0c9ded64fb8f21f86d975b5823e23664df015425
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-06-07  Saam barati  <sbarati@apple.com>
2
3         InvalidationPointInjectionPhase creates bogus InvalidationPoints that may even be inserted when it's not OK to exit
4         https://bugs.webkit.org/show_bug.cgi?id=158499
5         <rdar://problem/26647473>
6
7         Reviewed by Mark Lam and Benjamin Poulain.
8
9         InvalidationPointInjectionPhase forgot to clear m_originThatHadFire 
10         before analyzing the current block it's analyzing. This meant that
11         the phase allowed a residual m_originThatHadFire that was set from the
12         previous block to affect a completely unrelated block. This is usually
13         harmless, but sometimes we would insert an InvalidationPoint at a point
14         in the graph when exiting is invalid. This would cause a crash.
15
16         * dfg/DFGInvalidationPointInjectionPhase.cpp:
17         (JSC::DFG::InvalidationPointInjectionPhase::run):
18         * tests/stress/dont-crash-on-bad-invalidation-point.js: Added.
19         (dontCrash):
20
21 2016-06-07  Saam Barati  <sbarati@apple.com>
22
23         operationProcessTypeProfilerLogDFG doesn't update topCallFrame
24         https://bugs.webkit.org/show_bug.cgi?id=158428
25         <rdar://problem/26571493>
26
27         Reviewed by Mark Lam.
28
29         * dfg/DFGOperations.cpp:
30
31 2016-06-07  Mark Lam  <mark.lam@apple.com>
32
33         calculatedDisplayName() and friends actually need a VM& and not a ExecState/CallFrame.
34         https://bugs.webkit.org/show_bug.cgi?id=158488
35
36         Reviewed by Geoffrey Garen.
37
38         calculatedDisplayName() (and some of its friends) actually just need a VM&.
39         Their work has nothing to do with an ExecState at all.  This patch will make that
40         clear by changing these functions to take a VM& arg instead of an ExecState* or
41         CallFrame*.
42
43         Also removed the JS_EXPORT_PRIVATE attribute from Interpreter::StackFrame::toString().
44         The JS_EXPORT_PRIVATE attribute was a holdover from the days when WebInspector
45         was entirely in WebCore.  It is no longer needed.
46
47         * debugger/DebuggerCallFrame.cpp:
48         (JSC::DebuggerCallFrame::functionName):
49         * inspector/JSInjectedScriptHost.cpp:
50         (Inspector::JSInjectedScriptHost::functionDetails):
51         * inspector/ScriptCallStackFactory.cpp:
52         (Inspector::createScriptCallStackFromException):
53         * interpreter/CallFrame.cpp:
54         (JSC::CallFrame::friendlyFunctionName):
55         * interpreter/Interpreter.cpp:
56         (JSC::StackFrame::friendlySourceURL):
57         (JSC::StackFrame::friendlyFunctionName):
58         (JSC::StackFrame::expressionInfo):
59         (JSC::StackFrame::toString):
60         (JSC::Interpreter::stackTraceAsString):
61         * interpreter/Interpreter.h:
62         * interpreter/StackVisitor.cpp:
63         (JSC::StackVisitor::Frame::functionName):
64         * runtime/InternalFunction.cpp:
65         (JSC::InternalFunction::name):
66         (JSC::InternalFunction::displayName):
67         (JSC::InternalFunction::getCallData):
68         (JSC::InternalFunction::calculatedDisplayName):
69         * runtime/InternalFunction.h:
70         (JSC::InternalFunction::createStructure):
71         * runtime/JSFunction.cpp:
72         (JSC::JSFunction::name):
73         (JSC::JSFunction::displayName):
74         (JSC::JSFunction::calculatedDisplayName):
75         (JSC::JSFunction::getConstructData):
76         (JSC::getCalculatedDisplayName):
77         * runtime/JSFunction.h:
78         (JSC::JSFunction::executable):
79         * runtime/JSObject.cpp:
80         (JSC::JSObject::calculatedClassName):
81
82 2016-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
83
84         [JSC] Do not allocate unnecessary UTF-8 string for encodeXXX functions
85         https://bugs.webkit.org/show_bug.cgi?id=158416
86
87         Reviewed by Darin Adler and Geoffrey Garen.
88
89         Previously, encodeXXX functions first allocate a new UTF-8 string, and generate (& allocate) the results from this UTF-8 string.
90         It is costly since this UTF-8 string is always wasted. In this patch, we generate the results without this UTF-8 string.
91         We precisely implement ECMA262's Encode abstract operation[1].
92
93         These optimized encodeXXX functions provide a great improvement in kraken stanford-crypto-sha256-iterative since it frequently calls
94         these functions. We can see 6 - 7% improvements.
95
96                                                       baseline                  patched
97
98         stanford-crypto-sha256-iterative           37.952+-0.155      ^      35.484+-0.265         ^ definitely 1.0695x faster
99
100
101         [1]: https://tc39.github.io/ecma262/#sec-encode
102
103         * runtime/JSGlobalObjectFunctions.cpp:
104         (JSC::toSafeView):
105         Use this helper function to retrieve JSString::SafeView.
106
107         (JSC::makeCharacterBitmap):
108         (JSC::encode):
109         In encode, we reserve an N-length buffer at first. This is important when the length of the given string is long enough,
110         preventing frequent unnecessary buffer reallocations. This reservation contributes to a 1% kraken stanford-crypto-sha256-iterative progression.
111
112         (JSC::decode):
113         Previously, the Bitmap accidentally included \0, and instead of removing this \0, we checked character != 0.
114         This patch fixes it so that the Bitmap does not include \0.
115
116         (JSC::globalFuncParseInt):
117         (JSC::globalFuncEscape):
118         (JSC::globalFuncUnescape):
119         * tests/stress/encode-decode-ascii.js: Added.
120         (shouldBe):
121         * tests/stress/encode-decode-unicode.js: Added.
122         (shouldBe):
123         (isLowSurrogate):
124         (isHighSurrogate):
125         (isSurrogate):
126         * tests/stress/encode-decode-uri-component-surrogates.js: Added.
127         (shouldBe):
128         (toHighSurrogate):
129         (toLowSurrogate):
130         * tests/stress/encode-decode-uri-surrogates.js: Added.
131         (shouldBe):
132         (toHighSurrogate):
133         (toLowSurrogate):
134         * tests/stress/encode-decode-zero.js: Added.
135         (shouldBe):
136         * tests/stress/escape-unescape-surrogates.js: Added.
137         (shouldBe):
138         (toHighSurrogate):
139         (toLowSurrogate):
140
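The Encode abstract operation that the entry above says is now implemented precisely, written out in JavaScript as an added illustration (this is not JavaScriptCore's C++ code from the patch; the names makeCharacterBitmap, encode, myEncodeURIComponent and myEncodeURI are this example's own, chosen to mirror the entry). It walks the input by code unit, passes members of the unescaped set through a lookup table, UTF-8 encodes every other code point as %XX sequences, rejects unpaired surrogates with URIError, and treats U+0000 as an ordinary character so that it becomes "%00" rather than terminating the scan, which is the \0 pitfall mentioned for decode.

```javascript
"use strict";

// Unescaped sets from ECMA-262 "URI Handling Functions".
const URI_ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
const DECIMAL_DIGIT = "0123456789";
const URI_MARK = "-_.!~*'()";
const URI_RESERVED = ";/?:@&=+$,";
const URI_UNESCAPED = URI_ALPHA + DECIMAL_DIGIT + URI_MARK;

// Counterpart of the entry's makeCharacterBitmap (this example's own version):
// a 128-entry table of the ASCII characters that pass through unchanged.
// Only the characters of the set string are marked; a C-string NUL terminator
// never is, which is the mistake the decode fix above corrects.
function makeCharacterBitmap(set) {
  const bitmap = new Uint8Array(128);
  for (const ch of set) bitmap[ch.charCodeAt(0)] = 1;
  return bitmap;
}

const COMPONENT_UNESCAPED = makeCharacterBitmap(URI_UNESCAPED);                      // encodeURIComponent
const URI_UNESCAPED_FULL = makeCharacterBitmap(URI_RESERVED + URI_UNESCAPED + "#");   // encodeURI

// UTF-8 octets of one Unicode scalar value.
function utf8Octets(cp) {
  if (cp < 0x80) return [cp];
  if (cp < 0x800) return [0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)];
  if (cp < 0x10000) return [0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)];
  return [0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)];
}

// Encode(string, unescapedSet): pass set members through; otherwise read one
// code point, throw URIError on an unpaired surrogate, and emit "%XX" per octet.
function encode(string, unescapedBitmap) {
  const strLen = string.length;
  let R = "";
  let k = 0;
  while (k < strLen) {
    const C = string.charCodeAt(k);
    if (C < 128 && unescapedBitmap[C]) {
      R += string[k];
      k += 1;
      continue;
    }
    let cp;
    if (C >= 0xDC00 && C <= 0xDFFF) {
      throw new URIError("URI malformed: unpaired low surrogate at index " + k);
    }
    if (C >= 0xD800 && C <= 0xDBFF) {
      // charCodeAt past the end would give NaN, which no comparison catches; guard explicitly.
      const next = k + 1 < strLen ? string.charCodeAt(k + 1) : -1;
      if (next < 0xDC00 || next > 0xDFFF) {
        throw new URIError("URI malformed: unpaired high surrogate at index " + k);
      }
      cp = 0x10000 + ((C - 0xD800) << 10) + (next - 0xDC00);
      k += 2;
    } else {
      cp = C; // includes U+0000, which must become "%00", not end the scan
      k += 1;
    }
    for (const octet of utf8Octets(cp)) {
      R += "%" + octet.toString(16).toUpperCase().padStart(2, "0");
    }
  }
  return R;
}

function myEncodeURIComponent(value) { return encode(String(value), COMPONENT_UNESCAPED); }
function myEncodeURI(value) { return encode(String(value), URI_UNESCAPED_FULL); }

// True when fn(value) raises URIError; used to check the surrogate edge cases.
function throwsURIError(fn, value) {
  try { fn(value); return false; } catch (e) { return e instanceof URIError; }
}
```

Running myEncodeURIComponent and myEncodeURI against the built-ins on strings containing "\0", astral characters and the mark characters is a quick way to confirm the unescaped sets and the surrogate handling agree with the engine.
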
141 2016-06-07  Ting-Wei Lan  <lantw44@gmail.com>
142
143         [GTK] Include locale.h before using LC_ALL
144         https://bugs.webkit.org/show_bug.cgi?id=158470
145
146         Reviewed by Darin Adler.
147
148         * jsc.cpp:
149
150 2016-06-07  Joseph Pecoraro  <pecoraro@apple.com>
151
152         Unskip generator related stress tests
153         https://bugs.webkit.org/show_bug.cgi?id=158461
154
155         Reviewed by Darin Adler.
156
157         * tests/stress/generator-methods.js:
158         * tests/stress/generator-syntax.js:
159         * tests/stress/yield-and-line-terminator.js:
160         * tests/stress/yield-label-generator.js:
161         * tests/stress/yield-named-accessors-generator.js:
162         * tests/stress/yield-named-variable-generator.js:
163         * tests/stress/yield-out-of-generator.js:
164
165 2016-06-06  Joseph Pecoraro  <pecoraro@apple.com>
166
167         Fix typo in test name trailing-comma-in-function-paramters.js
168         https://bugs.webkit.org/show_bug.cgi?id=158462
169
170         Reviewed by Mark Lam.
171
172         * tests/stress/trailing-comma-in-function-parameters.js: Renamed from Source/JavaScriptCore/tests/stress/trailing-comma-in-function-paramters.js.
173
174 2016-06-06  Andreas Kling  <akling@apple.com>
175
176         REGRESSION(r197595): 2% JSBench regression on iPhone 5.
177         <https://webkit.org/b/158459>
178
179         Unreviewed rollout.
180
181         * runtime/VM.cpp:
182         (JSC::VM::deleteAllRegExpCode): Deleted.
183         * runtime/VM.h:
184
185 2016-06-06  Michael Saboff  <msaboff@apple.com>
186
187         octal and binary parsing is wrong for some programs
188         https://bugs.webkit.org/show_bug.cgi?id=158437
189
190         Reviewed by Saam Barati.
191
192         When there is an error parsing a binary or octal literal, we need to clear the returnValue
193         of any residual value.  This is because the processing of returnValue happens before the
194         syntax check for the extra character.  Without clearing returnValue, we end up trying to
195         categorize the value as an INTEGER or DOUBLE token.  If the value happens to be an
196         impure NaN, we ASSERT.
197
198         * parser/Lexer.cpp:
199         (JSC::Lexer<T>::parseBinary):
200         (JSC::Lexer<T>::parseOctal):
201         * tests/stress/regress-158437.js: New test.
202
203 2016-06-06  Mark Lam  <mark.lam@apple.com>
204
205         32-bit JSC stress test failing: stress/recursive-try-catch.js.ftl-no-cjit-validate-sampling-profiler
206         https://bugs.webkit.org/show_bug.cgi?id=158362
207
208         Reviewed by Michael Saboff.
209
210         The test does infinite recursion until it overflows the stack.  That means the
211         sampling profiler will have to capture excessively large samples, which in turn
212         makes it run very slowly.  This is what causes the test to time out.
213
214         The fix is to not run the test with the sampling profiler.
215
216         * tests/stress/recursive-try-catch.js:
217
218 2016-06-06  Andreas Kling  <akling@apple.com>
219
220         Don't reportAbandonedObjectGraph() after throwing out linked code or RegExps.
221         <https://webkit.org/b/158444>
222
223         Unreviewed.
224
225         This is a speculative change for iOS performance bots. The calls to reportAbandonedObjectGraph
226         were basically redundant, since mainframe navigation will cause GC acceleration anyway via
227         ScriptController.
228
229         This appears successful at recovering the ~0.7% regression I could reproduce locally on newer
230         hardware but it's a bit too noisy to say for sure.
231
232         * runtime/VM.cpp:
233         (JSC::VM::deleteAllLinkedCode):
234         (JSC::VM::deleteAllRegExpCode):
235
236 2016-06-06  Skachkov Oleksandr  <gskachkov@gmail.com>
237         [ESNext] Trailing commas in function parameters.
238         https://bugs.webkit.org/show_bug.cgi?id=158020
239
240         Reviewed by Keith Miller.
241
242         ESNext allows trailing commas in function parameters and function arguments.
243         Link to spec - https://jeffmo.github.io/es-trailing-function-commas
244         Example of use - (function (a, b,) { return a + b; })(1,2,);
245
246         * parser/Parser.cpp:
247         (JSC::Parser<LexerType>::parseFormalParameters):
248         (JSC::Parser<LexerType>::parseArguments):
249         * tests/stress/trailing-comma-in-function-paramters.js: Added.
250
251 2016-06-05  Gavin & Ellie Barraclough  <barraclough@apple.com>
252
253         Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead.
254         https://bugs.webkit.org/show_bug.cgi?id=158178
255
256         Reviewed by Darin Adler.
257
258         As of bug #158059 most JSC static table property access no longer requires getOwnPropertySlot to be
259         overridden. Port remaining calls to the getStatic* functions in Lookup.h over to the new mechanism.
260
261         Deprecate getStatic* functions in Lookup.h
262
263         * runtime/Lookup.h:
264         (JSC::getStaticPropertySlot): Deleted.
265         (JSC::getStaticFunctionSlot): Deleted.
266         (JSC::getStaticValueSlot): Deleted.
267             - No longer required. Static table access now via JSObject.
268
269 2016-06-06  Guillaume Emont  <guijemont@igalia.com>
270
271         [jsc][mips] Implement absDouble()
272         https://bugs.webkit.org/show_bug.cgi?id=158206
273
274         Reviewed by Mark Lam.
275
276         Implement absDouble() for MIPS. This is needed because Math.pow() has used
277         it since r200208.
278
279         * assembler/MIPSAssembler.h:
280         (JSC::MIPSAssembler::absd):
281         * assembler/MacroAssemblerMIPS.h:
282         (JSC::MacroAssemblerMIPS::absDouble):
283
284 2016-06-03  Oliver Hunt  <oliver@apple.com>
285
286         RegExp unicode parsing reads an extra character before failing
287         https://bugs.webkit.org/show_bug.cgi?id=158376
288
289         Reviewed by Saam Barati.
290
291         This was a probably harmless bug, but keeps triggering assertions
292         for me locally. Essentially we'd see a parse error, set the error
293         type, but then carry on parsing. In debug builds this asserts, in
294         release builds you are pretty safe unless you're exceptionally
295         unlucky with where the error occurs.
296
297         * yarr/YarrParser.h:
298         (JSC::Yarr::Parser::parseEscape):
299
300 2016-06-06  Guillaume Emont  <guijemont@igalia.com>
301
302         [jsc][mips] fix JIT::emit_op_log_shadow_chicken_prologue/_tail
303         https://bugs.webkit.org/show_bug.cgi?id=158209
304
305         Reviewed by Mark Lam.
306
307         On MIPS, changes GPRInfo::nonArgGPR0 to be regT4 instead of regT0,
308         since the code of JIT::emit_op_log_shadow_chicken_prologue/_tail()
309         expects nonArgGPR0 to be a different register from regT0 and regT2.
310
311         * jit/GPRInfo.h:
312
313 2016-06-06  Chris Dumez  <cdumez@apple.com>
314
315         Crash under JSObject::getOwnPropertyDescriptor()
316         https://bugs.webkit.org/show_bug.cgi?id=158382
317         <rdar://problem/26605004>
318
319         Reviewed by Mark Lam.
320
321         * runtime/JSObject.h:
322         (JSC::JSObject::putDirectInternal):
323         We were crashing under getOwnPropertyDescriptor() because the
324         CustomAccessor was not properly reset on window.statusbar when
325         setting it to false (which is allowed because the property is
326         marked as [Replaceable] in the IDL). We now properly reset the
327         CustomAccessor flag in putDirectInternal() when needed. This
328         fixes the crash.
329
330 2016-06-06  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
331
332         [EFL] Move efl include paths to JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
333         https://bugs.webkit.org/show_bug.cgi?id=158418
334
335         Reviewed by Csaba Osztrogonác.
336
337         In Source/JavaScriptCore/PlatformEfl.cmake, we don't use JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
338         for efl include paths.
339
340         * PlatformEfl.cmake:
341         * tests/stress/encode-decode-ascii.js: Added.
342         (shouldBe):
343         * tests/stress/encode-decode-unicode.js: Added.
344         (shouldBe):
345         (isLowSurrogate):
346         (isHighSurrogate):
347         (isSurrogate):
348         * tests/stress/encode-decode-uri-component-surrogates.js: Added.
349         (shouldBe):
350         (toHighSurrogate):
351         (toLowSurrogate):
352         * tests/stress/encode-decode-uri-surrogates.js: Added.
353         (shouldBe):
354         (toHighSurrogate):
355         (toLowSurrogate):
356         * tests/stress/encode-decode-zero.js: Added.
357         (shouldBe):
358         * tests/stress/escape-unescape-surrogates.js: Added.
359         (shouldBe):
360         (toHighSurrogate):
361         (toLowSurrogate):
362
363 2016-06-05  Yusuke Suzuki  <utatane.tea@gmail.com>
364
365         Change ProxyObject.[[Get]] not to use custom accessor
366         https://bugs.webkit.org/show_bug.cgi?id=157080
367
368         Reviewed by Darin Adler.
369
370         This patch focuses on introducing the second part of the following.
371         But to do so, the first and third parts are necessary.
372
373         1. Insert missing exception checks for getPropertySlot.
374
375             While getPropertySlot can perform user-observable behavior if the slot is not VMInquiry,
376             several places miss exeption checks. For example, ProxyObject's hasProperty already can
377             throw any errors. Looking through the code, we found several missing error checks after
378             hasProperty, but this will be fixed in the separated patch[1].
379
380         2. Do not use custom accessor to implement ProxyObject's [[Get]].
381
382             The caller already allows getOwnPropertySlot to throw an exception if the type
383             is not VMInquiry. So instead of using custom accessor, we simply implement it
384             directly in the ProxyObject's method.
385
386         3. Strip slotBase from custom accessor.
387
388             The custom accessor should not be bound to the specific slot base[2], since it
389             is just an accessor. There is an alternative design: making this custom accessor
390             a custom value accessor that accepts both the slot base and the receiver instead
391             of allowing getOwnPropertySlot to throw an error. But we take the first design
392             that allows getPropertySlot to throw an error, since hasProperty (that does not call
393             getValue of the custom getters) can already throw any errors.
394
395             To query the property in a non-user-observable way, we already provided a way for that:
396             use VMInquiry and isTaintedByProxy() instead.
397
398         Tests just ensure that the current semantics works correctly after this patch.
399         And this patch is performance neutral.
400
401         Later, we will attempt to rename "thisValue" to "receiver"[3].
402
403         [1]: https://bugs.webkit.org/show_bug.cgi?id=158398
404         [2]: https://bugs.webkit.org/show_bug.cgi?id=157978
405         [3]: https://bugs.webkit.org/show_bug.cgi?id=158397
406
407         * API/JSCallbackObject.h:
408         * API/JSCallbackObjectFunctions.h:
409         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
410         (JSC::JSCallbackObject<Parent>::callbackGetter):
411         * bytecode/PolymorphicAccess.cpp:
412         (JSC::AccessCase::generateImpl):
413         * dfg/DFGOperations.cpp:
414         * interpreter/Interpreter.cpp:
415         (JSC::Interpreter::execute):
416         * jit/JITOperations.cpp:
417         * jsc.cpp:
418         (WTF::ImpureGetter::getOwnPropertySlot):
419         (WTF::CustomGetter::customGetter):
420         (WTF::RuntimeArray::lengthGetter):
421         (GlobalObject::finishCreation):
422         (GlobalObject::moduleLoaderFetch):
423         (functionGetGetterSetter):
424         (functionRun):
425         (functionLoad):
426         (functionLoadString):
427         (functionReadFile):
428         (functionCheckSyntax):
429         (functionLoadWebAssembly):
430         (functionLoadModule):
431         (functionCreateBuiltin):
432         (functionCheckModuleSyntax):
433         (dumpException):
434         (runWithScripts):
435         (runInteractive):
436         * llint/LLIntSlowPaths.cpp:
437         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
438         * runtime/CommonSlowPaths.cpp:
439         (JSC::SLOW_PATH_DECL):
440         * runtime/JSBoundSlotBaseFunction.cpp:
441         (JSC::boundSlotBaseFunctionCall):
442         * runtime/JSCJSValue.h:
443         * runtime/JSCJSValueInlines.h:
444         (JSC::JSValue::getPropertySlot):
445         * runtime/JSCellInlines.h:
446         (JSC::ExecState::vm):
447         This change is super important for performance. We add several `exec->hadException()` calls into the super hot path, like JSC::operationGetByIdOptimize.
448         Without this change, we call ExecState::vm() and it is not inlined. This causes 1 - 2% performance regression in Octane PDFJS.
449
450         * runtime/JSFunction.cpp:
451         (JSC::JSFunction::argumentsGetter):
452         (JSC::JSFunction::callerGetter):
453         * runtime/JSFunction.h:
454         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
455         (JSC::constructGenericTypedArrayViewWithArguments):
456         * runtime/JSModuleNamespaceObject.cpp:
457         (JSC::callbackGetter):
458         * runtime/JSONObject.cpp:
459         (JSC::Stringifier::Holder::appendNextProperty):
460         Here, UNLIKELY is important for Kraken's json-stringify-tinderbox. Without it, we can observe a 0.5% regression.
461
462         (JSC::Walker::walk):
463         * runtime/JSObject.h:
464         (JSC::JSObject::getPropertySlot):
465         * runtime/ObjectPrototype.cpp:
466         (JSC::objectProtoFuncToString):
467         * runtime/PropertySlot.cpp:
468         (JSC::PropertySlot::customGetter):
469         * runtime/PropertySlot.h:
470         (JSC::PropertySlot::thisValue):
471         * runtime/ProxyObject.cpp:
472         (JSC::performProxyGet):
473         (JSC::ProxyObject::performGet):
474         (JSC::ProxyObject::getOwnPropertySlotCommon):
475         * runtime/ProxyObject.h:
476         * runtime/RegExpConstructor.cpp:
477         (JSC::regExpConstructorDollar):
478         (JSC::regExpConstructorInput):
479         (JSC::regExpConstructorMultiline):
480         (JSC::regExpConstructorLastMatch):
481         (JSC::regExpConstructorLastParen):
482         (JSC::regExpConstructorLeftContext):
483         (JSC::regExpConstructorRightContext):
484         * tests/stress/get-from-scope-dynamic-onto-proxy.js: Added.
485         (shouldBe):
486         (shouldThrow.handler.has):
487         (handler.has):
488         (try.handler.has):
489         * tests/stress/operation-in-throw-error.js: Added.
490         (testCase.handler.has):
491         (testCase):
492         * tests/stress/proxy-and-json-stringify.js: Added.
493         (shouldThrow):
494         * tests/stress/proxy-and-typed-array.js: Added.
495         * tests/stress/proxy-json-path.js: Added.
496         * tests/stress/proxy-with-statement.js: Added.
497
498 2016-06-03  Gavin & Ellie Barraclough  <barraclough@apple.com>
499
500         Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead.
501         https://bugs.webkit.org/show_bug.cgi?id=158178
502
503         Reviewed by Darin Adler.
504
505         As of bug #158059 most JSC static table property access no longer requires getOwnPropertySlot to be
506         overridden. Port remaining calls to the getStatic* functions in Lookup.h over to the new mechanism.
507
508         Part 1: Switch JSGlobalObject & JSDOMWindow to use HasStaticPropertyTable.
509
510         * runtime/JSGlobalObject.cpp:
511         (JSC::JSGlobalObject::getOwnPropertySlot):
512             - Override is still required for symbol table,
513               but regular property access is now via Base::getOwnPropertySlot.
514         * runtime/JSGlobalObject.h:
515             - add HasStaticPropertyTable to structureFlags.
516
517 2016-06-03  Benjamin Poulain  <bpoulain@apple.com>
518
519         Eager FTL failure for strict comparison of NaN with number check
520         https://bugs.webkit.org/show_bug.cgi?id=158368
521
522         Reviewed by Darin Adler.
523
524         DoubleRep with a RealNumberUse starts by handling double
525         then falls back to Int32 if the unboxed double is NaN.
526
527         Before handling integers, the code is checking if the input
528         is indeed an int32. The problem was that this check failed
529         to account for NaN as an original input of the DoubleRep.
530
531         The call to isNotInt32() filters out the double checks because
532         that was handled by the previous block.
533         The problem is the previous block handles any double except NaN.
534         If the original input was NaN, the masking by "~SpecFullDouble"
535         filters out that possibility and isNotInt32() fails to test that case.
536
537         This patch fixes the issue by changing the filter to SpecDoubleReal.
538         The type SpecDoubleReal does not include the NaN types.
539
540         * ftl/FTLLowerDFGToB3.cpp:
541         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
542         * tests/stress/double-rep-real-number-use-on-nan.js: Added.
543         To ensure the isNotInt32() does not test anything, we want
544         proven numbers as input. The (+value) are there to enforce
545         a ToNumber() which in turn gives us a proven Number type.
546
547 2016-06-03  Benjamin Poulain  <bpoulain@apple.com>
548
549         JSON.stringify replacer function calls with numeric array indices
550         https://bugs.webkit.org/show_bug.cgi?id=158262
551         rdar://problem/26613876
552
553         Reviewed by Saam Barati.
554
555         The spec of SerializeJSONArray is pretty clear that the index
556         should be transformed into a string before calling SerializeJSONProperty.
557         See http://www.ecma-international.org/ecma-262/6.0/#sec-serializejsonarray
558
559         * runtime/JSONObject.cpp:
560         (JSC::PropertyNameForFunctionCall::value):
561
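The SerializeJSONArray point in the entry above, shown as an added JavaScript example (this is not the JSONObject.cpp code from the patch; stringifyWithReplacer, collectReplacerKeys and redactPrivateFields are names invented here). It is a reduced JSON.stringify that follows the spec's SerializeJSONProperty / SerializeJSONArray / SerializeJSONObject steps for the replacer-function path only (no toJSON, wrapper objects, replacer arrays or indentation), and it includes a replacer that calls String methods on its key, the kind of code that breaks when an engine hands it a numeric array index instead of the ToString'd one the spec requires.

```javascript
"use strict";

// Reduced JSON.stringify: SerializeJSONProperty, SerializeJSONArray and
// SerializeJSONObject with a replacer function, without toJSON, wrapper
// objects, replacer arrays or indentation. The point of interest is the key
// passed to the replacer for array elements.
function stringifyWithReplacer(value, replacerFunction) {
  const stack = []; // objects currently being serialized, for the circularity check

  // SerializeJSONProperty(key, holder): key is always a String value here.
  function serializeProperty(key, holder) {
    let v = holder[key];
    v = replacerFunction.call(holder, key, v); // Call(ReplacerFunction, holder, « key, value »)
    if (v === null) return "null";
    if (v === true) return "true";
    if (v === false) return "false";
    if (typeof v === "string") return JSON.stringify(v); // QuoteJSONString
    if (typeof v === "number") return Number.isFinite(v) ? String(v) : "null";
    if (typeof v === "object") {
      if (stack.includes(v)) throw new TypeError("Converting circular structure to JSON");
      return Array.isArray(v) ? serializeArray(v) : serializeObject(v);
    }
    return undefined; // undefined, functions and symbols are omitted
  }

  // SerializeJSONArray: the loop index goes through ToString before the
  // recursive SerializeJSONProperty call, so the replacer sees "0", "1", ...
  function serializeArray(arr) {
    stack.push(arr);
    const partial = [];
    for (let index = 0; index < arr.length; index++) {
      const str = serializeProperty(String(index), arr);
      partial.push(str === undefined ? "null" : str);
    }
    stack.pop();
    return "[" + partial.join(",") + "]";
  }

  // SerializeJSONObject: keys come from EnumerableOwnProperties, already strings.
  function serializeObject(obj) {
    stack.push(obj);
    const partial = [];
    for (const k of Object.keys(obj)) {
      const str = serializeProperty(k, obj);
      if (str !== undefined) partial.push(JSON.stringify(k) + ":" + str);
    }
    stack.pop();
    return "{" + partial.join(",") + "}";
  }

  // JSON.stringify wraps the value in { "": value } and starts with key "".
  return serializeProperty("", { "": value });
}

// Records "<typeof key>:<key>" for every replacer invocation, keeping values intact.
function collectReplacerKeys(input) {
  const keys = [];
  stringifyWithReplacer(input, function (key, v) {
    keys.push(typeof key + ":" + key);
    return v;
  });
  return keys;
}

// A replacer of the kind the bug broke: it relies on a String method on the
// key, which throws TypeError if an array index arrives as a number.
function redactPrivateFields(key, v) {
  return key.startsWith("_") ? undefined : v;
}

function stringifyRedacted(input) {
  return stringifyWithReplacer(input, redactPrivateFields);
}
```

Comparing stringifyRedacted against the engine's own JSON.stringify with the same replacer on an array of objects is a direct check of the key-type contract: both must drop "_token" and must never pass a numeric key to startsWith.
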
562 2016-06-03  Saam barati  <sbarati@apple.com>
563
564         Proxy.ownKeys should no longer throw an exception when duplicate keys are returned and the target is non-extensible
565         https://bugs.webkit.org/show_bug.cgi?id=158350
566         <rdar://problem/26626211>
567
568         Reviewed by Michael Saboff.
569
570         The spec was recently changed in Proxy [[OwnPropertyKeys]]
571         to allow for duplicate property names under certain circumstances.
572         This patch fixes our implementation to match the spec.
573         See: https://github.com/tc39/ecma262/pull/594
574
575         * runtime/ProxyObject.cpp:
576         (JSC::ProxyObject::performGetOwnPropertyNames):
577         * tests/stress/proxy-own-keys.js:
578         (i.catch):
579         (ownKeys):
580         (assert):
581
582 2016-06-03  Saam barati  <sbarati@apple.com>
583
584         Some shadow chicken code is wrong when run on a big endian CPU
585         https://bugs.webkit.org/show_bug.cgi?id=158361
586
587         Reviewed by Mark Lam.
588
589         This code was wrong on a big endian CPU, and it was
590         also an anti-pattern in the file. The code was harmless
591         on a little endian CPU, but it's better to remove it.
592
593         * llint/LowLevelInterpreter64.asm:
594
595 2016-06-03  Keith Miller  <keith_miller@apple.com>
596
597         Add argument_count bytecode for concat
598         https://bugs.webkit.org/show_bug.cgi?id=158358
599
600         Reviewed by Geoffrey Garen.
601
602         This patch adds a new argument count bytecode. Normally, we would
603         just make sure that the argument.length bytecode was fast enough
604         that we shouldn't need such a bytecode.  However, for the case of
605         Array.prototype.concat the overhead of the arguments object
606         allocation in the LLInt was too high and caused regressions.
607
608         * bytecode/BytecodeIntrinsicRegistry.h:
609         * bytecode/BytecodeList.json:
610         * bytecode/BytecodeUseDef.h:
611         (JSC::computeUsesForBytecodeOffset):
612         (JSC::computeDefsForBytecodeOffset):
613         * bytecode/CodeBlock.cpp:
614         (JSC::CodeBlock::dumpBytecode):
615         * bytecompiler/NodesCodegen.cpp:
616         (JSC::BytecodeIntrinsicNode::emit_intrinsic_argumentCount):
617         * dfg/DFGByteCodeParser.cpp:
618         (JSC::DFG::ByteCodeParser::getArgumentCount):
619         (JSC::DFG::ByteCodeParser::parseBlock):
620         * dfg/DFGCapabilities.cpp:
621         (JSC::DFG::capabilityLevel):
622         * jit/JIT.cpp:
623         (JSC::JIT::privateCompileMainPass):
624         * jit/JIT.h:
625         * jit/JITOpcodes.cpp:
626         (JSC::JIT::emit_op_argument_count):
627         * llint/LowLevelInterpreter32_64.asm:
628         * llint/LowLevelInterpreter64.asm:
629         * tests/stress/argument-count-bytecode.js: Added.
630         (inlineCount):
631         (inlineCount1):
632         (inlineCount2):
633         (inlineCountVarArgs):
634         (assert):
635
636 2016-06-03  Geoffrey Garen  <ggaren@apple.com>
637
638         Clients of PolymorphicAccess::addCases shouldn't have to malloc
639         https://bugs.webkit.org/show_bug.cgi?id=158357
640
641         Reviewed by Keith Miller.
642
643         We only ever have 1 or 2 cases, so we can use inline Vector capacity.
644
645         This shows up a little in the JSBench profile.
646
647         * bytecode/PolymorphicAccess.cpp:
648         (JSC::PolymorphicAccess::addCases):
649         (JSC::PolymorphicAccess::addCase):
650         * bytecode/PolymorphicAccess.h:
651         * bytecode/StructureStubInfo.cpp:
652         (JSC::StructureStubInfo::addAccessCase):
653
654 2016-06-03  Benjamin Poulain  <bpoulain@apple.com>
655
656         Fix some more INFINITI->INFINITY typos
657
658         Unreviewed.
659
660         The tests were not covering the edge cases they were supposed to test.
661
662         * tests/stress/math-ceil-basics.js:
663         (testMathCeilOnConstants):
664         * tests/stress/math-clz32-basics.js:
665         (testMathClz32OnDoubles):
666         (testMathClz32OnConstants):
667         * tests/stress/math-floor-basics.js:
668         (testMathFloorOnConstants):
669         * tests/stress/math-round-basics.js:
670         (testMathRoundOnConstants):
671         * tests/stress/math-trunc-basics.js:
672         (testMathTruncOnConstants):
673
674 2016-06-02  Gavin & Ellie Barraclough  <barraclough@apple.com>
675
676         JSGlobalObject::addFunction should call deleteProperty rather than removeDirect
677         https://bugs.webkit.org/show_bug.cgi?id=158295
678
679         Reviewed by Saam Barati.
680
681         When a function is declared in program code, this replaces any previously existing
682         property from the global object. JSGlobalObject::addFunction is currently calling
683         removeDirect rather than deleteProperty to remove the existing property. This fails
684         to remove any properties from static tables.
685
686         We currently get away with this because (a) JSObject & JSGlobalObject don't currently
687         have any properties in static tables, and (b) the current quirky property precedence
688         means that the symbol table properties end up taking precedence over JSDOMWindow's
689         static table, so window object properties end up being shadowed.
690
691         As a part of bug #158178 the precedence of static tables will change, requiring this
692         to be fixed.
693
694         The deleteProperty function does what we want (has the ability to remove properties,
695         including those from the static tables). Normally deleteProperty will not remove
696         properties that are non-configurable (DontDelete) - we need to do so. The function
697         does already support this, through a flag on VM named 'isInDefineOwnProperty', which
698         causes configurability to be ignored. Generalize this mechanism for use outside of
699         defineOwnProperty, renaming & moving DefineOwnPropertyScope helper class out to VM.
700
701         * runtime/JSFunction.cpp:
702         (JSC::JSFunction::deleteProperty):
703             - isInDefineOwnProperty -> deletePropertyMode.
704         * runtime/JSGlobalObject.cpp:
705         (JSC::JSGlobalObject::addFunction):
706             - removeDirect -> deleteProperty.
707         * runtime/JSObject.cpp:
708         (JSC::JSObject::deleteProperty):
709             - isInDefineOwnProperty -> deletePropertyMode.
710         (JSC::JSObject::defineOwnNonIndexProperty):
711             - DefineOwnPropertyScope -> VM::DeletePropertyModeScope.
712         (JSC::DefineOwnPropertyScope::DefineOwnPropertyScope): Deleted.
713         (JSC::DefineOwnPropertyScope::~DefineOwnPropertyScope): Deleted.
714             - DefineOwnPropertyScope -> VM::DeletePropertyModeScope.
715         * runtime/VM.cpp:
716         (JSC::VM::VM):
717             - removed m_inDefineOwnProperty.
718         * runtime/VM.h:
719         (JSC::VM::deletePropertyMode):
720             - isInDefineOwnProperty -> deletePropertyMode.
721         (JSC::VM::DeletePropertyModeScope::DeletePropertyModeScope):
722         (JSC::VM::DeletePropertyModeScope::~DeletePropertyModeScope):
723             - DefineOwnPropertyScope -> VM::DeletePropertyModeScope.
724         (JSC::VM::setInDefineOwnProperty): Deleted.
725             - Replaced with deletePropertyMode, can now only be set via VM::DeletePropertyModeScope.
726         (JSC::VM::isInDefineOwnProperty): Deleted.
727             - isInDefineOwnProperty -> deletePropertyMode.
728
729 2016-06-03  Mark Lam  <mark.lam@apple.com>
730
731         ARMv7 vstm and vldm instructions can only operate on a maximum of 16 registers.
732         https://bugs.webkit.org/show_bug.cgi?id=158349
733
734         Reviewed by Filip Pizlo.
735
736         According to the ARM Assembler Reference, the vstm and vldm instructions can only
737         operate on a maximum of 16 registers.  See
738         http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dht0002a/ch01s03s02.html
739         and http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dht0002a/ch01s03s02.html.
740
741         The ARMv7 probe code was wrongly using these instructions to store and load all
742         32 'd' registers.  This is now fixed.
743
744         * assembler/MacroAssemblerARMv7.cpp:
745
746 2016-06-03  Mark Lam  <mark.lam@apple.com>
747
748         Gardening: CLOOP build fix (needs a #include).
749
750         Not reviewed.
751
752         * interpreter/StackVisitor.h:
753
754 2016-06-03  Andreas Kling  <akling@apple.com>
755
756         Eliminate two large sources of temporary StringImpl objects.
757         <https://webkit.org/b/158336>
758
759         Reviewed by Anders Carlsson.
760
761         We were jumping through some inefficient hoops when creating Identifiers due to the
762         convenience of our String(const char*) constructor.
763
764         This patch avoids just over 1 million temporary StringImpl objects on the PLUM benchmark.
765
766         * runtime/JSObject.h:
767         (JSC::makeIdentifier): Add an overload for string literals so we can stop creating a temporary
768         String just for passing to Identifier::fromString().
769
770         * runtime/Lookup.h:
771         (JSC::reifyStaticProperties): Use the Identifier::fromString() that takes an LChar* and a length
772         instead of creating a temporary String.
773
774 2016-06-03  Mark Lam  <mark.lam@apple.com>
775
776         Clean up how StackVisitor dumps its frames.
777         https://bugs.webkit.org/show_bug.cgi?id=158316
778
779         Reviewed by Keith Miller.
780
781         1. Updated to do dumping to a PrintStream.
782         2. Added support for printing a prefix for each frame.
783            This is currently used by JSDollarVMPrototype to print frame numbers.
784         3. Fix the incrementing of the frame index in StackVisitor.
785            It was initialized but never incremented before when iterating the frames.
786
787         * interpreter/StackVisitor.cpp:
788         (JSC::StackVisitor::gotoNextFrame):
789         (JSC::StackVisitor::Frame::codeType):
790         (JSC::StackVisitor::Frame::functionName):
791         (JSC::StackVisitor::Frame::sourceURL):
792         (JSC::StackVisitor::Frame::toString):
793         (JSC::StackVisitor::Frame::createArguments):
794         (JSC::StackVisitor::Frame::computeLineAndColumn):
795         (JSC::StackVisitor::Frame::retrieveExpressionInfo):
796         (JSC::StackVisitor::Frame::setToEnd):
797         (JSC::StackVisitor::Frame::dump):
798         (JSC::StackVisitor::Indent::dump):
799         (JSC::printIndents): Deleted.
800         (JSC::log): Deleted.
801         (JSC::logF): Deleted.
802         (JSC::StackVisitor::Frame::print): Deleted.
803         * interpreter/StackVisitor.h:
804         (JSC::StackVisitor::Indent::Indent):
805         (JSC::StackVisitor::Indent::operator++):
806         (JSC::StackVisitor::Indent::operator--):
807         (JSC::StackVisitor::Frame::isJSFrame):
808         (JSC::StackVisitor::Frame::isInlinedFrame):
809         (JSC::StackVisitor::Frame::vmEntryFrame):
810         (JSC::StackVisitor::Frame::callFrame):
811         (JSC::StackVisitor::Frame::Frame):
812         (JSC::StackVisitor::Frame::~Frame):
813         * tools/JSDollarVMPrototype.cpp:
814         (JSC::PrintFrameFunctor::operator()):
815
816 2016-06-02  Saam Barati  <sbarati@apple.com>
817
818         global lexical environment variables are not accessible through functions created using the function constructor
819         https://bugs.webkit.org/show_bug.cgi?id=158319
820
821         Reviewed by Filip Pizlo.
822
823         When creating a function using the Function constructor, we were
824         using the global object instead of the global lexical environment
825         as the function's scope. We should be using the global lexical environment.
826
827         * runtime/FunctionConstructor.cpp:
828         (JSC::constructFunctionSkippingEvalEnabledCheck):
829         * tests/stress/function-constructor-reading-from-global-lexical-environment.js: Added.
830         (assert):
831         (test):
832         (ClassTDZ):
833
834 2016-06-02  Oliver Hunt  <oliver@apple.com>
835
836         JS parser incorrectly handles invalid utf8 in error messages.
837         https://bugs.webkit.org/show_bug.cgi?id=158128
838
839         Reviewed by Saam Barati.
840
841         The bug here was caused by us using PrintStream's toString method
842         to produce the error message for a parse error, even though toString
843         may produce a null string in the event of invalid utf8 that causes
844         the error in the first place. So when we try to create an error message
845         containing the invalid character code, we set m_errorMessage to the
846         null string; as that signals "no error", we don't stop parsing, and
847         everything goes downhill from there.
848
849         Now we use the new toStringWithLatin1Fallback so that we can always
850         produce an error message, even if it contains invalid unicode. We
851         also add an additional fallback so that we can guarantee an error
852         message is set even if we're given a null string. There's a debug
853         mode assertion to prevent anyone accidentally attempting to clear
854         the message via setErrorMessage.
855
856         * parser/Parser.cpp:
857         (JSC::Parser<LexerType>::logError):
858         * parser/Parser.h:
859         (JSC::Parser::setErrorMessage):
860
861 2016-06-02  Saam Barati  <sbarati@apple.com>
862
863         Teach bytecode liveness about the debugger
864         https://bugs.webkit.org/show_bug.cgi?id=158288
865
866         Reviewed by Filip Pizlo.
867
868         There was a bug where we wouldn't always keep the scope register
869         on the stack when the debugger is enabled. The debugger always assumes
870         it can read from the scope. The bug happened in OSR exit from the FTL.
871         The FTL uses bytecode liveness for OSR exit. Bytecode liveness proved
872         that the scope register was dead, so the FTL OSR exit wrote `undefined`
873         into the scope's stack slot when OSR exiting to the baseline.
874
875         To fix this, I taught bytecode liveness' computeUsesForBytecodeOffset() that the
876         scope is used by every instruction except op_enter. This causes the
877         scope to be live-in at every instruction except op_enter.
878
879         * bytecode/BytecodeLivenessAnalysis.cpp:
880         (JSC::blockContainsBytecodeOffset):
881         (JSC::addAlwaysLiveLocals):
882         (JSC::findBasicBlockForBytecodeOffset):
883         (JSC::stepOverInstruction):
884         (JSC::computeLocalLivenessForBytecodeOffset):
885         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
886         * bytecode/UnlinkedCodeBlock.cpp:
887         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
888         * tests/stress/shadow-chicken-reading-from-scope-after-ftl-osr-exit-bytecode-liveness.js: Added.
889         (foo):
890         (catch):
891
892 2016-06-02  Michael Saboff  <msaboff@apple.com>
893
894         REGRESSION(r200694): %ThrowTypeError% is not unique
895         https://bugs.webkit.org/show_bug.cgi?id=158231
896
897         Reviewed by Joseph Pecoraro.
898
899         The ES6 standard in section 9.2.7.1 states that %ThrowTypeError% is unique.  This
900         change reverts the handling of TypeError before r200694 and then rolls in
901         throwTypeErrorGetterSetter() with the renamed throwTypeErrorArgumentsCalleeAndCallerGetterSetter().
902
903         * runtime/ClonedArguments.cpp:
904         (JSC::ClonedArguments::getOwnPropertySlot):
905         (JSC::ClonedArguments::materializeSpecials):
906         * runtime/JSBoundFunction.cpp:
907         (JSC::JSBoundFunction::finishCreation):
908         (JSC::JSBoundFunction::visitChildren):
909         * runtime/JSFunction.cpp:
910         (JSC::getThrowTypeErrorGetterSetter):
911         (JSC::JSFunction::callerGetter):
912         (JSC::JSFunction::defineOwnProperty):
913         * runtime/JSGlobalObject.cpp:
914         (JSC::JSGlobalObject::init):
915         (JSC::JSGlobalObject::visitChildren):
916         * runtime/JSGlobalObject.h:
917         (JSC::JSGlobalObject::regExpProtoSymbolReplaceFunction):
918         (JSC::JSGlobalObject::regExpProtoGlobalGetter):
919         (JSC::JSGlobalObject::regExpProtoUnicodeGetter):
920         (JSC::JSGlobalObject::throwTypeErrorArgumentsCalleeAndCallerGetterSetter):
921         (JSC::JSGlobalObject::moduleLoader):
922         (JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.
923         (JSC::JSGlobalObject::throwTypeErrorCalleeAndCallerGetterSetter): Deleted.
924         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInStrictModeGetterSetter): Deleted.
925         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInClassContextGetterSetter): Deleted.
926         * runtime/JSGlobalObjectFunctions.cpp:
927         (JSC::globalFuncThrowTypeError):
928         (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
929         (JSC::globalFuncThrowTypeErrorCalleeAndCaller): Deleted.
930         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInStrictMode): Deleted.
931         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInClassContext): Deleted.
932         * runtime/JSGlobalObjectFunctions.h:
933         * tests/stress/reflect-set.js:
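
        The uniqueness requirement this entry refers to can be checked from script. The
        following is an added example written for this ChangeLog, not code from the page or
        from WebKit: it gathers the accessor that the spec calls %ThrowTypeError% from several
        strict-mode arguments objects (where ES6 requires the same intrinsic to appear as both
        getter and setter of "callee") and reports whether the engine hands out one function
        object or several. It assumes an ES6-conforming engine; the function names are this
        example's own.

```javascript
// Collects the accessor that ES6 §9.2.7.1 calls %ThrowTypeError% from places
// the spec says must share it, so that uniqueness can be checked by identity.
function collectThrowTypeErrorAccessors() {
  const accessors = [];

  // Strict-mode arguments objects expose %ThrowTypeError% as both the getter
  // and the setter of their "callee" property (CreateUnmappedArgumentsObject).
  // Two distinct functions and two distinct calls are used so that a per-call
  // or per-function copy of the intrinsic would be detected.
  function strictA() { 'use strict'; return arguments; }
  function strictB(x, y) { 'use strict'; return arguments; }
  for (const args of [strictA(), strictB(1, 2), strictA(3)]) {
    const desc = Object.getOwnPropertyDescriptor(args, 'callee');
    accessors.push(desc.get, desc.set);
  }
  return accessors;
}

// True when every collected accessor is the very same function object, i.e.
// the intrinsic is unique within this realm as the spec requires.
function throwTypeErrorIsUnique() {
  const accessors = collectThrowTypeErrorAccessors();
  return accessors.length > 0 && accessors.every((fn) => fn === accessors[0]);
}

// Invoking the intrinsic must always throw a TypeError. Returns the name of
// the thrown error's constructor, or 'no-throw' if it unexpectedly returned.
function throwTypeErrorBehaviour() {
  const [thrower] = collectThrowTypeErrorAccessors();
  try {
    thrower();
    return 'no-throw';
  } catch (e) {
    return e.constructor.name;
  }
}
```

        A regression like the one described here (several distinct thrower functions) shows up
        as throwTypeErrorIsUnique() returning false while throwTypeErrorBehaviour() still
        reports 'TypeError', so both checks are needed to tell "wrong identity" from "wrong
        behaviour".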
934
935 2016-06-02  Michael Saboff  <msaboff@apple.com>
936
937         [iOS]: Some JSC stress tests fail running out of executable memory when the LLInt is disabled
938         https://bugs.webkit.org/show_bug.cgi?id=158317
939
940         Reviewed by Saam Barati.
941
942         Updated these tests to not run the "no-llint" variant when running on ARM machines.
943
944         * tests/stress/arrowfunction-lexical-bind-superproperty.js: Skip no-llint for ARM
945         (testCase):
946         * tests/stress/proxy-revoke.js: Skip no-llint for ARM and ARM64
947         (assert):
948
949 2016-06-02  Keith Miller  <keith_miller@apple.com>
950
951         Unreviewed, reland r201532. The associated regressions have been fixed
952         by r201584.
953
954 2016-06-02  Filip Pizlo  <fpizlo@apple.com>
955
956         Use "= delete" for Locker(int) 
957
958         Rubber stamped by Saam Barati.
959
960         * runtime/ConcurrentJITLock.h:
961         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
962
963 2016-06-02  Keith Miller  <keith_miller@apple.com>
964
965         ObjectPropertyCondition should have a isStillValidAssumingImpurePropertyWatchpoint function
966         https://bugs.webkit.org/show_bug.cgi?id=158308
967
968         Reviewed by Filip Pizlo.
969
970         Recently, structureEnsuresValidityAssumingImpurePropertyWatchpoint was converted to check
971         what should be isStillValidAssumingImpurePropertyWatchpoint. This patch fixes the API so
972         it should work as expected. This patch also changes generateConditions in
973         ObjectPropertyConditionSet to use isStillValidAssumingImpurePropertyWatchpoint.
974
975         * bytecode/ObjectPropertyCondition.cpp:
976         (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
977         (JSC::ObjectPropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
978         * bytecode/ObjectPropertyCondition.h:
979         * bytecode/ObjectPropertyConditionSet.cpp:
980
981 2016-06-02  Filip Pizlo  <fpizlo@apple.com>
982
983         Make it harder to accidentally pass an integer to a locker.
984
985         Rubber stamped by Keith Miller.
986
987         * runtime/ConcurrentJITLock.h:
988         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
989
990 2016-06-02  Filip Pizlo  <fpizlo@apple.com>
991
992         Make it easier to use NoLockingNecessary
993         https://bugs.webkit.org/show_bug.cgi?id=158306
994
995         Reviewed by Keith Miller.
996         
997         Adapt to the new NoLockingNecessary API. More details in the WTF ChangeLog.
998
999         * bytecompiler/BytecodeGenerator.cpp:
1000         (JSC::BytecodeGenerator::BytecodeGenerator):
1001         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1002         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1003         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
1004         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
1005         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
1006         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1007         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1008         (JSC::BytecodeGenerator::variable):
1009         (JSC::BytecodeGenerator::createVariable):
1010         (JSC::BytecodeGenerator::emitResolveScope):
1011         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1012         * runtime/ConcurrentJITLock.h:
1013         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1014         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1015
1016 2016-06-01  Filip Pizlo  <fpizlo@apple.com>
1017
1018         Structure::previousID() races with Structure::allocateRareData()
1019         https://bugs.webkit.org/show_bug.cgi?id=158280
1020
1021         Reviewed by Mark Lam.
1022         
1023         The problem is that previousID() would test hasRareData() and then either load the
1024         previous Structure from the rare data, or load it directly. allocateRareData() would set
1025         the hasRareData() bit separately from moving the Structure pointer into the rare data. So
1026         we'd have a race that would cause previousID() to sometimes return the rare data instead
1027         of the previous Structure.
1028
1029         The fix is to get rid of the hasRareData bit. We can use the structureID of the
1030         previousOrRareData cell to determine if it's the previousID or the RareData. This fixes the
1031         race and it's probably not any slower.
1032
1033         * runtime/Structure.cpp:
1034         (JSC::Structure::Structure):
1035         (JSC::Structure::allocateRareData):
1036         * runtime/Structure.h:
1037
1038 2016-06-01  Michael Saboff  <msaboff@apple.com>
1039
1040         Runaway WebContent process CPU & memory @ foxnews.com
1041         https://bugs.webkit.org/show_bug.cgi?id=158290
1042
1043         Reviewed by Mark Lam.
1044
1045         Clear the thrown value at the end of the catch block so that the stack scanner won't
1046         find the value during GC.
1047
1048         Added a new stress test.
1049
1050         * bytecompiler/NodesCodegen.cpp:
1051         (JSC::TryNode::emitBytecode):
1052         * tests/stress/recursive-try-catch.js: Added.
1053         (logError):
1054         (tryCallingBadFunction):
1055         (recurse):
1056         (test):
1057
1058 2016-06-01  Benjamin Poulain  <bpoulain@apple.com>
1059
1060         [JSC] Some setters for components of Date do not timeClip() their result
1061         https://bugs.webkit.org/show_bug.cgi?id=158278
1062         rdar://problem/25131426
1063
1064         Reviewed by Geoffrey Garen.
1065
1066         Many of the setters were not doing timeClip() on the computed UTC
1067         time since Epoch.
1068
1069         See http://www.ecma-international.org/ecma-262/6.0/#sec-date.prototype.setdate
1070         and the following sections for the definition.
1071
1072         * runtime/DatePrototype.cpp:
1073         (JSC::setNewValueFromTimeArgs):
1074         (JSC::setNewValueFromDateArgs):
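
        The following is an added example for this entry, not code from the page or from
        WebKit. It gives a reference TimeClip() in JavaScript as the linked spec section
        defines it, a reference setUTCMilliseconds() showing where the clip step belongs, and
        a small conformance driver that pushes each Date component setter one unit past the
        largest representable time value and reports whether the engine clipped the result to
        NaN as required. The setter cases are constructed for the example; UTC setters are used
        so the expected overflow does not depend on the local time zone.

```javascript
// Reference TimeClip from ECMA-262 6th ed. §20.3.1.15: a time value outside
// +/-8.64e15 ms becomes NaN, anything else is truncated toward zero, and -0
// is normalised to +0.
function timeClip(time) {
  if (!Number.isFinite(time) || Math.abs(time) > 8.64e15) return NaN;
  return Math.trunc(time) + 0;
}

// Largest time value a Date may hold (exactly 1e8 days after the epoch,
// i.e. +275760-09-13T00:00:00.000Z); one unit past it must clip to NaN.
const MAX_TIME = 8.64e15;

// What a conforming setUTCMilliseconds computes before storing the result:
// MakeDate(Day(t), MakeTime(Hour(t), Min(t), Sec(t), ms)), then TimeClip.
// A setter with the bug described in this entry would skip the final step
// and store an out-of-range time value.
function referenceSetUTCMilliseconds(t, ms) {
  const msPerDay = 86400000;
  const day = Math.floor(t / msPerDay);
  const timeWithinDay = t - day * msPerDay;
  const wholeSeconds = timeWithinDay - (timeWithinDay % 1000);
  return timeClip(day * msPerDay + wholeSeconds + ms);
}

// Applies one Date component setter to a Date sitting exactly at MAX_TIME,
// with arguments chosen to push the result past the limit, and reports
// whether the engine clipped both the return value and the stored time.
function setterClips(setterName, args) {
  const d = new Date(MAX_TIME);
  const returned = d[setterName](...args);
  return Number.isNaN(returned) && Number.isNaN(d.getTime());
}

// Constructed cases: each argument list moves the date one unit past
// MAX_TIME. setMilliseconds is listed too because the millisecond field is
// independent of the local time zone offset.
const SETTER_CASES = {
  setMilliseconds: [1],
  setUTCMilliseconds: [1],
  setUTCSeconds: [1],
  setUTCMinutes: [1],
  setUTCHours: [1],
  setUTCDate: [14],          // one day past 09-13
  setUTCMonth: [9],          // month index 9 = October, one month past
  setUTCFullYear: [275761],  // one year past
};

// Runs every case; returns { setterName: true } for each setter that clipped.
function checkAllSetters() {
  const results = {};
  for (const [name, args] of Object.entries(SETTER_CASES)) {
    results[name] = setterClips(name, args);
  }
  return results;
}
```

        An engine affected by this bug reports false for the offending setters, because the
        stored time value stays past 8.64e15 instead of becoming NaN.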
1075
1076 2016-06-01  Keith Miller  <keith_miller@apple.com>
1077
1078         canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints
1079         https://bugs.webkit.org/show_bug.cgi?id=158291
1080
1081         Reviewed by Benjamin Poulain.
1082
1083         The old StringObject primitive access code used structure watchpoints. This meant that
1084         if you set a watchpoint on String.prototype prior to tiering up to the DFG then added
1085         a new property to String.prototype then we would never use StringObject optimizations.
1086         This made property caching in the LLInt bad because it meant we would watchpoint
1087         String.prototype very early in the program, which hurt date-format-xpab.js since that
1088         benchmark relies on the StringObject optimizations.
1089
1090         This patch also extends ObjectPropertyConditionSet to be able to handle a slotBase
1091         equivalence condition, since that makes the code for generating the DFG watchpoints
1092         significantly cleaner.
1093
1094         * bytecode/ObjectPropertyCondition.cpp:
1095         (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
1096         * bytecode/ObjectPropertyConditionSet.cpp:
1097         (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
1098         (JSC::ObjectPropertyConditionSet::slotBaseCondition):
1099         (JSC::generateConditionsForPrototypeEquivalenceConcurrently):
1100         * bytecode/ObjectPropertyConditionSet.h:
1101         * dfg/DFGGraph.cpp:
1102         (JSC::DFG::Graph::isStringPrototypeMethodSane):
1103         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
1104         * dfg/DFGGraph.h:
1105
1106 2016-06-01  Geoffrey Garen  <ggaren@apple.com>
1107
1108         Unreviewed, rolling in r201436.
1109         https://bugs.webkit.org/show_bug.cgi?id=158143
1110
1111         r201562 should have fixed the Dromaeo DOM core regression.
1112
1113         Restored changeset:
1114
1115         "REGRESSION: JSBench spends a lot of time transitioning
1116         to/from dictionary"
1117         https://bugs.webkit.org/show_bug.cgi?id=158045
1118         http://trac.webkit.org/changeset/201436
1119
1120
1121 2016-06-01  Commit Queue  <commit-queue@webkit.org>
1122
1123         Unreviewed, rolling out r201488.
1124         https://bugs.webkit.org/show_bug.cgi?id=158268
1125
1126         Caused 23% regression on JetStream's crypto-md5 (Requested by
1127         rniwa on #webkit).
1128
1129         Reverted changeset:
1130
1131         "[ESNext] Support trailing commas in function param lists"
1132         https://bugs.webkit.org/show_bug.cgi?id=158020
1133         http://trac.webkit.org/changeset/201488
1134
1135 2016-05-31  Geoffrey Garen  <ggaren@apple.com>
1136
1137         Dictionary property access should be fast
1138         https://bugs.webkit.org/show_bug.cgi?id=158250
1139
1140         Reviewed by Keith Miller.
1141
1142         We have some remnant code that unnecessarily takes a slow path for
1143         dictionaries. This caused the Dromaeo regression in r201436. Let's fix
1144         that.
1145
1146         * jit/Repatch.cpp:
1147         (JSC::tryCacheGetByID): Attempt to flatten a dictionary if necessary, but
1148         not too much. This is our idiom in other places.
1149
1150         (JSC::tryCachePutByID): See tryCacheGetByID.
1151
1152         * llint/LLIntSlowPaths.cpp:
1153         (JSC::LLInt::setupGetByIdPrototypeCache): See tryCacheGetByID.
1154
1155         * runtime/JSObject.cpp:
1156         (JSC::JSObject::fillGetterPropertySlot):
1157         * runtime/JSObject.h:
1158         (JSC::JSObject::fillCustomGetterPropertySlot): The rules for caching a
1159         getter are the same as the rules for caching anything else: We're
1160         allowed to cache even in dictionaries, as long as they're cacheable
1161         dictionaries. Any transition that would change to/from getter/setter
1162         or change other attributes requires a structure transition.
1163
1164 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1165
1166         [JSC] Drop "replace" from JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET
1167         https://bugs.webkit.org/show_bug.cgi?id=158223
1168
1169         Reviewed by Darin Adler.
1170
1171         This list maintains "not implemented yet" well-known symbols.
1172         `Symbol.replace` is already implemented.
1173
1174         * runtime/CommonIdentifiers.h:
1175
1176 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1177
1178         Unreviewed, roll out r201481, r201523: 0.3% regression in Octane code-load
1179         https://bugs.webkit.org/show_bug.cgi?id=158249
1180
1181         * API/JSScriptRef.cpp:
1182         (parseScript):
1183         * CMakeLists.txt:
1184         * DerivedSources.make:
1185         * JavaScriptCore.xcodeproj/project.pbxproj:
1186         * builtins/AsyncFunctionPrototype.js: Removed.
1187         (asyncFunctionResume): Deleted.
1188         * builtins/BuiltinExecutables.cpp:
1189         (JSC::BuiltinExecutables::createExecutable):
1190         * bytecode/BytecodeList.json:
1191         * bytecode/BytecodeUseDef.h:
1192         (JSC::computeUsesForBytecodeOffset): Deleted.
1193         (JSC::computeDefsForBytecodeOffset): Deleted.
1194         * bytecode/CodeBlock.cpp:
1195         (JSC::CodeBlock::finishCreation):
1196         (JSC::CodeBlock::dumpBytecode): Deleted.
1197         * bytecode/UnlinkedCodeBlock.h:
1198         (JSC::UnlinkedCodeBlock::isArrowFunction):
1199         (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction): Deleted.
1200         (JSC::UnlinkedCodeBlock::isAsyncArrowFunction): Deleted.
1201         * bytecode/UnlinkedFunctionExecutable.cpp:
1202         (JSC::generateUnlinkedFunctionCodeBlock):
1203         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1204         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1205         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1206         * bytecode/UnlinkedFunctionExecutable.h:
1207         * bytecompiler/BytecodeGenerator.cpp:
1208         (JSC::BytecodeGenerator::BytecodeGenerator):
1209         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
1210         (JSC::BytecodeGenerator::emitNewMethodDefinition):
1211         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1212         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon): Deleted.
1213         (JSC::BytecodeGenerator::emitNewFunction): Deleted.
1214         * bytecompiler/BytecodeGenerator.h:
1215         (JSC::BytecodeGenerator::makeFunction):
1216         * bytecompiler/NodesCodegen.cpp:
1217         (JSC::FunctionNode::emitBytecode): Deleted.
1218         * inspector/agents/InspectorRuntimeAgent.cpp:
1219         (Inspector::InspectorRuntimeAgent::parse):
1220         * jit/JIT.cpp:
1221         (JSC::JIT::privateCompileMainPass): Deleted.
1222         * jit/JIT.h:
1223         * jit/JITOpcodes.cpp:
1224         (JSC::JIT::emitNewFuncCommon): Deleted.
1225         (JSC::JIT::emit_op_new_async_func): Deleted.
1226         (JSC::JIT::emitNewFuncExprCommon): Deleted.
1227         (JSC::JIT::emit_op_new_async_func_exp): Deleted.
1228         * jit/JITOperations.cpp:
1229         * jit/JITOperations.h:
1230         * jsc.cpp:
1231         (runInteractive):
1232         (printUsageStatement): Deleted.
1233         * llint/LLIntSlowPaths.cpp:
1234         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
1235         * llint/LLIntSlowPaths.h:
1236         * llint/LowLevelInterpreter.asm:
1237         * parser/ASTBuilder.h:
1238         (JSC::ASTBuilder::createAsyncFunctionBody): Deleted.
1239         * parser/Keywords.table:
1240         * parser/Parser.cpp:
1241         (JSC::Parser<LexerType>::Parser):
1242         (JSC::Parser<LexerType>::parseInner):
1243         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1244         (JSC::Parser<LexerType>::parseStatementListItem):
1245         (JSC::Parser<LexerType>::parseStatement):
1246         (JSC::Parser<LexerType>::parseFunctionParameters):
1247         (JSC::Parser<LexerType>::parseFunctionInfo):
1248         (JSC::Parser<LexerType>::parseClass):
1249         (JSC::Parser<LexerType>::parseImportClauseItem):
1250         (JSC::Parser<LexerType>::parseImportDeclaration):
1251         (JSC::Parser<LexerType>::parseExportDeclaration):
1252         (JSC::Parser<LexerType>::parseAssignmentExpression):
1253         (JSC::Parser<LexerType>::parseProperty):
1254         (JSC::Parser<LexerType>::parsePropertyMethod):
1255         (JSC::Parser<LexerType>::parsePrimaryExpression):
1256         (JSC::Parser<LexerType>::parseMemberExpression):
1257         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1258         (JSC::Parser<LexerType>::printUnexpectedTokenText):
1259         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements): Deleted.
1260         (JSC::Parser<LexerType>::parseVariableDeclarationList): Deleted.
1261         (JSC::Parser<LexerType>::parseDestructuringPattern): Deleted.
1262         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement): Deleted.
1263         (JSC::Parser<LexerType>::parseFormalParameters): Deleted.
1264         (JSC::stringForFunctionMode): Deleted.
1265         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration): Deleted.
1266         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement): Deleted.
1267         (JSC::Parser<LexerType>::parseAwaitExpression): Deleted.
1268         (JSC::Parser<LexerType>::parseAsyncFunctionExpression): Deleted.
1269         (JSC::Parser<LexerType>::parseUnaryExpression): Deleted.
1270         * parser/Parser.h:
1271         (JSC::Scope::Scope):
1272         (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
1273         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
1274         (JSC::Parser::pushScope):
1275         (JSC::Parser::popScopeInternal):
1276         (JSC::Parser::matchSpecIdentifier):
1277         (JSC::parse):
1278         (JSC::Scope::setSourceParseMode): Deleted.
1279         (JSC::Scope::isAsyncFunction): Deleted.
1280         (JSC::Scope::isAsyncFunctionBoundary): Deleted.
1281         (JSC::Scope::isModule): Deleted.
1282         (JSC::Scope::setIsFunction): Deleted.
1283         (JSC::Scope::setIsAsyncArrowFunction): Deleted.
1284         (JSC::Scope::setIsAsyncFunction): Deleted.
1285         (JSC::Scope::setIsAsyncFunctionBody): Deleted.
1286         (JSC::Scope::setIsAsyncArrowFunctionBody): Deleted.
1287         (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError): Deleted.
1288         (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction): Deleted.
1289         (JSC::Parser::forceClassifyExpressionError): Deleted.
1290         (JSC::Parser::declarationTypeToVariableKind): Deleted.
1291         (JSC::Parser::upperScope): Deleted.
1292         (JSC::Parser::isDisallowedIdentifierAwait): Deleted.
1293         (JSC::Parser::disallowedIdentifierAwaitReason): Deleted.
1294         * parser/ParserModes.h:
1295         (JSC::isFunctionParseMode):
1296         (JSC::isModuleParseMode):
1297         (JSC::isProgramParseMode):
1298         (JSC::SourceParseModeSet::SourceParseModeSet): Deleted.
1299         (JSC::SourceParseModeSet::contains): Deleted.
1300         (JSC::SourceParseModeSet::mergeSourceParseModes): Deleted.
1301         (JSC::isAsyncFunctionParseMode): Deleted.
1302         (JSC::isAsyncArrowFunctionParseMode): Deleted.
1303         (JSC::isAsyncFunctionWrapperParseMode): Deleted.
1304         (JSC::isAsyncFunctionBodyParseMode): Deleted.
1305         (JSC::constructAbilityForParseMode): Deleted.
1306         * parser/ParserTokens.h:
1307         * parser/SourceCodeKey.h:
1308         (JSC::SourceCodeKey::SourceCodeKey):
1309         (JSC::SourceCodeKey::operator==):
1310         (JSC::SourceCodeKey::runtimeFlags): Deleted.
1311         * parser/SyntaxChecker.h:
1312         (JSC::SyntaxChecker::createAsyncFunctionBody): Deleted.
1313         * runtime/AsyncFunctionConstructor.cpp: Removed.
1314         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor): Deleted.
1315         (JSC::AsyncFunctionConstructor::finishCreation): Deleted.
1316         (JSC::callAsyncFunctionConstructor): Deleted.
1317         (JSC::constructAsyncFunctionConstructor): Deleted.
1318         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
1319         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
1320         * runtime/AsyncFunctionConstructor.h: Removed.
1321         (JSC::AsyncFunctionConstructor::create): Deleted.
1322         (JSC::AsyncFunctionConstructor::createStructure): Deleted.
1323         * runtime/AsyncFunctionPrototype.cpp: Removed.
1324         (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype): Deleted.
1325         (JSC::AsyncFunctionPrototype::finishCreation): Deleted.
1326         * runtime/AsyncFunctionPrototype.h: Removed.
1327         (JSC::AsyncFunctionPrototype::create): Deleted.
1328         (JSC::AsyncFunctionPrototype::createStructure): Deleted.
1329         * runtime/CodeCache.cpp:
1330         (JSC::CodeCache::getGlobalCodeBlock):
1331         (JSC::CodeCache::getProgramCodeBlock):
1332         (JSC::CodeCache::getEvalCodeBlock):
1333         (JSC::CodeCache::getModuleProgramCodeBlock):
1334         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1335         * runtime/CodeCache.h:
1336         * runtime/CommonIdentifiers.h:
1337         * runtime/Completion.cpp:
1338         (JSC::checkSyntax):
1339         (JSC::checkModuleSyntax):
1340         * runtime/Completion.h:
1341         * runtime/Executable.cpp:
1342         (JSC::ScriptExecutable::newCodeBlockFor):
1343         (JSC::ProgramExecutable::checkSyntax):
1344         * runtime/Executable.h:
1345         * runtime/FunctionConstructor.cpp:
1346         (JSC::constructFunctionSkippingEvalEnabledCheck):
1347         * runtime/FunctionConstructor.h:
1348         * runtime/JSAsyncFunction.cpp: Removed.
1349         (JSC::JSAsyncFunction::JSAsyncFunction): Deleted.
1350         (JSC::JSAsyncFunction::createImpl): Deleted.
1351         (JSC::JSAsyncFunction::create): Deleted.
1352         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint): Deleted.
1353         * runtime/JSAsyncFunction.h: Removed.
1354         (JSC::JSAsyncFunction::allocationSize): Deleted.
1355         (JSC::JSAsyncFunction::createStructure): Deleted.
1356         * runtime/JSFunction.cpp:
1357         (JSC::JSFunction::getOwnPropertySlot):
1358         * runtime/JSGlobalObject.cpp:
1359         (JSC::JSGlobalObject::createProgramCodeBlock):
1360         (JSC::JSGlobalObject::createEvalCodeBlock):
1361         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
1362         (JSC::JSGlobalObject::init): Deleted.
1363         * runtime/JSGlobalObject.h:
1364         (JSC::JSGlobalObject::asyncFunctionPrototype): Deleted.
1365         (JSC::JSGlobalObject::asyncFunctionStructure): Deleted.
1366         * runtime/ModuleLoaderObject.cpp:
1367         (JSC::moduleLoaderObjectParseModule):
1368         * runtime/RuntimeFlags.h:
1369         (JSC::RuntimeFlags::operator==): Deleted.
1370         (JSC::RuntimeFlags::operator!=): Deleted.
1371         * tests/stress/async-await-basic.js: Removed.
1372         (shouldBe): Deleted.
1373         (shouldBeAsync): Deleted.
1374         (shouldThrow): Deleted.
1375         (shouldThrowAsync): Deleted.
1376         (shouldThrowSyntaxError): Deleted.
1377         (let.AsyncFunction.async): Deleted.
1378         (async.asyncFunctionForProto): Deleted.
1379         (Object.getPrototypeOf.async): Deleted.
1380         (Object.getPrototypeOf.async.method): Deleted.
1381         (async): Deleted.
1382         (async.method): Deleted.
1383         (async.asyncNonConstructorDecl): Deleted.
1384         (shouldThrow.new.async): Deleted.
1385         (shouldThrow.new.async.nonConstructor): Deleted.
1386         (async.asyncDecl): Deleted.
1387         (async.f): Deleted.
1388         (MyError): Deleted.
1389         (async.asyncDeclThrower): Deleted.
1390         (shouldThrowAsync.async): Deleted.
1391         (resolveLater): Deleted.
1392         (rejectLater): Deleted.
1393         (async.resumeAfterNormal): Deleted.
1394         (O.async.resumeAfterNormal): Deleted.
1395         (resumeAfterNormalArrow.async): Deleted.
1396         (async.resumeAfterThrow): Deleted.
1397         (O.async.resumeAfterThrow): Deleted.
1398         (resumeAfterThrowArrow.async): Deleted.
1399         (catch): Deleted.
1400         * tests/stress/async-await-module-reserved-word.js: Removed.
1401         (shouldThrow): Deleted.
1402         (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await): Deleted.
1403         (checkModuleSyntaxError.String.raw.await): Deleted.
1404         (checkModuleSyntaxError.String.raw.async.await): Deleted.
1405         (SyntaxError.Cannot.declare.named): Deleted.
1406         * tests/stress/async-await-mozilla.js: Removed.
1407         (shouldBe): Deleted.
1408         (shouldBeAsync): Deleted.
1409         (shouldThrow): Deleted.
1410         (shouldThrowAsync): Deleted.
1411         (assert): Deleted.
1412         (shouldThrowSyntaxError): Deleted.
1413         (mozSemantics.async.empty): Deleted.
1414         (mozSemantics.async.simpleReturn): Deleted.
1415         (mozSemantics.async.simpleAwait): Deleted.
1416         (mozSemantics.async.simpleAwaitAsync): Deleted.
1417         (mozSemantics.async.returnOtherAsync): Deleted.
1418         (mozSemantics.async.simpleThrower): Deleted.
1419         (mozSemantics.async.delegatedThrower): Deleted.
1420         (mozSemantics.async.tryCatch): Deleted.
1421         (mozSemantics.async.tryCatchThrow): Deleted.
1422         (mozSemantics.async.wellFinally): Deleted.
1423         (mozSemantics.async.finallyMayFail): Deleted.
1424         (mozSemantics.async.embedded.async.inner): Deleted.
1425         (mozSemantics.async.embedded): Deleted.
1426         (mozSemantics.async.fib): Deleted.
1427         (mozSemantics.async.isOdd.async.isEven): Deleted.
1428         (mozSemantics.async.isOdd): Deleted.
1429         (mozSemantics.hardcoreFib.async.fib2): Deleted.
1430         (mozSemantics.namedAsyncExpr.async.simple): Deleted.
1431         (mozSemantics.async.executionOrder.async.first): Deleted.
1432         (mozSemantics.async.executionOrder.async.second): Deleted.
1433         (mozSemantics.async.executionOrder.async.third): Deleted.
1434         (mozSemantics.async.executionOrder): Deleted.
1435         (mozSemantics.async.miscellaneous): Deleted.
1436         (mozSemantics.thrower): Deleted.
1437         (mozSemantics.async.defaultArgs): Deleted.
1438         (mozSemantics.shouldThrow): Deleted.
1439         (mozSemantics): Deleted.
1440         (mozMethods.X): Deleted.
1441         (mozMethods.X.prototype.async.getValue): Deleted.
1442         (mozMethods.X.prototype.setValue): Deleted.
1443         (mozMethods.X.prototype.async.increment): Deleted.
1444         (mozMethods.X.prototype.async.getBaseClassName): Deleted.
1445         (mozMethods.X.async.getStaticValue): Deleted.
1446         (mozMethods.Y.prototype.async.getBaseClassName): Deleted.
1447         (mozMethods.Y): Deleted.
1448         (mozFunctionNameInferrence.async.test): Deleted.
1449         (mozSyntaxErrors): Deleted.
1450         * tests/stress/async-await-reserved-word.js: Removed.
1451         (assert): Deleted.
1452         (shouldThrowSyntaxError): Deleted.
1453         (AsyncFunction.async): Deleted.
1454         * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Removed.
1455         (shouldBe): Deleted.
1456         (shouldBeAsync): Deleted.
1457         (shouldThrowAsync): Deleted.
1458         (noArgumentsArrow2.async): Deleted.
1459         * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Removed.
1460         (shouldBe): Deleted.
1461         (shouldBeAsync): Deleted.
1462         (shouldThrowAsync): Deleted.
1463         (C1): Deleted.
1464         (C2): Deleted.
1465         (shouldThrowAsync.async): Deleted.
1466         * tests/stress/async_arrow_functions_lexical_super_binding.js: Removed.
1467         (shouldBe): Deleted.
1468         (shouldBeAsync): Deleted.
1469         (BaseClass.prototype.baseClassValue): Deleted.
1470         (BaseClass.prototype.get property): Deleted.
1471         (BaseClass): Deleted.
1472         (ChildClass.prototype.asyncSuperProp): Deleted.
1473         (ChildClass.prototype.asyncSuperProp2): Deleted.
1474         (ChildClass): Deleted.
1475         (ChildClass2): Deleted.
1476         * tests/stress/async_arrow_functions_lexical_this_binding.js: Removed.
1477         (shouldBe): Deleted.
1478         (shouldBeAsync): Deleted.
1479         (d.y): Deleted.
1480
1481 2016-05-31  Commit Queue  <commit-queue@webkit.org>
1482
1483         Unreviewed, rolling out r201363 and r201456.
1484         https://bugs.webkit.org/show_bug.cgi?id=158240
1485
1486         "40% regression on date-format-xparb" (Requested by
1487         keith_miller on #webkit).
1488
1489         Reverted changesets:
1490
1491         "LLInt should be able to cache prototype loads for values in
1492         GetById"
1493         https://bugs.webkit.org/show_bug.cgi?id=158032
1494         http://trac.webkit.org/changeset/201363
1495
1496         "get_by_id should support caching unset properties in the
1497         LLInt"
1498         https://bugs.webkit.org/show_bug.cgi?id=158136
1499         http://trac.webkit.org/changeset/201456
1500
1501 2016-05-31  Commit Queue  <commit-queue@webkit.org>
1502
1503         Unreviewed, rolling out r201359.
1504         https://bugs.webkit.org/show_bug.cgi?id=158238
1505
1506         "It was not a speedup on anything" (Requested by saamyjoon on
1507         #webkit).
1508
1509         Reverted changeset:
1510
1511         "We can cache lookups to JSScope::abstractResolve inside
1512         CodeBlock::finishCreation"
1513         https://bugs.webkit.org/show_bug.cgi?id=158036
1514         http://trac.webkit.org/changeset/201359
1515
1516 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1517
1518         [JSC] Recover parser performance regression by async support
1519         https://bugs.webkit.org/show_bug.cgi?id=158228
1520
1521         Reviewed by Saam Barati.
1522
1523         This patch recovers the parser performance regression caused in r201481.
1524
1525         Compared to the version that reverts r201481, a ~1% regression still remains.
1526         But compared to ToT, this patch significantly improves the code-load performance.
1527
1528         In Linux x64 JSCOnly port, with GCC 5.3.1.
1529
1530         reverted vs. patched.
1531                                  reverted                  patched
1532
1533         closure              0.61805+-0.00376    ?     0.62280+-0.00525       ?
1534         jquery               8.03778+-0.02114          8.03453+-0.04646
1535
1536         <geometric>          2.22883+-0.00836    ?     2.23688+-0.00995       ? might be 1.0036x slower
1537
1538         ToT vs. patched.
1539                                  baseline                  patched
1540
1541         closure              0.65490+-0.00351    ^     0.62473+-0.00363       ^ definitely 1.0483x faster
1542         jquery               8.25373+-0.06256    ^     8.04701+-0.03455       ^ definitely 1.0257x faster
1543
1544         <geometric>          2.32488+-0.00921    ^     2.24210+-0.00592       ^ definitely 1.0369x faster
1545
1546         * bytecode/UnlinkedFunctionExecutable.cpp:
1547         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1548         * bytecode/UnlinkedFunctionExecutable.h:
1549         Extend SourceParseMode.
1550
1551         * parser/Parser.cpp:
1552         (JSC::Parser<LexerType>::parseInner):
1553         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1554         Do not call `matchSpecIdentifier()` as much as we can. This greatly improves the performance.
1555
1556         (JSC::Parser<LexerType>::parseStatementListItem):
1557         (JSC::Parser<LexerType>::parseStatement):
1558         (JSC::Parser<LexerType>::parseFunctionParameters):
1559         (JSC::Parser<LexerType>::parseFunctionInfo):
1560         Do not touch `currentScope()->isGenerator()` even if it is unnecessary in parseFunctionInfo.
1561         And accidental `syntaxChecker => context` changes are fixed.
1562
1563         (JSC::Parser<LexerType>::parseClass):
1564         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1565         (JSC::Parser<LexerType>::parseImportClauseItem):
1566         (JSC::Parser<LexerType>::parseExportDeclaration):
1567         (JSC::Parser<LexerType>::parseAssignmentExpression):
1568         Do not use matchSpecIdentifier() in the hot paths.
1569
1570         (JSC::Parser<LexerType>::parseProperty):
1571         (JSC::Parser<LexerType>::parsePrimaryExpression):
1572         (JSC::Parser<LexerType>::parseMemberExpression):
1573         (JSC::Parser<LexerType>::parseUnaryExpression):
1574         (JSC::Parser<LexerType>::printUnexpectedTokenText): Deleted.
1575         * parser/Parser.h:
1576         (JSC::isIdentifierOrKeyword):
1577         AWAIT should be one of the keywords. This AWAIT check is unnecessary.
1578
1579         (JSC::Parser::upperScope):
1580         (JSC::Parser::matchSpecIdentifier):
1581         Touching currentScope() and its member causes significant performance degradation.
1582         We carefully remove the above access in the hot paths.
1583
1584         (JSC::Parser::isDisallowedIdentifierAwait):
1585         * parser/ParserModes.h:
1586         (JSC::SourceParseModeSet::SourceParseModeSet):
1587         (JSC::SourceParseModeSet::contains):
1588         (JSC::SourceParseModeSet::mergeSourceParseModes):
1589         (JSC::isFunctionParseMode):
1590         (JSC::isAsyncFunctionParseMode):
1591         (JSC::isAsyncArrowFunctionParseMode):
1592         (JSC::isAsyncFunctionWrapperParseMode):
1593         (JSC::isAsyncFunctionBodyParseMode):
1594         (JSC::isModuleParseMode):
1595         (JSC::isProgramParseMode):
1596         (JSC::constructAbilityForParseMode):
1597         The parser frequently checks SourceParseMode, and the number of SourceParseModes has grown.
1598         So using a switch on SourceParseMode degrades performance. Instead, we use bit tests to guard against
1599         many SourceParseModes. We expect that this will be efficiently compiled into test & jmp.
1600
1601         * parser/ParserTokens.h:
1602         Change AWAIT to one of the keywords, in the same way as YIELD / LET.
1603
1604 2016-05-31  Saam Barati  <sbarati@apple.com>
1605
1606         Web Inspector: capturing with Allocations timeline causes GC to take 100x longer and cause frame drops
1607         https://bugs.webkit.org/show_bug.cgi?id=158054
1608         <rdar://problem/25280762>
1609
1610         Reviewed by Joseph Pecoraro.
1611
1612         HeapSnapshot::sweepCell was taking a long time on 
1613         http://bl.ocks.org/syntagmatic/6c149c08fc9cde682635
1614         because it has to do a binary search to find if
1615         an item is or is not in the list. 90% of the binary searches
1616         would not find anything. This resulted in a lot of wasted time.
1617
1618         This patch adds a TinyBloomFilter member variable to HeapSnapshot.
1619         We use this filter to try to bypass doing a binary search when the
1620         filter tells us that a particular JSCell is definitely not in our
1621         list. This is a 2x speedup on the steady state GC of the above
1622         website.
1623
1624         * heap/HeapSnapshot.cpp:
1625         (JSC::HeapSnapshot::appendNode):
1626         (JSC::HeapSnapshot::sweepCell):
1627         (JSC::HeapSnapshot::shrinkToFit):
1628         (JSC::HeapSnapshot::nodeForCell):
1629         * heap/HeapSnapshot.h:
1630
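The filter-before-search idea from this entry, as an added example that is not JavaScriptCore's code: a one-word Bloom filter in front of a sorted-array binary search. Cell addresses are constructed integers rather than pointers, and the bit selection uses an integer hash (an assumption here; WTF's TinyBloomFilter uses the raw pointer bits).

```javascript
// Added example, not JavaScriptCore's code: a one-word Bloom filter placed in
// front of a sorted-array binary search, the idea behind the TinyBloomFilter
// added to HeapSnapshot. Cell addresses are constructed integers, not pointers.

// Map an address to a mask with up to two of 32 bits set. Assumption: an integer
// hash picks the bits; WTF's TinyBloomFilter uses the raw pointer bits instead.
function bloomBits(address) {
  let h = address >>> 0;
  h = Math.imul(h ^ (h >>> 16), 0x45d9f3b) >>> 0;
  h = Math.imul(h ^ (h >>> 16), 0x45d9f3b) >>> 0;
  h = (h ^ (h >>> 16)) >>> 0;
  return ((1 << (h & 31)) | (1 << ((h >>> 5) & 31))) >>> 0;
}

class TinyBloomFilter {
  constructor() { this.bits = 0; }
  add(address) { this.bits = (this.bits | bloomBits(address)) >>> 0; }
  // true: the address was definitely never added (a Bloom filter has no false negatives).
  // false: it may have been added, so the caller must still do the real lookup.
  ruleOut(address) {
    const mask = bloomBits(address);
    return ((this.bits & mask) >>> 0) !== mask;
  }
}

class HeapSnapshot {
  constructor() {
    this.nodes = [];                 // { address, size, swept }, sorted by address after finalize()
    this.filter = new TinyBloomFilter();
    this.binarySearches = 0;         // instrumentation: how often we fell through to the search
  }
  appendNode(address, size) {
    this.nodes.push({ address, size, swept: false });
    this.filter.add(address);
  }
  // Sort once so nodeForCell can binary-search (the real snapshot does this in shrinkToFit).
  finalize() { this.nodes.sort((a, b) => a.address - b.address); }
  nodeForCell(address) {
    if (this.filter.ruleOut(address)) return null;   // definitely absent: skip the search
    this.binarySearches++;
    let lo = 0, hi = this.nodes.length - 1;
    while (lo <= hi) {
      const mid = (lo + hi) >>> 1;
      const found = this.nodes[mid].address;
      if (found === address) return this.nodes[mid];
      if (found < address) lo = mid + 1; else hi = mid - 1;
    }
    return null;
  }
  // Called for every cell the GC frees; returns true if the cell was in the snapshot.
  sweepCell(address) {
    const node = this.nodeForCell(address);
    if (!node) return false;
    node.swept = true;
    return true;
  }
}

// Simulate one GC sweep: a few snapshot cells among many unrelated freed cells,
// like the 90% miss rate described above. Returns counters the caller can check.
function simulateSweep(snapshotAddresses, sweptAddresses) {
  const snapshot = new HeapSnapshot();
  for (const address of snapshotAddresses) snapshot.appendNode(address, 32);
  snapshot.finalize();
  let hits = 0;
  for (const address of sweptAddresses) if (snapshot.sweepCell(address)) hits++;
  return { hits, binarySearches: snapshot.binarySearches, candidates: sweptAddresses.length };
}
```
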
1631 2016-05-29  Saam barati  <sbarati@apple.com>
1632
1633         Stack overflow crashes with deep or cyclic proxy prototype chains
1634         https://bugs.webkit.org/show_bug.cgi?id=157087
1635
1636         Reviewed by Filip Pizlo and Mark Lam.
1637
1638         Because a Proxy can call back into the JS runtime in arbitrary
1639         ways, we may have effectively cyclic prototype chains and property lookups
1640         by using a Proxy. We may also have arbitrarily long Proxy chains
1641         where we call into a C frame for each link in the Proxy chain.
1642         This means that every Proxy hook must be aware that it can stack overflow.
1643         Before, only certain hooks were aware of this fact. That was a bug:
1644         all hooks must assume they can stack overflow.
1645
1646         Also, because we may have effectively cyclic prototype chains, we
1647         compile ProxyObject.cpp with -fno-optimize-sibling-calls. This prevents
1648         tail call optimization from happening on any of the calls from
1649         ProxyObject.cpp. We do this because we rely on the machine stack
1650         growing for throwing a stack overflow error. It's better for developers
1651         to be able to see a stack overflow error than to have their program
1652         loop forever because the compiler performed TCO.
1653
1654         This patch also fixes a couple call sites of various methods
1655         where we didn't check for an exception.
1656
1657         * CMakeLists.txt:
1658         * JavaScriptCore.xcodeproj/project.pbxproj:
1659         * interpreter/Interpreter.cpp:
1660         (JSC::sizeOfVarargs):
1661         * runtime/InternalFunction.cpp:
1662         (JSC::InternalFunction::createSubclassStructure):
1663         * runtime/JSArray.h:
1664         (JSC::getLength):
1665         * runtime/ObjectPrototype.cpp:
1666         (JSC::objectProtoFuncToString):
1667         * runtime/ProxyObject.cpp:
1668         (JSC::performProxyGet):
1669         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1670         (JSC::ProxyObject::performHasProperty):
1671         (JSC::ProxyObject::getOwnPropertySlotCommon):
1672         (JSC::ProxyObject::performPut):
1673         (JSC::performProxyCall):
1674         (JSC::performProxyConstruct):
1675         (JSC::ProxyObject::performDelete):
1676         (JSC::ProxyObject::performPreventExtensions):
1677         (JSC::ProxyObject::performIsExtensible):
1678         (JSC::ProxyObject::performDefineOwnProperty):
1679         (JSC::ProxyObject::performGetOwnPropertyNames):
1680         (JSC::ProxyObject::getOwnPropertyNames):
1681         (JSC::ProxyObject::getPropertyNames):
1682         (JSC::ProxyObject::getOwnNonIndexPropertyNames):
1683         (JSC::ProxyObject::performSetPrototype):
1684         (JSC::ProxyObject::performGetPrototype):
1685         * runtime/ProxyObject.h:
1686         (JSC::ProxyObject::create):
1687         * tests/stress/proxy-stack-overflow-exceptions.js: Added.
1688         (shouldThrowStackOverflow):
1689         (const.emptyFunction):
1690         (makeLongProxyChain):
1691         (shouldThrowStackOverflow.longProxyChain):
1692         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain1):
1693         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain2):
1694         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain3):
1695         (shouldThrowStackOverflow.longProxyChainBind):
1696         (shouldThrowStackOverflow.longProxyChainPropertyAccess):
1697         (shouldThrowStackOverflow.longProxyChainReflectConstruct):
1698         (shouldThrowStackOverflow.longProxyChainReflectSet):
1699         (shouldThrowStackOverflow.longProxyChainReflectOwnKeys):
1700         (shouldThrowStackOverflow.longProxyChainGetPrototypeOf):
1701         (shouldThrowStackOverflow.longProxyChainSetPrototypeOf):
1702         (shouldThrowStackOverflow.longProxyChainGetOwnPropertyDescriptor):
1703         (shouldThrowStackOverflow.longProxyChainDefineProperty):
1704         (shouldThrowStackOverflow.longProxyChainIsExtensible):
1705         (shouldThrowStackOverflow.longProxyChainPreventExtensions):
1706         (shouldThrowStackOverflow.longProxyChainDeleteProperty):
1707         (shouldThrowStackOverflow.longProxyChainWithScope):
1708         (shouldThrowStackOverflow.longProxyChainWithScope2):
1709         (shouldThrowStackOverflow.longProxyChainWithScope3):
1710         (shouldThrowStackOverflow.longProxyChainArrayPrototypePush):
1711         (shouldThrowStackOverflow.longProxyChainWithScope4):
1712         (shouldThrowStackOverflow.longProxyChainCall):
1713         (shouldThrowStackOverflow.longProxyChainConstruct):
1714         (shouldThrowStackOverflow.longProxyChainHas):
1715
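The two shapes this entry describes (a long Proxy chain and an effectively cyclic one), as an added example that is not one of the WebKit tests listed above: it checks that a lookup ends in a catchable RangeError, the stack-overflow error, rather than hanging. It runs under Node.js; the chain length is a constructed value large enough to exhaust any default stack.

```javascript
// Added example, not part of the WebKit test suite: both a long Proxy chain and an
// effectively cyclic one must surface a catchable RangeError (stack overflow)
// instead of hanging or crashing the engine.

// Each link forwards [[Get]] through a JavaScript trap, so every hop costs real
// stack frames, much as each link costs a C frame in JSC.
function makeLongProxyChain(length) {
  let target = { answer: 42 };
  for (let i = 0; i < length; i++) {
    target = new Proxy(target, {
      get(inner, key, receiver) { return Reflect.get(inner, key, receiver); },
    });
  }
  return target;
}

// Ordinary setPrototypeOf refuses to create a cycle, but a trap can forward to an
// object whose prototype is the proxy itself, giving an effectively cyclic chain.
function makeEffectivelyCyclicProxy() {
  const handler = {};
  const proxy = new Proxy({}, handler);
  const child = Object.create(proxy);       // child -> proxy -> (get trap) -> child -> ...
  handler.get = (target, key, receiver) => Reflect.get(child, key, receiver);
  return proxy;
}

// Returns "value:<v>" when the lookup completes, "overflow" when it hits the stack
// limit, and "other:<name>" for any other exception.
function classifyLookup(object, key) {
  try {
    return "value:" + object[key];
  } catch (error) {
    return error instanceof RangeError ? "overflow" : "other:" + error.name;
  }
}
```
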
1716 2016-05-28  Andreas Kling  <akling@apple.com>
1717
1718         JSGlobalLexicalEnvironment leaks SegmentedVector due to lack of destructor.
1719         <https://webkit.org/b/158186>
1720
1721         Reviewed by Saam Barati.
1722
1723         Give JSGlobalLexicalEnvironment a destroy() and set up a finalizer for it
1724         like we do with JSGlobalObject. (This is needed because they don't inherit
1725         from JSDestructibleObjects and thus can't use JSCell::needsDestruction to
1726         ask for allocation in destructor space.)
1727
1728         This stops us from leaking all the SegmentedVector backing stores.
1729
1730         * runtime/JSGlobalLexicalEnvironment.cpp:
1731         (JSC::JSGlobalLexicalEnvironment::destroy):
1732         * runtime/JSGlobalLexicalEnvironment.h:
1733         (JSC::JSGlobalLexicalEnvironment::create):
1734
1735 2016-05-28  Skachkov Oleksandr  <gskachkov@gmail.com>
1736         [ESNext] Trailing commas in function parameters.
1737         https://bugs.webkit.org/show_bug.cgi?id=158020
1738
1739         Reviewed by Keith Miller.
1740
1741         ESNext allows trailing commas in function parameters and function arguments.
1742         Link to spec - https://jeffmo.github.io/es-trailing-function-commas
1743         Example of use - (function (a, b,) { return a + b; })(1,2,);
1744
1745         * parser/Parser.cpp:
1746         (JSC::Parser<LexerType>::parseFormalParameters):
1747         (JSC::Parser<LexerType>::parseArguments):
1748         * tests/stress/trailing-comma-in-function-paramters.js: Added.
1749
1750 2016-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1751
1752         [JSC] op_new_arrow_func_exp is no longer necessary
1753         https://bugs.webkit.org/show_bug.cgi?id=158180
1754
1755         Reviewed by Saam Barati.
1756
1757         This patch removes op_new_arrow_func_exp bytecode since
1758         what op_new_arrow_func_exp does is exactly the same as op_new_func_exp.
1759
1760         * bytecode/BytecodeList.json:
1761         * bytecode/BytecodeUseDef.h:
1762         (JSC::computeUsesForBytecodeOffset): Deleted.
1763         (JSC::computeDefsForBytecodeOffset): Deleted.
1764         * bytecode/CodeBlock.cpp:
1765         (JSC::CodeBlock::dumpBytecode): Deleted.
1766         * bytecompiler/BytecodeGenerator.cpp:
1767         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
1768         * dfg/DFGByteCodeParser.cpp:
1769         (JSC::DFG::ByteCodeParser::parseBlock):
1770         * dfg/DFGCapabilities.cpp:
1771         (JSC::DFG::capabilityLevel): Deleted.
1772         * jit/JIT.cpp:
1773         (JSC::JIT::privateCompileMainPass): Deleted.
1774         * jit/JIT.h:
1775         * jit/JITOpcodes.cpp:
1776         (JSC::JIT::emitNewFuncExprCommon):
1777         (JSC::JIT::emit_op_new_arrow_func_exp): Deleted.
1778         * llint/LLIntSlowPaths.cpp:
1779         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
1780         * llint/LLIntSlowPaths.h:
1781         * llint/LowLevelInterpreter.asm:
1782
1783 2016-05-27  Caitlin Potter  <caitp@igalia.com>
1784
1785         [JSC] implement async functions proposal
1786         https://bugs.webkit.org/show_bug.cgi?id=156147
1787
1788         Reviewed by Yusuke Suzuki.
1789
1790         Adds support for `async` functions, proposed in https://tc39.github.io/ecmascript-asyncawait/.
1791
1792         On the front-end side, "await" becomes a contextual keyword when used within an async function,
1793         which triggers parsing an AwaitExpression. "await" becomes an illegal identifier name within
1794         these contexts. The bytecode generated from an "await" expression is identical to that generated
1795         in a "yield" expression in a Generator, as AsyncFunction reuses generator's state machine mechanism.
1796
1797         There are numerous syntactic forms for language features, including a variation on ArrowFunctions,
1798         requiring the keyword `async` to precede ArrowFormalParameters, and similarly, MethodDefinitions,
1799         which are ordinary MethodDefinitions preceded by the keyword `async`.
1800
1801         An async function desugars to the following:
1802
1803         ```
1804         async function asyncFn() {
1805         }
1806
1807         becomes:
1808
1809         function asyncFn() {
1810             let generator = {
1811                 @generatorNext: function(@generator, @generatorState, @generatorValue, @generatorResumeMode) {
1812                   // generator state machine stuff here
1813                 },
1814                 @generatorState: 0,
1815                 @generatorThis: this,
1816                 @generatorFrame: null
1817             };
1818             return @asyncFunctionResume(generator, undefined, GeneratorResumeMode::NormalMode);
1819         }
1820         ```
1821
1822         `@asyncFunctionResume()` is similar to `@generatorResume`, with the exception that it will wrap the
1823         result of invoking `@generatorNext()` in a Promise, and will avoid allocating an iterator result
1824         object.
1825
1826         If the generator has yielded (an AwaitExpression has occurred), resumption will occur automatically
1827         once the await-expression operand is finished, via Promise chaining.
1828
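The desugaring described above, as an added example in plain JavaScript that is not the @asyncFunctionResume builtin itself: a generator stands in for the @generatorNext state machine, asyncFunctionResume wraps each step in a Promise, and resumption after an await happens through Promise chaining. ResumeMode, makeAsync and the sample bodies are constructed for this example.

```javascript
// Added example, not JavaScriptCore's builtin: a plain-JavaScript model of the
// async function desugaring. A generator plays the @generatorNext state machine;
// asyncFunctionResume wraps each step in a Promise and resumes the body through
// Promise chaining once the awaited operand settles.

const ResumeMode = { Normal: 0, Throw: 1 };   // stands in for GeneratorResumeMode

function asyncFunctionResume(generator, sentValue, resumeMode) {
  let step;
  try {
    step = resumeMode === ResumeMode.Throw ? generator.throw(sentValue) : generator.next(sentValue);
  } catch (error) {
    return Promise.reject(error);              // the body threw: the async function's promise rejects
  }
  if (step.done)
    return Promise.resolve(step.value);        // the body returned: no iterator result object is built
  // The body yielded at an AwaitExpression: resume when the operand settles, in the matching mode.
  return Promise.resolve(step.value).then(
    (value) => asyncFunctionResume(generator, value, ResumeMode.Normal),
    (error) => asyncFunctionResume(generator, error, ResumeMode.Throw));
}

// `async function f(...) { body }` becomes an ordinary function that builds the
// state machine (here a generator object) and hands it to asyncFunctionResume.
function makeAsync(generatorFunction) {
  return function (...args) {
    const generator = generatorFunction.apply(this, args);   // `this` is captured like @generatorThis
    return asyncFunctionResume(generator, undefined, ResumeMode.Normal);
  };
}

// Model of:
//   async function example(a, b) {
//     const x = await a;
//     try { await Promise.reject(new Error(String(b))); } catch (e) { return x + Number(e.message); }
//   }
const example = makeAsync(function* (a, b) {
  const x = yield a;                                   // await a
  try {
    yield Promise.reject(new Error(String(b)));        // awaiting a rejected promise throws here
  } catch (e) {
    return x + Number(e.message);
  }
});

// Model of: async function thrower() { await 1; throw new TypeError("boom"); }
const thrower = makeAsync(function* () {
  yield 1;
  throw new TypeError("boom");
});

// Records the observable ordering: the body runs synchronously up to the first
// await, and the caller holds a Promise before anything after that await runs.
function orderingTrace() {
  const trace = [];
  const run = makeAsync(function* () {
    trace.push("before await");
    yield null;
    trace.push("after await");
  });
  const promise = run();
  trace.push("returned " + (promise instanceof Promise ? "a Promise" : "something else"));
  return promise.then(() => trace);
}
```
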
1829         * API/JSScriptRef.cpp:
1830         (parseScript):
1831         * CMakeLists.txt:
1832         * DerivedSources.make:
1833         * JavaScriptCore.xcodeproj/project.pbxproj:
1834         * builtins/AsyncFunctionPrototype.js: Added.
1835         (asyncFunctionResume):
1836         * builtins/BuiltinExecutables.cpp:
1837         (JSC::BuiltinExecutables::createExecutable):
1838         * bytecode/BytecodeList.json:
1839         * bytecode/BytecodeUseDef.h:
1840         (JSC::computeUsesForBytecodeOffset):
1841         (JSC::computeDefsForBytecodeOffset):
1842         * bytecode/CodeBlock.cpp:
1843         (JSC::CodeBlock::dumpBytecode):
1844         (JSC::CodeBlock::finishCreation):
1845         * bytecode/UnlinkedCodeBlock.h:
1846         (JSC::UnlinkedCodeBlock::isArrowFunction):
1847         (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction):
1848         (JSC::UnlinkedCodeBlock::isAsyncArrowFunction):
1849         * bytecode/UnlinkedFunctionExecutable.cpp:
1850         (JSC::generateUnlinkedFunctionCodeBlock):
1851         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1852         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1853         * bytecode/UnlinkedFunctionExecutable.h:
1854         * bytecompiler/BytecodeGenerator.cpp:
1855         (JSC::BytecodeGenerator::BytecodeGenerator):
1856         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
1857         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
1858         (JSC::BytecodeGenerator::emitNewMethodDefinition):
1859         (JSC::BytecodeGenerator::emitNewFunction):
1860         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1861         * bytecompiler/BytecodeGenerator.h:
1862         (JSC::BytecodeGenerator::makeFunction):
1863         * bytecompiler/NodesCodegen.cpp:
1864         (JSC::FunctionNode::emitBytecode):
1865         * inspector/agents/InspectorRuntimeAgent.cpp:
1866         (Inspector::InspectorRuntimeAgent::parse):
1867         * jit/JIT.cpp:
1868         (JSC::JIT::privateCompileMainPass):
1869         * jit/JIT.h:
1870         * jit/JITOpcodes.cpp:
1871         (JSC::JIT::emitNewFuncCommon):
1872         (JSC::JIT::emit_op_new_async_func):
1873         (JSC::JIT::emitNewFuncExprCommon):
1874         (JSC::JIT::emit_op_new_async_func_exp):
1875         * jit/JITOperations.cpp:
1876         * jit/JITOperations.h:
1877         * jsc.cpp:
1878         (runInteractive):
1879         (printUsageStatement):
1880         * llint/LLIntSlowPaths.cpp:
1881         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1882         * llint/LLIntSlowPaths.h:
1883         * llint/LowLevelInterpreter.asm:
1884         * parser/ASTBuilder.h:
1885         (JSC::ASTBuilder::createAsyncFunctionBody):
1886         * parser/Keywords.table:
1887         * parser/Parser.cpp:
1888         (JSC::Parser<LexerType>::Parser):
1889         (JSC::Parser<LexerType>::parseInner):
1890         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1891         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
1892         (JSC::Parser<LexerType>::parseStatementListItem):
1893         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1894         (JSC::Parser<LexerType>::parseDestructuringPattern):
1895         (JSC::Parser<LexerType>::parseStatement):
1896         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
1897         (JSC::Parser<LexerType>::parseFormalParameters):
1898         (JSC::stringForFunctionMode):
1899         (JSC::Parser<LexerType>::parseFunctionParameters):
1900         (JSC::Parser<LexerType>::parseFunctionInfo):
1901         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1902         (JSC::Parser<LexerType>::parseClass):
1903         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1904         (JSC::Parser<LexerType>::parseImportClauseItem):
1905         (JSC::Parser<LexerType>::parseImportDeclaration):
1906         (JSC::Parser<LexerType>::parseExportDeclaration):
1907         (JSC::Parser<LexerType>::parseAssignmentExpression):
1908         (JSC::Parser<LexerType>::parseAwaitExpression):
1909         (JSC::Parser<LexerType>::parseProperty):
1910         (JSC::Parser<LexerType>::parsePropertyMethod):
1911         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
1912         (JSC::Parser<LexerType>::parsePrimaryExpression):
1913         (JSC::Parser<LexerType>::parseMemberExpression):
1914         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1915         (JSC::Parser<LexerType>::parseUnaryExpression):
1916         (JSC::Parser<LexerType>::printUnexpectedTokenText):
1917         * parser/Parser.h:
1918         (JSC::isIdentifierOrKeyword):
1919         (JSC::Scope::Scope):
1920         (JSC::Scope::setSourceParseMode):
1921         (JSC::Scope::isAsyncFunction):
1922         (JSC::Scope::isAsyncFunctionBoundary):
1923         (JSC::Scope::isModule):
1924         (JSC::Scope::setIsFunction):
1925         (JSC::Scope::setIsAsyncArrowFunction):
1926         (JSC::Scope::setIsAsyncFunction):
1927         (JSC::Scope::setIsAsyncFunctionBody):
1928         (JSC::Scope::setIsAsyncArrowFunctionBody):
1929         (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError):
1930         (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
1931         (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction):
1932         (JSC::Parser::forceClassifyExpressionError):
1933         (JSC::Parser::declarationTypeToVariableKind):
1934         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
1935         (JSC::Parser::pushScope):
1936         (JSC::Parser::popScopeInternal):
1937         (JSC::Parser::matchSpecIdentifier):
1938         (JSC::Parser::isDisallowedIdentifierAwait):
1939         (JSC::Parser::disallowedIdentifierAwaitReason):
1940         (JSC::parse):
1941         * parser/ParserModes.h:
1942         (JSC::isFunctionParseMode):
1943         (JSC::isAsyncFunctionParseMode):
1944         (JSC::isAsyncArrowFunctionParseMode):
1945         (JSC::isAsyncFunctionWrapperParseMode):
1946         (JSC::isAsyncFunctionBodyParseMode):
1947         (JSC::isModuleParseMode):
1948         (JSC::isProgramParseMode):
1949         (JSC::constructAbilityForParseMode):
1950         * parser/ParserTokens.h:
1951         * parser/SourceCodeKey.h:
1952         (JSC::SourceCodeKey::SourceCodeKey):
1953         (JSC::SourceCodeKey::runtimeFlags):
1954         (JSC::SourceCodeKey::operator==):
1955         * parser/SyntaxChecker.h:
1956         (JSC::SyntaxChecker::createAsyncFunctionBody):
1957         * runtime/AsyncFunctionConstructor.cpp: Added.
1958         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
1959         (JSC::AsyncFunctionConstructor::finishCreation):
1960         (JSC::callAsyncFunctionConstructor):
1961         (JSC::constructAsyncFunctionConstructor):
1962         (JSC::AsyncFunctionConstructor::getCallData):
1963         (JSC::AsyncFunctionConstructor::getConstructData):
1964         * runtime/AsyncFunctionConstructor.h: Added.
1965         (JSC::AsyncFunctionConstructor::create):
1966         (JSC::AsyncFunctionConstructor::createStructure):
1967         * runtime/AsyncFunctionPrototype.cpp: Added.
1968         (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype):
1969         (JSC::AsyncFunctionPrototype::finishCreation):
1970         * runtime/AsyncFunctionPrototype.h: Added.
1971         (JSC::AsyncFunctionPrototype::create):
1972         (JSC::AsyncFunctionPrototype::createStructure):
1973         * runtime/CodeCache.cpp:
1974         (JSC::CodeCache::getGlobalCodeBlock):
1975         (JSC::CodeCache::getProgramCodeBlock):
1976         (JSC::CodeCache::getEvalCodeBlock):
1977         (JSC::CodeCache::getModuleProgramCodeBlock):
1978         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1979         * runtime/CodeCache.h:
1980         * runtime/CommonIdentifiers.h:
1981         * runtime/Completion.cpp:
1982         (JSC::checkSyntax):
1983         (JSC::checkModuleSyntax):
1984         * runtime/Completion.h:
1985         * runtime/Executable.cpp:
1986         (JSC::ScriptExecutable::newCodeBlockFor):
1987         (JSC::ProgramExecutable::checkSyntax):
1988         * runtime/Executable.h:
1989         * runtime/FunctionConstructor.cpp:
1990         (JSC::constructFunctionSkippingEvalEnabledCheck):
1991         * runtime/FunctionConstructor.h:
1992         * runtime/JSAsyncFunction.cpp: Added.
1993         (JSC::JSAsyncFunction::JSAsyncFunction):
1994         (JSC::JSAsyncFunction::createImpl):
1995         (JSC::JSAsyncFunction::create):
1996         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
1997         * runtime/JSAsyncFunction.h: Added.
1998         (JSC::JSAsyncFunction::allocationSize):
1999         (JSC::JSAsyncFunction::createStructure):
2000         * runtime/JSFunction.cpp:
2001         (JSC::JSFunction::getOwnPropertySlot):
2002         * runtime/JSGlobalObject.cpp:
2003         (JSC::JSGlobalObject::init):
2004         (JSC::JSGlobalObject::createProgramCodeBlock):
2005         (JSC::JSGlobalObject::createEvalCodeBlock):
2006         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2007         * runtime/JSGlobalObject.h:
2008         (JSC::JSGlobalObject::asyncFunctionPrototype):
2009         (JSC::JSGlobalObject::asyncFunctionStructure):
2010         * runtime/ModuleLoaderObject.cpp:
2011         (JSC::moduleLoaderObjectParseModule):
2012         * runtime/RuntimeFlags.h:
2013         (JSC::RuntimeFlags::operator==):
2014         (JSC::RuntimeFlags::operator!=):
2015         * tests/stress/async-await-basic.js: Added.
2016         (shouldBe):
2017         (shouldBeAsync):
2018         (shouldThrow):
2019         (shouldThrowAsync):
2020         (let.AsyncFunction.async):
2021         (async.asyncFunctionForProto):
2022         (Object.getPrototypeOf.async):
2023         (Object.getPrototypeOf.async.method):
2024         (async):
2025         (async.method):
2026         (async.asyncNonConstructorDecl):
2027         (shouldThrow.new.async):
2028         (shouldThrow.new.async.nonConstructor):
2029         (async.asyncDecl):
2030         (async.f):
2031         (MyError):
2032         (async.asyncDeclThrower):
2033         (shouldThrowAsync.async):
2034         (resolveLater):
2035         (rejectLater):
2036         (async.resumeAfterNormal):
2037         (O.async.resumeAfterNormal):
2038         (resumeAfterNormalArrow.async):
2039         (async.resumeAfterThrow):
2040         (O.async.resumeAfterThrow):
2041         (resumeAfterThrowArrow.async):
2042         (catch):
2043         * tests/stress/async-await-module-reserved-word.js: Added.
2044         (shouldThrow):
2045         (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await):
2046         (checkModuleSyntaxError.String.raw.await):
2047         (checkModuleSyntaxError.String.raw.async.await):
2048         (SyntaxError.Cannot.declare.named):
2049         * tests/stress/async-await-mozilla.js: Added.
2050         (shouldBe):
2051         (shouldBeAsync):
2052         (shouldThrow):
2053         (shouldThrowAsync):
2054         (assert):
2055         (shouldThrowSyntaxError):
2056         (mozSemantics.async.empty):
2057         (mozSemantics.async.simpleReturn):
2058         (mozSemantics.async.simpleAwait):
2059         (mozSemantics.async.simpleAwaitAsync):
2060         (mozSemantics.async.returnOtherAsync):
2061         (mozSemantics.async.simpleThrower):
2062         (mozSemantics.async.delegatedThrower):
2063         (mozSemantics.async.tryCatch):
2064         (mozSemantics.async.tryCatchThrow):
2065         (mozSemantics.async.wellFinally):
2066         (mozSemantics.async.finallyMayFail):
2067         (mozSemantics.async.embedded.async.inner):
2068         (mozSemantics.async.embedded):
2069         (mozSemantics.async.fib):
2070         (mozSemantics.async.isOdd.async.isEven):
2071         (mozSemantics.async.isOdd):
2072         (mozSemantics.hardcoreFib.async.fib2):
2073         (mozSemantics.namedAsyncExpr.async.simple):
2074         (mozSemantics.async.executionOrder.async.first):
2075         (mozSemantics.async.executionOrder.async.second):
2076         (mozSemantics.async.executionOrder.async.third):
2077         (mozSemantics.async.executionOrder):
2078         (mozSemantics.async.miscellaneous):
2079         (mozSemantics.thrower):
2080         (mozSemantics.async.defaultArgs):
2081         (mozSemantics.shouldThrow):
2082         (mozSemantics):
2083         (mozMethods.X):
2084         (mozMethods.X.prototype.async.getValue):
2085         (mozMethods.X.prototype.setValue):
2086         (mozMethods.X.prototype.async.increment):
2087         (mozMethods.X.prototype.async.getBaseClassName):
2088         (mozMethods.X.async.getStaticValue):
2089         (mozMethods.Y.prototype.async.getBaseClassName):
2090         (mozMethods.Y):
2091         (mozFunctionNameInferrence.async.test):
2092         (mozSyntaxErrors):
2093         * tests/stress/async-await-reserved-word.js: Added.
2094         (assert):
2095         (shouldThrowSyntaxError):
2096         (AsyncFunction.async):
2097         * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Added.
2098         (shouldBe):
2099         (shouldBeAsync):
2100         (shouldThrowAsync):
2101         (noArgumentsArrow2.async):
2102         * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Added.
2103         (shouldBe):
2104         (shouldBeAsync):
2105         (shouldThrowAsync):
2106         (C1):
2107         (C2):
2108         (shouldThrowAsync.async):
2109         * tests/stress/async_arrow_functions_lexical_super_binding.js: Added.
2110         (shouldBe):
2111         (shouldBeAsync):
2112         (BaseClass.prototype.baseClassValue):
2113         (BaseClass):
2114         (ChildClass.prototype.asyncSuperProp):
2115         (ChildClass.prototype.asyncSuperProp2):
2116         (ChildClass):
2117         * tests/stress/async_arrow_functions_lexical_this_binding.js: Added.
2118         (shouldBe):
2119         (shouldBeAsync):
2120         (d.y):
2121
2122 2016-05-27  Saam barati  <sbarati@apple.com>
2123
2124         DebuggerCallFrame crashes when updated with the globalExec because neither ShadowChicken's algorithm nor StackVisitor's algorithm reasons about the globalExec
2125         https://bugs.webkit.org/show_bug.cgi?id=158104
2126
2127         Reviewed by Filip Pizlo.
2128
2129         I think globalExec is a special enough case that it should be handled
2130         at the layers above ShadowChicken and StackVisitor. Those APIs should
2131         deal with real stack frames on the machine stack, not a heap constructed frame.
2132
2133         This patch makes DebuggerCallFrame::create aware that it may be
2134         created with the globalObject->globalExec() by having it construct
2135         a single DebuggerCallFrame that wraps the globalExec.
2136
2137         This fixes a crasher because we will construct a DebuggerCallFrame
2138         with the globalExec when the Inspector is set to pause on all uncaught
2139         exceptions and the JS program has a syntax error. Because the program
2140         hasn't begun execution, there is no machine JS stack frame yet. So
2141         DebuggerCallFrame is created with globalExec, which will cause it
2142         to hit an assertion that dictates that the stack have size greater
2143         than zero.
2144
2145         * debugger/DebuggerCallFrame.cpp:
2146         (JSC::DebuggerCallFrame::create):
2147
2148 2016-05-27  Filip Pizlo  <fpizlo@apple.com>
2149
2150         DFG::LazyJSValue::tryGetStringImpl() crashes for empty values
2151         https://bugs.webkit.org/show_bug.cgi?id=158170
2152
2153         Reviewed by Michael Saboff.
2154
2155         The problem here is that jsDynamicCast<>() is evil! It avoids checking for the empty
2156         value, presumably because this makes it soooper fast. In DFG IR, empty values can appear
2157         anywhere because of TDZ.
2158         
2159         This patch doesn't change jsDynamicCast<>(), but it hardens our wrappers for it in the DFG
2160         and it has the affected code use one of those wrappers.
2161         
2162         * dfg/DFGFrozenValue.h:
2163         (JSC::DFG::FrozenValue::dynamicCast): Harden this.
2164         (JSC::DFG::FrozenValue::cast):
2165         * dfg/DFGLazyJSValue.cpp:
2166         (JSC::DFG::LazyJSValue::tryGetStringImpl): Use the hardened wrapper.
2167         * tests/stress/strcat-emtpy.js: Added. This used to crash every time.
2168         (foo):
2169         (i.catch):
2170
2171 2016-05-27  Filip Pizlo  <fpizlo@apple.com>
2172
2173         regExpProtoFuncSplitFast should OOM before it swaps
2174         https://bugs.webkit.org/show_bug.cgi?id=158157
2175
2176         Reviewed by Mark Lam.
2177         
2178         This is a huge speed-up on some jsfunfuzz test cases because it makes us realize much
2179         sooner that running a regexp split will result in swapping. It uses the same basic
2180         approach as http://trac.webkit.org/changeset/201451: if the result array crosses a certain
2181         size threshold, we proceed with a dry run to see how big the array will get before
2182         allocating anything else. This way, bogus uses of split that would have OOMed only after
2183         killing the user's machine will now OOM before killing the user's machine.
2184         
2185         This is an enormous speed-up on some jsfunfuzz tests: they go from running for a long
2186         time to running instantly.
2187
2188         * runtime/RegExpPrototype.cpp:
2189         (JSC::advanceStringIndex):
2190         (JSC::genericSplit):
2191         (JSC::regExpProtoFuncSplitFast):
2192         * runtime/StringObject.h:
2193         (JSC::jsStringWithReuse):
2194         (JSC::jsSubstring):
2195         * tests/stress/big-split-captures.js: Added.
2196         * tests/stress/big-split.js: Added.
2197
2198 2016-05-27  Saam barati  <sbarati@apple.com>
2199
2200         ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
2201         https://bugs.webkit.org/show_bug.cgi?id=158131
2202
2203         Reviewed by Yusuke Suzuki.
2204
2205         There were bugs both in DebuggerCallFrame and ShadowChicken when the entry stack
2206         frame(s) are tail deleted.
2207
2208         DebuggerCallFrame had an assertion saying that the entry frame shouldn't be
2209         tail deleted. This is clearly wrong. The following program proves that this assertion
2210         was misguided:
2211         ```
2212         "use strict";
2213         setTimeout(function foo() { return bar(); }, 0);
2214         ```
2215
2216         ShadowChicken had a very subtle bug when creating the shadow stack when 
2217         the entry frames of the stack were tail deleted. Because it places frames into its shadow
2218         stack by walking the machine frame and looking up entries in the log,
2219         the machine frame doesn't have any notion of those tail deleted frames
2220         at the entry of execution. ShadowChicken would never find those frames
2221         because it would look for tail deleted frames *before* consulting the
2222         current machine frame. This is wrong because if the entry frames
2223         are tail deleted, then there is no machine frame for them because there
2224         is no machine frame before them! Therefore, we must search for tail deleted
2225         frames *after* consulting a machine frame. This is sound because we will always
2226         have at least one machine frame on the stack (when we are using StackVisitor on a valid ExecState).
2227         So when we consult the machine frame that is the entry frame on the machine stack,
2228         we will search for tail deleted frames that come before it in the shadow stack.
2229         This will allow us to find those tail deleted frames that are the entry frames
2230         for the shadow stack.
2231
2232         * debugger/DebuggerCallFrame.cpp:
2233         (JSC::DebuggerCallFrame::create):
2234         * interpreter/ShadowChicken.cpp:
2235         (JSC::ShadowChicken::Packet::dump):
2236         (JSC::ShadowChicken::update):
2237         (JSC::ShadowChicken::dump):
2238
2239 2016-05-27  Chris Dumez  <cdumez@apple.com>
2240
2241         WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables
2242         https://bugs.webkit.org/show_bug.cgi?id=158111
2243
2244         Reviewed by Darin Adler.
2245
2246         WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables.
2247         These are often used cross-thread and copying the captured lambda variables can be
2248         dangerous (e.g. we do not want to copy a String after calling isolatedCopy() upon
2249         capture).
2250
2251         * runtime/Watchdog.cpp:
2252         (JSC::Watchdog::startTimer):
2253         (JSC::Watchdog::Watchdog): Deleted.
2254         (JSC::Watchdog::setTimeLimit): Deleted.
2255         * runtime/Watchdog.h:
2256
2257 2016-05-27  Konstantin Tokarev  <annulen@yandex.ru>
2258
2259         Removed unused headers from ExecutableAllocatorFixedVMPool.cpp.
2260         https://bugs.webkit.org/show_bug.cgi?id=158159
2261
2262         Reviewed by Darin Adler.
2263
2264         * jit/ExecutableAllocatorFixedVMPool.cpp:
2265
2266 2016-05-27  Keith Miller  <keith_miller@apple.com>
2267
2268         get_by_id should support caching unset properties in the LLInt
2269         https://bugs.webkit.org/show_bug.cgi?id=158136
2270
2271         Reviewed by Benjamin Poulain.
2272
2273         Recently, we started supporting prototype load caching for get_by_id
2274         in the LLInt. This patch extends that to caching unset properties.
2275         While it is uncommon in general for a program to see a single structure
2276         without a given property, the Array.prototype.concat function needs to
2277         lookup the Symbol.isConcatSpreadable property. For any existing code
2278         For any existing code, that property will never be set as it did not exist prior to ES6.
2279
2280         Similarly to the get_by_id_proto_load bytecode, this patch adds a new
2281         bytecode, get_by_id_unset that checks the structureID of the base and
2282         assigns undefined to the result.
2283
2284         There are no new tests here since we already have many tests that
2285         incidentally cover this change.
2286
2287         * bytecode/BytecodeList.json:
2288         * bytecode/BytecodeUseDef.h:
2289         (JSC::computeUsesForBytecodeOffset):
2290         (JSC::computeDefsForBytecodeOffset):
2291         * bytecode/CodeBlock.cpp:
2292         (JSC::CodeBlock::printGetByIdOp):
2293         (JSC::CodeBlock::dumpBytecode):
2294         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2295         * bytecode/GetByIdStatus.cpp:
2296         (JSC::GetByIdStatus::computeFromLLInt):
2297         * dfg/DFGByteCodeParser.cpp:
2298         (JSC::DFG::ByteCodeParser::parseBlock):
2299         * dfg/DFGCapabilities.cpp:
2300         (JSC::DFG::capabilityLevel):
2301         * jit/JIT.cpp:
2302         (JSC::JIT::privateCompileMainPass):
2303         (JSC::JIT::privateCompileSlowCases):
2304         * llint/LLIntSlowPaths.cpp:
2305         (JSC::LLInt::setupGetByIdPrototypeCache):
2306         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2307         * llint/LLIntSlowPaths.h:
2308         * llint/LowLevelInterpreter32_64.asm:
2309         * llint/LowLevelInterpreter64.asm:
2310
2311 2016-05-26  Filip Pizlo  <fpizlo@apple.com>
2312
2313         Bogus uses of regexp matching should realize that they will OOM before they start swapping
2314         https://bugs.webkit.org/show_bug.cgi?id=158142
2315
2316         Reviewed by Michael Saboff.
2317         
2318         Refactored the RegExpObject::matchGlobal() code so that there is less duplication. Took
2319         advantage of this to make the code more resilient in case of absurd situations: if the
2320         result array gets large, it proceeds with a dry run to detect how many matches there will
2321         be. This allows it to OOM before it starts swapping.
2322         
2323         This also improves the overall performance of the code by using lightweight substrings and
2324         skipping the whole intermediate argument array.
2325         
2326         This makes some jsfunfuzz tests run a lot faster and use a lot less memory.
2327         
2328         * builtins/RegExpPrototype.js:
2329         * CMakeLists.txt:
2330         * JavaScriptCore.xcodeproj/project.pbxproj:
2331         * runtime/MatchResult.cpp: Added.
2332         (JSC::MatchResult::dump):
2333         * runtime/MatchResult.h:
2334         (JSC::MatchResult::empty):
2335         (MatchResult::empty): Deleted.
2336         * runtime/RegExpObject.cpp:
2337         (JSC::RegExpObject::match):
2338         (JSC::collectMatches):
2339         (JSC::RegExpObject::matchGlobal):
2340         * runtime/StringObject.h:
2341         (JSC::jsStringWithReuse):
2342         (JSC::jsSubstring):
2343         * tests/stress/big-match.js: Added. Make sure that this optimization doesn't break big matches.
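Added example for the "dry run before allocating" approach that the regExpProtoFuncSplitFast entry (r201451's follow-up above) and this matchGlobal entry both describe. This is illustrative JavaScript, not JavaScriptCore's C++: it models a spec-style split whose result array, once it crosses a size threshold, is sized by a counting pass that allocates nothing, so a pathological input fails fast with a RangeError instead of growing the heap until the machine swaps. The constants DRY_RUN_THRESHOLD and MAX_RESULTS and the helper names are assumptions chosen for the example, not JSC's real values.

```javascript
// Added example, not JavaScriptCore code. Models the "dry run before
// allocating" idea: once the split result grows past a threshold, count the
// remaining pieces without materialising them and bail out early if the
// final array would exceed a hard cap.

const DRY_RUN_THRESHOLD = 1000;  // assumed: start counting once this many results exist
const MAX_RESULTS = 20000;       // assumed hard cap standing in for "this would OOM"

// Spec-style @@split matches with a sticky copy so exec() only matches at lastIndex.
function makeSplitter(re) {
  return new RegExp(re.source, re.flags.replace(/[gy]/g, "") + "y");
}

// Step past one code point (one code unit outside unicode mode) so an empty
// match can never stall the loop; the counterpart of advanceStringIndex.
function advanceStringIndex(str, index, unicode) {
  if (!unicode || index + 1 >= str.length) return index + 1;
  return index + (str.codePointAt(index) > 0xffff ? 2 : 1);
}

// Walk the split points of `str` from position `from`. For each piece the
// callback receives (pieceStart, pieceEnd, matchEnd, captures); returning
// false aborts the walk. Returns where the trailing piece starts, or -1 on abort.
function walkSplit(splitter, str, from, onPiece) {
  let p = from; // start of the current piece
  let q = from; // position where the next match attempt begins
  while (q < str.length) {
    splitter.lastIndex = q;
    const m = splitter.exec(str);
    const e = m === null ? -1 : Math.min(splitter.lastIndex, str.length);
    if (m === null || e === p) {
      q = advanceStringIndex(str, q, splitter.unicode);
      continue;
    }
    if (onPiece(p, q, e, m.slice(1)) === false) return -1;
    p = e;
    q = p;
  }
  return p;
}

// Split `str` by `re`, allocating result strings only while the total is
// known (or counted) to stay under MAX_RESULTS.
function regExpSplitFast(re, str) {
  const splitter = makeSplitter(re);
  if (str.length === 0) {
    splitter.lastIndex = 0;
    return splitter.exec(str) === null ? [str] : [];
  }
  const results = [];
  let dryRunDone = false;
  const trailingStart = walkSplit(splitter, str, 0, (start, end, matchEnd, captures) => {
    results.push(str.slice(start, end), ...captures);
    if (!dryRunDone && results.length >= DRY_RUN_THRESHOLD) {
      dryRunDone = true;
      // Dry run from the current match end: count only, allocate nothing.
      let total = results.length + 1; // +1 for the trailing piece
      const aborted = walkSplit(splitter, str, matchEnd, (_s, _e, _m, caps) => {
        total += 1 + caps.length;
        return total <= MAX_RESULTS;
      });
      if (aborted === -1 || total > MAX_RESULTS)
        throw new RangeError("split result would exceed " + MAX_RESULTS + " elements");
    }
  });
  results.push(str.slice(trailingStart));
  return results;
}
```

For ordinary inputs the output matches String.prototype.split with a regexp separator; for an input such as a string of 30000 commas the counting pass stops as soon as the projected total passes MAX_RESULTS, so only the first DRY_RUN_THRESHOLD substrings were ever allocated.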
2344
2345 2016-05-26  Gavin & Ellie Barraclough  <barraclough@apple.com>
2346
2347         Static table property lookup should not require getOwnPropertySlot override.
2348         https://bugs.webkit.org/show_bug.cgi?id=158059
2349
2350         Reviewed by Darin Adler.
2351
2352         Currently JSObject does not handle property lookup of entries in the static
2353         table. Each subclass with static properties must override getOwnPropertySlot,
2354         and explicitly call the lookup functions. This has the following drawbacks:
2355
2356         - Performance: for any class with static properties, property access becomes
2357           virtual (via method table).
2358         - Poor encapsulation: implementation detail of static property access is
2359           spread throughout & cross projects, rather than being contained in JSObject.
2360         - Code size: this results in a great many additional functions.
2361         - Inconsistency: static table presence has to be taken into account in many
2362           other operations, e.g. presence of read-only properties for put.
2363         - Memory: in order to avoid the virtual lookup, DOM prototypes eagerly reify
2364           all properties. This is likely suboptimal.
2365
2366         Instead, JSObject::getPropertySlot / JSObject::getOwnPropertySlot should be
2367         able to handle static properties.
2368
2369         This is actually a fairly small & simple change.
2370
2371         The common pattern is for subclasses of JSObject to override getOwnPropertySlot
2372         to first defer to JSObject for property storage lookup, and only if this fails
2373         consult the static table. They just want the static tables to be consulted after
2374         regular property storage lookup. So just add a fast flag in TypeInfo for JSObject
2375         to check, and where it is set, do so. Then it's just a question of switching
2376         classes over to start setting this flag, and drop the override.
2377
2378         The new mechanism does change static table lookup order from oldest-ancestor
2379         first to most-derived first. The new ordering makes more sense (means derived
2380         class static tables can now override entries from parents), and shouldn't affect
2381         any existing code (since overriding didn't previously work, there likely aren't
2382         shadowing properties in more derived types).
2383
2384         This patch changes all classes in JavaScriptCore over to using the new mechanism,
2385         except JSGlobalObject. I'll move classes in WebCore over as a separate patch
2386         (this is also why I've not moved JSGlobalObject in this patch - doing so would
2387         move JSDOMWindow, and I'd rather handle that separately).
2388
2389         * runtime/JSTypeInfo.h:
2390         (JSC::TypeInfo::hasStaticPropertyTable):
2391             - Add HasStaticPropertyTable flag.
2392         * runtime/Lookup.cpp:
2393         (JSC::setUpStaticFunctionSlot):
2394             - Change setUpStaticFunctionSlot to take a VM&.
2395         * runtime/Lookup.h:
2396         (JSC::getStaticPropertySlotFromTable):
2397             - Added helper function to perform static lookup alone.
2398         (JSC::getStaticPropertySlot):
2399         (JSC::getStaticFunctionSlot):
2400             - setUpStaticFunctionSlot changed to take a VM&.
2401         * runtime/JSObject.cpp:
2402         (JSC::JSObject::getOwnStaticPropertySlot):
2403             - Added, walks ClassInfo chain looking for static properties.
2404         * runtime/JSObject.h:
2405         (JSC::JSObject::getOwnNonIndexPropertySlot):
2406             - getOwnNonIndexPropertySlot is used internally by getPropertySlot
2407               & getOwnPropertySlot. If property is not present in storage array
2408               then check the static table.
2409         * runtime/ArrayConstructor.cpp:
2410         (JSC::ArrayConstructor::finishCreation):
2411         (JSC::constructArrayWithSizeQuirk):
2412         (JSC::ArrayConstructor::getOwnPropertySlot): Deleted.
2413         * runtime/ArrayConstructor.h:
2414         (JSC::ArrayConstructor::create):
2415         * runtime/ArrayIteratorPrototype.cpp:
2416         (JSC::ArrayIteratorPrototype::finishCreation):
2417         (JSC::ArrayIteratorPrototype::getOwnPropertySlot): Deleted.
2418         * runtime/ArrayIteratorPrototype.h:
2419         (JSC::ArrayIteratorPrototype::create):
2420         (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype):
2421         * runtime/BooleanPrototype.cpp:
2422         (JSC::BooleanPrototype::finishCreation):
2423         (JSC::booleanProtoFuncToString):
2424         (JSC::BooleanPrototype::getOwnPropertySlot): Deleted.
2425         * runtime/BooleanPrototype.h:
2426         (JSC::BooleanPrototype::create):
2427         * runtime/DateConstructor.cpp:
2428         (JSC::DateConstructor::finishCreation):
2429         (JSC::millisecondsFromComponents):
2430         (JSC::DateConstructor::getOwnPropertySlot): Deleted.
2431         * runtime/DateConstructor.h:
2432         (JSC::DateConstructor::create):
2433         * runtime/DatePrototype.cpp:
2434         (JSC::DatePrototype::finishCreation):
2435         (JSC::dateProtoFuncToString):
2436         (JSC::DatePrototype::getOwnPropertySlot): Deleted.
2437         * runtime/DatePrototype.h:
2438         (JSC::DatePrototype::create):
2439         * runtime/ErrorPrototype.cpp:
2440         (JSC::ErrorPrototype::finishCreation):
2441         (JSC::ErrorPrototype::getOwnPropertySlot): Deleted.
2442         * runtime/ErrorPrototype.h:
2443         (JSC::ErrorPrototype::create):
2444         * runtime/GeneratorPrototype.cpp:
2445         (JSC::GeneratorPrototype::finishCreation):
2446         (JSC::GeneratorPrototype::getOwnPropertySlot): Deleted.
2447         * runtime/GeneratorPrototype.h:
2448         (JSC::GeneratorPrototype::create):
2449         (JSC::GeneratorPrototype::createStructure):
2450         (JSC::GeneratorPrototype::GeneratorPrototype):
2451         * runtime/InspectorInstrumentationObject.cpp:
2452         (JSC::InspectorInstrumentationObject::finishCreation):
2453         (JSC::InspectorInstrumentationObject::isEnabled):
2454         (JSC::InspectorInstrumentationObject::getOwnPropertySlot): Deleted.
2455         * runtime/InspectorInstrumentationObject.h:
2456         (JSC::InspectorInstrumentationObject::create):
2457         (JSC::InspectorInstrumentationObject::createStructure):
2458         * runtime/IntlCollatorConstructor.cpp:
2459         (JSC::IntlCollatorConstructor::getCallData):
2460         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
2461         (JSC::IntlCollatorConstructor::getOwnPropertySlot): Deleted.
2462         * runtime/IntlCollatorConstructor.h:
2463         * runtime/IntlCollatorPrototype.cpp:
2464         (JSC::IntlCollatorPrototype::finishCreation):
2465         (JSC::IntlCollatorFuncCompare):
2466         (JSC::IntlCollatorPrototype::getOwnPropertySlot): Deleted.
2467         * runtime/IntlCollatorPrototype.h:
2468         * runtime/IntlDateTimeFormatConstructor.cpp:
2469         (JSC::IntlDateTimeFormatConstructor::getCallData):
2470         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
2471         (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot): Deleted.
2472         * runtime/IntlDateTimeFormatConstructor.h:
2473         * runtime/IntlDateTimeFormatPrototype.cpp:
2474         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2475         (JSC::IntlDateTimeFormatFuncFormatDateTime):
2476         (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot): Deleted.
2477         * runtime/IntlDateTimeFormatPrototype.h:
2478         * runtime/IntlNumberFormatConstructor.cpp:
2479         (JSC::IntlNumberFormatConstructor::getCallData):
2480         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
2481         (JSC::IntlNumberFormatConstructor::getOwnPropertySlot): Deleted.
2482         * runtime/IntlNumberFormatConstructor.h:
2483         * runtime/IntlNumberFormatPrototype.cpp:
2484         (JSC::IntlNumberFormatPrototype::finishCreation):
2485         (JSC::IntlNumberFormatFuncFormatNumber):
2486         (JSC::IntlNumberFormatPrototype::getOwnPropertySlot): Deleted.
2487         * runtime/IntlNumberFormatPrototype.h:
2488         * runtime/JSDataViewPrototype.cpp:
2489         (JSC::JSDataViewPrototype::createStructure):
2490         (JSC::getData):
2491         (JSC::JSDataViewPrototype::getOwnPropertySlot): Deleted.
2492         * runtime/JSDataViewPrototype.h:
2493         * runtime/JSInternalPromiseConstructor.cpp:
2494         (JSC::JSInternalPromiseConstructor::getCallData):
2495         (JSC::JSInternalPromiseConstructor::getOwnPropertySlot): Deleted.
2496         * runtime/JSInternalPromiseConstructor.h:
2497         * runtime/JSONObject.cpp:
2498         (JSC::Walker::Walker):
2499         (JSC::JSONObject::getOwnPropertySlot): Deleted.
2500         * runtime/JSONObject.h:
2501         (JSC::JSONObject::create):
2502         * runtime/JSPromiseConstructor.cpp:
2503         (JSC::JSPromiseConstructor::getCallData):
2504         (JSC::JSPromiseConstructor::getOwnPropertySlot): Deleted.
2505         * runtime/JSPromiseConstructor.h:
2506         * runtime/JSPromisePrototype.cpp:
2507         (JSC::JSPromisePrototype::addOwnInternalSlots):
2508         (JSC::JSPromisePrototype::getOwnPropertySlot): Deleted.
2509         * runtime/JSPromisePrototype.h:
2510         * runtime/MapPrototype.cpp:
2511         (JSC::MapPrototype::finishCreation):
2512         (JSC::getMap):
2513         (JSC::MapPrototype::getOwnPropertySlot): Deleted.
2514         * runtime/MapPrototype.h:
2515         (JSC::MapPrototype::create):
2516         (JSC::MapPrototype::MapPrototype):
2517         * runtime/ModuleLoaderObject.cpp:
2518         (JSC::ModuleLoaderObject::finishCreation):
2519         (JSC::printableModuleKey):
2520         (JSC::ModuleLoaderObject::getOwnPropertySlot): Deleted.
2521         * runtime/ModuleLoaderObject.h:
2522         * runtime/NumberPrototype.cpp:
2523         (JSC::NumberPrototype::finishCreation):
2524         (JSC::toThisNumber):
2525         (JSC::NumberPrototype::getOwnPropertySlot): Deleted.
2526         * runtime/NumberPrototype.h:
2527         (JSC::NumberPrototype::create):
2528         * runtime/ObjectConstructor.cpp:
2529         (JSC::ObjectConstructor::addDefineProperty):
2530         (JSC::constructObject):
2531         (JSC::ObjectConstructor::getOwnPropertySlot): Deleted.
2532         * runtime/ObjectConstructor.h:
2533         (JSC::ObjectConstructor::create):
2534         (JSC::ObjectConstructor::createStructure):
2535         * runtime/ReflectObject.cpp:
2536         (JSC::ReflectObject::finishCreation):
2537         (JSC::ReflectObject::getOwnPropertySlot): Deleted.
2538         * runtime/ReflectObject.h:
2539         (JSC::ReflectObject::create):
2540         (JSC::ReflectObject::createStructure):
2541         * runtime/RegExpConstructor.cpp:
2542         (JSC::RegExpConstructor::getRightContext):
2543         (JSC::regExpConstructorDollar):
2544         (JSC::RegExpConstructor::getOwnPropertySlot): Deleted.
2545         * runtime/RegExpConstructor.h:
2546         (JSC::RegExpConstructor::create):
2547         (JSC::RegExpConstructor::createStructure):
2548         * runtime/SetPrototype.cpp:
2549         (JSC::SetPrototype::finishCreation):
2550         (JSC::getSet):
2551         (JSC::SetPrototype::getOwnPropertySlot): Deleted.
2552         * runtime/SetPrototype.h:
2553         (JSC::SetPrototype::create):
2554         (JSC::SetPrototype::SetPrototype):
2555         * runtime/StringConstructor.cpp:
2556         (JSC::StringConstructor::finishCreation):
2557         (JSC::stringFromCharCodeSlowCase):
2558         (JSC::StringConstructor::getOwnPropertySlot): Deleted.
2559         * runtime/StringConstructor.h:
2560         (JSC::StringConstructor::create):
2561         * runtime/StringIteratorPrototype.cpp:
2562         (JSC::StringIteratorPrototype::finishCreation):
2563         (JSC::StringIteratorPrototype::getOwnPropertySlot): Deleted.
2564         * runtime/StringIteratorPrototype.h:
2565         (JSC::StringIteratorPrototype::create):
2566         (JSC::StringIteratorPrototype::StringIteratorPrototype):
2567         * runtime/StringPrototype.cpp:
2568         (JSC::StringPrototype::create):
2569         (JSC::substituteBackreferencesSlow):
2570         (JSC::StringPrototype::getOwnPropertySlot): Deleted.
2571         * runtime/StringPrototype.h:
2572         * runtime/SymbolConstructor.cpp:
2573         (JSC::SymbolConstructor::finishCreation):
2574         (JSC::callSymbol):
2575         (JSC::SymbolConstructor::getOwnPropertySlot): Deleted.
2576         * runtime/SymbolConstructor.h:
2577         (JSC::SymbolConstructor::create):
2578         * runtime/SymbolPrototype.cpp:
2579         (JSC::SymbolPrototype::finishCreation):
2580         (JSC::SymbolPrototype::getOwnPropertySlot): Deleted.
2581         * runtime/SymbolPrototype.h:
2582         (JSC::SymbolPrototype::create):
2583             - remove getOwnPropertySlot, replace OverridesGetOwnPropertySlot flag with HasStaticPropertyTable.
2584
2585 2016-05-26  Commit Queue  <commit-queue@webkit.org>
2586
2587         Unreviewed, rolling out r201436.
2588         https://bugs.webkit.org/show_bug.cgi?id=158143
2589
2590         Caused 30% regression on Dromaeo DOM core tests (Requested by
2591         rniwa on #webkit).
2592
2593         Reverted changeset:
2594
2595         "REGRESSION: JSBench spends a lot of time transitioning
2596         to/from dictionary"
2597         https://bugs.webkit.org/show_bug.cgi?id=158045
2598         http://trac.webkit.org/changeset/201436
2599
2600 2016-05-26  Geoffrey Garen  <ggaren@apple.com>
2601
2602         REGRESSION: JSBench spends a lot of time transitioning to/from dictionary
2603         https://bugs.webkit.org/show_bug.cgi?id=158045
2604
2605         Reviewed by Saam Barati.
2606
2607         15% speedup on jsbench-amazon-firefox, possibly 5% speedup overall on jsbench.
2608
2609         This regression seems to have two parts:
2610
2611         (1) Transitioning the window object to/from dictionary is more expensive
2612         than it used to be because the window object has lots more properties.
2613         The window object has more properties because, for WebIDL compatibility,
2614         we reify DOM APIs as properties when you delete.
2615
2616         (2) DOM prototypes transition to/from dictionary upon creation
2617         because, once again for WebIDL compatibility, we reify their static
2618         APIs eagerly.
2619
2620         The solution is to chill out a bit on dictionary transitions.
2621
2622         * bytecode/ObjectPropertyConditionSet.cpp: Don't flatten a dictionary
2623         if we've already done so before. This avoids pathological churn, and it
2624         is our idiom in other places.
2625
2626         * interpreter/Interpreter.cpp:
2627         (JSC::Interpreter::execute): Do flatten the global object unconditionally
2628         if it is an uncacheable dictionary because the global object is super
2629         important.
2630
2631         * runtime/BatchedTransitionOptimizer.h:
2632         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
2633         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): Deleted.
2634         Don't transition away from dictionary after a batched set of property
2635         puts because normal dictionaries are cacheable and that's a perfectly
2636         fine state to be in -- and the transition is expensive.
2637
2638         * runtime/JSGlobalObject.cpp:
2639         (JSC::JSGlobalObject::init): Do start the global object out as a cacheable
2640         dictionary because it will inevitably have enough properties to become
2641         a dictionary.
2642
2643         * runtime/Operations.h:
2644         (JSC::normalizePrototypeChain): Same as ObjectPropertyConditionSet.cpp.
2645
2646 2016-05-25  Geoffrey Garen  <ggaren@apple.com>
2647
2648         replaceable own properties seem to ignore replacement after property caching
2649         https://bugs.webkit.org/show_bug.cgi?id=158091
2650
2651         Reviewed by Darin Adler.
2652
2653         * runtime/Lookup.h:
2654         (JSC::replaceStaticPropertySlot): New helper function for replacing a
2655         static property with a direct property. We need to do an attribute changed
2656         transition because client code might have cached our static property.
2657
2658 2016-05-25  Benjamin Poulain  <benjamin@webkit.org>
2659
2660         [JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr
2661         https://bugs.webkit.org/show_bug.cgi?id=158011
2662         rdar://problem/25946592
2663
2664         Reviewed by Saam Barati.
2665
2666         When generating the meta-data required for compilation,
2667         Yarr uses a recursive function over the various expressions in the pattern.
2668
2669         If you have many nested expressions, you can run out of stack
2670         and crash the WebProcess.
2671         This patch changes that into a soft failure. The expression is just
2672         considered invalid.
2673
2674         * runtime/RegExp.cpp:
2675         (JSC::RegExp::finishCreation):
2676         (JSC::RegExp::compile):
2677         (JSC::RegExp::compileMatchOnly):
2678         * yarr/YarrPattern.cpp:
2679         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
2680         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
2681         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2682         (JSC::Yarr::YarrPattern::compile):
2683         (JSC::Yarr::YarrPattern::YarrPattern):
2684         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets): Deleted.
2685         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): Deleted.
2686         * yarr/YarrPattern.h:
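
The failure mode described in this entry, recursion over nested expressions running off the native stack, and the fix of turning it into a soft failure, is illustrated by the following added example. This is not Yarr's code and not part of the original ChangeLog: it is a toy parser for nested parenthesised groups whose recursion is guarded by a depth check, so a pathologically nested input is reported as an invalid pattern instead of crashing the process. The names `toy::GroupParser`, `parseGroups`, `nestedPattern` and the constant `kMaxNestingDepth` are all constructed for the example; Yarr's real `isSafeToRecurse()` compares against the VM's stack bounds, and the fixed depth limit here is a simplification of that check.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Added example (not Yarr's code): a toy recursive parser for nested
// parenthesised groups, the kind of structure Yarr walks recursively.
// A depth guard turns "too deep" into a soft failure (pattern rejected)
// instead of letting the recursion exhaust the native stack.
// Yarr's real guard compares the stack pointer against the VM's stack
// limit; the fixed depth limit here is a simplification for the example.
namespace toy {

// Hypothetical limit chosen for the example; Yarr uses a stack-bounds check.
constexpr std::size_t kMaxNestingDepth = 256;

struct ParseResult {
    bool ok;             // false: pattern is treated as invalid (soft failure)
    bool tooDeep;        // true when the depth guard fired
    std::size_t groups;  // number of '(' ... ')' groups parsed when ok
};

class GroupParser {
public:
    explicit GroupParser(const std::string& pattern) : m_pattern(pattern) {}

    ParseResult parse()
    {
        m_pos = 0;
        m_groups = 0;
        m_tooDeep = false;
        bool ok = parseSequence(0);
        // A leftover ')' at top level means the groups were unbalanced.
        if (!ok || m_pos != m_pattern.size())
            return { false, m_tooDeep, 0 };
        return { true, false, m_groups };
    }

private:
    // Mirrors the intent of YarrPatternConstructor::isSafeToRecurse(): decide
    // before recursing whether another frame is affordable.
    bool isSafeToRecurse(std::size_t depth) const { return depth < kMaxNestingDepth; }

    // Parses atoms until an unmatched ')' or end of input.
    // Returns false on a syntax error or when the depth guard fires.
    bool parseSequence(std::size_t depth)
    {
        if (!isSafeToRecurse(depth)) {
            m_tooDeep = true;
            return false;
        }
        while (m_pos < m_pattern.size()) {
            char c = m_pattern[m_pos];
            if (c == ')')
                return true; // the caller consumes the closing paren
            if (c == '(') {
                ++m_pos;
                ++m_groups;
                if (!parseSequence(depth + 1))
                    return false;
                if (m_pos >= m_pattern.size() || m_pattern[m_pos] != ')')
                    return false; // missing closing paren
                ++m_pos;
                continue;
            }
            ++m_pos; // literal character
        }
        return true;
    }

    const std::string& m_pattern;
    std::size_t m_pos = 0;
    std::size_t m_groups = 0;
    bool m_tooDeep = false;
};

ParseResult parseGroups(const std::string& pattern)
{
    GroupParser parser(pattern);
    return parser.parse();
}

// Builds a constructed pattern with `levels` nested groups: "(((a)))" for 3.
std::string nestedPattern(std::size_t levels)
{
    return std::string(levels, '(') + "a" + std::string(levels, ')');
}

} // namespace toy

int main()
{
    toy::ParseResult shallow = toy::parseGroups("a(b(c))d");
    toy::ParseResult deep = toy::parseGroups(toy::nestedPattern(100000));
    std::printf("shallow: ok=%d groups=%zu\n", shallow.ok, shallow.groups);
    std::printf("deep: ok=%d tooDeep=%d\n", deep.ok, deep.tooDeep);
    return 0;
}
```

The point to take from the example is where the check sits: it runs before each recursive call, not after the damage is done, and the failure is reported through the normal "invalid pattern" path the caller already handles, which is what lets a web process keep running when it is handed a hostile pattern.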
2687
2688 2016-05-25  Alex Christensen  <achristensen@webkit.org>
2689
2690         Fix Win64 build after r201335
2691         https://bugs.webkit.org/show_bug.cgi?id=158078
2692
2693         Reviewed by Mark Lam.
2694
2695         * offlineasm/x86.rb:
2696         Add intel implementations for loadbs and loadhs
2697
2698 2016-05-25  Carlos Garcia Campos  <cgarcia@igalia.com>
2699
2700         REGRESSION(r201066): [GTK] Several intl tests started to fail in GTK+ bot after r201066
2701         https://bugs.webkit.org/show_bug.cgi?id=158066
2702
2703         Reviewed by Darin Adler.
2704
2705         run-javascriptcore-tests does $ENV{LANG}="en_US.UTF-8"; but we are not actually honoring the environment
2706         variables at all when using jsc binary. We are using setlocale() with a nullptr locale to get the current one, but
2707         the current one is always "C", because to set the locale according to the environment variables we need to call
2708         setlocale with an empty string as locale. That's done by gtk_init(), which is called by all our binaries (web
2709         process, network process, etc.), but not by jsc (because jsc doesn't depend on GTK+). The reason why it has
2710         always worked for EFL is because they call ecore_init() in jsc that calls setlocale.
2711
2712         * jsc.cpp:
2713         (main): Call setlocale(LC_ALL, "") on GTK+.
2714
2715 2016-05-25  Csaba Osztrogonác  <ossy@webkit.org>
2716
2717         [ARM] Fix the Wcast-align warning in LinkBuffer.cpp
2718         https://bugs.webkit.org/show_bug.cgi?id=157889
2719
2720         Reviewed by Darin Adler.
2721
2722         * assembler/LinkBuffer.cpp:
2723         (JSC::recordLinkOffsets):
2724
2725 2016-05-24  Keith Miller  <keith_miller@apple.com>
2726
2727         TypedArray.prototype.slice should not throw if no arguments are provided
2728         https://bugs.webkit.org/show_bug.cgi?id=158044
2729         <rdar://problem/26433280>
2730
2731         Reviewed by Geoffrey Garen.
2732
2733         We were throwing an exception if the TypedArray.prototype.slice function
2734         was not provided arguments. This was wrong. Instead we should just assume
2735         the first argument was 0.
2736
2737         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2738         (JSC::genericTypedArrayViewProtoFuncSlice): Deleted.
2739         * tests/stress/typedarray-slice.js:
2740
2741 2016-05-24  Keith Miller  <keith_miller@apple.com>
2742
2743         LLInt should be able to cache prototype loads for values in GetById
2744         https://bugs.webkit.org/show_bug.cgi?id=158032
2745
2746         Reviewed by Filip Pizlo.
2747
2748         This patch adds prototype value caching to the LLInt for op_get_by_id.
2749         Two previously unused words in the op_get_by_id bytecode have been
2750         repurposed to hold extra information for the cache. The first is a
2751         counter that records the number of get_by_ids that hit a cacheable value
2752         on a prototype. When the counter is decremented from one to zero we
2753         attempt to cache the prototype load, which will be discussed further
2754         below. The second word is used to hold the prototype object when we have
2755         started caching.
2756
2757         When the counter is decremented to zero we first attempt to generate and
2758         watch the property conditions needed to ensure the validity of prototype
2759         load. If the watchpoints are successfully created and installed we
2760         replace the op_get_by_id opcode with the new op_get_by_id_proto_load
2761         opcode, which tells the LLInt to use the cached prototype object for the
2762         load rather than the base value.
2763
2764         Prior to this patch there was no LLInt-specific data on CodeBlocks.
2765         Since the CodeBlock needs to own the Watchpoints for the cache, a weak
2766         map from each base structure to a bag of Watchpoints created for that
2767         structure by some op_get_by_id has been added to the CodeBlock. During
2768         GC, if we find that a structure in the map has not been marked we
2769         free the associated bag on the CodeBlock.
2770
2771         * JavaScriptCore.xcodeproj/project.pbxproj:
2772         * bytecode/BytecodeList.json:
2773         * bytecode/BytecodeUseDef.h:
2774         (JSC::computeUsesForBytecodeOffset):
2775         (JSC::computeDefsForBytecodeOffset):
2776         * bytecode/CodeBlock.cpp:
2777         (JSC::CodeBlock::printGetByIdOp):
2778         (JSC::CodeBlock::printGetByIdCacheStatus):
2779         (JSC::CodeBlock::dumpBytecode):
2780         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2781         * bytecode/CodeBlock.h:
2782         (JSC::CodeBlock::llintGetByIdWatchpointMap):
2783         (JSC::clearLLIntGetByIdCache):
2784         * bytecode/GetByIdStatus.cpp:
2785         (JSC::GetByIdStatus::computeFromLLInt):
2786         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Added.
2787         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
2788         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
2789         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2790         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Added.
2791         * bytecode/ObjectPropertyConditionSet.cpp:
2792         (JSC::ObjectPropertyConditionSet::isValidAndWatchable):
2793         * bytecode/ObjectPropertyConditionSet.h:
2794         * bytecompiler/BytecodeGenerator.cpp:
2795         (JSC::BytecodeGenerator::emitGetById):
2796         * dfg/DFGByteCodeParser.cpp:
2797         (JSC::DFG::ByteCodeParser::parseBlock):
2798         * dfg/DFGCapabilities.cpp:
2799         (JSC::DFG::capabilityLevel):
2800         * jit/JIT.cpp:
2801         (JSC::JIT::privateCompileMainPass):
2802         (JSC::JIT::privateCompileSlowCases):
2803         * llint/LLIntSlowPaths.cpp:
2804         (JSC::LLInt::setupGetByIdPrototypeCache):
2805         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2806         * llint/LLIntSlowPaths.h:
2807         * llint/LowLevelInterpreter32_64.asm:
2808         * llint/LowLevelInterpreter64.asm:
2809         * runtime/Options.h:
2810         * tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js: Added.
2811         (test):
2812
2813 2016-05-24  Keith Miller  <keith_miller@apple.com>
2814
2815         We should be able to use the sampling profiler with DRT/WTR.
2816         https://bugs.webkit.org/show_bug.cgi?id=158041
2817
2818         Reviewed by Saam Barati.
2819
2820         This patch makes the sampling profiler use a new option, samplingProfilerPath, which
2821         specifies the path to a directory to output sampling profiler data when the program
2822         terminates or the VM is destroyed. Additionally, it fixes some other issues with the
2823         bytecode profiler that would cause crashes on debug builds.
2824
2825         * profiler/ProfilerDatabase.cpp:
2826         (JSC::Profiler::Database::ensureBytecodesFor):
2827         (JSC::Profiler::Database::performAtExitSave):
2828         * runtime/Options.h:
2829         * runtime/SamplingProfiler.cpp:
2830         (JSC::SamplingProfiler::registerForReportAtExit):
2831         (JSC::SamplingProfiler::reportDataToOptionFile):
2832         (JSC::SamplingProfiler::reportTopFunctions):
2833         (JSC::SamplingProfiler::reportTopBytecodes):
2834         * runtime/SamplingProfiler.h:
2835         * runtime/VM.cpp:
2836         (JSC::VM::VM):
2837         (JSC::VM::~VM):
2838
2839 2016-05-24  Saam barati  <sbarati@apple.com>
2840
2841         We can cache lookups to JSScope::abstractResolve inside CodeBlock::finishCreation
2842         https://bugs.webkit.org/show_bug.cgi?id=158036
2843
2844         Reviewed by Geoffrey Garen.
2845
2846         This patch implements a 1 item cache for JSScope::abstractResolve. I also tried
2847         implementing the cache as a HashMap, but it seemed either less profitable on some
2848         benchmarks or just as profitable on others. Therefore, it's cleaner to just
2849         use a 1 item cache.
2850
2851         * bytecode/CodeBlock.cpp:
2852         (JSC::CodeBlock::CodeBlock):
2853         (JSC::AbstractResolveKey::AbstractResolveKey):
2854         (JSC::AbstractResolveKey::operator==):
2855         (JSC::AbstractResolveKey::isEmptyValue):
2856         (JSC::CodeBlock::finishCreation):
2857         * runtime/GetPutInfo.h:
2858         (JSC::needsVarInjectionChecks):
2859         (JSC::ResolveOp::ResolveOp):
2860
2861 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
2862
2863         Unreviewed, add a comment to describe the test's failure mode. Suggested by mlam.
2864
2865         * tests/stress/override-map-constructor.js:
2866         (Map):
2867
2868 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
2869
2870         Map should not be in JSGlobalObject's static hashtable because it's initialized eagerly via FOR_EACH_SIMPLE_BUILTIN_TYPE_WITH_CONSTRUCTOR
2871         https://bugs.webkit.org/show_bug.cgi?id=158031
2872         rdar://problem/26353661
2873
2874         Reviewed by Geoffrey Garen.
2875         
2876         We were listing Map as being a lazy class structure. It's not. m_mapStructure is a WriteBarrier<>
2877         not a LazyClassStructure<> and there is nothing lazy about it.
2878
2879         * runtime/JSGlobalObject.cpp: The fix is to remove Map here.
2880         * runtime/Lookup.cpp: Add some dumping on the assert path.
2881         (JSC::setUpStaticFunctionSlot):
2882         * tests/stress/override-map-constructor.js: Added. This test used to crash.
2883         (Map):
2884
2885 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
2886
2887         LLInt64 should have typed array fast paths for get_by_val
2888         https://bugs.webkit.org/show_bug.cgi?id=157931
2889
2890         Reviewed by Keith Miller.
2891
2892         I think that the LLInt should be able to access typed arrays more quickly than it does now.
2893         Ideally we would have fast paths for every major typed array operation and we would use
2894         inline cache optimizations. I don't want to do this all in one go, so my plan is to
2895         incrementally add support for this as time allows.
2896         
2897         This change just adds the easy typed array fast paths for get_by_val in the 64-bit version
2898         of LLInt.
2899         
2900         Another bug, https://bugs.webkit.org/show_bug.cgi?id=157922, tracks the overall task of
2901         adding all typed array fast paths to both versions of the LLInt.
2902         
2903         This is a 30% speed-up on typed array benchmarks in LLInt. This is not a speed-up when the
2904         JITs are enabled.
2905
2906         * llint/LLIntData.cpp:
2907         (JSC::LLInt::Data::performAssertions):
2908         * llint/LLIntOffsetsExtractor.cpp:
2909         * llint/LowLevelInterpreter.asm:
2910         * llint/LowLevelInterpreter64.asm:
2911         * offlineasm/backends.rb:
2912         * runtime/JSArrayBufferView.h:
2913         * runtime/JSType.h:
2914
2915 2016-05-24  Saam barati  <sbarati@apple.com> and Yusuke Suzuki <utatane.tea@gmail.com>
2916
2917         ThisTDZMode is no longer needed
2918         https://bugs.webkit.org/show_bug.cgi?id=157209
2919
2920         Reviewed by Saam Barati.
2921
2922         ThisTDZMode is no longer needed because we have ConstructorKind
2923         and DerivedContextType. The value of ThisTDZMode is strictly less
2924         expressive than the combination of those two values. We were
2925         using those values anyways, and this patch just makes it official
2926         by removing ThisTDZMode.
2927
2928         This patch also cleans up caching keys. We extract SourceCodeFlags
2929         from SourceCodeKey and use it in EvalCodeCache. It correctly
2930         contains needed cache attributes: EvalContextType, DerivedContextType,
2931         etc. Here, we still use specialized keys for EvalCodeCache instead
2932         of SourceCodeKey for performance; it does not include name String and
2933         does not allocate SourceCode.
2934
2935         * bytecode/EvalCodeCache.h:
2936         (JSC::EvalCodeCache::CacheKey::CacheKey):
2937         (JSC::EvalCodeCache::CacheKey::operator==):
2938         (JSC::EvalCodeCache::CacheKey::Hash::equal):
2939         (JSC::EvalCodeCache::tryGet):
2940         (JSC::EvalCodeCache::getSlow):
2941         * bytecompiler/NodesCodegen.cpp:
2942         (JSC::ThisNode::emitBytecode): Deleted.
2943         * debugger/DebuggerCallFrame.cpp:
2944         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2945         * interpreter/Interpreter.cpp:
2946         (JSC::eval):
2947         * parser/ASTBuilder.h:
2948         (JSC::ASTBuilder::createThisExpr):
2949         * parser/NodeConstructors.h:
2950         (JSC::ThisNode::ThisNode):
2951         * parser/Nodes.h:
2952         * parser/Parser.cpp:
2953         (JSC::Parser<LexerType>::Parser):
2954         (JSC::Parser<LexerType>::parsePrimaryExpression):
2955         * parser/Parser.h:
2956         (JSC::parse):
2957         * parser/ParserModes.h:
2958         * parser/SourceCodeKey.h:
2959         (JSC::SourceCodeFlags::SourceCodeFlags):
2960         (JSC::SourceCodeFlags::operator==):
2961         (JSC::SourceCodeKey::SourceCodeKey):
2962         (JSC::SourceCodeKey::Hash::hash):
2963         (JSC::SourceCodeKey::Hash::equal):
2964         (JSC::SourceCodeKey::HashTraits::isEmptyValue):
2965         (JSC::SourceCodeKeyHash::hash): Deleted.
2966         (JSC::SourceCodeKeyHash::equal): Deleted.
2967         (JSC::SourceCodeKeyHashTraits::isEmptyValue): Deleted.
2968         * parser/SyntaxChecker.h:
2969         (JSC::SyntaxChecker::createThisExpr):
2970         * runtime/CodeCache.cpp:
2971         (JSC::CodeCache::getGlobalCodeBlock):
2972         (JSC::CodeCache::getProgramCodeBlock):
2973         (JSC::CodeCache::getEvalCodeBlock):
2974         (JSC::CodeCache::getModuleProgramCodeBlock):
2975         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2976         * runtime/CodeCache.h:
2977         * runtime/Executable.cpp:
2978         (JSC::EvalExecutable::create):
2979         * runtime/Executable.h:
2980         * runtime/JSGlobalObject.cpp:
2981         (JSC::JSGlobalObject::createEvalCodeBlock):
2982         * runtime/JSGlobalObject.h:
2983         * runtime/JSGlobalObjectFunctions.cpp:
2984         (JSC::globalFuncEval):
2985         * tests/stress/code-cache-incorrect-caching.js: Added.
2986         (shouldBe):
2987         (hello):
2988         (catch):
2989         (shouldBe.test.hello):
2990         (globalEval.ok):
2991         (global.hello.hello):
2992
2993 2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2994
2995         Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
2996         https://bugs.webkit.org/show_bug.cgi?id=157080
2997
2998         Reviewed by Saam Barati.
2999
3000         In custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
3001         In this patch, we add a new parameter, "slotBase". This represents the base value offering
3002         this custom getter. And use it in ProxyObject's performGet custom accessor getter.
3003
3004         * API/JSCallbackObject.h:
3005         * API/JSCallbackObjectFunctions.h:
3006         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3007         (JSC::JSCallbackObject<Parent>::callbackGetter):
3008         * bytecode/PolymorphicAccess.cpp:
3009         (JSC::AccessCase::generateImpl):
3010         In PolymorphicAccess case, the thisValue and the slotBase are always cells.
3011         This is because IC is enabled in the case that the base value is a cell.
3012         And slotBase is always on the prototype chain from this base value.
3013
3014         * jit/CCallHelpers.h:
3015         (JSC::CCallHelpers::setupArgumentsWithExecState):
3016         * jsc.cpp:
3017         (WTF::CustomGetter::customGetter):
3018         (WTF::RuntimeArray::lengthGetter):
3019         * runtime/CustomGetterSetter.cpp:
3020         (JSC::callCustomSetter):
3021         * runtime/JSBoundSlotBaseFunction.cpp:
3022         (JSC::boundSlotBaseFunctionCall):
3023         * runtime/JSFunction.cpp:
3024         (JSC::JSFunction::argumentsGetter):
3025         (JSC::JSFunction::callerGetter):
3026         * runtime/JSFunction.h:
3027         * runtime/JSModuleNamespaceObject.cpp:
3028         (JSC::callbackGetter):
3029         * runtime/PropertySlot.cpp:
3030         (JSC::PropertySlot::customGetter):
3031         * runtime/PropertySlot.h:
3032         * runtime/ProxyObject.cpp:
3033         (JSC::performProxyGet):
3034         * runtime/RegExpConstructor.cpp:
3035         (JSC::regExpConstructorDollar):
3036         (JSC::regExpConstructorInput):
3037         (JSC::regExpConstructorMultiline):
3038         (JSC::regExpConstructorLastMatch):
3039         (JSC::regExpConstructorLastParen):
3040         (JSC::regExpConstructorLeftContext):
3041         (JSC::regExpConstructorRightContext):
3042         (JSC::regExpConstructorDollar1): Deleted.
3043         (JSC::regExpConstructorDollar2): Deleted.
3044         (JSC::regExpConstructorDollar3): Deleted.
3045         (JSC::regExpConstructorDollar4): Deleted.
3046         (JSC::regExpConstructorDollar5): Deleted.
3047         (JSC::regExpConstructorDollar6): Deleted.
3048         (JSC::regExpConstructorDollar7): Deleted.
3049         (JSC::regExpConstructorDollar8): Deleted.
3050         (JSC::regExpConstructorDollar9): Deleted.
3051         * tests/stress/proxy-get-with-primitive-receiver.js: Added.
3052         (shouldBe):
3053
3054 2016-05-23  Geoffrey Garen  <ggaren@apple.com>
3055
3056         REGRESSION (196374): deleting a global property is expensive
3057         https://bugs.webkit.org/show_bug.cgi?id=158005
3058
3059         Reviewed by Chris Dumez.
3060
3061         * runtime/JSObject.cpp:
3062         (JSC::JSObject::deleteProperty): We only need to reify static properties
3063         if the name being deleted matches a static property. Otherwise, we can
3064         be sure that delete won't observe any static properties.
3065
3066 2016-05-23  Saam barati  <sbarati@apple.com>
3067
3068         The baseline JIT crashes when compiling "(1,1)/1"
3069         https://bugs.webkit.org/show_bug.cgi?id=157933
3070
3071         Reviewed by Benjamin Poulain.
3072
3073         op_div in the baseline JIT needed to better handle when both the lhs
3074         and rhs are constants. It needs to make sure to load either the lhs or
3075         the rhs into a register since the div generator can't handle both
3076         the lhs and rhs being constants.
3077
3078         * jit/JITArithmetic.cpp:
3079         (JSC::JIT::emit_op_div):
3080         * tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
3081         (assert):
3082         (test):
3083
3084 2016-05-23  Saam barati  <sbarati@apple.com>
3085
3086         String templates don't handle let initialization properly inside eval
3087         https://bugs.webkit.org/show_bug.cgi?id=157991
3088
3089         Reviewed by Oliver Hunt.
3090
3091         The fix is to make sure we emit TDZ checks. 
3092
3093         * bytecompiler/NodesCodegen.cpp:
3094         (JSC::TaggedTemplateNode::emitBytecode):
3095         * tests/stress/tagged-template-tdz.js: Added.
3096         (shouldThrowTDZ):
3097         (test):
3098
3099 2016-05-22  Saam barati  <sbarati@apple.com>
3100
3101         Unreviewed. Fixed debug assertion failures from r201235.
3102
3103         * runtime/JSScope.cpp:
3104         (JSC::abstractAccess):
3105
3106 2016-05-22  Brady Eidson  <beidson@apple.com>
3107
3108         Attempted Yosemite build fix after http://trac.webkit.org/changeset/201255
3109
3110         Suggested by and reviewed by Anders Carlsson.
3111
3112         * b3/B3CCallValue.h: Initialize the effects member more conventionally.
3113
3114 2016-05-22  Brady Eidson  <beidson@apple.com>
3115
3116         Move to C++14.
3117         https://bugs.webkit.org/show_bug.cgi?id=157948
3118
3119         Reviewed by Michael Catanzaro.
3120
3121         * Configurations/Base.xcconfig:
3122
3123 2016-05-22  Saam barati  <sbarati@apple.com>
3124
3125         REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
3126         https://bugs.webkit.org/show_bug.cgi?id=157968
3127         <rdar://problem/26404735>
3128
3129         Reviewed by Ryosuke Niwa and Filip Pizlo.
3130
3131         There was a bug in the DFG where we were checking a condition
3132         on the wrong variable.
3133
3134         * dfg/DFGStrengthReductionPhase.cpp:
3135         (JSC::DFG::StrengthReductionPhase::handleNode):
3136
3137 2016-05-22  Chris Dumez  <cdumez@apple.com>
3138
3139         Remove uses of PassRefPtr in JS bindings code
3140         https://bugs.webkit.org/show_bug.cgi?id=157949
3141
3142         Reviewed by Andreas Kling.
3143
3144         Remove uses of PassRefPtr in JS bindings code.
3145
3146         * runtime/JSGlobalObject.cpp:
3147         (JSC::JSGlobalObject::queueMicrotask):
3148         * runtime/JSGlobalObject.h:
3149
3150 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
3151
3152         Remove LegacyProfiler
3153         https://bugs.webkit.org/show_bug.cgi?id=153565
3154
3155         Reviewed by Mark Lam.
3156
3157         JavaScriptCore now provides a sampling profiler and it is enabled
3158         by all ports. Web Inspector switched months ago to using the
3159         sampling profiler and displaying its data. Remove the legacy
3160         profiler, as it is no longer being used by anything other than
3161         console.profile and tests. We will update console.profile's
3162         behavior soon to have new behavior and use the sampling data.
3163
3164         * API/JSProfilerPrivate.cpp: Removed.
3165         * API/JSProfilerPrivate.h: Removed.
3166         * CMakeLists.txt:
3167         * JavaScriptCore.xcodeproj/project.pbxproj:
3168         * bytecode/BytecodeList.json:
3169         * bytecode/BytecodeUseDef.h:
3170         (JSC::computeUsesForBytecodeOffset): Deleted.
3171         (JSC::computeDefsForBytecodeOffset): Deleted.
3172         * bytecode/CodeBlock.cpp:
3173         (JSC::CodeBlock::dumpBytecode): Deleted.
3174         * bytecode/UnlinkedFunctionExecutable.cpp:
3175         (JSC::generateUnlinkedFunctionCodeBlock):
3176         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3177         * bytecode/UnlinkedFunctionExecutable.h:
3178         * bytecompiler/BytecodeGenerator.cpp:
3179         (JSC::BytecodeGenerator::BytecodeGenerator):
3180         (JSC::BytecodeGenerator::emitCall):
3181         (JSC::BytecodeGenerator::emitCallVarargs):
3182         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
3183         (JSC::BytecodeGenerator::emitConstructVarargs):
3184         (JSC::BytecodeGenerator::emitConstruct):
3185         * bytecompiler/BytecodeGenerator.h:
3186         (JSC::CallArguments::profileHookRegister): Deleted.
3187         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
3188         * bytecompiler/NodesCodegen.cpp:
3189         (JSC::CallFunctionCallDotNode::emitBytecode):
3190         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3191         (JSC::CallArguments::CallArguments): Deleted.
3192         * dfg/DFGAbstractInterpreterInlines.h:
3193         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
3194         * dfg/DFGByteCodeParser.cpp:
3195         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
3196         * dfg/DFGCapabilities.cpp:
3197         (JSC::DFG::capabilityLevel): Deleted.
3198         * dfg/DFGClobberize.h:
3199         (JSC::DFG::clobberize): Deleted.
3200         * dfg/DFGDoesGC.cpp:
3201         (JSC::DFG::doesGC): Deleted.
3202         * dfg/DFGFixupPhase.cpp:
3203         (JSC::DFG::FixupPhase::fixupNode): Deleted.
3204         * dfg/DFGNodeType.h:
3205         * dfg/DFGPredictionPropagationPhase.cpp:
3206         * dfg/DFGSafeToExecute.h:
3207         (JSC::DFG::safeToExecute): Deleted.
3208         * dfg/DFGSpeculativeJIT32_64.cpp:
3209         (JSC::DFG::SpeculativeJIT::compile): Deleted.
3210         * dfg/DFGSpeculativeJIT64.cpp:
3211         (JSC::DFG::SpeculativeJIT::compile): Deleted.
3212         * inspector/InjectedScriptBase.cpp:
3213         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
3214         * interpreter/Interpreter.cpp:
3215         (JSC::UnwindFunctor::operator()): Deleted.
3216         (JSC::Interpreter::execute): Deleted.
3217         (JSC::Interpreter::executeCall): Deleted.
3218         (JSC::Interpreter::executeConstruct): Deleted.
3219         * jit/JIT.cpp:
3220         (JSC::JIT::privateCompileMainPass): Deleted.
3221         * jit/JIT.h:
3222         * jit/JITOpcodes.cpp:
3223         (JSC::JIT::emit_op_profile_will_call): Deleted.
3224         (JSC::JIT::emit_op_profile_did_call): Deleted.
3225         * jit/JITOpcodes32_64.cpp:
3226         (JSC::JIT::emit_op_profile_will_call): Deleted.
3227         (JSC::JIT::emit_op_profile_did_call): Deleted.
3228         * jit/JITOperations.cpp:
3229         * jit/JITOperations.h:
3230         * llint/LLIntSlowPaths.cpp:
3231         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
3232         * llint/LLIntSlowPaths.h:
3233         * llint/LowLevelInterpreter.asm:
3234         * parser/ParserModes.h:
3235         * profiler/CallIdentifier.h: Removed.
3236         * profiler/LegacyProfiler.cpp: Removed.
3237         * profiler/LegacyProfiler.h: Removed.
3238         * profiler/Profile.cpp: Removed.
3239         * profiler/Profile.h: Removed.
3240         * profiler/ProfileGenerator.cpp: Removed.
3241         * profiler/ProfileGenerator.h: Removed.
3242         * profiler/ProfileNode.cpp: Removed.
3243         * profiler/ProfileNode.h: Removed.
3244         * profiler/ProfilerJettisonReason.cpp:
3245         (WTF::printInternal): Deleted.
3246         * profiler/ProfilerJettisonReason.h:
3247         * runtime/CodeCache.cpp:
3248         (JSC::CodeCache::getGlobalCodeBlock):
3249         (JSC::CodeCache::getProgramCodeBlock):
3250         (JSC::CodeCache::getEvalCodeBlock):
3251         (JSC::CodeCache::getModuleProgramCodeBlock):
3252         * runtime/CodeCache.h:
3253         * runtime/Executable.cpp:
3254         (JSC::ScriptExecutable::newCodeBlockFor):
3255         * runtime/JSGlobalObject.cpp:
3256         (JSC::JSGlobalObject::createProgramCodeBlock):
3257         (JSC::JSGlobalObject::createEvalCodeBlock):
3258         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
3259         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
3260         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
3261         * runtime/JSGlobalObject.h:
3262         * runtime/Options.h:
3263         * runtime/VM.cpp:
3264         (JSC::VM::VM): Deleted.
3265         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
3266         (JSC::VM::setEnabledProfiler): Deleted.
3267         * runtime/VM.h:
3268         (JSC::VM::enabledProfiler): Deleted.
3269         (JSC::VM::enabledProfilerAddress): Deleted.
3270
3271 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
3272
3273         Remove LegacyProfiler
3274         https://bugs.webkit.org/show_bug.cgi?id=153565
3275
3276         Reviewed by Saam Barati.
3277
3278         * inspector/protocol/Timeline.json:
3279         * jsc.cpp:
3280         * runtime/JSGlobalObject.cpp:
3281         (JSC::JSGlobalObject::hasLegacyProfiler):
3282         * runtime/JSGlobalObject.h:
3283         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
3284
3285 2016-05-20  Saam barati  <sbarati@apple.com>
3286
3287         JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference
3288         https://bugs.webkit.org/show_bug.cgi?id=157956
3289
3290         Reviewed by Geoffrey Garen.
3291
3292         A SymbolTableEntry may be a FatEntry. Copying a FatEntry is slow because we have to
3293         malloc memory for it, then free the malloced memory once the entry goes out of
3294         scope. abstractAccess uses a SymbolTableEntry temporarily when performing scope
3295         accesses during bytecode linking. It copies out the SymbolTableEntry every time
3296         it does a SymbolTable lookup. This is not cheap when the entry happens to be a
3297         FatEntry. We should really just be using a reference to the entry because
3298         there is no need to copy it in such a scenario.
3299
3300         * runtime/JSScope.cpp:
3301         (JSC::abstractAccess):
3302
3303 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
3304
3305         Web Inspector: retained size for typed arrays does not count native backing store
3306         https://bugs.webkit.org/show_bug.cgi?id=157945
3307         <rdar://problem/26392238>
3308
3309         Reviewed by Geoffrey Garen.
3310
3311         * runtime/JSArrayBuffer.h:
3312         * runtime/JSArrayBuffer.cpp:
3313         (JSC::JSArrayBuffer::estimatedSize):
3314         Include an estimatedSize implementation for JSArrayBuffer.
3315         ArrayBuffer has a unique path, different from other data
3316         stored in the Heap.
3317
3318         * tests/heapProfiler/typed-array-sizes.js: Added.
3319         Test sizes of TypedArray with and without an ArrayBuffer.
3320         When the TypedArray is a view wrapping an ArrayBuffer, the
3321         ArrayBuffer has the size.
3322
3323 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
3324
3325         reifyAllStaticProperties makes two copies of every string
3326         https://bugs.webkit.org/show_bug.cgi?id=157953
3327
3328         Reviewed by Mark Lam.
3329
3330         Let's not do that.
3331
3332         * runtime/JSObject.cpp:
3333         (JSC::JSObject::reifyAllStaticProperties): Pass our Identifier to
3334         reifyStaticProperty so it doesn't have to make its own.
3335
3336         * runtime/Lookup.h:
3337         (JSC::reifyStaticProperty): No need to null check because callers never
3338         pass null anymore. No need to make an identifier because callers pass
3339         us one.
3340
3341         (JSC::reifyStaticProperties): Honor new interface.
3342
3343 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
3344
3345         JSBench regression: CodeBlock linking always copies the symbol table
3346         https://bugs.webkit.org/show_bug.cgi?id=157951
3347
3348         Reviewed by Saam Barati.
3349
3350         We always put a SymbolTable into the constant pool, even in simple
3351         functions in which it won't be used -- i.e., there's no eval and there
3352         are no captured variables and so on.
3353
3354         This is costly because linking must copy any provided symbol tables.
3355
3356         * bytecompiler/BytecodeGenerator.cpp:
3357         (JSC::BytecodeGenerator::BytecodeGenerator):
3358         (JSC::BytecodeGenerator::emitProfileType): Only add the symbol table
3359         as a constant if we will use it at runtime.
3360
3361 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
3362
3363         [JSC] Improve int->float conversion in FTL
3364         https://bugs.webkit.org/show_bug.cgi?id=157936
3365
3366         Reviewed by Filip Pizlo.
3367
3368         The integer -> floating point lowering was very bare-bones.
3369
3370         For example, converting a constant integer to double
3371         was doing:
3372             mov #const, %eax
3373             xor %xmm0, %xmm0
3374             cvtsi2sd %eax, %xmm0
3375
3376         Conversion from integer to float was also missing.
3377         We were always converting to double then rounding the double
3378         to float.
3379
3380         This patch adds the basics:
3381         - Constant folding.
3382         - Integer to Float opcode.
3383         - Reducing int->double to int->float when used by DoubleToFloat.
3384
3385         * assembler/MacroAssemblerX86Common.h:
3386         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
3387         * assembler/MacroAssemblerX86_64.h:
3388         (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
3389         (JSC::MacroAssemblerX86_64::convertInt64ToFloat):
3390         * assembler/X86Assembler.h:
3391         (JSC::X86Assembler::cvtsi2ss_rr):
3392         (JSC::X86Assembler::cvtsi2ssq_rr):
3393         (JSC::X86Assembler::cvtsi2sdq_mr):
3394         (JSC::X86Assembler::cvtsi2ssq_mr):
3395         (JSC::X86Assembler::cvtsi2ss_mr):
3396         * assembler/MacroAssemblerARM64.h:
3397         * b3/B3Const32Value.cpp:
3398         (JSC::B3::Const32Value::iToDConstant):
3399         (JSC::B3::Const32Value::iToFConstant):
3400         * b3/B3Const32Value.h:
3401         * b3/B3Const64Value.cpp:
3402         (JSC::B3::Const64Value::iToDConstant):
3403         (JSC::B3::Const64Value::iToFConstant):
3404         * b3/B3Const64Value.h:
3405         * b3/B3LowerToAir.cpp:
3406         (JSC::B3::Air::LowerToAir::lower):
3407         * b3/B3Opcode.cpp:
3408         (WTF::printInternal):
3409         * b3/B3Opcode.h:
3410         * b3/B3ReduceDoubleToFloat.cpp:
3411         * b3/B3ReduceStrength.cpp:
3412         * b3/B3Validate.cpp:
3413         * b3/B3Value.cpp:
3414         (JSC::B3::Value::iToDConstant):
3415         (JSC::B3::Value::iToFConstant):
3416         (JSC::B3::Value::isRounded):
3417         (JSC::B3::Value::effects):
3418         (JSC::B3::Value::key):
3419         (JSC::B3::Value::typeFor):
3420         * b3/B3Value.h:
3421         * b3/B3ValueKey.cpp:
3422         (JSC::B3::ValueKey::materialize):
3423         * b3/air/AirFixPartialRegisterStalls.cpp:
3424         * b3/air/AirOpcode.opcodes:
3425         * b3/testb3.cpp:
3426         (JSC::B3::int64Operands):
3427         (JSC::B3::testIToD64Arg):
3428         (JSC::B3::testIToF64Arg):
3429         (JSC::B3::testIToD32Arg):
3430         (JSC::B3::testIToF32Arg):
3431         (JSC::B3::testIToD64Mem):
3432         (JSC::B3::testIToF64Mem):
3433         (JSC::B3::testIToD32Mem):
3434         (JSC::B3::testIToF32Mem):
3435         (JSC::B3::testIToD64Imm):
3436         (JSC::B3::testIToF64Imm):
3437         (JSC::B3::testIToD32Imm):
3438         (JSC::B3::testIToF32Imm):
3439         (JSC::B3::testIToDReducedToIToF64Arg):
3440         (JSC::B3::testIToDReducedToIToF32Arg):
3441         (JSC::B3::run):
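
The int -> double -> float path that the DoubleToFloat reduction above replaces is only equivalent to a direct int -> float conversion when the first step is exact. It always is for 32-bit integers, since every int32 is representable as a double, so DoubleToFloat(IToD(x)) and IToF(x) agree there; for 64-bit integers the intermediate rounding to 53 bits can land exactly on a float midpoint, and the second rounding (ties-to-even) then goes the other way. The following is an added example written for this page, not code from the patch or from WebKit; the 64-bit constant and the function names are my own choices:

```cpp
// Added example (not WebKit code): int -> double -> float is not the same as
// int -> float for 64-bit integers, because the 53-bit double step can round
// onto a float midpoint and the second rounding then goes the other way
// ("double rounding"). For 32-bit integers the double step is exact, so the
// DoubleToFloat(IToD(x)) -> IToF(x) reduction is always valid there.
#include <cmath>
#include <cstdint>
#include <cstdio>

struct Conversions {
    float viaDouble; // (float)(double)n : what "IToD then DoubleToFloat" computes
    float direct;    // (float)n         : what a dedicated IToF computes
};

Conversions convertInt64(int64_t n) {
    return { static_cast<float>(static_cast<double>(n)), static_cast<float>(n) };
}

Conversions convertInt32(int32_t n) {
    return { static_cast<float>(static_cast<double>(n)), static_cast<float>(n) };
}

// A value chosen (by me) to trigger double rounding:
//   n = 2^60 + 2^36 + 1
//   floats near 2^60 are spaced 2^37 apart, so the float midpoint is 2^60 + 2^36;
//   n is just above that midpoint, so direct rounding gives 2^60 + 2^37.
//   doubles near 2^60 are spaced 2^8 apart, so n first rounds to exactly
//   2^60 + 2^36 (the midpoint), and ties-to-even then picks 2^60.
constexpr int64_t kDoubleRoundingTrap = (int64_t(1) << 60) + (int64_t(1) << 36) + 1;

// True when going through double gives the same float as converting directly.
bool int64ReductionIsExact(int64_t n) {
    Conversions c = convertInt64(n);
    return c.viaDouble == c.direct;
}

// For every int32 the intermediate double is exact, so only one rounding
// happens and the two paths always agree.
bool int32ReductionIsExact(int32_t n) {
    Conversions c = convertInt32(n);
    return c.viaDouble == c.direct;
}

int main() {
    Conversions c = convertInt64(kDoubleRoundingTrap);
    std::printf("via double: %a\ndirect:     %a\n", c.viaDouble, c.direct);
    return 0;
}
```

Both casts rely on the platform converting with round-to-nearest-even, which is what cvtsi2ss/cvtsd2ss (x86) and scvtf/fcvt (ARM64) do; the assertions below spell out the two expected floats using ldexp rather than decimal literals so the arithmetic in the comment can be checked directly.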
3442
3443 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
3444
3445         [JSC] FTL can crash on stack overflow
3446         https://bugs.webkit.org/show_bug.cgi?id=157881
3447         rdar://problem/24665964
3448
3449         Reviewed by Michael Saboff.
3450
3451         The VM's m_largestFTLStackSize was never set anywhere (updateFTLLargestStackSize()
3452         was never called). We forgot to change that when implementing B3.
3453
3454         Even when it is set, we still have a problem on OSR Exit.
3455         If the last frame is an FTL frame and it OSR Exits, the space required for
3456         that frame becomes significantly larger. What happens is we crash in the OSR Exit
3457         instead of the FTL frame (this is what happens in rdar://problem/24665964).
3458
3459         This patch changes the stack boundary checks in FTL to be the same as DFG:
3460         we verify that we have enough space for the current optimized function but
3461         also for the baseline version (including inlining) in case of exit.
3462
3463         * ftl/FTLLowerDFGToB3.cpp:
3464         (JSC::FTL::DFG::LowerDFGToB3::lower):
3465         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack): Deleted.
3466         * runtime/VM.cpp:
3467         (JSC::VM::VM): Deleted.
3468         (JSC::VM::updateStackLimit): Deleted.
3469         (JSC::VM::updateFTLLargestStackSize): Deleted.
3470         * runtime/VM.h:
3471         (JSC::VM::addressOfFTLStackLimit): Deleted.
3472
3473 2016-05-18  Filip Pizlo  <fpizlo@apple.com>
3474
3475         DFG::LICMPhase shouldn't hoist type checks unless it knows that the check will succeed at the loop pre-header
3476         https://bugs.webkit.org/show_bug.cgi?id=144527
3477
3478         Reviewed by Saam Barati.
3479         
3480         This adds a control flow equivalence analysis (called ControlEquivalenceAnalysis) based on
3481         dominator analysis over the backwards CFG. Two basic blocks are control flow equivalent if
3482         the execution of one implies that the other one must also execute. It means that the two
3483         blocks' forward and backward dominance are reciprocated: (A dom B and B backdom A) or (B dom
3484         A and A backdom B). LICM now uses it to become more conservative about hoisting checks, if
3485         this has caused problems in the past. If we hoist something that may exit from a block that
3486         was not control equivalent to the pre-header then it's possible that the node's speculation
3487         will fail even though it wouldn't have if it wasn't hoisted. So, we flag these nodes'
3488         origins as being "wasHoisted" and we track all of their exits as "HoistingFailed". LICM will
3489         turn off such speculative hoisting if the CodeBlock from which we are hoisting had the
3490         HoistingFailed exit kind.
3491         
3492         Note that this deliberately still allows us to hoist things that may exit even if they are
3493         not control equivalent to the pre-header. This is necessary because the profitability of
3494         hoisting is so huge in all of the cases that we're aware of that it's worth giving it a
3495         shot.
3496         
3497         This is neutral on macrobenchmarks since none of the benchmarks we track have a hoistable
3498         operation that would exit only if hoisted. I added microbenchmarks to illustrate the problem
3499         and two of them speed up by ~40% while one of them is neutral (Int52 saves us from having
3500         problems on that program even though LICM previously did the wrong thing).
3501
3502         * JavaScriptCore.xcodeproj/project.pbxproj:
3503         * bytecode/ExitKind.cpp:
3504         (JSC::exitKindToString):
3505         * bytecode/ExitKind.h:
3506         * dfg/DFGAtTailAbstractState.h:
3507         (JSC::DFG::AtTailAbstractState::operator bool):
3508         (JSC::DFG::AtTailAbstractState::initializeTo):
3509         * dfg/DFGBackwardsCFG.h: Added.
3510         (JSC::DFG::BackwardsCFG::BackwardsCFG):
3511         * dfg/DFGBackwardsDominators.h: Added.
3512         (JSC::DFG::BackwardsDominators::BackwardsDominators):
3513         * dfg/DFGCommon.h:
3514         (JSC::DFG::checkAndSet): Deleted.
3515         * dfg/DFGControlEquivalenceAnalysis.h: Added.
3516         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
3517         (JSC::DFG::ControlEquivalenceAnalysis::dominatesEquivalently):
3518         (JSC::DFG::ControlEquivalenceAnalysis::areEquivalent):
3519         * dfg/DFGGraph.cpp:
3520         (JSC::DFG::Graph::dump):
3521         (JSC::DFG::Graph::dumpBlockHeader):
3522         (JSC::DFG::Graph::invalidateCFG):
3523         (JSC::DFG::Graph::substituteGetLocal):
3524         (JSC::DFG::Graph::handleAssertionFailure):
3525         (JSC::DFG::Graph::ensureDominators):
3526         (JSC::DFG::Graph::ensurePrePostNumbering):
3527         (JSC::DFG::Graph::ensureNaturalLoops):
3528         (JSC::DFG::Graph::ensureBackwardsCFG):
3529         (JSC::DFG::Graph::ensureBackwardsDominators):
3530         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
3531         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3532         * dfg/DFGGraph.h:
3533         (JSC::DFG::Graph::hasDebuggerEnabled):
3534         * dfg/DFGInPlaceAbstractState.h:
3535         (JSC::DFG::InPlaceAbstractState::operator bool):
3536         (JSC::DFG::InPlaceAbstractState::createValueForNode):
3537         (JSC::DFG::InPlaceAbstractState::forNode):
3538         * dfg/DFGLICMPhase.cpp:
3539         (JSC::DFG::LICMPhase::run):
3540         (JSC::DFG::LICMPhase::attemptHoist):
3541         * dfg/DFGMayExit.cpp:
3542         (JSC::DFG::mayExit):
3543         * dfg/DFGMayExit.h:
3544         * dfg/DFGNode.h:
3545         * dfg/DFGNodeOrigin.cpp:
3546         (JSC::DFG::NodeOrigin::dump):
3547         * dfg/DFGNodeOrigin.h:
3548         (JSC::DFG::NodeOrigin::takeValidExit):
3549         (JSC::DFG::NodeOrigin::withWasHoisted):
3550         (JSC::DFG::NodeOrigin::forInsertingAfter):
3551         * dfg/DFGNullAbstractState.h: Added.
3552         (JSC::DFG::NullAbstractState::NullAbstractState):
3553         (JSC::DFG::NullAbstractState::operator bool):
3554         (JSC::DFG::NullAbstractState::forNode):
3555         * dfg/DFGOSRExit.cpp:
3556         (JSC::DFG::OSRExit::OSRExit):
3557         * dfg/DFGOSRExitBase.cpp:
3558         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
3559         * dfg/DFGOSRExitBase.h:
3560         (JSC::DFG::OSRExitBase::OSRExitBase):
3561         * dfg/DFGTypeCheckHoistingPhase.cpp:
3562         (JSC::DFG::TypeCheckHoistingPhase::run):
3563         * ftl/FTLOSRExit.cpp:
3564         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
3565         (JSC::FTL::OSRExit::OSRExit):
3566         * ftl/FTLOSRExit.h:
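
The following is an added example written for this page, not code from the patch or from WebKit: a minimal ControlEquivalenceAnalysis over a five-block toy loop (my construction), computed the way the entry describes it, from dominators of the forward CFG and dominators of the backwards CFG, together with a small runtime model of the failure LICM is now guarding against: a check hoisted out of a block that is not control equivalent to the pre-header exits on inputs where the original program never executed the check. The block names, the guard, and the "k < 100" speculation are assumptions of the example.

```cpp
// Added example (not WebKit code): control equivalence from forward and backward
// dominators, and why hoisting a check from a non-equivalent block can add exits.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using BlockId = std::size_t;

struct CFG {
    std::size_t blockCount;
    std::vector<std::vector<BlockId>> succ, pred;
    explicit CFG(std::size_t n) : blockCount(n), succ(n), pred(n) {}
    void addEdge(BlockId from, BlockId to) { succ[from].push_back(to); pred[to].push_back(from); }
};

// Iterative dominator dataflow over bitsets (at most 64 blocks in this toy):
//   dom(root) = {root};  dom(b) = {b} | AND over incoming(b) of dom(p).
// Run over the predecessor lists from the entry it yields forward dominators;
// run over the successor lists from the exit it yields dominators of the
// backwards CFG (post-dominators), the analysis the entry calls BackwardsDominators.
std::vector<uint64_t> dominatorSets(const CFG& g, BlockId root,
                                    const std::vector<std::vector<BlockId>>& incoming) {
    const uint64_t all = g.blockCount >= 64 ? ~uint64_t(0) : (uint64_t(1) << g.blockCount) - 1;
    std::vector<uint64_t> dom(g.blockCount, all);
    dom[root] = uint64_t(1) << root;
    for (bool changed = true; changed;) {
        changed = false;
        for (BlockId b = 0; b < g.blockCount; ++b) {
            if (b == root) continue;
            uint64_t set = all;
            for (BlockId p : incoming[b]) set &= dom[p];
            set |= uint64_t(1) << b;
            if (set != dom[b]) { dom[b] = set; changed = true; }
        }
    }
    return dom;
}

struct ControlEquivalenceAnalysis {
    std::vector<uint64_t> dom, backDom;
    ControlEquivalenceAnalysis(const CFG& g, BlockId entry, BlockId exit)
        : dom(dominatorSets(g, entry, g.pred)), backDom(dominatorSets(g, exit, g.succ)) {}
    bool dominates(BlockId a, BlockId b) const { return (dom[b] >> a) & 1; }
    bool backDominates(BlockId a, BlockId b) const { return (backDom[b] >> a) & 1; }
    // Executing one block implies executing the other:
    // (A dom B and B backdom A) or (B dom A and A backdom B).
    bool areEquivalent(BlockId a, BlockId b) const {
        return (dominates(a, b) && backDominates(b, a)) || (dominates(b, a) && backDominates(a, b));
    }
};

// Toy loop (my construction): 0 = pre-header, 1 = body (runs every iteration),
// 2 = block guarded by a condition inside the body, 3 = latch, 4 = loop exit.
enum : BlockId { PreHeader = 0, Body = 1, Guarded = 2, Latch = 3, Exit = 4 };

CFG buildToyLoop() {
    CFG g(5);
    g.addEdge(PreHeader, Body);
    g.addEdge(Body, Guarded);   // taken only when the guard holds
    g.addEdge(Body, Latch);     // guard false: block 2 is skipped
    g.addEdge(Guarded, Latch);
    g.addEdge(Latch, Body);     // back edge
    g.addEdge(Latch, Exit);
    return g;
}

// Conservative policy: a check that may exit is safe to hoist only when its block
// is control equivalent to the pre-header.
bool safeToHoistCheckFrom(BlockId block) {
    CFG g = buildToyLoop();
    ControlEquivalenceAnalysis ce(g, PreHeader, Exit);
    return ce.areEquivalent(PreHeader, block);
}

// Runtime model: block 2 holds a speculation check "k < 100" on a loop-invariant k,
// and block 2 executes in iteration i only when guard[i] is true.
// Returns true when the speculation fails (an OSR exit).
bool runLoop(const std::vector<bool>& guard, int k, bool hoisted) {
    if (hoisted)
        return k >= 100;                 // checked once, whether or not block 2 ever runs
    for (bool taken : guard)
        if (taken && k >= 100) return true;  // checked only when block 2 actually executes
    return false;
}

// A spurious exit is one that only hoisting causes: hoisted exits, original does not.
bool hoistingCausesSpuriousExit(const std::vector<bool>& guard, int k) {
    return runLoop(guard, k, true) && !runLoop(guard, k, false);
}

int main() {
    std::printf("hoist from body:    %s\n", safeToHoistCheckFrom(Body) ? "ok" : "unsafe");
    std::printf("hoist from guarded: %s\n", safeToHoistCheckFrom(Guarded) ? "ok" : "unsafe");
    std::printf("spurious exit:      %s\n",
                hoistingCausesSpuriousExit({false, false, false}, 200) ? "yes" : "no");
    return 0;
}
```

The body and latch are equivalent to the pre-header (every execution of the pre-header reaches both, and vice versa), so hoisting from them cannot add an exit; the guarded block is not, and the runtime model shows the exit that only appears after hoisting. The entry notes that the real phase still hoists from such blocks for profitability and relies on the HoistingFailed exit kind to back off; this toy keeps only the equivalence test.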
3567
3568 2016-05-19  Mark Lam  <mark.lam@apple.com>
3569
3570         Code that null checks the VM pointer before any use should ref the VM.
3571         https://bugs.webkit.org/show_bug.cgi?id=157864
3572
3573         Reviewed by Filip Pizlo and Keith Miller.
3574
3575         JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
3576         through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
3577         after their null checks.
3578
3579         * bytecode/CodeBlock.h:
3580         (JSC::CodeBlock::vm):
3581         (JSC::CodeBlock::setVM): Deleted.
3582         - Not used, and suggests that it can be changed during the lifetime of the
3583           CodeBlock (which should not be).
3584
3585         * heap/HeapTimer.cpp:
3586         (JSC::HeapTimer::timerDidFire):
3587         * runtime/JSLock.cpp:
3588         (JSC::JSLock::willReleaseLock):
3589         - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
3590           the raw VM pointer.  This makes the null check a strong guarantee that the
3591           VM pointer is valid while these functions are using it.
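
The race the entry describes, as an added example written for this page (not WebKit code): a null check on a raw pointer proves nothing about lifetime if the last owner can release the object between the check and the use, whereas taking a strong reference first turns the same null check into a liveness guarantee. std::shared_ptr stands in for RefPtr, a callback stands in for the other thread, and FakeVM, Holder and the field names are my own.

```cpp
// Added example (not WebKit code): a raw-pointer null check is not a liveness guarantee.
// The "other thread" that drops the last reference is modelled by a callback that runs
// between the check and the use, so the race is deterministic and the program stays
// free of an actual use-after-free (the destroyed flag lives outside the object).
#include <cstdio>
#include <functional>
#include <memory>

struct FakeVM {
    explicit FakeVM(bool* destroyedFlag) : destroyedFlag(destroyedFlag) {}
    ~FakeVM() { *destroyedFlag = true; }
    bool* destroyedFlag;
    int heapSize = 42;
};

// Stand-in for JSLock / HeapTimer: holds the reference that may be the last one.
struct Holder {
    bool vmDestroyed = false;
    std::shared_ptr<FakeVM> vm;   // models the owning reference (RefPtr<VM> in WebKit)
};

using RaceWindow = std::function<void()>;

// Before the fix: null check the raw pointer, then use it.
// Returns true if the VM had already been destroyed at the point of use.
bool useAfterRawNullCheck(Holder& holder, const RaceWindow& otherThread) {
    FakeVM* vm = holder.vm.get();
    if (!vm)
        return false;
    otherThread();               // last reference dropped here; vm now dangles
    return holder.vmDestroyed;   // true: touching vm->heapSize here would be a UAF
}

// After the fix: take a strong reference first, then null check that.
bool useWithStrongRef(Holder& holder, const RaceWindow& otherThread) {
    std::shared_ptr<FakeVM> vm = holder.vm;   // our reference keeps the VM alive
    if (!vm)
        return false;
    otherThread();               // the holder's reference goes away, ours does not
    (void)vm->heapSize;          // safe: the object is guaranteed to be alive here
    return holder.vmDestroyed;   // false
}

struct Outcome {
    bool usedDestroyedVM;        // did the use happen on a destroyed object?
    bool destroyedAfterUse;      // was the VM released once the user let go of it?
};

Outcome runScenario(bool takeRefFirst) {
    Holder holder;
    holder.vm = std::make_shared<FakeVM>(&holder.vmDestroyed);
    RaceWindow dropLastRef = [&holder] { holder.vm.reset(); };
    Outcome o{};
    o.usedDestroyedVM = takeRefFirst ? useWithStrongRef(holder, dropLastRef)
                                     : useAfterRawNullCheck(holder, dropLastRef);
    o.destroyedAfterUse = holder.vmDestroyed;
    return o;
}

// Both versions still treat a null VM as "nothing to do".
bool bothHandleNull() {
    Holder empty;
    RaceWindow nothing = [] {};
    return !useAfterRawNullCheck(empty, nothing) && !useWithStrongRef(empty, nothing);
}

int main() {
    Outcome buggy = runScenario(false), fixed = runScenario(true);
    std::printf("raw null check: used destroyed VM = %d\n", buggy.usedDestroyedVM);
    std::printf("strong ref:     used destroyed VM = %d, released afterwards = %d\n",
                fixed.usedDestroyedVM, fixed.destroyedAfterUse);
    return 0;
}
```

The fixed version does not leak: the extra reference lives only for the duration of the call, so the VM is still released as soon as the function returns, which is what destroyedAfterUse records.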
3592
3593 2016-05-19  Saam barati  <sbarati@apple.com>
3594
3595         arrow function lexical environment should reuse the same environment as the function's lexical environment where possible
3596         https://bugs.webkit.org/show_bug.cgi?id=157908
3597
3598         Reviewed by Filip Pizlo.
3599
3600         We can safely combine these two environments when we have
3601         a simple parameter list (no default parameters, no destructuring parameters).
3602
3603         * bytecompiler/BytecodeGenerator.cpp:
3604         (JSC::BytecodeGenerator::BytecodeGenerator):
3605         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
3606         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
3607         * bytecompiler/BytecodeGenerator.h:
3608
3609 2016-05-19  Michael Saboff  <msaboff@apple.com>
3610
3611         Unreviewed build fix.
3612
3613         Skipping this new test as it times out on the bots.
3614
3615         Issue tracked in https://bugs.webkit.org/show_bug.cgi?id=157903
3616
3617         * tests/stress/regress-157595.js:
3618         (MyRegExp):
3619
3620 2016-05-19  Guillaume Emont  <guijemont@igalia.com>
3621
3622         JSC: DFG::SpeculativeJIT::compile special case for MIPS for PutByValWithThis
3623         https://bugs.webkit.org/show_bug.cgi?id=157741
3624
3625         Reviewed by Saam Barati.
3626
3627         The PutByValWithThis case needs a special case for MIPS because we
3628         don't have enough registers. The special case needs to be different
3629         from the x86 one because we have a different ABI.
3630
3631         * dfg/DFGSpeculativeJIT32_64.cpp:
3632         (JSC::DFG::SpeculativeJIT::compile):
3633
3634 2016-05-19  Brian Burg  <bburg@apple.com>
3635
3636         Web Inspector: use a consistent prefix for injected scripts
3637         https://bugs.webkit.org/show_bug.cgi?id=157715
3638         <rdar://problem/26287188>
3639
3640         Reviewed by Timothy Hatcher.
3641
3642         * CMakeLists.txt:
3643         * DerivedSources.make:
3644         * inspector/InjectedScriptSource.js:
3645
3646 2016-05-19  Csaba Osztrogonác  <ossy@webkit.org>
3647
3648         [ARM] Remove redefined macro after r200606
3649         https://bugs.webkit.org/show_bug.cgi?id=157890
3650
3651         Reviewed by Michael Saboff.
3652
3653         * bytecode/PolymorphicAccess.cpp:
3654         * jit/CCallHelpers.h:
3655
3656 2016-05-18  Saam barati  <sbarati@apple.com>
3657
3658         Function with default parameter values that are arrow functions that capture this isn't working
3659         https://bugs.webkit.org/show_bug.cgi?id=157786
3660         <rdar://problem/26327329>
3661
3662         Reviewed by Geoffrey Garen.
3663
3664         To make the scopes ordered properly, I needed to initialize the arrow 
3665         function lexical environment before initializing default parameter values.
3666         I also made the code easier to reason about by never reusing the function's
3667         var lexical environment for the arrow function lexical environment. The
3668         reason for this is that that code was wrong, and we just didn't have code
3669         that properly tested it. It was easy for that code to be wrong because
3670         sometimes the function's lexical environment isn't the top-most scope
3671         (namely, when a function's parameter list is non-simple) and sometimes
3672         it is (when the function's parameter list is simple).
3673
3674         Also, because a function's default parameter values may capture the
3675         'arguments' variable inside an arrow function, I needed to take care
3676         to initialize the 'arguments' variable as part of whichever scope
3677         is the top-most scope. It's either the function's var environment
3678         if the parameter list is simple, or it's the function's parameter
3679         environment if the parameter list is non-simple.
3680
3681         * bytecompiler/BytecodeGenerator.cpp:
3682         (JSC::BytecodeGenerator::BytecodeGenerator):
3683         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
3684         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
3685         (JSC::BytecodeGenerator::initializeParameters):
3686         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
3687         (JSC::BytecodeGenerator::visibleNameForParameter):
3688         * bytecompiler/BytecodeGenerator.h:
3689         * tests/stress/arrow-functions-as-default-parameter-values.js: Added.
3690         (assert):
3691         (test):
3692         (test.foo):
3693         * tests/stress/op-push-name-scope-crashes-profiler.js:
3694         (test):
3695
3696 2016-05-18  Michael Saboff  <msaboff@apple.com>
3697
3698         r199812 broke test262
3699         https://bugs.webkit.org/show_bug.cgi?id=157595
3700
3701         Reviewed by Filip Pizlo.
3702
3703         Added a reasonable limit to the size of the match result array to catch possible
3704         infinite loops when matching.
3705         Added a new test that creates an infinite loop in RegExp.prototype.[Symbol.match]
3706         by creating a subclass of RegExp where the base RegExp's global flag is false and
3707         the subclass overrides .global with a getter that always returns true.
3708
3709         * builtins/RegExpPrototype.js:
3710         (match):
3711         * tests/stress/regress-157595.js: Added.
3712         (MyRegExp):
3713         (MyRegExp.prototype.get global):
3714         (test):
3715         (catch):
3716
3717 2016-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3718
3719         [ES6] Namespace object re-export should be handled as local export
3720         https://bugs.webkit.org/show_bug.cgi?id=157806
3721
3722         Reviewed by Mark Lam.
3723
3724         We align the implementation of ExportEntry to the spec; remove Type::Namespace.
3725         This Type::Namespace is used for re-exported namespace object binding. For example,
3726
3727             import * as namespace from "namespace.js"
3728             export { namespace }
3729
3730         In the above case, we used ExportEntry(Type::Namespace). In this patch, we drop this
3731         and use normal local export (Type::Local) instead because the namespace object actually has
3732         the local binding in the above module environment. And this handling strictly meets the
3733         spec (Sec 15.2.1.16.1 step 11-a-ii-2-b).
3734
3735         And we also clean up the ExportEntry implementation; dropping unnecessary information.
3736         This change fixes the test262/test/language/module-code/instn-star-equality.js crash.
3737
3738         * parser/ModuleAnalyzer.cpp:
3739         (JSC::ModuleAnalyzer::exportVariable):
3740         * runtime/JSModuleRecord.cpp:
3741         (JSC::getExportedNames):
3742         (JSC::JSModuleRecord::dump): Deleted.
3743         * runtime/JSModuleRecord.h:
3744         * tests/modules/namespace-re-export.js: Added.
3745         * tests/modules/namespace-re-export/namespace-re-export-fixture.js: Added.
3746         * tests/modules/namespace-re-export/namespace-re-export.js: Added.
3747         * tests/modules/resources/assert.js:
3748         (export.shouldNotBe):
3749
3750 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
3751
3752         JSC should detect the right default locale even when it's not embedded in WebCore
3753         https://bugs.webkit.org/show_bug.cgi?id=157755
3754         rdar://problem/24665424
3755
3756         Reviewed by Keith Miller.
3757         
3758         This makes JSC try to use WTF's platform user preferred language detection if the DOM did
3759         not register a defaultLanguage callback. The result is that when JSC runs standalone it
3760         will detect the platform user preferred language almost the same way as when it's embedded
3761         in WebCore. The only difference is that WebCore may have its own additional overrides via
3762         the WK API. But in the absence of overrides, WebCore uses the same WTF logic that JSC falls
3763         back to.
3764         
3765         We first found this bug because on iOS, the intl tests would fail because ICU would report
3766         a somewhat bogus locale on that platform. Prior to this change, standalone JSC would fall
3767         back to ICU's locale detection. It turns out that the ICU default locale is also bogus on
3768         OS X, just less so. For example, setting things to Poland did not result in the jsc shell
3769         printing dates Polish-style. Now it will print them Polish-style if your system preferences
3770         say so. Also, the tests don't fail on iOS anymore.
3771         
3772         * runtime/IntlObject.cpp:
3773         (JSC::defaultLocale):
3774
3775 2016-05-17  Dean Jackson  <dino@apple.com>
3776
3777         Remove ES6_GENERATORS flag
3778         https://bugs.webkit.org/show_bug.cgi?id=157815
3779         <rdar://problem/26332894>
3780
3781         Reviewed by Geoffrey Garen.
3782
3783         This flag isn't needed. Generators are enabled everywhere and
3784         part of a stable specification.
3785
3786         * Configurations/FeatureDefines.xcconfig:
3787         * parser/Parser.cpp:
3788         (JSC::Parser<LexerType>::parseFunctionDeclaration): Deleted.
3789         (JSC::Parser<LexerType>::parseClass): Deleted.
3790         (JSC::Parser<LexerType>::parseExportDeclaration): Deleted.
3791         (JSC::Parser<LexerType>::parseAssignmentExpression): Deleted.
3792         (JSC::Parser<LexerType>::parseProperty): Deleted.
3793         (JSC::Parser<LexerType>::parseFunctionExpression): Deleted.
3794
3795 2016-05-17  Keith Miller  <keith_miller@apple.com>
3796
3797         Rollout r200426 since it causes PLT regressions.
3798         https://bugs.webkit.org/show_bug.cgi?id=157812
3799
3800         Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.
3801
3802 2016-05-17  Keith Miller  <keith_miller@apple.com>
3803
3804         Add test262 harness support code
3805         https://bugs.webkit.org/show_bug.cgi?id=157797
3806
3807         Reviewed by Filip Pizlo.
3808
3809         This patch adds some new tooling needed to run Test262 with the jsc
3810         CLI. There were three options that needed to be added for Test262:
3811
3812         1) "--test262-async" This option overrides the print function in the test runner to look for
3813         'Test262:AsyncTestComplete' instead of printing the passed text. If test262-async mode is on
3814         and that string is not passed then the test is marked as failing.
3815
3816         2) "--strict-file=<file>" This option prepends `"use strict";\n` to the beginning of the
3817         passed file before passing the source code to the VM. This option can, in theory, be passed
3818         multiple times.
3819
3820         3) "--exception=<name>" This option asserts that at the end of the last script file passed
3821         the VM has an uncaught exception with its name property equal to the passed name.
3822
3823         * jsc.cpp:
3824         (Script::Script):
3825         (fillBufferWithContentsOfFile):
3826         (functionPrint):
3827         (checkUncaughtException):
3828         (runWithScripts):
3829         (printUsageStatement):
3830         (CommandLine::parseArguments):
3831         (runJSC):
3832
3833 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
3834
3835         WTF should know about Language
3836         https://bugs.webkit.org/show_bug.cgi?id=157756
3837
3838         Reviewed by Geoffrey Garen.
3839
3840         Teach our scripts that an ObjC class beginning with WTF is totally cool.
3841
3842         * JavaScriptCore.xcodeproj/project.pbxproj:
3843
3844 2016-05-17  Joseph Pecoraro  <pecoraro@apple.com>
3845
3846         console namespace breaks putting properties on console.__proto__
3847         https://bugs.webkit.org/show_bug.cgi?id=157782
3848         <rdar://problem/26250526>
3849
3850         Reviewed by Geoffrey Garen.
3851
3852         Some websites currently depend on console.__proto__ existing and being
3853         a separate object from Object.prototype. This patch adds back a basic
3854         console.__proto__ object, but all the console functions are left on
3855         the ConsoleObject itself.
3856
3857         * runtime/JSGlobalObject.cpp:
3858         (JSC::createConsoleProperty):
3859
3860 2016-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3861
3862         Unreviewed, dump more information when math-pow-stable-results.js failed
3863         https://bugs.webkit.org/show_bug.cgi?id=157168
3864
3865         * tests/stress/math-pow-stable-results.js:
3866
3867 2016-05-16  Saam barati  <sbarati@apple.com>
3868
3869         ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
3870         https://bugs.webkit.org/show_bug.cgi?id=157770
3871
3872         Reviewed by Filip Pizlo.
3873
3874         ShadowChicken was reading the scope from a half formed
3875         frame as it threw a stack overflow exception. The frame had
3876         a valid CodeBlock pointer, but it did not have a valid scope.
3877         The code in ShadowChicken's throw packet logging mechanism didn't
3878         account for this. The fix is to respect whether genericUnwind wants
3879         to unwind from the current frame or the caller's frame. For stack
3880         overflow errors, we always unwind the caller's frame.
3881
3882         * jit/JITExceptions.cpp:
3883         (JSC::genericUnwind):
3884
3885 2016-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3886
3887         REGRESSION(r200208): It made 2 JSC stress tests fail on x86
3888         https://bugs.webkit.org/show_bug.cgi?id=157168
3889
3890         Reviewed by Benjamin Poulain.
3891
3892         The fast path in operationMathPow produces different results between x87 and the other environments.
3893         This is because x87 calculates the double value in 80bit precision.
3894         The situation is the following: in x86 32bit environment, floating point operations are compiled to
3895         x87 operations by default even if we can use SSE2. But in DFG environment, we aggressively use SSE2
3896         if the cpuid reports SSE2 is available. As a result, the implementations differ between C runtime
3897         and DFG JIT code. The C runtime uses x87 while DFG JIT code uses SSE2. This causes a precision
3898         problem since x87 has 80bit precision while SSE2 has 64bit precision.
3899
3900         In this patch, in x86 32bit environment, we use `volatile double` if the `-mfpmath=sse and -msse2 (or later)`
3901         is not specified. This rounds the x87 value to 64 bits after each multiplication. Note that this problem does not
3902         occur in OS X clang 32bit environment. This is because `-mfpmath=sse` is enabled by default in OS X clang 32bit.
3903
3904         * b3/B3MathExtras.cpp:
3905         (JSC::B3::powDoubleInt32):
3906         * runtime/MathCommon.cpp:
3907         (JSC::operationMathPow):