
2828
2829              On x86, any TST+Jump is candidate for macro-fusion.
2830              They are also smaller.
2831              (sections 3.4.2.2 and 3.5.1.9)
2832             -Do not load the mask immediate of a TST
2833              if it only contains ones (mostly useful for ARM64
2834              since that would not have been a valid immediate).
2835
2836         * assembler/MacroAssembler.h:
2837         (JSC::MacroAssembler::compare32):
2838         * assembler/MacroAssemblerARM64.h:
2839         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2840         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
2841         This is somewhat unrelated but I found that out while working
2842         on moveDoubleConditionallyTest32:
2843             If "thenCase" and "dest" are assigned the same register
2844             by the allocator, then the first (f)fcsel would override
2845             the "thenCase" and the second fcsel would always be "elseCase".
2846
2847         This is covered by testb3 but was only uncovered
2848         after recent "Move" removals in lowering.
2849
2850         (JSC::MacroAssemblerARM64::moveConditionally32):
2851         (JSC::MacroAssemblerARM64::moveConditionally64):
2852         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2853         (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
2854         (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
2855         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
2856         (JSC::MacroAssemblerARM64::branch32):
2857         (JSC::MacroAssemblerARM64::branch64):
2858         (JSC::MacroAssemblerARM64::branchTest32):
2859         (JSC::MacroAssemblerARM64::test32):
2860         The version taking an immediate was guarded by
2861         (cond == Zero) || (cond == NonZero). That is overzealous,
2862         and only needed for CBZ/CBNZ.
2863
2864         (JSC::MacroAssemblerARM64::branchTest64):
2865         (JSC::MacroAssemblerARM64::compare32):
2866         (JSC::MacroAssemblerARM64::compare64):
2867         (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
2868         * assembler/MacroAssemblerX86Common.h:
2869         (JSC::MacroAssemblerX86Common::moveConditionally32):
2870         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2871         (JSC::MacroAssemblerX86Common::branch32):
2872         (JSC::MacroAssemblerX86Common::test32):
2873         (JSC::MacroAssemblerX86Common::branchTest32):
2874         (JSC::MacroAssemblerX86Common::compare32):
2875         (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
2876         * assembler/MacroAssemblerX86_64.h:
2877         (JSC::MacroAssemblerX86_64::compare64):
2878         (JSC::MacroAssemblerX86_64::branch64):
2879         (JSC::MacroAssemblerX86_64::moveConditionally64):
2880         * b3/B3LowerToAir.cpp:
2881         (JSC::B3::Air::LowerToAir::createGenericCompare):
2882         Unfortunately this cannot be abstracted by the MacroAssembler.
2883         Those immediates are not valid, we have to pick the better
2884         for right away.
2885
2886         * b3/air/AirOpcode.opcodes:
2887         * b3/testb3.cpp:
2888         (JSC::B3::int64Operands):
2889         (JSC::B3::modelCompare):
2890         (JSC::B3::testCompareImpl):
2891         (JSC::B3::testCompare):
2892         (JSC::B3::b3Pow):
2893         (JSC::B3::testPowDoubleByIntegerLoop):
2894         Some versions of pow(double, int) do not return
2895         the exact same bits as our integer loop.
2896         Added a new version to have the same behavior
2897         as the B3 loop.
2898
2899         (JSC::B3::run):
2900         * dfg/DFGSpeculativeJIT.cpp:
2901         (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
2902         * dfg/DFGSpeculativeJIT64.cpp:
2903         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
2904         Comparing to an immediate is super common. Do not waste
2905         a register for that!
2906
2907 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
2908
2909         Unreviewed, fix build. This was a messed up merge.
2910
2911         * ftl/FTLLowerDFGToB3.cpp:
2912         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2913
2914 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
2915
2916         DFG should know how to speculate StringOrOther
2917         https://bugs.webkit.org/show_bug.cgi?id=155094
2918
2919         Reviewed by Saam Barati.
2920
2921         Any code that processes the regexp matches array was previously doing a relatively expensive
2922         Branch(Untyped:). This introduces a new use kind called StringOrOther, which is perfect for
2923         code that loops over the matches array and branches on the entries being non-empty.
2924
2925         To do this, I needed to introduce code into the FTL that creates new blocks. We still had that
2926         awful FTL_NEW_BLOCK idiom since the only way to debug LLVM IR was to ascribe names to basic
2927         blocks. B3 IR is inherently more debuggable since unlike LLVM, B3 knows how to always respect
2928         code origin, and it knows how to print the code origin nicely in the dumps. So, rather than
2929         continue using FTL_NEW_BLOCK(m_out, ("things")), I replaced all of that stuff with
2930         m_out.newBlock(). It's much nicer that way.
