[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-03-09  Mark Lam  <mark.lam@apple.com>

        Add dumping of function expression names in CodeBlock bytecode dump.
        https://bugs.webkit.org/show_bug.cgi?id=155248

        Reviewed by Filip Pizlo.

        Because ...
        [  19] new_func_exp      loc5, loc3, f0:foo

        ... is more informative than
        [  19] new_func_exp      loc5, loc3, f0

        Anonymous functions will be dumped as <anon>.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpFunctionExpr):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:

2016-03-09  Michael Saboff  <msaboff@apple.com>

        [ES6] Implement RegExp sticky flag and related functionality
        https://bugs.webkit.org/show_bug.cgi?id=155177

        Reviewed by Saam Barati.

        Implemented the ES6 RegExp sticky functionality.

        There are two main behavior changes when the sticky flag is specified.
        1) Matching starts at lastIndex and lastIndex is updated after the match.
        2) The regular expression is only matched from the start position in the string.
        See ES6 section 21.2.5.2.2 for details.

        Changed both the Yarr interpreter and jit to not loop to the next character for sticky RegExps.
        Updated RegExp exec and match, and stringProtoFuncMatch to handle lastIndex changes.

        Restructured the way flags are passed to and through YarrPatterns to use RegExpFlags instead of
        individual bools.

        Updated tests for 'y' flag and new behavior.

        * bytecode/CodeBlock.cpp:
        (JSC::regexpToSourceString):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        * runtime/CommonIdentifiers.h:
        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
        (JSC::RegExp::finishCreation):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * runtime/RegExpKey.h:
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        (JSC::flagsString):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        * tests/es6.yaml:
        * tests/stress/static-getter-in-names.js:
        (shouldBe):
        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::Private::compile):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::tryConsumeBackReference):
        (JSC::Yarr::Interpreter::matchAssertionBOL):
        (JSC::Yarr::Interpreter::matchAssertionEOL):
        (JSC::Yarr::Interpreter::matchAssertionWordBoundary):
        (JSC::Yarr::Interpreter::matchDotStarEnclosure):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::ByteCompiler::atomPatternCharacter):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
        (JSC::Yarr::BytecodePattern::ignoreCase):
        (JSC::Yarr::BytecodePattern::multiline):
        (JSC::Yarr::BytecodePattern::sticky):
        (JSC::Yarr::BytecodePattern::unicode):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::matchCharacterClass):
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::generateAssertionBOL):
        (JSC::Yarr::YarrGenerator::generateAssertionEOL):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::backtrack):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
        (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
        (JSC::Yarr::YarrPattern::ignoreCase):
        (JSC::Yarr::YarrPattern::multiline):
        (JSC::Yarr::YarrPattern::sticky):
        (JSC::Yarr::YarrPattern::unicode):

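Added example (not part of this ChangeLog or of JSC's sources): the two sticky-flag behaviors described in the entry above, observed from JavaScript, followed by a small tokenizer that depends on them (a sticky rule either matches exactly at the cursor or fails, so unexpected input is detected instead of silently skipped). The probe and tokenizer names and the token rules are this example's own.

```javascript
// Probe a sticky ('y') RegExp: matching starts at lastIndex, and lastIndex is
// updated after the match (set back to 0 when the match fails).
function stickyProbe(source, input, lastIndex) {
  const re = new RegExp(source, 'y');
  re.lastIndex = lastIndex;
  const m = re.exec(input);
  return { matched: m !== null, index: m ? m.index : -1, lastIndex: re.lastIndex };
}

// Same probe with the global ('g') flag for contrast: the engine scans forward
// from lastIndex, so a match later in the string is still found.
function globalProbe(source, input, lastIndex) {
  const re = new RegExp(source, 'g');
  re.lastIndex = lastIndex;
  const m = re.exec(input);
  return { matched: m !== null, index: m ? m.index : -1, lastIndex: re.lastIndex };
}

// String.prototype.match with 'gy': collects consecutive matches from index 0
// and stops at the first position where the pattern does not match.
function stickyMatchAll(source, input) {
  return input.match(new RegExp(source, 'gy'));
}

// Tokenizer built on sticky rules. Each rule is tried only at the current
// position; the cursor advances by exactly what the rule consumed. No rule can
// match the empty string, so the loop always makes progress.
function tokenize(input) {
  const rules = [
    ['number', /\d+/y],
    ['ident', /[A-Za-z_]\w*/y],
    ['op', /[+\-*\/=]/y],
    ['ws', /\s+/y],
  ];
  const tokens = [];
  let pos = 0;
  while (pos < input.length) {
    let matched = false;
    for (const [kind, re] of rules) {
      re.lastIndex = pos;
      const m = re.exec(input);
      if (m) {
        if (kind !== 'ws') tokens.push({ kind, text: m[0], pos });
        pos = re.lastIndex; // advanced by the sticky match
        matched = true;
        break;
      }
    }
    if (!matched) {
      // A non-sticky rule would have scanned past this character; sticky
      // matching lets the tokenizer reject it instead.
      throw new SyntaxError(`Unexpected character ${JSON.stringify(input[pos])} at ${pos}`);
    }
  }
  return tokens;
}
```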
2016-03-09  Mark Lam  <mark.lam@apple.com>

        FunctionExecutable::ecmaName() should not be based on inferredName().
        https://bugs.webkit.org/show_bug.cgi?id=155203

        Reviewed by Michael Saboff.

        The ES6 rules for how a function name should be inferred closely match JSC's
        implementation with one exception:
            var o = {}
            o.foo = function() {}

        JSC's inferredName for o.foo would be "foo".
        ES6 specifies that o.foo.name is "".

        The fix is to add a distinct FunctionExecutable::ecmaName() which applies the ES6
        rules for inferring the initial value of Function.name.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createAssignResolve):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::makeAssignNode):
        * parser/Nodes.h:
        * runtime/Executable.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyName):
        * tests/es6.yaml:

2016-03-09  Michael Saboff  <msaboff@apple.com>

        Harden JSC Root element functions from bad values
        https://bugs.webkit.org/show_bug.cgi?id=155234

        Reviewed by Saam Barati.

        Changed jsCast() to jsDynamicCast() in Root related functions to protect against being
        called with non-Root arguments.

        * jsc.cpp:
        (functionCreateElement):
        (functionGetElement):
        (functionSetElementRoot):

2016-03-09  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Pick how to OSR Enter to FTL at runtime instead of compile time
        https://bugs.webkit.org/show_bug.cgi?id=155217

        Reviewed by Filip Pizlo.

        This patch addresses 2 types of problems with tiering up to FTL
        with OSR Entry in a loop:
        -When there are nested loops, it is generally valuable to enter
         an outer loop rather than an inner loop.
        -When tiering up at a point that cannot OSR Enter, we are at
         the mercy of the outer loop frequency to compile the right
         entry point.

        The first case is significant in the test "gaussian-blur".
        That test has 4 nested loops. When we have an OSR Entry,
        the analysis phases have to be pessimistic where we enter:
        we do not really know what constraint can be proven from
        the DFG code that was running.

        In "gaussian-blur", integer-range analysis removes pretty
        much all overflow checks in the inner loops of where we entered.
        The more outside we enter, the better code we generate.

        Since we spend the most iterations in the inner loop, we naturally
        tend to OSR Enter into the 2 most inner loops, making the most
        pessimistic assumptions.

        To avoid such problems, I changed how we decide where to OSR Enter.
        Previously, the last CheckTierUpAndOSREnter to cross the threshold
        was where we take the entry point for FTL.

        What happens now is that the entry point is not decided when
        compiling the CheckTierUp variants. Instead, all the information
        we need is gathered during compilation and kept on the JITCode
        to be used at runtime.

        When we try to tier up and decide to OSR Enter, we use the information
        we have to pick a good outer loop for OSR Entry.

        Now the problem is outer loops do not CheckTierUpAndOSREnter often,
        wasting several milliseconds before entering the newly compiled FTL code.

        To solve that, every CheckTierUpAndOSREnter has its own trigger that
        bypasses the counter. When the FTL Code is compiled, the trigger is set
        and we enter through the right CheckTierUpAndOSREnter immediately.

        ---

        This new mechanism also solves a problem of ai-astar.
        When we try to tier up in ai-astar, we had nothing to compile until
        the outer loop is reached.

        To make sure we reached the CheckTierUpAndOSREnter in a reasonable time,
        we had CheckTierUpWithNestedTriggerAndOSREnter with a special trigger.

        With the new mechanism, we can do much better:
        -When we keep hitting CheckTierUpInLoop, we now have all the information
         we need to already start compiling the outer loop.
         Instead of waiting for the outer loop to be reached a few times, we compile
         it as soon as the inner loop is hammering CheckTierUpInLoop.
        -With the new triggers, the very next time we hit the outer loop, we OSR Enter.

        This allows us to compile what we need sooner and enter sooner.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.h:
        (JSC::DFG::Plan::canTierUpAndOSREnter):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
        (JSC::DFG::TierUpCheckInjectionPhase::findLoopsContainingLoopHintWithoutOSREnter): Deleted.
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:

2016-03-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to constant-fold strings
        https://bugs.webkit.org/show_bug.cgi?id=155200

        Reviewed by Geoffrey Garen.

        This adds constant-folding of string1 + string2 and string.length. The actual folding
        rule is easy, but there are some gotchas.

        The problem is that the DFG cannot allocate new JSString objects until we are on the
        main thread. So, DFG IR must have a node for a JSValue string constant that hasn't been
        created yet - i.e. it doesn't have any concrete JSValue bits yet.

        We have the ability to speak of such things, using LazyJSValue. But that's a class, not
        a node type. This patch now adds a node type, LazyJSConstant, which is a Node that holds
        a LazyJSValue.

        This puts us in a weird situation: AI uses JSValue to represent constants. It would take
        a lot of work to change it to use LazyJSValue. So, this implements the constant folding
        in StrengthReductionPhase. I created a bug and put a FIXME about moving these rules into
        AI.

        OTOH, our experience in B3 shows that constant folding in strength reduction is quite
        nice. It would totally make sense to have strength reduction have constant folding rules
        that mirror the rules in AI, or to factor out the AI constant folding rules, the same
        way that B3 factors out those rules into Value methods.

        Another issue is how to represent the cumulative result of possibly many foldings. I
        initially considered adding LazyJSValue kinds that represented concatenation. Folding
        the concatenation to a constant means that this constant was actually a LazyJSValue that
        represented the concatenation of two other things. But this would get super messy if we
        wanted to fold an operation that uses the results of another folded operation.

        So, the JIT thread folds string operations by creating a WTF::String that contains the
        result. The DFG::Graph holds a +1 on the underlying StringImpl, so we can pass the
        StringImpl* around without reference counting. The LazyJSValue now has a special kind
        that means: we created this StringImpl* on the JIT thread, and once the JIT is done, we
        will relinquish ownership of it. LazyJSValue has some magic to emit code for these
        to-be-created-JSStrings while also transferring ownership of the StringImpl from the JIT
        thread to the main thread and registering the JSString with the GC.

        This just implements folding for concatenation and GetArrayLength. It's just a proof of
        concept for evil things I want to do later.

        This change is a 2.5x speed-up on the string concatenation microbenchmarks I added in
        this patch.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFrozenValue.cpp:
        (JSC::DFG::FrozenValue::emptySingleton):
        (JSC::DFG::FrozenValue::tryGetString):
        (JSC::DFG::FrozenValue::dumpInContext):
        * dfg/DFGFrozenValue.h:
        (JSC::DFG::FrozenValue::strength):
        * dfg/DFGGraph.h:
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::newString):
        (JSC::DFG::LazyJSValue::getValue):
        (JSC::DFG::equalToStringImpl):
        (JSC::DFG::LazyJSValue::tryGetStringImpl):
        (JSC::DFG::LazyJSValue::tryGetString):
        (JSC::DFG::LazyJSValue::strictEqual):
        (JSC::DFG::LazyJSValue::switchLookupValue):
        (JSC::DFG::LazyJSValue::emit):
        (JSC::DFG::LazyJSValue::dumpInContext):
        * dfg/DFGLazyJSValue.h:
        (JSC::DFG::LazyJSValue::LazyJSValue):
        (JSC::DFG::LazyJSValue::knownStringImpl):
        (JSC::DFG::LazyJSValue::kind):
        (JSC::DFG::LazyJSValue::tryGetValue):
        (JSC::DFG::LazyJSValue::character):
        (JSC::DFG::LazyJSValue::stringImpl):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentityOn):
        (JSC::DFG::Node::convertToLazyJSConstant):
        (JSC::DFG::Node::convertToPutHint):
        (JSC::DFG::Node::convertToPutClosureVarHint):
        (JSC::DFG::Node::tryGetString):
        (JSC::DFG::Node::promotedLocationDescriptor):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::convertToConstantStoragePointer):
        (JSC::DFG::Node::castConstant):
        (JSC::DFG::Node::hasLazyJSValue):
        (JSC::DFG::Node::lazyJSValue):
        (JSC::DFG::Node::initializationValueForActivation):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
        (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileInt52Constant):
        (JSC::FTL::DFG::LowerDFGToB3::compileLazyJSConstant):
        (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):

2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Memory Timeline should show MemoryPressure events
        https://bugs.webkit.org/show_bug.cgi?id=155158
        <rdar://problem/25026610>

        Reviewed by Brian Burg.

        * inspector/protocol/Memory.json:

2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add Heap domain start/stop tracking commands
        https://bugs.webkit.org/show_bug.cgi?id=155190

        Reviewed by Brian Burg.

        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorHeapAgent::startTracking):
        (Inspector::InspectorHeapAgent::stopTracking):
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/protocol/Heap.json:

2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add a way to create a Heap Snapshot
        https://bugs.webkit.org/show_bug.cgi?id=155188

        Reviewed by Brian Burg.

        * inspector/agents/InspectorHeapAgent.h:
        * inspector/protocol/Heap.json:
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::snapshot):
        Take a heap snapshot and return the JSON string result.

        * inspector/protocol/Debugger.json:
        Remove unused optional inferredName. Our displayName would be inferred.

2016-03-08  Oliver Hunt  <oliver@apple.com>

        Fix ios bot build.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):

2016-03-08  Mark Lam  <mark.lam@apple.com>

        Implement Function.name support for getters/setters and inferring name of function properties.
        https://bugs.webkit.org/show_bug.cgi?id=154865

        Rubber-stamped by Joseph Pecoraro.

        Follow up to the fix for this bug: adding a few small clean-ups for issues Joe
        pointed out in the bug.

        * runtime/JSBoundSlotBaseFunction.cpp:
        (JSC::JSBoundSlotBaseFunction::create):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):

2016-03-08  Oliver Hunt  <oliver@apple.com>

        Start moving to separated writable and executable mappings in the JIT
        https://bugs.webkit.org/show_bug.cgi?id=155178

        Reviewed by Fil Pizlo.

        Start moving to a separate writable and executable heap for the various
        JITs.

        As part of our work to harden the JIT against various attacks, we're
        moving away from our current RWX heap and on to using separate RW and X
        mappings. This means that simply leaking the location of the executable
        mapping is not sufficient to compromise JSC, so we can continue to
        use direct executable pointers in our GC objects (which we need for
        performance), but keep the writable pointer in only a single location
        so that we are less likely to leak the address. To further obscure the
        address of the writable region we place it in an execute only region
        of memory so that it is not possible to read the location from
        anywhere. That means an attacker must have at least partial control
        of PC (to call jitMemCopy) before they can start to attack the JIT.

        This work is initially ARM64 only, as the jitMemCopy we use is
        currently specific to that platform's calling conventions and layout.
        We're just landing it in the current form so that we can at least
        ensure it doesn't regress.

        * Configurations/FeatureDefines.xcconfig:
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::ldp):
        (JSC::ARM64Assembler::ldnp):
        (JSC::ARM64Assembler::fillNops):
        (JSC::ARM64Assembler::stp):
        (JSC::ARM64Assembler::stnp):
        (JSC::ARM64Assembler::replaceWithJump):
        (JSC::ARM64Assembler::replaceWithLoad):
        (JSC::ARM64Assembler::replaceWithAddressComputation):
        (JSC::ARM64Assembler::setPointer):
        (JSC::ARM64Assembler::repatchInt32):
        (JSC::ARM64Assembler::repatchCompact):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
        (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::sub64):
        (JSC::MacroAssemblerARM64::load64):
        (JSC::MacroAssemblerARM64::loadPair64):
        (JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::store64):
        (JSC::MacroAssemblerARM64::storePair64):
        (JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::branchAdd64):
        (JSC::MacroAssemblerARM64::branchSub64):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2016-03-08  Mark Lam  <mark.lam@apple.com>

        Implement Function.name support for getters/setters and inferring name of function properties.
        https://bugs.webkit.org/show_bug.cgi?id=154865

        Reviewed by Geoffrey Garen.

        1. toString() no longer uses the value of Function.name as the name of the
           function in the returned string, because ...

            i. Function.name is supposed to be configurable.  Hence, it can be made
               writable and can be set to any JSValue, or deleted.
           ii. Function.prototype.toString() is supposed to produce a string that can be
               eval'ed.  Hence, for JS functions, the function name in the produced
               string must be a legal function name (and not some arbitrary value set in
               Function.name).  For example, while a number is a legal value for
               Function.name, it is not legal as the function name in the toString()
               string.

           Instead, we'll always use the original name from the JS source that the
           function was parsed from.

        2. JSFunction::name() now always returns the original name, not the value of
           the Function.name property.  As a result, it also no longer needs an
           ExecState* arg.

           If the original name is an empty string, JSFunction::name() will use the
           inferred name.

        3. For JS functions, the original name can be attained from their
           FunctionExecutable object.

           For host/native functions (which do not have a FunctionExecutable), we get the
           "original" name from its NativeExecutable.

        4. The m_hostFunctionStubMap now keys its NativeExecutable pointers using the
           original name, in addition to the native function and constructor pointers.

           This is needed because we want a different NativeExecutable for functions with
           a different name (to satisfy (3) above).

        5. Changed JSBoundFunction to store the name of its bound function in its
           NativeExecutable.  This will later be used to generate the toString() string.
           Its Function.name value is eagerly initialized at construction time.

        6. Function.name for getters/setters is now prefixed with "get"/"set".
           This was done both for the JSBoundSlotBaseFunctions and JS definable get/set
           functions.

        7. Added InternalFunction::m_originalName so that we can use it to generate the
           toString() string.  We're storing it as a JSString instead of a WTF::String
           only because we want InternalFunction to continue to be trivially
           destructible.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::finalize):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * runtime/Executable.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::visitChildren):
        (JSC::InternalFunction::name):
        (JSC::InternalFunction::displayName):
        * runtime/InternalFunction.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::visitChildren):
        (JSC::JSBoundFunction::toStringName): Deleted.
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSBoundSlotBaseFunction.cpp:
        (JSC::boundSlotBaseFunctionCall):
        (JSC::JSBoundSlotBaseFunction::create):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::initializeRareData):
        (JSC::JSFunction::name):
        (JSC::JSFunction::displayName):
        (JSC::JSFunction::calculatedDisplayName):
        (JSC::JSFunction::reifyName):
        * runtime/JSFunction.h:
        * tests/es6.yaml:

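Added example (not part of this ChangeLog or of JSC's sources): the ES6 Function.name behaviors discussed in the entry above and in the earlier FunctionExecutable::ecmaName() entry, observed from JavaScript: the member-assignment case that yields "", the "get"/"set" prefix for accessors, the "bound " prefix for bound functions, and why toString() must keep the source name once the configurable name property has been redefined to a non-string. Function and property names in the sample are this example's own.

```javascript
// Name inference as specified by ES6 (what ecmaName() is meant to reproduce).
function inferredNames() {
  var o = {};
  o.foo = function () {};          // member assignment: ES6 infers no name, so ""
  var bar = function () {};        // assignment to an identifier: "bar"
  var obj = {
    baz: function () {},           // property initializer: "baz"
    get qux() { return 1; },       // accessor: "get qux"
    set qux(v) {},                 // accessor: "set qux"
  };
  var d = Object.getOwnPropertyDescriptor(obj, 'qux');
  function plain() {}
  var bound = plain.bind(null, 1); // bound function: "bound plain"
  return {
    memberAssign: o.foo.name,
    identAssign: bar.name,
    propertyInit: obj.baz.name,
    getter: d.get.name,
    setter: d.set.name,
    bound: bound.name,
    anonymous: (function () {}).name, // no inference source at all: ""
  };
}

// Function.name is configurable, so script can redefine it to any value.
// toString() therefore has to print the original source name: a numeric
// "name" would not be a legal function name in an eval()-able string.
function nameVersusToString() {
  function original() {}
  var before = Object.getOwnPropertyDescriptor(original, 'name');
  Object.defineProperty(original, 'name', { value: 42 });
  var src = original.toString();
  return {
    configurable: before.configurable,       // true per ES6
    writableByDefault: before.writable,      // false per ES6
    nameAfter: original.name,                // 42: the redefined value
    toStringKeepsSourceName: src.startsWith('function original'),
    evaluable: typeof eval('(' + src + ')') === 'function',
  };
}
```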
2016-03-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r197793 and r197799.
        https://bugs.webkit.org/show_bug.cgi?id=155195

        something weird happened while landing this and everything
        broke (Requested by olliej on #webkit).

        Reverted changesets:

        "Start moving to separated writable and executable mappings in
        the JIT"
        https://bugs.webkit.org/show_bug.cgi?id=155178
        http://trac.webkit.org/changeset/197793

        "arm64 build fix after r197793."
        http://trac.webkit.org/changeset/197799

2016-03-08  Alex Christensen  <achristensen@webkit.org>

        arm64 build fix after r197793.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeBulletproofJIT):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        Use consistent ENABLE macro.  It looks like it was partially renamed.

2016-03-08  Filip Pizlo  <fpizlo@apple.com>

        Regexp matching should incur less call overhead
        https://bugs.webkit.org/show_bug.cgi?id=155181

        Reviewed by Geoffrey Garen.

        Previously we had DFG/FTL code call into the DFGOperation, which then called in to
        RegExpObject, which then called into createRegExpMatchesArray, which then called into
        RegExp, which then called the code generated by Yarr.

        Now we have DFG/FTL code call into the DFGOperation, which does all of the things and calls
        into code generated by Yarr.

        This is another tiny Octane/regexp speed-up.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::deleteCode):
        (JSC::RegExpFunctionalTestCollector::clearRegExp): Deleted.
        (JSC::RegExp::compileIfNecessary): Deleted.
        (JSC::RegExp::compileIfNecessaryMatchOnly): Deleted.
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h: Added.
        (JSC::RegExpFunctionalTestCollector::clearRegExp):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::matchInline):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createEmptyRegExpMatchesArray):
        (JSC::createStructureImpl):
        (JSC::tryCreateUninitializedRegExpMatchesArray): Deleted.
        (JSC::createRegExpMatchesArray): Deleted.
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        (JSC::createRegExpMatchesArray):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::put):
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
        (JSC::getLastIndexAsUnsigned): Deleted.
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::getLastIndex):
        (JSC::RegExpObject::test):
        (JSC::RegExpObject::testInline):
        * runtime/RegExpObjectInlines.h: Added.
        (JSC::getRegExpObjectLastIndexAsUnsigned):
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):

687 2016-03-08  Mark Lam  <mark.lam@apple.com>
688
689         synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
690         https://bugs.webkit.org/show_bug.cgi?id=155169
691
692         Reviewed by Geoffrey Garen.
693
694         With the exception checks, we may end up throwing new exceptions over an existing
695         one that has been thrown but not handled yet, thereby obscuring it.  It may also
696         mean that the VM will continue running on potentially unstable state, which may
697         have undesirable consequences.
698
699         I first observed this in some failed assertion while running tests on a patch for
700         https://bugs.webkit.org/show_bug.cgi?id=154865.
701
702         Performance is neutral with this patch (tested on x86_64).
703
704         1. Deleted JSNotAnObject, and removed all uses of it.
705
706         2. Added exception checks, when needed, following calls to synthesizePrototype()
707            and JSValue::toObject().
708
709            The cases that do not need an exception check are the ones that already ensure
710            that JSValue::toObject() is only called on a value that is convertible to an
711            object.  In those cases, I added an assertion that no exception was thrown
712            after the call.
713
714         * CMakeLists.txt:
715         * JavaScriptCore.xcodeproj/project.pbxproj:
716         * inspector/ScriptCallStackFactory.cpp:
717         (Inspector::createScriptCallStackFromException):
718         * interpreter/Interpreter.cpp:
719         * jit/JITOperations.cpp:
720         * llint/LLIntSlowPaths.cpp:
721         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
722         * runtime/ArrayPrototype.cpp:
723         (JSC::arrayProtoFuncJoin):
724         (JSC::arrayProtoFuncConcat):
725         (JSC::arrayProtoFuncPop):
726         (JSC::arrayProtoFuncPush):
727         (JSC::arrayProtoFuncReverse):
728         (JSC::arrayProtoFuncShift):
729         (JSC::arrayProtoFuncSlice):
730         (JSC::arrayProtoFuncSplice):
731         (JSC::arrayProtoFuncUnShift):
732         (JSC::arrayProtoFuncIndexOf):
733         (JSC::arrayProtoFuncLastIndexOf):
734         (JSC::arrayProtoFuncValues):
735         (JSC::arrayProtoFuncEntries):
736         (JSC::arrayProtoFuncKeys):
737         * runtime/CommonSlowPaths.cpp:
738         (JSC::SLOW_PATH_DECL):
739         * runtime/ExceptionHelpers.cpp:
740         * runtime/JSCJSValue.cpp:
741         (JSC::JSValue::toObjectSlowCase):
742         (JSC::JSValue::toThisSlowCase):
743         (JSC::JSValue::synthesizePrototype):
744         (JSC::JSValue::putToPrimitive):
745         (JSC::JSValue::putToPrimitiveByIndex):
746         * runtime/JSCJSValueInlines.h:
747         (JSC::JSValue::getPropertySlot):
748         (JSC::JSValue::get):
749         * runtime/JSFunction.cpp:
750         * runtime/JSGlobalObjectFunctions.cpp:
751         (JSC::globalFuncProtoGetter):
752         * runtime/JSNotAnObject.cpp: Removed.
753         * runtime/JSNotAnObject.h: Removed.
754         * runtime/ObjectConstructor.cpp:
755         (JSC::objectConstructorDefineProperties):
756         (JSC::objectConstructorCreate):
757         * runtime/ObjectPrototype.cpp:
758         (JSC::objectProtoFuncValueOf):
759         (JSC::objectProtoFuncHasOwnProperty):
760         (JSC::objectProtoFuncIsPrototypeOf):
761         (JSC::objectProtoFuncToString):
762         * runtime/VM.cpp:
763         (JSC::VM::VM):
764         * runtime/VM.h:
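
        The pattern this entry describes, as an added example rather than JSC's own code: a
        toy VM with a single pending-exception slot, a toObject() that throws for null and
        undefined, and a caller shown in the unchecked shape and the checked shape. The type
        and function names (VM, JSValue, classNameUnchecked, classNameChecked, runOnNull) are
        this example's own simplifications, and the "obscured" list stands in for the assertion
        JSC would fail when a second exception is thrown over an unhandled one.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Toy VM with one pending-exception slot, in the shape of JSC's VM
// (an assumed simplification for this example; not JSC code).
struct VM {
    std::optional<std::string> pendingException;
    std::vector<std::string> obscured; // exceptions overwritten before they were handled

    void throwException(std::string message) {
        // JSC asserts that nothing is pending when a new exception is thrown;
        // here the collision is recorded instead so the demo can observe it.
        if (pendingException)
            obscured.push_back(*pendingException);
        pendingException = std::move(message);
    }
    bool hasException() const { return pendingException.has_value(); }
};

struct JSObject {
    std::string className;
};

enum class Kind { Undefined, Null, Number, Object };

struct JSValue {
    Kind kind;
    JSObject* object = nullptr;
};

// ToObject: null and undefined are not convertible and throw a TypeError.
// On failure it returns nullptr and leaves the exception pending; the caller
// must check vm.hasException() before doing anything else.
JSObject* toObject(VM& vm, const JSValue& value) {
    static JSObject numberWrapper{"Number"};
    switch (value.kind) {
    case Kind::Undefined:
    case Kind::Null:
        vm.throwException("TypeError: null or undefined cannot be converted to an object");
        return nullptr;
    case Kind::Number:
        return &numberWrapper;
    case Kind::Object:
        return value.object;
    }
    return nullptr;
}

// Buggy shape: no exception check after toObject(). The function keeps going,
// treats the nullptr as an unrelated internal failure and throws a second
// exception on top of the TypeError, obscuring the real cause.
std::string classNameUnchecked(VM& vm, const JSValue& thisValue) {
    JSObject* object = toObject(vm, thisValue);
    if (!object) {
        vm.throwException("Error: internal failure while resolving this value");
        return "";
    }
    return object->className;
}

// Fixed shape: check for a pending exception immediately after the fallible
// call and return early so the original TypeError propagates untouched.
std::string classNameChecked(VM& vm, const JSValue& thisValue) {
    JSObject* object = toObject(vm, thisValue);
    if (vm.hasException())
        return "";
    return object->className;
}

struct Outcome {
    std::string pending;  // exception left pending after the call
    size_t obscured;      // how many exceptions were thrown over
};

// Runs one variant against a null receiver and reports what the VM ends up with.
Outcome runOnNull(bool checked) {
    VM vm;
    JSValue nullValue{Kind::Null};
    if (checked)
        classNameChecked(vm, nullValue);
    else
        classNameUnchecked(vm, nullValue);
    return Outcome{vm.pendingException.value_or(""), vm.obscured.size()};
}

// Sanity check that the checked path still works on a real object.
std::string classNameOfObject() {
    VM vm;
    JSObject array{"Array"};
    return classNameChecked(vm, JSValue{Kind::Object, &array});
}
```

        With a null receiver, runOnNull(false) ends with the generic Error pending and one
        obscured TypeError, while runOnNull(true) ends with the TypeError pending and nothing
        obscured; that difference is the whole point of placing the check directly after the
        call rather than relying on a null check later.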
765
766 2016-03-08  Oliver Hunt  <oliver@apple.com>
767
768         Start moving to separated writable and executable mappings in the JIT
769         https://bugs.webkit.org/show_bug.cgi?id=155178
770
771         Reviewed by Filip Pizlo.
772
773         Start moving to a separate writable and executable heap for the various
774         JITs.
775
776         As part of our work to harden the JIT against various attacks, we're
777         moving away from our current RWX heap and on to using separate RW and X
778         mappings. This means that simply leaking the location of the executable
779         mapping is not sufficient to compromise JSC, so we can continue to
780         use direct executable pointers in our GC objects (which we need for
781         performance), but keep the writable pointer in only a single location
782         so that we are less likely to leak the address. To further obscure the
783         address of the writable region we place it in an execute only region
784         of memory so that it is not possible to read the location from 
785         anywhere. That means an attacker must have at least partial control
786         of PC (to call jitMemCopy) before they can start to attack the JIT.
787
788         This work is initially ARM64 only, as the jitMemCopy we use is
789         currently specific to that platform's calling conventions and layout.
790         We're just landing it in the current form so that we can at least
791         ensure it doesn't regress.
792
793         * Configurations/FeatureDefines.xcconfig:
794         * assembler/ARM64Assembler.h:
795         (JSC::ARM64Assembler::ldp):
796         (JSC::ARM64Assembler::ldnp):
797         (JSC::ARM64Assembler::fillNops):
798         (JSC::ARM64Assembler::stp):
799         (JSC::ARM64Assembler::stnp):
800         (JSC::ARM64Assembler::replaceWithJump):
801         (JSC::ARM64Assembler::replaceWithLoad):
802         (JSC::ARM64Assembler::replaceWithAddressComputation):
803         (JSC::ARM64Assembler::setPointer):
804         (JSC::ARM64Assembler::repatchInt32):
805         (JSC::ARM64Assembler::repatchCompact):
806         (JSC::ARM64Assembler::linkJumpOrCall):
807         (JSC::ARM64Assembler::linkCompareAndBranch):
808         (JSC::ARM64Assembler::linkConditionalBranch):
809         (JSC::ARM64Assembler::linkTestAndBranch):
810         (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
811         (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
812         * assembler/LinkBuffer.cpp:
813         (JSC::LinkBuffer::copyCompactAndLinkCode):
814         (JSC::LinkBuffer::allocate):
815         * assembler/LinkBuffer.h:
816         (JSC::LinkBuffer::LinkBuffer):
817         * assembler/MacroAssemblerARM64.h:
818         (JSC::MacroAssemblerARM64::sub64):
819         (JSC::MacroAssemblerARM64::load64):
820         (JSC::MacroAssemblerARM64::loadPair64):
821         (JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
822         (JSC::MacroAssemblerARM64::load8):
823         (JSC::MacroAssemblerARM64::store64):
824         (JSC::MacroAssemblerARM64::storePair64):
825         (JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
826         (JSC::MacroAssemblerARM64::store8):
827         (JSC::MacroAssemblerARM64::branchAdd64):
828         (JSC::MacroAssemblerARM64::branchSub64):
829         * jit/ExecutableAllocator.h:
830         (JSC::performJITMemcpy):
831         * jit/ExecutableAllocatorFixedVMPool.cpp:
832         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
833         (JSC::FixedVMPoolExecutableAllocator::initializeBulletproofJIT):
834         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
835         * runtime/Options.cpp:
836         (JSC::recomputeDependentOptions):
837         * runtime/Options.h:
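
        The writable/executable split described above, as an added Linux-only example that
        is not JSC's FixedVMPoolExecutableAllocator: the same physical pages are mapped twice,
        once RW and once RX, the RW address is handed only to a single copy routine that plays
        the role of jitMemCopy, and everything else holds the RX address. The names
        (DualMappedCodeRegion, allocateDualMapped, jitMemCopy, runDemo, viewsAreDistinct) are
        this example's own; it assumes memfd_create is reachable through syscall(2) and
        supports x86-64 and arm64 code bytes only. It does not reproduce the execute-only
        hiding of the writable pointer, which needs platform support the example cannot assume.

```cpp
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Two views of the same physical pages: an RW view that only the JIT copy
// routine touches, and an RX view whose address may safely live in GC objects.
struct DualMappedCodeRegion {
    uint8_t* writable = nullptr;
    uint8_t* executable = nullptr;
    size_t size = 0;
};

// memfd_create (Linux 3.17+) via raw syscall so no particular glibc is required.
static int createAnonymousFile() {
#ifdef SYS_memfd_create
    return (int)syscall(SYS_memfd_create, "jit-code", 1u /* MFD_CLOEXEC */);
#else
    return -1;
#endif
}

bool allocateDualMapped(DualMappedCodeRegion& region, size_t size) {
    int fd = createAnonymousFile();
    if (fd < 0)
        return false;
    bool ok = ftruncate(fd, (off_t)size) == 0;
    void* rw = ok ? mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0) : MAP_FAILED;
    void* rx = ok ? mmap(nullptr, size, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0) : MAP_FAILED;
    close(fd); // the mappings keep the pages alive; the descriptor is no longer needed
    if (rw == MAP_FAILED || rx == MAP_FAILED) {
        if (rw != MAP_FAILED) munmap(rw, size);
        if (rx != MAP_FAILED) munmap(rx, size);
        return false;
    }
    region.writable = (uint8_t*)rw;
    region.executable = (uint8_t*)rx;
    region.size = size;
    return true;
}

void releaseDualMapped(DualMappedCodeRegion& region) {
    if (region.writable) munmap(region.writable, region.size);
    if (region.executable) munmap(region.executable, region.size);
    region = DualMappedCodeRegion{};
}

// The one routine that knows the writable address (the role jitMemCopy plays in
// the entry above). Everything else only ever sees region.executable.
void jitMemCopy(DualMappedCodeRegion& region, size_t offset, const void* src, size_t len) {
    if (offset + len > region.size)
        return;
    memcpy(region.writable + offset, src, len);
    // Make the new instructions visible through the RX view (needed on arm64, no-op on x86-64).
    char* start = (char*)region.executable + offset;
    __builtin___clear_cache(start, start + len);
}

// Hand-assembled "return 42" for the two architectures this example supports.
static size_t return42Code(uint8_t* out) {
#if defined(__x86_64__)
    static const uint8_t code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; // mov eax,42 ; ret
    memcpy(out, code, sizeof code);
    return sizeof code;
#elif defined(__aarch64__)
    static const uint8_t code[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; // mov w0,#42 ; ret
    memcpy(out, code, sizeof code);
    return sizeof code;
#else
    (void)out;
    return 0;
#endif
}

typedef int (*ReturnsInt)();

// Writes "return 42" through the RW view and runs it through the RX view.
// Returns 42 on success, -1 if the dual mapping is unavailable, -2 on an
// unsupported architecture.
int runDemo() {
    DualMappedCodeRegion region;
    if (!allocateDualMapped(region, 4096))
        return -1;
    uint8_t code[16];
    size_t len = return42Code(code);
    if (len == 0) {
        releaseDualMapped(region);
        return -2;
    }
    jitMemCopy(region, 0, code, len);
    ReturnsInt thunk = (ReturnsInt)(uintptr_t)region.executable; // only the RX address escapes
    int result = thunk();
    releaseDualMapped(region);
    return result;
}

// Leaking region.executable (what GC objects hold) does not reveal the RW address:
// the two views are distinct virtual addresses.
bool viewsAreDistinct() {
    DualMappedCodeRegion region;
    if (!allocateDualMapped(region, 4096))
        return false;
    bool distinct = region.writable != region.executable;
    releaseDualMapped(region);
    return distinct;
}

int main() {
    printf("jit thunk returned %d\n", runDemo());
    return 0;
}
```

        A store through region.executable faults, because that view never has PROT_WRITE, so
        an attacker who only knows the RX address cannot patch code; they must reach jitMemCopy
        (or discover region.writable) first, which is the property the entry is after.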
838
839 2016-03-08  Michael Saboff  <msaboff@apple.com>
840
841         [ES6] Regular Expression canonicalization tables for Unicode need to be updated to use Unicode CaseFolding.txt
842         https://bugs.webkit.org/show_bug.cgi?id=155114
843
844         Reviewed by Darin Adler.
845
846         Extracted out the Unicode canonicalization table creation from
847         YarrCanonicalizeUnicode.js into a new Python script, generateYarrCanonicalizeUnicode.
848         That script generates the Unicode tables as the file YarrCanonicalizeUnicode.cpp in
849         DerivedSources/JavaScriptCore.
850
851         Updated the processing of ignore case to make the ASCII short cuts dependent on whether
852         or not we are a Unicode pattern.
853
854         Renamed yarr/YarrCanonicalizeUnicode.{cpp,js} back to their prior names,
855         YarrCanonicalizeUCS2.{cpp,js}.
856         Renamed yarr/YarrCanonicalizeUnicode.h to YarrCanonicalize.h as it declares both the
857         legacy UCS2 and Unicode tables.
858
859         * CMakeLists.txt:
860         * DerivedSources.make:
861         * JavaScriptCore.xcodeproj/project.pbxproj:
862         * generateYarrCanonicalizeUnicode: Added.
863         * ucd: Added.
864         * ucd/CaseFolding.txt: Added.  The current version, 8.0, of the Unicode CaseFolding table.
865         * yarr/YarrCanonicalizeUCS2.cpp: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.cpp.
866         * yarr/YarrCanonicalize.h: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.h.
867         * yarr/YarrCanonicalizeUCS2.js: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.js.
868         (printHeader):
869         * yarr/YarrCanonicalizeUnicode.cpp: Removed.
870         * yarr/YarrCanonicalizeUnicode.h: Removed.
871         * yarr/YarrCanonicalizeUnicode.js: Removed.
872         * yarr/YarrInterpreter.cpp:
873         (JSC::Yarr::Interpreter::tryConsumeBackReference):
874         * yarr/YarrJIT.cpp:
875         * yarr/YarrPattern.cpp:
876         (JSC::Yarr::CharacterClassConstructor::putChar):
877
878 2016-03-08  Andreas Kling  <akling@apple.com>
879
880         WeakBlock::visit() should check for a WeakHandleOwner before consulting mark bits.
881         <https://webkit.org/b/155154>
882
883         Reviewed by Darin Adler.
884
885         Reorder the checks in WeakBlock::visit() so we don't look at the mark bits in MarkedBlock
886         unless the current WeakImpl has a WeakHandleOwner we need to consult.
887
888         I was originally hoping to make an optimization that could skip over entire WeakBlocks
889         if they didn't have a single WeakHandleOwner, but it turns out that scenario is not as
890         common as I suspected.
891
892         * heap/WeakBlock.cpp:
893         (JSC::WeakBlock::visit):
894
895 2016-03-07  Saam barati  <sbarati@apple.com>
896
897         [ES6] Implement revocable proxies
898         https://bugs.webkit.org/show_bug.cgi?id=154321
899
900         Reviewed by Mark Lam.
901
902         This patch is a straight forward implementation of Proxy.revocable
903         with respect to section 26.2.2.1 of the ECMAScript spec.
904         https://tc39.github.io/ecma262/#sec-proxy.revocable
905
906         This patch also fixes a bug in Proxy where we
907         were incorrectly caching "in", i.e, `"x" in proxy`.
908         We should never blatantly cache this because caching is observable
909         behavior by users of the language. We could come up with
910         a smarter caching scheme that caches only if the Proxy's
911         handler doesn't have a "has" property, i.e, we don't have
912         to call out to JS code. But for now, it's easiest to disable
913         caching.
914
915         * CMakeLists.txt:
916         * JavaScriptCore.xcodeproj/project.pbxproj:
917         * runtime/JSGlobalObject.cpp:
918         (JSC::JSGlobalObject::init):
919         (JSC::JSGlobalObject::visitChildren):
920         * runtime/JSGlobalObject.h:
921         (JSC::JSGlobalObject::moduleRecordStructure):
922         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
923         (JSC::JSGlobalObject::proxyObjectStructure):
924         (JSC::JSGlobalObject::proxyRevokeStructure):
925         (JSC::JSGlobalObject::wasmModuleStructure):
926         * runtime/ProxyConstructor.cpp:
927         (JSC::ProxyConstructor::create):
928         (JSC::ProxyConstructor::ProxyConstructor):
929         (JSC::makeRevocableProxy):
930         (JSC::proxyRevocableConstructorThrowError):
931         (JSC::ProxyConstructor::finishCreation):
932         (JSC::constructProxyObject):
933         * runtime/ProxyConstructor.h:
934         (JSC::ProxyConstructor::createStructure):
935         * runtime/ProxyObject.cpp:
936         (JSC::ProxyObject::finishCreation):
937         (JSC::performProxyGet):
938         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
939         (JSC::ProxyObject::performHasProperty):
940         (JSC::ProxyObject::performPut):
941         (JSC::performProxyCall):
942         (JSC::performProxyConstruct):
943         (JSC::ProxyObject::performDelete):
944         (JSC::ProxyObject::performPreventExtensions):
945         (JSC::ProxyObject::performIsExtensible):
946         (JSC::ProxyObject::performDefineOwnProperty):
947         (JSC::ProxyObject::performGetOwnPropertyNames):
948         (JSC::ProxyObject::performSetPrototype):
949         (JSC::ProxyObject::performGetPrototype):
950         (JSC::ProxyObject::getPrototype):
951         (JSC::ProxyObject::revoke):
952         (JSC::ProxyObject::visitChildren):
953         * runtime/ProxyObject.h:
954         (JSC::ProxyObject::create):
955         * runtime/ProxyRevoke.cpp: Added.
956         (JSC::ProxyRevoke::create):
957         (JSC::ProxyRevoke::ProxyRevoke):
958         (JSC::ProxyRevoke::finishCreation):
959         (JSC::performProxyRevoke):
960         (JSC::ProxyRevoke::getCallData):
961         (JSC::ProxyRevoke::visitChildren):
962         * runtime/ProxyRevoke.h: Added.
963         (JSC::ProxyRevoke::createStructure):
964         (JSC::ProxyRevoke::proxy):
965         (JSC::ProxyRevoke::setProxyToNull):
966         * tests/stress/proxy-has-property.js:
967         (assert):
968         (assert.let.handler.has):
969         (assert.let.foo):
970         * tests/stress/proxy-revoke.js: Added.
971         (assert):
972         (throw.new.Error.):
973         (throw.new.Error):
974         (callAllHandlers):
975         (shouldThrowNullHandler):
976         (allHandlersShouldThrow):
977         (i.let.trap.of.traps.trap.string_appeared_here.func):
978         (i.let.trap.of.traps.else.func):
979         (i.Proxy.revocable):
980
981 2016-03-07  Csaba Osztrogon√°c  <ossy@webkit.org>
982
983         Fix the ARM build after r197687
984         https://bugs.webkit.org/show_bug.cgi?id=155128
985
986         Reviewed by Saam Barati.
987
988         * assembler/MacroAssemblerARM.h:
989         (JSC::MacroAssemblerARM::moveZeroToDouble):
990
991 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
992
993         Reduce the number of instructions needed to record the last regexp result
994         https://bugs.webkit.org/show_bug.cgi?id=155161
995
996         Reviewed by Sam Weinig.
997
998         This tightens up RegExpCachedResult::record(). My profiling shows that we spend just
999         over 1% of the time in Octane/regexp in this function. This function had two obvious
1000         redundancies:
1001
1002         1) It executed the write barrier on owner twice. It only needs to execute it once. Since
1003            the same RegExpConstructor is likely to be used many times, it makes sense to do the
1004            barrier without looking at the 'to' objects at all. In steady state, this means that
1005            the RegExpConstructor will simply be OldGrey so this one barrier will always skip the
1006            slow path.
1007
1008         2) It cleared some fields that didn't need to be cleared, since we can just use
1009            m_reified to indicate that the fields are not meaningful anymore.
1010
1011         This is meant to be a microscopic regexp speed-up.
1012
1013         * runtime/RegExpCachedResult.cpp:
1014         (JSC::RegExpCachedResult::visitChildren):
1015         (JSC::RegExpCachedResult::lastResult):
1016         * runtime/RegExpCachedResult.h:
1017         (JSC::RegExpCachedResult::record):
1018
1019 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
1020
1021         createRegExpMatchesArray should allocate substrings more quickly
1022         https://bugs.webkit.org/show_bug.cgi?id=155160
1023
1024         Reviewed by Sam Weinig.
1025
1026         This was calling a version of jsSubstring() that isn't inlineable because it was doing a lot
1027         of checks in finishCreation(). In particular, it was checking that the base string is not
1028         itself a substring and that it's been resolved. We don't need those checks here, since the
1029         string must have been resolved prior to regexp processing.
1030
1031         This patch is also smart about whether to do checks for the empty and full substrings. In
1032         the matches array loop, these checks are super unlikely to be profitable, so we just
1033         unconditionally allocate the substring.
1034
1035         This removes those checks and makes the allocation inlineable. It looks like a 1% speed-up
1036         on Octane/regexp.
1037
1038         * runtime/JSString.h:
1039         (JSC::jsSubstring):
1040         (JSC::jsSubstringOfResolved):
1041         * runtime/RegExpMatchesArray.cpp:
1042         (JSC::createRegExpMatchesArray):
1043
1044 2016-03-07  Benjamin Poulain  <bpoulain@apple.com>
1045
1046         [JSC] Small clean up of how we use SSA's valuesAtHead
1047         https://bugs.webkit.org/show_bug.cgi?id=155152
1048
1049         Reviewed by Filip Pizlo.
1050
1051         liveAtHead and valuesAtHead contain the same nodes,
1052         so we do not need the extra lookup.
1053
1054         This also opens the way to use the same kind of liveness
1055         analysis as Air (where live values at head do not use a set).
1056
1057         * dfg/DFGInPlaceAbstractState.cpp:
1058         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1059         (JSC::DFG::InPlaceAbstractState::merge):
1060
1061 2016-03-07  Brian Burg  <bburg@apple.com>
1062
1063         Web Inspector: the protocol generator should generate factory method stubs for protocol types
1064         https://bugs.webkit.org/show_bug.cgi?id=155103
1065         <rdar://problem/25002772>
1066
1067         Reviewed by Timothy Hatcher.
1068
1069         Generate stubs with unique names so that parsing methods can be used
1070         reflectively at runtime, based on the protocol version that's loaded.
1071
1072         * JavaScriptCore.xcodeproj/project.pbxproj:
1073         * inspector/scripts/codegen/__init__.py:
1074         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1075         Added. For each type in a domain, add a method of the form
1076         -[ProtocolTypeConversions _parseXXX:fromPayload]. This is in a category
1077         method, and the selector is only ever looked up at runtime.
1078
1079         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
1080         * inspector/scripts/generate-inspector-protocol-bindings.py:
1081         (generate_from_specification):
1082
1083         Rebaseline test results with new generator output.
1084
1085         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1086         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1087         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1088         * inspector/scripts/tests/expected/enum-values.json-result:
1089         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1090         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1091         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1092         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1093         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1094         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1095         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1096         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1097         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1098
1099 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
1100
1101         RegExp.prototype.exec() should call into Yarr at most once
1102         https://bugs.webkit.org/show_bug.cgi?id=155139
1103
1104         Reviewed by Saam Barati.
1105
1106         For apparently no good reason, RegExp.prototype.match() was calling into Yarr twice, almost
1107         as if it was hoping that the non-matching case was so common that it was best to have the
1108         matching case do the work all over again.
1109
1110         This is a 4% speed-up on Octane/regexp. It's also a matter of common sense: we should not be
1111         in the business of presuming whether someone's match will succeed or fail. The increased
1112         cost of running Yarr twice is so much larger than whatever savings we were getting from
1113         running a match-only regexp that this is just not a good overall deal for the engine.
1114
1115         Also, it's interesting that we are seeing a 4% speed-up on regexp despite the fact that a
1116         majority (almost a supermajority, I think) of calls into RegExp.prototype.match() are failed
1117         matches. So, this change is a 4% speed-up despite being a slow down on the common case. That
1118         tells you just how bad the old behavior was on the uncommon case.
1119
1120         * runtime/MatchResult.h:
1121         (MatchResult::MatchResult):
1122         (MatchResult::failed):
1123         (MatchResult::operator bool):
1124         * runtime/RegExpCachedResult.cpp:
1125         (JSC::RegExpCachedResult::lastResult):
1126         * runtime/RegExpConstructor.h:
1127         (JSC::RegExpConstructor::setMultiline):
1128         (JSC::RegExpConstructor::multiline):
1129         (JSC::RegExpConstructor::performMatch):
1130         (JSC::RegExpConstructor::recordMatch):
1131         * runtime/RegExpMatchesArray.cpp:
1132         (JSC::createRegExpMatchesArray):
1133         (JSC::createEmptyRegExpMatchesArray):
1134         (JSC::createStructureImpl):
1135         * runtime/RegExpMatchesArray.h:
1136         (JSC::createRegExpMatchesArray):
1137         * runtime/RegExpObject.cpp:
1138         (JSC::RegExpObject::put):
1139         (JSC::getLastIndexAsUnsigned):
1140         (JSC::RegExpObject::exec):
1141         (JSC::RegExpObject::match):
1142         * runtime/RegExpObject.h:
1143         (JSC::RegExpObject::getLastIndex):
1144         (JSC::RegExpObject::test):
1145         * runtime/StringPrototype.cpp:
1146         (JSC::stringProtoFuncMatch):
1147
1148 2016-03-07  Joseph Pecoraro  <pecoraro@apple.com>
1149
1150         Heap Snapshot should include different Edge types and data (Property, Index, Variable)
1151         https://bugs.webkit.org/show_bug.cgi?id=154937
1152
1153         Reviewed by Geoffrey Garen.
1154
1155         * heap/SlotVisitor.cpp:
1156         (JSC::SlotVisitor::appendHidden):
1157         * heap/SlotVisitor.h:
1158         * heap/SlotVisitorInlines.h:
1159         (JSC::SlotVisitor::appendHidden):
1160         (JSC::SlotVisitor::appendValuesHidden):
1161         Add new visit methods to visit a reference without snapshotting the edge.
1162
1163         * heap/Heap.cpp:
1164         (JSC::AddExtraHeapSnapshotEdges::AddExtraHeapSnapshotEdges):
1165         (JSC::AddExtraHeapSnapshotEdges::operator()):
1166         (JSC::Heap::addHeapSnapshotEdges):
1167         (JSC::Heap::removeDeadHeapSnapshotNodes):
1168         (JSC::Heap::collectImpl):
1169         * heap/Heap.h:
1170         After marking, visit the live cells for a chance to record extra
1171         heap snapshotting information about the cell.
1172
1173         * heap/HeapSnapshotBuilder.cpp:
1174         (JSC::HeapSnapshotBuilder::appendNode):
1175         (JSC::HeapSnapshotBuilder::appendEdge):
1176         (JSC::HeapSnapshotBuilder::appendPropertyNameEdge):
1177         (JSC::HeapSnapshotBuilder::appendVariableNameEdge):
1178         (JSC::HeapSnapshotBuilder::appendIndexEdge):
1179         (JSC::HeapSnapshotBuilder::json):
1180         * heap/HeapSnapshotBuilder.h:
1181         (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
1182         Construct edges with extra data.
1183
1184         * runtime/ClassInfo.h:
1185         * runtime/JSCell.cpp:
1186         (JSC::JSCell::heapSnapshot):
1187         * runtime/JSCell.h:
1188         Add a new method to provide cells with an opportunity to provide
1189         extra heap snapshotting information.
1190
1191         * runtime/JSObject.cpp:
1192         (JSC::JSObject::visitButterfly):
1193         (JSC::JSObject::visitChildren):
1194         (JSC::JSObject::heapSnapshot):
1195         (JSC::JSFinalObject::visitChildren):
1196         * runtime/JSObject.h:
1197         Capture object property names and index names when heap snapshotting.
1198         Do not include them as internal edges in normal visitChildren.
1199
1200         * runtime/JSEnvironmentRecord.cpp:
1201         (JSC::JSEnvironmentRecord::visitChildren):
1202         (JSC::JSEnvironmentRecord::heapSnapshot):
1203         * runtime/JSEnvironmentRecord.h:
1204         * runtime/JSSegmentedVariableObject.cpp:
1205         (JSC::JSSegmentedVariableObject::visitChildren):
1206         (JSC::JSSegmentedVariableObject::heapSnapshot):
1207         * runtime/JSSegmentedVariableObject.h:
1208         Capture scope variable names when heap snapshotting.
1209
1210         * runtime/Structure.cpp:
1211         (JSC::Structure::visitChildren):
1212         * runtime/Structure.h:
1213         * runtime/StructureInlines.h:
1214         (JSC::Structure::propertyTable):
1215         When performing a heap snapshotting collection, don't clear the
1216         property table so that accessing the table during this GC is okay.
1217
1218         * tests/heapProfiler/driver/driver.js:
1219         * tests/heapProfiler/property-edge-types.js: Added.
1220         * tests/heapProfiler/variable-edge-types.js: Added.
1221         Tests covering the different edge types and data we capture.
1222
1223 2016-03-07  Saam barati  <sbarati@apple.com>
1224
1225         [ES6] Implement Proxy.[[GetPrototypeOf]]
1226         https://bugs.webkit.org/show_bug.cgi?id=155099
1227
1228         Reviewed by Mark Lam.
1229
1230         This patch is a straight forward implementation of Proxy.[[GetPrototypeOf]]
1231         with respect to section 9.5.1 of the ECMAScript spec.
1232         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-getprototypeof
1233
1234         * runtime/ProxyObject.cpp:
1235         (JSC::performProxyGet):
1236         (JSC::ProxyObject::setPrototype):
1237         (JSC::ProxyObject::performGetPrototype):
1238         (JSC::ProxyObject::getPrototype):
1239         (JSC::ProxyObject::visitChildren):
1240         * runtime/ProxyObject.h:
1241         * tests/es6.yaml:
1242         * tests/stress/proxy-get-prototype-of.js: Added.
1243         (assert):
1244         (throw.new.Error.let.handler.get getPrototypeOf):
1245         (throw.new.Error.get let):
1246         (throw.new.Error.get catch):
1247         (throw.new.Error):
1248         (assert.let.handler.getPrototypeOf):
1249         (assert.get let):
1250         (assert.get catch):
1251         (assert.):
1252         (let.handler.getPrototypeOf):
1253         (get let):
1254         (let.handler.has):
1255
1256 2016-03-07  Brian Burg  <bburg@apple.com>
1257
1258         Web Inspector: rename generated *EnumConversionHelpers.h to *TypeConversions.h
1259         https://bugs.webkit.org/show_bug.cgi?id=155121
1260         <rdar://problem/25010391>
1261
1262         Reviewed by Timothy Hatcher.
1263
1264         Split out this renaming from the work to generate factory method stubs for types.
1265
1266         * JavaScriptCore.xcodeproj/project.pbxproj:
1267         * inspector/scripts/codegen/__init__.py:
1268         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1269         (ObjCConfigurationImplementationGenerator.generate_output):
1270         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1271         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1272         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objc_conversion_helpers.py.
1273         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1274         (ObjCProtocolTypesImplementationGenerator.generate_output):
1275         * inspector/scripts/codegen/objc_generator_templates.py:
1276         * inspector/scripts/generate-inspector-protocol-bindings.py:
1277         (generate_from_specification):
1278
1279         Rebaseline tests after changing generator order.
1280
1281         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1282         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1283         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1284         * inspector/scripts/tests/expected/enum-values.json-result:
1285         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1286         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1287         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1288         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1289         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1290         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1291         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1292         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1293         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1294
1295 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
1296
1297         [JSC] Improve and64() and or64() with immediate on x86
1298         https://bugs.webkit.org/show_bug.cgi?id=155104
1299
1300         Reviewed by Geoffrey Garen.
1301
1302         GetButterflyReadOnly was doing:
1303             movq 0x8(%rbx), %r9
1304             movq $0xfffffffffffffffc, %r11
1305             andq %r11, %r9
1306         There is no need for the move to load the immediate;
1307         andq sign-extends its immediate.
1308
1309         With this patch, we have:
1310             movq 0x8(%rbx), %r9
1311             andq $0xfffffffffffffffc, %r9
1312
1313         * assembler/MacroAssemblerX86_64.h:
1314         (JSC::MacroAssemblerX86_64::and64):
1315         (JSC::MacroAssemblerX86_64::or64):
1316
1317 2016-03-07  Brian Burg  <bburg@apple.com>
1318
1319         Web Inspector: It should be possible to initialize generated ObjC protocol types from an NSDictionary payload
1320         https://bugs.webkit.org/show_bug.cgi?id=155102
1321         <rdar://problem/25002015>
1322
1323         Reviewed by Timothy Hatcher.
1324
1325         In Objective-C code, we sometimes prefer to parse JSON using Cocoa rather
1326         than the InspectorValue classes. Support initializing protocol objects
1327         directly from an NSDictionary payload. This delegates validation of values to
1328         the setter methods that already exist on the protocol object classes.
1329
1330         * inspector/scripts/codegen/generate_objc_header.py:
1331         (ObjCHeaderGenerator._generate_type_interface):
1332         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1333         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1334         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
1335         * inspector/scripts/codegen/objc_generator.py:
1336         (ObjCGenerator.payload_to_objc_expression_for_member):
1337         Add a new helper method to generate an expression to unpack the value
1338         from an NSDictionary. If it's not a primitive, the setter performs
1339         validation of the value's kind using -[NSObject isKindOfClass:].
1340
1341         Rebaseline relevant tests.
1342
1343         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1344         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1345         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1346         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1347         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1348         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1349         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1350
1351 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
1352
1353         [JSC] Simplify the overflow check of ArithAbs
1354         https://bugs.webkit.org/show_bug.cgi?id=155063
1355
1356         Reviewed by Geoffrey Garen.
1357
1358         The only integer that overflows abs(int32) is INT_MIN.
1359         For some reason, our code testing for that case
1360         was checking the top bit of the result specifically.
1361
1362         The code required a large immediate on x86 and an extra
1363         register on ARM64.
1364
1365         This patch turns the overflow check into a branch on
1366         the sign of the result.
1367
1368         * dfg/DFGSpeculativeJIT32_64.cpp:
1369         (JSC::DFG::SpeculativeJIT::compile):
1370         * dfg/DFGSpeculativeJIT64.cpp:
1371         (JSC::DFG::SpeculativeJIT::compile):
1372         * ftl/FTLLowerDFGToB3.cpp:
1373         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
1374         * jit/ThunkGenerators.cpp:
1375         (JSC::absThunkGenerator):
1376         * tests/stress/arith-abs-overflow.js: Added.
1377         (opaqueAbs):
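
The overflow argument above, as an added example that is not JSC code: a model of the int32 ArithAbs fast path in JavaScript, where `| 0` wraps to int32 the way the JIT's integer registers do, showing that the old top-bit check and the new sign check agree.

```javascript
// Added example, not JSC code: a model of the DFG ArithAbs int32 fast path.
// `| 0` wraps to int32 the way the JIT's integer registers do.
const INT32_MIN = -2147483648;

// Negate-and-wrap, as the fast path does before its overflow check.
function int32AbsRaw(x) {
  return (x < 0 ? -x : x) | 0;
}

// Old check from the entry: test the top bit of the result explicitly.
// The 0x80000000 mask is a large immediate on x86 and needs a scratch
// register on ARM64.
function overflowsByTopBit(x) {
  return (int32AbsRaw(x) & 0x80000000) !== 0;
}

// New check: INT32_MIN is the only int32 whose absolute value does not fit,
// and negating it wraps straight back to INT32_MIN, so a negative result
// means overflow. That is a single branch on the sign, no immediate needed.
function overflowsBySign(x) {
  return int32AbsRaw(x) < 0;
}

// The fast path as a whole: int32 result, or null when the JIT must fall back
// to the double path (Math.abs(INT32_MIN) is 2147483648, which no int32 holds).
function arithAbsInt32(x) {
  const r = int32AbsRaw(x);
  return r < 0 ? null : r;
}

// The two checks must agree on every int32; sample the edges and a few
// interior values (constructed sample set).
const SAMPLES = [INT32_MIN, INT32_MIN + 1, -1, 0, 1, 0x7fffffff];

function checksAgree(samples) {
  return samples.every((x) => overflowsByTopBit(x) === overflowsBySign(x));
}
```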
1378
1379 2016-03-07  Benjamin Poulain  <bpoulain@apple.com>
1380
1381         [JSC] Improve how DFG zero Floating Point registers
1382         https://bugs.webkit.org/show_bug.cgi?id=155096
1383
1384         Reviewed by Geoffrey Garen.
1385
1386         DFG had a weird way of zeroing a FPR:
1387             -zero a GP.
1388             -move that to a FP.
1389
1390         Filip added moveZeroToDouble() for B3. This patch
1391         uses that in the lower tiers.
1392
1393         * assembler/MacroAssemblerARMv7.h:
1394         (JSC::MacroAssemblerARMv7::moveZeroToDouble):
1395         * dfg/DFGSpeculativeJIT64.cpp:
1396         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1397         * jit/ThunkGenerators.cpp:
1398         (JSC::floorThunkGenerator):
1399         (JSC::roundThunkGenerator):
1400
1401 2016-03-07  Andreas Kling  <akling@apple.com>
1402
1403         REGRESSION (r197303): Web Inspector crashes web process when inspecting an element on TOT
1404         <https://webkit.org/b/154812>
1405
1406         Reviewed by Geoffrey Garen.
1407
1408         Guard against null pointer dereference for UnlinkedCodeBlocks that don't have any control flow
1409         profiling data.
1410
1411         * bytecode/CodeBlock.cpp:
1412         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1413         * bytecode/UnlinkedCodeBlock.h:
1414         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets):
1415
1416 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
1417
1418         [JSC] Remove a useless "Move" from baseline-JIT op_mul's fast path
1419         https://bugs.webkit.org/show_bug.cgi?id=155071
1420
1421         Reviewed by Geoffrey Garen.
1422
1423         We do not need to multiply to a scratch and then move the result
1424         to the destination. We can just multiply to the destination.
1425
1426         * jit/JITArithmetic.cpp:
1427         (JSC::JIT::emit_op_mul):
1428         * jit/JITMulGenerator.cpp:
1429         (JSC::JITMulGenerator::generateFastPath):
1430
1431 2016-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1432
1433         [JSC] StringObject.{put, defineOwnProperty} should realize indexed properties
1434         https://bugs.webkit.org/show_bug.cgi?id=155089
1435
1436         Reviewed by Geoffrey Garen.
1437
1438         Through implementing Reflect.set[1], we found StringObject does not obey the spec.
1439         StringObject::put should call putByIndex if the given propertyName is an index.
1440         And StringObject::defineOwnProperty should recognize indexed properties since
1441         JSObject::defineOwnIndexedProperty is specialized to JSObject layout.
1442         Before calling JSObject::defineOwnProperty,
1443         StringObject should handle its special indexed own properties.
1444         It is the responsibility of StringObject::defineOwnProperty.
1445
1446         And the logic is cleaned up by using validateAndApplyPropertyDescriptor.
1447
1448         [1]: https://bugs.webkit.org/show_bug.cgi?id=155024
1449
1450         * runtime/StringObject.cpp:
1451         (JSC::StringObject::put):
1452         (JSC::StringObject::putByIndex):
1453         (JSC::isStringOwnProperty):
1454         (JSC::StringObject::defineOwnProperty):
1455         (JSC::StringObject::deleteProperty):
1456         * tests/stress/string-object-define-own-property.js: Added.
1457         (shouldBe):
1458         (shouldThrow):
1459         * tests/stress/string-object-put-by-index.js: Added.
1460         (shouldBe):
1461         (shouldThrow):
1462         (testSloppy):
1463         (testStrict):
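
The spec behaviour this entry describes, as an added example modelled on the stress tests but not taken from them: indexed properties of a String object probed through Reflect, so that the results of [[Set]] and [[DefineOwnProperty]] are visible rather than silently swallowed.

```javascript
// Added example, not taken from the patch's test files: observable ES6
// behaviour of indexed properties on a String object.
function probeStringObjectIndices() {
  const s = new String("abc");
  const out = {};

  // Each in-range index is an own data property: non-writable, enumerable,
  // non-configurable.
  out.descriptor0 = Object.getOwnPropertyDescriptor(s, 0);

  // [[Set]] on an existing index takes the indexed path and fails (not
  // writable); the original character survives and nothing shadows it.
  out.setExisting = Reflect.set(s, 0, "x");
  out.charAfterSet = s[0];

  // [[Set]] beyond the string's length is an ordinary indexed store.
  out.setBeyondLength = Reflect.set(s, 3, "d");
  out.storedBeyondLength = s[3];

  // [[DefineOwnProperty]] on an in-range index is validated against the
  // string's own property: the same value is compatible, a different value
  // or writable:true is not.
  out.defineSameValue = Reflect.defineProperty(s, 1, { value: "b" });
  out.defineOtherValue = Reflect.defineProperty(s, 1, { value: "z" });
  out.defineWritable = Reflect.defineProperty(s, 1, { writable: true });

  // Strict-mode assignment to a character index throws a TypeError.
  out.strictThrows = (() => {
    "use strict";
    try {
      s[2] = "q";
      return false;
    } catch (e) {
      return e instanceof TypeError;
    }
  })();

  // Characters cannot be deleted (non-configurable); the property added at
  // index 3 can.
  out.deleteChar = Reflect.deleteProperty(s, 0);
  out.deleteAdded = Reflect.deleteProperty(s, 3);
  out.finalString = String(s);
  return out;
}
```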
1464
1465 2016-03-06  Brian Burg  <bburg@apple.com>
1466
1467         Web Inspector: the protocol generator should have separate prefix options for Objective-C classes and filenames
1468         https://bugs.webkit.org/show_bug.cgi?id=155101
1469         <rdar://problem/25000053>
1470
1471         Reviewed by Timothy Hatcher.
1472
1473         It should be possible to generate Objective-C protocol types without prefixing all class names.
1474         The prefixes are only necessary when the generated files are part of a framework, but this isn't
1475         how the generated Objective-C frontend files are used.
1476
1477         Add a separate framework setting and switch over code to use the 'protocol_group' in filenames,
1478         and the 'objc_prefix' for Objective-C enum and class prefixes.
1479
1480         No tests need to be rebaselined because tests always set the protocol_group and objc_prefix
1481         to the same value.
1482
1483         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1484         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1485         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1486         (ObjCConfigurationImplementationGenerator.output_filename):
1487         (ObjCConfigurationImplementationGenerator.generate_output):
1488         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1489         (ObjCConfigurationHeaderGenerator.output_filename):
1490         (ObjCConfigurationHeaderGenerator.generate_output):
1491         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1492         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1493         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1494         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1495         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1496         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1497         (ObjCConversionHelpersGenerator.output_filename):
1498         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1499         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1500         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1501         * inspector/scripts/codegen/generate_objc_header.py:
1502         (ObjCHeaderGenerator.output_filename):
1503         * inspector/scripts/codegen/generate_objc_internal_header.py:
1504         (ObjCInternalHeaderGenerator.output_filename):
1505         (ObjCInternalHeaderGenerator.generate_output):
1506         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1507         (ObjCProtocolTypesImplementationGenerator.output_filename):
1508         (ObjCProtocolTypesImplementationGenerator.generate_output):
1509         * inspector/scripts/codegen/models.py:
1510         * inspector/scripts/codegen/objc_generator.py:
1511         (ObjCGenerator):
1512         (ObjCGenerator.protocol_name):
1513         (ObjCGenerator.objc_prefix):
1514
1515 2016-03-06  Brian Burg  <bburg@apple.com>
1516
1517         Unreviewed, rebaseline inspector protocol generator tests after r197563.
1518
1519         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1520         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1521         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1522         * inspector/scripts/tests/expected/enum-values.json-result:
1523         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1524
1525 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
1526
1527         [JSC] Improve DFG's Int32 ArithMul if one operand is a constant
1528         https://bugs.webkit.org/show_bug.cgi?id=155066
1529
1530         Reviewed by Filip Pizlo.
1531
1532         When multiplying an integer by a constant, DFG was doing quite
1533         a bit worse than baseline JIT.
1534         We were loading the constant into a register, doing the multiply,
1535         then checking the result and both operands for negative zero.
1536
1537         This patch changes:
1538         -Use the multiply-by-immediate form on x86.
1539         -Do as few checks as possible to detect negative-zero.
1540
1541         In most cases, this reduces the negative-zero checks
1542         to zero or one TEST+JUMP.
1543
1544         * assembler/MacroAssembler.h:
1545         (JSC::MacroAssembler::mul32):
1546         * dfg/DFGSpeculativeJIT.cpp:
1547         (JSC::DFG::SpeculativeJIT::compileArithMul):
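
The negative-zero reasoning above, as an added example that is not JSC code: with the constant known at compile time, the check the fast path needs is decided statically, and the model is validated against real JavaScript multiplication semantics.

```javascript
// Added example, not JSC code: which negative-zero check an int32 multiply
// by a constant needs, and a fast-path model checked against JS semantics.

// With the constant c known at compile time the sign analysis is static:
//   c > 0:  x*c is 0 only when x is 0, and 0 * positive is +0: no check.
//   c < 0:  x*c is 0 only when x is 0, and 0 * negative is -0: test result.
//   c == 0: result is always 0, and it is -0 exactly when x < 0: test x.
// The last two cases are one TEST+JUMP each; the first needs none.
function negativeZeroCheckFor(c) {
  if (c > 0) return "none";
  if (c < 0) return "result-is-zero";
  return "operand-is-negative";
}

// Int32 fast path: the int32 product, or null where the JIT would bail out
// (overflow, or a -0 that an int32 register cannot represent).
function mulInt32ByConstant(x, c) {
  const product = x * c;
  if (product !== (product | 0)) return null; // does not fit in int32
  switch (negativeZeroCheckFor(c)) {
    case "result-is-zero":
      if (product === 0) return null; // -0 === 0 holds, so this catches -0
      break;
    case "operand-is-negative":
      if (x < 0) return null;
      break;
  }
  return product | 0;
}

// Oracle: the fast path may return an int32 only when the JS product is that
// exact value (telling -0 from +0), and must bail out in every other case.
function fastPathMatchesSpec(x, c) {
  const spec = x * c;
  const fast = mulInt32ByConstant(x, c);
  if (fast === null) return Object.is(spec, -0) || spec !== (spec | 0);
  return Object.is(spec, fast);
}

// Constructed sample set covering each sign of the constant and the int32 edges.
const CONSTANTS = [-3, 0, 5, 65536];
const OPERANDS = [-2147483648, -65536, -4, 0, 4, 65536, 2147483647];

function allAgree() {
  return CONSTANTS.every((c) => OPERANDS.every((x) => fastPathMatchesSpec(x, c)));
}
```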
1548
1549 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
1550
1551         [JSC] Remove a superfluous Move in front of every double unboxing
1552         https://bugs.webkit.org/show_bug.cgi?id=155064
1553
1554         Reviewed by Saam Barati.
1555
1556         Double unboxing was always doing:
1557             Move source, scratch
1558             Add64 tag, scratch
1559             IntToDouble scratch, fp
1560
1561         We do not need to "Move" to copy the source.
1562         Both x86 and ARM64 have an efficient 3-operand Add instruction.
1563
1564         * dfg/DFGSpeculativeJIT.cpp:
1565         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1566         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1567         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
1568         * dfg/DFGSpeculativeJIT.h:
1569         (JSC::DFG::SpeculativeJIT::unboxDouble):
1570         * jit/AssemblyHelpers.h:
1571         (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
1572         (JSC::AssemblyHelpers::unboxDouble):
1573         (JSC::AssemblyHelpers::unboxDoubleNonDestructive):
1574
1575 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
1576
1577         [JSC] Use 3 operands Add in more places
1578         https://bugs.webkit.org/show_bug.cgi?id=155082
1579
1580         Reviewed by Filip Pizlo.
1581
1582         * assembler/MacroAssembler.h:
1583         (JSC::MacroAssembler::addPtr):
1584         (JSC::MacroAssembler::add32):
1585         * assembler/MacroAssemblerARMv7.h:
1586         (JSC::MacroAssemblerARMv7::add32):
1587         * dfg/DFGSpeculativeJIT.cpp:
1588         (JSC::DFG::SpeculativeJIT::compileArithAdd):
1589         The case with child1 constant is useless.
1590         The canonical form will have the constant as child2.
1591
1592         Also add register reuse for the fast-add.
1593         Registers are a scarce resource on x86.
1594
1595         * jit/CCallHelpers.h:
1596         (JSC::CCallHelpers::prepareForTailCallSlow):
1597         * yarr/YarrJIT.cpp:
1598         (JSC::Yarr::YarrGenerator::generate):
1599
1600 2016-03-06  Benjamin Poulain  <bpoulain@apple.com>
1601
1602         [JSC] Improve codegen of Compare and Test
1603         https://bugs.webkit.org/show_bug.cgi?id=155055
1604
1605         Reviewed by Filip Pizlo.
1606
1607         This patch introduces a few improvements on how we lower
1608         Compare and Test with immediates:
1609             -Add certain Immediate forms of ARM64.
1610             -Use CBZ/CBNZ when possible on ARM64.
1611             -When possible, convert a CMP into a TST
1612              On some hardware, we can issue more TSTs simultaneously.
1613
1614              On x86, any TST+Jump is a candidate for macro-fusion.
1615              They are also smaller.
1616              (sections 3.4.2.2 and 3.5.1.9)
1617             -Do not load the mask immediate of a TST
1618              if it only contains ones (mostly useful for ARM64
1619              since that would not have been a valid immediate).
1620
1621         * assembler/MacroAssembler.h:
1622         (JSC::MacroAssembler::compare32):
1623         * assembler/MacroAssemblerARM64.h:
1624         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
1625         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
1626         This is somewhat unrelated but I found that out while working
1627         on moveDoubleConditionallyTest32:
1628             If "thenCase" and "dest" are assigned the same register
1629             by the allocator, then the first (f)fcsel would override
1630             the "thenCase" and the second fcsel would always be "elseCase".
1631
1632         This is covered by testb3 but was only uncovered
1633         after recent "Move" removals in lowering.
1634
1635         (JSC::MacroAssemblerARM64::moveConditionally32):
1636         (JSC::MacroAssemblerARM64::moveConditionally64):
1637         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
1638         (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
1639         (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
1640         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
1641         (JSC::MacroAssemblerARM64::branch32):
1642         (JSC::MacroAssemblerARM64::branch64):
1643         (JSC::MacroAssemblerARM64::branchTest32):
1644         (JSC::MacroAssemblerARM64::test32):
1645         The version taking an immediate was guarded by
1646         (cond == Zero) || (cond == NonZero). That is overzealous,
1647         and only needed for CBZ/CBNZ.
1648
1649         (JSC::MacroAssemblerARM64::branchTest64):
1650         (JSC::MacroAssemblerARM64::compare32):
1651         (JSC::MacroAssemblerARM64::compare64):
1652         (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
1653         * assembler/MacroAssemblerX86Common.h:
1654         (JSC::MacroAssemblerX86Common::moveConditionally32):
1655         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
1656         (JSC::MacroAssemblerX86Common::branch32):
1657         (JSC::MacroAssemblerX86Common::test32):
1658         (JSC::MacroAssemblerX86Common::branchTest32):
1659         (JSC::MacroAssemblerX86Common::compare32):
1660         (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
1661         * assembler/MacroAssemblerX86_64.h:
1662         (JSC::MacroAssemblerX86_64::compare64):
1663         (JSC::MacroAssemblerX86_64::branch64):
1664         (JSC::MacroAssemblerX86_64::moveConditionally64):
1665         * b3/B3LowerToAir.cpp:
1666         (JSC::B3::Air::LowerToAir::createGenericCompare):
1667         Unfortunately this cannot be abstracted by the MacroAssembler.
1668         Those immediates are not valid; we have to pick the better
1669         form right away.
1670
1671         * b3/air/AirOpcode.opcodes:
1672         * b3/testb3.cpp:
1673         (JSC::B3::int64Operands):
1674         (JSC::B3::modelCompare):
1675         (JSC::B3::testCompareImpl):
1676         (JSC::B3::testCompare):
1677         (JSC::B3::b3Pow):
1678         (JSC::B3::testPowDoubleByIntegerLoop):
1679         Some versions of pow(double, int) do not return
1680         the exact same bits as our integer loop.
1681         Added a new version to have the same behavior
1682         as the B3 loop.
1683
1684         (JSC::B3::run):
1685         * dfg/DFGSpeculativeJIT.cpp:
1686         (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
1687         * dfg/DFGSpeculativeJIT64.cpp:
1688         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
1689         Comparing to an immediate is super common. Do not waste
1690         a register for that!
1691
1692 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
1693
1694         Unreviewed, fix build. This was a messed up merge.
1695
1696         * ftl/FTLLowerDFGToB3.cpp:
1697         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1698
1699 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
1700
1701         DFG should know how to speculate StringOrOther
1702         https://bugs.webkit.org/show_bug.cgi?id=155094
1703
1704         Reviewed by Saam Barati.
1705
1706         Any code that processes the regexp matches array was previously doing a relatively expensive
1707         Branch(Untyped:). This introduces a new use kind called StringOrOther, which is perfect for
1708         code that loops over the matches array and branches on the entries being non-empty.
1709
1710         To do this, I needed to introduce code into the FTL that creates new blocks. We still had that
1711         awful FTL_NEW_BLOCK idiom since the only way to debug LLVM IR was to ascribe names to basic
1712         blocks. B3 IR is inherently more debuggable since unlike LLVM, B3 knows how to always respect
1713         code origin, and it knows how to print the code origin nicely in the dumps. So, rather than
1714         continue using FTL_NEW_BLOCK(m_out, ("things")), I replaced all of that stuff with
1715         m_out.newBlock(). It's much nicer that way.
1716
1717         This is a tiny speed-up on Octane/regexp at best. I was hoping for more. Oh well.
1718
1719         * bytecode/SpeculatedType.h:
1720         (JSC::isStringSpeculation):
1721         (JSC::isStringOrOtherSpeculation):
1722         (JSC::isSymbolSpeculation):
1723         * dfg/DFGFixupPhase.cpp:
1724         (JSC::DFG::FixupPhase::fixupNode):
1725         * dfg/DFGNode.h:
1726         (JSC::DFG::Node::shouldSpeculateString):
1727         (JSC::DFG::Node::shouldSpeculateStringOrOther):
1728         (JSC::DFG::Node::shouldSpeculateStringObject):
1729         * dfg/DFGSafeToExecute.h:
1730         (JSC::DFG::SafeToExecuteEdge::operator()):
1731         * dfg/DFGSpeculativeJIT.cpp:
1732         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
1733         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
1734         (JSC::DFG::SpeculativeJIT::emitStringBranch):
1735         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
1736         (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
1737         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1738         (JSC::DFG::SpeculativeJIT::speculateString):
1739         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
1740         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
1741         (JSC::DFG::SpeculativeJIT::speculate):
1742         * dfg/DFGSpeculativeJIT.h:
1743         * dfg/DFGSpeculativeJIT32_64.cpp:
1744         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1745         (JSC::DFG::SpeculativeJIT::emitBranch):
1746         * dfg/DFGSpeculativeJIT64.cpp:
1747         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1748         (JSC::DFG::SpeculativeJIT::emitBranch):
1749         * dfg/DFGUseKind.cpp:
1750         (WTF::printInternal):
1751         * dfg/DFGUseKind.h:
1752         (JSC::DFG::typeFilterFor):
1753         * ftl/FTLCapabilities.cpp:
1754         (JSC::FTL::canCompile):
1755         * ftl/FTLLowerDFGToB3.cpp:
1756         (JSC::FTL::DFG::LowerDFGToB3::lower):
1757         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
1758         (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
1759         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
1760         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
1761         (JSC::FTL::DFG::LowerDFGToB3::compileArithDiv):
1762         (JSC::FTL::DFG::LowerDFGToB3::compileArithMod):
1763         (JSC::FTL::DFG::LowerDFGToB3::compileArithMinOrMax):
1764         (JSC::FTL::DFG::LowerDFGToB3::compileArithPow):
1765         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1766         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructure):
1767         (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure):
1768         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
1769         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1770         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1771         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1772         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1773         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
1774         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
1775         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1776         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1777         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1778         (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest):
1779         (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
1780         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1781         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1782         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
1783         (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
1784         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1785         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1786         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1787         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1788         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
1789         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
1790         (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
1791         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1792         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
1793         (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
1794         (JSC::FTL::DFG::LowerDFGToB3::compileIsString):
1795         (JSC::FTL::DFG::LowerDFGToB3::compileIsObject):
1796         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
1797         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
1798         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
1799         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
1800         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1801         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1802         (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
1803         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1804         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
1805         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
1806         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1807         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1808         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
1809         (JSC::FTL::DFG::LowerDFGToB3::checkStructure):
1810         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
1811         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
1812         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1813         (JSC::FTL::DFG::LowerDFGToB3::loadVectorWithBarrier):
1814         (JSC::FTL::DFG::LowerDFGToB3::copyBarrier):
1815         (JSC::FTL::DFG::LowerDFGToB3::loadVectorReadOnly):
1816         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
1817         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
1818         (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
1819         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1820         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1821         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd):
1822         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1823         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1824         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1825         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
1826         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
1827         (JSC::FTL::DFG::LowerDFGToB3::switchString):
1828         (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
1829         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
1830         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
1831         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
1832         (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToJSValue):
1833         (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
1834         (JSC::FTL::DFG::LowerDFGToB3::convertDoubleToInt32):
1835         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1836         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
1837         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
1838         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
1839         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
1840         (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent):
1841         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
1842         (JSC::FTL::DFG::LowerDFGToB3::speculateRealNumber):
1843         (JSC::FTL::DFG::LowerDFGToB3::speculateNotStringVar):
1844         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
1845         (JSC::FTL::DFG::LowerDFGToB3::callCheck):
1846         * ftl/FTLOutput.cpp:
1847         (JSC::FTL::Output::initialize):
1848         (JSC::FTL::Output::newBlock):
1849         (JSC::FTL::Output::check):
1850         * ftl/FTLOutput.h:
1851         (JSC::FTL::Output::setFrequency):
1852         (JSC::FTL::Output::insertNewBlocksBefore):
1853
1854 2016-03-06  Saam Barati  <sbarati@apple.com>
1855
1856         [[GetPrototypeOf]] should be a fully virtual method in the method table
1857         https://bugs.webkit.org/show_bug.cgi?id=155002
1858
1859         Reviewed by Filip Pizlo.
1860
1861         This patch makes us more consistent with how the ES6 specification models the
1862         [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
1863         is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
1864         still allows directly accessing the prototype for situations where this
1865         is the desired behavior. This is equivalent to getting the internal
1866         [[Prototype]] field as described in the specification. 
1867
1868         * API/JSObjectRef.cpp:
1869         (JSObjectGetPrototype):
1870         (JSObjectSetPrototype):
1871         * dfg/DFGOperations.cpp:
1872         * dfg/DFGOperations.h:
1873         * dfg/DFGSpeculativeJIT.cpp:
1874         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1875         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
1876         * ftl/FTLLowerDFGToB3.cpp:
1877         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1878         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
1879         * jit/JITOpcodes.cpp:
1880         (JSC::JIT::emit_op_instanceof):
1881         (JSC::JIT::emitSlow_op_instanceof):
1882         * jit/JITOpcodes32_64.cpp:
1883         (JSC::JIT::emit_op_instanceof):
1884         (JSC::JIT::emitSlow_op_instanceof):
1885         * jit/JITOperations.cpp:
1886         * jit/JITOperations.h:
1887         * jsc.cpp:
1888         (functionCreateProxy):
1889         * llint/LLIntSlowPaths.cpp:
1890         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1891         * llint/LowLevelInterpreter.asm:
1892         * llint/LowLevelInterpreter32_64.asm:
1893         * llint/LowLevelInterpreter64.asm:
1894         * runtime/ArrayPrototype.cpp:
1895         (JSC::speciesConstructArray):
1896         * runtime/ClassInfo.h:
1897         * runtime/FunctionPrototype.cpp:
1898         (JSC::functionProtoFuncBind):
1899         * runtime/IntlCollatorPrototype.cpp:
1900         (JSC::IntlCollatorPrototypeGetterCompare):
1901         * runtime/IntlDateTimeFormatPrototype.cpp:
1902         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1903         * runtime/IntlNumberFormatPrototype.cpp:
1904         (JSC::IntlNumberFormatPrototypeGetterFormat):
1905         * runtime/JSBoundFunction.cpp:
1906         (JSC::hasInstanceBoundFunction):
1907         (JSC::getBoundFunctionStructure):
1908         (JSC::JSBoundFunction::create):
1909         * runtime/JSBoundFunction.h:
1910         * runtime/JSCJSValue.cpp:
1911         (JSC::JSValue::putToPrimitive):
1912         * runtime/JSCell.cpp:
1913         (JSC::JSCell::setPrototype):
1914         (JSC::JSCell::getPrototype):
1915         * runtime/JSCell.h:
1916         * runtime/JSGlobalObject.cpp:
1917         (JSC::JSGlobalObject::init):
1918         (JSC::JSGlobalObject::hasLegacyProfiler):
1919         (JSC::lastInPrototypeChain):
1920         (JSC::JSGlobalObject::objectPrototypeIsSane):
1921         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
1922         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
1923         * runtime/JSGlobalObject.h:
1924         (JSC::JSGlobalObject::finishCreation):
1925         * runtime/JSGlobalObjectFunctions.cpp:
1926         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
1927         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1928         (JSC::globalFuncProtoGetter):
1929         * runtime/JSLexicalEnvironment.cpp:
1930         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1931         * runtime/JSObject.cpp:
1932         (JSC::JSObject::calculatedClassName):
1933         (JSC::JSObject::putInlineSlow):
1934         (JSC::JSObject::setPrototypeWithCycleCheck):
1935         (JSC::JSObject::setPrototype):
1936         (JSC::JSObject::getPrototype):
1937         (JSC::JSObject::defaultHasInstance):
1938         (JSC::objectPrivateFuncInstanceOf):
1939         (JSC::JSObject::getPropertyNames):
1940         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1941         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
1942         (JSC::JSObject::getGenericPropertyNames):
1943         * runtime/JSObject.h:
1944         (JSC::JSObject::finishCreation):
1945         (JSC::JSObject::JSObject):
1946         (JSC::JSObject::getPrototypeDirect):
1947         (JSC::JSObject::getPrototype):
1948         (JSC::JSObject::getOwnNonIndexPropertySlot):
1949         (JSC::JSObject::getPropertySlot):
1950         (JSC::JSObject::getNonIndexPropertySlot):
1951         (JSC::JSObject::prototype): Deleted.
1952         * runtime/JSObjectInlines.h:
1953         (JSC::JSObject::canPerformFastPutInline):
1954         * runtime/JSProxy.cpp:
1955         (JSC::JSProxy::setTarget):
1956         * runtime/JSTypedArrayViewConstructor.cpp:
1957         (JSC::constructTypedArrayView):
1958         * runtime/ObjectConstructor.cpp:
1959         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
1960         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1961         (JSC::objectConstructorGetPrototypeOf):
1962         * runtime/ObjectPrototype.cpp:
1963         (JSC::objectProtoFuncIsPrototypeOf):
1964         * runtime/ProxyObject.cpp:
1965         (JSC::performProxyGet):
1966         (JSC::ProxyObject::performSetPrototype):
1967         * runtime/StructureInlines.h:
1968         (JSC::Structure::isValid):
1969         * tests/stress/proxy-has-property.js:
1970         (assert.let.h1.has):
1971         (assert.let.h2.has):
1972         (assert):
1973
1974 2016-03-06  Commit Queue  <commit-queue@webkit.org>
1975
1976         Unreviewed, rolling out r197645.
1977         https://bugs.webkit.org/show_bug.cgi?id=155097
1978
1979         "Doesn't build properly when building entire webkit"
1980         (Requested by saamyjoon on #webkit).
1981
1982         Reverted changeset:
1983
1984         "[[GetPrototypeOf]] should be a fully virtual method in the
1985         method table"
1986         https://bugs.webkit.org/show_bug.cgi?id=155002
1987         http://trac.webkit.org/changeset/197645
1988
1989 2016-03-06  Saam barati  <sbarati@apple.com>
1990
1991         [[GetPrototypeOf]] should be a fully virtual method in the method table
1992         https://bugs.webkit.org/show_bug.cgi?id=155002
1993
1994         Reviewed by Filip Pizlo.
1995
1996         This patch makes us more consistent with how the ES6 specification models the
1997         [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
1998         is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
1999         still allows directly accessing the prototype for situations where this
2000         is the desired behavior. This is equivalent to getting the internal
2001         [[Prototype]] field as described in the specification. 
2002
2003         * API/JSObjectRef.cpp:
2004         (JSObjectGetPrototype):
2005         (JSObjectSetPrototype):
2006         * dfg/DFGOperations.cpp:
2007         * dfg/DFGOperations.h:
2008         * dfg/DFGSpeculativeJIT.cpp:
2009         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2010         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
2011         * ftl/FTLLowerDFGToB3.cpp:
2012         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2013         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
2014         * jit/JITOpcodes.cpp:
2015         (JSC::JIT::emit_op_instanceof):
2016         (JSC::JIT::emitSlow_op_instanceof):
2017         * jit/JITOpcodes32_64.cpp:
2018         (JSC::JIT::emit_op_instanceof):
2019         (JSC::JIT::emitSlow_op_instanceof):
2020         * jit/JITOperations.cpp:
2021         * jit/JITOperations.h:
2022         * jsc.cpp:
2023         (functionCreateProxy):
2024         * llint/LLIntSlowPaths.cpp:
2025         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2026         * llint/LowLevelInterpreter.asm:
2027         * llint/LowLevelInterpreter32_64.asm:
2028         * llint/LowLevelInterpreter64.asm:
2029         * runtime/ArrayPrototype.cpp:
2030         (JSC::speciesConstructArray):
2031         * runtime/ClassInfo.h:
2032         * runtime/FunctionPrototype.cpp:
2033         (JSC::functionProtoFuncBind):
2034         * runtime/IntlCollatorPrototype.cpp:
2035         (JSC::IntlCollatorPrototypeGetterCompare):
2036         * runtime/IntlDateTimeFormatPrototype.cpp:
2037         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2038         * runtime/IntlNumberFormatPrototype.cpp:
2039         (JSC::IntlNumberFormatPrototypeGetterFormat):
2040         * runtime/JSBoundFunction.cpp:
2041         (JSC::hasInstanceBoundFunction):
2042         (JSC::getBoundFunctionStructure):
2043         (JSC::JSBoundFunction::create):
2044         * runtime/JSBoundFunction.h:
2045         * runtime/JSCJSValue.cpp:
2046         (JSC::JSValue::putToPrimitive):
2047         * runtime/JSCell.cpp:
2048         (JSC::JSCell::setPrototype):
2049         (JSC::JSCell::getPrototype):
2050         * runtime/JSCell.h:
2051         * runtime/JSGlobalObject.cpp:
2052         (JSC::JSGlobalObject::init):
2053         (JSC::JSGlobalObject::hasLegacyProfiler):
2054         (JSC::lastInPrototypeChain):
2055         (JSC::JSGlobalObject::objectPrototypeIsSane):
2056         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2057         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
2058         * runtime/JSGlobalObject.h:
2059         (JSC::JSGlobalObject::finishCreation):
2060         * runtime/JSGlobalObjectFunctions.cpp:
2061         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
2062         (JSC::GlobalFuncProtoGetterFunctor::operator()):
2063         (JSC::globalFuncProtoGetter):
2064         * runtime/JSLexicalEnvironment.cpp:
2065         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2066         * runtime/JSObject.cpp:
2067         (JSC::JSObject::calculatedClassName):
2068         (JSC::JSObject::putInlineSlow):
2069         (JSC::JSObject::setPrototypeWithCycleCheck):
2070         (JSC::JSObject::setPrototype):
2071         (JSC::JSObject::getPrototype):
2072         (JSC::JSObject::defaultHasInstance):
2073         (JSC::objectPrivateFuncInstanceOf):
2074         (JSC::JSObject::getPropertyNames):
2075         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2076         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
2077         (JSC::JSObject::getGenericPropertyNames):
2078         * runtime/JSObject.h:
2079         (JSC::JSObject::finishCreation):
2080         (JSC::JSObject::JSObject):
2081         (JSC::JSObject::getPrototypeDirect):
2082         (JSC::JSObject::getPrototype):
2083         (JSC::JSObject::getOwnNonIndexPropertySlot):
2084         (JSC::JSObject::getPropertySlot):
2085         (JSC::JSObject::getNonIndexPropertySlot):
2086         (JSC::JSObject::prototype): Deleted.
2087         * runtime/JSObjectInlines.h:
2088         (JSC::JSObject::canPerformFastPutInline):
2089         * runtime/JSProxy.cpp:
2090         (JSC::JSProxy::setTarget):
2091         * runtime/JSTypedArrayViewConstructor.cpp:
2092         (JSC::constructTypedArrayView):
2093         * runtime/ObjectConstructor.cpp:
2094         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
2095         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2096         (JSC::objectConstructorGetPrototypeOf):
2097         * runtime/ObjectPrototype.cpp:
2098         (JSC::objectProtoFuncIsPrototypeOf):
2099         * runtime/ProxyObject.cpp:
2100         (JSC::performProxyGet):
2101         (JSC::ProxyObject::performSetPrototype):
2102         * runtime/StructureInlines.h:
2103         (JSC::Structure::isValid):
2104         * tests/stress/proxy-has-property.js:
2105         (assert.let.h1.has):
2106         (assert.let.h2.has):
2107         (assert):
2108
2109 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
2110
2111         RegExpMatchesArray doesn't know how to have a bad time
2112         https://bugs.webkit.org/show_bug.cgi?id=155069
2113
2114         Reviewed by Yusuke Suzuki.
2115
2116         In trunk if we are having a bad time, the regexp matches array is still allocated with a
2117         non-slow-put indexing shape, which makes it have the wrong behavior on indexed setters on
2118         the prototype chain.
2119
2120         Getting this to work right requires introducing bad time code paths into the regexp matches
2121         array. It also requires something more drastic: making this code not play games with the
2122         global object. The code that creates the matches array needs to have the actual global
2123         object of the regexp native function that it's logically created by.
2124
2125         This is totally different from how we've handled global objects in the past because it means
2126         that the global object is not a constant. Normally we can make it a constant because a
2127         script executable will know its global object. But with native functions, it's the function
2128         instance that knows the global object - not the native executable. When we inline a native
2129         intrinsic, we are guaranteed to know the native executable but we're not guaranteed to know
2130         the function instance. This means that the global object may be a variable that gets computed
2131         by looking at the instance at run-time. So, the RegExpExec/RegExpTest nodes in DFG IR now
2132         take a global object child. That also meant adding a new node type, GetGlobalObject, which
2133         does the thing to the callee that CallFrame::lexicalGlobalObject() would have done.
2134         Eventually, we'll probably have to make other native intrinsics also use GetGlobalObject. It
2135         turns out that this really isn't so bad because usually it's constant-folded anyway, since
2136         although the intrinsic code supports executable-based inlining (which leaves the callee
2137         instance as an unknown), it happens rarely for intrinsics. So, conveying the global object
2138         via a child isn't any worse than conveying it via meta-data, and it's probably better than
2139         telling the inliner not to do executable-based inlining of native intrinsics. That would
2140         have been a confusing special-case.
2141
2142         This is perf-neutral on my machines but it fixes a bug and it unlocks some interesting
2143         possibilities. For example, RegExpExec can now make a firm promise about the type of array
2144         it's creating.
2145
2146         This also contains some other changes:
2147         
2148         - We are now using Structure::addPropertyTransition() in a lot of places even though it was
2149           meant to be an internal method with a quirky contract - for example it only works if you
2150           know that there is no existing transition. This relaxes this constraint.
2151         
2152         - Restores the use of "*" for heap references in JSString.h. It's very unusual to have heap
2153           references pointed at with "&", since we don't currently do that anywhere. The fact that
2154           it was using the wrong reference type also meant that the code couldn't elegantly make use
2155           of some of our GC pointer helpers like jsCast<>.
2156
2157         * dfg/DFGAbstractInterpreterInlines.h:
2158         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2159         * dfg/DFGByteCodeParser.cpp:
2160         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2161         (JSC::DFG::ByteCodeParser::handleMinMax):
2162         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2163         * dfg/DFGClobberize.h:
2164         (JSC::DFG::clobberize):
2165         * dfg/DFGDoesGC.cpp:
2166         (JSC::DFG::doesGC):
2167         * dfg/DFGFixupPhase.cpp:
2168         (JSC::DFG::FixupPhase::fixupNode):
2169         * dfg/DFGNodeType.h:
2170         * dfg/DFGOperations.cpp:
2171         * dfg/DFGOperations.h:
2172         * dfg/DFGPredictionPropagationPhase.cpp:
2173         (JSC::DFG::PredictionPropagationPhase::propagate):
2174         * dfg/DFGSafeToExecute.h:
2175         (JSC::DFG::safeToExecute):
2176         * dfg/DFGSpeculativeJIT.cpp:
2177         (JSC::DFG::SpeculativeJIT::compileSkipScope):
2178         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
2179         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2180         * dfg/DFGSpeculativeJIT.h:
2181         (JSC::DFG::SpeculativeJIT::callOperation):
2182         * dfg/DFGSpeculativeJIT32_64.cpp:
2183         (JSC::DFG::SpeculativeJIT::compile):
2184         * dfg/DFGSpeculativeJIT64.cpp:
2185         (JSC::DFG::SpeculativeJIT::compile):
2186         * ftl/FTLCapabilities.cpp:
2187         (JSC::FTL::canCompile):
2188         * ftl/FTLLowerDFGToB3.cpp:
2189         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2190         (JSC::FTL::DFG::LowerDFGToB3::compileSkipScope):
2191         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalObject):
2192         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
2193         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
2194         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
2195         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2196         * jit/JITOperations.h:
2197         * runtime/JSGlobalObject.cpp:
2198         (JSC::JSGlobalObject::init):
2199         (JSC::JSGlobalObject::haveABadTime):
2200         (JSC::JSGlobalObject::visitChildren):
2201         * runtime/JSGlobalObject.h:
2202         * runtime/JSObject.h:
2203         (JSC::JSObject::putDirectInternal):
2204         * runtime/JSString.h:
2205         (JSC::jsString):
2206         (JSC::jsSubstring):
2207         * runtime/RegExpCachedResult.cpp:
2208         (JSC::RegExpCachedResult::lastResult):
2209         * runtime/RegExpMatchesArray.cpp:
2210         (JSC::tryCreateUninitializedRegExpMatchesArray):
2211         (JSC::createRegExpMatchesArray):
2212         (JSC::createStructureImpl):
2213         (JSC::createRegExpMatchesArrayStructure):
2214         (JSC::createRegExpMatchesArraySlowPutStructure):
2215         * runtime/RegExpMatchesArray.h:
2216         * runtime/RegExpObject.cpp:
2217         (JSC::RegExpObject::put):
2218         (JSC::RegExpObject::exec):
2219         (JSC::RegExpObject::match):
2220         * runtime/RegExpObject.h:
2221         (JSC::RegExpObject::getLastIndex):
2222         (JSC::RegExpObject::test):
2223         * runtime/RegExpPrototype.cpp:
2224         (JSC::regExpProtoFuncTest):
2225         (JSC::regExpProtoFuncExec):
2226         (JSC::regExpProtoFuncCompile):
2227         * runtime/StringPrototype.cpp:
2228         (JSC::stringProtoFuncMatch):
2229         * runtime/Structure.cpp:
2230         (JSC::Structure::suggestedArrayStorageTransition):
2231         (JSC::Structure::addPropertyTransition):
2232         (JSC::Structure::addNewPropertyTransition):
2233         * runtime/Structure.h:
2234         * tests/stress/regexp-matches-array-bad-time.js: Added.
2235         * tests/stress/regexp-matches-array-slow-put.js: Added.
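
Added example (not from the WebKit ChangeLog or the JSC sources) of the observable semantics the entry above fixes: once an indexed accessor is installed on Array.prototype, a store into a hole of any array, including the array returned by RegExp.prototype.exec, must run that accessor instead of creating an own property. The setter index and the regexp are constructed for the demonstration.

```javascript
// Records what the prototype-chain setter received so the behaviour can be checked.
const setterLog = [];

// Installs an accessor at a numeric index on Array.prototype. In JSC this is the
// kind of change that puts the heap into the "bad time" state the entry talks
// about: arrays can no longer assume that hole stores are plain own-property writes.
function installIndexedSetter(index) {
  Object.defineProperty(Array.prototype, index, {
    configurable: true,
    set(value) { setterLog.push({ index, value }); },
    // no getter: reading a hole at this index yields undefined
  });
}

function removeIndexedSetter(index) {
  delete Array.prototype[index];
}

// Scenario from the entry: a matches array produced by exec, then a store into a
// hole beyond the captured groups. The store must reach the prototype setter, the
// array must not grow, and the captures must stay intact.
function matchesArrayHonoursPrototypeSetter() {
  const holeIndex = 7; // constructed: any index beyond the capture count works
  installIndexedSetter(holeIndex);
  try {
    setterLog.length = 0;
    const m = /(b)(c)?/.exec("abc"); // m = ["bc", "b", "c"]; index 7 is a hole
    m[holeIndex] = "stored";
    return {
      setterCalls: setterLog.length,
      setterValue: setterLog.length ? setterLog[0].value : undefined,
      ownProperty: Object.prototype.hasOwnProperty.call(m, holeIndex),
      length: m.length, // stays 3: the store was intercepted, not applied
      captureIntact: m[0] === "bc" && m[1] === "b" && m[2] === "c",
    };
  } finally {
    removeIndexedSetter(holeIndex); // leave Array.prototype as we found it
  }
}
```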
2236
2237 2016-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2238
2239         [JSC] RegExp#lastIndex should handle writable attribute when defining in defineOwnProperty path
2240         https://bugs.webkit.org/show_bug.cgi?id=155093
2241
2242         Reviewed by Filip Pizlo.
2243
2244         Before this patch, `setLastIndex(ExecState* exec, size_t lastIndex)` always overwrites the existing value
2245         regardless of the writable attribute.
2246         And when defining RegExp#lastIndex in defineOwnProperty, we need to define the value first
2247         before making the attribute readonly. After changing the writable attribute, we cannot define the value.
2248
2249         * runtime/RegExpObject.cpp:
2250         (JSC::RegExpObject::defineOwnProperty):
2251         * runtime/RegExpObject.h:
2252         (JSC::RegExpObject::setLastIndex):
2253         * tests/stress/regexp-last-index-writable.js: Added.
2254         (shouldBe):
2255         (shouldThrow):
2256         (regExpLastIndex):
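
Added example (not from the WebKit ChangeLog or the JSC sources) exercising the RegExp#lastIndex behaviour described above: one defineProperty call both changes the value and clears writable, after which neither assignment, exec on a global regexp, nor a further defineProperty may overwrite lastIndex. The regexp and values are constructed for the demonstration.

```javascript
// Returns the constructor name of the error thrown by fn, or null if it did not throw.
function thrownError(fn) {
  try { fn(); return null; } catch (e) { return e.constructor.name; }
}

// Strict-mode store: assigning to a non-writable data property throws TypeError
// here, whereas sloppy mode would silently ignore the write.
function strictAssign(obj, key, value) {
  "use strict";
  obj[key] = value;
}

function lastIndexWritableScenario() {
  const re = /a/g;
  re.lastIndex = 2; // ordinary store while the property is still writable

  // Value and writable:false in the same descriptor. The engine has to apply the
  // value before it makes the property read-only, which is the ordering the entry fixes.
  Object.defineProperty(re, "lastIndex", { value: 1, writable: false });

  const valueAfterDefine = re.lastIndex; // must be 1, not the earlier 2
  const desc = Object.getOwnPropertyDescriptor(re, "lastIndex");

  const assignError = thrownError(() => strictAssign(re, "lastIndex", 0));

  // A global RegExp updates lastIndex after a successful match. With lastIndex
  // read-only, exec must throw instead of overwriting it behind the attribute.
  const execError = thrownError(() => re.exec("aaa"));

  // lastIndex is non-configurable, so changing the value of a non-writable
  // property through defineProperty is rejected as well.
  const redefineError = thrownError(() =>
    Object.defineProperty(re, "lastIndex", { value: 2 }));

  return {
    valueAfterDefine,
    writable: desc.writable,
    assignError,
    execError,
    redefineError,
    stillOne: re.lastIndex === 1,
  };
}
```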
2257
2258 2016-03-05  Filip Pizlo  <fpizlo@apple.com>
2259
2260         The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell
2261         https://bugs.webkit.org/show_bug.cgi?id=154900
2262
2263         Reviewed by Saam Barati.
2264
2265         These old operations used to speculate cell. That's what they did when they were first
2266         introduced. That was probably about as good as they could do back then because we didn't have
2267         very powerful checks. Now we have powerful checks, so we can do this right.
2268
2269         The most profitable thing to check is that child1 is a RegExpObject and child2 is a JSString.
2270         Sometimes though, we will not know what child2 is even though we know that child1 is a
2271         RegExpObject. So, this patch means that RegExpExec/RegExpTest have the following overloads:
2272
2273             RegExpExec(RegExpObject:, String:)
2274             RegExpExec(RegExpObject:, Untyped:)
2275             RegExpExec(Untyped:, Untyped:)
2276
2277         This shaves off some type checks in Octane/regexp. It also cleans up some problems in our
2278         modeling of the effectfulness of these operations.
2279
2280         * dfg/DFGAbstractInterpreterInlines.h:
2281         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2282         * dfg/DFGClobberize.h:
2283         (JSC::DFG::clobberize):
2284         * dfg/DFGFixupPhase.cpp:
2285         (JSC::DFG::FixupPhase::fixupNode):
2286         * dfg/DFGOperations.cpp:
2287         * dfg/DFGOperations.h:
2288         * dfg/DFGSpeculativeJIT.h:
2289         (JSC::DFG::SpeculativeJIT::callOperation):
2290         * dfg/DFGSpeculativeJIT32_64.cpp:
2291         (JSC::DFG::SpeculativeJIT::compile):
2292         * dfg/DFGSpeculativeJIT64.cpp:
2293         (JSC::DFG::SpeculativeJIT::compile):
2294         * ftl/FTLLowerDFGToB3.cpp:
2295         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
2296         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
2297         * jit/JITOperations.h:
2298
2299 2016-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2300
2301         [ES6] Support Reflect.construct
2302         https://bugs.webkit.org/show_bug.cgi?id=147330
2303
2304         Reviewed by Saam Barati.
2305
2306         Based on Saam's r196868, this patch adds support for Reflect.construct.
2307         This patch implements OrdinaryCreateFromConstructor[1] for fallback cases.
2308         This path is rarely taken. For example,
2309
2310             Reflect.construct(function () { }, [], Map);
2311
2312         In this case, the `new.target` becomes `Map`.
2313         So we should create an object whose `__proto__` is `Map.prototype`.
2314
2315         And to allow forward declaration (and to encourage strong type checking), we change
2316         ConstructType and CallType to C++11 enum classes.
2317
2318         [1]: http://ecma-international.org/ecma-262/6.0/#sec-ordinarycreatefromconstructor
2319
2320         * API/JSCallbackConstructor.cpp:
2321         (JSC::JSCallbackConstructor::getConstructData):
2322         * API/JSCallbackFunction.cpp:
2323         (JSC::JSCallbackFunction::getCallData):
2324         * API/JSCallbackObjectFunctions.h:
2325         (JSC::JSCallbackObject<Parent>::getConstructData):
2326         (JSC::JSCallbackObject<Parent>::getCallData):
2327         * API/JSObjectRef.cpp:
2328         (JSObjectIsFunction):
2329         (JSObjectCallAsFunction):
2330         (JSObjectIsConstructor):
2331         (JSObjectCallAsConstructor):
2332         * API/ObjCCallbackFunction.mm:
2333         (JSC::ObjCCallbackFunction::getCallData):
2334         (JSC::ObjCCallbackFunction::getConstructData):
2335         * bindings/ScriptFunctionCall.cpp:
2336         (Deprecated::ScriptFunctionCall::call):
2337         * bindings/ScriptValue.cpp:
2338         (Deprecated::ScriptValue::isFunction):
2339         * builtins/ReflectObject.js:
2340         * dfg/DFGOperations.cpp:
2341         * inspector/InjectedScriptManager.cpp:
2342         (Inspector::InjectedScriptManager::createInjectedScript):
2343         * interpreter/Interpreter.cpp:
2344         (JSC::sizeOfVarargs):
2345         (JSC::Interpreter::execute):
2346         (JSC::Interpreter::executeCall):
2347         (JSC::Interpreter::executeConstruct):
2348         * jit/JITOperations.cpp:
2349         * llint/LLIntSlowPaths.cpp:
2350         (JSC::LLInt::handleHostCall):
2351         * runtime/ArrayConstructor.cpp:
2352         (JSC::ArrayConstructor::getConstructData):
2353         (JSC::ArrayConstructor::getCallData):
2354         * runtime/ArrayPrototype.cpp:
2355         (JSC::arrayProtoFuncToString):
2356         (JSC::arrayProtoFuncToLocaleString):
2357         (JSC::getLength): Deleted.
2358         * runtime/BooleanConstructor.cpp:
2359         (JSC::BooleanConstructor::getConstructData):
2360         (JSC::BooleanConstructor::getCallData):
2361         * runtime/CallData.cpp:
2362         (JSC::call):
2363         * runtime/CallData.h:
2364         * runtime/CommonSlowPaths.cpp:
2365         (JSC::SLOW_PATH_DECL):
2366         * runtime/ConstructData.cpp:
2367         (JSC::construct):
2368         * runtime/ConstructData.h:
2369         * runtime/DateConstructor.cpp:
2370         (JSC::DateConstructor::getConstructData):
2371         (JSC::DateConstructor::getCallData):
2372         * runtime/DatePrototype.cpp:
2373         (JSC::dateProtoFuncToJSON):
2374         * runtime/Error.h:
2375         (JSC::StrictModeTypeErrorFunction::getConstructData):
2376         (JSC::StrictModeTypeErrorFunction::getCallData):
2377         * runtime/ErrorConstructor.cpp:
2378         (JSC::ErrorConstructor::getConstructData):
2379         (JSC::ErrorConstructor::getCallData):
2380         * runtime/ExceptionHelpers.cpp:
2381         (JSC::errorDescriptionForValue):
2382         * runtime/FunctionConstructor.cpp:
2383         (JSC::FunctionConstructor::getConstructData):
2384         (JSC::FunctionConstructor::getCallData):
2385         * runtime/FunctionPrototype.cpp:
2386         (JSC::FunctionPrototype::getCallData):
2387         (JSC::functionProtoFuncToString):
2388         (JSC::functionProtoFuncBind):
2389         * runtime/GeneratorFunctionConstructor.cpp:
2390         (JSC::GeneratorFunctionConstructor::getCallData):
2391         (JSC::GeneratorFunctionConstructor::getConstructData):
2392         * runtime/InternalFunction.cpp:
2393         (JSC::InternalFunction::getCallData):
2394         * runtime/IntlCollatorConstructor.cpp:
2395         (JSC::IntlCollatorConstructor::getConstructData):
2396         (JSC::IntlCollatorConstructor::getCallData):
2397         * runtime/IntlDateTimeFormatConstructor.cpp:
2398         (JSC::IntlDateTimeFormatConstructor::getConstructData):
2399         (JSC::IntlDateTimeFormatConstructor::getCallData):
2400         * runtime/IntlNumberFormatConstructor.cpp:
2401         (JSC::IntlNumberFormatConstructor::getConstructData):
2402         (JSC::IntlNumberFormatConstructor::getCallData):
2403         * runtime/IteratorOperations.cpp:
2404         (JSC::iteratorNext):
2405         (JSC::iteratorClose):
2406         * runtime/JSArray.h:
2407         (JSC::getLength):
2408         * runtime/JSArrayBufferConstructor.cpp:
2409         (JSC::JSArrayBufferConstructor::getConstructData):
2410         (JSC::JSArrayBufferConstructor::getCallData):
2411         * runtime/JSBoundFunction.cpp:
2412         (JSC::boundFunctionCall):
2413         (JSC::boundFunctionConstruct):
2414         (JSC::JSBoundFunction::create):
2415         * runtime/JSCJSValue.h:
2416         * runtime/JSCJSValueInlines.h:
2417         (JSC::JSValue::isFunction):
2418         (JSC::JSValue::isConstructor):
2419         * runtime/JSCell.cpp:
2420         (JSC::JSCell::getCallData):
2421         (JSC::JSCell::getConstructData):
2422         * runtime/JSFunction.cpp:
2423         (JSC::JSFunction::getCallData):
2424         (JSC::JSFunction::getConstructData):
2425         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2426         (JSC::constructGenericTypedArrayViewWithArguments):
2427         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData):
2428         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2429         * runtime/JSInternalPromise.cpp:
2430         (JSC::JSInternalPromise::then):
2431         * runtime/JSInternalPromiseConstructor.cpp:
2432         (JSC::JSInternalPromiseConstructor::getConstructData):
2433         (JSC::JSInternalPromiseConstructor::getCallData):
2434         * runtime/JSJob.cpp:
2435         (JSC::JSJobMicrotask::run):
2436         * runtime/JSONObject.cpp:
2437         (JSC::Stringifier::Stringifier):
2438         (JSC::Stringifier::toJSONImpl):
2439         (JSC::Stringifier::appendStringifiedValue):
2440         (JSC::JSONProtoFuncParse):
2441         * runtime/JSObject.cpp:
2442         (JSC::callToPrimitiveFunction):
2443         (JSC::JSObject::hasInstance):
2444         (JSC::JSObject::getMethod):
2445         * runtime/JSObject.h:
2446         (JSC::getCallData):
2447         (JSC::getConstructData):
2448         * runtime/JSPromise.cpp:
2449         (JSC::JSPromise::initialize):
2450         * runtime/JSPromiseConstructor.cpp:
2451         (JSC::JSPromiseConstructor::getConstructData):
2452         (JSC::JSPromiseConstructor::getCallData):
2453         * runtime/JSPromiseDeferred.cpp:
2454         (JSC::newPromiseCapability):
2455         (JSC::callFunction):
2456         * runtime/JSTypedArrayViewConstructor.cpp:
2457         (JSC::constructTypedArrayView):
2458         (JSC::JSTypedArrayViewConstructor::getConstructData):
2459         (JSC::JSTypedArrayViewConstructor::getCallData):
2460         * runtime/MapConstructor.cpp:
2461         (JSC::constructMap):
2462         (JSC::MapConstructor::getConstructData):
2463         (JSC::MapConstructor::getCallData):
2464         * runtime/ModuleLoaderObject.cpp:
2465         (JSC::ModuleLoaderObject::provide):
2466         (JSC::ModuleLoaderObject::loadAndEvaluateModule):
2467         (JSC::ModuleLoaderObject::loadModule):
2468         (JSC::ModuleLoaderObject::linkAndEvaluateModule):
2469         * runtime/NativeErrorConstructor.cpp:
2470         (JSC::NativeErrorConstructor::getConstructData):
2471         (JSC::NativeErrorConstructor::getCallData):
2472         * runtime/NullGetterFunction.cpp:
2473         (JSC::NullGetterFunction::getCallData):
2474         (JSC::NullGetterFunction::getConstructData):
2475         * runtime/NullSetterFunction.cpp:
2476         (JSC::NullSetterFunction::getCallData):
2477         (JSC::NullSetterFunction::getConstructData):
2478         * runtime/NumberConstructor.cpp:
2479         (JSC::NumberConstructor::getConstructData):
2480         (JSC::NumberConstructor::getCallData):
2481         * runtime/ObjectConstructor.cpp:
2482         (JSC::ObjectConstructor::getConstructData):
2483         (JSC::ObjectConstructor::getCallData):
2484         (JSC::toPropertyDescriptor):
2485         * runtime/ObjectPrototype.cpp:
2486         (JSC::objectProtoFuncDefineGetter):
2487         (JSC::objectProtoFuncDefineSetter):
2488         (JSC::objectProtoFuncToLocaleString):
2489         * runtime/Operations.cpp:
2490         (JSC::jsTypeStringForValue):
2491         (JSC::jsIsObjectTypeOrNull):
2492         (JSC::jsIsFunctionType):
2493         * runtime/ProxyConstructor.cpp:
2494         (JSC::ProxyConstructor::getConstructData):
2495         (JSC::ProxyConstructor::getCallData):
2496         * runtime/ProxyObject.cpp:
2497         (JSC::ProxyObject::finishCreation):
2498         (JSC::performProxyCall):
2499         (JSC::ProxyObject::getCallData):
2500         (JSC::performProxyConstruct):
2501         (JSC::ProxyObject::getConstructData):
2502         * runtime/ReflectObject.cpp:
2503         (JSC::reflectObjectConstruct):
2504         * runtime/RegExpConstructor.cpp:
2505         (JSC::RegExpConstructor::getConstructData):
2506         (JSC::RegExpConstructor::getCallData):
2507         * runtime/RuntimeType.h:
2508         * runtime/SamplingProfiler.cpp:
2509         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2510         * runtime/SetConstructor.cpp:
2511         (JSC::constructSet):
2512         (JSC::SetConstructor::getConstructData):
2513         (JSC::SetConstructor::getCallData):
2514         * runtime/StringConstructor.cpp:
2515         (JSC::StringConstructor::getConstructData):
2516         (JSC::StringConstructor::getCallData):
2517         * runtime/StringPrototype.cpp:
2518         (JSC::replaceUsingRegExpSearch):
2519         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
2520         (JSC::operationStringProtoFuncReplaceRegExpString):
2521         (JSC::replaceUsingStringSearch):
2522         * runtime/SymbolConstructor.cpp:
2523         (JSC::SymbolConstructor::getConstructData):
2524         (JSC::SymbolConstructor::getCallData):
2525         * runtime/WeakMapConstructor.cpp:
2526         (JSC::constructWeakMap):
2527         (JSC::WeakMapConstructor::getConstructData):
2528         (JSC::WeakMapConstructor::getCallData):
2529         * runtime/WeakSetConstructor.cpp:
2530         (JSC::constructWeakSet):
2531         (JSC::WeakSetConstructor::getConstructData):
2532         (JSC::WeakSetConstructor::getCallData):
2533         * tests/es6.yaml:
2534         * tests/stress/reflect-construct.js: Added.
2535         (shouldBe):
2536         (shouldThrow):
2537         (shouldThrow.array.get length):
2538         (shouldThrow.array.get 0):
2539         (array.get length):
2540         (array.get 0):
2541         (shouldBe.Reflect.construct):
2542         (shouldBe.Reflect.construct.Hello):
2543         (3.shouldBe.Reflect.construct.Hello):
2544         (3.newTarget):
2545         (0.shouldBe.Reflect.construct):
2546         (shouldBe.A):
2547         (shouldBe.B):
2548         (nativeConstructorTest.DerivedMap):
2549         (nativeConstructorTest.FailedMap):
2550         (set noInline):
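
Added example (not from the WebKit ChangeLog or the JSC sources) of the OrdinaryCreateFromConstructor case the entry above describes: the created object's prototype comes from new.target, while its internal slots come from the constructor that actually ran. The Plain and DerivedMap constructors are constructed for the demonstration.

```javascript
// Ordinary function constructor that records the new.target it was invoked with.
let observedNewTarget;
function Plain() { observedNewTarget = new.target; }

// Case from the entry: Reflect.construct(function () {}, [], Map). The result
// inherits from Map.prototype but has no [[MapData]] slot, so Map methods reject it.
function constructWithNewTarget() {
  const obj = Reflect.construct(Plain, [], Map);
  let sizeError = null;
  try {
    void obj.size; // Map.prototype.size brand-checks its receiver
  } catch (e) {
    sizeError = e.constructor.name;
  }
  return {
    newTargetIsMap: observedNewTarget === Map,
    protoIsMapPrototype: Object.getPrototypeOf(obj) === Map.prototype,
    instanceOfMap: obj instanceof Map, // true: instanceof only walks the prototype chain
    sizeError,                         // "TypeError": not a real Map
  };
}

// The reverse direction: a native constructor runs with a derived class as
// new.target, so the result is a genuine Map whose prototype is DerivedMap.prototype.
class DerivedMap extends Map {}
function constructNativeWithDerivedTarget() {
  const m = Reflect.construct(Map, [[["k", 1]]], DerivedMap);
  return {
    protoIsDerived: Object.getPrototypeOf(m) === DerivedMap.prototype,
    isRealMap: m.size === 1 && m.get("k") === 1,
  };
}

// new.target must itself be a constructor; an arrow function is not.
function nonConstructorNewTargetError() {
  try {
    Reflect.construct(Plain, [], () => {});
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}
```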
2551
2552 2016-03-04  Andreas Kling  <akling@apple.com>
2553
2554         [iOS] Throw away compiled RegExp code when navigating to a new page.
2555         <https://webkit.org/b/155015>
2556
2557         Reviewed by Anders Carlsson.
2558
2559         Add a mechanism to have the VM discard all RegExp bytecode and JIT code.
2560
2561         * runtime/VM.cpp:
2562         (JSC::VM::deleteAllRegExpCode):
2563         * runtime/VM.h:
2564
2565 2016-03-04  David Kilzer  <ddkilzer@apple.com>
2566
2567         REGRESSION (r197531): JavaScriptCore ASan build fails due to weak external symbol
2568         <http://webkit.org/b/155033>
2569         <rdar://problem/24979661>
2570
2571         Reviewed by Alexey Proskuryakov.
2572
2573         * runtime/JSObject.cpp:
2574         (JSC::JSObject::ordinaryToPrimitive): Don't mark this method
2575         inline since it's also used in DatePrototype.cpp, and is
2576         declared as a public class method.
2577         * runtime/JSObject.h:
2578         (JSC::JSObject::ordinaryToPrimitive): Don't export this method
2579         since it is not used outside of JavaScriptCore.
2580
2581 2016-03-04  Alex Christensen  <achristensen@webkit.org>
2582
2583         Remove vcxproj build system
2584         https://bugs.webkit.org/show_bug.cgi?id=154388
2585
2586         Rubber-stamped by Brent Fulgham.
2587
2588         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Removed.
2589         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Removed.
2590         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Removed.
2591         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Removed.
2592         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Removed.
2593         * JavaScriptCore.vcxproj/JavaScriptCoreCFLite.props: Removed.
2594         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Removed.
2595         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Removed.
2596         * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Removed.
2597         * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: Removed.
2598         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Removed.
2599         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Removed.
2600         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Removed.
2601         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Removed.
2602         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Removed.
2603         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: Removed.
2604         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Removed.
2605         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Removed.
2606         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Removed.
2607         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Removed.
2608         * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: Removed.
2609         * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Removed.
2610         * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: Removed.
2611         * JavaScriptCore.vcxproj/build-generated-files.pl: Removed.
2612         * JavaScriptCore.vcxproj/copy-files.cmd: Removed.
2613
2614 2016-03-04  Chris Dumez  <cdumez@apple.com>
2615
2616         Location.reload should not be writable
2617         https://bugs.webkit.org/show_bug.cgi?id=154989
2618
2619         Reviewed by Gavin Barraclough.
2620
2621         After r196770, operations marked as [Unforgeable] in the IDL (such as
2622         Location.reload) are correctly reported as not writable by
2623         Object.getOwnPropertyDescriptor(). Trying to set such a property in JS
2624         is correctly ignored (or throws in strict mode) if the object has
2625         previously been reified. However, due to a bug in putEntry(), it was
2626         still possible to override the property if the object was not reified
2627         yet. This patch fixes the issue by checking in putEntry() that entries
2628         that are functions are not ReadOnly before calling putDirect().
2629
2630         * runtime/Lookup.h:
2631         (JSC::putEntry):
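
        Added example (not WebKit code): an audit for [Unforgeable]-style members of
        the kind described in this entry. A descriptor that reports writable: false was
        not by itself proof before this fix, since a write could still go through on an
        object that had not been reified, so the audit also performs a strict-mode write
        and a defineProperty and verifies that both are refused and the member is left
        untouched. The `navigation` stand-in object, `makeStandIn`, `auditUnforgeable`
        and `probe` are constructed for this example and are not WebCore or JSC APIs.

```javascript
// Added example, not WebKit code. Models a DOM object that exposes one
// [Unforgeable] method ('reload', read-only and non-configurable) and one
// ordinary method ('assign'), then audits both the way a hardening check would.

// Build the stand-in object (constructed here; Location is not available in Node).
function makeStandIn() {
  const obj = {};
  Object.defineProperty(obj, 'reload', {
    value: function reload() { return 'reloaded'; },
    writable: false, enumerable: true, configurable: false,
  });
  obj.assign = function assign() { return 'assigned'; }; // ordinary, overridable
  return obj;
}

// Strict-mode assignment: a write to a read-only data property must throw.
function strictWrite(obj, name, value) {
  'use strict';
  obj[name] = value;
}

// Audit one member. Returns the list of reasons it is forgeable, [] if it holds.
function auditUnforgeable(obj, name) {
  const problems = [];
  const desc = Object.getOwnPropertyDescriptor(obj, name);
  if (!desc) return ['missing own property'];
  if (desc.writable !== false) problems.push('descriptor reports writable');
  if (desc.configurable !== false) problems.push('descriptor reports configurable');
  const original = desc.value;
  const impostor = function impostor() { return 'hijacked'; };
  // The descriptor is only half the story: actually try to overwrite it.
  let threw = false;
  try { strictWrite(obj, name, impostor); } catch (e) { threw = e instanceof TypeError; }
  if (!threw) problems.push('assignment did not throw in strict mode');
  if (obj[name] !== original) problems.push('assignment replaced the member');
  // defineProperty must also be refused for a non-configurable, read-only member.
  try {
    Object.defineProperty(obj, name, { value: impostor });
    problems.push('defineProperty replaced the member');
  } catch (e) {
    if (!(e instanceof TypeError)) problems.push('defineProperty threw a non-TypeError');
  }
  return problems;
}

function probe() {
  const standIn = makeStandIn();
  return {
    reload: auditUnforgeable(standIn, 'reload'),   // expected: []
    assign: auditUnforgeable(standIn, 'assign'),   // expected: every check fails
    stillOriginal: standIn.reload() === 'reloaded',
  };
}
```

        The write-and-verify step is the part that would have caught the bug this entry
        fixes: the descriptor looked right, but the put path still replaced the function.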
2632
2633 2016-03-04  Skachkov Oleksandr  <gskachkov@gmail.com>
2634
2635         [ES6] Arrow function syntax. Lexical bind "super" inside of the arrow function in generator.
2636         https://bugs.webkit.org/show_bug.cgi?id=152575
2637
2638         Reviewed by Yusuke Suzuki.
2639
2640         Added support for 'SuperProperty' in an arrow function within a generator
2641         method of a class. Before this patch the parser did not recognize that the current
2642         arrow function was declared inside a generator and raised a SyntaxError.
2643
2644         * parser/Parser.cpp:
2645         (JSC::Parser<LexerType>::parseFunctionInfo):
2646         * parser/Parser.h:
2647         (JSC::Scope::Scope):
2648         (JSC::Scope::isGeneratorBoundary):
2649         (JSC::Scope::setIsFunction):
2650         (JSC::Scope::setIsGenerator):
2651         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
2652         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
2653
2654 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
2655
2656         DFG/FTL should inline accesses to RegExpObject::m_lastIndex
2657         https://bugs.webkit.org/show_bug.cgi?id=155003
2658
2659         Reviewed by Benjamin Poulain.
2660
2661         The Octane/regexp benchmark sets RegExps' lastIndex a lot. I could imagine this being
2662         something that people want to do. Right now, I'm not convinced that making the RegExp object
2663         be more plain-JS would be a good idea considering that pretty much all uses of it will
2664         require some special compiler magic. Also, it's good that this patch teaches the compiler
2665         how to reason about lastIndex since some of my other plans for regexp involve having the
2666         compiler treat more regexp stuff as intrinsic.
2667
2668         This is a smaller Octane/regexp speed-up than I hoped - maybe around 1%. It's an enormous
2669         speed-up on the microbenchmarks attached to this patch.
2670
2671         * dfg/DFGAbstractHeap.h:
2672         * dfg/DFGAbstractInterpreterInlines.h:
2673         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2674         * dfg/DFGClobberize.h:
2675         (JSC::DFG::clobberize):
2676         * dfg/DFGDoesGC.cpp:
2677         (JSC::DFG::doesGC):
2678         * dfg/DFGFixupPhase.cpp:
2679         (JSC::DFG::FixupPhase::fixupNode):
2680         * dfg/DFGHeapLocation.h:
2681         * dfg/DFGNodeType.h:
2682         * dfg/DFGPredictionPropagationPhase.cpp:
2683         (JSC::DFG::PredictionPropagationPhase::propagate):
2684         * dfg/DFGSafeToExecute.h:
2685         (JSC::DFG::safeToExecute):
2686         * dfg/DFGSpeculativeJIT.cpp:
2687         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2688         (JSC::DFG::SpeculativeJIT::compileGetRegExpObjectLastIndex):
2689         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2690         * dfg/DFGSpeculativeJIT.h:
2691         * dfg/DFGSpeculativeJIT32_64.cpp:
2692         (JSC::DFG::SpeculativeJIT::compile):
2693         * dfg/DFGSpeculativeJIT64.cpp:
2694         (JSC::DFG::SpeculativeJIT::compile):
2695         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2696         * ftl/FTLAbstractHeapRepository.cpp:
2697         * ftl/FTLAbstractHeapRepository.h:
2698         * ftl/FTLCapabilities.cpp:
2699         (JSC::FTL::canCompile):
2700         * ftl/FTLLowerDFGToB3.cpp:
2701         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2702         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
2703         (JSC::FTL::DFG::LowerDFGToB3::compileGetRegExpObjectLastIndex):
2704         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2705         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
2706         (JSC::FTL::DFG::LowerDFGToB3::lowObject):
2707         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject):
2708         (JSC::FTL::DFG::LowerDFGToB3::lowString):
2709         * runtime/RegExpObject.h:
2710         (JSC::RegExpObject::createStructure):
2711         (JSC::RegExpObject::offsetOfLastIndex):
2712
2713 2016-03-03  Chris Dumez  <cdumez@apple.com>
2714
2715         Regression(r196770): Unable to use HipChat Mac app
2716         https://bugs.webkit.org/show_bug.cgi?id=154999
2717         <rdar://problem/24931959>
2718
2719         Reviewed by Darin Adler.
2720
2721         Add a setter to PutPropertySlot to override the 'isStrictMode' flag.
2722
2723         * runtime/PutPropertySlot.h:
2724         (JSC::PutPropertySlot::setStrictMode):
2725
2726 2016-03-03  Benjamin Poulain  <bpoulain@apple.com>
2727
2728         [JSC] Add support for MADD, MSUB and MNEG to Air
2729         https://bugs.webkit.org/show_bug.cgi?id=154997
2730
2731         Reviewed by Filip Pizlo.
2732
2733         ARM64 can do an Add/Sub in the Multiply units.
2734         LLVM was doing so but we lost that when switching to B3.
2735
2736         This patch adds those instructions in Air.
2737
2738         There are more ALUs than multiply units, thus we are more
2739         likely to successfully schedule a Multiply+Add than 2 Multiply.
2740         I am conservative and only emit a multiply-add if the value
2741         can be interned. As far as I can tell from what is generated
2742         by LLVM, that backend had the same rule.
2743
2744         * assembler/MacroAssemblerARM64.h:
2745         (JSC::MacroAssemblerARM64::multiplyAdd32):
2746         (JSC::MacroAssemblerARM64::multiplySub32):
2747         (JSC::MacroAssemblerARM64::multiplyNeg32):
2748         (JSC::MacroAssemblerARM64::multiplyAdd64):
2749         (JSC::MacroAssemblerARM64::multiplySub64):
2750         (JSC::MacroAssemblerARM64::multiplyNeg64):
2751         * b3/B3LowerToAir.cpp:
2752         (JSC::B3::Air::LowerToAir::lower):
2753         * b3/air/AirOpcode.opcodes:
2754         * b3/testb3.cpp:
2755         (JSC::B3::populateWithInterestingValues):
2756         (JSC::B3::floatingPointOperands):
2757         (JSC::B3::int64Operands):
2758         (JSC::B3::int32Operands):
2759         (JSC::B3::testMulAddArgsLeft):
2760         (JSC::B3::testMulAddArgsRight):
2761         (JSC::B3::testMulAddArgsLeft32):
2762         (JSC::B3::testMulAddArgsRight32):
2763         (JSC::B3::testMulSubArgsLeft):
2764         (JSC::B3::testMulSubArgsRight):
2765         (JSC::B3::testMulSubArgsLeft32):
2766         (JSC::B3::testMulSubArgsRight32):
2767         (JSC::B3::testMulNegArgs):
2768         (JSC::B3::testMulNegArgs32):
2769         (JSC::B3::run):
2770
2771 2016-03-03  Saam Barati  <sbarati@apple.com>
2772
2773         [ES6] Implement Proxy.[[SetPrototypeOf]]
2774         https://bugs.webkit.org/show_bug.cgi?id=154931
2775
2776         Reviewed by Ryosuke Niwa.
2777
2778         This patch is a straight forward implementation of Proxy.[[SetPrototypeOf]]
2779         with respect to section 9.5.2 of the ECMAScript spec.
2780         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-setprototypeof-v
2781
2782         * runtime/JSObject.cpp:
2783         (JSC::JSObject::putInlineSlow):
2784         * runtime/ProxyObject.cpp:
2785         (JSC::ProxyObject::put):
2786         (JSC::ProxyObject::getGenericPropertyNames):
2787         (JSC::ProxyObject::performSetPrototype):
2788         (JSC::ProxyObject::setPrototype):
2789         (JSC::ProxyObject::visitChildren):
2790         * runtime/ProxyObject.h:
2791         * tests/es6.yaml:
2792         * tests/stress/proxy-set-prototype-of.js: Added.
2793         (assert):
2794         (throw.new.Error.let.handler.get setPrototypeOf):
2795         (throw.new.Error.set let):
2796         (throw.new.Error.set catch):
2797         (throw.new.Error):
2798         (assert.let.handler.setPrototypeOf):
2799         (assert.set let):
2800         (assert.set catch):
2801         (let.handler.setPrototypeOf):
2802         (set let):
2803         (set catch):
2804
2805 2016-03-03  Keith Miller  <keith_miller@apple.com>
2806
2807         JSArrayBuffers should be collected less aggressively
2808         https://bugs.webkit.org/show_bug.cgi?id=154982
2809
2810         Reviewed by Geoffrey Garen.
2811
2812         We are currently too aggressive in our collection of ArrayBuffer wrappers.
2813         There are three cases where we need to avoid collecting ArrayBuffer wrappers.
2814         1. If the wrapper has custom properties.
2815         2. If the wrapper is a subclass of ArrayBuffer.
2816         3. If the wrapper is in a WeakMap/WeakSet.
2817
2818         Currently, we only pass the first case in WebCore and none in the jsc CLI.
2819         This patch removes some optimizations that cause us to collect when we
2820         should not. Namely, always skipping the object unless it has custom
2821         properties. Additionally, in the case of subclassing, we also need a way
2822         for custom JSArrayBuffer objects to register themselves as the wrapper for
2823         an ArrayBuffer class.
2824
2825         Finally, this patch fixes an issue where views would not mark their ArrayBuffer
2826         as an opaque root. This patch also moves an associated ASSERT that the
2827         ArrayBuffer held by a view is not null in JSGenericTypedArrayView::visitChildren
2828         into JSArrayBufferView::visitChildren, where we add the opaque root.
2829
2830         * runtime/JSArrayBuffer.cpp:
2831         (JSC::JSArrayBuffer::finishCreation):
2832         (JSC::JSArrayBuffer::create):
2833         (JSC::JSArrayBuffer::createWithoutWrapping):
2834         * runtime/JSArrayBuffer.h:
2835         * runtime/JSArrayBufferView.cpp:
2836         (JSC::JSArrayBufferView::visitChildren):
2837         * runtime/JSArrayBufferView.h:
2838         * runtime/JSGenericTypedArrayViewInlines.h:
2839         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Deleted.
2840         * runtime/SimpleTypedArrayController.cpp:
2841         (JSC::SimpleTypedArrayController::toJS):
2842         (JSC::SimpleTypedArrayController::registerWrapper):
2843         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
2844         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::finalize):
2845         * runtime/SimpleTypedArrayController.h:
2846         * runtime/TypedArrayController.h:
2847
2848 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
2849
2850         Octane/regexp's Exec function should benefit from array length accessor inlining
2851         https://bugs.webkit.org/show_bug.cgi?id=154994
2852
2853         Reviewed by Benjamin Poulain.
2854
2855         It does:
2856
2857             var thingy = blahbitty.blah;
2858             if (thingy)
2859                 foo = thingy.length;
2860
2861         So, 'thingy' is SpecArray | SpecOther, which prevents the array length accessor inlining from
2862         kicking in. Our strategy for this elsewhere in the DFG is to allow a one-time speculation that
2863         we won't see SpecOther, since *usually* we see SpecOther mixed with other stuff in cases like
2864         this where there is some null check guarding the code.
2865
2866         This gives another slight speed-up on Octane/regexp.
2867
2868         * bytecode/SpeculatedType.h:
2869         (JSC::isCellSpeculation):
2870         (JSC::isCellOrOtherSpeculation):
2871         (JSC::isNotCellSpeculation):
2872         * dfg/DFGFixupPhase.cpp:
2873         (JSC::DFG::FixupPhase::fixupNode):
2874         * dfg/DFGNode.h:
2875         (JSC::DFG::Node::shouldSpeculateCell):
2876         (JSC::DFG::Node::shouldSpeculateCellOrOther):
2877         (JSC::DFG::Node::shouldSpeculateNotCell):
2878
2879 2016-03-03  Saam Barati  <sbarati@apple.com>
2880
2881         Add Proxy tests for exceptions that depend on an object being non-extensible and having configurable properties
2882         https://bugs.webkit.org/show_bug.cgi?id=154745
2883
2884         Reviewed by Geoffrey Garen.
2885
2886         This patch is mostly an implementation of Proxy.[[OwnPropertyKeys]] 
2887         with respect to section 9.5.11 of the ECMAScript spec.
2888         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys
2889
2890         This patch also changes call sites of getOwnPropertyNames and
2891         getPropertyNames to expect that an exception can be thrown.
2892
2893         * dfg/DFGOperations.cpp:
2894         * inspector/JSInjectedScriptHost.cpp:
2895         (Inspector::JSInjectedScriptHost::iteratorEntries):
2896         * interpreter/Interpreter.cpp:
2897         (JSC::Interpreter::execute):
2898         * runtime/IntlObject.cpp:
2899         (JSC::supportedLocales):
2900         * runtime/JSCJSValue.h:
2901         * runtime/JSCJSValueInlines.h:
2902         (JSC::JSValue::get):
2903         (JSC::JSValue::put):
2904         * runtime/JSONObject.cpp:
2905         (JSC::Stringifier::Holder::appendNextProperty):
2906         (JSC::Walker::walk):
2907         * runtime/JSObject.cpp:
2908         (JSC::JSObject::getPropertyNames):
2909         (JSC::JSObject::getGenericPropertyNames):
2910         * runtime/JSObject.h:
2911         (JSC::makeIdentifier):
2912         (JSC::createListFromArrayLike):
2913         * runtime/JSPropertyNameEnumerator.h:
2914         (JSC::propertyNameEnumerator):
2915         * runtime/JSPropertyNameIterator.cpp:
2916         (JSC::JSPropertyNameIterator::create):
2917         * runtime/MapConstructor.cpp:
2918         (JSC::constructMap):
2919         * runtime/ObjectConstructor.cpp:
2920         (JSC::defineProperties):
2921         (JSC::objectConstructorSeal):
2922         (JSC::objectConstructorFreeze):
2923         (JSC::objectConstructorIsSealed):
2924         (JSC::objectConstructorIsFrozen):
2925         (JSC::ownPropertyKeys):
2926         * runtime/ProxyObject.cpp:
2927         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2928         (JSC::ProxyObject::deleteProperty):
2929         (JSC::ProxyObject::deletePropertyByIndex):
2930         (JSC::ProxyObject::defineOwnProperty):
2931         (JSC::ProxyObject::performGetOwnPropertyNames):
2932         (JSC::ProxyObject::getOwnPropertyNames):
2933         (JSC::ProxyObject::getOwnNonIndexPropertyNames):
2934         (JSC::ProxyObject::getStructurePropertyNames):
2935         (JSC::ProxyObject::getGenericPropertyNames):
2936         (JSC::ProxyObject::visitChildren):
2937         * runtime/ProxyObject.h:
2938         (JSC::ProxyObject::create):
2939         (JSC::ProxyObject::createStructure):
2940         * runtime/Structure.cpp:
2941         (JSC::Structure::Structure):
2942         (JSC::Structure::add):
2943         (JSC::Structure::getPropertyNamesFromStructure):
2944         (JSC::Structure::checkConsistency):
2945         (JSC::Structure::canCachePropertyNameEnumerator):
2946         (JSC::Structure::canAccessPropertiesQuicklyForEnumeration):
2947         (JSC::Structure::canAccessPropertiesQuickly): Deleted.
2948         * runtime/Structure.h:
2949         * runtime/WeakMapConstructor.cpp:
2950         (JSC::constructWeakMap):
2951         * tests/es6.yaml:
2952         * tests/stress/proxy-own-keys.js: Added.
2953         (assert):
2954         (throw.new.Error.let.handler.ownKeys):
2955         (throw.new.Error):
2956         (assert.let.handler.get ownKeys):
2957         (assert.let.handler.ownKeys):
2958         (let.handler.ownKeys):
2959         (i.catch):
2960         (shallowEq):
2961         (let.handler.getOwnPropertyDescriptor):
2962         (i.set assert):
2963         (set add):
2964         (set assert):
2965         (set if):
2966
2967 2016-03-03  Keith Miller  <keith_miller@apple.com>
2968
2969         Array prototype JS builtins should support Symbol.species
2970         https://bugs.webkit.org/show_bug.cgi?id=154710
2971
2972         Reviewed by Geoffrey Garen.
2973
2974         Add support for Symbol.species in the Array.prototype JS
2975         builtin functions.
2976
2977         * builtins/ArrayPrototype.js:
2978         (filter):
2979         (map):
2980         * runtime/ArrayConstructor.cpp:
2981         (JSC::ArrayConstructor::finishCreation):
2982         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
2983         * runtime/ArrayConstructor.h:
2984         (JSC::ArrayConstructor::create):
2985         * runtime/CommonIdentifiers.h:
2986         * runtime/JSGlobalObject.cpp:
2987         (JSC::JSGlobalObject::init):
2988         * tests/stress/array-species-functions.js:
2989         (id):
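
        Added example (not JavaScriptCore code): a JavaScript model of ArraySpeciesCreate
        (ES2016 section 9.4.2.3), the step that lets the Array.prototype.filter/map builtins
        in this entry honour Symbol.species, compared against what the host engine's own
        filter/map do. `arraySpeciesCreate`, `speciesFilter`, `TaggedArray`, `PlainResults`
        and `probe` are names chosen for this example, not JSC internals.

```javascript
// Added example, not JavaScriptCore code. ArraySpeciesCreate(original, length)
// as specified: look up original.constructor, then its @@species, and fall
// back to a plain Array when either is undefined/null.
function arraySpeciesCreate(original, length) {
  if (!Array.isArray(original)) return new Array(length);
  let C = original.constructor;
  // Type(C) is Object covers both functions and plain objects in spec terms.
  if (C !== null && (typeof C === 'object' || typeof C === 'function')) {
    C = C[Symbol.species];
    if (C === null) C = undefined;
  }
  if (C === undefined) return new Array(length);
  if (typeof C !== 'function') throw new TypeError('species is not a constructor');
  return new C(length);
}

// filter written on top of arraySpeciesCreate so the species choice is visible.
function speciesFilter(arr, pred) {
  const out = arraySpeciesCreate(arr, 0);
  let n = 0;
  for (let i = 0; i < arr.length; i++) {
    if (pred(arr[i], i, arr)) out[n++] = arr[i];
  }
  return out;
}

// Keeps the default species getter (returns `this`): results stay TaggedArray.
class TaggedArray extends Array {}
// Opts out: results of map/filter are plain Arrays, never PlainResults.
class PlainResults extends Array {
  static get [Symbol.species]() { return Array; }
}

function probe() {
  const tagged = TaggedArray.from([1, 2, 3, 4]);
  const plain = PlainResults.from([1, 2, 3, 4]);
  const isEven = x => x % 2 === 0;
  return {
    modelKeepsSubclass: speciesFilter(tagged, isEven) instanceof TaggedArray,
    engineKeepsSubclass: tagged.filter(isEven) instanceof TaggedArray,
    modelOptsOut: speciesFilter(plain, isEven).constructor === Array,
    engineOptsOut: plain.map(x => x * 2).constructor === Array,
    values: speciesFilter(tagged, isEven).join(','),   // "2,4"
  };
}
```

        Note that species is consulted on the receiver's constructor, so an attacker-
        controlled `constructor` or `Symbol.species` on an array-like value changes which
        constructor the builtin instantiates; code that must not run foreign constructors
        should copy into a fresh `Array` explicitly.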
2990
2991 2016-03-03  Michael Saboff  <msaboff@apple.com>
2992
2993         [ES6] Make Unicode RegExp pattern parsing conform to the spec
2994         https://bugs.webkit.org/show_bug.cgi?id=154988
2995
2996         Reviewed by Benjamin Poulain.
2997
2998         Updated RegExp pattern processing with 'u' (Unicode) flag to conform to the
2999         spec (https://tc39.github.io/ecma262/2016/#sec-patterns).  In the spec, the
3000         grammar is annotated with [U] annotations.  Productions that are prefixed with
3001         [+U] are only available with the Unicode flags while productions prefixed with
3002         [~U] are only available without the Unicode flag.
3003         
3004         Added flags argument to Yarr::checkSyntax() so we can catch Unicode flag related
3005         parsing errors at syntax checking time.  Restricted what escapes are available for
3006         non Unicode patterns.  Most of this is defined in the IdentityEscape rule in the
3007         pattern grammar.
3008
3009         Added \- as a CharacterClass only escape in Unicode patterns.
3010
3011         Updated the tests for these changes.
3012
3013         Made changes suggested in https://bugs.webkit.org/show_bug.cgi?id=154842#c22 after
3014         change set r197426 was landed.
3015
3016         * parser/ASTBuilder.h:
3017         (JSC::ASTBuilder::createRegExp):
3018         * parser/Parser.cpp:
3019         (JSC::Parser<LexerType>::parsePrimaryExpression):
3020         * parser/SyntaxChecker.h:
3021         (JSC::SyntaxChecker::createRegExp):
3022         * yarr/YarrInterpreter.cpp:
3023         (JSC::Yarr::Interpreter::InputStream::readChecked):
3024         (JSC::Yarr::Interpreter::InputStream::readSurrogatePairChecked):
3025         (JSC::Yarr::Interpreter::InputStream::reread):
3026         (JSC::Yarr::Interpreter::InputStream::uncheckInput):
3027         (JSC::Yarr::Interpreter::InputStream::atStart):
3028         (JSC::Yarr::Interpreter::InputStream::atEnd):
3029         (JSC::Yarr::Interpreter::testCharacterClass):
3030         (JSC::Yarr::Interpreter::backtrackPatternCharacter):
3031         (JSC::Yarr::Interpreter::matchDisjunction):
3032         (JSC::Yarr::ByteCompiler::atomPatternCharacter):
3033         * yarr/YarrParser.h:
3034         (JSC::Yarr::Parser::Parser):
3035         (JSC::Yarr::Parser::isIdentityEscapeAnError):
3036         (JSC::Yarr::Parser::parseEscape):
3037         (JSC::Yarr::Parser::parse):
3038         * yarr/YarrPattern.cpp:
3039         (JSC::Yarr::CharacterClassConstructor::putChar):
3040         (JSC::Yarr::CharacterClassConstructor::putRange):
3041         (JSC::Yarr::CharacterClassConstructor::addSorted):
3042         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
3043         * yarr/YarrSyntaxChecker.cpp:
3044         (JSC::Yarr::SyntaxChecker::disjunction):
3045         (JSC::Yarr::checkSyntax):
3046         * yarr/YarrSyntaxChecker.h:
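
        Added example (not JavaScriptCore code): a table-driven check of the [+U]/[~U]
        grammar differences this entry implements, run against the host engine. It is the
        kind of check a pattern-validation layer needs so that it agrees with the engine
        on what is a SyntaxError. The rows in `cases` are constructed here; `compiles`,
        `mismatches` and `engineConforms` are names chosen for the example.

```javascript
// Added example, not JavaScriptCore code. Exercises the productions the
// entry mentions: IdentityEscape (restricted under 'u'), the '\-' ClassEscape
// that exists only under 'u', and Annex B leniencies that vanish under 'u'.

// Compile a pattern, reporting a SyntaxError as false instead of throwing.
function compiles(source, flags) {
  try {
    new RegExp(source, flags);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Each row: pattern source, expected result without 'u', expected result with 'u'.
const cases = [
  // IdentityEscape[~U] accepts any non-identifier character; [+U] only SyntaxCharacter and '/'.
  ['\\a',        true,  false],
  ['\\-',        true,  false],  // '-' is not a SyntaxCharacter
  ['\\/',        true,  true],
  ['\\.',        true,  true],
  // ClassEscape[+U] adds '\-' inside a character class.
  ['[\\-]',      true,  true],
  ['[a\\-z]',    true,  true],
  // A lone '{' is a literal in [~U] (Annex B) but an error in [+U].
  ['{',          true,  false],
  ['x{2,1}',     false, false],  // out-of-order quantifier is always an error
  // \u{...} code point escapes exist only in [+U]; without 'u' it is 'u' then literal braces.
  ['\\u{1F600}', true,  true],
];

// Rows whose observed behaviour differs from the expectation.
function mismatches() {
  return cases
    .map(([src, noU, withU]) => {
      const gotNoU = compiles(src, '');
      const gotU = compiles(src, 'u');
      return { src, gotNoU, gotU, ok: gotNoU === noU && gotU === withU };
    })
    .filter(r => !r.ok);
}

function engineConforms() {
  return mismatches().length === 0;
}
```

        A validator that compiles user-supplied patterns without the same flags the
        consumer later uses will accept or reject a different language than the engine
        does; compile with the exact flags that will be used at match time.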
3047
3048 2016-03-03  Saam barati  <sbarati@apple.com>
3049
3050         [ES6] Implement Proxy.[[DefineOwnProperty]]
3051         https://bugs.webkit.org/show_bug.cgi?id=154759
3052
3053         Reviewed by Geoffrey Garen and Mark Lam.
3054
3055         This patch is a straight forward implementation of Proxy.[[DefineOwnProperty]]
3056         with respect to section 9.5.6 of the ECMAScript spec.
3057         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-defineownproperty-p-desc
3058
3059         * runtime/ObjectConstructor.cpp:
3060         (JSC::objectConstructorGetOwnPropertyDescriptor):
3061         (JSC::objectConstructorGetOwnPropertyDescriptors):
3062         * runtime/ObjectConstructor.h:
3063         (JSC::constructEmptyObject):
3064         (JSC::constructObjectFromPropertyDescriptor):
3065         * runtime/ProxyObject.cpp:
3066         (JSC::ProxyObject::isExtensible):
3067         (JSC::ProxyObject::performDefineOwnProperty):
3068         (JSC::ProxyObject::defineOwnProperty):
3069         (JSC::ProxyObject::visitChildren):
3070         * runtime/ProxyObject.h:
3071         * tests/es6.yaml:
3072         * tests/stress/proxy-define-own-property.js: Added.
3073         (assert):
3074         (throw.new.Error):
3075         (assert.let.handler.get defineProperty):
3076         (assert.let.handler.defineProperty):
3077         (let.handler.defineProperty):
3078         (i.catch):
3079         (assert.try.):
3080         (assert.set get catch):
3081         (assert.let.setter):
3082         (assert.let.getter):
3083         (assert.set get let.handler.defineProperty):
3084         (assert.set get let):
3085         (assert.):
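
        Added example (not JavaScriptCore code): the invariant checks that the three
        Proxy internal methods implemented in this entry and in the two earlier Proxy
        entries on this page ([[SetPrototypeOf]], section 9.5.2; [[OwnPropertyKeys]],
        section 9.5.11; [[DefineOwnProperty]], section 9.5.6) must enforce, exercised
        against the host engine with handlers that lie about what they did. The handler
        objects and function names are constructed for the example; every expected
        TypeError corresponds to a numbered step in those sections.

```javascript
// Added example, not JavaScriptCore code. Each probe builds a handler whose
// trap reports success without doing anything, then checks that the engine
// refuses the result when it would contradict the (non-extensible or
// non-configurable) target.

// Run `fn` and report whether it threw the TypeError the spec demands.
function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// 9.5.2 [[SetPrototypeOf]]: a trap may report success for a non-extensible
// target only if the requested prototype is the target's current prototype.
function setPrototypeOfInvariant() {
  const target = Object.preventExtensions({});
  const proxy = new Proxy(target, {
    setPrototypeOf() { return true; }   // lies: claims the prototype changed
  });
  const sameProto = Object.getPrototypeOf(target);
  return {
    honest: Object.setPrototypeOf(proxy, sameProto) === proxy,   // harmless lie
    caught: throwsTypeError(() => Object.setPrototypeOf(proxy, { other: 1 })),
  };
}

// 9.5.11 [[OwnPropertyKeys]]: the trap result must list every non-configurable
// own key of the target, and for a non-extensible target exactly its own keys.
function ownKeysInvariant() {
  const target = {};
  Object.defineProperty(target, 'secret', { value: 1, configurable: false });
  const hiding = new Proxy(target, { ownKeys() { return []; } });
  const sealed = new Proxy(Object.preventExtensions({ a: 1 }), {
    ownKeys() { return ['a', 'b']; }   // invents a key the target lacks
  });
  return {
    hidden: throwsTypeError(() => Reflect.ownKeys(hiding)),
    invented: throwsTypeError(() => Reflect.ownKeys(sealed)),
  };
}

// 9.5.6 [[DefineOwnProperty]]: a trap may not report success for a
// non-configurable definition while the target's property stays configurable,
// nor for a new property on a non-extensible target.
function defineOwnPropertyInvariant() {
  const proxy = new Proxy({ x: 1 }, {
    defineProperty() { return true; }   // lies: never touches the target
  });
  const frozenProxy = new Proxy(Object.preventExtensions({}), {
    defineProperty() { return true; }
  });
  return {
    nonConfigurable: throwsTypeError(() =>
      Object.defineProperty(proxy, 'x', { value: 2, configurable: false })),
    onNonExtensible: throwsTypeError(() =>
      Object.defineProperty(frozenProxy, 'y', { value: 1 })),
    // A configurable redefinition of a configurable property may succeed even
    // though the trap did nothing; the lie is not observable through the target.
    configurable: Object.defineProperty(proxy, 'x', { value: 3 }) === proxy,
  };
}
```

        These invariants are what keep a Proxy from presenting a view of an object that
        is inconsistent with the target's own non-configurable or non-extensible state;
        code that relies on Object.freeze or Object.preventExtensions for integrity depends
        on the engine enforcing them.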
3086
3087 2016-03-03  Keith Miller  <keith_miller@apple.com>
3088
3089         [ES6] Add support for Symbol.toPrimitive
3090         https://bugs.webkit.org/show_bug.cgi?id=154877
3091
3092         Reviewed by Saam Barati.
3093
3094         This patch adds support for Symbol.toPrimitive. Since we don't currently
3095         generate snippets for one side of a binary operation we only need to change
3096         the JSObject::ToPrimitive function and update some optimizations in the DFG
3097         that need to know how conversions to primitive values should work. As of
3098         ES6, the date prototype is also no longer special cased in the ToPrimitive
3099         operation. Instead, Date.prototype has a Symbol.species function that
3100         replicates the old behavior.
3101
3102         * bytecode/ObjectPropertyConditionSet.cpp:
3103         (JSC::generateConditionsForPropertyMissConcurrently):
3104         * bytecode/ObjectPropertyConditionSet.h:
3105         * dfg/DFGGraph.cpp:
3106         (JSC::DFG::Graph::watchConditions):
3107         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
3108         * dfg/DFGGraph.h:
3109         * runtime/CommonIdentifiers.h:
3110         * runtime/DatePrototype.cpp:
3111         (JSC::DatePrototype::finishCreation):
3112         (JSC::dateProtoFuncToPrimitiveSymbol):
3113         * runtime/Error.cpp:
3114         (JSC::throwTypeError):
3115         * runtime/Error.h:
3116         * runtime/JSCJSValueInlines.h:
3117         (JSC::toPreferredPrimitiveType):
3118         * runtime/JSObject.cpp:
3119         (JSC::callToPrimitiveFunction):
3120         (JSC::JSObject::ordinaryToPrimitive):
3121         (JSC::JSObject::defaultValue):
3122         (JSC::JSObject::toPrimitive):
3123         (JSC::JSObject::getPrimitiveNumber):
3124         (JSC::callDefaultValueFunction): Deleted.
3125         (JSC::throwTypeError): Deleted.
3126         * runtime/JSObject.h:
3127         (JSC::JSObject::toPrimitive): Deleted.
3128         * runtime/SmallStrings.h:
3129         * runtime/SymbolPrototype.cpp:
3130         (JSC::SymbolPrototype::finishCreation):
3131         * runtime/SymbolPrototype.h:
3132         (JSC::SymbolPrototype::create):
3133         * tests/es6.yaml:
3134         * tests/stress/date-symbol-toprimitive.js: Added.
3135         * tests/stress/ropes-symbol-toprimitive.js: Added.
3136         (ropify):
3137         (String.prototype.Symbol.toPrimitive):
3138         * tests/stress/symbol-toprimitive.js: Added.
3139         (foo.Symbol.toPrimitive):
3140         (catch):
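
        Added example (not JavaScriptCore code): a JavaScript model of the ES2016
        ToPrimitive and OrdinaryToPrimitive algorithms (section 7.1.1) that this entry
        moves JSObject::toPrimitive onto, with the @@toPrimitive lookup taking precedence
        and the ordinary valueOf/toString order falling out of the hint. The probes compare
        the model with what the host engine's operators do, including Date, whose own
        @@toPrimitive treats the "default" hint as "string". Function and object names are
        chosen for the example.

```javascript
// Added example, not JavaScriptCore code. ToPrimitive(input, hint) and
// OrdinaryToPrimitive(O, hint) written out as the spec describes them.

function isPrimitive(v) {
  return v === null || (typeof v !== 'object' && typeof v !== 'function');
}

// OrdinaryToPrimitive: call "toString"/"valueOf" in hint order and return the
// first primitive result; throw if neither produces one.
function ordinaryToPrimitive(obj, hint) {
  const order = hint === 'string' ? ['toString', 'valueOf'] : ['valueOf', 'toString'];
  for (const name of order) {
    const method = obj[name];
    if (typeof method === 'function') {
      const result = method.call(obj);
      if (isPrimitive(result)) return result;
    }
  }
  throw new TypeError('Cannot convert object to primitive value');
}

// ToPrimitive: a @@toPrimitive method, if present, decides and must return a
// primitive. Without one, "default" is treated as "number" for ordinary objects.
function toPrimitive(input, hint = 'default') {
  if (isPrimitive(input)) return input;
  const exotic = input[Symbol.toPrimitive];
  if (exotic !== undefined && exotic !== null) {
    if (typeof exotic !== 'function') throw new TypeError('@@toPrimitive is not callable');
    const result = exotic.call(input, hint);
    if (isPrimitive(result)) return result;
    throw new TypeError('@@toPrimitive returned an object');
  }
  return ordinaryToPrimitive(input, hint === 'default' ? 'number' : hint);
}

// Probes comparing the model with the engine's own coercions.
function probe() {
  const money = {
    [Symbol.toPrimitive](hint) { return hint === 'number' ? 42 : '$42'; }
  };
  const plain = { valueOf() { return 7; }, toString() { return 'seven'; } };
  const evil = { [Symbol.toPrimitive]() { return {}; } };   // never yields a primitive
  let evilThrows = false;
  try { toPrimitive(evil); } catch (e) { evilThrows = e instanceof TypeError; }
  return {
    defaultHint: toPrimitive(money),               // '$42': "default" is not "number"
    numberHint: toPrimitive(money, 'number'),      // 42
    plainDefault: toPrimitive(plain),              // 7: valueOf first under "number"
    plainString: toPrimitive(plain, 'string'),     // 'seven'
    dateDefault: typeof toPrimitive(new Date(0)),  // 'string' via Date's @@toPrimitive
    engineAgrees: `${money}` === '$42' && money + '' === '$42' && plain * 1 === 7,
    evilThrows,
  };
}
```

        The @@toPrimitive hook is user-controlled code that runs inside arithmetic,
        comparison and string concatenation; anything that coerces untrusted objects
        (logging, key building, template rendering) is invoking it.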
3141
3142 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
3143
3144         DFG should be able to compile StringReplace
3145         https://bugs.webkit.org/show_bug.cgi?id=154979
3146
3147         Reviewed by Benjamin Poulain.
3148
3149         Adds support for StringReplace to the DFG tier. This is a 3% speed-up on Octane/regexp.
3150
3151         * dfg/DFGByteCodeParser.cpp:
3152         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3153         * dfg/DFGSpeculativeJIT.cpp:
3154         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
3155         (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
3156         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
3157         * dfg/DFGSpeculativeJIT.h:
3158         (JSC::DFG::SpeculativeJIT::callOperation):
3159         * dfg/DFGSpeculativeJIT32_64.cpp:
3160         (JSC::DFG::SpeculativeJIT::compile):
3161         * dfg/DFGSpeculativeJIT64.cpp:
3162         (JSC::DFG::SpeculativeJIT::compile):
3163         * jit/JITOperations.h:
3164
3165 2016-03-03  Saam barati  <sbarati@apple.com>
3166
3167         [[SetPrototypeOf]] isn't properly implemented everywhere
3168         https://bugs.webkit.org/show_bug.cgi?id=154943
3169
3170         Reviewed by Benjamin Poulain.
3171
3172         We were copy-pasting implementation bits that belong in OrdinarySetPrototypeOf 
3173         in a few different places that call O.[[SetPrototypeOf]](v)
3174         rather than having those bits in OrdinarySetPrototypeOf itself.
3175         We need to put those copy-pasted bits into OrdinarySetPrototypeOf
3176         and not the call sites of O.[[SetPrototypeOf]](v) because
3177         O.[[SetPrototypeOf]](v) won't always call into OrdinarySetPrototypeOf.
3178         This is needed for correctness because this behavior is now observable
3179         with the ES6 Proxy object.
3180
3181         * runtime/ClassInfo.h:
3182         * runtime/JSCell.cpp:
3183         (JSC::JSCell::isExtensible):
3184         (JSC::JSCell::setPrototype):
3185         * runtime/JSCell.h:
3186         * runtime/JSGlobalObjectFunctions.cpp:
3187         (JSC::globalFuncProtoSetter):
3188         * runtime/JSObject.cpp:
3189         (JSC::JSObject::setPrototypeDirect):
3190         (JSC::JSObject::setPrototypeWithCycleCheck):
3191         (JSC::JSObject::setPrototype):
3192         (JSC::JSObject::allowsAccessFrom):
3193         * runtime/JSObject.h:
3194         (JSC::JSObject::mayInterceptIndexedAccesses):
3195         * runtime/ObjectConstructor.cpp:
3196         (JSC::objectConstructorSetPrototypeOf):
3197         * runtime/ReflectObject.cpp:
3198         (JSC::reflectObjectSetPrototypeOf):
3199
3200 2016-03-03  Alex Christensen  <achristensen@webkit.org>
3201
3202         Fix Windows build after r197489.
3203
3204         * jsc.cpp:
3205
3206 2016-03-02  Filip Pizlo  <fpizlo@apple.com>
3207
3208         RegExpExec/RegExpTest should not unconditionally speculate cell
3209         https://bugs.webkit.org/show_bug.cgi?id=154901
3210
3211         Reviewed by Benjamin Poulain.
3212
3213         This is a three part change. It all started with a simple goal: end the rage-recompiles in
3214         Octane/regexp by enabling the DFG and FTL to do untyped RegExpExec/RegExpTest. This keeps us
3215         in the optimized code when you do a regexp match on a number, for example.
3216
3217         While implementing this, I realized that DFGOperations.cpp was bad at exception checking. When
3218         it did check for exceptions, it used exec->hadException() instead of vm.exception(). So I
3219         fixed that. I also made sure that the regexp operations checked for exception after doing
3220         toString().
3221
3222         Unfortunately, the introduction of untyped RegExpExec/RegExpTest caused a regression on
3223         Octane/regexp. This was because we were simultaneously scheduling replacement and OSR compiles
3224         of some large functions with the FTL JIT. The OSR compiles were not useful. This was a
3225         regression from the previous changes to make OSR compiles happen sooner. The problem is that
3226         this change also removed the throttling of OSR compiles even in those cases where we suspect
3227         that replacement is more likely. This patch reintroduces that throttling, but only in the
3228         replacement path.
3229
3230         This change ends up being neutral overall.
3231
3232         * dfg/DFGFixupPhase.cpp:
3233         (JSC::DFG::FixupPhase::fixupNode):
3234         * dfg/DFGOperations.cpp:
3235         * dfg/DFGOperations.h:
3236         * dfg/DFGSpeculativeJIT32_64.cpp:
3237         (JSC::DFG::SpeculativeJIT::compile):
3238         * dfg/DFGSpeculativeJIT64.cpp:
3239         (JSC::DFG::SpeculativeJIT::compile):
3240         * ftl/FTLLowerDFGToB3.cpp:
3241         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
3242         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
3243         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
3244         * tests/stress/regexp-exec-effect-after-exception.js: Added.
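
        Added example (not JavaScriptCore code): the observable ordering that the
        exception checks after toString() described in this entry protect. In ES2016
        RegExp.prototype.exec, RegExp.prototype.test and RegExp.prototype[@@match],
        ToString(argument) runs before lastIndex is read or written, so an argument whose
        toString throws must propagate that exception unchanged and leave the regexp's
        state untouched. `Boom`, `explosive`, `effectAfterException` and `probeAll` are
        names chosen for the example.

```javascript
// Added example, not JavaScriptCore code. Feeds an object whose toString
// throws to the regexp operations and checks what was observable afterwards.

class Boom extends Error {}
const explosive = { toString() { throw new Boom('toString exploded'); } };

// Run one regexp operation against `explosive` and report the side effects.
function effectAfterException(op) {
  const re = /a/g;
  re.lastIndex = 3;                    // distinctive state to detect a reset
  let error = null;
  try {
    op(re, explosive);
  } catch (e) {
    error = e;
  }
  return {
    threwBoom: error instanceof Boom,  // the user's exception, not a TypeError
    lastIndex: re.lastIndex,           // must still be 3
  };
}

function probeAll() {
  // Sanity check with a real argument: "12" has no 'a' and lastIndex 3 is past
  // the end, so a global exec fails and resets lastIndex to 0.
  const sane = /a/g;
  sane.lastIndex = 3;
  sane.exec(12);
  return {
    exec: effectAfterException((re, v) => re.exec(v)),
    test: effectAfterException((re, v) => re.test(v)),
    match: effectAfterException((re, v) => re[Symbol.match](v)),
    numberLastIndex: sane.lastIndex,   // 0
  };
}
```

        A regexp operation that updated lastIndex (or ran the match) before the
        conversion threw would leave a global or sticky regexp in a state that later
        callers cannot explain; that is the effect-after-exception this entry's test guards.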
3245
3246 2016-03-02  Benjamin Poulain  <bpoulain@apple.com>
3247
3248         [JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
3249         https://bugs.webkit.org/show_bug.cgi?id=154947
3250
3251         Reviewed by Filip Pizlo.
3252
3253         This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.
3254
3255         The problem was that JSCell_freeListNext and JSCell_structureID were
3256         considered as disjoint. When reordering instructions, the scheduler
3257         could move the write of the StructureID first to reduce dependencies.
3258         This would erase half of JSCell_freeListNext before we get a chance
3259         to load the value.
3260
3261         This patch changes the hierarchy to make sure nothing is written
3262         until JSCell_freeListNext is processed.
3263
3264         All credits for this patch go to Filip.
3265
3266         * ftl/FTLAbstractHeapRepository.cpp:
3267         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
3268         * ftl/FTLAbstractHeapRepository.h:
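
        The aliasing hazard this entry describes, as an added C illustration rather than WebKit code: a simplified cell header in which the free-list link shares its first bytes with the StructureID word, so a StructureID store scheduled ahead of the load of the link clobbers part of the pointer. The field layout and the two-cell free list are constructed for illustration and are not JSC's exact layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified cell: while a cell sits on the free list its first
 * bytes hold the free-list link; once allocated they hold the header, whose
 * first 4 bytes are the StructureID. On a 64-bit target the 4-byte StructureID
 * store therefore overwrites half of the 8-byte link. (Assumed layout.) */
typedef union Cell {
    union Cell *freeListNext;      /* valid only while on the free list */
    struct {
        uint32_t structureID;      /* written when the cell is allocated */
        uint8_t indexingType;
        uint8_t type;
        uint8_t flags;
        uint8_t cellState;
    } header;
} Cell;

/* Ordering a scheduler may produce if it treats the two locations as disjoint:
 * the StructureID store is hoisted above the load of the free-list link. */
Cell *allocate_store_first(Cell **freeList, uint32_t structureID) {
    Cell *cell = *freeList;
    cell->header.structureID = structureID;   /* clobbers part of the link */
    *freeList = cell->freeListNext;           /* loads a corrupted pointer */
    return cell;
}

/* Ordering the heap hierarchy must preserve: consume the link before any
 * header field is written. */
Cell *allocate_load_first(Cell **freeList, uint32_t structureID) {
    Cell *cell = *freeList;
    Cell *next = cell->freeListNext;          /* read the link first */
    *freeList = next;
    cell->header.structureID = structureID;   /* now safe to overwrite */
    return cell;
}

/* Constructed two-cell free list, allocated with the given ordering.
 * Returns 1 if the free list survives intact, 0 if it was corrupted. */
int free_list_survives(Cell *(*allocate)(Cell **, uint32_t)) {
    Cell a, b;
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    a.freeListNext = &b;
    b.freeListNext = NULL;
    Cell *freeList = &a;
    Cell *got = allocate(&freeList, 0x12345678u);
    return got == &a && freeList == &b;
}
```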
3269
3270 2016-03-02  Benjamin Poulain  <bpoulain@apple.com>
3271
3272         [JSC] Improve Select of Doubles based on Double condition
3273         https://bugs.webkit.org/show_bug.cgi?id=154572
3274
3275         Reviewed by Filip Pizlo.
3276
3277         Octane has a bunch of Select on Double based on comparing Doubles.
3278         A few nodes generate that: ValueRep, Min, Max, etc.
3279
3280         On ARM64, we can improve our code a lot. ARM can do a select
3281         based on flags with the FCSEL instruction.
3282
3283         On x86, this patch adds aggressive aliasing for moveDoubleConditionallyXXX.
3284         This obviously has a much more limited impact.
3285
3286         * assembler/MacroAssembler.h:
3287         (JSC::MacroAssembler::moveDoubleConditionally32): Deleted.
3288         (JSC::MacroAssembler::moveDoubleConditionally64): Deleted.
3289         (JSC::MacroAssembler::moveDoubleConditionallyTest32): Deleted.
3290         (JSC::MacroAssembler::moveDoubleConditionallyTest64): Deleted.
3291         (JSC::MacroAssembler::moveDoubleConditionallyDouble): Deleted.
3292         (JSC::MacroAssembler::moveDoubleConditionallyFloat): Deleted.
3293         * assembler/MacroAssemblerARM64.h:
3294         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
3295         (JSC::MacroAssemblerARM64::moveDoubleConditionallyDouble):
3296         (JSC::MacroAssemblerARM64::moveDoubleConditionallyFloat):
3297         (JSC::MacroAssemblerARM64::moveConditionally32):
3298         (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
3299         (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
3300         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
3301         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest64):
3302         (JSC::MacroAssemblerARM64::branch64):
3303         * assembler/MacroAssemblerX86Common.h:
3304         (JSC::MacroAssemblerX86Common::moveConditionally32):
3305         (JSC::MacroAssemblerX86Common::moveDoubleConditionally32):
3306         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyTest32):
3307         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyDouble):
3308         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyFloat):
3309         * assembler/MacroAssemblerX86_64.h:
3310         (JSC::MacroAssemblerX86_64::moveDoubleConditionally64):
3311         (JSC::MacroAssemblerX86_64::moveDoubleConditionallyTest64):
3312         * b3/air/AirInstInlines.h:
3313         (JSC::B3::Air::Inst::shouldTryAliasingDef):
3314         * b3/air/AirOpcode.opcodes:
3315         * b3/testb3.cpp:
3316         (JSC::B3::populateWithInterestingValues):
3317         (JSC::B3::floatingPointOperands):
3318         (JSC::B3::int64Operands):
3319         (JSC::B3::int32Operands):
3320         (JSC::B3::testSelectCompareFloat):
3321         (JSC::B3::testSelectCompareFloatToDouble):
3322         (JSC::B3::testSelectDoubleCompareDouble):
3323         (JSC::B3::testSelectDoubleCompareDoubleWithAliasing):
3324         (JSC::B3::testSelectFloatCompareFloat):
3325         (JSC::B3::testSelectFloatCompareFloatWithAliasing):
3326         (JSC::B3::run):
3327
3328 2016-03-02  Joseph Pecoraro  <pecoraro@apple.com>
3329
3330         Add ability to generate a Heap Snapshot
3331         https://bugs.webkit.org/show_bug.cgi?id=154847
3332
3333         Reviewed by Mark Lam.
3334
3335         This adds HeapSnapshot, HeapSnapshotBuilder, and HeapProfiler.
3336
3337         HeapProfiler hangs off of the VM and holds the list of snapshots.
3338         I expect to add other HeapProfiling features, such as allocation
3339         tracking, to the profiler.
3340
3341         HeapSnapshot contains a collection of live cells and their identifiers.
3342         It can point to a previous HeapSnapshot, to ensure that a cell that
3343         already received an identifier maintains the same identifier across
3344         multiple snapshots. When a snapshotted cell gets garbage collected,
3345         the cell will be swept from the HeapSnapshot at the end of collection
3346         to ensure the list contains only live cells.
3347
3348         When building a HeapSnapshot, nodes are added in increasing nod