0c6c7689eef243d7e05b246f2dd148df84f21048
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-07-27  Mark Lam  <mark.lam@apple.com>
2
3         The second argument for Function.prototype.apply should be array-like or null/undefined.
4         https://bugs.webkit.org/show_bug.cgi?id=160212
5         <rdar://problem/27328525>
6
7         Reviewed by Filip Pizlo.
8
9         The spec for Function.prototype.apply says its second argument can only be null,
10         undefined, or must be array-like.  See
11         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
12         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
13
14         Our previous implementation was not handling this correctly for SymbolType.
15         This is now fixed.
16
17         * interpreter/Interpreter.cpp:
18         (JSC::sizeOfVarargs):
19         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
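
        The spec rule this entry cites, exercised from JavaScript as an added example (not WebKit's own code or its stress test): the second argument to Function.prototype.apply is accepted only when it is undefined, null, or an Object, and CreateListFromArrayLike throws a TypeError for any primitive, Symbols included. `collectArgs`, `applyOutcome`, `checkAll`, `specAgrees` and the sample inputs are all constructed for this example.

```javascript
// Added example, not WebKit code: exercises the ES2016 rule cited in the
// entry above (sec-function.prototype.apply / sec-createlistfromarraylike).
// The second argument must be undefined, null, or an Object; every other
// value, including a Symbol primitive, must raise a TypeError.

function collectArgs() {
  // Return the arguments actually received so callers can compare them.
  return Array.prototype.slice.call(arguments);
}

// Apply collectArgs with the given argArray and report what happened:
// { ok: true, args: [...] } or { ok: false, error: '<constructor name>' }.
function applyOutcome(argArray) {
  try {
    return { ok: true, args: collectArgs.apply(null, argArray) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Constructed inputs covering each branch of the spec: the two "no
// arguments" values, a real array, a plain array-like object, and the
// primitive types that must be rejected.
const SAMPLE_INPUTS = [
  ['undefined', undefined],
  ['null', null],
  ['array', [1, 2, 3]],
  ['array-like', { length: 2, 0: 'a', 1: 'b' }],
  ['symbol', Symbol('s')],
  ['number', 42],
  ['string', 'ab'],
  ['boolean', true],
];

// Run every sample and return a map from label to outcome.
function checkAll() {
  const results = {};
  for (const [label, value] of SAMPLE_INPUTS) {
    results[label] = applyOutcome(value);
  }
  return results;
}

// The spec predicate written out directly: accepted iff undefined, null,
// or an Object (objects and functions; typeof null is 'object' as well).
function isValidArgArray(value) {
  return value === undefined || value === null ||
    typeof value === 'object' || typeof value === 'function';
}

// True when the engine's behaviour agrees with isValidArgArray on every
// sample, i.e. it accepts exactly the values the spec allows.
function specAgrees() {
  return SAMPLE_INPUTS.every(([, value]) =>
    applyOutcome(value).ok === isValidArgArray(value));
}
```

        Running `checkAll()` on a conforming engine yields empty argument lists for undefined and null, the element lists for the array and the array-like object, and a TypeError for the symbol, number, string and boolean cases.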
20
21 2016-07-27  Saam Barati  <sbarati@apple.com>
22
23         MathICs should be able to emit only a jump along the inline path when they don't have any type data
24         https://bugs.webkit.org/show_bug.cgi?id=160110
25
26         Reviewed by Mark Lam.
27
28         This patch allows for MathIC fast-path generation to be delayed.
29         We delay when we don't see any observed type information for
30         the lhs/rhs operand, which implies that the MathIC has never
31         executed. This is profitable for two main reasons:
32         1. If the math operation never executes, we emit much less code.
33         2. Once we get type information for the lhs/rhs, we can emit better code.
34
35         To implement this, we just emit a jump to the slow path call
36         that will repatch on first execution.
37
38         New data for add:
39                    |   JetStream  |  Unity 3D  |
40              ------|--------------|------------|
41               Old  |   148 bytes  |  143 bytes |
42              ------|--------------|------------|
43               New  |   116 bytes  |  113 bytes |
44              ------------------------------------
45
46         New data for mul:
47                    |   JetStream  |  Unity 3D  |
48              ------|--------------|------------|
49               Old  |   210 bytes  |  185 bytes |
50              ------|--------------|------------|
51               New  |   170 bytes  |  137 bytes |
52              ------------------------------------
53
54         * jit/JITAddGenerator.cpp:
55         (JSC::JITAddGenerator::generateInline):
56         * jit/JITAddGenerator.h:
57         (JSC::JITAddGenerator::isLeftOperandValidConstant):
58         (JSC::JITAddGenerator::isRightOperandValidConstant):
59         (JSC::JITAddGenerator::arithProfile):
60         * jit/JITMathIC.h:
61         (JSC::JITMathIC::generateInline):
62         (JSC::JITMathIC::generateOutOfLine):
63         (JSC::JITMathIC::finalizeInlineCode):
64         * jit/JITMathICInlineResult.h:
65         * jit/JITMulGenerator.cpp:
66         (JSC::JITMulGenerator::generateInline):
67         * jit/JITMulGenerator.h:
68         (JSC::JITMulGenerator::isLeftOperandValidConstant):
69         (JSC::JITMulGenerator::isRightOperandValidConstant):
70         (JSC::JITMulGenerator::arithProfile):
71         * jit/JITOperations.cpp:
72
73 2016-07-26  Saam Barati  <sbarati@apple.com>
74
75         rollout r203666
76         https://bugs.webkit.org/show_bug.cgi?id=160226
77
78         Unreviewed rollout.
79
80         * b3/B3BasicBlock.h:
81         (JSC::B3::BasicBlock::successorBlock):
82         * b3/B3LowerToAir.cpp:
83         (JSC::B3::Air::LowerToAir::createGenericCompare):
84         * b3/B3LowerToAir.h:
85         * b3/air/AirArg.cpp:
86         (JSC::B3::Air::Arg::isRepresentableAs):
87         (JSC::B3::Air::Arg::usesTmp):
88         * b3/air/AirArg.h:
89         (JSC::B3::Air::Arg::isRepresentableAs):
90         (JSC::B3::Air::Arg::asNumber):
91         (JSC::B3::Air::Arg::castToType): Deleted.
92         * b3/air/AirCode.h:
93         (JSC::B3::Air::Code::size):
94         (JSC::B3::Air::Code::at):
95         * b3/air/AirOpcode.opcodes:
96         * b3/air/AirValidate.h:
97         * b3/air/opcode_generator.rb:
98         * b3/testb3.cpp:
99         (JSC::B3::compileAndRun):
100         (JSC::B3::testSomeEarlyRegister):
101         (JSC::B3::zero):
102         (JSC::B3::run):
103         (JSC::B3::lowerToAirForTesting): Deleted.
104         (JSC::B3::testBranchBitAndImmFusion): Deleted.
105
106 2016-07-26  Caitlin Potter  <caitp@igalia.com>
107
108         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
109         https://bugs.webkit.org/show_bug.cgi?id=159409
110
111         Reviewed by Geoffrey Garen.
112
113         * runtime/ObjectConstructor.cpp:
114         (JSC::objectConstructorGetOwnPropertyDescriptors):
115         * tests/es6.yaml:
116         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
117         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
118         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
119         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
120         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
121
122 2016-07-26  Mark Lam  <mark.lam@apple.com>
123
124         Remove unused DEBUG_WITH_BREAKPOINT configuration.
125         https://bugs.webkit.org/show_bug.cgi?id=160203
126
127         Reviewed by Keith Miller.
128
129         * bytecompiler/BytecodeGenerator.cpp:
130         (JSC::BytecodeGenerator::emitDebugHook):
131
132 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
133
134         Unreviewed, rolling out r203703.
135
136         It breaks some internal tests
137
138         Reverted changeset:
139
140         "[JSC] DFG::Node should not have its own allocator"
141         https://bugs.webkit.org/show_bug.cgi?id=160098
142         http://trac.webkit.org/changeset/203703
143
144 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
145
146         [JSC] DFG::Node should not have its own allocator
147         https://bugs.webkit.org/show_bug.cgi?id=160098
148
149         Reviewed by Geoffrey Garen.
150
151         We need some design changes for DFG::Node:
152         - Accessing the index must be fast. B3 uses indices for sets
153           and maps; it is a lot faster than hashing pointers.
154         - We should be able to subclass DFG::Node to specialize it.
155
156         * CMakeLists.txt:
157         * JavaScriptCore.xcodeproj/project.pbxproj:
158         * dfg/DFGAllocator.h: Removed.
159         (JSC::DFG::Allocator::Region::size): Deleted.
160         (JSC::DFG::Allocator::Region::headerSize): Deleted.
161         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
162         (JSC::DFG::Allocator::Region::data): Deleted.
163         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
164         (JSC::DFG::Allocator::Region::regionFor): Deleted.
165         (JSC::DFG::Allocator<T>::Allocator): Deleted.
166         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
167         (JSC::DFG::Allocator<T>::allocate): Deleted.
168         (JSC::DFG::Allocator<T>::free): Deleted.
169         (JSC::DFG::Allocator<T>::freeAll): Deleted.
170         (JSC::DFG::Allocator<T>::reset): Deleted.
171         (JSC::DFG::Allocator<T>::indexOf): Deleted.
172         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
173         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
174         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
175         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
176         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
177         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
178         * dfg/DFGByteCodeParser.cpp:
179         (JSC::DFG::ByteCodeParser::addToGraph):
180         * dfg/DFGCPSRethreadingPhase.cpp:
181         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
182         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
183         * dfg/DFGCleanUpPhase.cpp:
184         (JSC::DFG::CleanUpPhase::run):
185         * dfg/DFGConstantFoldingPhase.cpp:
186         (JSC::DFG::ConstantFoldingPhase::run):
187         * dfg/DFGConstantHoistingPhase.cpp:
188         * dfg/DFGDCEPhase.cpp:
189         (JSC::DFG::DCEPhase::fixupBlock):
190         * dfg/DFGDriver.cpp:
191         (JSC::DFG::compileImpl):
192         * dfg/DFGGraph.cpp:
193         (JSC::DFG::Graph::Graph):
194         (JSC::DFG::Graph::deleteNode):
195         (JSC::DFG::Graph::killBlockAndItsContents):
196         (JSC::DFG::Graph::~Graph): Deleted.
197         * dfg/DFGGraph.h:
198         (JSC::DFG::Graph::addNode):
199         * dfg/DFGLICMPhase.cpp:
200         (JSC::DFG::LICMPhase::attemptHoist):
201         * dfg/DFGLongLivedState.cpp: Removed.
202         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
203         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
204         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
205         * dfg/DFGLongLivedState.h: Removed.
206         * dfg/DFGNode.cpp:
207         (JSC::DFG::Node::index): Deleted.
208         * dfg/DFGNode.h:
209         (JSC::DFG::Node::index):
210         * dfg/DFGNodeAllocator.h: Removed.
211         (operator new ): Deleted.
212         * dfg/DFGObjectAllocationSinkingPhase.cpp:
213         * dfg/DFGPlan.cpp:
214         (JSC::DFG::Plan::compileInThread):
215         (JSC::DFG::Plan::compileInThreadImpl):
216         * dfg/DFGPlan.h:
217         * dfg/DFGSSAConversionPhase.cpp:
218         (JSC::DFG::SSAConversionPhase::run):
219         * dfg/DFGWorklist.cpp:
220         (JSC::DFG::Worklist::runThread):
221         * runtime/VM.cpp:
222         (JSC::VM::VM): Deleted.
223         * runtime/VM.h:
224
225 2016-07-25  Filip Pizlo  <fpizlo@apple.com>
226
227         AssemblyHelpers should own all of the cell allocation methods
228         https://bugs.webkit.org/show_bug.cgi?id=160171
229
230         Reviewed by Saam Barati.
231         
232         Prior to this change we had some code in DFGSpeculativeJIT.h and some code in JIT.h that
233         did cell allocation.
234         
235         This change moves all of that code into AssemblyHelpers.h.
236
237         * dfg/DFGSpeculativeJIT.h:
238         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
239         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
240         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
241         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
242         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
243         * jit/AssemblyHelpers.h:
244         (JSC::AssemblyHelpers::emitAllocate):
245         (JSC::AssemblyHelpers::emitAllocateJSCell):
246         (JSC::AssemblyHelpers::emitAllocateJSObject):
247         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
248         (JSC::AssemblyHelpers::emitAllocateVariableSized):
249         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
250         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
251         * jit/JIT.h:
252         * jit/JITInlines.h:
253         (JSC::JIT::isOperandConstantChar):
254         (JSC::JIT::emitValueProfilingSite):
255         (JSC::JIT::emitAllocateJSObject): Deleted.
256         * jit/JITOpcodes.cpp:
257         (JSC::JIT::emit_op_new_object):
258         (JSC::JIT::emit_op_create_this):
259         * jit/JITOpcodes32_64.cpp:
260         (JSC::JIT::emit_op_new_object):
261         (JSC::JIT::emit_op_create_this):
262
263 2016-07-25  Saam Barati  <sbarati@apple.com>
264
265         MathICs should be able to take and dump stats about code size
266         https://bugs.webkit.org/show_bug.cgi?id=160148
267
268         Reviewed by Filip Pizlo.
269
270         This will make testing changes on MathIC going forward much easier.
271         We will be able to easily see if modifications to MathIC will lead
272         to us generating smaller code. We now only dump average size when we
273         regenerate any MathIC. This works out for large tests/pages, but is not
274         great for testing small programs. We can add more dump points later if
275         we find that we want to dump stats while running small programs.
276
277         * bytecode/CodeBlock.cpp:
278         (JSC::CodeBlock::jitSoon):
279         (JSC::CodeBlock::dumpMathICStats):
280         * bytecode/CodeBlock.h:
281         (JSC::CodeBlock::isStrictMode):
282         (JSC::CodeBlock::ecmaMode):
283         * dfg/DFGSpeculativeJIT.cpp:
284         (JSC::DFG::SpeculativeJIT::compileMathIC):
285         * ftl/FTLLowerDFGToB3.cpp:
286         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
287         * jit/JITArithmetic.cpp:
288         (JSC::JIT::emitMathICFast):
289         (JSC::JIT::emitMathICSlow):
290         * jit/JITMathIC.h:
291         (JSC::JITMathIC::finalizeInlineCode):
292         (JSC::JITMathIC::codeSize):
293         * jit/JITOperations.cpp:
294
295 2016-07-25  Saam Barati  <sbarati@apple.com>
296
297         op_mul/ArithMul(Untyped,Untyped) should be an IC
298         https://bugs.webkit.org/show_bug.cgi?id=160108
299
300         Reviewed by Mark Lam.
301
302         This patch makes Mul a type based IC in much the same way that we made
303         Add a type-based IC. I implemented Mul in the same way. I abstracted the
304         implementation of the Add IC in the various JITs to allow for it to
305         work over arbitrary IC snippets. This will make adding Div/Sub/Pow in the
306         future easy. This patch also adds a new boolean argument to the various
307         snippet generateFastPath() methods to indicate if we should emit result profiling.
308         I added this because we want this profiling to be emitted for Mul in
309         the baseline, but not in the DFG. We used to indicate this through passing
310         in a nullptr for the ArithProfile, but we no longer do that in the upper
311         JIT tiers. So we are passing an explicit request from the JIT tier about
312         whether or not it's worth it for the IC to emit profiling.
313
314         We now emit much less code for Mul. Here is some data on the average
315         Mul snippet/IC size:
316
317                    |   JetStream  |  Unity 3D  |
318              ------|--------------|------------|
319               Old  |  ~280 bytes  | ~280 bytes |
320              ------|--------------|------------|
321               New  |   210 bytes  |  185 bytes |
322              ------------------------------------
323
324         * bytecode/CodeBlock.cpp:
325         (JSC::CodeBlock::addJITAddIC):
326         (JSC::CodeBlock::addJITMulIC):
327         (JSC::CodeBlock::findStubInfo):
328         * bytecode/CodeBlock.h:
329         (JSC::CodeBlock::stubInfoBegin):
330         (JSC::CodeBlock::stubInfoEnd):
331         * dfg/DFGSpeculativeJIT.cpp:
332         (JSC::DFG::GPRTemporary::adopt):
333         (JSC::DFG::FPRTemporary::FPRTemporary):
334         (JSC::DFG::SpeculativeJIT::compileValueAdd):
335         (JSC::DFG::SpeculativeJIT::compileMathIC):
336         (JSC::DFG::SpeculativeJIT::compileArithMul):
337         * dfg/DFGSpeculativeJIT.h:
338         (JSC::DFG::SpeculativeJIT::callOperation):
339         (JSC::DFG::GPRTemporary::GPRTemporary):
340         (JSC::DFG::GPRTemporary::operator=):
341         (JSC::DFG::FPRTemporary::~FPRTemporary):
342         (JSC::DFG::FPRTemporary::fpr):
343         * ftl/FTLLowerDFGToB3.cpp:
344         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
345         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
346         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
347         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
348         * jit/JIT.h:
349         (JSC::JIT::getSlowCase):
350         * jit/JITAddGenerator.cpp:
351         (JSC::JITAddGenerator::generateInline):
352         (JSC::JITAddGenerator::generateFastPath):
353         * jit/JITAddGenerator.h:
354         (JSC::JITAddGenerator::JITAddGenerator):
355         (JSC::JITAddGenerator::isLeftOperandValidConstant):
356         (JSC::JITAddGenerator::isRightOperandValidConstant):
357         * jit/JITArithmetic.cpp:
358         (JSC::JIT::emit_op_add):
359         (JSC::JIT::emitSlow_op_add):
360         (JSC::JIT::emitMathICFast):
361         (JSC::JIT::emitMathICSlow):
362         (JSC::JIT::emit_op_mul):
363         (JSC::JIT::emitSlow_op_mul):
364         (JSC::JIT::emit_op_sub):
365         * jit/JITInlines.h:
366         (JSC::JIT::callOperation):
367         * jit/JITMathIC.h:
368         (JSC::JITMathIC::slowPathStartLocation):
369         (JSC::JITMathIC::slowPathCallLocation):
370         (JSC::JITMathIC::isLeftOperandValidConstant):
371         (JSC::JITMathIC::isRightOperandValidConstant):
372         (JSC::JITMathIC::generateInline):
373         (JSC::JITMathIC::generateOutOfLine):
374         * jit/JITMathICForwards.h:
375         * jit/JITMulGenerator.cpp:
376         (JSC::JITMulGenerator::generateInline):
377         (JSC::JITMulGenerator::generateFastPath):
378         * jit/JITMulGenerator.h:
379         (JSC::JITMulGenerator::JITMulGenerator):
380         (JSC::JITMulGenerator::isLeftOperandValidConstant):
381         (JSC::JITMulGenerator::isRightOperandValidConstant):
382         (JSC::JITMulGenerator::didEmitFastPath): Deleted.
383         (JSC::JITMulGenerator::endJumpList): Deleted.
384         (JSC::JITMulGenerator::slowPathJumpList): Deleted.
385         * jit/JITOperations.cpp:
386         * jit/JITOperations.h:
387
388 2016-07-25  Darin Adler  <darin@apple.com>
389
390         Speed up make process slightly by improving "list of files" idiom
391         https://bugs.webkit.org/show_bug.cgi?id=160164
392
393         Reviewed by Mark Lam.
394
395         * DerivedSources.make: Change rules that build lists of files to only run when
396         DerivedSources.make has been modified since the last time they were run. Since the
397         lists of files are inside this file, this is safe, and this is faster than always
398         comparing and regenerating the file containing the list of files each time.
399
400 2016-07-24  Youenn Fablet  <youenn@apple.com>
401
402         [Fetch API] Request should be created with any HeadersInit data
403         https://bugs.webkit.org/show_bug.cgi?id=159672
404
405         Reviewed by Sam Weinig.
406
407         * Scripts/builtins/builtins_generator.py:
408         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
409
410 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
411
412         B3 should support multiple entrypoints
413         https://bugs.webkit.org/show_bug.cgi?id=159391
414
415         Reviewed by Saam Barati.
416         
417         This teaches B3 how to compile procedures with multiple entrypoints in the best way ever.
418         
419         Multiple entrypoints are useful. We could use them to reduce the cost of compiling OSR
420         entrypoints. We could use them to implement better try/catch.
421         
422         Multiple entrypoints are hard to support. All of the code that assumed that the root block
423         is the entrypoint would have to be changed. Transformations like moveConstants() would have
424         to do crazy things if the existence of multiple entrypoints prevented it from finding a
425         single common dominator.
426         
427         Therefore, we want to add multiple entrypoints without actually teaching the compiler that
428         there is such a thing. That's sort of what this change does.
429         
430         This adds a new opcode to both B3 and Air called EntrySwitch. It's a terminal that takes
431         one or more successors and no value children. The number of successors must match
432         Procedure::numEntrypoints(), which could be arbitrarily large. The semantics of EntrySwitch
433         are:
434         
435         - Each of the entrypoints sets a hidden Entry variable to that entrypoint's index and jumps
436           to the procedure's root block.
437         
438         - An EntrySwitch is a switch statement over this hidden Entry variable.
439         
440         The way that we actually implement this is that Air has a very late phase - after all
441         register and stack layout - that clones all code where the Entry variable is live; i.e. all
442         code in the closure over predecessors of all blocks that do EntrySwitch.
443         
444         Usually, you would use this by creating an EntrySwitch in the root block, but you don't
445         have to do that. Just remember that the code before EntrySwitch gets cloned for each
446         entrypoint. We allow cloning of an arbitrarily large amount of code because restricting it,
447         and so restricting the placement of EntrySwitches, would be inelegant. It would be hard to
448         preserve this invariant. For example we wouldn't be able to lower any value before an
449         EntrySwitch to a control flow diamond.
450         
451         This patch gives us an easy-to-use way to use B3 to compile code with multiple entrypoints.
452         Inside the compiler, only code that runs very late in Air has to know about this feature.
453         We get the best of both worlds!
454         
455         Also, I finally got rid of the requirement that you explicitly cast BasicBlock* to
456         FrequentedBlock. I can no longer remember why I thought that was a good idea. Removing it
457         doesn't cause any problems and it makes code easier to write.
458
459         * CMakeLists.txt:
460         * JavaScriptCore.xcodeproj/project.pbxproj:
461         * b3/B3BasicBlockUtils.h:
462         (JSC::B3::updatePredecessorsAfter):
463         (JSC::B3::clearPredecessors):
464         (JSC::B3::recomputePredecessors):
465         * b3/B3FrequencyClass.h:
466         (JSC::B3::maxFrequency):
467         * b3/B3Generate.h:
468         * b3/B3LowerToAir.cpp:
469         (JSC::B3::Air::LowerToAir::lower):
470         * b3/B3MoveConstants.cpp:
471         * b3/B3Opcode.cpp:
472         (WTF::printInternal):
473         * b3/B3Opcode.h:
474         * b3/B3Procedure.cpp:
475         (JSC::B3::Procedure::isFastConstant):
476         (JSC::B3::Procedure::entrypointLabel):
477         (JSC::B3::Procedure::addDataSection):
478         * b3/B3Procedure.h:
479         (JSC::B3::Procedure::numEntrypoints):
480         (JSC::B3::Procedure::setNumEntrypoints):
481         (JSC::B3::Procedure::setLastPhaseName):
482         * b3/B3Validate.cpp:
483         * b3/B3Value.cpp:
484         (JSC::B3::Value::effects):
485         (JSC::B3::Value::typeFor):
486         * b3/B3Value.h:
487         * b3/air/AirCode.cpp:
488         (JSC::B3::Air::Code::cCallSpecial):
489         (JSC::B3::Air::Code::isEntrypoint):
490         (JSC::B3::Air::Code::resetReachability):
491         (JSC::B3::Air::Code::dump):
492         * b3/air/AirCode.h:
493         (JSC::B3::Air::Code::setFrameSize):
494         (JSC::B3::Air::Code::numEntrypoints):
495         (JSC::B3::Air::Code::entrypoints):
496         (JSC::B3::Air::Code::entrypoint):
497         (JSC::B3::Air::Code::setEntrypoints):
498         (JSC::B3::Air::Code::entrypointLabel):
499         (JSC::B3::Air::Code::setEntrypointLabels):
500         (JSC::B3::Air::Code::calleeSaveRegisters):
501         * b3/air/AirCustom.h:
502         (JSC::B3::Air::PatchCustom::isTerminal):
503         (JSC::B3::Air::PatchCustom::hasNonArgEffects):
504         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
505         (JSC::B3::Air::PatchCustom::generate):
506         (JSC::B3::Air::CommonCustomBase::hasNonArgEffects):
507         (JSC::B3::Air::CCallCustom::forEachArg):
508         (JSC::B3::Air::ColdCCallCustom::forEachArg):
509         (JSC::B3::Air::ShuffleCustom::forEachArg):
510         (JSC::B3::Air::EntrySwitchCustom::forEachArg):
511         (JSC::B3::Air::EntrySwitchCustom::isValidFormStatic):
512         (JSC::B3::Air::EntrySwitchCustom::isValidForm):
513         (JSC::B3::Air::EntrySwitchCustom::admitsStack):
514         (JSC::B3::Air::EntrySwitchCustom::isTerminal):
515         (JSC::B3::Air::EntrySwitchCustom::hasNonArgNonControlEffects):
516         (JSC::B3::Air::EntrySwitchCustom::generate):
517         * b3/air/AirGenerate.cpp:
518         (JSC::B3::Air::prepareForGeneration):
519         (JSC::B3::Air::generate):
520         * b3/air/AirLowerEntrySwitch.cpp: Added.
521         (JSC::B3::Air::lowerEntrySwitch):
522         * b3/air/AirLowerEntrySwitch.h: Added.
523         * b3/air/AirOpcode.opcodes:
524         * b3/air/AirOptimizeBlockOrder.cpp:
525         (JSC::B3::Air::blocksInOptimizedOrder):
526         * b3/air/AirSpecial.cpp:
527         (JSC::B3::Air::Special::isTerminal):
528         (JSC::B3::Air::Special::hasNonArgEffects):
529         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
530         * b3/air/AirSpecial.h:
531         * b3/air/AirValidate.cpp:
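
        A toy model of the late Air phase this entry describes, added here as an example (not B3's own code): blocks are plain records, `entrySwitchRegion` computes the closure over predecessors of every block that ends in EntrySwitch, and `lowerEntrySwitch` clones that region once per entrypoint, turning copy i's EntrySwitch into a Jump to successor i while leaving blocks outside the region shared. The block representation, the `name#i` clone naming and the `sampleCfg` control-flow graph are assumptions of this example.

```javascript
// Added example, not B3/Air code: lowering EntrySwitch by cloning the region
// in which the hidden Entry variable is live. A CFG is a Map from block name
// to { insts: [...], succs: [...] }; the last instruction is the terminal.

function computePredecessors(cfg) {
  const preds = new Map([...cfg.keys()].map((n) => [n, []]));
  for (const [name, block] of cfg) {
    for (const s of block.succs) {
      if (!preds.has(s)) throw new Error(`${name} jumps to unknown block ${s}`);
      preds.get(s).push(name);
    }
  }
  return preds;
}

const terminalOf = (block) => block.insts[block.insts.length - 1];

// Closure over predecessors of all EntrySwitch blocks: every block that can
// reach an EntrySwitch still depends on which entrypoint was taken.
function entrySwitchRegion(cfg) {
  const preds = computePredecessors(cfg);
  const region = new Set();
  const worklist = [...cfg]
    .filter(([, b]) => terminalOf(b) === 'EntrySwitch')
    .map(([name]) => name);
  while (worklist.length) {
    const b = worklist.pop();
    if (region.has(b)) continue;
    region.add(b);
    worklist.push(...preds.get(b));
  }
  return region;
}

// Produce numEntrypoints copies of the region. In copy i an EntrySwitch
// becomes a Jump to its i-th successor; edges into the region are retargeted
// to copy i; blocks outside the region are emitted once and shared.
function lowerEntrySwitch(cfg, root, numEntrypoints) {
  for (const [name, b] of cfg) {
    if (terminalOf(b) === 'EntrySwitch' && b.succs.length !== numEntrypoints) {
      throw new Error(`EntrySwitch in ${name} has ${b.succs.length} successors, expected ${numEntrypoints}`);
    }
  }
  const region = entrySwitchRegion(cfg);
  const cloneName = (name, i) => (region.has(name) ? `${name}#${i}` : name);
  const blocks = new Map();
  for (const [name, b] of cfg) {
    if (!region.has(name)) blocks.set(name, { insts: [...b.insts], succs: [...b.succs] });
  }
  for (let i = 0; i < numEntrypoints; i++) {
    for (const name of region) {
      const b = cfg.get(name);
      const insts = [...b.insts];
      let succs;
      if (terminalOf(b) === 'EntrySwitch') {
        insts[insts.length - 1] = 'Jump';
        succs = [cloneName(b.succs[i], i)];
      } else {
        succs = b.succs.map((s) => cloneName(s, i));
      }
      blocks.set(cloneName(name, i), { insts, succs });
    }
  }
  const entrypoints = Array.from({ length: numEntrypoints }, (_, i) => cloneName(root, i));
  return { entrypoints, blocks };
}

// Constructed sample: the EntrySwitch is not in the root block, so both the
// root and the switch block are cloned; A, B and Exit stay shared.
function sampleCfg() {
  return new Map([
    ['root', { insts: ['Setup', 'Jump'], succs: ['Sw'] }],
    ['Sw', { insts: ['EntrySwitch'], succs: ['A', 'B'] }],
    ['A', { insts: ['Work', 'Jump'], succs: ['Exit'] }],
    ['B', { insts: ['Work', 'Jump'], succs: ['Exit'] }],
    ['Exit', { insts: ['Return'], succs: [] }],
  ]);
}
```

        For `sampleCfg()` with two entrypoints the result has entry labels `root#0` and `root#1`, each leading to its own `Sw#i` whose terminal is now a plain Jump to A or B respectively; the three blocks after the switch are not duplicated, which is the "clone only what is live" property the entry relies on.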
532         * b3/air/opcode_generator.rb:
533         * b3/testb3.cpp:
534
535 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
536
537         Unreviewed, fix broken test. I don't know why I goofed this up without seeing it before landing.
538
539         * b3/air/AirOpcode.opcodes:
540         * b3/testb3.cpp:
541         (JSC::B3::run):
542
543 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
544
545         [B3] Fusing immediates into test instructions should work again
546         https://bugs.webkit.org/show_bug.cgi?id=160073
547
548         Reviewed by Sam Weinig.
549
550         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
551         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
552         was still using Imm!  This meant that isValidForm() always returned false.
553         
554         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
555         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
556         with the scratch register).
557         
558         This is not an obvious progression on anything, so I added comprehensive tests to
559         testb3, which check that we selected the optimal instruction in a variety of situations.
560         We should add more tests like this!
561
562         * b3/B3BasicBlock.h:
563         (JSC::B3::BasicBlock::successorBlock):
564         * b3/B3LowerToAir.cpp:
565         (JSC::B3::Air::LowerToAir::createGenericCompare):
566         * b3/B3LowerToAir.h:
567         * b3/air/AirArg.cpp:
568         (JSC::B3::Air::Arg::isRepresentableAs):
569         (JSC::B3::Air::Arg::usesTmp):
570         * b3/air/AirArg.h:
571         (JSC::B3::Air::Arg::isRepresentableAs):
572         (JSC::B3::Air::Arg::castToType):
573         (JSC::B3::Air::Arg::asNumber):
574         * b3/air/AirCode.h:
575         (JSC::B3::Air::Code::size):
576         (JSC::B3::Air::Code::at):
577         * b3/air/AirOpcode.opcodes:
578         * b3/air/AirValidate.h:
579         * b3/air/opcode_generator.rb:
580         * b3/testb3.cpp:
581         (JSC::B3::compile):
582         (JSC::B3::compileAndRun):
583         (JSC::B3::lowerToAirForTesting):
584         (JSC::B3::testSomeEarlyRegister):
585         (JSC::B3::testBranchBitAndImmFusion):
586         (JSC::B3::zero):
587         (JSC::B3::run):
588
589 2016-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
590
591         Unreviewed, update the exponentiation expression error message
592         https://bugs.webkit.org/show_bug.cgi?id=159969
593
594         Follow up patch for r203499.
595
596         * parser/Parser.cpp:
597         (JSC::Parser<LexerType>::parseBinaryExpression):
598         * tests/stress/pow-expects-update-expression-on-lhs.js:
599         (throw.new.Error):
600
601 2016-07-24  Darin Adler  <darin@apple.com>
602
603         Adding a new WebCore JavaScript built-in source file does not trigger rebuild of WebCoreJSBuiltins*
604         https://bugs.webkit.org/show_bug.cgi?id=160115
605
606         Reviewed by Youenn Fablet.
607
608         * make-generated-sources.sh: Removed. Was unused.
609
610 2016-07-23  Commit Queue  <commit-queue@webkit.org>
611
612         Unreviewed, rolling out r203641.
613         https://bugs.webkit.org/show_bug.cgi?id=160116
614
615         It broke make-based builds (Requested by youenn on #webkit).
616
617         Reverted changeset:
618
619         "[Fetch API] Request should be created with any HeadersInit
620         data"
621         https://bugs.webkit.org/show_bug.cgi?id=159672
622         http://trac.webkit.org/changeset/203641
623
624 2016-07-23  Youenn Fablet  <youenn@apple.com>
625
626         [Fetch API] Request should be created with any HeadersInit data
627         https://bugs.webkit.org/show_bug.cgi?id=159672
628
629         Reviewed by Sam Weinig.
630
631         * Scripts/builtins/builtins_generator.py:
632         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
633
634 2016-07-21  Filip Pizlo  <fpizlo@apple.com>
635
636         Teach MarkedSpace how to allocate auxiliary storage
637         https://bugs.webkit.org/show_bug.cgi?id=160053
638
639         Reviewed by Sam Weinig.
640         
641         Previously, we had two kinds of subspaces in MarkedSpace: destructor and non-destructor. This
642         was described using "bool needsDestruction" that would get passed around. We'd iterate over
643         these spaces using duplicated code - one loop for destructors and one for non-destructors, or
644         a single loop that does one thing for destructors and one for non-destructors.
645         
646         But now we want a third subspace: non-destructor non-JSCell, aka Auxiliary.
647         
648         So, this changes all of the reflection and iteration over subspaces to use functors, so that
649         the looping is written once and reused. Most places don't even have to know that there is a
650         third subspace; they just know that they must do things for each subspace, for each
651         allocator, or for each block - and the functor magic handles it for you.
652         
653         To make this somewhat nice, this change also fixes how we describe subspaces. Instead of a
654         bool, we now have AllocatorAttributes, which is a struct. If we ever add more subspaces, we
655         can add fields to AllocatorAttributes to describe how those subspaces differ. For now it just
656         contains two properties: a DestructionMode and a HeapCell::Kind. The DestructionMode
657         replaces bool needsDestruction. I deliberately used a non-class enum to avoid tautologies.
658         DestructionMode has two members: NeedsDestruction and DoesNotNeedDestruction. I almost went
659         with DestructionMode::Needed and DestructionMode::NotNeeded, but I felt like that involves
660         more typing and doesn't actually avoid any kind of namespace issues.
661         
662         This is intended to have no behavior change other than the addition of a totally unused
663         space, which should always be empty. So hopefully it doesn't cost anything.
664
665         * CMakeLists.txt:
666         * JavaScriptCore.xcodeproj/project.pbxproj:
667         * heap/AllocatorAttributes.cpp: Added.
668         (JSC::AllocatorAttributes::dump):
669         * heap/AllocatorAttributes.h: Added.
670         (JSC::AllocatorAttributes::AllocatorAttributes):
671         * heap/DestructionMode.cpp: Added.
672         (WTF::printInternal):
673         * heap/DestructionMode.h: Added.
674         * heap/Heap.h:
675         * heap/MarkedAllocator.cpp:
676         (JSC::MarkedAllocator::allocateBlock):
677         (JSC::MarkedAllocator::addBlock):
678         * heap/MarkedAllocator.h:
679         (JSC::MarkedAllocator::cellSize):
680         (JSC::MarkedAllocator::attributes):
681         (JSC::MarkedAllocator::needsDestruction):
682         (JSC::MarkedAllocator::destruction):
683         (JSC::MarkedAllocator::cellKind):
684         (JSC::MarkedAllocator::heap):
685         (JSC::MarkedAllocator::takeLastActiveBlock):
686         (JSC::MarkedAllocator::MarkedAllocator):
687         (JSC::MarkedAllocator::init):
688         (JSC::MarkedAllocator::allocate):
689         * heap/MarkedBlock.cpp:
690         (JSC::MarkedBlock::create):
691         (JSC::MarkedBlock::destroy):
692         (JSC::MarkedBlock::MarkedBlock):
693         (JSC::MarkedBlock::callDestructor):
694         (JSC::MarkedBlock::sweep):
695         (JSC::MarkedBlock::stopAllocating):
696         (JSC::MarkedBlock::didRetireBlock):
697         * heap/MarkedBlock.h:
698         (JSC::MarkedBlock::cellSize):
699         (JSC::MarkedBlock::attributes):
700         (JSC::MarkedBlock::needsDestruction):
701         (JSC::MarkedBlock::destruction):
702         (JSC::MarkedBlock::cellKind):
703         (JSC::MarkedBlock::size):
704         (JSC::MarkedBlock::forEachCell):
705         (JSC::MarkedBlock::forEachLiveCell):
706         (JSC::MarkedBlock::forEachDeadCell):
707         * heap/MarkedSpace.cpp:
708         (JSC::MarkedSpace::MarkedSpace):
709         (JSC::MarkedSpace::~MarkedSpace):
710         (JSC::MarkedSpace::lastChanceToFinalize):
711         (JSC::MarkedSpace::resetAllocators):
712         (JSC::MarkedSpace::forEachAllocator):
713         (JSC::MarkedSpace::stopAllocating):
714         (JSC::MarkedSpace::resumeAllocating):
715         (JSC::MarkedSpace::isPagedOut):
716         (JSC::MarkedSpace::freeBlock):
717         (JSC::MarkedSpace::shrink):
718         (JSC::MarkedSpace::clearNewlyAllocated):
719         (JSC::clearNewlyAllocatedInBlock): Deleted.
720         * heap/MarkedSpace.h:
721         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
722         (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
723         (JSC::MarkedSpace::subspaceForAuxiliaryData):
724         (JSC::MarkedSpace::allocatorFor):
725         (JSC::MarkedSpace::destructorAllocatorFor):
726         (JSC::MarkedSpace::auxiliaryAllocatorFor):
727         (JSC::MarkedSpace::allocateWithoutDestructor):
728         (JSC::MarkedSpace::allocateWithDestructor):
729         (JSC::MarkedSpace::allocateAuxiliary):
730         (JSC::MarkedSpace::forEachBlock):
731         (JSC::MarkedSpace::didAddBlock):
732         (JSC::MarkedSpace::capacity):
733         (JSC::MarkedSpace::forEachSubspace):
734
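The functor-based iteration over subspaces and the AllocatorAttributes struct described in the entry above, as an added stand-alone C++ illustration. This is not JavaScriptCore's code: the names MarkedSpace, Subspace, MarkedAllocator, AllocatorAttributes, DestructionMode and HeapCell::Kind are borrowed from the entry's vocabulary, while the three size classes, the liveCells counter and the runSampleScenario() scenario are assumptions made for the sketch.

```cpp
// Added illustration (not JavaScriptCore's code) of the design the entry describes:
// subspaces described by an AllocatorAttributes struct, and one functor-driven loop
// reused by everything that must visit each subspace or each allocator.
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <vector>

// Non-class enum, as the entry chose, so call sites read NeedsDestruction.
enum DestructionMode { NeedsDestruction, DoesNotNeedDestruction };
struct HeapCell { enum Kind { JSCell, Auxiliary }; };

// A struct rather than a bool: a new subspace means a new field here, not a new
// parameter on every function that used to take "needsDestruction".
struct AllocatorAttributes { DestructionMode destruction; HeapCell::Kind cellKind; };
bool operator==(const AllocatorAttributes& a, const AllocatorAttributes& b) {
    return a.destruction == b.destruction && a.cellKind == b.cellKind;
}
struct MarkedAllocator {
    size_t cellSize;
    AllocatorAttributes attributes;
    size_t liveCells; // constructed bookkeeping for the sample scenario below
};
struct Subspace { AllocatorAttributes attributes; std::vector<MarkedAllocator> allocators; };

class MarkedSpace {
public:
    MarkedSpace() {
        // The entry's three subspaces: with destructor, without, and auxiliary data.
        m_subspaces = {
            Subspace{{NeedsDestruction, HeapCell::JSCell}, {}},
            Subspace{{DoesNotNeedDestruction, HeapCell::JSCell}, {}},
            Subspace{{DoesNotNeedDestruction, HeapCell::Auxiliary}, {}},
        };
        for (Subspace& subspace : m_subspaces)
            for (size_t cellSize : {16, 32, 64}) // assumed size classes
                subspace.allocators.push_back({cellSize, subspace.attributes, 0});
    }
    // The loop over subspaces is written once; callers pass a functor and never
    // need to know how many subspaces exist.
    template<typename Func> void forEachSubspace(const Func& func) {
        for (Subspace& subspace : m_subspaces)
            func(subspace);
    }
    template<typename Func> void forEachAllocator(const Func& func) {
        forEachSubspace([&](Subspace& subspace) {
            for (MarkedAllocator& allocator : subspace.allocators)
                func(allocator);
        });
    }
    // Smallest allocator in the matching subspace whose cells fit `bytes`.
    MarkedAllocator* allocatorFor(size_t bytes, AllocatorAttributes attributes) {
        MarkedAllocator* best = nullptr;
        forEachAllocator([&](MarkedAllocator& allocator) {
            if (!(allocator.attributes == attributes) || allocator.cellSize < bytes)
                return;
            if (!best || allocator.cellSize < best->cellSize)
                best = &allocator;
        });
        return best;
    }
    bool allocate(size_t bytes, AllocatorAttributes attributes) {
        MarkedAllocator* allocator = allocatorFor(bytes, attributes);
        if (!allocator)
            return false; // larger than any size class in this sketch
        allocator->liveCells++;
        return true;
    }
    bool allocateWithDestructor(size_t bytes) { return allocate(bytes, {NeedsDestruction, HeapCell::JSCell}); }
    bool allocateWithoutDestructor(size_t bytes) { return allocate(bytes, {DoesNotNeedDestruction, HeapCell::JSCell}); }
    bool allocateAuxiliary(size_t bytes) { return allocate(bytes, {DoesNotNeedDestruction, HeapCell::Auxiliary}); }
    size_t subspaceCount() { size_t n = 0; forEachSubspace([&](Subspace&) { n++; }); return n; }
    size_t allocatorCount() { size_t n = 0; forEachAllocator([&](MarkedAllocator&) { n++; }); return n; }
    // A sweep asks each allocator whether its cells need destructors: same loop as everywhere else.
    size_t cellsNeedingDestruction() {
        size_t n = 0;
        forEachAllocator([&](MarkedAllocator& allocator) {
            if (allocator.attributes.destruction == NeedsDestruction)
                n += allocator.liveCells;
        });
        return n;
    }
private:
    std::vector<Subspace> m_subspaces;
};

struct ScenarioResult { size_t subspaces, allocators, cellsNeedingDestruction, cellSizeFor20Bytes; bool oversizedRejected; };

// Constructed scenario (assumed sizes) so the behaviour can be checked without a real heap.
ScenarioResult runSampleScenario() {
    MarkedSpace space;
    ScenarioResult r{};
    r.subspaces = space.subspaceCount();
    r.allocators = space.allocatorCount();
    space.allocateWithDestructor(20);   // lands in the 32-byte NeedsDestruction allocator
    space.allocateWithDestructor(64);
    space.allocateWithoutDestructor(8);
    space.allocateAuxiliary(40);
    r.oversizedRejected = !space.allocateAuxiliary(65);
    r.cellsNeedingDestruction = space.cellsNeedingDestruction();
    r.cellSizeFor20Bytes = space.allocatorFor(20, {NeedsDestruction, HeapCell::JSCell})->cellSize;
    return r;
}

int main() {
    ScenarioResult r = runSampleScenario();
    std::printf("%zu subspaces, %zu allocators, %zu cells need destruction\n",
                r.subspaces, r.allocators, r.cellsNeedingDestruction);
    return 0;
}
```

The point of the pattern is that a fourth subspace would be one more element in the constructor's list: every caller of forEachSubspace and forEachAllocator, including the sweep-style cellsNeedingDestruction(), picks it up without being edited, which is exactly the class of "forgot to handle the new space" bug that a hand-written loop per call site invites.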
735 2016-07-22  Saam Barati  <sbarati@apple.com>
736
737         REGRESSION(r203537): It made many tests crash on ARMv7 Linux platforms
738         https://bugs.webkit.org/show_bug.cgi?id=160082
739
740         Reviewed by Keith Miller.
741
742         We were improperly linking the Jump in the link buffer.
743         It caused us to be linking against the executable address
744         which always has bit 0 set. We shouldn't be doing that.
745         This patch fixes this, by using the same idiom that
746         PolymorphicAccess uses to link a jump to out of line code.
747
748         * jit/JITMathIC.h:
749         (JSC::JITMathIC::generateOutOfLine):
750
751 2016-07-22  Commit Queue  <commit-queue@webkit.org>
752
753         Unreviewed, rolling out r203603.
754         https://bugs.webkit.org/show_bug.cgi?id=160096
755
756         Caused CLoop tests to fail with assertions (Requested by
757         perarne on #webkit).
758
759         Reverted changeset:
760
761         "[Win] jsc.exe sometimes never exits."
762         https://bugs.webkit.org/show_bug.cgi?id=158073
763         http://trac.webkit.org/changeset/203603
764
765 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
766
767         [Win] jsc.exe sometimes never exits.
768         https://bugs.webkit.org/show_bug.cgi?id=158073
769
770         Reviewed by Mark Lam.
771
772         Make sure the VM is deleted after the test has finished. This will gracefully stop the sampling profiler thread,
773         and give the thread the opportunity to release the machine thread lock acquired in SamplingProfiler::takeSample.
774         If the sampling profiler thread was terminated while holding the machine thread lock, the machine thread will
775         not be able to grab the lock afterwards.
776
777         * jsc.cpp:
778         (jscmain):
779
780 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
781
782         Fix the Windows 64-bit build after r203537
783         https://bugs.webkit.org/show_bug.cgi?id=160080
784
785         Reviewed by Csaba Osztrogonác.
786
787         Added new version of setupArgumentsWithExecState method.
788
789         * jit/CCallHelpers.h:
790         (JSC::CCallHelpers::setupArgumentsWithExecState):
791
792 2016-07-22  Csaba Osztrogonác  <ossy@webkit.org>
793
794         [ARM] Unreviewed EABI buildfix after r203537.
795
796         * jit/CCallHelpers.h:
797         (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
798
799 2016-07-22  Youenn Fablet  <youenn@apple.com>
800
801         run-builtins-generator-tests should be able to test WebCore builtins wrapper with more than one file
802         https://bugs.webkit.org/show_bug.cgi?id=159921
803
804         Reviewed by Brian Burg.
805
806         Updated built-in generator to generate only wrapper files when passed the --wrappers-only option.
807         When this option is used, wrapper files are generated but no individual file is generated.
808         When this option is not used, individual files are generated but no wrapper file is generated.
809         This allows the builtin generator test runner to generate a single WebCore-Wrappers.h-result for all
810         WebCore test files, as used for real in WebCore.
811         Previously, wrapper code was generated individually for each WebCore test file.
812
813         Added new built-in test file to cover the case of concatenating several guards in generated WebCore wrapper files.
814
815         * Scripts/generate-js-builtins.py:
816         (concatenated_output_filename): Compute a decent name for wrapper files in case of test mode.
817         (generate_bindings_for_builtins_files): When --wrappers-only is activated, this generates only the wrapper files, not the individual files.
818         * Scripts/tests/builtins/WebCore-AnotherGuardedInternalBuiltin-Separate.js: Added.
819         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: Added.
820         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Removed wrapper code.
821         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
822         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Ditto.
823         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
824         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Removed wrapper code.
825         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: Added, contains wrapper code for all WebCore valid test cases.
826
827 2016-07-21  Saam Barati  <sbarati@apple.com>
828
829         callOperation(.) variants in the DFG that explicitly take a tag/payload register should take a JSValueRegs instead
830         https://bugs.webkit.org/show_bug.cgi?id=160007
831
832         Reviewed by Filip Pizlo.
833
834         This patch is the first step in my plan to remove all callOperation(.) variants
835         in the various JITs and to unify them using a couple template variations.
836         The steps are as follows:
837         1. Replace all explicit tag/payload pairs with JSValueRegs in the DFG
838         2. Replace all explicit tag/payload pairs with JSValueRegs in the baseline
839         3. remove callOperation(.) variants and teach setupArgumentsWithExecState
840            about JSValueRegs.
841
842         * dfg/DFGSpeculativeJIT.cpp:
843         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
844         (JSC::DFG::SpeculativeJIT::compileValueAdd):
845         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
846         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
847         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
848         * dfg/DFGSpeculativeJIT.h:
849         (JSC::DFG::SpeculativeJIT::callOperation):
850         * dfg/DFGSpeculativeJIT32_64.cpp:
851         (JSC::DFG::SpeculativeJIT::cachedGetById):
852         (JSC::DFG::SpeculativeJIT::cachedPutById):
853         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
854         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal):
855         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
856         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
857         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
858         (JSC::DFG::SpeculativeJIT::emitCall):
859         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
860         (JSC::DFG::SpeculativeJIT::emitBranch):
861         (JSC::DFG::SpeculativeJIT::compile):
862
863 2016-07-21  Saam Barati  <sbarati@apple.com>
864
865         op_add/ValueAdd should be an IC in all JIT tiers
866         https://bugs.webkit.org/show_bug.cgi?id=159649
867
868         Reviewed by Benjamin Poulain.
869
870         This patch makes Add an IC inside all JIT tiers. It does so in a
871         simple, but effective, way. We will try to generate an int+int add
872         that will repatch itself if its type checks fail. Sometimes though,
873         we have runtime type data saying that the add won't be int+int.
874         In those cases, we will just generate a full snippet that doesn't patch itself.
875         Other times, we may generate no inline code and defer to making a C call. A lot
876         of this patch is just refactoring ResultProfile into what we're now calling ArithProfile.
877         ArithProfile does everything ResultProfile used to do, and more. It records simple type
878         data about the LHS/RHS operands it sees. This allows us to determine if an op_add
879         has only seen int+int operands, etc. ArithProfile will also contain the ResultType
880         for the LHS/RHS that the parser feeds into op_add. ArithProfile now fits into 32-bits.
881         This means instead of having a side table like we did for ResultProfile, we just
882         inject the ArithProfile into the bytecode instruction stream. This makes asking
883         for ArithProfile faster; we no longer need to lock around this operation.
884
885         The size of an Add has gone down on average, but we can still do better.
886         We still generate a lot of code because we generate calls to the slow path.
887         I think we can make this better by moving the slow path to a shared thunk
888         system. This patch mostly lays the foundation for future improvements to Add,
889         and a framework to move all other arithmetic operations to be typed-based ICs.
890
891         Here is some data I took on the average op_add/ValueAdd size on various benchmarks:
892                    |   JetStream  |  Speedometer |  Unity 3D  |
893              ------| -------------|-----------------------------
894               Old  |  189 bytes   |  169 bytes   |  192 bytes |
895              ------| -------------|-----------------------------
896               New  |  148 bytes   |  124 bytes   |  143 bytes |
897              ---------------------------------------------------
898
899         Making an arithmetic IC is now easy. The JITMathIC class will hold a snippet
900         generator as a member variable. To make a snippet an IC, you need to implement
901         a generateInline(.) method, which generates the inline IC. Then, you need to
902         generate the IC where you used to generate the snippet. When generating the
903         IC, we need to inform JITMathIC of various data like we do with StructureStubInfo.
904         We need to tell it about where the slow path starts, where the slow path call is, etc.
905         When generating a JITMathIC, it may tell you that it didn't generate any code inline.
906         This is a request to the user of JITMathIC to just generate a C call along the
907         fast path. JITMathIC may also have the snippet tell it to just generate the full
908         snippet instead of the int+int path along the fast path.
909
910         In subsequent patches, we can improve upon how we decide to generate int+int or
911         the full snippet. I tried to get clever by having double+double, double+int, int+double,
912         fast paths, but they didn't work out nearly as well as the int+int fast path. I ended up
913         generating a lot of code when I did this and ended up using more memory than just generating
914         the full snippet. There is probably some way we can be clever and generate specialized fast
915         paths that are more successful than what I tried implementing, but I think it's worth deferring
916         this to follow-up patches once the JITMathIC foundation has landed.
917
918         This patch also fixes a bug inside the slow path lambdas in the DFG.
919         Before, it was not legal to emit an exception check inside them. Now,
920         it is. So it's now easy to define arbitrary late paths using the DFG
921         slow path lambda API.
922
923         * CMakeLists.txt:
924         * JavaScriptCore.xcodeproj/project.pbxproj:
925         * bytecode/ArithProfile.cpp: Added.
926         (JSC::ArithProfile::emitObserveResult):
927         (JSC::ArithProfile::shouldEmitSetDouble):
928         (JSC::ArithProfile::emitSetDouble):
929         (JSC::ArithProfile::shouldEmitSetNonNumber):
930         (JSC::ArithProfile::emitSetNonNumber):
931         (WTF::printInternal):
932         * bytecode/ArithProfile.h: Added.
933         (JSC::ObservedType::ObservedType):
934         (JSC::ObservedType::sawInt32):
935         (JSC::ObservedType::isOnlyInt32):
936         (JSC::ObservedType::sawNumber):
937         (JSC::ObservedType::isOnlyNumber):
938         (JSC::ObservedType::sawNonNumber):
939         (JSC::ObservedType::isOnlyNonNumber):
940         (JSC::ObservedType::isEmpty):
941         (JSC::ObservedType::bits):
942         (JSC::ObservedType::withInt32):
943         (JSC::ObservedType::withNumber):
944         (JSC::ObservedType::withNonNumber):
945         (JSC::ObservedType::withoutNonNumber):
946         (JSC::ObservedType::operator==):
947         (JSC::ArithProfile::ArithProfile):
948         (JSC::ArithProfile::fromInt):
949         (JSC::ArithProfile::lhsResultType):
950         (JSC::ArithProfile::rhsResultType):
951         (JSC::ArithProfile::lhsObservedType):
952         (JSC::ArithProfile::rhsObservedType):
953         (JSC::ArithProfile::setLhsObservedType):
954         (JSC::ArithProfile::setRhsObservedType):
955         (JSC::ArithProfile::tookSpecialFastPath):
956         (JSC::ArithProfile::didObserveNonInt32):
957         (JSC::ArithProfile::didObserveDouble):
958         (JSC::ArithProfile::didObserveNonNegZeroDouble):
959         (JSC::ArithProfile::didObserveNegZeroDouble):
960         (JSC::ArithProfile::didObserveNonNumber):
961         (JSC::ArithProfile::didObserveInt32Overflow):
962         (JSC::ArithProfile::didObserveInt52Overflow):
963         (JSC::ArithProfile::setObservedNonNegZeroDouble):
964         (JSC::ArithProfile::setObservedNegZeroDouble):
965         (JSC::ArithProfile::setObservedNonNumber):
966         (JSC::ArithProfile::setObservedInt32Overflow):
967         (JSC::ArithProfile::setObservedInt52Overflow):
968         (JSC::ArithProfile::addressOfBits):
969         (JSC::ArithProfile::observeResult):
970         (JSC::ArithProfile::lhsSawInt32):
971         (JSC::ArithProfile::lhsSawNumber):
972         (JSC::ArithProfile::lhsSawNonNumber):
973         (JSC::ArithProfile::rhsSawInt32):
974         (JSC::ArithProfile::rhsSawNumber):
975         (JSC::ArithProfile::rhsSawNonNumber):
976         (JSC::ArithProfile::observeLHSAndRHS):
977         (JSC::ArithProfile::bits):
978         (JSC::ArithProfile::hasBits):
979         (JSC::ArithProfile::setBit):
980         * bytecode/CodeBlock.cpp:
981         (JSC::CodeBlock::dumpRareCaseProfile):
982         (JSC::CodeBlock::dumpArithProfile):
983         (JSC::CodeBlock::dumpBytecode):
984         (JSC::CodeBlock::addStubInfo):
985         (JSC::CodeBlock::addJITAddIC):
986         (JSC::CodeBlock::findStubInfo):
987         (JSC::CodeBlock::resetJITData):
988         (JSC::CodeBlock::shrinkToFit):
989         (JSC::CodeBlock::dumpValueProfiles):
990         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
991         (JSC::CodeBlock::arithProfileForBytecodeOffset):
992         (JSC::CodeBlock::arithProfileForPC):
993         (JSC::CodeBlock::couldTakeSpecialFastCase):
994         (JSC::CodeBlock::dumpResultProfile): Deleted.
995         (JSC::CodeBlock::resultProfileForBytecodeOffset): Deleted.
996         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset): Deleted.
997         (JSC::CodeBlock::ensureResultProfile): Deleted.
998         * bytecode/CodeBlock.h:
999         (JSC::CodeBlock::stubInfoBegin):
1000         (JSC::CodeBlock::stubInfoEnd):
1001         (JSC::CodeBlock::couldTakeSlowCase):
1002         (JSC::CodeBlock::numberOfResultProfiles): Deleted.
1003         * bytecode/MethodOfGettingAValueProfile.cpp:
1004         (JSC::MethodOfGettingAValueProfile::emitReportValue):
1005         * bytecode/MethodOfGettingAValueProfile.h:
1006         (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
1007         * bytecode/ValueProfile.cpp:
1008         (JSC::ResultProfile::emitDetectNumericness): Deleted.
1009         (JSC::ResultProfile::emitSetDouble): Deleted.
1010         (JSC::ResultProfile::emitSetNonNumber): Deleted.
1011         (WTF::printInternal): Deleted.
1012         * bytecode/ValueProfile.h:
1013         (JSC::getRareCaseProfileBytecodeOffset):
1014         (JSC::ResultProfile::ResultProfile): Deleted.
1015         (JSC::ResultProfile::bytecodeOffset): Deleted.
1016         (JSC::ResultProfile::specialFastPathCount): Deleted.
1017         (JSC::ResultProfile::didObserveNonInt32): Deleted.
1018         (JSC::ResultProfile::didObserveDouble): Deleted.
1019         (JSC::ResultProfile::didObserveNonNegZeroDouble): Deleted.
1020         (JSC::ResultProfile::didObserveNegZeroDouble): Deleted.
1021         (JSC::ResultProfile::didObserveNonNumber): Deleted.
1022         (JSC::ResultProfile::didObserveInt32Overflow): Deleted.
1023         (JSC::ResultProfile::didObserveInt52Overflow): Deleted.
1024         (JSC::ResultProfile::setObservedNonNegZeroDouble): Deleted.
1025         (JSC::ResultProfile::setObservedNegZeroDouble): Deleted.
1026         (JSC::ResultProfile::setObservedNonNumber): Deleted.
1027         (JSC::ResultProfile::setObservedInt32Overflow): Deleted.
1028         (JSC::ResultProfile::setObservedInt52Overflow): Deleted.
1029         (JSC::ResultProfile::addressOfFlags): Deleted.
1030         (JSC::ResultProfile::addressOfSpecialFastPathCount): Deleted.
1031         (JSC::ResultProfile::detectNumericness): Deleted.
1032         (JSC::ResultProfile::hasBits): Deleted.
1033         (JSC::ResultProfile::setBit): Deleted.
1034         (JSC::getResultProfileBytecodeOffset): Deleted.
1035         * bytecompiler/BytecodeGenerator.cpp:
1036         (JSC::BytecodeGenerator::emitBinaryOp):
1037         * dfg/DFGByteCodeParser.cpp:
1038         (JSC::DFG::ByteCodeParser::makeSafe):
1039         * dfg/DFGGraph.cpp:
1040         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1041         * dfg/DFGJITCompiler.cpp:
1042         (JSC::DFG::JITCompiler::exceptionCheck):
1043         * dfg/DFGSlowPathGenerator.h:
1044         (JSC::DFG::SlowPathGenerator::generate):
1045         * dfg/DFGSpeculativeJIT.cpp:
1046         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
1047         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
1048         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1049         * dfg/DFGSpeculativeJIT.h:
1050         (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
1051         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
1052         (JSC::DFG::SpeculativeJIT::callOperation):
1053         * ftl/FTLLowerDFGToB3.cpp:
1054         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1055         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
1056         * jit/CCallHelpers.h:
1057         (JSC::CCallHelpers::setupArgumentsWithExecState):
1058         (JSC::CCallHelpers::setupArguments):
1059         * jit/JIT.h:
1060         * jit/JITAddGenerator.cpp:
1061         (JSC::JITAddGenerator::generateInline):
1062         (JSC::JITAddGenerator::generateFastPath):
1063         * jit/JITAddGenerator.h:
1064         (JSC::JITAddGenerator::JITAddGenerator):
1065         (JSC::JITAddGenerator::didEmitFastPath): Deleted.
1066         (JSC::JITAddGenerator::endJumpList): Deleted.
1067         (JSC::JITAddGenerator::slowPathJumpList): Deleted.
1068         * jit/JITArithmetic.cpp:
1069         (JSC::JIT::emit_op_jless):
1070         (JSC::JIT::emitSlow_op_urshift):
1071         (JSC::getOperandTypes):
1072         (JSC::JIT::emit_op_add):
1073         (JSC::JIT::emitSlow_op_add):
1074         (JSC::JIT::emit_op_div):
1075         (JSC::JIT::emit_op_mul):
1076         (JSC::JIT::emitSlow_op_mul):
1077         (JSC::JIT::emit_op_sub):
1078         (JSC::JIT::emitSlow_op_sub):
1079         * jit/JITDivGenerator.cpp:
1080         (JSC::JITDivGenerator::generateFastPath):
1081         * jit/JITDivGenerator.h:
1082         (JSC::JITDivGenerator::JITDivGenerator):
1083         * jit/JITInlines.h:
1084         (JSC::JIT::callOperation):
1085         * jit/JITMathIC.h: Added.
1086         (JSC::JITMathIC::doneLocation):
1087         (JSC::JITMathIC::slowPathStartLocation):
1088         (JSC::JITMathIC::slowPathCallLocation):
1089         (JSC::JITMathIC::generateInline):
1090         (JSC::JITMathIC::generateOutOfLine):
1091         (JSC::JITMathIC::finalizeInlineCode):
1092         * jit/JITMathICForwards.h: Added.
1093         * jit/JITMathICInlineResult.h: Added.
1094         * jit/JITMulGenerator.cpp:
1095         (JSC::JITMulGenerator::generateFastPath):
1096         * jit/JITMulGenerator.h:
1097         (JSC::JITMulGenerator::JITMulGenerator):
1098         * jit/JITOperations.cpp:
1099         * jit/JITOperations.h:
1100         * jit/JITSubGenerator.cpp:
1101         (JSC::JITSubGenerator::generateFastPath):
1102         * jit/JITSubGenerator.h:
1103         (JSC::JITSubGenerator::JITSubGenerator):
1104         * jit/Repatch.cpp:
1105         (JSC::readCallTarget):
1106         (JSC::ftlThunkAwareRepatchCall):
1107         (JSC::tryCacheGetByID):
1108         (JSC::repatchGetByID):
1109         (JSC::appropriateGenericPutByIdFunction):
1110         (JSC::tryCachePutByID):
1111         (JSC::repatchPutByID):
1112         (JSC::tryRepatchIn):
1113         (JSC::repatchIn):
1114         (JSC::linkSlowFor):
1115         (JSC::resetGetByID):
1116         (JSC::resetPutByID):
1117         (JSC::repatchCall): Deleted.
1118         * jit/Repatch.h:
1119         * llint/LLIntData.cpp:
1120         (JSC::LLInt::Data::performAssertions):
1121         * llint/LowLevelInterpreter.asm:
1122         * llint/LowLevelInterpreter32_64.asm:
1123         * llint/LowLevelInterpreter64.asm:
1124         * parser/ResultType.h:
1125         (JSC::ResultType::ResultType):
1126         (JSC::ResultType::isInt32):
1127         (JSC::ResultType::definitelyIsNumber):
1128         (JSC::ResultType::definitelyIsString):
1129         (JSC::ResultType::definitelyIsBoolean):
1130         (JSC::ResultType::mightBeNumber):
1131         (JSC::ResultType::isNotNumber):
1132         (JSC::ResultType::forBitOp):
1133         (JSC::ResultType::bits):
1134         (JSC::OperandTypes::OperandTypes):
1135         * runtime/CommonSlowPaths.cpp:
1136         (JSC::SLOW_PATH_DECL):
1137         (JSC::updateArithProfileForBinaryArithOp):
1138         (JSC::updateResultProfileForBinaryArithOp): Deleted.
1139         * tests/stress/op-add-exceptions.js: Added.
1140         (assert):
1141         (f1):
1142         (f2):
1143         (f3):
1144         (let.oException.valueOf):
1145         (foo):
1146         (ident):
1147         (bar):
1148
1149 2016-07-21  Csaba Osztrogonác  <ossy@webkit.org>
1150
1151         Clarify testing mode names in run-jsc-stress-tests
1152         https://bugs.webkit.org/show_bug.cgi?id=160021
1153
1154         Reviewed by Mark Lam.
1155
1156         Default should mean really default, not default with FTL disabled. Renamed:
1157         - runMozillaTestDefault to runMozillaTestNoFTL
1158         - runMozillaTestDefaultFTL to runMozillaTestDefault
1159         - runDefault to runNoFTL
1160         - runDefaultFTL to runDefault
1161         - runLayoutTestDefault to runLayoutTestNoFTL
1162         - runLayoutTestDefaultFTL to runLayoutTestDefault
1163         - runNoisyTestDefault to runNoisyTestNoFTL
1164         - runNoisyTestDefaultFTL to runNoisyTestDefault
1165
1166         * tests/mozilla/mozilla-tests.yaml:
1167         * tests/stress/lift-tdz-bypass-catch.js:
1168         * tests/stress/obscure-error-message-dont-crash.js:
1169         * tests/stress/shadow-chicken-disabled.js:
1170
1171 2016-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1172
1173         [ES7] Introduce exponentiation expression
1174         https://bugs.webkit.org/show_bug.cgi?id=159969
1175
1176         Reviewed by Saam Barati.
1177
1178         This patch implements the exponentiation expression, e.g. `x ** y`.
1179         The exponentiation expression was introduced in ECMA262 2016, and ECMA262 2016
1180         has already been released. So this is not a draft spec.
1181
1182         The exponentiation expression has 2 interesting points.
1183
1184         1. Right associative
1185
1186             To follow the math expression, the ** operator is right associative.
1187             When we execute `x ** y ** z`, this is handled as `x ** (y ** z)`, not `(x ** y) ** z`.
1188             This patch introduces the right associativity to the binary operator and handles it
1189             in the operator precedence parser in Parser.cpp.
1190
1191         2. LHS of the exponentiation expression is UpdateExpression
1192
1193             ExponentiationExpression[Yield]:
1194                 UnaryExpression[?Yield]
1195                 UpdateExpression[?Yield] ** ExponentiationExpression[?Yield]
1196
1197             As we can see, the left hand side of the ExponentiationExpression is UpdateExpression, not UnaryExpression.
1198             It means that `+x ** y` becomes a syntax error. This is intentional. Without superscripts in JS,
1199             `-x**y` is ambiguous between `-(x ** y)` and `(-x) ** y`. So ECMA262 intentionally avoids UnaryExpression here.
1200             If we need to use a negated value, we need to write parentheses explicitly, e.g. `(-x) ** y`.
1201             In this patch, we ensure that the left hand side is not a unary expression by checking the operator in
1202             parseBinaryExpression. This works since `**` has the highest operator precedence among the binary operators.
1203
1204         We introduce a new bytecode, op_pow. It simply works similarly to the other binary operators.
1205         And it is converted to ArithPow in DFG and handled in DFG and FTL.
1206         In this patch, we take the approach of just introducing a new bytecode instead of calling Math.pow.
1207         This is because we would like to execute ToNumber in the caller side, not in the callee (Math.pow) side.
1208         And we don't want to compile ** into the following.
1209
1210             lhsNumber = to_number (lhs)
1211             rhsNumber = to_number (rhs)
1212             call Math.pow(lhsNumber, rhsNumber)
1213
1214         We ensure that this patch passes all the test262 tests related to the exponentiation expression.
1215
1216         The only performance-sensitive part is the parser changes.
1217         So we measured the code-load performance and it is neutral on my x64 Linux box (hanayamata).
1218
1219             Collected 30 samples per benchmark/VM, with 30 VM invocations per benchmark. Emitted a call to
1220             gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used
1221             the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark
1222             execution times with 95% confidence intervals in milliseconds.
1223
1224                                      baseline                  patched
1225
1226             closure              0.60499+-0.00250          0.60180+-0.00244
1227             jquery               7.89175+-0.02433    ?     7.91287+-0.04759       ?
1228
1229             <geometric>          2.18499+-0.00523          2.18207+-0.00689         might be 1.0013x faster
1230
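The three behaviours the entry spells out (right associativity, the UpdateExpression restriction on the left operand, and ToNumber running in the caller before the power is computed), plus a few edge cases taken from the spec's rules for the operator, as an added JavaScript example that runs under node. It is not part of the patch or of its stress tests; the helper names (associativity, isSyntaxError, lhsGrammar, evaluationOrder, edgeCases) are this example's own.

```javascript
// Added example (not part of the WebKit patch): observable behaviour of the
// ES2016 exponentiation operator as the entry describes it. Runs under node.
'use strict';

// 1. Right associativity: `x ** y ** z` is `x ** (y ** z)`, not `(x ** y) ** z`.
function associativity() {
    return {
        chained: 2 ** 3 ** 2,         // 2 ** 9
        explicitRight: 2 ** (3 ** 2),
        explicitLeft: (2 ** 3) ** 2,  // 8 ** 2
    };
}

// 2. The left operand must be an UpdateExpression, so a unary operator directly
// before `**` is an early SyntaxError. The source is handed to the Function
// constructor so the error is observed at run time instead of stopping this
// file from parsing; the body is never called.
function isSyntaxError(source) {
    try {
        new Function(source);
    } catch (e) {
        if (e instanceof SyntaxError) return true;
        throw e;
    }
    return false;
}

function lhsGrammar() {
    return {
        negatedLhs: isSyntaxError('return -x ** y;'),      // true
        typeofLhs: isSyntaxError('return typeof x ** y;'), // true
        parenthesized: isSyntaxError('return (-x) ** y;'), // false
        negatedWhole: isSyntaxError('return -(x ** y);'),  // false
        updateLhs: isSyntaxError('return ++x ** y;'),      // false: ++x is an UpdateExpression
        unaryRhs: isSyntaxError('return x ** -y;'),        // false: the RHS may be a UnaryExpression
    };
}

// 3. ToNumber runs on the caller side, left operand first, before the power is
// computed; the compound form `**=` behaves the same way.
function evaluationOrder() {
    const log = [];
    const lhs = { valueOf() { log.push('lhs'); return 2; } };
    const rhs = { valueOf() { log.push('rhs'); return 10; } };
    const result = lhs ** rhs;
    let compound = 3;
    compound **= 2;
    return { result, log, compound };
}

// 4. Edge cases per the spec: a NaN exponent yields NaN even for base 1 (unlike
// C's pow), NaN ** 0 is 1, negative exponents and infinite exponents are allowed.
function edgeCases() {
    return {
        oneToNaN: Number.isNaN(1 ** NaN),
        nanToZero: NaN ** 0,
        negativeExponent: 2 ** -1,
        halfToInfinity: 0.5 ** Infinity,
    };
}

if (typeof require !== 'undefined' && require.main === module) {
    console.log(associativity(), lhsGrammar(), evaluationOrder(), edgeCases());
}
```

The isSyntaxError helper is the useful trick here: a parser-level rule like the UpdateExpression restriction cannot be tested inline, because the offending source would prevent the test file itself from loading, so each case is compiled separately through the Function constructor and only the SyntaxError is caught.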
1231         * bytecode/BytecodeList.json:
1232         * bytecode/BytecodeUseDef.h:
1233         (JSC::computeUsesForBytecodeOffset):
1234         (JSC::computeDefsForBytecodeOffset):
1235         * bytecode/CodeBlock.cpp:
1236         (JSC::CodeBlock::dumpBytecode):
1237         * bytecompiler/NodesCodegen.cpp:
1238         (JSC::emitReadModifyAssignment):
1239         * dfg/DFGByteCodeParser.cpp:
1240         (JSC::DFG::ByteCodeParser::parseBlock):
1241         * dfg/DFGCapabilities.cpp:
1242         (JSC::DFG::capabilityLevel):
1243         * jit/JIT.cpp:
1244         (JSC::JIT::privateCompileMainPass):
1245         * jit/JIT.h:
1246         * jit/JITArithmetic.cpp:
1247         (JSC::JIT::emit_op_pow):
1248         * llint/LowLevelInterpreter.asm:
1249         * parser/ASTBuilder.h:
1250         (JSC::ASTBuilder::operatorStackShouldReduce):
1251         (JSC::ASTBuilder::makePowNode):
1252         (JSC::ASTBuilder::makeMultNode):
1253         (JSC::ASTBuilder::makeDivNode):
1254         (JSC::ASTBuilder::makeModNode):
1255         (JSC::ASTBuilder::makeSubNode):
1256         (JSC::ASTBuilder::makeBinaryNode):
1257         (JSC::ASTBuilder::operatorStackHasHigherPrecedence): Deleted.
1258         * parser/Lexer.cpp:
1259         (JSC::Lexer<T>::lex):
1260         * parser/NodeConstructors.h:
1261         (JSC::PowNode::PowNode):
1262         * parser/Nodes.h:
1263         * parser/Parser.cpp:
1264         (JSC::Parser<LexerType>::parseAssignmentExpression):
1265         (JSC::isUnaryOpExcludingUpdateOp):
1266         (JSC::Parser<LexerType>::parseBinaryExpression):
1267         (JSC::isUnaryOp): Deleted.
1268         * parser/ParserTokens.h:
1269         (JSC::isUpdateOp):
1270         (JSC::isUnaryOp):
1271         * parser/SyntaxChecker.h:
1272         (JSC::SyntaxChecker::operatorStackPop):
1273         * runtime/CommonSlowPaths.cpp:
1274         (JSC::SLOW_PATH_DECL):
1275         * runtime/CommonSlowPaths.h:
1276         * tests/stress/pow-basics.js: Added.
1277         (valuesAreClose):
1278         (mathPowDoubleDouble1):
1279         (mathPowDoubleInt1):
1280         (test1):
1281         (mathPowDoubleDouble2):
1282         (mathPowDoubleInt2):
1283         (test2):
1284         (mathPowDoubleDouble3):
1285         (mathPowDoubleInt3):
1286         (test3):
1287         (mathPowDoubleDouble4):
1288         (mathPowDoubleInt4):
1289         (test4):
1290         (mathPowDoubleDouble5):
1291         (mathPowDoubleInt5):
1292         (test5):
1293         (mathPowDoubleDouble6):
1294         (mathPowDoubleInt6):
1295         (test6):
1296         (mathPowDoubleDouble7):
1297         (mathPowDoubleInt7):
1298         (test7):
1299         (mathPowDoubleDouble8):
1300         (mathPowDoubleInt8):
1301         (test8):
1302         (mathPowDoubleDouble9):
1303         (mathPowDoubleInt9):
1304         (test9):
1305         (mathPowDoubleDouble10):
1306         (mathPowDoubleInt10):
1307         (test10):
1308         (mathPowDoubleDouble11):
1309         (mathPowDoubleInt11):
1310         (test11):
1311         * tests/stress/pow-coherency.js: Added.
1312         (pow42):
1313         (build42AsDouble.opaqueAdd):
1314         (build42AsDouble):
1315         (powDouble42):
1316         (clobber):
1317         (pow42NoConstantFolding):
1318         (powDouble42NoConstantFolding):
1319         * tests/stress/pow-evaluation-order.js: Added.
1320         (shouldBe):
1321         (throw.new.Error):
1322         * tests/stress/pow-expects-update-expression-on-lhs.js: Added.
1323         (testSyntax):
1324         (testSyntaxError):
1325         (throw.new.Error):
1326         (let.token.of.tokens.testSyntax.pow):
1327         (testSyntax.pow):
1328         * tests/stress/pow-integer-exponent-fastpath.js: Added.
1329         (valuesAreClose):
1330         (mathPowDoubleDoubleTestExponentFifty):
1331         (mathPowDoubleIntTestExponentFifty):
1332         (testExponentFifty):
1333         (mathPowDoubleDoubleTestExponentTenThousands):
1334         (mathPowDoubleIntTestExponentTenThousands):
1335         (testExponentTenThousands):
1336         * tests/stress/pow-nan-behaviors.js: Added.
1337         (testIntegerBaseWithNaNExponentStatic):
1338         (mathPowIntegerBaseWithNaNExponentDynamic):
1339         (testIntegerBaseWithNaNExponentDynamic):
1340         (testFloatingPointBaseWithNaNExponentStatic):
1341         (mathPowFloatingPointBaseWithNaNExponentDynamic):
1342         (testFloatingPointBaseWithNaNExponentDynamic):
1343         (testNaNBaseStatic):
1344         (mathPowNaNBaseDynamic1):
1345         (mathPowNaNBaseDynamic2):
1346         (mathPowNaNBaseDynamic3):
1347         (mathPowNaNBaseDynamic4):
1348         (testNaNBaseDynamic):
1349         (infiniteExponentsStatic):
1350         (mathPowInfiniteExponentsDynamic1):
1351         (mathPowInfiniteExponentsDynamic2):
1352         (mathPowInfiniteExponentsDynamic3):
1353         (mathPowInfiniteExponentsDynamic4):
1354         (infiniteExponentsDynamic):
1355         * tests/stress/pow-simple.js: Added.
1356         (shouldBe):
1357         (throw.new.Error):
1358         * tests/stress/pow-stable-results.js: Added.
1359         (opaquePow):
1360         (isIdentical):
1361         * tests/stress/pow-to-number-should-be-executed-in-code-side.js: Added.
1362         (shouldBe):
1363         (throw.new.Error):
1364         * tests/stress/pow-with-constants.js: Added.
1365         (exponentIsZero):
1366         (testExponentIsZero):
1367         (exponentIsOne):
1368         (testExponentIsOne):
1369         (powUsedAsSqrt):
1370         (testPowUsedAsSqrt):
1371         (powUsedAsOneOverSqrt):
1372         (testPowUsedAsOneOverSqrt):
1373         (powUsedAsSquare):
1374         (testPowUsedAsSquare):
1375         (intIntConstantsSmallNumbers):
1376         (intIntConstantsLargeNumbers):
1377         (intIntSmallConstants):
1378         (intDoubleConstants):
1379         (doubleDoubleConstants):
1380         (doubleIntConstants):
1381         (testBaseAndExponentConstantLiterals):
1382         (exponentIsIntegerConstant):
1383         (testExponentIsIntegerConstant):
1384         (exponentIsDoubleConstant):
1385         (testExponentIsDoubleConstant):
1386         (exponentIsInfinityConstant):
1387         (testExponentIsInfinityConstant):
1388         (exponentIsNegativeInfinityConstant):
1389         (testExponentIsNegativeInfinityConstant):
1390         * tests/stress/pow-with-never-NaN-exponent.js: Added.
1391         (exponentIsNonNanDouble1):
1392         (exponentIsNonNanDouble2):
1393         (testExponentIsDoubleConstant):
1394         * tests/test262.yaml:
1395
1396 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
1397
1398         Switching on symbols should be fast
1399         https://bugs.webkit.org/show_bug.cgi?id=158892
1400
1401         Reviewed by Keith Miller.
1402         
1403         This does two things: fixes some goofs in our lowering of symbol equality and adds a new phase
1404         to B3 to infer switch statements from linear chains of branches.
1405         
1406         This changes how we compile equality to Symbols to constant-fold the load of the Symbol's UID.
1407         This is necessary for making switches on Symbols inferrable. This also gives us the ability to
1408         efficiently compile strict equality comparisons of SymbolUse and UntypedUse.
1409
1410         This adds a new phase to B3, which finds chains of branches that test for (in)equality on the
1411         same value and constants, and turns them into a Switch. This can turn O(n) code into
1412         O(log n) code, or even O(1) code if the switch cases are dense.
1413         
1414         This can make a big difference in JS. Say you write a switch in which the case statements are
1415         variable resolutions. The bytecode generator cannot use a bytecode switch in this case, since
1416         we're required to evaluate the resolutions in order. But in DFG IR, we will often turn those
1417         variable resolutions into constants, since we do that for any immutable singleton. This means
1418         that B3 will see a chain of Branches: the else case of one Branch will point to a basic block
1419         that does nothing but Branch on equality on the same value as the first Branch.
1420
1421         The inference algorithm is quite simple. The basic building block is the ability to summarize
1422         a block's switch behavior. For a block that ends in a switch, this is just the collection of
1423         switch cases. For a block that ends in a branch, we recognize Branch(Equal(value, const)),
1424         Branch(NotEqual(value, const)), and Branch(value). Each of these is summarized as if they
1425         were one-case switches. We infer a new switch if both some block and its sole predecessor
1426         can be described as switches on the same value, nothing shady is going on (like loops), and
1427         the block in question does no work other than this switch. In that case, the block is killed
1428         and its cases (which we get from the summary) are added to the predecessor's switch. This
1429         algorithm runs to fixpoint.
1430         
1431         * CMakeLists.txt:
1432         * JavaScriptCore.xcodeproj/project.pbxproj:
1433         * b3/B3Generate.cpp:
1434         (JSC::B3::generateToAir):
1435         * b3/B3InferSwitches.cpp: Added.
1436         (JSC::B3::inferSwitches):
1437         * b3/B3InferSwitches.h: Added.
1438         * b3/B3Procedure.h:
1439         (JSC::B3::Procedure::cfg):
1440         * b3/B3ReduceStrength.cpp:
1441         * b3/B3Value.cpp:
1442         (JSC::B3::Value::performSubstitution):
1443         (JSC::B3::Value::isFree):
1444         (JSC::B3::Value::dumpMeta):
1445         * b3/B3Value.h:
1446         * ftl/FTLLowerDFGToB3.cpp:
1447         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent):
1448         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1449         (JSC::FTL::DFG::LowerDFGToB3::lowSymbol):
1450         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID):
1451         (JSC::FTL::DFG::LowerDFGToB3::lowNonNullObject):
1452
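The inference described above, as an added example that is not B3's own code: a small C++ model of blocks and terminals, the per-block switch summary, the merge test and the fixpoint loop, plus a dispatch routine that checks the rewrite preserves which exit block a value reaches. The Block/CFG types, block ids, value ids and the sample chain are constructed for the example.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <vector>

// Constructed model of the terminals the phase recognizes (not B3's own types). Block ids index
// the CFG vector, block 0 is the entry, and a Jump with fallThrough -1 is an exit leaf.
enum class Kind { Jump, BranchEqual, BranchNotEqual, BranchNonZero, Switch };
struct Block {
    Kind kind = Kind::Jump;
    int value = -1;                   // id of the tested SSA value (unused for Jump)
    int64_t constant = 0;             // BranchEqual / BranchNotEqual constant
    int taken = -1, notTaken = -1;    // Branch successors
    std::map<int64_t, int> cases;     // Switch: constant -> successor
    int fallThrough = -1;             // Switch fall-through or Jump target
    int nonTerminalValues = 0;        // work done besides the terminal; must be 0 to merge
};
using CFG = std::vector<Block>;

// A block's switch behaviour: its cases plus the fall-through successor.
struct SwitchDescription { int value; std::map<int64_t, int> cases; int fallThrough; };
// Branch(Equal(v,c)), Branch(NotEqual(v,c)) and Branch(v) summarize as one-case switches.
static std::optional<SwitchDescription> describe(const Block& b) {
    switch (b.kind) {
    case Kind::BranchEqual:    return SwitchDescription{ b.value, { { b.constant, b.taken } }, b.notTaken };
    case Kind::BranchNotEqual: return SwitchDescription{ b.value, { { b.constant, b.notTaken } }, b.taken };
    case Kind::BranchNonZero:  return SwitchDescription{ b.value, { { 0, b.notTaken } }, b.taken };
    case Kind::Switch:         return SwitchDescription{ b.value, b.cases, b.fallThrough };
    default:                   return std::nullopt;
    }
}

static std::vector<int> successors(const Block& b) {
    auto d = describe(b);
    if (!d) return b.fallThrough >= 0 ? std::vector<int>{ b.fallThrough } : std::vector<int>{};
    std::vector<int> out{ d->fallThrough };
    for (const auto& entry : d->cases) out.push_back(entry.second);
    return out;
}

static std::vector<std::vector<int>> predecessors(const CFG& cfg) {
    std::vector<std::vector<int>> preds(cfg.size());
    for (size_t i = 0; i < cfg.size(); ++i)
        for (int s : successors(cfg[i])) if (preds[s].empty() || preds[s].back() != int(i)) preds[s].push_back(int(i));
    return preds;
}

// One step: fold 'blockIndex' into its sole predecessor when both switch on the same value, the block
// hangs off the predecessor's fall-through edge, does no other work, and no loop is involved.
static bool attemptToMergeWithPredecessor(CFG& cfg, int blockIndex) {
    Block& block = cfg[blockIndex];
    auto preds = predecessors(cfg);
    if (blockIndex == 0 || preds[blockIndex].size() != 1) return false;
    int predIndex = preds[blockIndex][0];
    auto pd = describe(cfg[predIndex]), bd = describe(block);
    if (!pd || !bd || pd->value != bd->value) return false;
    if (pd->fallThrough != blockIndex || block.nonTerminalValues != 0) return false;
    for (int s : successors(block))
        if (s == blockIndex || s == predIndex) return false;
    std::map<int64_t, int> merged = pd->cases;
    // Cases the predecessor already dispatches can never reach this block, so the earlier case wins.
    for (const auto& entry : bd->cases) merged.emplace(entry.first, entry.second);
    Block& pred = cfg[predIndex];
    pred.kind = Kind::Switch; pred.value = pd->value; pred.cases = merged; pred.fallThrough = bd->fallThrough;
    block = Block{};   // the block is killed: it becomes an unreachable leaf with no successors
    return true;
}

// Runs the inference to fixpoint; returns how many blocks were folded away.
int inferSwitches(CFG& cfg) {
    int merges = 0;
    for (bool changed = true; changed;) {
        changed = false;
        for (size_t i = 0; i < cfg.size(); ++i)
            if (attemptToMergeWithPredecessor(cfg, int(i))) { changed = true; ++merges; }
    }
    return merges;
}

// Walks the CFG for the given runtime values (indexed by value id); returns the exit leaf reached, or -1.
int dispatch(const CFG& cfg, const std::vector<int64_t>& values) {
    int current = 0;
    for (int steps = 0; steps < 1000; ++steps) {
        auto d = describe(cfg[current]);
        if (!d) { if (cfg[current].fallThrough < 0) return current; current = cfg[current].fallThrough; continue; }
        auto it = d->cases.find(values[d->value]);
        current = it == d->cases.end() ? d->fallThrough : it->second;
    }
    return -1;
}

// Constructed sample: the chain of Branches the entry describes, all testing SSA value 0, exit leaves 3..6.
CFG sampleChain() {
    CFG cfg(7);
    cfg[0] = Block{ Kind::BranchEqual, 0, 10, 3, 1 };
    cfg[1] = Block{ Kind::BranchEqual, 0, 20, 4, 2 };
    cfg[2] = Block{ Kind::BranchNotEqual, 0, 30, 6, 5 };
    return cfg;
}
```
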
1453 2016-07-20  Filip Pizlo  <fpizlo@apple.com>
1454
1455         FTL snippet generators should be able to request a different register for output and input
1456         https://bugs.webkit.org/show_bug.cgi?id=160010
1457         rdar://problem/27439330
1458
1459         Reviewed by Saam Barati.
1460         
1461         The BitOr and BitXor snippet generators have problems if the register for the right input is
1462         the same as the register for the result. We could fix those generators, but I'm not convinced
1463         that the other snippet generators don't have this bug. So, the approach that this patch takes
1464         is to teach the FTL to request that B3 use a different register for the result than for
1465         any input to the snippet patchpoint.
1466         
1467         Air already has the ability to let any instruction do an EarlyDef, which means exactly this.
1468         But B3 did not expose this via ValueRep. This patch exposes this in ValueRep as
1469         SomeEarlyRegister. That's most of the change.
1470         
1471         This adds a testb3 test for SomeEarlyRegister and a regression test for this particular
1472         problem. The regression test failed on trunk JSC before this.
1473
1474         * b3/B3LowerToAir.cpp:
1475         (JSC::B3::Air::LowerToAir::lower):
1476         * b3/B3PatchpointSpecial.cpp:
1477         (JSC::B3::PatchpointSpecial::forEachArg):
1478         (JSC::B3::PatchpointSpecial::admitsStack):
1479         * b3/B3StackmapSpecial.cpp:
1480         (JSC::B3::StackmapSpecial::forEachArgImpl):
1481         (JSC::B3::StackmapSpecial::isArgValidForRep):
1482         * b3/B3Validate.cpp:
1483         * b3/B3ValueRep.cpp:
1484         (JSC::B3::ValueRep::addUsedRegistersTo):
1485         (JSC::B3::ValueRep::dump):
1486         (WTF::printInternal):
1487         * b3/B3ValueRep.h:
1488         (JSC::B3::ValueRep::ValueRep):
1489         (JSC::B3::ValueRep::reg):
1490         (JSC::B3::ValueRep::isAny):
1491         (JSC::B3::ValueRep::isReg):
1492         (JSC::B3::ValueRep::isSomeRegister): Deleted.
1493         * b3/testb3.cpp:
1494         * ftl/FTLLowerDFGToB3.cpp:
1495         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
1496         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
1497         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
1498         * tests/stress/ftl-bit-xor-right-result-interference.js: Added.
1499
1500 2016-07-20  Michael Saboff  <msaboff@apple.com>
1501
1502         CrashOnOverflow in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets
1503         https://bugs.webkit.org/show_bug.cgi?id=159954
1504
1505         Reviewed by Benjamin Poulain.
1506
1507         YarrPatternConstructor::setupAlternativeOffsets() is using the checked arithmetic class
1508         Checked<> for offset calculations.  However, the default use will just crash on
1509         overflow.  Instead we should stop processing and propagate the error up the call stack.
1510
1511         Consolidated explicit error string with the common RegExp parsing error logic.
1512         Moved that logic to YarrPattern as that seems like a better common place to put it.
1513
1514         * jit/JITOperations.cpp:
1515         * llint/LLIntSlowPaths.cpp:
1516         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1517         * tests/stress/regress-159954.js: New test.
1518         * yarr/YarrParser.h:
1519         (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
1520         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
1521         (JSC::Yarr::Parser::Parser):
1522         (JSC::Yarr::Parser::isIdentityEscapeAnError):
1523         (JSC::Yarr::Parser::parseEscape):
1524         (JSC::Yarr::Parser::parseCharacterClass):
1525         (JSC::Yarr::Parser::parseParenthesesBegin):
1526         (JSC::Yarr::Parser::parseParenthesesEnd):
1527         (JSC::Yarr::Parser::parseQuantifier):
1528         (JSC::Yarr::Parser::parseTokens):
1529         (JSC::Yarr::Parser::parse):
1530         * yarr/YarrPattern.cpp:
1531         (JSC::Yarr::YarrPatternConstructor::disjunction):
1532         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
1533         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
1534         (JSC::Yarr::YarrPattern::errorMessage):
1535         (JSC::Yarr::YarrPattern::compile):
1536         * yarr/YarrPattern.h:
1537         (JSC::Yarr::YarrPattern::reset):
1538
1539 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
1540
1541         The default testing mode should not involve disabling the FTL JIT
1542         https://bugs.webkit.org/show_bug.cgi?id=159929
1543
1544         Rubber stamped by Mark Lam and Saam Barati.
1545         
1546         Use the new powers to make some tests run only in the default configuration (i.e. FTL,
1547         concurrent JIT).
1548
1549         * tests/mozilla/mozilla-tests.yaml:
1550
1551 2016-07-19  Keith Miller  <keith_miller@apple.com>
1552
1553         Test262 should have a file with the revision and url
1554         https://bugs.webkit.org/show_bug.cgi?id=159937
1555
1556         Reviewed by Mark Lam.
1557
1558         The file.
1559
1560         * tests/test262/test262-Revision.txt: Added.
1561
1562 2016-07-19  Anders Carlsson  <andersca@apple.com>
1563
1564         WebCore-7602.1.42 fails to build: error: private field 'm_vm' is not used
1565         https://bugs.webkit.org/show_bug.cgi?id=159944
1566         rdar://problem/27420308
1567
1568         Reviewed by Dan Bernstein.
1569
1570         Wrap the m_vm declaration and initialization in conditional guards.
1571
1572         * Scripts/builtins/builtins_generate_internals_wrapper_header.py:
1573         (generate_members):
1574         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
1575         (BuiltinsInternalsWrapperImplementationGenerator.generate_constructor):
1576         Add guards.
1577
1578         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1579         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1580         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1581         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1582         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1583         Update expected results.
1584
1585 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
1586
1587         REGRESSION (r203348-r203368): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
1588         https://bugs.webkit.org/show_bug.cgi?id=159930
1589
1590         Reviewed by Geoffrey Garen.
1591         
1592         The problem is that the 32-bit DFG can flush the scope register as an unboxed cell, but the
1593         Register::scope() method was causing us to assert that it's a JSValue with proper cell
1594         boxing. We could have forced the DFG to flush it as a boxed JSValue, but I don't think that
1595         would have made anything better. This fixes the issue by teaching Register::scope() that it
1596         might see unboxed cells.
1597
1598         * runtime/JSScope.h:
1599         (JSC::Register::scope):
1600         (JSC::ExecState::lexicalGlobalObject):
1601
1602 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
1603
1604         B3 methods that mutate the successors array should take FrequentedBlock by value
1605         https://bugs.webkit.org/show_bug.cgi?id=159935
1606
1607         Reviewed by Michael Saboff.
1608         
1609         This bug was found by ASan testing. setSuccessors() takes a const FrequentedBlock&, and the
1610         caller that caused the ASan crash was doing:
1611
1612         block->setSuccessors(block->notTaken())
1613
1614         So, inside setSuccessors(), after we resize() the successors array, the const
1615         FrequentedBlock& points to nonsense.
1616
1617         The fix is to pass FrequentedBlock by value in all of these kinds of methods.
1618         
1619         No new tests, but ASan testing catches this instantly for anything that triggers CFG
1620         simplification in B3. So like half of our tests.
1621
1622         * b3/B3BasicBlock.cpp:
1623         (JSC::B3::BasicBlock::clearSuccessors):
1624         (JSC::B3::BasicBlock::appendSuccessor):
1625         (JSC::B3::BasicBlock::setSuccessors):
1626         * b3/B3BasicBlock.h:
1627         (JSC::B3::BasicBlock::successors):
1628         (JSC::B3::BasicBlock::successorBlock):
1629         * b3/B3Value.cpp:
1630         (JSC::B3::Value::replaceWithPhi):
1631         (JSC::B3::Value::replaceWithJump):
1632         (JSC::B3::Value::replaceWithOops):
1633         * b3/B3Value.h:
1634
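The dangling reference described above, as an added C++ example that is not B3's own code (FrequentedBlock, BasicBlock and the integer block ids are constructed stand-ins): the by-reference setter beside the by-value fix, with the notTaken() call site that triggered the ASan report.

```cpp
#include <vector>

// Constructed stand-ins for B3's FrequentedBlock and BasicBlock (not B3's own code); block ids
// are plain integers so the example stays self-contained.
struct FrequentedBlock {
    int block = -1;     // stand-in for the successor BasicBlock*
    bool rare = false;  // stand-in for the frequency class
};

struct BasicBlock {
    std::vector<FrequentedBlock> successors;

    // A Branch terminal has two successors: taken at index 0 and notTaken at index 1.
    FrequentedBlock& taken() { return successors[0]; }
    FrequentedBlock& notTaken() { return successors[1]; }

    // The shape of the bug: 'target' is a reference, and the caller passes a reference into this
    // very vector. resize() destroys that element when shrinking and moves the whole array when
    // growing, so the read on the second line goes through a dangling reference either way.
    // Kept only for comparison; never call it with an element of 'successors'.
    void setSuccessorsByReference(const FrequentedBlock& target) {
        successors.resize(1);
        successors[0] = target;
    }

    // The fix: take FrequentedBlock by value. The copy is made before resize() runs, so it
    // cannot alias storage that resize() invalidates.
    void setSuccessors(FrequentedBlock target) {
        successors.resize(1);
        successors[0] = target;
    }
};

// Builds a block ending in a Branch with the given taken / notTaken targets (constructed input).
BasicBlock makeBranch(int takenBlock, int notTakenBlock) {
    BasicBlock block;
    block.successors = { { takenBlock, false }, { notTakenBlock, true } };
    return block;
}

// Models the call site from the ChangeLog, block->setSuccessors(block->notTaken()): turn the
// Branch into a Jump to its notTaken successor and return that successor's block id.
int rewriteBranchAsJumpToNotTaken(BasicBlock& block) {
    block.setSuccessors(block.notTaken());
    return block.successors.size() == 1 ? block.successors[0].block : -1;
}
```
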
1635 2016-07-18  Joseph Pecoraro  <pecoraro@apple.com>
1636
1637         Make builtin TypeErrors consistent
1638         https://bugs.webkit.org/show_bug.cgi?id=159899
1639
1640         Reviewed by Keith Miller.
1641
1642         Converge on the single TypeError for non-coercible this objects in builtins.
1643         Also update some other style to be more consistent within builtins.
1644
1645         * builtins/ArrayIteratorPrototype.js:
1646         (next):
1647         * builtins/ArrayPrototype.js:
1648         (values):
1649         (keys):
1650         (entries):
1651         (reduce):
1652         (reduceRight):
1653         (every):
1654         (forEach):
1655         (filter):
1656         (map):
1657         (some):
1658         (fill):
1659         (find):
1660         (findIndex):
1661         (includes):
1662         (sort):
1663         (concatSlowPath):
1664         (copyWithin):
1665         * builtins/StringPrototype.js:
1666         (match):
1667         (repeat):
1668         (padStart):
1669         (padEnd):
1670         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
1671         (localeCompare):
1672         (search):
1673         (split):
1674         * tests/es6/String.prototype_methods_String.prototype.padEnd.js:
1675         * tests/es6/String.prototype_methods_String.prototype.padStart.js:
1676         * tests/stress/array-iterators-next-error-messages.js:
1677         (catch):
1678         * tests/stress/array-iterators-next-with-call.js:
1679         * tests/stress/regexp-match.js:
1680         (shouldThrow):
1681         * tests/stress/regexp-search.js:
1682         (shouldThrow):
1683
1684 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
1685
1686         Implement table-based switches in B3/Air
1687         https://bugs.webkit.org/show_bug.cgi?id=151141
1688
1689         Reviewed by Benjamin Poulain.
1690
1691         If a switch statement gets large, it's better to express it as an indirect jump rather than
1692         using a binary switch (divide-and-conquer tree of comparisons leading to O(log n) branches to
1693         get to the switch case). When dealing with integer switches, FTL will already use the B3
1694         Switch and expect this to get lowered as efficiently as possible; it's a bug that B3 will
1695         always use a binary switch rather than indirect jumps. When dealing with switches over some
1696         more sophisticated types, we'd want FTL to build an indirect jump table itself and use
1697         something like a hashtable to feed it. In that case, there will be no B3 Switch; we'll want
1698         some way for the FTL to directly express an indirect jump when emitting B3.
1699         
1700         This implies that we want B3 to have the ability to lower Switch to indirect jumps and to
1701         expose those indirect jumps in IR so that the FTL could do its own indirect jumps for
1702         switches over more complicated things like strings. But indirect jumps are tough to express
1703         in IR. For example, the LLVM approach ("indirectbr" and "blockaddress", see
1704         http://blog.llvm.org/2010/01/address-of-label-and-indirect-branches.html) means that some
1705         control flow edges cannot be split. Indirectbr takes an address as input and jumps to it, and
1706         blockaddress lets you build jump tables out of basic block addresses. This means that the
1707         compiler can never change any successor of an indirectbr, since the client will have already
1708         arranged for that indirectbr to jump to exactly those successors. We don't want such
1709         restrictions in B3, since B3 relies on being able to break critical edges for SSA conversion.
1710         Also, indirectbr is not cloneable, which would break any hope of doing specialization-based
1711         transformations like we want to do for multiple entrypoints (bug 159391). The goal of this
1712         change is to let clients do indirect jumps without placing any restrictions on IR.
1713         
1714         The trick is to allow Patchpoints to be used as block terminals. Patchpoints already allow
1715         clients of B3 to emit whatever code they like. Patchpoints are friendly to B3's other
1716         transformations because the client of the patchpoint has to play along with whatever
1717         decisions B3 had made around the patchpoint: what registers got used, what the control flow
1718         looks like, etc. Patchpoints can even be cloned by B3, and the client has to accommodate this
1719         in their patchpoint generator. It turns out that using Patchpoints as terminals is quite
1720         natural. We accomplish this by moving the successor edges out of ControlValue and into
1721         BasicBlock, and removing ControlValue entirely. This way, any Value subclass can be a
1722         terminal. It was already true that a Value is a terminal if value->effects().terminal, which
1723         works great with Patchpoints since they control their effects via PatchpointValue::effects.
1724         You can make your Patchpoint into a terminal by placing it at the end of a block and doing:
1725         
1726         patchpoint->effects.terminal = true;
1727         
1728         A Patchpoint in terminal position gets access to additional API in StackmapGenerationParams.
1729         The generator can get a Box<Label> for each successor to its owning block. For example, to
1730         implement a jump-table-based switch, you would make your patchpoint take the table index as
1731         its sole input. Inside the generator, you allocate the jump table and emit a BaseIndex jump
1732         that uses the jump table pointer (which will be a constant known to the generator since it
1733         just allocated it) as the base and the patchpoint input as an index. The jump table can be
1734         populated by MacroAssemblerCodePtr's computed by installing a link task to resolve the labels
1735         to concrete locations. This change makes LowerMacros do such a lowering for Switches that can
1736         benefit from jump tables. This happens recursively: if the original Switch is too sparse, we
1737         will divide-and-conquer as before. If at any recursion step we find that the remaining cases
1738         are dense and large enough to profit from a jump table, then those cases will be lowered to a
1739         Patchpoint that does the table jump. This is a fun way to do stepwise lowering: LowerMacros
1740         is essentially pre-lowering the Switch directly to machine code, and wrapping that machine
1741         code in a Patchpoint so that the rest of the compiler doesn't have to know anything about
1742         what happened. I suspect that in the future we will want to do other pre-lowerings this way,
1743         whenever the B3 IR phases have some special knowledge about what machine code should be
1744         emitted and it would be annoying to drag that knowledge through the rest of the compiler.
1745         
1746         One downside of this change is that we used ControlValue in so many places. Most of this
1747         patch involves removing references to ControlValue. It would be less than 100kb if it wasn't
1748         for that. To make this a bit easier, I added "appendNewControlValue" methods to BasicBlock,
1749         which allocate a Value and set the successors as if you had done "appendNew<ControlValue>".
1750         This made for an easy search-and-replace in testb3 and FTLOutput. I filed bug 159440 to
1751         remove this ugly stopgap method.
1752         
1753         I think that we will also end up using this facility to extend our use of snippets. We
1754         already use shared snippet generators for the generic forms of arithmetic. We will probably
1755         also want to do this for generic forms of branches. This wouldn't have been possible prior to
1756         this change, since there would have been no way to emit a control snippet in FTL. Now we can
1757         emit control snippets using terminal patchpoints.
1758
1759         This is a ~30% speed-up on microbenchmarks that have big switch statements (~60 cases). It's
1760         not a speed-up on mainstream benchmarks.
1761         
1762         This also adds a new test to testb3 for terminal Patchpoints, Get, and Set. The FTL does not
1763         currently use terminal Patchpoints directly, but we want this to be possible. It also doesn't
1764         use Get/Set directly even though we want this to be possible. It's important to test these
1765         since opcodes that result from lowering don't affect early phases, so we could have
1766         regressions in early phases related to these opcodes that wouldn't be caught by any JS test.
1767         So, this adds a very basic threaded interpreter to testb3 for a Brainfuck-style language, and
1768         tests it by having it run a program that prints the numbers 1..100 in a loop. Unlike a real
1769         threaded interpreter, it uses a common dispatch block rather than having dispatch at the
1770         terminus of each opcode. That's necessary because PolyJump is not cloneable. The state of the
1771         interpreter is represented using Variables that we Get and Set, so it tests Get/Set as well.
1772
1773         * CMakeLists.txt:
1774         * JavaScriptCore.xcodeproj/project.pbxproj:
1775         * assembler/MacroAssemblerARM64.h:
1776         (JSC::MacroAssemblerARM64::jump):
1777         * assembler/MacroAssemblerX86Common.h:
1778         (JSC::MacroAssemblerX86Common::jump):
1779         * assembler/X86Assembler.h:
1780         (JSC::X86Assembler::jmp_m):
1781         * b3/B3BasicBlock.cpp:
1782         (JSC::B3::BasicBlock::append):
1783         (JSC::B3::BasicBlock::appendNonTerminal):
1784         (JSC::B3::BasicBlock::removeLast):
1785         (JSC::B3::BasicBlock::appendIntConstant):
1786         (JSC::B3::BasicBlock::clearSuccessors):
1787         (JSC::B3::BasicBlock::appendSuccessor):
1788         (JSC::B3::BasicBlock::setSuccessors):
1789         (JSC::B3::BasicBlock::replaceSuccessor):
1790         (JSC::B3::BasicBlock::addPredecessor):
1791         (JSC::B3::BasicBlock::deepDump):
1792         (JSC::B3::BasicBlock::appendNewControlValue):
1793         * b3/B3BasicBlock.h:
1794         (JSC::B3::BasicBlock::numSuccessors):
1795         (JSC::B3::BasicBlock::successor):
1796         (JSC::B3::BasicBlock::successors):
1797         (JSC::B3::BasicBlock::successorBlock):
1798         (JSC::B3::BasicBlock::successorBlocks):
1799         (JSC::B3::BasicBlock::numPredecessors):
1800         (JSC::B3::BasicBlock::predecessor):
1801         (JSC::B3::BasicBlock::frequency):
1802         * b3/B3BasicBlockInlines.h:
1803         (JSC::B3::BasicBlock::replaceLastWithNew):
1804         (JSC::B3::BasicBlock::taken):
1805         (JSC::B3::BasicBlock::notTaken):
1806         (JSC::B3::BasicBlock::fallThrough):
1807         (JSC::B3::BasicBlock::numSuccessors): Deleted.
1808         (JSC::B3::BasicBlock::successor): Deleted.
1809         (JSC::B3::BasicBlock::successors): Deleted.
1810         (JSC::B3::BasicBlock::successorBlock): Deleted.
1811         (JSC::B3::BasicBlock::successorBlocks): Deleted.
1812         * b3/B3BlockInsertionSet.cpp:
1813         (JSC::B3::BlockInsertionSet::splitForward):
1814         * b3/B3BreakCriticalEdges.cpp:
1815         (JSC::B3::breakCriticalEdges):
1816         * b3/B3CaseCollection.cpp: Added.
1817         (JSC::B3::CaseCollection::dump):
1818         * b3/B3CaseCollection.h: Added.
1819         (JSC::B3::CaseCollection::CaseCollection):
1820         (JSC::B3::CaseCollection::operator[]):
1821         (JSC::B3::CaseCollection::iterator::iterator):
1822         (JSC::B3::CaseCollection::iterator::operator*):
1823         (JSC::B3::CaseCollection::iterator::operator++):
1824         (JSC::B3::CaseCollection::iterator::operator==):
1825         (JSC::B3::CaseCollection::iterator::operator!=):
1826         (JSC::B3::CaseCollection::begin):
1827         (JSC::B3::CaseCollection::end):
1828         * b3/B3CaseCollectionInlines.h: Added.
1829         (JSC::B3::CaseCollection::fallThrough):
1830         (JSC::B3::CaseCollection::size):
1831         (JSC::B3::CaseCollection::at):
1832         * b3/B3CheckSpecial.cpp:
1833         (JSC::B3::CheckSpecial::CheckSpecial):
1834         (JSC::B3::CheckSpecial::hiddenBranch):
1835         * b3/B3Common.h:
1836         (JSC::B3::is64Bit):
1837         * b3/B3ControlValue.cpp: Removed.
1838         * b3/B3ControlValue.h: Removed.
1839         * b3/B3DataSection.cpp:
1840         (JSC::B3::DataSection::DataSection):
1841         * b3/B3DuplicateTails.cpp:
1842         * b3/B3FixSSA.cpp:
1843         * b3/B3FoldPathConstants.cpp:
1844         * b3/B3LowerMacros.cpp:
1845         * b3/B3LowerToAir.cpp:
1846         (JSC::B3::Air::LowerToAir::run):
1847         (JSC::B3::Air::LowerToAir::lower):
1848         * b3/B3MathExtras.cpp:
1849         (JSC::B3::powDoubleInt32):
1850         * b3/B3Opcode.h:
1851         (JSC::B3::isConstant):
1852         (JSC::B3::isDefinitelyTerminal):
1853         * b3/B3PatchpointSpecial.cpp:
1854         (JSC::B3::PatchpointSpecial::generate):
1855         (JSC::B3::PatchpointSpecial::isTerminal):
1856         (JSC::B3::PatchpointSpecial::dumpImpl):
1857         * b3/B3PatchpointSpecial.h:
1858         * b3/B3Procedure.cpp:
1859         (JSC::B3::Procedure::resetReachability):
1860         * b3/B3Procedure.h:
1861         (JSC::B3::Procedure::lastPhaseName):
1862         (JSC::B3::Procedure::byproducts):
1863         * b3/B3ReduceStrength.cpp:
1864         * b3/B3StackmapGenerationParams.cpp:
1865         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
1866         (JSC::B3::StackmapGenerationParams::successorLabels):
1867         (JSC::B3::StackmapGenerationParams::fallsThroughToSuccessor):
1868         (JSC::B3::StackmapGenerationParams::proc):
1869         * b3/B3StackmapGenerationParams.h:
1870         (JSC::B3::StackmapGenerationParams::gpScratch):
1871         (JSC::B3::StackmapGenerationParams::fpScratch):
1872         * b3/B3SwitchValue.cpp:
1873         (JSC::B3::SwitchValue::~SwitchValue):
1874         (JSC::B3::SwitchValue::removeCase):
1875         (JSC::B3::SwitchValue::hasFallThrough):
1876         (JSC::B3::SwitchValue::setFallThrough):
1877         (JSC::B3::SwitchValue::appendCase):
1878         (JSC::B3::SwitchValue::dumpSuccessors):
1879         (JSC::B3::SwitchValue::dumpMeta):
1880         (JSC::B3::SwitchValue::cloneImpl):
1881         (JSC::B3::SwitchValue::SwitchValue):
1882         * b3/B3SwitchValue.h:
1883         (JSC::B3::SwitchValue::accepts):
1884         (JSC::B3::SwitchValue::caseValues):
1885         (JSC::B3::SwitchValue::cases):
1886         (JSC::B3::SwitchValue::fallThrough): Deleted.
1887         (JSC::B3::SwitchValue::size): Deleted.
1888         (JSC::B3::SwitchValue::at): Deleted.
1889         (JSC::B3::SwitchValue::operator[]): Deleted.
1890         (JSC::B3::SwitchValue::iterator::iterator): Deleted.
1891         (JSC::B3::SwitchValue::iterator::operator*): Deleted.
1892         (JSC::B3::SwitchValue::iterator::operator++): Deleted.
1893         (JSC::B3::SwitchValue::iterator::operator==): Deleted.
1894         (JSC::B3::SwitchValue::iterator::operator!=): Deleted.
1895         (JSC::B3::SwitchValue::begin): Deleted.
1896         (JSC::B3::SwitchValue::end): Deleted.
1897         * b3/B3Validate.cpp:
1898         * b3/B3Value.cpp:
1899         (JSC::B3::Value::replaceWithPhi):
1900         (JSC::B3::Value::replaceWithJump):
1901         (JSC::B3::Value::replaceWithOops):
1902         (JSC::B3::Value::dump):
1903         (JSC::B3::Value::deepDump):
1904         (JSC::B3::Value::dumpSuccessors):
1905         (JSC::B3::Value::negConstant):
1906         (JSC::B3::Value::typeFor):
1907         * b3/B3Value.h:
1908         * b3/air/AirCode.cpp:
1909         (JSC::B3::Air::Code::addFastTmp):
1910         (JSC::B3::Air::Code::addDataSection):
1911         (JSC::B3::Air::Code::jsHash):
1912         * b3/air/AirCode.h:
1913         (JSC::B3::Air::Code::isFastTmp):
1914         (JSC::B3::Air::Code::setLastPhaseName):
1915         * b3/air/AirCustom.h:
1916         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
1917         (JSC::B3::Air::PatchCustom::isTerminal):
1918         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
1919         (JSC::B3::Air::PatchCustom::generate):
1920         (JSC::B3::Air::CCallCustom::admitsStack):
1921         (JSC::B3::Air::CCallCustom::isTerminal):
1922         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1923         (JSC::B3::Air::ShuffleCustom::admitsStack):
1924         (JSC::B3::Air::ShuffleCustom::isTerminal):
1925         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1926         * b3/air/AirGenerate.cpp:
1927         (JSC::B3::Air::generate):
1928         * b3/air/AirGenerationContext.h:
1929         * b3/air/AirInst.h:
1930         (JSC::B3::Air::Inst::hasNonControlEffects):
1931         * b3/air/AirSimplifyCFG.cpp:
1932         (JSC::B3::Air::simplifyCFG):
1933         * b3/air/AirSpecial.cpp:
1934         (JSC::B3::Air::Special::shouldTryAliasingDef):
1935         (JSC::B3::Air::Special::isTerminal):
1936         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
1937         * b3/air/AirSpecial.h:
1938         * b3/air/AirValidate.cpp:
1939         * b3/air/opcode_generator.rb:
1940         * b3/testb3.cpp:
1941         * ftl/FTLLowerDFGToB3.cpp:
1942         * ftl/FTLOutput.cpp:
1943         (JSC::FTL::Output::jump):
1944         (JSC::FTL::Output::branch):
1945         (JSC::FTL::Output::ret):
1946         (JSC::FTL::Output::unreachable):
1947         (JSC::FTL::Output::speculate):
1948         (JSC::FTL::Output::trap):
1949         (JSC::FTL::Output::anchor):
1950         (JSC::FTL::Output::decrementSuperSamplerCount):
1951         (JSC::FTL::Output::addIncomingToPhi):
1952         * ftl/FTLOutput.h:
1953         (JSC::FTL::Output::constIntPtr):
1954         (JSC::FTL::Output::callWithoutSideEffects):
1955         (JSC::FTL::Output::switchInstruction):
1956         (JSC::FTL::Output::phi):
1957         (JSC::FTL::Output::addIncomingToPhi):
1958
1959 2016-07-18  Anders Carlsson  <andersca@apple.com>
1960
1961         WebKit nightly fails to build on macOS Sierra
1962         https://bugs.webkit.org/show_bug.cgi?id=159902
1963         rdar://problem/27365672
1964
1965         Reviewed by Tim Horton.
1966
1967         * icu/unicode/ucurr.h: Added.
1968         Add ucurr.h from ICU.
1969
1970 2016-07-18  Michael Saboff  <msaboff@apple.com>
1971
1972         ASSERTION FAILED: : (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) -- WTF/wtf/DateMath.cpp
1973         https://bugs.webkit.org/show_bug.cgi?id=159883
1974
1975         Reviewed by Filip Pizlo.
1976
1977         New test.
1978
1979         * tests/stress/regress-159883.js: Added.
1980
1981 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
1982
1983         MarkedBlocks should know that they can be used for more than JSCells
1984         https://bugs.webkit.org/show_bug.cgi?id=159643
1985
1986         Reviewed by Geoffrey Garen.
1987         
1988         This teaches the Heap that a MarkedBlock may hold either JSCells, or Auxiliary, which is
1989         not a JSCell. It teaches the heap and all of the things that walk the heap to ignore
1990         non-JSCells whenever they are looking for global objects, JSObjects, and things to trace
1991         for debugging or profiling. The idea is that we will be able to allocate butterflies and
1992         typed array backing stores as Auxiliary in MarkedSpace rather than allocating those things
1993         in CopiedSpace. That's what bug 159658 is all about.
1994         
1995         This gives us a new type, called HeapCell, which is just meant to be a class distinct from
1996         JSCell or any type we would use for Auxiliary. For convenience, JSCell is a subclass of
1997         HeapCell. HeapCell has an enum called HeapCell::Kind, which is either HeapCell::JSCell or
1998         HeapCell::Auxiliary. MarkedSpace no longer speaks of JSCells directly except when dealing
1999         with destruction.
2000         
2001         This change required doing a lot of stuff to all of those functor callbacks, since they
2002         now take HeapCell* instead of JSCell* and they take an extra HeapCell::Kind argument to
2003         tell them if they are dealing with JSCells or Auxiliary. I figured that this would be as
2004         good a time as any to convert those functors to being lambda-compatible. This means that
2005         operator() must be const. In some cases, converting the operator() to be const would have
2006         taken more work than just turning the whole thing into a lambda. Whenever this was the
2007         case, I converted the code to use lambdas. I left a lot of functors alone. In cases where
2008         the functor would benefit from being a lambda, for example because it would get rid of
2009         const_casts or mutables, I put in a FIXME referencing bug 159644.
2010
2011         * CMakeLists.txt:
2012         * JavaScriptCore.xcodeproj/project.pbxproj:
2013         * debugger/Debugger.cpp:
2014         (JSC::Debugger::SetSteppingModeFunctor::SetSteppingModeFunctor):
2015         (JSC::Debugger::SetSteppingModeFunctor::operator()):
2016         (JSC::Debugger::ToggleBreakpointFunctor::ToggleBreakpointFunctor):
2017         (JSC::Debugger::ToggleBreakpointFunctor::operator()):
2018         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::ClearCodeBlockDebuggerRequestsFunctor):
2019         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator()):
2020         (JSC::Debugger::ClearDebuggerRequestsFunctor::ClearDebuggerRequestsFunctor):
2021         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator()):
2022         * heap/CodeBlockSet.h:
2023         (JSC::CodeBlockSet::iterate):
2024         * heap/HandleSet.h:
2025         (JSC::HandleNode::next):
2026         (JSC::HandleSet::forEachStrongHandle):
2027         * heap/Heap.cpp:
2028         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
2029         (JSC::GatherHeapSnapshotData::operator()):
2030         (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
2031         (JSC::RemoveDeadHeapSnapshotNodes::operator()):
2032         (JSC::Heap::protectedGlobalObjectCount):
2033         (JSC::Heap::globalObjectCount):
2034         (JSC::Heap::protectedObjectCount):
2035         (JSC::Heap::protectedObjectTypeCounts):
2036         (JSC::Heap::objectTypeCounts):
2037         (JSC::Heap::deleteAllCodeBlocks):
2038         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
2039         (JSC::MarkedBlockSnapshotFunctor::operator()):
2040         (JSC::Zombify::visit):
2041         (JSC::Zombify::operator()):
2042         (JSC::Heap::zombifyDeadObjects):
2043         (JSC::Heap::flushWriteBarrierBuffer):
2044         * heap/Heap.h:
2045         (JSC::Heap::handleSet):
2046         (JSC::Heap::handleStack):
2047         * heap/HeapCell.cpp: Added.
2048         (WTF::printInternal):
2049         * heap/HeapCell.h: Added.
2050         (JSC::HeapCell::HeapCell):
2051         (JSC::HeapCell::zap):
2052         (JSC::HeapCell::isZapped):
2053         * heap/HeapInlines.h:
2054         (JSC::Heap::deprecatedReportExtraMemory):
2055         (JSC::Heap::forEachCodeBlock):
2056         (JSC::Heap::forEachProtectedCell):
2057         (JSC::Heap::allocateWithDestructor):
2058         * heap/HeapStatistics.cpp:
2059         (JSC::StorageStatistics::visit):
2060         (JSC::StorageStatistics::operator()):
2061         * heap/HeapVerifier.cpp:
2062         (JSC::GatherLiveObjFunctor::visit):
2063         (JSC::GatherLiveObjFunctor::operator()):
2064         * heap/MarkedAllocator.cpp:
2065         (JSC::MarkedAllocator::allocateBlock):
2066         (JSC::MarkedAllocator::addBlock):
2067         (JSC::MarkedAllocator::reset):
2068         (JSC::MarkedAllocator::lastChanceToFinalize):
2069         (JSC::LastChanceToFinalize::operator()): Deleted.
2070         * heap/MarkedAllocator.h:
2071         (JSC::MarkedAllocator::takeLastActiveBlock):
2072         (JSC::MarkedAllocator::resumeAllocating):
2073         (JSC::MarkedAllocator::forEachBlock):
2074         * heap/MarkedBlock.cpp:
2075         (JSC::MarkedBlock::create):
2076         (JSC::MarkedBlock::destroy):
2077         (JSC::MarkedBlock::MarkedBlock):
2078         (JSC::MarkedBlock::callDestructor):
2079         (JSC::MarkedBlock::specializedSweep):
2080         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
2081         (JSC::SetNewlyAllocatedFunctor::operator()):
2082         (JSC::MarkedBlock::stopAllocating):
2083         (JSC::MarkedBlock::didRetireBlock):
2084         * heap/MarkedBlock.h:
2085         (JSC::MarkedBlock::CountFunctor::CountFunctor):
2086         (JSC::MarkedBlock::CountFunctor::count):
2087         (JSC::MarkedBlock::CountFunctor::returnValue):
2088         (JSC::MarkedBlock::needsDestruction):
2089         (JSC::MarkedBlock::cellKind):
2090         (JSC::MarkedBlock::size):
2091         (JSC::MarkedBlock::clearNewlyAllocated):
2092         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
2093         (JSC::MarkedBlock::isLive):
2094         (JSC::MarkedBlock::isLiveCell):
2095         (JSC::MarkedBlock::forEachCell):
2096         (JSC::MarkedBlock::forEachLiveCell):
2097         (JSC::MarkedBlock::forEachDeadCell):
2098         * heap/MarkedSpace.cpp:
2099         (JSC::MarkedSpace::MarkedSpace):
2100         (JSC::MarkedSpace::~MarkedSpace):
2101         (JSC::MarkedSpace::lastChanceToFinalize):
2102         (JSC::MarkedSpace::sweep):
2103         (JSC::MarkedSpace::zombifySweep):
2104         (JSC::MarkedSpace::resetAllocators):
2105         (JSC::MarkedSpace::visitWeakSets):
2106         (JSC::MarkedSpace::reapWeakSets):
2107         (JSC::MarkedSpace::forEachAllocator):
2108         (JSC::MarkedSpace::stopAllocating):
2109         (JSC::MarkedSpace::resumeAllocating):
2110         (JSC::MarkedSpace::isPagedOut):
2111         (JSC::MarkedSpace::shrink):
2112         (JSC::clearNewlyAllocatedInBlock):
2113         (JSC::MarkedSpace::clearNewlyAllocated):
2114         (JSC::MarkedSpace::clearMarks):
2115         (JSC::Free::Free): Deleted.
2116         (JSC::Free::operator()): Deleted.
2117         (JSC::FreeOrShrink::FreeOrShrink): Deleted.
2118         (JSC::FreeOrShrink::operator()): Deleted.
2119         (JSC::VisitWeakSet::VisitWeakSet): Deleted.
2120         (JSC::VisitWeakSet::operator()): Deleted.
2121         (JSC::ReapWeakSet::operator()): Deleted.
2122         (JSC::LastChanceToFinalize::operator()): Deleted.
2123         (JSC::StopAllocatingFunctor::operator()): Deleted.
2124         (JSC::ResumeAllocatingFunctor::operator()): Deleted.
2125         (JSC::ClearNewlyAllocated::operator()): Deleted.
2126         (JSC::VerifyNewlyAllocated::operator()): Deleted.
2127         * heap/MarkedSpace.h:
2128         (JSC::MarkedSpace::forEachLiveCell):
2129         (JSC::MarkedSpace::forEachDeadCell):
2130         (JSC::MarkedSpace::allocatorFor):
2131         (JSC::MarkedSpace::allocateWithDestructor):
2132         (JSC::MarkedSpace::forEachBlock):
2133         (JSC::MarkedSpace::didAddBlock):
2134         (JSC::MarkedSpace::objectCount):
2135         (JSC::MarkedSpace::size):
2136         (JSC::MarkedSpace::capacity):
2137         (JSC::ClearMarks::operator()): Deleted.
2138         (JSC::Sweep::operator()): Deleted.
2139         (JSC::ZombifySweep::operator()): Deleted.
2140         (JSC::MarkCount::operator()): Deleted.
2141         (JSC::Size::operator()): Deleted.
2142         * runtime/JSCell.h:
2143         (JSC::JSCell::zap): Deleted.
2144         (JSC::JSCell::isZapped): Deleted.
2145         * runtime/JSCellInlines.h:
2146         (JSC::allocateCell):
2147         (JSC::JSCell::isObject):
2148         (JSC::isZapped): Deleted.
2149         * runtime/JSGlobalObject.cpp:
2150         * tools/JSDollarVMPrototype.cpp:
2151         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
2152         (JSC::CellAddressCheckFunctor::operator()):
2153
2154 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
2155
2156         Repeatedly creating and destroying workers that enqueue DFG plans can outpace the DFG worklist, which then causes VM shutdown to stall, which then causes memory growth
2157         https://bugs.webkit.org/show_bug.cgi?id=159754
2158
2159         Reviewed by Geoffrey Garen.
2160         
2161         If you create and destroy workers at a high rate and those workers enqueue some DFG plans
2162         that are still not compiled at the time that the worker is closed, then the closed workers
2163         end up stalling in VM::~VM waiting for the DFG worklist thread to finish those plans. Since
2164         we don't actually cancel the plans, it's easy to create a situation where the workers
2165         outpace the DFG worklist, especially if you create many workers at a time and each one
2166         finishes just after enqueueing those plans.
2167         
2168         The solution is to allow VM::~VM to remove plans from the DFG worklist that are related to
2169         that VM but aren't currently being worked on. That turns out to be an easy change.
2170         
2171         I have a test that repros this, but it's quite long-running. I call it workers/bomb.html. We
2172         may want to exclude it from test runs because of how long it takes.
2173
2174         * dfg/DFGWorklist.cpp:
2175         (JSC::DFG::Worklist::removeDeadPlans):
2176         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
2177         (JSC::DFG::Worklist::queueLength):
2178         (JSC::DFG::Worklist::runThread):
2179         * dfg/DFGWorklist.h:
2180         * runtime/VM.cpp:
2181         (JSC::VM::~VM):
2182
2183 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
2184
2185         Object.preventExtensions/seal/freeze makes code much slower
2186         https://bugs.webkit.org/show_bug.cgi?id=143247
2187
2188         Reviewed by Michael Saboff.
2189         
2190         This has been a huge pet peeve of mine for a long time, but I was always afraid of fixing
2191         it because I thought that it would be hard. Well, it looks like it's not hard at all.
2192         
2193         The problem is that you cannot mutate a structure that participates in transition caching.
2194         You can only clone the structure and mutate that one. But if you do this, you have to make
2195         a hard choice:
2196         
2197         1) Clone the structure without caching the transition. This is what the code did before
2198            this change. It's the most obvious choice, but it introduces an uncacheable transition
2199            that leads to an explosion of structures, which then breaks all inline caches.
2200         
2201         2) Perform one of the existing cacheable transitions. Cacheable transitions can either add
2202            properties or they can do one of the NonPropertyTransitions, which until now have been
2203            restricted to just IndexingType transitions. So, only adding transitions or making
2204            certain prescribed changes to the indexing type count as cacheable transitions.
2205         
2206         This change decouples NonPropertyTransition from IndexingType and adds three new kinds of
2207         transitions: PreventExtensions, Seal, and Freeze. We have to give any cacheable transition
2208         a name that fully disambiguates this transition from any other, so that the transition can
2209         be cached. Since we're already giving them names in an enum, I figured that the most
2210         pragmatic way to implement them is to have Structure::nonPropertyTransition() case on the
2211         NonPropertyTransition and implement all of the mutations associated with that transition.
2212         The alternative would have been to allow callers of nonPropertyTransition() to supply
2213         something like a lambda that describes the mutation, but this seemed awkward since each
2214         set of mutations has to anyway be tied to one of the NonPropertyTransition members.
2215         
2216         This is an enormous speed-up on microbenchmarks that use Object.preventExtensions(),
2217         Object.seal(), or Object.freeze(). I don't know if "real" benchmarks use these features
2218         and I don't really care. This should be fast.
2219
2220         * runtime/JSObject.cpp:
2221         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2222         (JSC::JSObject::createInitialUndecided):
2223         (JSC::JSObject::createInitialInt32):
2224         (JSC::JSObject::createInitialDouble):
2225         (JSC::JSObject::createInitialContiguous):
2226         (JSC::JSObject::convertUndecidedToInt32):
2227         (JSC::JSObject::convertUndecidedToDouble):
2228         (JSC::JSObject::convertUndecidedToContiguous):
2229         (JSC::JSObject::convertInt32ToDouble):
2230         (JSC::JSObject::convertInt32ToContiguous):
2231         (JSC::JSObject::convertDoubleToContiguous):
2232         (JSC::JSObject::switchToSlowPutArrayStorage):
2233         * runtime/Structure.cpp:
2234         (JSC::Structure::suggestedArrayStorageTransition):
2235         (JSC::Structure::addPropertyTransition):
2236         (JSC::Structure::toUncacheableDictionaryTransition):
2237         (JSC::Structure::sealTransition):
2238         (JSC::Structure::freezeTransition):
2239         (JSC::Structure::preventExtensionsTransition):
2240         (JSC::Structure::takePropertyTableOrCloneIfPinned):
2241         (JSC::Structure::nonPropertyTransition):
2242         (JSC::Structure::pin):
2243         (JSC::Structure::pinForCaching):
2244         (JSC::Structure::allocateRareData):
2245         * runtime/Structure.h:
2246         * runtime/StructureTransitionTable.h:
2247         (JSC::toAttributes):
2248         (JSC::changesIndexingType):
2249         (JSC::newIndexingType):
2250         (JSC::preventsExtensions):
2251         (JSC::setsDontDeleteOnAllProperties):
2252         (JSC::setsReadOnlyOnAllProperties):
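
        The following is an added example, not JavaScriptCore code, illustrating the observable
        semantics that the three new cacheable transitions (PreventExtensions, Seal, Freeze) must
        preserve: each one strictly extends the previous, and the attribute changes correspond to
        the preventsExtensions / setsDontDeleteOnAllProperties / setsReadOnlyOnAllProperties
        predicates listed above. The function names probe, transitionTable, frozenArrayPushThrows
        and freezeThenSealIsStillFrozen are the example's own, not names from the engine.

```javascript
// Added example, not JavaScriptCore code: the observable property-attribute
// changes behind the three cacheable transitions (PreventExtensions, Seal,
// Freeze). Each one strictly extends the previous:
//   preventExtensions: no new properties (extensible = false)
//   seal:              ... and every property becomes DontDelete (configurable = false)
//   freeze:            ... and every data property becomes ReadOnly (writable = false)
// Reflect.* is used instead of plain assignment/delete so each probe reports
// success or failure as a boolean rather than throwing under strict mode.

function probe(transition) {
  const o = { x: 1 };
  transition(o);
  const x = Object.getOwnPropertyDescriptor(o, "x");
  return {
    extensible: Object.isExtensible(o),
    sealed: Object.isSealed(o),
    frozen: Object.isFrozen(o),
    configurable: x.configurable,
    writable: x.writable,
    // Mutation probes, ordered so an earlier one cannot mask a later one
    // (deleting x before writing it would make the write look like an add).
    canWrite: Reflect.set(o, "x", 2),
    canDelete: Reflect.deleteProperty(o, "x"),
    canAdd: Reflect.set(o, "z", 3),
  };
}

// One row per transition, plus an untouched object for comparison.
function transitionTable() {
  return {
    plain: probe(() => {}),
    preventExtensions: probe(Object.preventExtensions),
    seal: probe(Object.seal),
    freeze: probe(Object.freeze),
  };
}

// Edge case worth knowing: built-ins that write with a throwing Set, such as
// Array.prototype.push, raise TypeError on a frozen array even in sloppy mode,
// whereas a plain assignment there silently does nothing.
function frozenArrayPushThrows() {
  const a = Object.freeze([1, 2, 3]);
  try {
    a.push(4);
    return false;
  } catch (e) {
    return e instanceof TypeError && a.length === 3;
  }
}

// The transitions are monotone: re-applying a weaker one to an already
// frozen object changes nothing, which is what lets each be a single
// named transition from a given source structure.
function freezeThenSealIsStillFrozen() {
  const o = Object.freeze({ x: 1 });
  Object.seal(o);
  Object.preventExtensions(o);
  return Object.isFrozen(o);
}
```

        Reading the table row by row shows the nesting: preventExtensions only flips canAdd,
        seal additionally flips configurable/canDelete, and freeze additionally flips
        writable/canWrite.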
2253
2254 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
2255
2256         RegisterSet should use a Bitmap instead of a BitVector so that it never allocates memory and is trivial to copy
2257         https://bugs.webkit.org/show_bug.cgi?id=159863
2258
2259         Reviewed by Saam Barati.
2260         
2261         Switch RegisterSet set to Bitmap because Bitmap doesn't ever allocate memory and can be
2262         assigned by memcpy. This should be a performance improvement for compiler code that does a
2263         lot of things with RegisterSet. For example, it's one of the fundamental data structures in
2264         Air. The previous use of BitVector meant that almost every operation on RegisterSet would
2265         have a slow path call. On ARM64, it would mean memory allocation for any RegisterSet that
2266         used all available registers.
2267         
2268         This meant adding even more GPR/FPR reflection to the MacroAssembler API: we now have consts
2269         called numGPRs and numFPRs. This is necessary to statically size the Bitmap in RegisterSet.
2270         
2271         Here's the breakdown of sizes of RegisterSet on different CPUs:
2272         
2273         x86-32: 8 bits (GPRs) + 8 bits (FPRs) + 1 bit (is deleted) = 1x uint32_t.
2274         x86-64: 16 bits + 16 bits + 1 bit = 2x uint32_t.
2275         ARMv7: 16 bits + 16 bits + 1 bit = 2x uint32_t.
2276         ARM64: 32 bits + 32 bits + 1 bit = 3x uint32_t.
2277
2278         * assembler/MacroAssemblerARM.h:
2279         * assembler/MacroAssemblerARM64.h:
2280         * assembler/MacroAssemblerARMv7.h:
2281         * assembler/MacroAssemblerX86.h:
2282         * assembler/MacroAssemblerX86Common.h:
2283         (JSC::MacroAssemblerX86Common::scratchRegister):
2284         * assembler/MacroAssemblerX86_64.h:
2285         * jit/RegisterSet.h:
2286         (JSC::RegisterSet::set):
2287         (JSC::RegisterSet::get):
2288         (JSC::RegisterSet::setAll):
2289         (JSC::RegisterSet::merge):
2290         (JSC::RegisterSet::filter):
2291         (JSC::RegisterSet::exclude):
2292         (JSC::RegisterSet::numberOfSetRegisters):
2293         (JSC::RegisterSet::RegisterSet):
2294         (JSC::RegisterSet::isEmptyValue):
2295         (JSC::RegisterSet::isDeletedValue):
2296         (JSC::RegisterSet::operator==):
2297         (JSC::RegisterSet::operator!=):
2298         (JSC::RegisterSet::hash):
2299         (JSC::RegisterSet::forEach):
2300         (JSC::RegisterSet::setMany):
2301
2302 2016-07-15  Filip Pizlo  <fpizlo@apple.com>
2303
2304         DFG and FTL should support op_call_eval
2305         https://bugs.webkit.org/show_bug.cgi?id=159786
2306
2307         Reviewed by Saam Barati.
2308         
2309         This adds support for op_call_eval in DFG and FTL by brute force:
2310         
2311         - There is now a CallEval() node type, which compiles exactly the same way that we do in
2312           baseline.
2313         
2314         - We teach the DFG and bytecode liveness that the scope register and 'this' are read by
2315           CallEval()/op_call_eval.
2316         
2317         We can compile eval quite well, except that right now we cannot inline functions that use
2318         eval. It would be nice to do that, but the payoff is probably smaller. "Don't inline users
2319         of eval" may even be an OK inlining heuristic. Not inlining users of eval allows me to
2320         reuse the baseline implementation, which is really great. Otherwise, I'd have to get rid
2321         of things like the rogue reads of scope register and 'this'.
2322         
2323         The goal here is to produce speed-ups for code that has functions that do both eval and
2324         some computational stuff. Obviously, we're not producing any benefit for the eval itself.
2325         But now the other stuff in a function that uses eval will get to participate in
2326         optimization.
2327         
2328         This is a huge speed-up on microbenchmarks.
2329
2330         * bytecode/BytecodeUseDef.h:
2331         (JSC::computeUsesForBytecodeOffset):
2332         * bytecode/CodeBlock.cpp:
2333         (JSC::CodeBlock::printCallOp):
2334         (JSC::CodeBlock::dumpBytecode):
2335         * dfg/DFGAbstractInterpreterInlines.h:
2336         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2337         * dfg/DFGByteCodeParser.cpp:
2338         (JSC::DFG::ByteCodeParser::setLocal):
2339         (JSC::DFG::ByteCodeParser::setArgument):
2340         (JSC::DFG::ByteCodeParser::flush):
2341         (JSC::DFG::ByteCodeParser::parseBlock):
2342         * dfg/DFGCapabilities.cpp:
2343         (JSC::DFG::capabilityLevel):
2344         * dfg/DFGClobberize.h:
2345         (JSC::DFG::clobberize):
2346         * dfg/DFGDoesGC.cpp:
2347         (JSC::DFG::doesGC):
2348         * dfg/DFGFixupPhase.cpp:
2349         (JSC::DFG::FixupPhase::fixupNode):
2350         * dfg/DFGGraph.h:
2351         (JSC::DFG::Graph::needsScopeRegister):
2352         (JSC::DFG::Graph::needsFlushedThis):
2353         * dfg/DFGHeapLocation.cpp:
2354         (WTF::printInternal):
2355         * dfg/DFGHeapLocation.h:
2356         * dfg/DFGMayExit.cpp:
2357         * dfg/DFGNode.h:
2358         (JSC::DFG::Node::hasHeapPrediction):
2359         * dfg/DFGNodeType.h:
2360         * dfg/DFGOSRExitCompiler.cpp:
2361         * dfg/DFGPredictionPropagationPhase.cpp:
2362         * dfg/DFGSafeToExecute.h:
2363         (JSC::DFG::safeToExecute):
2364         * dfg/DFGSpeculativeJIT32_64.cpp:
2365         (JSC::DFG::SpeculativeJIT::emitCall):
2366         (JSC::DFG::SpeculativeJIT::compile):
2367         * dfg/DFGSpeculativeJIT64.cpp:
2368         (JSC::DFG::SpeculativeJIT::emitCall):
2369         (JSC::DFG::SpeculativeJIT::compile):
2370         * dfg/DFGStackLayoutPhase.cpp:
2371         (JSC::DFG::StackLayoutPhase::run):
2372         * dfg/DFGWatchpointCollectionPhase.cpp:
2373         (JSC::DFG::WatchpointCollectionPhase::handle):
2374         * ftl/FTLCapabilities.cpp:
2375         (JSC::FTL::canCompile):
2376         * ftl/FTLCompile.cpp:
2377         (JSC::FTL::compile):
2378         * ftl/FTLLowerDFGToB3.cpp:
2379         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2380         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2381         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2382         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
2383         * jit/AssemblyHelpers.cpp:
2384         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2385         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2386         * jit/AssemblyHelpers.h:
2387         (JSC::AssemblyHelpers::emitTypeOf):
2388         * jit/JITCall.cpp:
2389         (JSC::JIT::compileCallEvalSlowCase):
2390         * jit/JITCall32_64.cpp:
2391         (JSC::JIT::compileCallEvalSlowCase):
2392         * jit/JITOperations.cpp:
2393         * tests/stress/exit-then-eval.js: Added.
2394         (foo):
2395         * tests/stress/force-exit-then-eval-dfg.js: Added.
2396         (foo):
2397         * tests/stress/force-exit-then-eval.js: Added.
2398         (foo):
2399
2400 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
2401
2402         DFG should really support jneq_ptr
2403         https://bugs.webkit.org/show_bug.cgi?id=159700
2404
2405         Reviewed by Keith Miller.
2406         
2407         Prior to this change, DFG statically speculated that jneq_ptr would always fall through. This
2408         meant that programs that called o.apply() or o.call() where apply or call weren't the
2409         expected ones (i.e. the Function.prototype.apply/call) would rage-recompile forever.
2410         
2411         This adds profiling to jneq_ptr. We now know if it always falls through or sometimes doesn't.
2412         If it sometimes doesn't, we now emit an actual control flow diamond. I decided to add a new
2413         NodeType for "equal pointer", since none of the existing ones really captured that. For
2414         example, there was no way to express "equal pointer" for strings or symbols. We don't use it
2415         for that right now, but we might, and if we did, then it would be hugely surprising that the
2416         DFG interpreted this as value equality. So, the DFG now has CompareEqPtr, which means exactly
2417         what jneq_ptr means by "equal pointer".
2418         
2419         This is an enormous speed-up on microbenchmarks. I would assume that it's a speed-up on some
2420         real things, too, but I don't know that for a fact.
2421
2422         * bytecode/BytecodeList.json:
2423         * bytecode/CodeBlock.cpp:
2424         (JSC::CodeBlock::dumpBytecode):
2425         * bytecompiler/BytecodeGenerator.cpp:
2426         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
2427         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
2428         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
2429         * dfg/DFGAbstractInterpreterInlines.h:
2430         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2431         * dfg/DFGByteCodeParser.cpp:
2432         (JSC::DFG::ByteCodeParser::parseBlock):
2433         * dfg/DFGClobberize.h:
2434         (JSC::DFG::clobberize):
2435         * dfg/DFGDoesGC.cpp:
2436         (JSC::DFG::doesGC):
2437         * dfg/DFGFixupPhase.cpp:
2438         (JSC::DFG::FixupPhase::fixupNode):
2439         * dfg/DFGNode.h:
2440         (JSC::DFG::Node::hasCellOperand):
2441         * dfg/DFGNodeType.h:
2442         * dfg/DFGSafeToExecute.h:
2443         (JSC::DFG::safeToExecute):
2444         * dfg/DFGSpeculativeJIT.cpp:
2445         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
2446         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
2447         * dfg/DFGSpeculativeJIT.h:
2448         * dfg/DFGSpeculativeJIT32_64.cpp:
2449         (JSC::DFG::SpeculativeJIT::compile):
2450         * dfg/DFGSpeculativeJIT64.cpp:
2451         (JSC::DFG::SpeculativeJIT::compile):
2452         * dfg/DFGValidate.cpp:
2453         * ftl/FTLCapabilities.cpp:
2454         (JSC::FTL::canCompile):
2455         * ftl/FTLLowerDFGToB3.cpp:
2456         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2457         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2458         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEqPtr):
2459         (JSC::FTL::DFG::LowerDFGToB3::compileCompareLess):
2460         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEqConstant): Deleted.
2461         * jit/JITOpcodes.cpp:
2462         (JSC::JIT::emit_op_jneq_ptr):
2463         (JSC::JIT::emit_op_eq):
2464         * jit/JITOpcodes32_64.cpp:
2465         (JSC::JIT::emit_op_jneq_ptr):
2466         (JSC::JIT::emit_op_eq):
2467         * llint/LowLevelInterpreter32_64.asm:
2468         * llint/LowLevelInterpreter64.asm:
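
        The following is an added example, not JavaScriptCore code, showing the semantics that the
        jneq_ptr guard (emitted by emitJumpIfNotFunctionCall / emitJumpIfNotFunctionApply) exists
        to protect: a call site of the form f.apply(...) or f.call(...) may only take the guarded
        fast path when the callee's apply/call really is the Function.prototype one, and the same
        site must keep working when it later sees a callee whose own apply/call shadows it. The
        names sum, callViaApply, callViaCall, makeShadowedApply, demo and
        shadowedApplyReceivesArray are the example's own.

```javascript
// Added example, not JavaScriptCore code: one call site exercised with both
// the genuine Function.prototype.apply/call and a shadowing override. The
// engine's pointer-equality check on `apply`/`call` is what decides which
// path is taken; an engine that assumed "always the prototype one" would
// miscompile the second half of demo().

function sum() {
  let total = 0;
  for (let i = 0; i < arguments.length; i++) total += arguments[i];
  return total;
}

// The call sites under test. Each has a single jneq_ptr-style guard in the
// engine; the callee `f` varies between runs.
function callViaApply(f, args) {
  return f.apply(null, args);
}

function callViaCall(f, a, b) {
  return f.call(null, a, b);
}

// A callee whose own properties `apply` and `call` shadow the prototype
// methods. The override must receive the array object untouched (not spread
// into arguments), and `call` must receive the raw positional arguments.
function makeShadowedApply() {
  function g() { return "generic"; }
  g.apply = function (thisArg, args) {
    return "shadow:" + (Array.isArray(args) ? args.length : typeof args);
  };
  g.call = function (thisArg, a, b) {
    return "shadowcall:" + a + "," + b;
  };
  return g;
}

function demo() {
  const results = [];
  // Warm-up: the guard always falls through, the case the old DFG
  // speculated on unconditionally.
  for (let i = 0; i < 3; i++) results.push(callViaApply(sum, [1, 2, 3]));
  // Now the pointer check fails at the same site; the override must win.
  const g = makeShadowedApply();
  results.push(callViaApply(g, [1, 2, 3]));
  results.push(callViaCall(sum, 4, 5));
  results.push(callViaCall(g, 4, 5));
  // Back to a genuine apply at the same, now polymorphic, site.
  results.push(callViaApply(sum, [10, 20]));
  return results;
}

function shadowedApplyReceivesArray() {
  return callViaApply(makeShadowedApply(), [7, 8, 9]) === "shadow:3";
}
```

        Running demo() in a loop is the shape of program the entry describes: one site that
        alternates between the expected Function.prototype.apply and something else, which before
        this change would exit and recompile every time the guard failed.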
2469
2470 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
2471
2472         OSR entry into DFG has problems with lexical scoping
2473         https://bugs.webkit.org/show_bug.cgi?id=159687
2474
2475         Reviewed by Saam Barati.
2476         
2477         What a fun bug! It turns out that uses of lexical scoping, like "let", may sometimes cause us
2478         to not be able to OSR enter into a loop from baseline to DFG. The bug is in a mitigation for
2479         a different bug, which in turn had a mitigation for yet another bug, so the story here is a
2480         long one.
2481         
2482         DFG OSR entry has long had a mitigation for the following bug: the DFG bytecode parser may
2483         choose to make us always OSR exit at some instruction if it thinks that it doesn't have
2484         enough profiling for that instruction. We will do this if some kinds of put_by_id only
2485         execute once, for example. This causes problems for loopy benchmarks like this:
2486         
2487             put_by_id(something crazy);
2488             for (var i = 0; i < bigNumber; ++i) simpleMath;
2489         
2490         In this case, the put_by_id will have only executed once, and since it did something crazy
2491         that one time, the bytecode parser will replace it with ForceOSRExit.
2492         
2493         This creates an OSR entry bug: DFG CFA will then prove that the loop is unreachable, and will
2494         tell OSR entry that it's impossible to enter into that loop.
2495         
2496         We mitigated this bug a long time ago by recording mustHandleValues for loops at which we
2497         want to enter. We inject these values into DFG CFA and we force CFA to recognize that the
2498         loop is reachable even if CFA wanted to prove that it wasn't.
2499         
2500         But this leads to another bug: we need to scrape the values from the stack inside
2501         operationOptimize() and then we need to reason about them in the compiler. Some of those
2502         values may be garbage, which would cause pandemonium inside the compiler. We also mitigated
2503         this bug, by only recording the "vars", since those are guaranteed to be reset by op_enter.
2504         
2505         And that's where the lexical scoping bug happens: "let" bound variables aren't part of the
2506         "vars". DFG will see that they are live, but mustHandleValues will not have anything for
2507         those variables, so CFA will prove that the values are Bottom. Then OSR entry will always
2508         fail because no value is ever a subset of Bottom.
2509         
2510         The first part of the fix is to ensure that mustHandleValues record all of the values on the
2511         stack (i.e. within m_numCalleeLocals, rather than just m_numVars). But this creates a second
2512         problem: we may record garbage. This patch includes a better fix for the garbage: before
2513         touching mustHandleValues we run the bytecode liveness analysis and clear any values that are
2514         not live. This ensures that we clear the garbage.
2515         
2516         This is an enormous speed-up on microbenchmarks that use lexical scoping and have some crazy
2517         put_by_id in the lead-up to the hot loop.
2518
2519         * dfg/DFGCFAPhase.cpp:
2520         (JSC::DFG::CFAPhase::run):
2521         * dfg/DFGOSREntry.cpp:
2522         (JSC::DFG::prepareOSREntry):
2523         * dfg/DFGPlan.cpp:
2524         (JSC::DFG::Plan::compileInThreadImpl):
2525         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2526         (JSC::DFG::Plan::cancel):
2527         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2528         * dfg/DFGPlan.h:
2529         (JSC::DFG::Plan::canTierUpAndOSREnter):
2530         * jit/JITOperations.cpp:
2531
2532 2016-07-18  Youenn Fablet  <youenn@apple.com>
2533
2534         REGRESSION(r202975): --minimal build is broken
2535         https://bugs.webkit.org/show_bug.cgi?id=159765
2536
2537         Reviewed by Chris Dumez.
2538
2539         Covered partially by builtin generated test code.
2540
2541         Updating generator to add a global compilation guard around the code that generates all global internal properties.
2542         Split the generate_methods function in two, one dedicated to the visit method and the second one dedicated to
2543         the initialize method.
2544
2545         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2546         (BuiltinsInternalsWrapperImplementationGenerator.generate_section_for_object): Use split generation functions.
2547         (BuiltinsInternalsWrapperImplementationGenerator.generate_visit_method): Responsible for generating the visit method.
2548         (BuiltinsInternalsWrapperImplementationGenerator._generate_initialize_static_globals): Responsible for generating
2549         the code to initialize the internal globals. This code is put in a global compilation guard in case all
2550         internals are compiled out by specific builds.
2551         (BuiltinsInternalsWrapperImplementationGenerator):
2552         (BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method): Responsible for generating the
2553         initialize method.
2554         (BuiltinsInternalsWrapperImplementationGenerator.generate_methods): Deleted.
2555         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Copyright change.
2556         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
2557         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Ditto.
2558         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
2559         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Partially reflects the built-in
2560         generator change.
2561
2562 2016-07-18  Keith Miller  <keith_miller@apple.com>
2563
2564         Fix bad assertions in genericTypedArrayViewPrivateFuncSubarrayCreate
2565         https://bugs.webkit.org/show_bug.cgi?id=159882
2566         <rdar://problem/27327111>
2567
2568         Reviewed by Mark Lam.
2569
2570         According to the spec, toInteger can return values we don't consider ints,
2571         such as -0 and +/-Infinity. This broke some assertions in
2572         genericTypedArrayViewPrivateFuncSubarrayCreate.
2573
2574         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2575         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2576         * tests/stress/typedarray-subarray.js:
2577
2578 2016-07-16  Filip Pizlo  <fpizlo@apple.com>
2579
2580         DFG CSE is broken for MultiGetByOffset
2581         https://bugs.webkit.org/show_bug.cgi?id=159858
2582
2583         Reviewed by Saam Barati.
2584         
2585         This disabled CSE for MultiGetByOffset. I opened bug 159859 for the long-term fix, which
2586         would teach CSE (and other passes also) how to decay a removed MultiGetByOffset to a
2587         CheckStructure. Since we currently just decay MultiGetByOffset to Check, we forget the
2588         structure checks. So, if we CSE a MultiGetByOffset that checks for one set of structures with
2589         a heap access on the same property and base that checks for different structures, then we
2590         will forget some structure checks that we had previously. It's unsound to forget checks in
2591         DFG IR.
2592         
2593         This bug mostly manifested as a high-volume crash at Unreachable in FTL, because we'd prove
2594         that the code after the MultiGetByOffset was unreachable due to the structure checks and then
2595         CSE would remove everything but the Unreachable.
2596
2597         * dfg/DFGClobberize.h:
2598         (JSC::DFG::clobberize): Remove the def() for MultiGetByOffset to disable CSE for this node for now.
2599         * tests/stress/cse-multi-get-by-offset-remove-checks.js: Added. This used to fail with FTL enabled.
2600         (Cons1):
2601         (Cons2):
2602         (Cons3):
2603         (foo):
2604         (bar):
2605
2606 2016-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2607
2608         [JSC] Enable test262 module tests
2609         https://bugs.webkit.org/show_bug.cgi?id=159854
2610
2611         Reviewed by Saam Barati.
2612
2613         This patch enables test262 module tests. Before this patch, the module tests in test262 did not work correctly.
2614         This patch fixes the following 2 things.
2615
2616         1. Test harness
2617
2618             Before this patch, there was only one global switch "-m" in the jsc shell. So we could not load the test262 test harness before evaluating the module tests.
2619             This patch adds a new option, "--module-file=". It is similar to "--strict-file=". When we specify the file with "--module-file=", it is evaluated as
2620             a module, while the other files are evaluated by following the JSC's default manner. This option allows us to load the test harness files into the
2621             global context before loading the module tests.
2622
2623         2. Module's asynchronous errors
2624
2625             Before this patch, the errors caused in the module evaluation were not handled the same way as for the usual sync files. In synchronous execution, we have
2626             the "--exception=" option to pass the expected exception to the JSC shell. But this option does not work in the module evaluation.
2627             This patch correctly handles this expected exception in the module evaluation promise's fulfill and reject handlers.
2628
2629         And we fix the YAML file. Now the recorded :fail and :normal are the correct test results for the module tests.
2630
2631         * jsc.cpp:
2632         (Script::Script):
2633         (checkUncaughtException):
2634         (runWithScripts):
2635         (printUsageStatement):
2636         (CommandLine::parseArguments):
2637         (dumpException): Deleted.
2638         * tests/test262.yaml:
2639
2640 2016-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2641
2642         [JSC] Mask TrustedImm32 to 8bit in MacroAssembler for 8bit operations
2643         https://bugs.webkit.org/show_bug.cgi?id=159334
2644
2645         Reviewed by Filip Pizlo.
2646
2647         Previously, in 8-bit operations (like add8, compare8, test8, branch8, branchTest8 etc.),
2648         we required that the given TrustedImm32 be in 8-bit range. While achieving this in
2649         manual MacroAssembler calls is easy, in Air we don't guarantee that the higher bits
2650         of the 8-bit argument are cleared. So the current assertions are invalid.
2651
2652         This patch relaxes the above restriction. By removing this assertion,
2653         8-bit operations can take arbitrary 32-bit imms, and only the lower 8 bits are effective when
2654         emitting the code in these methods.
2655
2656         * assembler/MacroAssembler.h:
2657         (JSC::MacroAssembler::branchTest8):
2658         * assembler/MacroAssemblerARM.h:
2659         (JSC::MacroAssemblerARM::store8):
2660         (JSC::MacroAssemblerARM::branch8):
2661         (JSC::MacroAssemblerARM::branchTest8):
2662         (JSC::MacroAssemblerARM::compare8):
2663         (JSC::MacroAssemblerARM::test8):
2664         * assembler/MacroAssemblerARM64.h:
2665         (JSC::MacroAssemblerARM64::store8):
2666         (JSC::MacroAssemblerARM64::branch8):
2667         (JSC::MacroAssemblerARM64::branchTest8):
2668         (JSC::MacroAssemblerARM64::compare8):
2669         (JSC::MacroAssemblerARM64::test8):
2670         * assembler/MacroAssemblerARMv7.h:
2671         (JSC::MacroAssemblerARMv7::store8):
2672         (JSC::MacroAssemblerARMv7::branch8):
2673         (JSC::MacroAssemblerARMv7::branchTest8):
2674         (JSC::MacroAssemblerARMv7::compare8):
2675         (JSC::MacroAssemblerARMv7::test8):
2676         * assembler/MacroAssemblerMIPS.h:
2677         (JSC::MacroAssemblerMIPS::store8):
2678         (JSC::MacroAssemblerMIPS::branch8):
2679         (JSC::MacroAssemblerMIPS::compare8):
2680         (JSC::MacroAssemblerMIPS::branchTest8):
2681         (JSC::MacroAssemblerMIPS::test8):
2682         * assembler/MacroAssemblerSH4.h:
2683         (JSC::MacroAssemblerSH4::store8):
2684         (JSC::MacroAssemblerSH4::branchTest8):
2685         (JSC::MacroAssemblerSH4::branch8):
2686         (JSC::MacroAssemblerSH4::compare8):
2687         (JSC::MacroAssemblerSH4::test8):
2688         * assembler/MacroAssemblerX86.h:
2689         (JSC::MacroAssemblerX86::store8):
2690         (JSC::MacroAssemblerX86::branch8):
2691         (JSC::MacroAssemblerX86::branchTest8):
2692         * assembler/MacroAssemblerX86Common.h:
2693         (JSC::MacroAssemblerX86Common::add8):
2694         (JSC::MacroAssemblerX86Common::store8):
2695         (JSC::MacroAssemblerX86Common::branch8):
2696         (JSC::MacroAssemblerX86Common::branchTest8):
2697         (JSC::MacroAssemblerX86Common::compare8):
2698         (JSC::MacroAssemblerX86Common::test8):
2699         * assembler/MacroAssemblerX86_64.h:
2700         (JSC::MacroAssemblerX86_64::store8):
2701         (JSC::MacroAssemblerX86_64::branch8):
2702         (JSC::MacroAssemblerX86_64::branchTest8):
2703
2704 2016-07-16  Chris Dumez  <cdumez@apple.com>
2705
2706         Unreviewed, rolling out r203318.
2707
2708         Regressed most JS Benchmarks on MacBook Air by ~2% (7% on
2709         SunSpider)
2710
2711         Reverted changeset:
2712
2713         "[JSC] Change some parameters based on a random search"
2714         https://bugs.webkit.org/show_bug.cgi?id=158514
2715         http://trac.webkit.org/changeset/203318
2716
2717 2016-07-15  Benjamin Poulain  <bpoulain@apple.com>
2718
2719         [JSC] Convert the remaining createOutOfMemoryError()+throwException() into throwOutOfMemoryError()
2720         https://bugs.webkit.org/show_bug.cgi?id=159665
2721
2722         Reviewed by Saam Barati.
2723
2724         * API/JSTypedArray.cpp:
2725         (createTypedArray):
2726         * runtime/Error.cpp:
2727         (JSC::createOutOfMemoryError):
2728         * runtime/Error.h:
2729         * runtime/ExceptionHelpers.cpp:
2730         (JSC::throwOutOfMemoryError):
2731         * runtime/JSArrayBufferConstructor.cpp:
2732         (JSC::constructArrayBuffer):
2733         * runtime/JSArrayBufferPrototype.cpp:
2734         (JSC::arrayBufferProtoFuncSlice):
2735         * runtime/JSGenericTypedArrayViewInlines.h:
2736         (JSC::JSGenericTypedArrayView<Adaptor>::create):
2737         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
2738
2739 2016-07-15  Benjamin Poulain  <bpoulain@apple.com>
2740
2741         [JSC] Change some parameters based on a random search
2742         https://bugs.webkit.org/show_bug.cgi?id=158514
2743
2744         Reviewed by Saam Barati.
2745
2746         * bytecode/CodeBlock.cpp:
2747         (JSC::CodeBlock::optimizationThresholdScalingFactor):
2748         * runtime/Options.h:
2749
2750 2016-07-15  Mark Lam  <mark.lam@apple.com>
2751
2752         Assertion failures and crashes with missing TDZ checks for catch-node bindings.
2753         https://bugs.webkit.org/show_bug.cgi?id=158797
2754
2755         Reviewed by Saam Barati.
2756
2757         * bytecompiler/BytecodeGenerator.cpp:
2758         (JSC::BytecodeGenerator::emitPushCatchScope):
2759         (JSC::BytecodeGenerator::emitPopCatchScope):
2760         * tests/stress/catch-clause-should-be-under-tdz1.js: Added.
2761         * tests/stress/catch-clause-should-be-under-tdz2.js: Added.
2762         * tests/stress/catch-clause-should-be-under-tdz3.js: Added.
2763         * tests/stress/catch-clause-should-be-under-tdz4.js: Added.
2764         * tests/stress/catch-clause-should-be-under-tdz5.js: Added.
2765
2766 2016-07-15  Geoffrey Garen  <ggaren@apple.com>
2767
2768         Added a makeRef<T> helper
2769         https://bugs.webkit.org/show_bug.cgi?id=159835
2770
2771         Reviewed by Andreas Kling.
2772
2773         Anders told me to!
2774
2775         * inspector/InjectedScriptHost.cpp:
2776         (Inspector::InjectedScriptHost::wrapper):
2777
2778 2016-07-15  Mark Lam  <mark.lam@apple.com>
2779
2780         FunctionOverride's parseClause() needs to keep the CString instance in scope while its data is being used.
2781         https://bugs.webkit.org/show_bug.cgi?id=159828
2782
2783         Reviewed by Saam Barati.
2784
2785         Otherwise, we'll have a use after free.  This issue was caught when running an
2786         ASan debug build of testapi.
2787
2788         * tools/FunctionOverrides.cpp:
2789         (JSC::parseClause):
2790
2791 2016-07-15  Keith Miller  <keith_miller@apple.com>
2792
2793         %TypedArray%.prototype.indexOf is coercing non-integers or non-floats to numbers wrongly
2794         https://bugs.webkit.org/show_bug.cgi?id=159400
2795
2796         Reviewed by Geoffrey Garen.
2797
2798         This patch fixes coercion of non-numbers in indexOf/lastIndexOf.
2799         Additionally, this patch fixes an issue with includes where it
2800         would not check that the buffer remained non-neutered after
2801         calling the toInteger() function. Lastly, some extra release
2802         asserts have been added in some places to inform us of any issues
2803         in the future.
2804
2805         Additionally, this patch changes bool toNativeFromDouble to
2806         Optional<Type> toNativeFromDoubleWithoutCoercion. This makes it a
2807         little clearer what the function does and also removes the return
2808         argument. The only behavior change is that the function no longer
2809         coerces non-numbers into numbers. That behavior was unused (maybe
2810         unintended), however.
2811
2812         * runtime/JSGenericTypedArrayView.h:
2813         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
2814         (JSC::JSGenericTypedArrayView::sort):
2815         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
2816         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2817         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
2818         (JSC::genericTypedArrayViewProtoFuncIncludes):
2819         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2820         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2821         * runtime/ToNativeFromValue.h:
2822         (JSC::toNativeFromValueWithoutCoercion):
2823         (JSC::toNativeFromValue): Deleted.
2824         * runtime/TypedArrayAdaptors.h:
2825         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
2826         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
2827         (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
2828         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
2829         (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
2830         (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
2831         (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):
2832         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32): Deleted.
2833         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32): Deleted.
2834         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble): Deleted.
2835         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32): Deleted.
2836         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble): Deleted.
2837         (JSC::Uint8ClampedAdaptor::toNativeFromInt32): Deleted.
2838         (JSC::Uint8ClampedAdaptor::toNativeFromDouble): Deleted.
2839         * tests/stress/resources/typedarray-test-helper-functions.js:
2840         * tests/stress/typedarray-functions-with-neutered.js:
2841         (callWithArgs):
2842         * tests/stress/typedarray-includes.js: Added.
2843         * tests/stress/typedarray-indexOf.js:
2844         * tests/stress/typedarray-lastIndexOf.js:
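
        The edge cases named in this entry and in the subarrayCreate entry above (bug 159882), written out as an added example that is not JavaScriptCore code: the spec's ToInteger, the begin/end clamping of %TypedArray%.prototype.subarray, and the fromIndex handling plus strict element comparison of indexOf/lastIndexOf. Function names are chosen here; nothing is taken from the engine.

```javascript
// Added example, not JavaScriptCore code: spec ToInteger and the argument
// handling of %TypedArray%.prototype.subarray / indexOf / lastIndexOf in plain
// JavaScript, so the values the entries describe (-0, +/-Infinity, NaN,
// non-number search elements) can be observed directly.
function toInteger(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  if (n === 0 || !Number.isFinite(n)) return n; // -0, +Infinity, -Infinity survive
  return Math.sign(n) * Math.floor(Math.abs(n)); // e.g. -0.5 -> -0
}

// Relative index -> absolute index in [0, length]. The trailing `+ 0` folds -0
// into +0 so no caller ever receives a "negative zero" index.
function clampIndex(relative, length) {
  return (relative < 0 ? Math.max(length + relative, 0) : Math.min(relative, length)) + 0;
}

// subarray(begin, end) on a view of srcLength elements: the element range the
// new view covers. An undefined end means "to the end of the source".
function subarrayRange(srcLength, begin, end) {
  const beginIndex = clampIndex(toInteger(begin), srcLength);
  const endIndex = end === undefined ? srcLength : clampIndex(toInteger(end), srcLength);
  return { begin: beginIndex, length: Math.max(endIndex - beginIndex, 0) };
}

// indexOf: fromIndex goes through ToInteger; elements are compared with strict
// equality, so a non-number search element is never coerced and never found.
function typedArrayIndexOf(view, searchElement, fromIndex = 0) {
  const len = view.length;
  if (len === 0) return -1;
  const n = toInteger(fromIndex);
  if (n >= len) return -1;
  let k = (n >= 0 ? n : Math.max(len + n, 0)) + 0;
  for (; k < len; k++) {
    if (view[k] === searchElement) return k;
  }
  return -1;
}

// lastIndexOf: fromIndex defaults to len - 1 only when the argument is absent;
// a -Infinity fromIndex puts the start before index 0, so nothing is searched.
function typedArrayLastIndexOf(view, searchElement, ...rest) {
  const len = view.length;
  if (len === 0) return -1;
  const n = rest.length === 0 ? len - 1 : toInteger(rest[0]);
  let k = (n >= 0 ? Math.min(n, len - 1) : len + n) + 0;
  for (; k >= 0; k--) {
    if (view[k] === searchElement) return k;
  }
  return -1;
}
```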
2845
2846 2016-07-15  Csaba Osztrogonác  <ossy@webkit.org>
2847
2848         Add new functions to ARMAssembler after r202214
2849         https://bugs.webkit.org/show_bug.cgi?id=159713
2850
2851         Reviewed by Saam Barati.
2852
2853         * assembler/ARMAssembler.h:
2854         (JSC::ARMAssembler::fillNops):
2855         * assembler/MacroAssemblerARM.h:
2856         (JSC::MacroAssemblerARM::patchableBranch32):
2857         (JSC::MacroAssemblerARM::internalCompare32):
2858
2859 2016-07-15  Mark Lam  <mark.lam@apple.com>
2860
2861         Stack overflow error for deeply nested classes.
2862         https://bugs.webkit.org/show_bug.cgi?id=157086
2863
2864         Reviewed by Geoffrey Garen.
2865
2866         Changed the StructureStubClearingWatchpoint destructor to iteratively destruct
2867         its chain of next StructureStubClearingWatchpoints instead of recursively doing
2868         so.
2869
2870         The added deep-StructureStubClearingWatchpoint-destructor-recursion.js test
2871         produces a crash before the fix is applied, but takes about 14 minutes to run.
2872         Hence, it is skipped.
2873
2874         * bytecode/StructureStubClearingWatchpoint.cpp:
2875         (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint):
2876         * tests/stress/deep-StructureStubClearingWatchpoint-destructor-recursion.js: Added.
2877
2878 2016-07-15  Csaba Osztrogonác  <ossy@webkit.org>
2879
2880         Fix expectations in test262.yaml
2881         https://bugs.webkit.org/show_bug.cgi?id=159810
2882
2883         Reviewed by Keith Miller.
2884
2885         * tests/test262.yaml:
2886
2887 2016-07-15  Csaba Osztrogonác  <ossy@webkit.org>
2888
2889         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
2890         https://bugs.webkit.org/show_bug.cgi?id=159759
2891
2892         Reviewed by Saam Barati.
2893
2894         * jit/Repatch.cpp:
2895         (JSC::forceICFailure):
2896
2897 2016-07-14  Keith Miller  <keith_miller@apple.com>
2898
2899         Add Test262 test files and yaml
2900
2901         Rubber Stamped by Benjamin Poulain.
2902
2903         This patch adds all the test262 test files and the yaml that drives
2904         run-jsc-stress-tests.
2905
2906         * tests/test262.yaml: Added. Yaml file to drive the test262 test suite with our driver.
2907         * tests/test262/LICENSE: Added. License for the test262 test suite.
2908         * tests/test262/harness/: Added. Harness directory for the test262 tests.
2909         * tests/test262/test/: Added. Directory with all the actual test files.
2910
2911 2016-07-14  Joseph Pecoraro  <pecoraro@apple.com>
2912
2913         Return the correct value from Heap::externalMemorySize
2914         https://bugs.webkit.org/show_bug.cgi?id=159797
2915         <rdar://problem/27362446>
2916
2917         Reviewed by Timothy Hatcher.
2918
2919         * heap/Heap.h:
2920         (JSC::Heap::externalMemorySize):
2921         We should have been returning m_externalMemorySize which is a subset
2922         of m_extraMemorySize. In practice the difference can be small. A major
2923         difference in "extra memory size" may be from deprecated memory size
2924         and array buffer sizes.
2925
2926 2016-07-14  Saam Barati  <sbarati@apple.com>
2927
2928         It should be a syntax error to have a 'use strict' directive inside a function that has a non-simple parameter list
2929         https://bugs.webkit.org/show_bug.cgi?id=159790
2930         <rdar://problem/27171636>
2931
2932         Reviewed by Geoffrey Garen.
2933
2934         It is a syntax error for a function's parameter list to be non-simple
2935         and for the function to also contain a 'use strict' directive.
2936
2937         See section 14.2.1 of the spec:
2938         https://tc39.github.io/ecma262/#sec-arrow-function-definitions-static-semantics-early-errors
2939
2940         * parser/Parser.cpp:
2941         (JSC::Parser<LexerType>::parseSourceElements):
2942         (JSC::Parser<LexerType>::parseFormalParameters):
2943         * parser/Parser.h:
2944         (JSC::Scope::Scope):
2945         (JSC::Scope::strictMode):
2946         (JSC::Scope::isValidStrictMode):
2947         (JSC::Scope::shadowsArguments):
2948         (JSC::Scope::setHasNonSimpleParameterList):
2949         (JSC::Scope::hasNonSimpleParameterList):
2950         (JSC::Scope::copyCapturedVariablesToVector):
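
        The early error described in this entry, probed from script as an added example (not JavaScriptCore's parser code): the Function constructor parses a source string without running it, so each case below checks whether the combination of parameter list and 'use strict' directive is accepted. The case table and helper names are constructed for this example.

```javascript
// Added example, not JavaScriptCore code. A parameter list is "non-simple" when
// it contains a default value, a rest parameter or a destructuring pattern; a
// function with such a list may not carry a 'use strict' directive in its own
// body. `new Function(src)` compiles `src` as a function body without executing
// it, so a SyntaxError here is a parse-time early error.
function compiles(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in the probe, not a parse result
  }
}

// [description, source, expected to compile]
const cases = [
  ['simple list + use strict',          "function f(a, b) { 'use strict'; }",        true],
  ['default value + use strict',        "function f(a = 1) { 'use strict'; }",       false],
  ['rest parameter + use strict',       "function f(...rest) { 'use strict'; }",     false],
  ['destructuring + use strict',        "function f({ a }) { 'use strict'; }",       false],
  ['arrow with default + use strict',   "const g = (a = 1) => { 'use strict'; };",   false],
  ['default value, directive outside',  "'use strict'; function f(a = 1) { }",       true],
  ['default value, no directive',       "function f(a = 1) { }",                     true],
];

// Runs every case; a mismatch means the engine under test does not apply the
// early error the way the spec (and this entry) require.
function runCases() {
  return cases.map(([name, source, expected]) => ({
    name,
    accepted: compiles(source),
    pass: compiles(source) === expected,
  }));
}
```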
2951
2952 2016-07-14  Geoffrey Garen  <ggaren@apple.com>
2953
2954         ASSERTION FAILED: : this != replacement()
2955         https://bugs.webkit.org/show_bug.cgi?id=159779
2956
2957         Reviewed by Michael Saboff.
2958
2959         * bytecode/CodeBlock.cpp:
2960         (JSC::CodeBlock::jettison): If we jettison during GC, and our owner
2961         is dead, we choose not to replace ourselves. (See
2962         https://bugs.webkit.org/show_bug.cgi?id=159588.) So, it's possible to
2963         invalidate and still be our owner's CodeBlock. Relax our ASSERT to allow
2964         for this.
2965
2966 2016-07-14  Mark Lam  <mark.lam@apple.com>
2967
2968         JSONObject Walker::walk must save array length before processing array elements.
2969         https://bugs.webkit.org/show_bug.cgi?id=153485
2970
2971         Reviewed by Darin Adler and Michael Saboff.
2972
2973         According to https://tc39.github.io/ecma262/#sec-internalizejsonproperty,
2974         JSON.parse() should cache the length of an array and use the cached length when
2975         iterating array elements (see section 24.3.1.1 2.b.iii).
2976
2977         * runtime/JSONObject.cpp:
2978         (JSC::Walker::walk):
2979         * tests/stress/JSON-parse-should-cache-array-lengths.js: Added.
2980         (toString):
2981         (shouldBe):
2982         (test):
2983         (test2):
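
        The walk this entry refers to, as an added example in JavaScript rather than JavaScriptCore's Walker: a model of the spec's InternalizeJSONProperty with the array length read once, a constructed reviver that appends to the array being walked, and for contrast a loop that re-reads the length. All function names are chosen for this example.

```javascript
// Added example, not JavaScriptCore code: a model of InternalizeJSONProperty,
// the walk JSON.parse performs when a reviver is supplied. The array branch
// reads `length` once, before the first reviver call (spec 24.3.1.1 step
// 2.b.iii), so a reviver that appends to the array it is walking cannot
// extend the loop.
function internalize(holder, name, reviver) {
  const val = holder[name];
  if (val !== null && typeof val === 'object') {
    if (Array.isArray(val)) {
      const len = val.length; // cached once; later pushes do not move the bound
      for (let i = 0; i < len; i++) {
        const newElement = internalize(val, String(i), reviver);
        if (newElement === undefined) delete val[i];
        else val[i] = newElement;
      }
    } else {
      for (const key of Object.keys(val)) {
        const newElement = internalize(val, key, reviver);
        if (newElement === undefined) delete val[key];
        else val[key] = newElement;
      }
    }
  }
  return reviver.call(holder, name, val);
}

// JSON.parse(text, reviver) as the spec defines it: parse, wrap the result in a
// root holder under the empty key, then walk.
function parseWithReviver(text, reviver) {
  const root = { '': JSON.parse(text) };
  return internalize(root, '', reviver);
}

// Constructed hostile reviver: while the elements of an array are being
// revived, `this` is that array, and the reviver appends to it on every call.
function growingReviver(key, value) {
  if (Array.isArray(this)) this.push('injected');
  return value;
}

// For contrast, the pre-fix shape of the loop: `length` is re-read on every
// iteration. An iteration cap makes the run-away observable without hanging.
function walkArrayRereadingLength(arr, reviver, maxSteps) {
  let steps = 0;
  for (let i = 0; i < arr.length; i++) {
    if (++steps > maxSteps) return { ranAway: true, steps };
    arr[i] = reviver.call(arr, String(i), arr[i]);
  }
  return { ranAway: false, steps };
}
```

With the cached length, `[1,2]` is revived exactly twice (one push per original element) and the walk terminates; the re-reading loop never catches up with the growing array.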
2984
2985 2016-07-14  Julien Brianceau  <jbriance@cisco.com>
2986
2987         [mips] Handle properly unaligned halfword load
2988         https://bugs.webkit.org/show_bug.cgi?id=153226
2989
2990         Reviewed by Michael Catanzaro.
2991
2992         Waiting for the kernel to silently fix-up unaligned accesses is
2993         not efficient, so let's provide an implementation of load16Unaligned
2994         in mips macro assembler.
2995
2996         Performance improvement seen with SunSpider's regexp-dna test.
2997
2998         * assembler/MacroAssemblerMIPS.h:
2999         (JSC::MacroAssemblerMIPS::load16Unaligned):
3000         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
3001
3002 2016-07-14  Youenn Fablet  <youenn@apple.com>
3003
3004         DOM value iterable interfaces should use Array prototype methods
3005         https://bugs.webkit.org/show_bug.cgi?id=159296
3006
3007         Reviewed by Chris Dumez and Mark Lam.
3008
3009         * JavaScriptCore.xcodeproj/project.pbxproj: Marking some header files as private so that they can be included in
3010         WebCore.
3011         * runtime/ArrayPrototype.cpp:
3012         (JSC::ArrayPrototype::finishCreation): copying iterable methods (entries, forEach, keys and values) to private slots.
3013
3014 2016-07-13  Csaba Osztrogonác  <ossy@webkit.org>
3015
3016         Fix the magic numbers for ARM traditional in InlineAccess.h
3017         https://bugs.webkit.org/show_bug.cgi?id=159708
3018
3019         Reviewed by Saam Barati.
3020
3021         * bytecode/InlineAccess.h:
3022         (JSC::InlineAccess::sizeForPropertyAccess):
3023         (JSC::InlineAccess::sizeForPropertyReplace):
3024         (JSC::InlineAccess::sizeForLengthAccess):
3025
3026 2016-07-13  Michael Saboff  <msaboff@apple.com>
3027
3028         YARR uses mixture of int and unsigned values to index into subject string
3029         https://bugs.webkit.org/show_bug.cgi?id=159744
3030
3031         Reviewed by Benjamin Poulain.
3032
3033         In most cases, we refer to characters in subject strings using a negative index from the number of
3034         "checked" characters in a subject string.  The required length is compared against the actual length
3035         and then we use that required length as the checked amount.  For example, when matching the string of
3036         4 digits in the RegExp /abc \d{4}/, we know that we need 8 characters in the subject string.  We refer
3037         to the digits part of the expression from an already checked index of 8 and use negative offsets of
3038         -4 through -1.  In many cases we used a signed int for the negative offsets.  There are other cases
3039         where we used unsigned values as the amount of negative offset to use when accessing subject characters.
3040
3041         Changed all occurrences of character offsets to unsigned or Checked Arithmetic unsigned values.  Note
3042         that the pre-existing Checked class is used in other places to check for under/overflow with arithmetic
3043         operations.  Those unsigned offsets are always the number of characters before (negative) from the
3044         current checked character offset.  Also added some asserts for cases where arithmetic is not protected
3045         by other checks or with Checked<> wrapped values.
3046
3047         In the case of the JIT, subject characters are accessed using base with scaled index and offset
3048         addressing.  The MacroAssembler provides this addressing using the BaseIndex struct.  The offset for
3049         this struct is a 32 bit signed quantity.  Since we only care about negative offsets, we really only
3050         have 31 bits.  Changed the generation of a BaseOffset address to handle the case when the offset and
3051         scaled combination will exceed the 31 bits of negative offset.  This is done by moving the base value
3052         into a temp register and biasing the temp base and offset to smaller values so that we can emit
3053         instructions that can reference characters without exceeding the 31 bits of negative offset.
3054
3055         To abstract the character address generation, put the base with scaled index and offset into
3056         one function and used that function everywhere the YARR JIT wants to access subject characters.
3057         Also consolidated a few cases where we were generating inline what readCharacter() does.  Usually
3058         this was due to using a different index register.
3059
3060         Added a new regression test.
3061
3062         * tests/stress/regress-159744.js: Added regression test.
3063         (testRegExp):
3064         * yarr/YarrInterpreter.cpp:
3065         (JSC::Yarr::Interpreter::recordParenthesesMatch):
3066         (JSC::Yarr::Interpreter::resetMatches):
3067         (JSC::Yarr::Interpreter::matchParenthesesOnceEnd):
3068         (JSC::Yarr::Interpreter::backtrackParenthesesOnceEnd):
3069         (JSC::Yarr::ByteCompiler::closeBodyAlternative):
3070         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
3071         (JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
3072         (JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
3073         (JSC::Yarr::ByteCompiler::emitDisjunction):
3074         * yarr/YarrInterpreter.h:
3075         (JSC::Yarr::ByteTerm::ByteTerm):
3076         (JSC::Yarr::ByteTerm::BOL):
3077         (JSC::Yarr::ByteTerm::UncheckInput):
3078         (JSC::Yarr::ByteTerm::EOL):
3079         (JSC::Yarr::ByteTerm::WordBoundary):
3080         (JSC::Yarr::ByteTerm::BackReference):
3081         * yarr/YarrJIT.cpp:
3082         (JSC::Yarr::YarrGenerator::notAtEndOfInput):
3083         (JSC::Yarr::YarrGenerator::negativeOffsetIndexedAddress):
3084         (JSC::Yarr::YarrGenerator::readCharacter):
3085         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
3086         (JSC::Yarr::YarrGenerator::storeToFrame):
3087         (JSC::Yarr::YarrGenerator::generateAssertionBOL):
3088         (JSC::Yarr::YarrGenerator::backtrackAssertionBOL):
3089         (JSC::Yarr::YarrGenerator::generateAssertionEOL):
3090         (JSC::Yarr::YarrGenerator::matchAssertionWordchar):
3091         (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary):
3092         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
3093         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
3094         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
3095         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
3096         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
3097         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
3098         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
3099         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
3100         (JSC::Yarr::YarrGenerator::generate):
3101         (JSC::Yarr::YarrGenerator::backtrack):
3102         (JSC::Yarr::YarrGenerator::YarrGenerator):
3103         * yarr/YarrPattern.h:
3104         (JSC::Yarr::PatternTerm::PatternTerm):
3105
3106 2016-07-13  Keith Miller  <keith_miller@apple.com>
3107
3108         Crashes with detached ArrayBuffers
3109         https://bugs.webkit.org/show_bug.cgi?id=157088
3110         <rdar://problem/27327362>
3111
3112         Reviewed by Filip Pizlo.
3113
3114         TypedArray.prototype.fill was incorrect because it should perform
3115         ToNumber coercion each time it tries to store the
3116         object. Currently, we only perform the coercion once at the
3117         beginning of the loop. If we find that we need to improve the
3118         performance of this function, we can add a faster C++ path back
3119         that only handles the primitive case.
3120
3121         This patch also moves the isNeutered() checks from put and
3122         putByIndex into setIndex. This fixes an issue where setIndex might
3123         store to a no longer valid offset.
3124
3125         * builtins/TypedArrayPrototype.js:
3126         (globalPrivate.typedArrayClampArgumentToStartOrEnd):
3127         (fill):
3128         * runtime/JSGenericTypedArrayView.h:
3129         (JSC::JSGenericTypedArrayView::setIndexQuickly):
3130         (JSC::JSGenericTypedArrayView::setIndex):
3131         (JSC::JSGenericTypedArrayView::setRangeToValue): Deleted.
3132         * runtime/JSGenericTypedArrayViewInlines.h:
3133         (JSC::JSGenericTypedArrayView<Adaptor>::put): Deleted.
3134         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex): Deleted.
3135         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3136         (JSC::genericTypedArrayViewProtoFuncFill): Deleted.
3137         * runtime/JSTypedArrayViewPrototype.cpp:
3138         (JSC::JSTypedArrayViewPrototype::finishCreation):
3139         (JSC::typedArrayViewProtoFuncFill): Deleted.
3140         * tests/stress/typedarray-fill.js:
3141         * tests/stress/typedarray-functions-with-neutered.js:
3142         (defaultForArg):
3143         (test2):
3144         (checkArgumentsForType): Deleted.
3145         (checkArguments): Deleted.
3146
3147 2016-07-13  Michael Saboff  <msaboff@apple.com>
3148
3149         Some bad unicode regex escapes aren't flagged as errors
3150         https://bugs.webkit.org/show_bug.cgi?id=158080
3151
3152         Reviewed by Saam Barati.
3153
3154         If we have a partial unicode escape, e.g. /\u{1/u or /\u12|abc/u, we
3155         didn't check for the closing '}' and processed the unicode escape with
3156         the hex value provided.
3157
3158         Added a check that we properly terminated a \u{} unicode escape.
3159         If we fail that check and there isn't a prior error, we record that we
3160         have an invalid unicode escape.  The next existing line in the code will
3161         terminate parsing and bubble up the error.
3162
3163         * yarr/YarrParser.h:
3164         (JSC::Yarr::Parser::parseEscape):
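
        Added example (not JSC's Yarr parser): a spec-shaped reader for the \u
        escape forms a unicode-mode (/u) pattern allows, cross-checked against
        the host engine's RegExp constructor. The bug above accepted an
        unterminated \u{... and used whatever hex digits had been read; the
        reader below rejects that case explicitly. The sample patterns are
        constructed for the example; the only inputs taken from the entry are
        /\u{1/u and /\u12|abc/u.

```javascript
// Added example, not JSC's Yarr parser: a spec-shaped reader for the \u escape
// forms that a unicode-mode (/u) pattern allows, cross-checked against the
// host engine. The bug described above accepted an unterminated \u{... and used
// whatever hex digits had been read; the reader below rejects that explicitly.
const HEX_DIGIT = /^[0-9A-Fa-f]$/;

// `i` points just past "\u". Returns { codePoint, next } for a well-formed
// escape, or null for a malformed one: unterminated brace, no digits, a value
// above 0x10FFFF, or fewer than four hex digits in the \uXXXX form.
function parseUnicodeEscape(src, i) {
  if (src[i] === '{') {
    let j = i + 1;
    let value = 0;
    let digits = 0;
    while (j < src.length && HEX_DIGIT.test(src[j])) {
      value = value * 16 + parseInt(src[j], 16);
      digits += 1;
      j += 1;
    }
    // The termination check: the digits must be followed by '}'. Without it,
    // "\u{1" would be accepted with code point 1 and silently consumed.
    if (digits === 0 || src[j] !== '}' || value > 0x10ffff) return null;
    return { codePoint: value, next: j + 1 };
  }
  const quad = src.slice(i, i + 4);
  if (quad.length < 4 || !Array.from(quad).every((c) => HEX_DIGIT.test(c))) return null;
  return { codePoint: parseInt(quad, 16), next: i + 4 };
}

// Walk a whole pattern source and report whether every \u escape is well formed.
function unicodeEscapesWellFormed(src) {
  let i = 0;
  while (i < src.length) {
    if (src[i] !== '\\') { i += 1; continue; }
    if (src[i + 1] !== 'u') { i += 2; continue; } // some other escape: skip it
    const parsed = parseUnicodeEscape(src, i + 2);
    if (parsed === null) return false;
    i = parsed.next;
  }
  return true;
}

// The engine's verdict: in unicode mode a malformed \u escape is a SyntaxError.
function engineAccepts(src) {
  try {
    new RegExp(src, 'u');
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed inputs: the two shapes from the entry, plus controls. The value
// is what a conforming parser must answer.
const SAMPLES = {
  '\\u{1': false,          // /\u{1/u      brace never closed
  '\\u12|abc': false,      // /\u12|abc/u  only two hex digits before '|'
  '\\u{}': false,          // no digits inside the braces
  '\\u{110000}': false,    // above the last code point
  '\\u{1F600}': true,
  '\\uD83D\\uDE00': true,  // surrogate pair written as two \uXXXX escapes
  '[\\u{41}-\\u{5A}]': true,
};

// Run both checks over the samples so parser and engine can be compared.
function checkSamples() {
  return Object.entries(SAMPLES).map(([src, expected]) => ({
    src,
    expected,
    parser: unicodeEscapesWellFormed(src),
    engine: engineAccepts(src),
  }));
}
```

        checkSamples() returns one row per pattern; a row whose parser or
        engine column disagrees with expected points at the escape form that
        is being mishandled.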
3165
3166 2016-07-13  Chris Dumez  <cdumez@apple.com>
3167
3168         Unreviewed, rolling out r203199.
3169
3170         Broke the build
3171
3172         Reverted changeset:
3173
3174         "Crashes with detached ArrayBuffers"
3175         https://bugs.webkit.org/show_bug.cgi?id=157088
3176         http://trac.webkit.org/changeset/203199
3177
3178 2016-07-13  Keith Miller  <keith_miller@apple.com>
3179
3180         Crashes with detached ArrayBuffers
3181         https://bugs.webkit.org/show_bug.cgi?id=157088
3182         <rdar://problem/27327362>
3183
3184         Reviewed by Filip Pizlo.
3185
3186         TypedArray.prototype.fill was incorrect because it should perform
3187         ToNumber coercion each time it tries to store the
3188         object. Currently, we only perform the coercion once at the
3189         beginning of the loop. If we find that we need to improve the
3190         performance of this function, we can add a faster C++ path back
3191         that only handles the primitive case.
3192
3193         This patch also moves the isNeutered() checks from put and
3194         putByIndex into setIndex. This fixes an issue where setIndex might
3195         store to a no longer valid offset.
3196
3197         * builtins/TypedArrayPrototype.js:
3198         (globalPrivate.typedArrayClampArgumentToStartOrEnd):
3199         (fill):
3200         * runtime/JSGenericTypedArrayView.h:
3201         (JSC::JSGenericTypedArrayView::setIndexQuickly):
3202         (JSC::JSGenericTypedArrayView::setIndex):
3203         (JSC::JSGenericTypedArrayView::setRangeToValue): Deleted.
3204         * runtime/JSGenericTypedArrayViewInlines.h:
3205         (JSC::JSGenericTypedArrayView<Adaptor>::put): Deleted.
3206         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex): Deleted.
3207         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3208         (JSC::genericTypedArrayViewProtoFuncFill): Deleted.
3209         * runtime/JSTypedArrayViewPrototype.cpp:
3210         (JSC::JSTypedArrayViewPrototype::finishCreation):
3211         (JSC::typedArrayViewProtoFuncFill): Deleted.
3212         * tests/stress/typedarray-fill.js:
3213         * tests/stress/typedarray-functions-with-neutered.js:
3214         (defaultForArg):
3215         (test2):
3216         (checkArgumentsForType): Deleted.
3217         (checkArguments): Deleted.
3218
3219 2016-07-13  Enrica Casucci  <enrica@apple.com>
3220
3221         Update supported platforms in xcconfig files to match the sdk names.
3222         https://bugs.webkit.org/show_bug.cgi?id=159728
3223
3224         Reviewed by Tim Horton.
3225
3226         * Configurations/Base.xcconfig:
3227
3228 2016-07-13  Csaba Osztrogonác  <ossy@webkit.org>
3229
3230         CLoop buildfix after r203142
3231         https://bugs.webkit.org/show_bug.cgi?id=159706
3232
3233         Unreviewed buildfix.
3234
3235         * interpreter/CLoopStack.cpp:
3236         (JSC::CLoopStack::isSafeToRecurse):
3237         * interpreter/CLoopStack.h:
3238         * interpreter/CLoopStackInlines.h:
3239         (JSC::CLoopStack::isSafeToRecurse): Deleted.
3240
3241 2016-07-12  Benjamin Poulain  <bpoulain@apple.com>
3242
3243         [JSC] Array.prototype.join() fails some conformance tests
3244         https://bugs.webkit.org/show_bug.cgi?id=159657
3245
3246         Reviewed by Saam Barati.
3247
3248         There were a couple of failures:
3249         -separator.toString() was called *before* we get the length
3250          and process ToLength() on it.
3251         -We were using toUInt32() on length instead of ToLength(),
3252          failing on big integers and various negative numbers.
3253
3254         Additionally, I replaced the "fast" ArrayStorage path
3255         by a fully generic implementation that does not depend on StringJoiner.
3256
3257         The reason is StringJoiner was doing poorly on sparse objects
3258         in certain cases.
3259         If you have a sparse object with a length > INT_MAX but very few
3260         indices defined, and you join on the empty string, it should be possible
3261         to join the array (albeit very slowly). With StringJoiner, we fail
3262         because we try to allocate > INT_MAX empty strings in a contiguous vector.
3263
3264         * runtime/ArrayPrototype.cpp:
3265         (JSC::slowJoin):
3266         (JSC::canUseFastJoin):
3267         (JSC::fastJoin):
3268         (JSC::arrayProtoFuncJoin):
3269         (JSC::join): Deleted.
3270         * runtime/JSArray.h:
3271         (JSC::toLength):
3272
3273 2016-07-12  Mark Lam  <mark.lam@apple.com>
3274
3275         Gardening: C Loop build fix after r203142.
3276
3277         Not reviewed.
3278
3279         * interpreter/CLoopStackInlines.h:
3280         (JSC::CLoopStack::isSafeToRecurse):
3281
3282 2016-07-12  Commit Queue  <commit-queue@webkit.org>
3283
3284         Unreviewed, rolling out r203131.
3285         https://bugs.webkit.org/show_bug.cgi?id=159698
3286
3287         This change caused an existing LayoutTest to time out on debug
3288         testers (Requested by ryanhaddad on #webkit).
3289
3290         Reverted changeset:
3291
3292         "[JSC] Array.prototype.join() fails some conformance tests"
3293         https://bugs.webkit.org/show_bug.cgi?id=159657
3294         http://trac.webkit.org/changeset/203131
3295
3296 2016-07-12  Mark Lam  <mark.lam@apple.com>
3297
3298         We should use different stack limits for stack checks from JS and host code.
3299         https://bugs.webkit.org/show_bug.cgi?id=159442
3300         <rdar://problem/26889188>
3301
3302         Reviewed by Geoffrey Garen.
3303
3304         We have 2 stack reservedZoneSizes:
3305         1. Options::softReservedZoneSize()
3306         2. Options::reservedZoneSize()
3307
3308         Respectively, these are used to define 2 stack limits based on these reserved
3309         zone sizes:
3310         1. VM::m_softStackLimit
3311         2. VM::m_stackLimit
3312
3313         Options::reservedZoneSize() is the amount of the stack space that JSC guarantees
3314         to the VM and client host code for its use.  Host code that has well known
3315         stack usage characteristics (i.e. doesn't call arbitrary code) may do stack
3316         checks against the VM::m_stackLimit limit (which is computed using
3317         Options::reservedZoneSize()).
3318
3319         Options::softReservedZoneSize() is a more conservative amount of reserved stack
3320         space.  This is used to compute the VM::m_softStackLimit limit.  Any code that
3321         is difficult to have its stack usage characterized (i.e. may call arbitrary code)
3322         may need more stack space for its work.  Hence, these should do stack checks
3323         against the VM::m_softStackLimit limit.
3324
3325         JS code and host code that may call into JS code falls into the category of code
3326         that may call arbitrary code.  Hence, they should do stack checks against the
3327         VM::m_softStackLimit limit.
3328
3329         Accordingly, the VM now provides 2 recursion check functions:
3330
3331         1. VM::isSafeToRecurseSoft() will do a stack check against VM::m_softStackLimit.
3332            In addition, for C Loop builds, VM::isSafeToRecurseSoft() will also
3333            check the CLoopStack against VM::m_cloopStackLimit.
3334
3335         2. VM::isSafeToRecurse() will do a stack check against VM::m_stackLimit.
3336
3337         Also added a promise-infinite-recursion-should-not-crash.js test.
3338
3339         * bytecompiler/BytecodeGenerator.h:
3340         (JSC::BytecodeGenerator::emitNodeInTailPosition):
3341         (JSC::BytecodeGenerator::emitNodeInConditionContext):
3342         * interpreter/CLoopStack.cpp:
3343         (JSC::CLoopStack::grow):
3344         * interpreter/CLoopStack.h:
3345         (JSC::CLoopStack::size):
3346         * interpreter/CLoopStackInlines.h:
3347         (JSC::CLoopStack::ensureCapacityFor):
3348         (JSC::CLoopStack::isSafeToRecurse):
3349         (JSC::CLoopStack::topOfFrameFor):
3350         * interpreter/CachedCall.h:
3351         (JSC::CachedCall::CachedCall):
3352         * interpreter/Interpreter.cpp:
3353         (JSC::Interpreter::execute):
3354         (JSC::Interpreter::executeCall):
3355         (JSC::Interpreter::executeConstruct):
3356         * llint/LLIntSlowPaths.cpp:
3357         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3358         * parser/Parser.cpp:
3359         * runtime/Options.h:
3360         * runtime/ProxyObject.cpp:
3361         (JSC::performProxyGet):
3362         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3363         (JSC::ProxyObject::performHasProperty):
3364         (JSC::ProxyObject::getOwnPropertySlotCommon):
3365         (JSC::ProxyObject::performPut):
3366         (JSC::performProxyCall):
3367         (JSC::performProxyConstruct):
3368         (JSC::ProxyObject::performDelete):
3369         (JSC::ProxyObject::performPreventExtensions):
3370         (JSC::ProxyObject::performIsExtensible):
3371         (JSC::ProxyObject::performDefineOwnProperty):
3372         (JSC::ProxyObject::performGetOwnPropertyNames):
3373         (JSC::ProxyObject::performSetPrototype):
3374         (JSC::ProxyObject::performGetPrototype):
3375         * runtime/RegExp.cpp:
3376         (JSC::RegExp::finishCreation):
3377         (JSC::RegExp::compile):
3378         (JSC::RegExp::compileMatchOnly):
3379         * runtime/StringRecursionChecker.h:
3380         (JSC::StringRecursionChecker::performCheck):
3381         * runtime/VM.cpp:
3382         (JSC::VM::setStackPointerAtVMEntry):
3383         (JSC::VM::updateSoftReservedZoneSize):
3384         (JSC::preCommitStackMemory):
3385         (JSC::VM::updateStackLimits):
3386         (JSC::VM::updateStackLimit): Deleted.
3387         * runtime/VM.h:
3388         (JSC::VM::stackLimit):
3389         (JSC::VM::softStackLimit):
3390         (JSC::VM::addressOfSoftStackLimit):
3391         (JSC::VM::setCLoopStackLimit):
3392         (JSC::VM::isSafeToRecurse):
3393         (JSC::VM::lastStackTop):
3394         (JSC::VM::setException):
3395         * runtime/VMInlines.h:
3396         (JSC::VM::ensureStackCapacityFor):
3397         (JSC::VM::isSafeToRecurseSoft):
3398         (JSC::VM::shouldTriggerTermination):
3399         * tests/stress/promise-infinite-recursion-should-not-crash.js: Added.
3400         (testPromise):
3401         (promiseFunc):
3402         * yarr/YarrPattern.cpp:
3403
3404 2016-07-12  Per Arne Vollan  <pvollan@apple.com>
3405
3406         [Win] Fix for build error when trying to version stamp dll.
3407         https://bugs.webkit.org/show_bug.cgi?id=159692
3408
3409         Reviewed by Brent Fulgham.
3410
3411         Use correct path to version stamp script.
3412
3413         * CMakeLists.txt:
3414
3415 2016-07-12  Benjamin Poulain  <bpoulain@apple.com>
3416
3417         [JSC] Array.prototype.join() fails some conformance tests
3418         https://bugs.webkit.org/show_bug.cgi?id=159657
3419
3420         Reviewed by Saam Barati.
3421
3422         There were a couple of failures:
3423         -separator.toString() was called *before* we get the length
3424          and process ToLength() on it.
3425         -We were using toUInt32() on length instead of ToLength(),
3426          failing on big integers and various negative numbers.
3427
3428         Additionally, I replaced the "fast" ArrayStorage path
3429         by a fully generic implementation that does not depend on StringJoiner.
3430
3431         The reason is StringJoiner was doing poorly on sparse objects
3432         in certain cases.
3433         If you have a sparse object with a length > INT_MAX but very few
3434         indices defined, and you join on the empty string, it should be possible
3435         to join the array (albeit very slowly). With StringJoiner, we fail
3436         because we try to allocate > INT_MAX empty strings in a contiguous vector.
3437
3438         * runtime/ArrayPrototype.cpp:
3439         (JSC::slowJoin):
3440         (JSC::canUseFastJoin):
3441         (JSC::fastJoin):
3442         (JSC::arrayProtoFuncJoin):
3443         (JSC::join): Deleted.
3444         * runtime/JSArray.h:
3445         (JSC::toLength):
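
        Added example (not JSC code; it serves this entry and its re-landing
        above): Array.prototype.join written in the order the spec performs
        its steps, so both conformance points are observable from user code.
        `length` is read and run through ToLength before the separator is
        converted with ToString, and ToLength clamps to [0, 2^53 - 1] instead
        of wrapping modulo 2^32 as toUInt32 does. observeOrder() and the
        sample receivers are constructed for the example.

```javascript
// Added example, not JSC code: Array.prototype.join in spec step order, so the
// two conformance points from the entry can be observed from user code.
function toIntegerOrInfinity(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// ToLength: negative and NaN become 0; anything larger is clamped to 2^53 - 1.
function toLength(v) {
  const len = toIntegerOrInfinity(v);
  if (len <= 0) return 0;
  return Math.min(len, Number.MAX_SAFE_INTEGER);
}

function specJoin(thisValue, separator) {
  if (thisValue === null || thisValue === undefined) {
    throw new TypeError('Array.prototype.join called on null or undefined');
  }
  const O = Object(thisValue);
  const len = toLength(O.length);                                // LengthOfArrayLike first
  const sep = separator === undefined ? ',' : String(separator); // ToString(separator) second
  let R = '';
  for (let k = 0; k < len; k++) {
    if (k > 0) R += sep;
    const element = O[k];
    if (element !== undefined && element !== null) R += String(element);
  }
  return R;
}

// Record the order in which a join implementation touches `length` and the
// separator. `join` is called as join(receiver, separator).
function observeOrder(join) {
  const log = [];
  const receiver = new Proxy({ 0: 'a', 1: 'b', length: 2 }, {
    get(target, key, proxy) {
      if (key === 'length') log.push('get length');
      return Reflect.get(target, key, proxy);
    },
  });
  const separator = {
    toString() { log.push('ToString(separator)'); return '-'; },
  };
  return { result: join(receiver, separator), log };
}

// The two readings of a length value that the entry contrasts.
function lengthInterpretations(v) {
  return { toLength: toLength(v), toUInt32: Number(v) >>> 0 };
}

// The native method in the same calling convention, for side-by-side checks.
const nativeJoin = (receiver, separator) => Array.prototype.join.call(receiver, separator);
```

        A length of 2^32 + 1 under toUInt32 reads as 1, so a sparse object
        with such a length would join a single element; under ToLength it
        keeps its value, which is why the generic path must tolerate lengths
        that cannot be preallocated.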
3446
3447 2016-07-12  Mark Lam  <mark.lam@apple.com>
3448
3449         More stack limit and reserved zone renaming.
3450         https://bugs.webkit.org/show_bug.cgi?id=159690
3451
3452         Rubber-stamped by Geoffrey Garen.
3453
3454         We should rename the following:
3455             osStackLimitWithReserve => softStackLimit
3456             reservedZoneSize => softReservedZoneSize
3457             errorModeReservedZoneSize => reservedZoneSize
3458
3459         * API/tests/PingPongStackOverflowTest.cpp:
3460         (testPingPongStackOverflow):
3461         * dfg/DFGJITCompiler.cpp:
3462         (JSC::DFG::JITCompiler::compile):
3463         (JSC::DFG::JITCompiler::compileFunction):
3464         * ftl/FTLLowerDFGToB3.cpp:
3465         (JSC::FTL::DFG::LowerDFGToB3::lower):
3466         * interpreter/CLoopStack.cpp:
3467         (JSC::CLoopStack::CLoopStack):
3468         (JSC::CLoopStack::grow):
3469         (JSC::CLoopStack::releaseExcessCapacity):
3470         (JSC::CLoopStack::addToCommittedByteCount):
3471         (JSC::CLoopStack::setSoftReservedZoneSize):
3472         (JSC::CLoopStack::setReservedZoneSize): Deleted.
3473         * interpreter/CLoopStack.h:
3474         (JSC::CLoopStack::size):
3475         * interpreter/CLoopStackInlines.h:
3476         (JSC::CLoopStack::shrink):
3477         * jit/JIT.cpp:
3478         (JSC::JIT::compileWithoutLinking):
3479         * jit/SetupVarargsFrame.cpp:
3480         (JSC::emitSetupVarargsFrameFastCase):
3481         * llint/LLIntSlowPaths.cpp:
3482         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3483         * llint/LowLevelInterpreter.asm:
3484         * llint/LowLevelInterpreter32_64.asm:
3485         * llint/LowLevelInterpreter64.asm:
3486         * runtime/ErrorHandlingScope.cpp:
3487         (JSC::ErrorHandlingScope::ErrorHandlingScope):
3488         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
3489         * runtime/ErrorHandlingScope.h:
3490         * runtime/Options.h:
3491         * runtime/RegExp.cpp:
3492         (JSC::RegExp::finishCreation):
3493         (JSC::RegExp::compile):
3494         (JSC::RegExp::compileMatchOnly):
3495         * runtime/VM.cpp:
3496         (JSC::VM::VM):
3497         (JSC::VM::setStackPointerAtVMEntry):
3498         (JSC::VM::updateSoftReservedZoneSize):
3499         (JSC::VM::updateStackLimit):
3500         (JSC::VM::updateReservedZoneSize): Deleted.
3501         * runtime/VM.h:
3502         (JSC::VM::stackPointerAtVMEntry):
3503         (JSC::VM::softReservedZoneSize):
3504         (JSC::VM::softStackLimit):
3505         (JSC::VM::addressOfSoftStackLimit):
3506         (JSC::VM::cloopStackLimit):
3507         (JSC::VM::setCLoopStackLimit):
3508         (JSC::VM::isSafeToRecurse):
3509         (JSC::VM::reservedZoneSize): Deleted.
3510         (JSC::VM::osStackLimitWithReserve): Deleted.
3511         (JSC::VM::addressOfOSStackLimitWithReserve): Deleted.
3512         * runtime/VMInlines.h:
3513         (JSC::VM::ensureStackCapacityFor):
3514         * wasm/WASMFunctionCompiler.h:
3515         (JSC::WASMFunctionCompiler::startFunction):
3516
3517 2016-07-12  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
3518
3519         Remove ENABLE_CSS3_TEXT_LINE_BREAK flag
3520         https://bugs.webkit.org/show_bug.cgi?id=159671
3521
3522         Reviewed by Csaba Osztrogonác.
3523
3524         ENABLE_CSS3_TEXT_LINE_BREAK feature was implemented without guards.
3525         https://bugs.webkit.org/show_bug.cgi?id=89235
3526
3527         So this guard can be removed in build scripts.
3528
3529         * Configurations/FeatureDefines.xcconfig:
3530
3531 2016-07-12  Per Arne Vollan  <pvollan@apple.com>
3532
3533         [Win] DLLs are missing version information.
3534         https://bugs.webkit.org/show_bug.cgi?id=159349
3535
3536         Reviewed by Brent Fulgham.
3537
3538         Generate autoversion.h and run perl version stamp utility.
3539
3540         * CMakeLists.txt:
3541
3542 2016-07-11  Caio Lima  <ticaiolima@gmail.com>
3543
3544         ECMAScript 2016: %TypedArray%.prototype.includes implementation
3545         https://bugs.webkit.org/show_bug.cgi?id=159385
3546
3547         Reviewed by Benjamin Poulain.
3548
3549         This patch implements the ECMAScript 2016:
3550         %TypedArray%.prototype.includes
3551         following spec 22.2.3.14
3552         https://tc39.github.io/ecma262/2016/#sec-%typedarray%.prototype.includes
3553
3554         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3555         (JSC::genericTypedArrayViewProtoFuncIncludes):
3556         * runtime/JSTypedArrayViewPrototype.cpp:
3557         (JSC::typedArrayViewProtoFuncIncludes):
3558         (JSC::JSTypedArrayViewPrototype::finishCreation):
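
        Added example (not JSC code; it serves this entry and its earlier
        landing further down): %TypedArray%.prototype.includes as spec section
        22.2.3.14 describes it, beside the native method. It shows what
        separates includes from indexOf: SameValueZero comparison (NaN matches
        NaN, -0 matches +0) and a fromIndex that counts from the end when
        negative. compareIncludes() and the sample arrays are constructed for
        the example.

```javascript
// Added example, not JSC code: %TypedArray%.prototype.includes as the spec
// shapes it, so the points that distinguish it from indexOf are visible.
function sameValueZero(a, b) {
  return a === b || (Number.isNaN(a) && Number.isNaN(b));
}

function toIntegerOrInfinity(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

function typedArrayIncludes(ta, searchElement, fromIndex) {
  // ValidateTypedArray: reject anything that is not a typed array view.
  if (!ArrayBuffer.isView(ta) || ta instanceof DataView) {
    throw new TypeError('receiver is not a typed array');
  }
  const len = ta.length;
  if (len === 0) return false;
  let n = toIntegerOrInfinity(fromIndex); // undefined -> 0
  if (n === Infinity) return false;
  if (n === -Infinity) n = 0;
  // Negative fromIndex counts back from the end, clamped at 0.
  let k = n >= 0 ? n : Math.max(len + n, 0);
  for (; k < len; k++) {
    if (sameValueZero(ta[k], searchElement)) return true;
  }
  return false;
}

// Compare the spec-shaped version with the native methods on the same input.
function compareIncludes(ta, searchElement, fromIndex) {
  return {
    spec: typedArrayIncludes(ta, searchElement, fromIndex),
    native: ta.includes(searchElement, fromIndex),
    indexOf: ta.indexOf(searchElement, fromIndex),
  };
}
```

        The NaN case is the one worth remembering: includes(NaN) is true for
        a Float32Array holding NaN, while indexOf(NaN) stays -1 because it
        uses strict equality.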
3559
3560 2016-07-11  Benjamin Poulain  <benjamin@webkit.org>
3561
3562         [JSC] Array.from() and Array.of() try to build objects even if "this" is not a constructor
3563         https://bugs.webkit.org/show_bug.cgi?id=159604
3564
3565         Reviewed by Yusuke Suzuki.
3566
3567         The spec says IsConstructor(); we were just checking if "this"
3568         is any function.
3569
3570         * builtins/ArrayConstructor.js:
3571         (of):
3572         (from):
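
        Added example (not JSC code): the IsConstructor() test the entry
        refers to, done from user code, and a check that Array.of and
        Array.from only build through `this` when `this` can actually be
        constructed. `Tagged`, `notAConstructor` and buildWith() are
        constructed for the example.

```javascript
// Added example, not JSC code: an IsConstructor() check from user code, and
// the spec shape of Array.of that depends on it.
function isConstructor(value) {
  if (typeof value !== 'function') return false;
  try {
    // Reflect.construct validates newTarget with IsConstructor before doing
    // anything else, so a non-constructor throws without `value` ever running.
    // (It does read value.prototype, which matters if value is a Proxy.)
    Reflect.construct(String, [], value);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Array.of as the spec shapes it: IsConstructor(C) ? new C(len) : ArrayCreate(len).
function specArrayOf(C, ...items) {
  const len = items.length;
  const A = isConstructor(C) ? new C(len) : new Array(len);
  for (let k = 0; k < len; k++) {
    // CreateDataPropertyOrThrow(A, k, items[k])
    Object.defineProperty(A, k, { value: items[k], writable: true, enumerable: true, configurable: true });
  }
  A.length = len;
  return A;
}

// A real constructor: Array.of / Array.from must build through it.
class Tagged {
  constructor(n) {
    this.tag = 'tagged';
    this.length = n;
  }
}

// Callable but not constructible. An engine that only checked "is a function"
// would attempt `new notAConstructor(len)` and throw a TypeError here.
const notAConstructor = () => { throw new Error('should never be called by Array.of/from'); };

// Build through each candidate with the native methods and report what came out.
function buildWith(C) {
  const of = Array.of.call(C, 1, 2);
  const from = Array.from.call(C, [7, 8]);
  return {
    ofIsArray: Array.isArray(of),
    ofTag: of.tag,
    ofLength: of.length,
    fromIsArray: Array.isArray(from),
    fromLast: from[1],
  };
}
```

        With a constructor as `this`, both methods return an instance of it
        (Array.from calls it with no arguments on the iterable path); with a
        plain callable they fall back to an ordinary Array and never call it.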
3573
3574 2016-07-11  Keith Miller  <keith_miller@apple.com>
3575
3576         defineProperty on a index of a TypedArray should throw if configurable
3577         https://bugs.webkit.org/show_bug.cgi?id=159653
3578
3579         Reviewed by Saam Barati.
3580
3581         When I fixed this before I misread the spec and thought it said we
3582         should throw if the descriptor said the property is not
3583         configurable. This is the opposite. We should throw if the
3584         descriptor says the property is configurable.
3585
3586         * runtime/JSGenericTypedArrayViewInlines.h:
3587         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
3588         * tests/stress/typedarray-access-monomorphic-neutered.js:
3589         * tests/stress/typedarray-access-neutered.js:
3590         * tests/stress/typedarray-configure-index.js: Added.
3591         (assert):
3592         (assertThrows):
3593         (makeDescriptor):
3594         (test):
3595
3596 2016-07-11  Saam Barati  <sbarati@apple.com>
3597
3598         some paths in Array.prototype.splice don't account for the array not having certain indexed properties
3599         https://bugs.webkit.org/show_bug.cgi?id=159641
3600         <rdar://problem/27171999>
3601
3602         Reviewed by Filip Pizlo and Keith Miller.
3603
3604         Array.prototype.splice was incorrectly putting properties on
3605         the result array even if the |this| array didn't have those
3606         properties. This is not the behavior of the spec. However, this
3607         could also cause a crash because we can construct a program where
3608         we would putByIndex on a typed array where the value we are
3609         putting is JSValue(). This is bad because the typed array will
3610         try to convert JSValue() into an integer.
3611
3612         * runtime/ArrayPrototype.cpp:
3613         (JSC::arrayProtoFuncSplice):
3614         * tests/stress/array-prototype-splice-making-typed-array.js: Added.
3615         (assert):
3616         (test):
3617
3618 2016-07-11  Mark Lam  <mark.lam@apple.com>
3619
3620         Refactor JSStack to only be the stack data structure for the C Loop.
3621         https://bugs.webkit.org/show_bug.cgi?id=159545
3622
3623         Reviewed by Geoffrey Garen.
3624
3625         Changes made:
3626         1. Renamed JSStack to CLoopStack.
3627         2. Made all of the CLoopStack code conditional on #if !ENABLE(JIT), i.e. it will
3628            only be in effect for the C Loop build.
3629         3. Changed clients of JSStack to use new equivalent VM APIs:
3630             a. JSStack::ensureCapacityFor() => VM::ensureStackCapacityFor()
3631             b. JSStack::committedByteCount() => VM::committedStackByteCount()
3632         4. Made VM::updateReservedZoneSize() call CLoopStack::setReservedZoneSize()
3633            instead of calling it from all the clients of VM::updateReservedZoneSize().
3634         5. Removed all unnecessary references to JSStack.
3635
3636         * CMakeLists.txt:
3637         * JavaScriptCore.xcodeproj/project.pbxproj:
3638         * assembler/MaxFrameExtentForSlowPathCall.h:
3639         * bytecode/BytecodeConventions.h:
3640         * dfg/DFGGraph.h:
3641         * dfg/DFGOSREntry.cpp:
3642         (JSC::DFG::prepareOSREntry):
3643         * ftl/FTLOSREntry.cpp:
3644         (JSC::FTL::prepareOSREntry):
3645         * heap/Heap.cpp:
3646         (JSC::Heap::finalizeUnconditionalFinalizers):
3647         (JSC::Heap::willStartIterating):
3648         (JSC::Heap::gatherJSStackRoots):
3649         (JSC::Heap::stack): Deleted.
3650         * heap/Heap.h:
3651         * interpreter/CLoopStack.cpp: Copied from Source/JavaScriptCore/interpreter/JSStack.cpp.
3652         (JSC::commitSize):
3653         (JSC::CLoopStack::CLoopStack):
3654         (JSC::CLoopStack::~CLoopStack):
3655         (JSC::CLoopStack::grow):
3656         (JSC::CLoopStack::gatherConservativeRoots):
3657         (JSC::CLoopStack::sanitizeStack):
3658         (JSC::CLoopStack::releaseExcessCapacity):
3659         (JSC::CLoopStack::addToCommittedByteCount):
3660         (JSC::CLoopStack::setReservedZoneSize):
3661         (JSC::CLoopStack::committedByteCount):
3662         (JSC::JSStack::JSStack): Deleted.
3663         (JSC::JSStack::~JSStack): Deleted.
3664         (JSC::JSStack::growSlowCase): Deleted.
3665         (JSC::JSStack::gatherConservativeRoots): Deleted.
3666         (JSC::JSStack::sanitizeStack): Deleted.
3667         (JSC::JSStack::releaseExcessCapacity): Deleted.
3668         (JSC::JSStack::addToCommittedByteCount): Deleted.
3669         (JSC::JSStack::setReservedZoneSize): Deleted.
3670         (JSC::JSStack::lowAddress): Deleted.
3671         (JSC::JSStack::highAddress): Deleted.
3672         (JSC::JSStack::committedByteCount): Deleted.
3673         * interpreter/CLoopStack.h: Copied from Source/JavaScriptCore/interpreter/JSStack.h.
3674         (JSC::CLoopStack::containsAddress):
3675         (JSC::CLoopStack::lowAddress):
3676         (JSC::CLoopStack::highAddress):
3677         (JSC::CLoopStack::reservationTop):
3678         (JSC::JSStack::containsAddress): Deleted.
3679         (JSC::JSStack::lowAddress): Deleted.
3680         (JSC::JSStack::highAddress): Deleted.
3681         (JSC::JSStack::reservationTop): Deleted.
3682         * interpreter/CLoopStackInlines.h: Copied from Source/JavaScriptCore/interpreter/JSStackInlines.h.
3683         (JSC::CLoopStack::ensureCapacityFor):
3684         (JSC::CLoopStack::topOfFrameFor):
3685         (JSC::CLoopStack::topOfStack):
3686         (JSC::CLoopStack::shrink):
3687         (JSC::CLoopStack::setCLoopStackLimit):
3688         (JSC::JSStack::ensureCapacityFor): Deleted.
3689         (JSC::JSStack::topOfFrameFor): Deleted.
3690         (JSC::JSStack::topOfStack): Deleted.
3691         (JSC::JSStack::shrink): Deleted.
3692         (JSC::JSStack::grow): Deleted.
3693         (JSC::JSStack::setCLoopStackLimit): Deleted.
3694         * interpreter/CallFrame.cpp:
3695         (JSC::CallFrame::unsafeCallSiteIndex):
3696         (JSC::CallFrame::currentVPC):
3697         (JSC::CallFrame::stack): Deleted.
3698         * interpreter/CallFrame.h:
3699         (JSC::ExecState::callerFrameAndPC):
3700         (JSC::ExecState::unsafeCallerFrameAndPC):
3701         * interpreter/Interpreter.cpp:
3702         (JSC::sizeOfVarargs):
3703         (JSC::sizeFrameForForwardArguments):
3704         (JSC::sizeFrameForVarargs):
3705         (JSC::Interpreter::Interpreter):
3706         * interpreter/Interpreter.h:
3707         (JSC::Interpreter::cloopStack):
3708         (JSC::Interpreter::getOpcode):
3709         (JSC::Interpreter::isCallBytecode):
3710         (JSC::Interpreter::stack): Deleted.
3711         * interpreter/JSStack.cpp: Removed.
3712         * interpreter/JSStack.h: Removed.
3713         * interpreter/JSStackInlines.h: Removed.
3714         * interpreter/StackVisitor.cpp:
3715         (JSC::StackVisitor::Frame::dump):
3716         * jit/JIT.h:
3717         * jit/JITOperations.cpp:
3718         * jit/JSInterfaceJIT.h:
3719         * jit/SpecializedThunkJIT.h:
3720         * jit/ThunkGenerators.cpp:
3721         * llint/LLIntOffsetsExtractor.cpp:
3722         * llint/LLIntSlowPaths.cpp:
3723         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3724         (JSC::LLInt::llint_stack_check_at_vm_entry):
3725         * llint/LLIntThunks.cpp:
3726         * llint/LowLevelInterpreter.cpp:
3727         (JSC::CLoop::execute):
3728         * runtime/CommonSlowPaths.cpp:
3729         (JSC::SLOW_PATH_DECL):
3730         * runtime/CommonSlowPaths.h:
3731         (JSC::CommonSlowPaths::arityCheckFor):
3732         * runtime/ErrorHandlingScope.cpp:
3733         (JSC::ErrorHandlingScope::ErrorHandlingScope):
3734         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
3735         * runtime/JSGlobalObject.h:
3736         * runtime/MemoryStatistics.cpp:
3737         (JSC::globalMemoryStatistics):
3738         * runtime/StackAlignment.h:
3739         * runtime/VM.cpp:
3740         (JSC::VM::VM):
3741         (JSC::VM::updateReservedZoneSize):
3742         (JSC::sanitizeStackForVM):
3743         (JSC::VM::committedStackByteCount):
3744         * runtime/VM.h:
3745         (JSC::VM::reservedZoneSize):
3746         (JSC::VM::osStackLimitWithReserve):
3747         (JSC::VM::addressOfOSStackLimitWithReserve):
3748         * runtime/VMInlines.h:
3749         (JSC::VM::ensureStackCapacityFor):
3750         (JSC::VM::shouldTriggerTermination):
3751
3752 2016-07-11  Keith Miller  <keith_miller@apple.com>
3753
3754         STP TypedArray.subarray 5x slowdown compared to 9.1
3755         https://bugs.webkit.org/show_bug.cgi?id=156404
3756         <rdar://problem/26493032>
3757
3758         Reviewed by Geoffrey Garen.
3759
3760         This patch moves the species constructor work for
3761         %TypedArray%.prototype.subarray to a js wrapper. By moving the
3762         species constructor work to JS we are able to completely optimize
3763         it out in DFG. The actual work of creating a TypedArray is still
3764         done in C++ since we are able to avoid calling into the
3765         constructor, which is expensive. This patch also changes the error
3766         message when a %TypedArray%.prototype function is passed a non-typed
3767         array this value. Finally, we used to check that the this value
3768         had not been detached; however, this behavior was incorrect.
3769
3770         * builtins/BuiltinNames.h:
3771         * builtins/TypedArrayPrototype.js:
3772         (globalPrivate.typedArraySpeciesConstructor):
3773         (subarray):
3774         * runtime/ConstructData.cpp:
3775         (JSC::construct):
3776         * runtime/ConstructData.h:
3777         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3778         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
3779         (JSC::genericTypedArrayViewProtoFuncSubarray): Deleted.
3780         * runtime/JSGlobalObject.cpp:
3781         (JSC::JSGlobalObject::init):
3782         * runtime/JSTypedArrayViewPrototype.cpp:
3783         (JSC::typedArrayViewPrivateFuncLength):
3784         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
3785         (JSC::JSTypedArrayViewPrototype::finishCreation):
3786         (JSC::typedArrayViewProtoFuncSubarray): Deleted.
3787         * runtime/JSTypedArrayViewPrototype.h:
3788
3789 2016-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3790
3791         REGRESSION(r202992): JSC varargs tests are broken
3792         https://bugs.webkit.org/show_bug.cgi?id=159616
3793
3794         Reviewed by Csaba Osztrogonác.
3795
3796         The substitution miss in r202992 causes varargs test failures in the GTK port.
3797
3798         * jit/SetupVarargsFrame.cpp:
3799         (JSC::emitSetupVarargsFrameFastCase):
3800
3801 2016-07-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3802
3803         [ES6] Promise.{all,race} no longer use @@species
3804         https://bugs.webkit.org/show_bug.cgi?id=159615
3805
3806         Reviewed by Keith Miller.
3807
3808         As per the latest ES draft, Promise.{all,race} no longer use @@species.
3809         So, this patch drops FIXMEs.
3810
3811         * builtins/PromiseConstructor.js:
3812         (all):
3813         (race):
3814         * tests/stress/ignore-promise-species.js: Added.
3815         (shouldBe):
3816         (DerivedPromise.prototype.get Symbol):
3817         (DerivedPromise):
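
        Added example (not JSC code or its test): which constructor each
        Promise method builds its result with, observed from user code.
        `DerivedPromise` is constructed for the example; its @@species points
        back at %Promise%, so a method that consults @@species hands back a
        plain Promise, while one that uses `this` directly hands back a
        DerivedPromise.

```javascript
// Added example, not JSC code: Promise.{all,race} build through `this`, while
// Promise.prototype.then goes through SpeciesConstructor. A subclass whose
// @@species is %Promise% makes the difference observable.
class DerivedPromise extends Promise {
  static get [Symbol.species]() {
    return Promise;
  }
}

function observeConstructors() {
  const p = DerivedPromise.resolve(1);
  const chained = p.then((v) => v);       // then: SpeciesConstructor -> Promise
  const all = DerivedPromise.all([p]);    // all: NewPromiseCapability(this)
  const race = DerivedPromise.race([p]);  // race: same
  const name = (x) => (x instanceof DerivedPromise ? 'DerivedPromise' : 'Promise');
  return { thenYields: name(chained), allYields: name(all), raceYields: name(race) };
}
```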
3818
3819 2016-07-10  Commit Queue  <commit-queue@webkit.org>
3820
3821         Unreviewed, rolling out r203037.
3822         https://bugs.webkit.org/show_bug.cgi?id=159614
3823
3824         The JSC tests are breaking in elcapitan-debug-tests-jsc and
3825         elcapitan-release-tests-jsc (Requested by caiolima on
3826         #webkit).
3827
3828         Reverted changeset:
3829
3830         "ECMAScript 2016: %TypedArray%.prototype.includes
3831         implementation"
3832         https://bugs.webkit.org/show_bug.cgi?id=159385
3833         http://trac.webkit.org/changeset/203037
3834
3835 2016-07-10  Caio Lima  <ticaiolima@gmail.com>
3836
3837         ECMAScript 2016: %TypedArray%.prototype.includes implementation
3838         https://bugs.webkit.org/show_bug.cgi?id=159385
3839
3840         Reviewed by Benjamin Poulain.
3841
3842         This patch implements the ECMAScript 2016:
3843         %TypedArray%.prototype.includes
3844         following spec 22.2.3.14
3845         https://tc39.github.io/ecma262/2016/#sec-%typedarray%.prototype.includes
3846
3847         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3848         (JS