2931
2932         This is a tiny speed-up on Octane/regexp at best. I was hoping for more. Oh well.
2933
2934         * bytecode/SpeculatedType.h:
2935         (JSC::isStringSpeculation):
2936         (JSC::isStringOrOtherSpeculation):
2937         (JSC::isSymbolSpeculation):
2938         * dfg/DFGFixupPhase.cpp:
2939         (JSC::DFG::FixupPhase::fixupNode):
2940         * dfg/DFGNode.h:
2941         (JSC::DFG::Node::shouldSpeculateString):
2942         (JSC::DFG::Node::shouldSpeculateStringOrOther):
2943         (JSC::DFG::Node::shouldSpeculateStringObject):
2944         * dfg/DFGSafeToExecute.h:
2945         (JSC::DFG::SafeToExecuteEdge::operator()):
2946         * dfg/DFGSpeculativeJIT.cpp:
2947         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
2948         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2949         (JSC::DFG::SpeculativeJIT::emitStringBranch):
2950         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2951         (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
2952         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2953         (JSC::DFG::SpeculativeJIT::speculateString):
2954         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
2955         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
2956         (JSC::DFG::SpeculativeJIT::speculate):
2957         * dfg/DFGSpeculativeJIT.h:
2958         * dfg/DFGSpeculativeJIT32_64.cpp:
2959         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2960         (JSC::DFG::SpeculativeJIT::emitBranch):
2961         * dfg/DFGSpeculativeJIT64.cpp:
2962         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2963         (JSC::DFG::SpeculativeJIT::emitBranch):
2964         * dfg/DFGUseKind.cpp:
2965         (WTF::printInternal):
2966         * dfg/DFGUseKind.h:
2967         (JSC::DFG::typeFilterFor):
2968         * ftl/FTLCapabilities.cpp:
2969         (JSC::FTL::canCompile):
2970         * ftl/FTLLowerDFGToB3.cpp:
2971         (JSC::FTL::DFG::LowerDFGToB3::lower):
2972         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
2973         (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
2974         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
2975         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
2976         (JSC::FTL::DFG::LowerDFGToB3::compileArithDiv):
2977         (JSC::FTL::DFG::LowerDFGToB3::compileArithMod):
2978         (JSC::FTL::DFG::LowerDFGToB3::compileArithMinOrMax):
2979         (JSC::FTL::DFG::LowerDFGToB3::compileArithPow):
2980         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
2981         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructure):
2982         (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure):
2983         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2984         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2985         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
2986         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2987         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2988         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2989         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
2990         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
2991         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2992         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2993         (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest):
2994         (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
2995         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2996         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2997         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
2998         (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
2999         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3000         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3001         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
3002         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
3003         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
3004         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
3005         (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
3006         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3007         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
3008         (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
3009         (JSC::FTL::DFG::LowerDFGToB3::compileIsString):
3010         (JSC::FTL::DFG::LowerDFGToB3::compileIsObject):
3011         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
3012         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
3013         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
3014         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
3015         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
3016         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
3017         (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
3018         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
3019         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
3020         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
3021         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3022         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
3023         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
3024         (JSC::FTL::DFG::LowerDFGToB3::checkStructure):
3025         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
3026         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
3027         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3028         (JSC::FTL::DFG::LowerDFGToB3::loadVectorWithBarrier):
3029         (JSC::FTL::DFG::LowerDFGToB3::copyBarrier):
3030         (JSC::FTL::DFG::LowerDFGToB3::loadVectorReadOnly):
3031         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
3032         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
3033         (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
3034         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
3035         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
3036         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd):
3037         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3038         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3039         (JSC::FTL::DFG::LowerDFGToB3::boolify):
3040         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
3041         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
3042         (JSC::FTL::DFG::LowerDFGToB3::switchString):
3043         (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
3044         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
3045         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
3046         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
3047         (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToJSValue):
3048         (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
3049         (JSC::FTL::DFG::LowerDFGToB3::convertDoubleToInt32):
3050         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3051         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
3052         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
3053         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
3054         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
3055         (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent):
3056         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
3057         (JSC::FTL::DFG::LowerDFGToB3::speculateRealNumber):
3058         (JSC::FTL::DFG::LowerDFGToB3::speculateNotStringVar):
3059         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
3060         (JSC::FTL::DFG::LowerDFGToB3::callCheck):
3061         * ftl/FTLOutput.cpp:
3062         (JSC::FTL::Output::initialize):
3063         (JSC::FTL::Output::newBlock):
3064         (JSC::FTL::Output::check):
3065         * ftl/FTLOutput.h:
3066         (JSC::FTL::Output::setFrequency):
3067         (JSC::FTL::Output::insertNewBlocksBefore):
3068
3069 2016-03-06  Saam Barati  <sbarati@apple.com>
3070
3071         [[GetPrototypeOf]] should be a fully virtual method in the method table
3072         https://bugs.webkit.org/show_bug.cgi?id=155002
3073
3074         Reviewed by Filip Pizlo.
3075
3076         This patch makes us more consistent with how the ES6 specification models the
3077         [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
3078         is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
3079         still allows directly accessing the prototype for situations where this
3080         is the desired behavior. This is equivalent to getting the internal
3081         [[Prototype]] field as described in the specification. 
3082
3083         * API/JSObjectRef.cpp:
3084         (JSObjectGetPrototype):
3085         (JSObjectSetPrototype):
3086         * dfg/DFGOperations.cpp:
3087         * dfg/DFGOperations.h:
3088         * dfg/DFGSpeculativeJIT.cpp:
3089         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
3090         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
3091         * ftl/FTLLowerDFGToB3.cpp:
3092         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
3093         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
3094         * jit/JITOpcodes.cpp:
3095         (JSC::JIT::emit_op_instanceof):
3096         (JSC::JIT::emitSlow_op_instanceof):
3097         * jit/JITOpcodes32_64.cpp:
3098         (JSC::JIT::emit_op_instanceof):
3099         (JSC::JIT::emitSlow_op_instanceof):
3100         * jit/JITOperations.cpp:
3101         * jit/JITOperations.h:
3102         * jsc.cpp:
3103         (functionCreateProxy):
3104         * llint/LLIntSlowPaths.cpp:
3105         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3106         * llint/LowLevelInterpreter.asm:
3107         * llint/LowLevelInterpreter32_64.asm:
3108         * llint/LowLevelInterpreter64.asm:
3109         * runtime/ArrayPrototype.cpp:
3110         (JSC::speciesConstructArray):
3111         * runtime/ClassInfo.h:
3112         * runtime/FunctionPrototype.cpp:
3113         (JSC::functionProtoFuncBind):
3114         * runtime/IntlCollatorPrototype.cpp:
3115         (JSC::IntlCollatorPrototypeGetterCompare):
3116         * runtime/IntlDateTimeFormatPrototype.cpp:
3117         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
3118         * runtime/IntlNumberFormatPrototype.cpp:
3119         (JSC::IntlNumberFormatPrototypeGetterFormat):
3120         * runtime/JSBoundFunction.cpp:
3121         (JSC::hasInstanceBoundFunction):
3122         (JSC::getBoundFunctionStructure):
3123         (JSC::JSBoundFunction::create):
3124         * runtime/JSBoundFunction.h:
3125         * runtime/JSCJSValue.cpp:
3126         (JSC::JSValue::putToPrimitive):
3127         * runtime/JSCell.cpp:
3128         (JSC::JSCell::setPrototype):
3129         (JSC::JSCell::getPrototype):
3130         * runtime/JSCell.h:
3131         * runtime/JSGlobalObject.cpp:
3132         (JSC::JSGlobalObject::init):
3133         (JSC::JSGlobalObject::hasLegacyProfiler):
3134         (JSC::lastInPrototypeChain):
3135         (JSC::JSGlobalObject::objectPrototypeIsSane):
3136         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
3137         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
3138         * runtime/JSGlobalObject.h:
3139         (JSC::JSGlobalObject::finishCreation):
3140         * runtime/JSGlobalObjectFunctions.cpp:
3141         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
3142         (JSC::GlobalFuncProtoGetterFunctor::operator()):
3143         (JSC::globalFuncProtoGetter):
3144         * runtime/JSLexicalEnvironment.cpp:
3145         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
3146         * runtime/JSObject.cpp:
3147         (JSC::JSObject::calculatedClassName):
3148         (JSC::JSObject::putInlineSlow):
3149         (JSC::JSObject::setPrototypeWithCycleCheck):
3150         (JSC::JSObject::setPrototype):
3151         (JSC::JSObject::getPrototype):
3152         (JSC::JSObject::defaultHasInstance):
3153         (JSC::objectPrivateFuncInstanceOf):
3154         (JSC::JSObject::getPropertyNames):
3155         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
3156         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
3157         (JSC::JSObject::getGenericPropertyNames):
3158         * runtime/JSObject.h:
3159         (JSC::JSObject::finishCreation):
3160         (JSC::JSObject::JSObject):
3161         (JSC::JSObject::getPrototypeDirect):
3162         (JSC::JSObject::getPrototype):
3163         (JSC::JSObject::getOwnNonIndexPropertySlot):
3164         (JSC::JSObject::getPropertySlot):
3165         (JSC::JSObject::getNonIndexPropertySlot):
3166         (JSC::JSObject::prototype): Deleted.
3167         * runtime/JSObjectInlines.h:
3168         (JSC::JSObject::canPerformFastPutInline):
3169         * runtime/JSProxy.cpp:
3170         (JSC::JSProxy::setTarget):
3171         * runtime/JSTypedArrayViewConstructor.cpp:
3172         (JSC::constructTypedArrayView):
3173         * runtime/ObjectConstructor.cpp:
3174         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
3175         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
3176         (JSC::objectConstructorGetPrototypeOf):
3177         * runtime/ObjectPrototype.cpp:
3178         (JSC::objectProtoFuncIsPrototypeOf):
3179         * runtime/ProxyObject.cpp:
3180         (JSC::performProxyGet):
3181         (JSC::ProxyObject::performSetPrototype):
3182         * runtime/StructureInlines.h:
3183         (JSC::Structure::isValid):
3184         * tests/stress/proxy-has-property.js:
3185         (assert.let.h1.has):
3186         (assert.let.h2.has):
3187         (assert):
3188
3189 2016-03-06  Commit Queue  <commit-queue@webkit.org>
3190
3191         Unreviewed, rolling out r197645.
3192         https://bugs.webkit.org/show_bug.cgi?id=155097
3193
3194         "Doesn't build properly when building entire webkit"
3195         (Requested by saamyjoon on #webkit).
3196
3197         Reverted changeset:
3198
3199         "[[GetPrototypeOf]] should be a fully virtual method in the
3200         method table"
3201         https://bugs.webkit.org/show_bug.cgi?id=155002
3202         http://trac.webkit.org/changeset/197645
3203
3204 2016-03-06  Saam barati  <sbarati@apple.com>
3205
3206         [[GetPrototypeOf]] should be a fully virtual method in the method table
3207         https://bugs.webkit.org/show_bug.cgi?id=155002
3208
3209         Reviewed by Filip Pizlo.
3210
3211         This patch makes us more consistent with how the ES6 specification models the
3212         [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
3213         is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
3214         still allows directly accessing the prototype for situations where this
3215         is the desired behavior. This is equivalent to getting the internal
3216         [[Prototype]] field as described in the specification. 
3217
3218         * API/JSObjectRef.cpp:
3219         (JSObjectGetPrototype):
3220         (JSObjectSetPrototype):
3221         * dfg/DFGOperations.cpp:
3222         * dfg/DFGOperations.h:
3223         * dfg/DFGSpeculativeJIT.cpp:
3224         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
3225         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
3226         * ftl/FTLLowerDFGToB3.cpp:
3227         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
3228         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
3229         * jit/JITOpcodes.cpp:
3230         (JSC::JIT::emit_op_instanceof):
3231         (JSC::JIT::emitSlow_op_instanceof):
3232         * jit/JITOpcodes32_64.cpp:
3233         (JSC::JIT::emit_op_instanceof):
3234         (JSC::JIT::emitSlow_op_instanceof):
3235         * jit/JITOperations.cpp:
3236         * jit/JITOperations.h:
3237         * jsc.cpp:
3238         (functionCreateProxy):
3239         * llint/LLIntSlowPaths.cpp:
3240         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3241         * llint/LowLevelInterpreter.asm:
3242         * llint/LowLevelInterpreter32_64.asm:
3243         * llint/LowLevelInterpreter64.asm:
3244         * runtime/ArrayPrototype.cpp:
3245         (JSC::speciesConstructArray):
3246         * runtime/ClassInfo.h:
3247         * runtime/FunctionPrototype.cpp:
3248         (JSC::functionProtoFuncBind):
3249         * runtime/IntlCollatorPrototype.cpp:
3250         (JSC::IntlCollatorPrototypeGetterCompare):
3251         * runtime/IntlDateTimeFormatPrototype.cpp:
3252         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
3253         * runtime/IntlNumberFormatPrototype.cpp:
3254         (JSC::IntlNumberFormatPrototypeGetterFormat):
3255         * runtime/JSBoundFunction.cpp:
3256         (JSC::hasInstanceBoundFunction):
3257         (JSC::getBoundFunctionStructure):
3258         (JSC::JSBoundFunction::create):
3259         * runtime/JSBoundFunction.h:
3260         * runtime/JSCJSValue.cpp:
3261         (JSC::JSValue::putToPrimitive):
3262         * runtime/JSCell.cpp:
3263         (JSC::JSCell::setPrototype):
3264         (JSC::JSCell::getPrototype):
3265         * runtime/JSCell.h:
3266         * runtime/JSGlobalObject.cpp:
3267         (JSC::JSGlobalObject::init):
3268         (JSC::JSGlobalObject::hasLegacyProfiler):
3269         (JSC::lastInPrototypeChain):
3270         (JSC::JSGlobalObject::objectPrototypeIsSane):
3271         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
3272         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
3273         * runtime/JSGlobalObject.h:
3274         (JSC::JSGlobalObject::finishCreation):
3275         * runtime/JSGlobalObjectFunctions.cpp:
3276         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
3277         (JSC::GlobalFuncProtoGetterFunctor::operator()):
3278         (JSC::globalFuncProtoGetter):
3279         * runtime/JSLexicalEnvironment.cpp:
3280         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
3281         * runtime/JSObject.cpp:
3282         (JSC::JSObject::calculatedClassName):
3283         (JSC::JSObject::putInlineSlow):
3284         (JSC::JSObject::setPrototypeWithCycleCheck):
3285         (JSC::JSObject::setPrototype):
3286         (JSC::JSObject::getPrototype):
3287         (JSC::JSObject::defaultHasInstance):
3288         (JSC::objectPrivateFuncInstanceOf):
3289         (JSC::JSObject::getPropertyNames):
3290         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
3291         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
3292         (JSC::JSObject::getGenericPropertyNames):
3293         * runtime/JSObject.h:
3294         (JSC::JSObject::finishCreation):
3295         (JSC::JSObject::JSObject):
3296         (JSC::JSObject::getPrototypeDirect):
3297         (JSC::JSObject::getPrototype):
3298         (JSC::JSObject::getOwnNonIndexPropertySlot):
3299         (JSC::JSObject::getPropertySlot):
3300         (JSC::JSObject::getNonIndexPropertySlot):
3301         (JSC::JSObject::prototype): Deleted.
3302         * runtime/JSObjectInlines.h:
3303         (JSC::JSObject::canPerformFastPutInline):
3304         * runtime/JSProxy.cpp:
3305         (JSC::JSProxy::setTarget):
3306         * runtime/JSTypedArrayViewConstructor.cpp:
3307         (JSC::constructTypedArrayView):
3308         * runtime/ObjectConstructor.cpp:
3309         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
3310         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
3311         (JSC::objectConstructorGetPrototypeOf):
3312         * runtime/ObjectPrototype.cpp:
3313         (JSC::objectProtoFuncIsPrototypeOf):
3314         * runtime/ProxyObject.cpp:
3315         (JSC::performProxyGet):
3316         (JSC::ProxyObject::performSetPrototype):
3317         * runtime/StructureInlines.h:
3318         (JSC::Structure::isValid):
3319         * tests/stress/proxy-has-property.js:
3320         (assert.let.h1.has):
3321         (assert.let.h2.has):
3322         (assert):
3323
3324 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
3325
3326         RegExpMatchesArray doesn't know how to have a bad time
3327         https://bugs.webkit.org/show_bug.cgi?id=155069
3328
3329         Reviewed by Yusuke Suzuki.
3330
3331         In trunk if we are having a bad time, the regexp matches array is still allocated with a
3332         non-slow-put indexing shape, which makes it have the wrong behavior on indexed setters on
3333         the prototype chain.
3334
3335         Getting this to work right requires introducing bad time code paths into the regexp matches
3336         array. It also requires something more drastic: making this code not play games with the
3337         global object. The code that creates the matches array needs to have the actual global
3338         object of the regexp native function that it's logically created by.
3339
3340         This is totally different from how we've handled global objects in the past because it means
3341         that the global object is not a constant. Normally we can make it a constant because a
3342         script executable will know its global object. But with native functions, it's the function
3343         instance that knows the global object - not the native executable. When we inline a native
3344         intrinsic, we are guaranteed to know the native executable but we're not guaranteed to know
3345         the functon instance. This means that the global object may be a variable that gets computed
3346         by looking at the instance at run-time. So, the RegExpExec/RegExpTest nodes in DFG IR now
3347         take a global object child. That also meant adding a new node type, GetGlobalObject, which
3348         does the thing to the callee that CallFrame::lexicalGlobalObject() would have done.
3349